DMR 152 Wombat At Large Team Colleague

Used Killbox as instructed. I received this message: PendingFileOperations Registry Data has been Removed by External Process!

Unfortunately, that message means that something (probably the infection) prevented Killbox from doing its job. Try the Killbox deletion while booted into Safe Mode:

* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
* In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\biU.exe
* Select the "Replace on reboot" and "Use Dummy" options.
* Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
This time, click Yes when prompted to reboot now.

I guess our PC's rid of all viruses

I'm not at all convinced of that yet :(

We still cannot get access to emails and other secure sites.

This could be related to the problem with Norton's firewall, but if not, there are a few possible fixes. The first fix to try is the free IEFix utility. Download and run the utility, and let us know the results.

We also get this annoying "Symantec Security Alert: Firewall Protection is turned off" message that does not go away.

Infections often disable and/or damage firewall and antivirus programs.
* If you open the Norton Internet Security program and attempt to turn the Firewall component back on, what happens?

DMR 152 Wombat At Large Team Colleague

In the meantime, you might very well find some clues in your System and Application log files:

Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning".
Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire contents of the logs).

To post the details:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

DMR 152 Wombat At Large Team Colleague

Does anyone know of software I can download or purchase that will allow me to create partitions for each OS and use a BootUp system to allow for easy switching between them?

There's no need for separate disk and boot management utilities; they are part of the Mandriva package (and most, if not all, other Linux installation packages).

DMR 152 Wombat At Large Team Colleague

...it's not like I'm gonna stalk you or anything...

Hey, feel free- it's been a while since I had a good *glomp*ing... [IMG]http://www.stevewolfonline.com/Downloads/DMR/Visuals/jesterlaugh.gif[/IMG]

Seriously though- you're welcome, I'm glad the info helped.
Are you all set with the rest? If you have any other questions, let us know.

DMR 152 Wombat At Large Team Colleague

Have a look at the contents of your hosts file:

Open Windows' Notepad utility. In Notepad:
* Click on the "File" menu option.
* Click the "Open" option in the File menu.
* In the "Files of Type:" drop-down menu box, choose "All Files"
* In the "Look in:" drop-down menu box, navigate to the C:\Windows\System32\Drivers\etc folder.
* Double-click on the file named "hosts".

A default Windows hosts file contains only the following text:

# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

If your hosts file contains entries beyond the "127.0.0.1 localhost" line, please post the contents of the file here.



DMR 152 Wombat At Large Team Colleague

...an unexpected error has occurred at procedure: modmain_fixotheroneitem(sltem=01-hosts:local127.0.0.1
error#75-path/file access error

That most likely indicates that the hosts file has its "read-only" attribute set, meaning that HijackThis cannot make changes to the file.

The hosts file is located in the C:\Windows\System32\Drivers\etc folder, and is a plain text file which can be viewed by opening it with Windows Notepad. The "localhost 127.0.0.1" entry in a hosts file is perfectly normal, but if your hosts file contains other lines below the localhost entry, they could be the work of malware.
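The two checks from the posts above, looking for hosts entries beyond the localhost line and finding out whether the file's read-only attribute is what stopped HijackThis with error 75, can be done from one script. The following is an added example, not code from the thread or from HijackThis; the sample file content is constructed, the default path is the standard XP location quoted above, and the hosts syntax it assumes is the one described in the stock file's comments ('#' starts a comment, IP first, then one or more host names).

```python
"""Flag hosts-file entries beyond the default localhost mapping and check the
read-only attribute that makes HijackThis fail with "error 75".

Added example for this thread; not HijackThis code.  Assumes the hosts
syntax shown above: '#' begins a comment, the IP comes first, then one or
more host names separated by whitespace."""
import os
import stat
from typing import List, Tuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # standard XP location

# Constructed sample: the stock file plus two injected redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
#
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       update.example.com          # constructed: not a default entry
0.0.0.0\tdownload.example.net   www.example.net
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return one (ip, hostname) pair per mapped name, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, incl. trailing ones
        parts = line.split()
        if len(parts) < 2:                        # blank or malformed: maps nothing
            continue
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Everything that is not the stock '127.0.0.1 localhost' line."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]


def mode_is_read_only(mode: int) -> bool:
    """True when the owner write bit is clear; on Windows os.stat() mirrors
    the read-only file attribute into this bit."""
    return not (mode & stat.S_IWUSR)


def is_read_only(path: str) -> bool:
    return mode_is_read_only(os.stat(path).st_mode)


if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print("read-only attribute set:", is_read_only(HOSTS_PATH))
    else:
        text = SAMPLE_HOSTS                       # offline demo on the constructed sample
    for ip, name in suspicious_entries(text):
        print(f"non-default entry: {ip:<15} {name}")
```

Anything the script prints as a non-default entry is what DMR asks to see posted; a redirect of a vendor or update host to 127.0.0.1 or 0.0.0.0 is the classic sign of a hosts-file hijack. If the read-only check comes back True, clearing the attribute (right-click the file, Properties, untick Read-only) is what lets HijackThis write its fix.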

DMR 152 Wombat At Large Team Colleague

I think the 017 entries are fine. wp.fsi is my internal network.

You look good to go, then; glad we could be of assistance. :)

DMR 152 Wombat At Large Team Colleague

This should probably be moved to the marketing and promotion forum under the site management section.

Right you are- done.

DMR 152 Wombat At Large Team Colleague

@DMR - The lines...They are gone!

It's magic!

... or was it sheer boredom on my part? :mrgreen:

DMR 152 Wombat At Large Team Colleague

Glad you got everything figured out... :)

DMR 152 Wombat At Large Team Colleague

I was hoping that the error code would be enough.

Rarely; Microsoft usually lists several possible causes for the major BSOD error codes; it's the specifics in the error messages that let one narrow it down. Also- please be very careful and exact when posting error codes; the addition or omission of a single digit in the code can change its meaning (0X000000C vs 0x0000000C, for example).

I just downloaded ewido 4.0. I wouldn't know where to begin besides virus scans, Trend Micro and Windows Defender. I'm using Windows XP Home.

Scanning for malware is a good idea, but we don't deal with those issues in this particular forum.
Instructions for running the new version of ewido are here; if the ewido scan and/or other scans turn up malicious infections, start a new thread in our malware forum and post the contents of the scan reports there.

If you want to pursue the possibility of non-malicious causes for the error, we can do that in this thread, but you will need to provide the details of the error message.

DMR 152 Wombat At Large Team Colleague

OK- that shows us the infections; please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the most current updates for your antivirus program.

* Download these (free) utilities and save them in a convenient location:
ewido Antispyware (trial version)
ATF Cleaner
(Your log indicates that you had/have ewido installed; unless you installed it fairly recently, download and use the version I linked to above)

* Install and configure ewido:

  • Close all other applications and run the ewido installer.
  • Select language, click OK
  • Click I Agree
  • Click Next
  • Click Install
  • Click Finish
  • Wait; ewido will open its main screen automatically.
  • Wait again a few minutes and ewido should auto-update itself. If it doesn't, click Update at the top of the screen. (It is very important to get the updates.)
  • Don't run a scan with ewido yet; just close the program when the updating has finished.

*Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Command Service or cmdService and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down …

DMR 152 Wombat At Large Team Colleague

"Memory could not be read" errors have many possible causes, and the causes of your particular errors aren't obvious to me. I'll have to do a little research, but I'll post again shortly.

DMR 152 Wombat At Large Team Colleague

By the way- crunchie got me hip to the fact that there is a Vundo variant which involves sysprotect.com, and which also hides itself from HijackThis. You might want to do the VundoFix routine.

DMR 152 Wombat At Large Team Colleague

I hate to say this, but it is pretty hard to read that log, with all those lines in it...

What lines, T? [IMG]http://www.stevewolfonline.com/Downloads/DMR/Visuals/dunno.gif[/IMG]


:mrgreen:

DMR 152 Wombat At Large Team Colleague

Hi John7435,

First of all- Welcome to DaniWeb :)

Second- Don't bump your posts. [IMG]http://www.stevewolfonline.com/Downloads/DMR/Visuals/nono.gif[/IMG]


You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the most current updates for your antivirus program.

* Make sure that Windows Defender and ewido have the most current updates installed.

* Download these (free) utilities and save them in a convenient location:
VundoFix
ATF Cleaner


* Run HijackThis again, put a check mark in the boxes to the left of the following entries, and then click the "Fix checked" button. close HJT once the fixes are completed:
O2 - BHO: (no name) - {255FA86C-E8C3-45AE-A0BE-61C94A35682B} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll


* Run VundoFix
- Double-click VundoFix.exe to run it.
- Put a check next to *Run VundoFix as a task.
- You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
- When VundoFix re-opens, click the *Scan for Vundo* button.
- …
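The HijackThis entries DMR lists for fixing above (an O2 BHO whose DLL is already gone, O20 Winlogon Notify DLLs, and elsewhere in this thread an O23 service marked "file missing") share a small set of line layouts. The following is an added example, not HijackThis code and not from the thread: it parses those O2/O20/O23 lines into records and picks out the orphaned ones. The sample log is constructed from the entry formats quoted in the post, and the splits and regexes assume those formats hold for the rest of a log.

```python
"""Parse HijackThis O2/O20/O23 log lines into (section, name, path,
file-missing) records and list the orphaned ones.

Added example for this thread; not HijackThis code.  The line layouts the
regex and splits rely on are taken from the entries quoted above and are
assumed to hold for the rest of a log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the line formats quoted in the post.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {255FA86C-E8C3-45AE-A0BE-61C94A35682B} - C:\\WINDOWS\\system32\\pmkhf.dll (file missing)
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\MSMSGS.EXE" /background
O20 - Winlogon Notify: wineij32 - C:\\WINDOWS\\SYSTEM32\\wineij32.dll
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\\WINDOWS\\msndn.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
MISSING = " (file missing)"
PATH_SECTIONS = ("O2", "O20", "O23")   # sections whose last " - " field is a file path


@dataclass
class Entry:
    section: str            # "O2", "O20", ...
    name: str               # BHO CLSID, Winlogon Notify key, or service display name
    path: Optional[str]     # file the entry points at, when the section has one
    file_missing: bool      # HijackThis could not find that file on disk


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                            # header/blank line, not an O-entry
        section, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        if section in PATH_SECTIONS:
            head, _, path = body.rpartition(" - ")
            if section == "O2":
                clsid = CLSID_RE.search(head)
                name = clsid.group(0) if clsid else head
            else:
                # "Winlogon Notify: wineij32" / "Service: Display (short) - owner"
                name = head.split(": ", 1)[-1].split(" - ")[0]
        else:
            name, path = body, None
        entries.append(Entry(section, name, path, missing))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file is gone: a scanner has already removed the
    file, but the registry reference is still there for HijackThis to fix."""
    return [e for e in entries if e.file_missing]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        flag = "MISSING" if e.file_missing else ("present" if e.path else "-")
        print(f"{e.section:<4} {flag:<8} {e.name:<45} {e.path or ''}")
```

The "file missing" flag is the only judgement the script makes on its own; whether a Winlogon Notify DLL that is still present is malicious is exactly the call DMR makes from the name and location, and that stays with the person reading the log.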

DMR 152 Wombat At Large Team Colleague

Please give us the details of your Network/Internet connection and the hardware involved.

DMR 152 Wombat At Large Team Colleague

Can you give us the specs of your computer please (especially the hard drive)?

DMR 152 Wombat At Large Team Colleague

Finally- the avload32.dll file is gone :)

Were you able to find the C:\WINDOWS\system32\biU.exe and delete it manually? If you found it but were unable to delete it, use the Killbox again as follows:

- In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\biU.exe

- Select the "Replace on reboot" and "Use Dummy" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
This time, click Yes when prompted to reboot now.

DMR 152 Wombat At Large Team Colleague

Congratulations- you've got Nasties... :sad:

You have a couple of different infections indicated in your log, but nothing that we can't get rid of. Please start by doing the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Open your Add/Remove Programs control panel and uninstall the WeatherBug program. Also uninstall the WinFixer software if you see it listed there.

* The version of Java installed on your computer is very out-of-date, and that can pose a security risk. Update to version 1.5.0_07 here:
http://www.java.com/en/download/manual.jsp

* Download and install the most current updates for your antivirus program.

* Make sure that Windows Defender has the most current updates installed.

* Download these (free) utilities and save them in a convenient location:
VundoFix
Ewido Anti-Malware
ATF Cleaner


* Install and configure ewido:

  • Close all other applications and run the ewido installer.
  • Select language, click OK
  • Click I Agree
  • Click Next
  • Click Install
  • Click Finish
  • Wait; ewido will open its main screen automatically.
  • Wait again a few minutes and ewido should auto-update itself. If it doesn't, click Update at the top of the screen. (It is very important to get the updates.)
  • Don't run a scan with ewido yet; just close the program when the …
DMR 152 Wombat At Large Team Colleague

...the desktop was private so i did not have permissions so i tried to go through the admin to transfer permissions but was unable to.

Getting the permissions and ownership changed correctly can be a bit difficult sometimes. The article below describes the basic process pretty well:
http://pcsupport.about.com/od/pcrepair/a/reclaimfolder.htm

DMR 152 Wombat At Large Team Colleague

To begin with, please give us the make and model of the computer.

DMR 152 Wombat At Large Team Colleague

Please try to give us as much information as possible when asking for assistance; it will help us get to the source of the problem much more quickly:

* Post the full and exact text of the Blue Screen error.
* Tell us the circumstances under which the error started occurring.
* Tell us if you had made any hardware or software changes at all around the time you first got the error.
* If you have tried any troubleshooting steps already, let us know what they were (and what results you got from them).
* Give us your full hardware specs/details.
* Tell us exactly which version of Windows you are running.

DMR 152 Wombat At Large Team Colleague

You must use only the disks that came with your machine, no others :mad:

That does apply to most manufacturer-supplied (OEM) disks, as those disks are specific to the model of machine they are shipped with. However, any fully-fledged Windows installation disk can obviously be used.

wjrinck,

I'm surprised that your wife's install disk didn't even find a drive to install on; that isn't the problem one usually encounters when using an OEM disk on another machine. Given that you've received two different disk-related errors when trying two different installation methods, I would:

* Double/triple check the physical installation of the drive; just because the BIOS can read the disk info from the drive's firmware does not mean that the drive is functioning (or installed) entirely correctly.

* Borrow a retail version of a Windows XP or 2000 install disk from someone, try it, and see if you encounter errors with that. If so, something isn't right hardware-wise.

DMR 152 Wombat At Large Team Colleague

Please give us the full and exact text of the error message.
Errors related to the kernel32.dll file are fairly common, but have different causes; knowing the exact error will help us narrow down the possibilities more quickly.

DMR 152 Wombat At Large Team Colleague

If the "MAC spoofing" doesn't do the trick, go into the router's internal configuration utility and check the WAN/Internet settings there.
What info does the router report on its utility's status page?

DMR 152 Wombat At Large Team Colleague

Less elaborative verbiage and more succinct detail would be good for starters; the exact circumstances of your situation get a bit lost in your telling of the tale. :mrgreen:

Seriously though:

1. Please clarify why exactly, when the problematic hard drive was installed in the other computer as a slave, you couldn't access the data you wanted to rescue? If you were denied permission to a folder, you can gain access to it by going into the advanced security settings of the folder's Properties and taking ownership of the folder.
If you had a different problem, please explain.

2. As for the original error, the windows\system32\config\system file is a component (called a "Hive") of the Registry, and yours appears to have become corrupted. The hives are unique to the system on which Windows was installed, so you cannot just replace them with copies from another computer.

* Booting into the "Last known good configuration" might do the trick, although it often doesn't. It is the easiest fix though, so it's worth trying.
To boot into that configuration, start tapping the F8 key right after your computer starts up (that is- well before you see the Windows startup graphic/logo). This should bring up the boot options menu, where you can choose the "Last known good" menu item.

* There are a couple of other ways to fix the corruption, which are discussed in these links:
http://www.kellys-korner-xp.com/xp_sys32.htm
http://support.microsoft.com/kb/307545/en-us

DMR 152 Wombat At Large Team Colleague

:rolleyes:

DMR 152 Wombat At Large Team Colleague

You're welcome :)

DMR 152 Wombat At Large Team Colleague

1. The Pest Patrol screenies are a bit choppy and difficult to read, but it looks like most of those items are referencing cookies, which are pretty harmless. You'd have to click on the "+" box next to each entry in the PP reports to see exactly what the items are.

2. A clean HijackThis log is by no means an indication that you're infection-free, as many of the "nasties" do a good job of hiding themselves.
Please give us as many details on what exactly McAfee is finding, and in what location the found items are living. If we can get the name of the trojan or a name of one of the infected files, that will give us something to go on.

DMR 152 Wombat At Large Team Colleague

Cool- you're welcome :)

DMR 152 Wombat At Large Team Colleague

I see no signs of infections in that log :)

DMR 152 Wombat At Large Team Colleague

What are the items that SpyBot found? Details do help... :mrgreen:

DMR 152 Wombat At Large Team Colleague

Can you please tell us what symptoms you're experiencing?
Aside from the unusual "O1 - Hosts:" entries, I see nothing suspicious in your log.

DMR 152 Wombat At Large Team Colleague

I now have an exe file that is always in use when i try and delete it.

What is the exact name and location of that exe? I see no signs of infections in your log.

DMR 152 Wombat At Large Team Colleague

Rusty?! Oil thyself! :D

The only obvious sign of nasties that I see in the log is:
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)

msndn.exe is a component of one of the SDBOT variants. ewido can detect and clean the file (and it looks like it may have already), but you might need to manually disable and then delete the "Microsoft Networks DN" service.

DMR 152 Wombat At Large Team Colleague

PDF (Portable Document Format) is an Adobe format; .pdf files can be read/opened with, among other programs, Adobe's free Acrobat Reader.

DMR 152 Wombat At Large Team Colleague

I understand...it's really tough these days not to fall prey to the online viruses; precaution is the best measure.

Yes, exactly.

Once again thanks a lot and I am sure there are many others who think the same.

The thanks are definitely appreciated; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Any idea what that issue could be?

Well- is the lag constant, or does it come and go?
Either way, do you experience the lag even when Windows is booted in Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)?

Also, I've started my computer since I used hijack this to check those items and my computer still takes the same amount of time to boot up. Any ideas please?

Unfortunately, as I said earlier:

Whether or not the actual performance increase gained by disabling startup items is actually noticeable to the user is another story.

DMR 152 Wombat At Large Team Colleague

But what you're trying to do is exactly what you said the people managing the router do not want you to do.

Basically, it sounds like:

1. You are paying a monthly fee to use someone else's service.
2. They do not want filesharing activity on their pipeline.
3. You are trying to find a way around that.

The upshot is this: Either you have rights to modify the router and Internet connection, or you don't. If you do, you need to talk to the others involved to see if you can resolve the issue. If you don't have rights to make changes to the service, we at this site can't help you do that.

DMR 152 Wombat At Large Team Colleague

I honestly don't know of any open source network monitoring packages for the Mac or Windows, although they certainly might exist. The open source tools that I know of run on Linux.

DMR 152 Wombat At Large Team Colleague

* Did Killbox give you any errors for either file when you ran it, or did it seem to do what it should (for both files)?

* Did you have AVG fix the BiSpy-infected file (C:\WINDOWS\system32\biU.exe)?

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for the infected C:\WINDOWS\system32\biU.exe file and delete it if it still exists.


* Run HijackThis again and have it fix this entry again:
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll

* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.

DMR 152 Wombat At Large Team Colleague

I would wager that you do have the voltage out of the power supply, and it's just the software.

Agreed.

Before you get too worried about it, I would get a DVM and check out the voltages with this.

Yes- if you really want/need to verify your voltages, don't rely on a piece of sensor software to give you accurate information. Borrow or buy a voltmeter and test the voltages directly at the power connectors inside the computer.

DMR 152 Wombat At Large Team Colleague

Glad you got it fixed, regardless of the method... :)
Do you suspect that the version of "vsmon.exe" on your computer was not the valid Zone Alarm file, but the version created by one of the RBOT worms?

DMR 152 Wombat At Large Team Colleague

You Cut-N-Pasted the majority of your post from another member's post. Does this mean that you are having exactly the same problem? If not, please post the specific symptoms and error codes that you are experiencing.

DMR 152 Wombat At Large Team Colleague

Hi cre,

Please try to include as much information as possible in your posts; the more we know up front, the faster we can help you solve the problem.

The "khalmnpr.exe" program is a part of Logitech's mouse/keyboard software, but I can't tell you much about the error, as you've provided no details. Please give us the following information:

* The full and exact text of the error message(s).
* When do the errors appear? (when starting Windows? randomly? only when you perform a certain action? etc., etc.)
* The version of Windows that you are using.
* The version of the Logitech software, and the type of Logitech device you are using.
* Details on the history of the problem:
- When did it start happening?
- Had you added/removed/changed any hardware or software at about that time (think carefully)?

DMR 152 Wombat At Large Team Colleague

If your connection to the router is wireless, there is a program called NetStumbler which will at least give you the SSIDs and MAC addresses of the wireless devices within its range. If you can sniff the MAC address you can at least determine the brand of router; if you can pull the SSID you might be able to narrow it down to a model range.

None of this will help much if the people who are controlling the router have changed the router's default settings, though.

DMR 152 Wombat At Large Team Colleague

Can you give us more details on exactly what you mean by "manage", please? I'm assuming that you're looking for more functionality than just knowing whether or not the router is in a working state.

DMR 152 Wombat At Large Team Colleague

hi everybody, i was wondering if there is a tool to know my router's type...
it's not in my apartment.

Sounds to me like it isn't really your router. Are we "borrowing" Internet access, perhaps? :mrgreen:

DMR 152 Wombat At Large Team Colleague

What you've described doesn't point to an obvious suspect. Swapping the positioning of the two routers in the connection scheme is the next thing I would try.