Posts by DMR

Hmm,

Forums... member.... me... think...

* Here, obviously
* JustLinux
* LinuxQuestions (there- happy now, Dani? :p )
* Computing.net
* Spyware BeWare/ASAP
* CastleCops
* LavaSoftUSA
* BleepingComputer

"sorry if this is in the wrong place :confused: "

Yup, 'tis. Off we go to the Geek's Lounge...

McAfee tells me the location of the virus, it is always in c:\Windows\Temp\............... then a seriesof numbers that differs each time. i go the the exact location, scan it, andit comes up clean.

That is exactly the description given by everyone else who encounters the "Poly Win32" issue with the McAfee/BitDefender mix; I really think we're looking at false positive with this one.

McAfee suggest i disable system restore, start up in safe mode, then do afull scan. Would you agree ? They then say to do the same in dOS mode if this does not work.

I'd certainly run a scan in Safe Mode, but I wouldn't suggest disabling System Restore before doing the scan. If you disable System Restore before scanning, and something goes wrong with McAfee's disinfection, you won't have anything to fall back on in terms of a system recovery point. System Restore points should be flushed only after the rest of the computer is infection-free.

When i do "ipconfig" this is displayed:
.
.
That is exactly how it shows.

That IP configuration info is all wonky. To begin with, 169.254. addresses are what Windows auto-assigns when it can't get a valid IP address from the DHCP server (the router, in this case). Can you give us the output of the "ipconfig /all" command; it yields more info than the simple "ipconfig"command.

* A mysterious "router hijacker", eh? What was that tech smoking when he suggested that ?? No further comment.

* When you connect the CAT5 cable (which is known to be in good, working condition, yes?) between the computer and the router, do you get a link/activity indication on the router?

* Have you tried replacing the CAT5 cable with another?

* Have you tried all of the different LAN ports on the router?

* Post the exact model # of the router. If I have that info we should be able to get in to the router's setup pages and see what's happening on that end.

At this point i am highly considering just reformating the computer

At this point, I see nothing which indicates that a reformat is needed, and in fact, I honestly see nothing which indicates that a reformat would directly solve your problem.

:mrgreen:

* Your HJT log is clean, and ewido appears to have cleaned up a number of hidden "nasties".

* In this case, physically disconnecting from the Net was just a precaution on my part; part of my general malware removal "canned answer". If it appears necessary to redo things in Safe Mode, we will do that.

* The "locked background" problem you describe is usually a leftover symptom of the SpySheriff/Smitfraud group of infections. Here's the specific fix for regaining full functionality of your desktop properties:

- Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop.
- Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES.
- Reboot your computer; your display properties should be returned to normal.

Hi, I'm Samantha and I'm 15.

Really?? A 15 year old posting from a Wodonga Catholic College account?
And interestingly enough, the same Wodonga college from which "Candy01" posts.
How um... questionable.

Ah, yes- Troll Patrol. One of the more exciting aspects of moderating a tech support forum, to be sure.

Candy01/AoM,
Consider this a polite (but first and final) warning: The novely has worn off, so if you want to continue participating here, it's time to cut the sex games and stick to what this site is about.

Thank you.

We're just disabling the security measures as a test to eliminate obvious variables. If we end up finding that one of those is the culprit, we'll deal with it; if not, we'll re-enable all of the security.

Also check your log files as I suggested; there very well may be clues in the logs.

Sorry about the "extract" confusion in the HijackThis instructions; that was a reference to a version of hijackthis which comes as a .zip download; the version I linked to was the raw hijackthis.exe executable. Glad you got it sorted in spite of my attempt to confuzzle you.... :mrgreen:

* Your log is clean, although it does indicate that you are running both McAfee and Avast concurrently. Running more than one AV program at a time is definitely not recommended, as conflicts can occur. Choose one AV program and remove/disable the other.

* I've still got the feeling that the McAfee warning is a false-positive having something to do with the BitDefender scan. Does McAfee's log give you any details concerning the suspect file's name and/or location?

I would try to connect it to the switch, then connect the other nodes and use static IP addressing, with the DSL modem IP as the gateway and Prefered DNS Server.

I doubt that will work. A DSL modem only hands out 1 IP address to the "LAN", and a switch doesn't perform NAT, so only the first machine to obtain a DHCP lease will be allowed to connect.

And you've applied the most current patches to the OS, SQL, and all other relevant software?

i am using a modem and i have dsl but i am not sure.

You'll need to find out; it makes a difference. If your laptop was originally configured to connect directly to a DSL modem, chances are that you have DSL connection/dialer software installed. This software is not needed when you connect to anything beside a DSL modem, and will often cause conflicts such as you describe if you try.

Please try to give us as much specific information about the network(s) and devices you are trying to connect to. There are literally scores of different possible network configurations and devices out there; the more we know about your particular situations, the faster we can get yor problems solved.

