DMR 152 Wombat At Large Team Colleague

Can you run any other executables (aside from HijackThis) yet?

DMR 152 Wombat At Large Team Colleague

OK- we'll be here... :)

DMR 152 Wombat At Large Team Colleague

It's not XP it's 2000...

Doesn't matter; both 2000 and XP are fully backward compatible in that regard.

All you should need to do is install each drive as a slave drive in the new system, paying attention to the Master/Slave jumper settings on your IDE devices. The drives should then appear in Windows Explorer; from there you can copy your old data to the new drive. I'd suggest working with the drives one at a time to minimize the chance of conflicts, especially since you indicated that one of the old drives is unbootable.

In terms of the unbootable drive, hopefully the damage is minimal enough that the system can at least read the data on the drive and let you copy it off. If the damage is severe enough that you can't even do that, let us know; there are further options you can try.

DMR 152 Wombat At Large Team Colleague

There are no infections evident in your log; can you tell us exactly which websites give you trouble?

DMR 152 Wombat At Large Team Colleague

I see no signs of infections in the log. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning" which might be related to the problems. Double-clicking on such an entry will open a properties window with more detailed information on the error; post that info here. To do so:

In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

DMR 152 Wombat At Large Team Colleague

I don't see any malicious entries in your log, but what you describe (slow program start, delayed page loads, going to odd sites, etc.) does sound fishy. A couple of things to try:

1. Download Firefox and see if it exhibits any of the same browsing problems.

2. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning" which might be related to the problems. Double-clicking on such an entry will open a properties window with more detailed information on the error; post that info here. To do so:

In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

DMR 152 Wombat At Large Team Colleague

Every day when I scan my PC the virus is still wandering in my PC.

Where is the virus found? Give us as much specific info as possible (file names, folder locations, etc.).

Just want to know: is there a modus operandi file that is still in my PC and still duplicating itself? If there is, which file?

That's what I'm hoping to find out. The virus is fairly new, and there isn't much in-depth info available on it.

DMR 152 Wombat At Large Team Colleague

Given some of the background info you've posted, I'd suggest giving us a HijackThis log to review; we may catch something that you overlooked. If you do post, please post the log in a new thread in our Viruses, Spyware, and other Nasties forum, not in this forum.

Also- if the machine is connected via Ethernet, does it exhibit any of the same symptoms?

DMR 152 Wombat At Large Team Colleague

btw: you did a little double posting

Thanks for the heads up; dupe has been deleted.

Download hijackthis - http://www.spywareinfo.com/~merijn/ and post a log in the spyware forum. That will get you started in the process of cleanup.

Right- there are a lot of very nasty infections out there which Norton alone can't deal with. If you want us to help you disinfect your system, do as tayspen suggests. Be sure to post your HJT log in a new thread in our Viruses, Spyware and other Nasties forum, not in this forum.

DMR 152 Wombat At Large Team Colleague

Good job- there's only one infection (the Look2Me parasite) left to kill as far as I can tell. Please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

* Save the file to your desktop and double click l2mfix.exe.
* Click the Install button to extract the files and follow the prompts.
* Open the newly added l2mfix folder on your desktop.
* Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter.

This will scan your computer and it may appear nothing is happening. After a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

Congratulations, raidertrk- you are the proud owner of a virus farm... :(

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Csrs and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Repeat the above steps for the following services:
W32
Win32Sr
wkssvc

- Close the Services utility.

- Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window. At the DOS prompt, type the following commands, hitting Enter after each:

sc delete Csrs
sc delete W32
sc delete Win32Sr
sc delete wkssvc


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the …

DMR 152 Wombat At Large Team Colleague

That's a McAfee error message, yes?
1. Does a full virus scan of your system yield any more specific/helpful information?
2. What (if any) steps have you already taken to resolve the issue?

DMR 152 Wombat At Large Team Colleague

Hi raidertrk, welcome to DaniWeb :)

Please do the following:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

I see no signs of infections there; looks clean :)

DMR 152 Wombat At Large Team Colleague

Looks good; just a few loose ends to clean up. Run HJT again and have it fix:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O4 - HKLM\..\RunOnce: [Need2FindBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - (no CLSID) - (no file)

DMR 152 Wombat At Large Team Colleague

It starts normally now.

Good- now we've got a better place to work from.

We've removed the major obstacles, but there will still be many remnants of the infections which need to be cleaned out. Please perform the following general disinfection procedures:

1. Download and install the following (free) utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware (trial version) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your antivirus program and use its online update function to make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

a) Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp …

DMR 152 Wombat At Large Team Colleague

Sounds like you've got it covered; I can't think of anything else:

* Set BIOS boot order.
* Install new drive as the Primary Master drive.
* Install XP and make sure everything is working properly.
* Reinstall old drive as a slave drive.

As you indicated, you should leave the old drive out of the system until you've verified that the XP side of things is working. When you do reinstall the old drive, just make sure to pay attention to the Master/Slave jumper settings on your devices.

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help :)

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

DMR 152 Wombat At Large Team Colleague

Infected files can get backed up into your System Restore folders, but I didn't think that would keep the vundofix program from working. Oh well... regardless of why it worked, it seems like it did work. :)

DMR 152 Wombat At Large Team Colleague

You'll be able to read from/write to the old ME drive, but there won't be booting conflicts or the like with XP, if that's what you're concerned about.

DMR 152 Wombat At Large Team Colleague

Odd. Care to give us a few small details, such as the make/model of the 'puter? ;)

DMR 152 Wombat At Large Team Colleague

Good job :)

Can you please post one final HijackThis log for us to review before I mark this issue as "Solved"? Thanks.

DMR 152 Wombat At Large Team Colleague

It all looks clean. :)

DMR 152 Wombat At Large Team Colleague

That all looks good; neither of those logs show any signs of infections as far as I can see.

DMR 152 Wombat At Large Team Colleague

To answer a few of your questions:

1. USB support was not introduced until the "B" version of 95, and didn't reach any sort of reliability until 98SE.

2. 95 can be upgraded to 98SE, and you should be able to do that without data loss. As with any OS upgrade though, there is a possibility that something will go squiffy.

3. There are many hard drive size limitations, but many can be worked around by upgrading the BIOS, installing a newer ATA controller card, or using a "drive overlay" utility. You will eventually hit some unsurpassable barrier though, perhaps even at the 8.4G "Int13" limit depending on the exact age of the machine.

4. The AN430TX mobo supports a max of 256M RAM; end of story.

DMR 152 Wombat At Large Team Colleague

When installed by CD, AOL said file too large to open.

Can you be more clear on that please? AOL should have nothing to do with installing the Lexmark software from CD.

DMR 152 Wombat At Large Team Colleague

...the disk is only 31.49GB Fat 32

That's the problem- Win XP and 2000 cannot format partitions larger than 32G with FAT32, although they can work with FAT32 partitions larger than 32G (which third-party disk utilities like Partition Magic can create, as FAT32 itself has a 2TB partition limit).

You have 2 options if you want to use the full capacity of the disk:

1. Format it with the NTFS filesystem.

2. Format it with a utility which can create FAT32 partitions >32G.

DMR 152 Wombat At Large Team Colleague

The jumper is set to slave

That may be the problem- SATA drives don't use a Master/Slave relationship. Your ATA drive should be set to Master or to Single if it is the only device on the IDE channel. Which drive the computer tries to boot from (SATA or IDE) is determined by the settings in your BIOS.

DMR 152 Wombat At Large Team Colleague

I overlooked one malicious entry in your log:

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)


1. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Local Security Authority Subsystem Service or lsass and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Close the Services utility.


2. Run HJT and have it fix the O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing) entry.


3. In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: lsass
Close HijackThis after that.


4. Download and install the most current updates for MS Antispyware ewido, Avast!, SpyBot, and Ad Aware.


5. Run the above utilities while booted into Safe Mode; have them fix all malicious items they find.


6. Reboot normally, run HJT again, and post the new log. Also post the scan report log that ewido generated.

DMR 152 Wombat At Large Team Colleague

You do have a couple of infections.

1. I'd suggest uninstalling WeatherBug and Messenger Plus! 3 via your Add/Remove Programs control panel; both programs contain adware components. (In the fixes below I'm assuming that the programs have been uninstalled.)

2. Let's see if we can at least get the computer to a point where it can boot into Windows normally:

*Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Command Service or cmdService and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Close the Services utility.


* Run HijackThis again and have it fix:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?
O16 - DPF: …

DMR 152 Wombat At Large Team Colleague

Sorry- I didn't know that you had the newer, fuller version of ZA; that's cool, then.

DMR 152 Wombat At Large Team Colleague

I've edited my previous post to include some further detection and cleaning steps that you should probably perform just to make sure that there's nothing still lurking about in your system.

Go through those steps and then post the requested log files; it never hurts to be cautious....

DMR 152 Wombat At Large Team Colleague

Although I'm not a web designer, judging from a look at the source code of that OneTel page, I believe that the text in/on the page is static. Furthermore, comments visible in the page's source code seem to indicate that certain dynamic functions/elements of the page, such as truly checking your IP address, haven't been added (yet?).

In other words, I think that anyone who goes directly to the page you linked to is going to see exactly the same information, regardless of how they are accessing the page. (For instance, the page tells me that my IP address is also 10.240.245.241.)


However, as the "itunesff.exe" file is known to be a component of a rogue dialer infection, we should probably dig a bit deeper:

1. Download and install the following (free) utilities, but don't run them yet:

CCleaner - www.ccleaner.com
Ad Aware SE Personal - www.lavasoftusa.com

* Open Ad Aware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

* Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.

* Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run …

DMR 152 Wombat At Large Team Colleague

Zone Alarm is only a firewall, not an antivirus program; it can block unwanted network activity, but it doesn't detect and remove viruses or spyware.

I'd suggest downloading and installing the free AVG antivirus program; it works very well. It would also be a good idea to install Microsoft's antispyware program, which is also free. Both programs not only scan for and remove malicious programs, but they also monitor your system in real time and alert you the moment they encounter suspicious activity.

Since you've been running without any antivirus or antispyware protection installed, you should probably perform the following general detection and disinfection steps:

1. In addition to AVG and Microsoft Antispyware, download and install:

CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open AVG and use its online update function to make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

Open …

DMR 152 Wombat At Large Team Colleague

That log looks better, although I just noticed something: your log shows no indication that you have an anti-virus program running. What's the story there?

DMR 152 Wombat At Large Team Colleague

Can you describe the problem(s) in more detail please? There are only a couple of possibly suspicious entries in your log, but HijackThis isn't as effective at pointing out infections on Win 98 systems as it is on Win 2000 or XP systems.

DMR 152 Wombat At Large Team Colleague

I don't see the usual signs of that infection in your HJT log. Can you give us any further info/details to go on?

DMR 152 Wombat At Large Team Colleague

Hmm... you're right- the output of netstat isn't shedding any light on things as far as I can tell.

Since I can't definitively say if the proxy setting is legit, I'll leave it alone for the moment. What about the rest of the cleanup; were you able to complete that successfully? If so, post a new HJT log for us to review.

DMR 152 Wombat At Large Team Colleague

I'm pretty sure "StillMnt.exe" is a component of some webcam software. Do you have such software installed?

DMR 152 Wombat At Large Team Colleague

The problem could be caused by a number of things, including virus/spyware infections, software corruption/conflicts, hardware-related problems, etc.
Please give us as much background information as you can. The more details we have on the problem, the faster we can help you pinpoint the exact cause.

DMR 152 Wombat At Large Team Colleague

Yes- the type of filesystem you're dealing with (NTFS, FAT32, etc.) can definitely be a factor. Glad you got it worked out. :)

DMR 152 Wombat At Large Team Colleague

A) 127.0.0.1 is the "loopback" or "localhost" address, and it exists on any computer (regardless of OS) running the TCP/IP protocol. The ":81" is what I'm interested in, as that entry is telling the system to use an alternate network port (port 81) instead of the default HTTP port (80).

Zone Alarm may very well have configured the proxy; let's find out for certain:

* Open an MS-DOS window.
* At the command prompt, type netstat -aop tcp and then hit Enter. This will list your tcp connections.
* Look for the line with the localhost address listening to port 81. In the last column of that line, note the Process ID (PID).
* Now type tasklist /fi "pid eq xxxx" /v (include the quotes, and replace xxxx with the PID found by the netstat command). This will display the name of the process/program listening on that port.
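The port-to-process lookup described in the post, as an added example (not part of DMR's post): it parses the output of `netstat -aop tcp` to find the PID holding the 127.0.0.1:81 listener and builds the matching `tasklist /fi "pid eq xxxx" /v` command. The netstat text below is constructed sample output, not a capture from the poster's machine.

```python
"""Find which process owns the 127.0.0.1:81 listener that a proxy setting points at.

Parses `netstat -aop tcp` output (Windows format) offline, so it works on text pasted
into a forum post as well as on a live capture.
"""
import re
import subprocess
import sys

# Constructed sample of `netstat -aop tcp` output (not captured from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:81           0.0.0.0:0              LISTENING       1592
  TCP    127.0.0.1:1034         127.0.0.1:81           ESTABLISHED     2216
  TCP    192.168.1.10:1050      203.0.113.7:80         ESTABLISHED     2216
  TCP    [::1]:81               [::]:0                 LISTENING       1592
"""

# One netstat row: proto, local addr, foreign addr, state, pid. The local address may be
# IPv4 ("127.0.0.1:81") or bracketed IPv6 ("[::1]:81"); the port always follows the last colon.
ROW_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def listeners(netstat_output):
    """Return {(host, port): pid} for every row in LISTENING state."""
    result = {}
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue  # skip headers and established/closing connections
        host, port = split_endpoint(m.group("local"))
        result[(host, port)] = int(m.group("pid"))
    return result


def find_listener_pid(netstat_output, port, host="127.0.0.1"):
    """PID of the process listening on host:port, or None if nothing listens there."""
    return listeners(netstat_output).get((host, port))


def tasklist_command(pid):
    """The tasklist filter from the post, as an argument list for subprocess."""
    return ["tasklist", "/fi", f"pid eq {pid}", "/v"]


def live_check(port=81):
    """On Windows, run netstat for real and return the tasklist report for the owner, if any."""
    out = subprocess.run(["netstat", "-aop", "tcp"], capture_output=True, text=True).stdout
    pid = find_listener_pid(out, port)
    if pid is None:
        return None
    return subprocess.run(tasklist_command(pid), capture_output=True, text=True).stdout


if __name__ == "__main__":
    pid = find_listener_pid(SAMPLE_NETSTAT, 81)
    print(f"sample: 127.0.0.1:81 is held by PID {pid}; next run:",
          subprocess.list2cmdline(tasklist_command(pid)))
    if sys.platform == "win32":
        print(live_check(81) or "nothing is listening on port 81")
```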

DMR 152 Wombat At Large Team Colleague

Let us know if you need any help with the WiFi setup.

DMR 152 Wombat At Large Team Colleague

I just did a quick restore on my compaq mv500

"MV 500" is the model of your computer's monitor, not the model of the computer itself.

As tayspen asked, post the model of the Ethernet controller (or even just the model of the computer) and we can most likely provide you with a download link for the Ethernet drivers. You will have to download the driver software on another computer and burn it to CD in order to install it on your computer.

DMR 152 Wombat At Large Team Colleague

If the issue isn't with the fans:

The thermal transfer compound which is applied between the CPU's surface and the heat sink can dry out, or the heatsink itself can work itself loose; either may cause the computer to go into thermal shutdown.

Remove the heatsink from the CPU and make sure there is a decent covering of thermal paste on the CPU. If not, or if the paste appears dried and cracked, remove the old compound and apply new compound. "Arctic Silver" is probably the most recommended brand of thermal compound.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in quite a long time, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Please do the following on the problematic computer:

* Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.

* At the DOS prompt, type the following command and hit Enter. You won't see any result from the command, but when it completes a second prompt with a flashing cursor will be displayed; close the DOS box once that happens:

ipconfig /all >ipconfig.txt

* The above command will have created a text file on your desktop named ipconfig.txt; double-click on the file to open it in Notepad, and then cut-n-paste the file's contents in your next post.

DMR 152 Wombat At Large Team Colleague

I'll second sfbell's assessment. Although it's a relatively common boast in chat rooms, that kind of "I got your IP, now know all about you" drivel is BS, for just the reasons sfbell explained.

DMR 152 Wombat At Large Team Colleague

Many virus and spyware infections cripple your ability to run certain programs, and sometimes even make it impossible to run any programs.
The following fix may work for you; it restores "broken" .exe file associations in the Registry:

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

An explanation and brief instructions on using the xp_exe_fix file can be found here:

http://www.dougknox.com/xp/file_assoc.htm