DMR 152 Wombat At Large Team Colleague

Should I just leave my computer on tonight so as to not give the files a chance to 'transform' into another file?

If possible, yes.

Am I compromising our network here at work in any way?

Possibly; spyware and adware infections do not spread over networks, but viruses/trojans/worms obviously do. However, if your machine is infected by a network-spread infection, chances are very good that you're not the only one (or the first one) who's been hit.

DMR 152 Wombat At Large Team Colleague

I'm pretty sure tnluj.exe is responsible for that

It's more than that... :(

You said that you've already run SpyBot and Ad Aware, so please do these additional things:

You'll want to print these instructions out or save them into a text file with Notepad; you'll be disconnected from the Internet for much of this.

1. Download the trial version of Ewido Security Suite here:
Install it, and update the definitions to the newest files. Do NOT run a scan yet, though; just close the program once it finishes updating.


2. Download Microsoft AntiSpyware beta. As above, install and update the program, but don't run it yet.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, …

DMR 152 Wombat At Large Team Colleague

OK- the dllcompare log is clean, but it will take me a bit of time to snuffle through all of those Startdreck entries; please hang in there.

DMR 152 Wombat At Large Team Colleague

1.

it is a dell 4500

Dell often installs a hidden diagnostic partition on their drives, which you can access by hitting the F12 key just as your computer first starts up. However, the diagnostics they provide may or may not help with your particular problem.

As I asked before: what exactly are you trying to fix with msconfig?


2. msconfig should live in your C:\Windows\PCHealth\HelpCtr\Binaries folder; look for it there.

DMR 152 Wombat At Large Team Colleague

Thanks for such a fast reply

You're welcome. :)

Please download ESS3remove.zip and unzip it into a folder of its own.

Double-click on the ESSremove.bat file to run it. Reboot after that, and post a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

*Groan*

Most (if not all) of the files you gave the screenie of are malicious, but don't go randomly deleting things yet.

Time to probe a little deeper; the "KavSvc" entry can be a real bear to remove. Please do the following:

1. Download: "StartDreck", from here:

- Unzip to its own folder and start the program,
- Press 'Config'
- Press 'Unmark All'
- Check the following boxes only:
In this section >System/drivers
[x] Running processes
[x] list modules
[x] NT services
[x] List binaries
[x] NT kernel and FS drivers
- Press 'Ok'
- Press 'Save' and select the location to save the log file
(default is the same folder as the application)
- Close the program.


2. Download DllCompare

Run Dllcompare, click the Run Locate.com, then click the Compare button.

When done, post that log here along with the Startdreck log.

Do not reboot your system until we're done; some of the names of malicious files in those logs can change their names on reboot!!

DMR 152 Wombat At Large Team Colleague

I have the Smitfraud virus on my computer, and probably many other problems as well. I ran Hijackthis and my log is 413 pages long!!!

What?!
Are you using a 568-point font in Notepad or something?? :mrgreen:

Do you have similar, repeating entries that are filling up the log? If so, please just post a couple of samples of those entries, and then separately post the rest of the log.

DMR 152 Wombat At Large Team Colleague

There are one or two hidden files which will keep bringing the Martfinder hijack back to life if you don't fully remove the infection. Please do the following so that we locate those files:

Download: "StartDreck", from here:

Unzip to its own folder and start the program,

Press 'Config'

Press 'Unmark All'

Check the following boxes only:
In this section >System/drivers
[x] Running processes
[x] list modules
[x] NT services
[x] List binaries
[x] NT kernel and FS drivers

Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Exit StartDreck and post the log in this thread.

DMR 152 Wombat At Large Team Colleague

1. You need to take care of one thing before we proceed:

C:\Documents and Settings\Admin\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. I see reference (the "010" entry) to the BulletProof "anti-spyware" software in your log; uninstall that program. In addition to the fact that the product itself is of dubious reliability, the Bulletproofsoft company actually partners with known adware distributors and bundles that adware with downloads from the bulletproof.com site.