I have McAfee running. I also use Bit Defender.

When i do a manual bit defender scan i get a warning box from Mcafee telling me i have the New Poly Win 32 virus... is it just something that Bit Defender does that is being picked up by McAfee as a virus ?

Quite possibly, yes; others have had the same warning from McAfee when doing a BitDefender scan.

Just to make sure, please do the following:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

A few basic troubleshooting steps to start with:

* When troubleshooting any network-related issue, the first thing you need to do is to completely disable any firewall software (including XP's built-in ICF/ICS features). Simply choosing the "Disable" option in the firewall program's settings/preferences rarely turns the firewall off entirely; you will need to deselect the preference setting that tells the firewall to automatically start when Windows boots, and then restart the computers. After reboot, verify that the firewall is indeed disabled.
Keep your firewalls dropped until you get things working.

* To avoid conflicts as to which network device the computer shold be connecting through, disable the wireless NIC.

* Try reaching a site by its actual IP address instead of its URL. For example, open a browser and enter the following in the address/location bar:
http://66.102.7.99
If that takes you to Google, chances are pretty good that you've got a DNS problem.

* Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.
At the DOS prompt, type the following commands, hit Enter after each, and tell us the results for each command:

ping Your_Router's_IP_Address
ping 66.102.7.99
ping www.google.com

* Again at the DOS prompt, type the following command and hit Enter. You won't see any result from the command, …

What do u mean u need a LAN setup to install your router?

Erm- perhaps because it's rather hard to connect to and configure the router when you can't make an Ethernet connection to it? Just a thought... :p

You may need to install specific driver software for your laptop's NIC. Did the system come with any driver disks or the like?

Is there a way to somehow monitor what the pc does, anything that logs whatever happens, preferably also the last few microseconds before the feeze?

You may be able to find some clues in your System and Application log files, which can be reviewed with the Event Viewer utility in your Administrative Tools folder/Control Panel.

We can help you if you can give us details of the troubleshooting steps you've performed so far and the exact results of those proceedures.

What kind of Internet access to you currently use (DSL, Cable, etc.), and what device (wireless router, access point, or modem) is your computer trying to connect to?

A few initial suggestions/questions:

* What make/model of router do you have?
* If you have security settings configured on the router, disable them temporarilly and see if that changes the problem at all.
* Try the wifi card on a few more networks in addition to your neighbors just to be thorough.
* Give the router a hard reset if it has that option; it may have taken a power hit or glitched in some other way.

Without a router or ICS? No can do, unless your ISP can give you (and you can afford) an account where you can have separate, public IP addresses for every computer on the LAN. Even if that's an option, I doubt that you want all of those machines sitting right out there on the Net, directly accessible to every J. Random Hacker on the planet. Obviously, that is exactly what you would have with the "solution" you're asking about.

Do the Right Thing- buy the broadband router and install it between the modem and the switch. The cost of such a router is about equal to the cost of one of the many hours of time you'll spend rebuiding your entire network after it gets hacked.

-

my laptop loses connectivity to the internet...

Can you clarify that a bit please? Are you saying that you lose the wireless link between the laptop and the router, that the WAN-facing side of the router drops its connection to your ISP, or both?

* Disable WEP/WPA, disable MAC filtering, and reenable SSID broadcast on the router. After that, cold-boot (power on/off) both the router and the laptop; see if the problem changes.

* Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning"; see if any of those entries seem like they may relate to your problem. Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire contents of the logs).

To post the details:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

Is that server behind any sort of hardware firewall? If not, it should be.

I am not sure how you guys do this, but from the looks to me he was infected due to not having any Service Packs installed...

Good catch Burton; that's why we appreciate other pairs of eyeballs on the problems. :)
That is indeed a "virgin" install of XP by the looks of it, and yes- we do advise that SP1a be applied (if possible) before anything else.

Please note: One thing often becomes evident at this point- the member is denied access to the upgrade because the version of XP installed on their system is not a legal copy, and it therefore fails Microsoft's "Genuine Advantage" validation check.
Unfortunately, regardless of how/why the member got an illegal load of Windows installed on their machine, we cannot continue the troubleshoot until the member obtains a valid copy of the operating system or a valid product key for their current install.

As stated in our Forum Rules:

"Keep it clean and do not post pornographic material or link to it. In addition, do not post anything warez related or related to other illegal acts. This includes tech support troubleshooting pirated software or P2P programs (i.e. Gnutella, Kazaa) used to obtain pirated software. Exceptions are helping to remove spyware or browser hijacks (that may or may not be related to illegal material) from a computer. "

-

i'm trying to learn about everything so i don't just have to get a program to do it all for me but windows can be difficult with the hidden files, program files, registry stuff...

