DMR 152 Wombat At Large Team Colleague

I'm actually just signing off for the night right now (very early day at work tomorrow), so I'll have to give you a full response tomorrow...

DMR 152 Wombat At Large Team Colleague

I'm honestly not sure why things suddenly cleared up like that. I've been running across some unusually stubborn variants of the HS/CWS/etc. infections lately (including yours), and I get the distinct feeling that there is some new and well-hidden component to these beasties. Unfortunately though, I just haven't had the time to do any real research on the issue.

In terms of your best defenses against future infections, there are many useful suggestions in this thread.

If you use IE for general browsing, it's recommended that you tighten up its default ActiveX, scripting, etc. settings as described in the following two links:

http://bshagnasty.home.att.net/browsersettings.htm
https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm

Also- the free SpywareBlaster utility does a good job of blocking "unwanted guests" which exploit ActiveX controls and the like.

DMR 152 Wombat At Large Team Colleague

Looks good; glad we could be of assistance. Have a very, merry, virus-free holiday! :mrgreen:

DMR 152 Wombat At Large Team Colleague

Hi trevari, welcome to DaniWeb :)

1. I've moved your thread to the appropriate forum.


2. The problem you describe is a symptom of the SpySheriff/Smitfraud group of infections; here's the specific fix for regaining full functionality of your desktop properties:

- Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop.

- Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES.

- Reboot your computer; your display properties should be returned to normal.


3. As the others have suggested, post a HijackThis log for us to review:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The …

DMR 152 Wombat At Large Team Colleague

If i am allowed by the mods i will do it....

There's nothing wrong with giving a replacement copy of a file to another member.
The arrangement is obviously between the two of you though; we (the site) can't assume any responsibility if something goes "Kablooie" due to version mismatches, file corruption, etc.

DMR 152 Wombat At Large Team Colleague

I think you have to post this problem into Tech Thread :idea: .

Already done; a thread has been started in the viruses and spyware forum. :)

DMR 152 Wombat At Large Team Colleague

1. You posted your question in our viruses and spyware forum; is there any reason that you specifically suspect those to be the cause of your slowdowns?

2. Your description of the problems is pretty general; can you give us more specific details that might help us?

3. Please tell us exactly what (if any) steps you've already taken to try to solve or at least pinpoint the problems.

DMR 152 Wombat At Large Team Colleague

Is it back from the dead??

In full glory. It also brought a few of its zombie friends along with it. :(

Follow these SpySheriff removal instructions fully and completely.

- In section #10 of the instructions, where you uninstall SpySheriff through the Add/Remove Programs control panel, also uninstall the following programs if you see them listed:

180Search/180Solutions
Media Gateway
Surf Accuracy
Download Accelerator Plus (DAP) <- if you have the "free" version, which is adware.


- In section #13 of the instructions, where it indicates which entries to have HijackThis fix, also have HJT fix these additional entries (only fix the DAP entries if you've decided to uninstall the program):

R3 - Default URLSearchHook is missing
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm


Once you've performed the removal procedures, run HijackThis and post the new log for us to review.

DMR 152 Wombat At Large Team Colleague

1. There's only one entry I see in the latest log that I'm not liking:

C:\DOCUME~1\user\LOCALS~1\Temp\ins83.tmp

The above process hasn't been listed in any of your previous logs, and normal/legitimate programs shouldn't be running from Temp folders, so it could be indicative of something still lingering in the background.


2. There is something in the log that I am not seeing, but that I should be seeing. One of the tools I asked you to download and install was Microsoft Antispyware beta, but there are no indications in your logs that the program is running. Can you shed any light on that?


3. Do one (hopefully) final clean-up sweep:

- Open ewido and MS Antispyware and make sure they both have the most current updates installed.

- Reboot into Safe Mode again and:

* Run CCleaner.

* Run full system scans with ewido and MS Antispyware; have them fix all items they find. Save the new ewido scan report log.

* Empty the Recycle Bin and reboot normally.

- Once rebooted, run HJT and post the new log. Also post the new ewido log.

DMR 152 Wombat At Large Team Colleague

The log is clean, but are you sure you pasted the whole thing into the post? I'm pretty sure there should be a bit more info beyond the last " O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) -"

DMR 152 Wombat At Large Team Colleague

I see no signs of infections in your log, nor do I see anything else which looks like it might be the source of the problems.

Open the Event Viewer utility in your Administrative Tools control panel and have a look through your System and Application logs for entries flagged with "Error" or "Warning". If you find such entries, double-clicking on them will open a window containing more details. If you find any entries which seem like they might be related to your problems, post the full and exact contents of the details window(s).

DMR 152 Wombat At Large Team Colleague

Hi hateviruses123, welcome to DaniWeb.

A) C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


B)

I once had the virus that gave my desktop a blue screen and a black box in the center... after trying to right click desktop>properties>display tab, I am unable to change/click anything...

That's a side effect of the "Smitfraud" and "SpySheriff" infections. Please do the following:

- Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop.

- Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES.

- Reboot your computer; your display properties should …

DMR 152 Wombat At Large Team Colleague

Although we've disinfected many of the "nasties", there are still some that are being stubborn. Let's try a slightly different approach:


You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.

1. Download the Pocket Killbox utility and save it to your desktop or some other convenient folder. Don't run the program yet.


2. Close all open programs, especially web browsers, run HijackThis again, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pytaj.dll/sp.html#10001%everything4find.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pytaj.dll/sp.html#10001%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pytaj.dll/sp.html#10001%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pytaj.dll/sp.html#10001%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0407E660-52FB-E54C-3C68-5ABC0C1994F8} - C:\WINDOWS\javajf.dll
O4 - HKLM\..\Run: [apita.exe] C:\WINDOWS\system32\apita.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysbf32.exe" /s (file missing)

Once HJT completes the fixes:

- Click on the "Config" button in the lower right corner of HJT's main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Paste the following in the box and click OK (omit the …

DMR 152 Wombat At Large Team Colleague

Your HJT log is clean, but not all of the components of the particular infection that Norton is finding are reported in a HijackThis scan. Do a manual check to make sure the infected files have been deleted:

1. Reboot into Safe Mode again.

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

3. Delete the C:\WINDOWS\system32\hpdriver.sys file if it still exists.

4. Search for the following file; delete it if it exists: C:\WINDOWS\Ntfsprotect.exe

5. Empty your Recycle Bin and reboot normally.

6. Once rebooted, run another scan with Norton and see if it still detects the infection.

DMR 152 Wombat At Large Team Colleague

Off the top of my head, I can't think of anything else right now. You might want to post about this particular issue in a new thread in our Win 2000/XP forum, as it sounds like it may be totally unrelated to the spyware infections you had.

DMR 152 Wombat At Large Team Colleague

Hi DMR,
Power DVD is a programme from the new video card my children installed. Is it a bad programme?

The Cyberlink PowerDVD program as a whole is legit, but I definitely question the KGB Keylogger program which your log shows to be running from within the Cyberlink folder.
You may know this already, but keylogger programs are used to capture a user's keystrokes on a computer and save that information so that it can be reviewed by, or sent to, someone else. Obviously, unless you specifically installed the keylogger as a "parental control", you definitely don't want it installed on your computer.

If you know nothing about the keylogger:

- Leave the Cyberlink software installed for now.

- Have HijackThis fix the "[winlogons.exe]" log entry to disable the keylogger component.

- Follow my instructions concerning removing "mstool.exe".

- Reboot the computer, run HijackThis again, and post the new log.

DMR 152 Wombat At Large Team Colleague

I tried the usual f2 ...

I think F10 is the BIOS access key on the 1500 series; try that. Remember that you only have a window of a couple seconds to hit that key. If you don't press the key in time, the system will continue booting normally and you'll have to restart and try again.

Once in the BIOS, the boot-order settings should be in the System section of the setup pages.

DMR 152 Wombat At Large Team Colleague

Let's see if we can remove the leftovers:

1. Open your Add/Remove Programs control panel and uninstall the Cyberlink/Key Logger software if you see it listed there.

2. Run HJT again and have it fix:

O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe

3. Reboot into Safe Mode again.


4. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the C:\WINXP\System32\mstool.exe file.

- Delete the following folder entirely:

C:\Program Files\CyberLink


5. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new (and hopefully final) log.
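As an added example (not DaniWeb's, DMR's, or HijackThis's own code), here is a small Python triage script that applies the checks made in this post and in the earlier HijackThis-log posts above: processes running from Temp folders, start/search pages redirected to a res:// DLL resource, a missing default URLSearchHook, Run entries and services pointing at files the thread told users to remove, services whose binary is reported missing, and service names padded with non-printable characters. The sample log is constructed from the entries quoted in those posts plus two clean lines (svchost.exe and an "Example Service") added for contrast; the two watchlists are assumptions filled only with the filenames and hostnames named in the posts.

```python
import re

# Constructed sample log: HijackThis-style lines quoted in the posts above, plus two
# clean entries (svchost.exe and the "Example Service" line) made up for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ins83.tmp
C:\DOCUME~1\SADHWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pytaj.dll/sp.html#10001%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0407E660-52FB-E54C-3C68-5ABC0C1994F8} - C:\WINDOWS\javajf.dll
O4 - HKLM\..\Run: [apita.exe] C:\WINDOWS\system32\apita.exe
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\svc.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysbf32.exe" /s (file missing)
"""

# Analyst-supplied watchlists (assumed): the files and hosts the posts above told users to remove.
FILE_WATCHLIST = {"apita.exe", "mstool.exe", "winlogons.exe", "sysbf32.exe",
                  "javajf.dll", "pytaj.dll", "ntfsprotect.exe", "hpdriver.sys"}
HOST_WATCHLIST = {"hsremove.com", "everything4find.com"}

TEMP_DIR = re.compile(r"\\Temp\\", re.I)                       # any ...\Temp\... path component
FILE_RE = re.compile(r'([^\\/"\[\] ]+\.(?:exe|dll|sys|tmp))', re.I)  # bare file names in a line
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def on_file_watchlist(text):
    """True if any file name in the text is on the analyst watchlist (case-insensitive)."""
    return any(f.lower() in FILE_WATCHLIST for f in FILE_RE.findall(text))


def triage(log_text):
    """Return a list of (reasons, line) findings for a HijackThis-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if re.match(r"^[A-Za-z]:\\", line):            # "Running processes:" section
            if TEMP_DIR.search(line):
                reasons.append("process running from a Temp folder")
        elif line.startswith(("R0 - ", "R1 - ")):      # IE start/search page entries
            if "res://" in line:
                reasons.append("IE start/search page points at a local res:// DLL resource")
            if any(h.lower() in HOST_WATCHLIST for h in HOST_RE.findall(line)):
                reasons.append("IE start/search page host is on the watchlist")
        elif line.startswith("R3 - ") and "missing" in line:
            reasons.append("default URLSearchHook missing")
        elif line.startswith("O2 - ") and on_file_watchlist(line):   # browser helper objects
            reasons.append("BHO file is on the watchlist")
        elif (m := RUN_RE.match(line)):                 # autostart Run entries
            if TEMP_DIR.search(m["cmd"]):
                reasons.append("Run entry launches from a Temp folder")
            if on_file_watchlist(m["cmd"]):
                reasons.append("Run entry launches a watchlisted file")
        elif (m := SERVICE_RE.match(line)):             # NT services
            if "(file missing)" in m["path"]:
                reasons.append("service binary reported missing")
            if re.search(r"[^\x20-\x7e]", m["display"] + m["name"]):
                reasons.append("service name contains non-printable or non-ASCII characters")
            if on_file_watchlist(m["path"]):
                reasons.append("service binary is on the watchlist")
        if reasons:
            findings.append(("; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for reasons, line in triage(SAMPLE_LOG):
        print(f"[{reasons}]\n    {line}")
```

Run it with the constructed log and it reports ten findings while leaving the svchost.exe process and the "Example Service" line untouched; point `triage()` at a real hijackthis.log file's contents to use it on a posted log. The watchlists are the weak point of this approach (they only know what an analyst has already seen), which is why the structural rules (Temp-folder paths, res:// redirects, missing binaries, garbage service names) are kept separate from them.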

DMR 152 Wombat At Large Team Colleague

I'm not actually sure what's going on with the desktop settings. Can you effect any changes by right-clicking on the desktop, choosing "Properties" from the resulting drop-down menu, and "twiddling" with any of the settings under the tabs there (Themes, Desktop, etc.)?

DMR 152 Wombat At Large Team Colleague

Sorry, I meant the link in my first post.

DMR 152 Wombat At Large Team Colleague

...but i think this has got nothing to do with virues or spyware

Neither do I, actually.
I would start by having a look through your System and Application logs for any entries flagged as "Warning" or "Error". Such entries might help you narrow down the offending component(s). You can view the logs through the Event Viewer utility in your Administrative Tools control panel.

DMR 152 Wombat At Large Team Colleague

also post the http://www.majorgeeks.com/download3155.html Log

As the Announcement posted at the top of this forum indicates, HijackThis logs should only be posted in our Viruses, Spyware, and other Nasties forum.

DMR 152 Wombat At Large Team Colleague

First of all get rid of that Norton Antivirus

U have Windows XP with SP2 then why do u need Google toolbar

:rolleyes:


madspook,

I see no signs of malicious infections or other problems in your log. Can you describe your connection issue(s) in more detail please? The more information we have concerning the problem, the faster we'll be able to help you get it solved.

DMR 152 Wombat At Large Team Colleague

Hi pinkbee, welcome to DaniWeb :)

You have quite a few "unwanted guests" listed in your HijackThis log. Please perform the following general cleaning procedures; they should clean up most, if not all, of the infections:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

(It is suggested that you uninstall the Wild Tangent and WeatherBug programs using your Add/Remove Programs control panel)


1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the …

DMR 152 Wombat At Large Team Colleague

You have a few different "unwanted guests" listed in your log. Please do the following:

- Open your Add/Remove Programs control panel and uninstall these programs if they appear in the list of installed programs:

My Way/My Search/My Bar
Wild Tangent
BrowserAid
BrowserPal
CashToolbar
Web Toolbar
iSearch
If you did not knowingly install the "CrazyTalk" program, remove that as well.

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Anti-virus and use its LiveUpdate feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, but don't run it yet.


4. …

DMR 152 Wombat At Large Team Colleague

Donations are made through PayPal; if you click on the link in my post it will take you to the page where you can begin the process.

DMR 152 Wombat At Large Team Colleague

Hi nooklogan,

First of all- welcome to TechTalk :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your HijackThis log in that thread. Once you start the new thread, we will assist you there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

A little paranoia can be a Good Thing when it comes to infections :mrgreen:

DMR 152 Wombat At Large Team Colleague

Pretty obscure little bug, isn't it?
Glad we could help you get it sorted :)

DMR 152 Wombat At Large Team Colleague

What exact version of Word were the old documents created with?

DMR 152 Wombat At Large Team Colleague

The stars indicate that a member is part of the DaniWeb staff; a moderator, super moderator, or administrator.

Staff members can also customize their user title, and so can members who help sponsor the site by donating $5 or more. More info on site sponsorship can be found here.

DMR 152 Wombat At Large Team Colleague

my children didn't know I was trying to fix the problems and installed a new graphic card and some new software.

Ah, children- that explains it...

I notice that some of the lines I fixed before appear again.

Yes, that means that we haven't fully removed all of the infection yet.

- Can you give us more details about the ewido crash? Does it crash at a specific point in the scan (when scanning a particular file, for example)? Are there any error messages? Try uninstalling ewido and reinstalling it; it would really be helpful to have the program working properly.

DMR 152 Wombat At Large Team Colleague

Are you sure? The moderator's notes for this thread do say that it was moved here from another forum.

DMR 152 Wombat At Large Team Colleague

Hi TheGu3st, welcome to DaniWeb :)

Before we start to remove the infection, there is one thing you have to take care of first:

C:\DOCUME~1\SADHWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process …

DMR 152 Wombat At Large Team Colleague

Error 39 is one of the error codes associated with the Registry issue I've mentioned, and the fact that you're getting the error for both drives simultaneously makes it less likely that the drivers are truly corrupt or missing.

Please read and follow the instructions in the Microsoft article I linked to carefully; if you find "upperfilters" and/or "lowerfilters" entries in your Registry, there's a very good chance that the described fix will work. Please ask questions before doing anything that you are unsure of though, as incorrectly editing the Registry can make matters worse.

DMR 152 Wombat At Large Team Colleague

Please post the exact errors from Device Manager, including the error codes (if they're given).
If you read the Microsoft article referenced in the post I linked to above, you'll see that certain CD/DVD driver errors in Device Manager are indicative of the Registry problem described in the article. The problem will not be fixed by reinstalling the drivers.

DMR 152 Wombat At Large Team Colleague

All looks good!

Your HijackThis log is clean now, and the report from ewido shows that ewido found and deleted a handful of other "nasties" that were lurking in your system. :)


Does everything seem to be functioning normally now?

DMR 152 Wombat At Large Team Colleague

- Close Internet Explorer.
- Open your Internet Options control panel.
- Click on the Security tab.
- Select/hilight the "Internet" zone.
- Click the "Custom Level..." button to open the Security Settings window.
- Scroll down the list of Settings to the "ALLOW META REFRESH" option and make sure it is set to "Enabled".
- Click OK in the Security window and then click OK in the main Internet properties window.
- Open Internet Explorer again and see whether or not the problem still occurs.

DMR 152 Wombat At Large Team Colleague

I agree with chrisbliss18's diagnosis; the clicking noise is the telltale sign.

If you really need to recover data from the drive, but cannot get it to come alive, you can try this.

DMR 152 Wombat At Large Team Colleague

Are the drives listed in Device Manager, and if so, are they reported to be working properly?

Also- there is a documented problem with "disappearing" CD/DVD devices in Windows. Please see this post for more info and a possible solution.

DMR 152 Wombat At Large Team Colleague

i got it wrecked

How? If you physically damaged the unit, it isn't really worth trying to repair it considering the fact that the things only cost about $65 USD new.

DMR 152 Wombat At Large Team Colleague

Do you have any third-party security/privacy software installed (Norton, McAfee, etc.)? If so, that software may be blocking the images; check the program's options/settings.

DMR 152 Wombat At Large Team Colleague

What's the specific error that you get and what is giving the error?

Yes. Please tell us the exact error you receive; also tell us which version of Windows you are using.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in almost two years, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hi JR5600,

First of all- welcome to TechTalk :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

i couldnt get u plz b more clear

Alex is saying that your question was originally posted in our Networking forum for some reason, but he moved it to this forum because the question/problem is not related to networking.

DMR 152 Wombat At Large Team Colleague

Is it just your web browser that can't access the 'Net, or do you have no Internet access at all? The firewall component of Norton Internet Security gets "confused" sometimes, blocking some or all legitimate network traffic.

First- try uninstalling the entire Norton package and reinstalling it. If that doesn't work, this topic on Symantec's support site pretty much covers the possible causes and remedies for the problem.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in more than a year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.