Before downloading/buying/installing any product touted as an anti-spyware/anti-adware program, you should consult the list of reputable vs. disreputable utilities at the following site:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


3. Download and run LSPFix.

In LSPFix, if you see a file named "apptoport.dll" listed in the left-hand Keep column, …

DMR 152 Wombat At Large Team Colleague

600k?! Holy cow! Won't hear me complaining about it anymore LOL

:mrgreen:

Thanks for viewing my log :cheesy: I just wanted to make sure!

No problem at all; you're welcome.

DMR 152 Wombat At Large Team Colleague

Very good; glad we could help. :)

Could you please post one final HJT log so that we can review it and sign it off as "clean"? Thanks.

DMR 152 Wombat At Large Team Colleague

Sorry, Crunchie is right- a lot of people are having problems with the nailfix download from the usual site. If Crunchie's link doesn't work, here's another alternate NailFix.zip download link.

DMR 152 Wombat At Large Team Colleague

Judging from those logs, it looks like the fix worked.
Is drpmon.dll still detected on your system, or is it gone now?

DMR 152 Wombat At Large Team Colleague

I can't tell you what cables, etc. you need to put a drive in the external case, because I have no idea what kind of case you have. Is it firewire or USB? Is the internal drive connector meant for a laptop (2.5") drive or a standard 3.5" drive? Does the case have any cables with it at all?

You obviously can't directly connect the two drives together without a computer, but you can certainly connect them both to USB connectors on the same laptop and drag files from one to the other in Explorer (without copying them to the laptop's internal drive first).

The choice of which utility to use is really your decision; it depends on how familiar and/or comfortable you are with these types of procedures. If you're new to this stuff and your drive manufacturer has recommended a certain utility, you might want to take their advice. Quite honestly though, I am not going to tell you which utility you should use, because there's a chance that any of the utilities could do something that makes matters worse, and I don't want to get blamed if something goes wrong. :cheesy:

I will tell you this though: if your data is at all valuable, it would probably be a good idea to pay a local service technician to perform the recovery. Data recovery involving partition manipulation and filetable repairs can be dangerous and complicated; it is not something that you should attempt yourself if …

DMR 152 Wombat At Large Team Colleague

Did you scroll down? The answer to that is visible on my PC, and I'm most certainly NOT logged in there!

Exactly. You don't have to subscribe; just scroll further down the page to view the thread.

DMR 152 Wombat At Large Team Colleague

1.

i wanna know what does any of this process running do, can u tell me please?

The following site will give you a description of most (if not all) of the processes you have questions about. It will also usually tell you whether or not it's necessary to have a given process auto-run every time Windows starts:

http://www.processlibrary.com/


2.

wuauclt.exe wasn't running anymore

wuauclt.exe is the component responsible for handling Windows' Automatic Update feature. This process will activate itself at certain times to check for (and automatically install, if you have it set to do that) updates at Microsoft's site.


3.

then if that happens i'll go for alg.exe maybe that one is the one

Be careful with that: alg.exe is a core Windows component needed by Windows Firewall and Internet Connection Sharing. If you use either of those features, you will need to leave that process running.


4.

it says LOCAL SERVICE, what's that mean?

Mostly for security reasons, XP runs different services/processes under different, system-level accounts; Local Service and Network Service are two of these accounts. Like the Administrator account and normal user accounts, these system-level accounts have different permissions and privileges; running groups of services under a certain system account provides a way to grant or deny those services different "powers" over the system.


5.

...i also have one instance of svchost running and it says LOCAL SERVICE...

svchost is sort of …

DMR 152 Wombat At Large Team Colleague

Hi ElectricElmo, welcome to the site :)


Your log shows signs of a BargainBuddy adware/spyware variant, as well as at least one trojan infection.

For a pretty thorough cleaning, try this:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but …

DMR 152 Wombat At Large Team Colleague

Glad we could help you get it sorted. :)

Here's some info about the first error:
http://support.microsoft.com/default.aspx?kbid=837115

The second error is obviously an AIM crash, but I can't find any info on the "yaplock.dll" file.