Yes, and those reasons are why we actually prefer to avoid the "manual" removal approach unless as a last resort. The automated anti-malware programs know where to look for the hidden components of the infections and are programmed to safely remove them. Performing malware removal "by hand" can, in the worst case, lead to making some incorrect "fix" which wrecks your computer. At the very least, manual removal quite often leaves some remnants of the infections lurking in your system.

any last ideas on how i was getting the same things over and over? was it one lingering file (dvldr32 or whatever) that kept sprouting new ones? or am i doing something dumb?

That particular infection, like many others, installs other infected files which may/can "respawn" the full infection. The devldr32.exe file is a component of a netwrok worm, so you could also have been reinfected by another (also infected) remote computer.
Since the worm's infection method includes attempting to gain access to computers using well-known ("weak") passwords, one primary way to lessen the chances of reinfection is to use "strong" (8 random characters or more, mixed upper/lower case, mixed letters/punctuation symbols, etc.) passwords on your user accounts, your router or modem, and any other place where passwords are an option.
…

Still have the problem though... SO FAR I don't have the problem when I use the search engines seperately. I typed in the old homepage and for the same search topics, the spyware was back

Unfortunately, I think what you're experiencing isn't "spyware" at all (your latest HJT log is clean, by the way), but simply the way the MyWay search sites operate. MyWay searches are not the same as the (much more unbiased) searches performed by the separate search engines in that companies pay MyWay to be placed in MyWay search results; to use a betting analogy, the outcomes of the MyWay search game are "fixed".
To see this for yourself, do a search for the word "cars" using both MyWay's "Google Search" option and by using Google directly. Not much similarity in the results, is there?

The "Sponsored Links" and "Related Results" types of boxes that you see are something that MyWay throws at you on their web pages, not something that is a result of any malicious software they install on your computer.

Your logs look good :)

I'd suggest waiting for crunchie's (hopefully final) input on this, as he was your troubleshooter. He should be back online a bit later today.

Can you post the results of the Panda scan? That report could give us some details of what infections you have and where they are located.

Also- For a more thorough check of your system, you can do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the following utilities:

Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/
When installing ewido, under "Additional Options" uncheck..

1. • Install background guard
   • Install scan via context menu
2. Launch ewido, there should be an icon on your desktop, double-click it.
3. The program will now open to the main screen.
4. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
5. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
6. The update will start and a progress bar will show the updates being installed.
   (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't …

ohok thank you, I donot excatly know what hosts I was using,? is firefox a host?

The "hosts" refered to in a hosts file are computers on your local network and/or URLs of locations (servers) on the Internet; the word "host" has nothing to do with browsers or other software.

...how can I know it is fixed?

Aside from a block of comment lines at the head of the file, a clean Windows hosts file will contain only the following entry:
127.0.0.1 localhost
(What your HJT log was listing in its "O1 - Hosts:" entry was actually a line from the comment block of your hosts file)

Some anti-spyware utilities such as SpyBot can add entries to your host file which block communication to/from known "bad" web sites. Unfortunatley, malicious infections can do the reverse, adding entries which will deny you access to "good" sites like Microsoft's Windows Update site or your anti-virus maker's web site.

Can't boot up from the XP CD, even when tapping F8.

F8 only gets you to the OS boot menu option; it won't lead you to any option where you choose the actual boot device.

Using the F2 key, enter your BIOS setup.

* Make sure the Hard Drive and CD Drive are properly detected/reported in the BIOS' list of installed devices. If one of the devices is not detected, double-check the cabling and Master/Slave jumpers on all of the drives.

* Look for the boot device order configuration. Make sure the boot order is as follows:
1. Floppy disk
2. CD/DVD drive
3. Add-in controller cards
4. Hard drive
5. Network boot

* Save the configuration and exit the BIOS setup. The system should now look for bootable media in the floppy drive, CD-ROM drive, and on any peripheral controller cards before it looks to the internal hard drives attached to your motherboard.

If you have problems/questions with the above, please include the model # of the computer and the make/version of the BIOS (if possible) in your next post. Also- I'm making the assumption that the devices in question are IDE drives which are connected directly to the motherboard. IF this is not the case, please give us the details of your hardware configuration.

PXE is for Server 3003 and RIS (Remote Installation Services). On your Desktop you would need a DHCP server that supports bootp requests and a tftpd server. That functionality is not built in into Windows XP

Right. If you've never done it, and don't have a server configured to do it with, trying the network install method could have you banging your head against the wall for hours.

Considering the minimal cost of a 2.5"->3.5" converter (about $12 USD or so), the easiest and most reliable method would be to install the laptop drive in the desktop machine and prep it there.

By the way- your HJT log is clean, and ewido seems to have nothing aside from cookies. Are you seeing any indications of possibly lingering infections, or do things seem back to normal now?

thanks this is a hijack this log info(do I need to run this in safe mode?)

Thanks for the log. As far as running HijackThis goes, the program should be run in normal mode (not Safe Mode) unless someone specifically asks you to do otherwise.

Since tayspen has been working through this with you, please wait until he comes back online and posts new instructions before taking any further steps.

am i wrong in thinking the dates on files are a giveaway?...

Dates can be a clue, but you shouldn't go by that alone. The operating system and your programs will create or modify different files as part of their normal operation, so the fact that a file was modified/created on a date that you didn't manipulate any files isn't an absolute indication that the file is malware-related.

Some other fators that can help you determine whether a file is malicious or not:

* The exact time of creation/modification. If you find a clump of files whose timestamps (as well as datestamps) are identical or very close, chances are good that the files were created/modified by the same process.

* No identifying information (version #, company name, etc.) in a file's properties pages. Such "anonymous" files are always worth looking into.

* Random or "garbage" filenames. For instance, common sense should indicate that a file named "11Fßä#·ºÄÖ`I" just might be malicious.

* Files whose names are almost identical to normal/legit files: scvhost.exe instead of svchost.exe, for example.

just need to follow instructions to do the Hijack this but i need the download link , thanks a lot

Instructions and linkage:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Confused beyond belief now...

It's a marsupial thing; you wouldn't understand.....

Wohoo, a fellow Tennessean

Oh dear... they're clumping....

:mrgreen:

OK- this is the first step, which will help us determine if your computer is indeed infected:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Start by repairing your keyboard. :rolleyes:

Love it... :mrgreen:

Hi apnasewa, welcome to DaniWeb. :)

Problems accessing web sites in general can be the result of a number of things, but not being able to reach Microsoft and anti-virus sites is often the work of malicious infections.
I'm moving your post to our anti-spyware/anti-virus forum now; we'll help you out from there.

Glad you dropped in, F&M.

I see that you've already posted your question in one of our Tech forums; hopefully one of our helpers there will be able to have a look at the problem shorlty.

The moderators are much considerate than I.

And perhaps much more in need of this thread's comic relief... :mrgreen:

Hi IT_No_Nothing, welcome to DaniWeb :)

If you can give us a few more details to go on, that would be a Good Thing. What is the make/model of your player, and what software are you using to download, burn, and transfer your data?

Welcome to DaniWeb, Golzoidian being!
Glad you dropped by; we don't see many of your species around here any more.

my old post (http://www.daniweb.com/techtalkforums/thread45768.html) doesn't seem to be working...

Yes- your original thread seems to have gotten corrupted. In light of that, could you also post a current HJT log in this thread, please?

Thanks.

Hi Linitchka, welcome to DaniWeb :)

1. You said that you've tried some solutions already; please tell us exactly what you've tried.

2. For the sites that you can't access:
* What error message/error page do you get?
* Is it the main page of the sites that you cannot access, or is it only areas/pages within the sites that need to be accessed with a username/password (that is, secure pages)?

3. Your log shows the remains of at least one malware infection; please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the following utilities:

Windows Defender - http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en
CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/
When installing ewido, under "Additional Options" uncheck..

1. • Install background guard
   • Install scan via context menu
2. Launch ewido, there should be an icon on your desktop, double-click it.
3. The program will now open to the main screen.
4. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
5. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
6. The …

Hi zellex, welcome to DaniWeb. :)

To begin with, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.

* Download the 14-day free trial verison of ewido anti-malware.

1. Install ewido anti-malware
2. When installing, under "Additional Options" uncheck..
   • Install background guard
   • Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
6. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
   (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run a scan with ewido yet; just close the program once the updates are installed.

* Close all open/running programs, especially Internet Explorer.
Run HijackThis again, put a check mark in the boxes …

That's good so far (don't worry about the insightbb entries; they're related to your ISP). Please follow through with the rest of tayspen's instructions and then post the ewido log and new HJT log after that.

Let's see if your system and application log files can give us more specific information:

Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for events flagged with "Error" or "Warning". Double-clicking on such an event will open a properties window with more detailed information on the error. If you find events which seem like they might relate to your problem, post the event's details here.

To do so:
In the Properties window of a given event, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

192.168.254.254 is a private IP address which is not used on the Internet; it is reserved for "internal" networks only. The address is used by some models of routers used on home/small office networks; do you have such a device installed?

If the power supply has blown two fuses, then it is almost certainly faulty power supply. A shorted component in the supply is causing the supply to try to draw more current (from the wall outlet) than it should safely do; the fuses are blowing because of this, because that is their job- to protect the rest of the system from electrical overload.

As djrivera1 suggested, do not continue trying to use the computer, as you risk further damage by doing so. The supply can be tested at a professional computer repair shop if you want the definitive answer as to its condition, but from your description I'd say she's toast. Hopefully, the fuses blew quickly enough that other components in the computer escaped harm, but don't be surprised if that's not the case. :(