The third error is related to a broken/missing component of Microsoft Money, but I can't identify the exact component that the "'{F3849C77-E20F-11D4-8CC5-0050DAD32D95}" identifier relates to. You might want to do a repair or reinstall of Money if the program is giving you any noticeable trouble.

DMR 152 Wombat At Large Team Colleague

1. The "backups" folder is created by HijackThis automatically. It contains info to restore the changes HJT makes in case you accidentally "fix" something you shouldn't have.

2. Your latest log is clean, but if you still find your CPU usage spiking, look in the Processes tab in Task Manager and see if you can identify which exact program/process is responsible.

DMR 152 Wombat At Large Team Colleague

drpmon.dll is part of the evil Aurora infection that's making the rounds lately. Please follow the instructions below fully and carefully to (hopefully) remove the beast:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

O2 - BHO: (no name) - {E0B6B505-10D0-2AD3-537D-D8E7472D0E13} - …

DMR 152 Wombat At Large Team Colleague

To begin with, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

No sweat- I didn't take it as sarcastic at all. :)

DMR 152 Wombat At Large Team Colleague

The "missing CCL30.DLL" could indicate a viral infection, and your log certainly shows that you are infected by a few things.

Before starting any fixes though, there are a couple of things you need to take care of:

1. C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before actually fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


3. Run some (or all) of the following recommended virus/spyware detection and removal tools; they should clean up a lot of the infections:

DMR 152 Wombat At Large Team Colleague

Your log is clean. :)

1. 17K isn't bad for the winlogon process; I've seen it chew upwards of 600K on perfectly healthy machines.

2. The Winlogon Notify reg entries are legit. igfxsrvc.dll is a software component for Intel's accelerated graphics hardware; opxpgina.dll is part of OmniPass' secure password management software.

DMR 152 Wombat At Large Team Colleague

Good work- I see no signs of infections in your latest log. :)

There are a few (non-malicious) loose ends though:

1. Do you know what these entries reference; I'm not familiar with them?:

O9 - Extra button: (no name) - {779844B5-6D28-414C-ABF1-8397EBE7B048} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BAF775D7-142D-4EB3-B72D-38BC6B302274} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)

If they relate to a program that you've uninstalled, have HijackThis fix the entries.


2. These are non-malicious entries, but they're also optional, non-critical processes which don't need to be automatically started every time you boot Windows. Disabling them can speed up Windows start-up and free up a bit of system resources. You can have HJT fix the entries if you want:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

DMR 152 Wombat At Large Team Colleague

It's not there. I've had the "Show hidden files", etc. checked in normal mode for a couple of days now.

OK; just wanted to double-check.

My guess is that there is a component of the infection which has hidden from our scans so far that is "respawning" the infection. We may need to try a couple of other scans/fixes, but do the above steps first, post a new HJT log, and we'll take it from there.

DMR 152 Wombat At Large Team Colleague

1. Try whatever things I suggested above that you haven't had a chance to try yet.

2. I notice that you have the Zone Alarm firewall installed. Firewall software often gets a bit "flaky" or even corrupted, and if so, will interfere with your connection. Try disabling Zone Alarm entirely and see if that clears up the connection problem.

3. Check your system log files to see if Windows is recording any error messages related to the connection drops in those logs:

Open the Event Viewer utility in your Administrative Tools control panel.

In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to network errors, post the full and exact contents given in the detail windows.

4. Does your computer connect directly to your DSL modem? If so, is the connection via an Ethernet cable, or USB?

If you have a router installed between the computer and the modem, please tell us the exact make/model of the router.

5. There are some other things we can check out as well, but let's start with the above and see what we get.

DMR 152 Wombat At Large Team Colleague

as for installed diagnostic tools i have no idea i wasnt made aware of any

What is the make/model of the computer?

DMR 152 Wombat At Large Team Colleague

Ok- here's the Aurora fix; it should also clean up some of the other nasties as well. Please follow the instructions below carefully and fully:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 …

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help you get it sorted so easily. :)

DMR 152 Wombat At Large Team Colleague

Good- that's a cleaner log. There's still a bit more to do, though:

You should print these instructions out or save them into a text file, because you will need to disconnect from the Internet for this procedure.

1. Run HijackThis again and make sure to close all other open programs. Put a check mark in the boxes next to the following HJT entries, and then click the "Fix checked" button:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [anlllgc] C:\WINDOWS\system32\aybtfp.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following file:
C:\WINDOWS\system32\aybtfp.exe

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. …

DMR 152 Wombat At Large Team Colleague

Almost everyone I know that has the Norton Anti-Virus 2005 (or read on the internet) has had problems with this.

Yeah, corruption problems like that seem to be becoming more common in the packages from both Norton and McAfee as those companies keep making bigger, more "feature-filled" versions of their products.

Regardless of how you got it sorted out, I'm glad you did. :)

DMR 152 Wombat At Large Team Colleague

it's back in my Hijack This log, however it's not in my Windows\System32 Folder.

The settings you made in Safe Mode to have Explorer show hidden files and folders don't carry over when you reboot into normal mode. Repeat the steps below and see if hjharl.exe becomes visible. Let us know the result:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Let's try this another way. You will need to print out these instructions or save them into a text file:

1. Download and install CCleaner, but do not run it yet.


2. Download The Pocket Killbox and save it someplace convenient (your desktop is fine). Again, don't run the program yet.


3. Reboot into Safe Mode again and set Explorer's view settings to show hidden files/folders.


4. Run HijackThis again and have it fix:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run


5. Disable System Restore:

- Right-click on the My Computer icon on your desktop and choose the "Properties" option.

- In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

- Click "Yes" in the resulting confirmation box. You may …

DMR 152 Wombat At Large Team Colleague

Hi quigley,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Still not showing any service packs as being installed.

Agreed. If your system had all current updates installed, the following log entries should have changed to reflect that:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

DMR 152 Wombat At Large Team Colleague

crikey... sounds like you've got some kinda nasty lurking about in there thats corrupting your system.

Unfortunately, that's a possibility. There are malicious infections which cripple or disable utilities like msconfig, Task Manager, etc. in order to make it harder to detect/remove the infections. :(

- Why are you trying to use msconfig in the first place?

- Have you been able to run any anti-virus/anti-spyware scans to eliminate the possibility of malicious infections?

- Without the original install CD, you are somewhat schrod in terms of repair options. However, many systems with pre-installed versions of Windows offer alternatives such as a separate restore/recovery partition or other diagnostic tools. Does your system include such options?

DMR 152 Wombat At Large Team Colleague

can you tell me how "install the drive as a slave drive in another computer and back up your data to that computer" and i will be backing up my data on a laptop so is that possible to do that?

Do you mean that the problematic computer is a laptop, or that the computer that you want to back up to is a laptop?

Connecting a problematic desktop (3.5") drive to a laptop can be done, but it would involve extra hardware (like an external USB or Firewire drive enclosure), and it could give you a fight. However, if the problematic drive is the laptop drive, and you have a desktop machine to put it in, all you need is a 2.5"->3.5" IDE adapter, which only costs about $10 USD.

this is what the error message for the external hd corrupted volume says:
this disk (or volume) is unaccessible
the disk STRUCTURE is corrupted or unreadable.

can you tell me what this means please

*Groan* Unfortunately, yes- it indicates Boot Record/Partition Table/File Table corruption. :(

Fixing the corruption could be difficult, and there's no guarantee whatsoever that rescue attempts will not render the entire drive unreadable.

- If you can still access one of the partitions, get the data off of it before attempting anything. Also prepare yourself for the fact that whatever lives on the corrupted partition may not be recoverable at all.

- There are numerous things you can try …

DMR 152 Wombat At Large Team Colleague

Award BIOSes have relatively few beep codes, but a single longish beep is supposed to be indicative of a problem with RAM. Keep in mind though that many computers normally emit a single beep at startup (although that beep is usually of a shorter duration).

- Given that you're having random crashes, I'd check out the RAM first:

1. Open the case, fully remove all RAM modules, and examine the modules and the RAM sockets on the motherboard for damage. If all looks good, firmly reinsert the RAM, reboot, and see if the system performs any better.

2. If not, you should "stress test" the RAM with the memtest86 utility, which is freely downloadable here. Memtest is a stand-alone program which runs off of a bootable floppy or CD, meaning that Windows isn't involved in the testing process at all (memtest is Linux-based).

I'd suggest letting memtest run for 4+ hours for the most thorough results.


- Your CPU and case temperatures are fine.

- The "SETPATH" line you see flash by is coming from the DiskKeeper (not DeskKeeper) utility. DiskKeeper adds that line to your autoexec.bat file; to see it appear on the screen at boot is normal.

DMR 152 Wombat At Large Team Colleague

...dang registry messup strikes again.

Yeah, that's a really obscure one, isn't it?

Glad we could help you get it sorted out so quickly. :)

DMR 152 Wombat At Large Team Colleague

Do you have the program "Spyware Doctor" installed, by chance? If so, uninstall it and see if the errors go away; the runtime error is a known issue with Spyware Dr. and Win 98/ME systems.

DMR 152 Wombat At Large Team Colleague

it shows C:\Windows.....Nortonxxxx on line

Is "Nortonxxxx" really what the message shows, or does it give an exact filename? Since the filename points to Norton, I'd try uninstalling and reinstalling Norton; it sounds like one of Norton's driver files got corrupted, or the installation didn't complete correctly.

DMR 152 Wombat At Large Team Colleague

Perhaps you could try locating and reinstalling a device driver for the Cirrus Logic display card?

Yes, try that. I've seen exactly what you describe happen even when Device Manager reports that the video card is functioning and the correct driver is in use. Downloading and installing a new copy of the driver solved the problem.

DMR 152 Wombat At Large Team Colleague

Not certain if Win 98 will edit the Windows 2000 boot.ini file so that the second device shows up properly in the boot loader menu.

Nope, it won't.

DMR 152 Wombat At Large Team Colleague

What version of Windows?

Msconfig doesn't exist in Win 2000, but in 98 and XP, click on the "Run..." option under your Start menu, type msconfig in the resulting "Open:" box, and then hit the OK button.

DMR 152 Wombat At Large Team Colleague

matthell,

Could you please post one final log for us to review so that we can make sure that everything is really clean?

Thanks.

DMR 152 Wombat At Large Team Colleague

OK- That log is looking good; finish going through the steps Crunchie posted and post one (hopefully) last log for us to review.

DMR 152 Wombat At Large Team Colleague

Hi jol102001,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

" PXE-E61: media test failure..."

That indicates that your system is trying to do a network boot, and it's doing that because it doesn't see a valid local boot drive. Given the clicking noises you're hearing, combined with the network boot attempts, there's a good chance that your drive is going South. The loud clicking sounds are usually caused by the head actuator mechanism as it repeatedly tries to engage, but keeps failing to do so.

Try booting from the Windows installation CD. If it does boot from the CD, run the repair utility from the CD and see if it at least recognizes the internal hard drive.

I would not suggest backing up your data onto the external drive if you already know that the external drive has problems too; that's not a reliable backup strategy. If possible, install the drive as a slave drive in another computer and back up your data to that computer.

DMR 152 Wombat At Large Team Colleague

1. rkfiles doesn't give you any feedback when it creates its log; it just makes a log file in your main C:\ folder called "log.txt". Open the log.txt file in Notepad and copy the contents into a post here.


2. svchost.exe is a valid Windows system file which manages other groups of Windows components. Because of that, it isn't unusual to see multiple instances of svchost running, or to see one instance of it spike your CPU usage.
Update.exe could be legit, but it's a common filename and could be part of your adware infections.


3. Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the following files:
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\hjharl.exe

- Delete the following folder entirely:
C:\Program Files\Cas

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete …

DMR 152 Wombat At Large Team Colleague

I don't know if these are the exact "nailfix" instructions you used before, but even if so, please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and …