DMR 152 Wombat At Large Team Colleague

OK- but in the meantime, please buy your girlfriend more RAM. :)

Here's a serious question in that regard though: Is 64M really the total amount of RAM in her system? You would have to crack open her computer's case to verify that, but XP will barely run (if at all) on that amount of RAM.

DMR 152 Wombat At Large Team Colleague

Those errors as a whole do not sound good, and may be indicative of failing hardware :(

It would help if we could have the full and exact content of the Stop errors, but in the meantime:

Some general info on Stop error 0x00000024:

http://www.google.com/search?q=windows+stop+error+0x00000024&btnG=Search&hl=en&lr=

and the same for Stop error 0x00000050:

http://www.google.com/search?hl=en&q=windows+stop+error+0x00000050&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

Hi sanperry,

One thing about your posts: you appear to be starting a new thread for each of the responses you post, as opposed to replying to the thread you originally started. You need to make sure to post your replies in the original thread, as it will be very difficult to track our troubleshooting progress otherwise.

That said though, your latest log looks clean to me now. Are you still experiencing problems, or do things seem to be fixed now?

DMR 152 Wombat At Large Team Colleague

Hi rushyx, welcome to the site :)

The "smitfraud" and "Security iGuard" infections are related, and you have both.

Please follow the removal instructions in the link below and then repost here with a new HijackThis log and an update on whether or not you see an improvement after performing the fixes:

http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_WindowsFY-t17258.html


*** Please note that all of the files mentioned in the above fix might not exist on your particular system, as the infection has a few variations. If you cannot find and/or delete any of the files mentioned in the link, let us know that as well.

DMR 152 Wombat At Large Team Colleague

Log is still clean. :)

Let us know if you're still getting popups or not. HJT is a great tool, but it isn't supposed to detect and remove all of the possible infections out there. If you are still having problems there are other things we can do to get rid of them.

DMR 152 Wombat At Large Team Colleague

Can you give some detail on a couple of things I mentioned earlier please?:

If you have any anti-virus or firewall software installed, temporarily disable it entirely; those programs are known to cause such behaviour in Outlook.

Did anything else happen around that time that might be related to the problem, or are you noticing any other odd behaviour with the system?

Can you even ping the server from the problematic computer? Open a DOS box again, try both of the ping commands below, and tell us the results:

ping your pop server's name

ping your pop server's IP address


You should get 4 positive responses from each command if they work.

DMR 152 Wombat At Large Team Colleague

That looks like a clean log, although that doesn't necessarily mean that you're infection-free.

What (if any) of the original problems are you still experiencing?

DMR 152 Wombat At Large Team Colleague

So all is well now, yes?

It's OK if you can't tell us exactly how things worked out...

DMR 152 Wombat At Large Team Colleague

The first question to ask in that regard is: why do you want to do a flash upgrade to the BIOS in the first place?

If you aren't currently experiencing any of the specific problems that the particular flash upgrade is said to fix, you shouldn't perform the procedure. If a BIOS upgrade goes wrong it could, at the worst, pretty much render your system unusable. In other words, it's not something that should be done just because you find a new version available.

DMR 152 Wombat At Large Team Colleague

But do you have any idea what's wrong with these device drivers? I remember updating them about a month and a half ago and even then I was still getting errors about them. Thanks

You would have to tell us exactly which drivers were giving you errors, but if you can do that it's pretty likely that we can help.

DMR 152 Wombat At Large Team Colleague

You're confusing a couple of terms that are important to your particular problem: AP (access point) and Router; the two devices are quite different. An AP enables wireless devices configured for a given network/subnetwork to access the wired portion of that same network/subnet, while a router is used to connect computers (wired or wireless) on two different networks.

1. The Linksys BEFW11S4 is not an access point, it is a full-fledged wired/wireless router; if you were using a true Access Point such as a Linksys WAP11 or WAP54G you wouldn't have the issues you're running in to.

2. The BEFW11S4 has remote access/administration disabled by default (IIRC). That means that because you're trying to connect to the BEFW11S4 from computers connected to the Prolink and via the BEFW11S4's WAN port, your requests to the BEFW11S4's configuration on that port are considered to be "remote", and access will be denied.

3. Being a true router, the WAN-facing side of the BEFW11S4 can be configured to obtain its IP settings from your Prolink via DHCP, while still acting as an independent/second NAT-capable DHCP server for the computers connected to its LAN-facing side. The default DHCP configuration of Linksys routers is to assign IP addresses in the 192.168.1 range to computers connected to its LAN side, so this automatically places the machines behind the Linksys on a different network than those connected to your Prolink.

There lies the basis of your problem. Ideally, you want all of your computers to …

DMR 152 Wombat At Large Team Colleague

Well, that was fast.

And- Congratulations, you definitely have unwanted guests... :(

Let's start with the following:


1. C:\Program Files\Internet Explorer\iexplore.exe
The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


2. Open your Add/Remove Programs control panel and uninstall Security iGuard if it is listed there.


3. With all instances of any web browsers closed: scan with HijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button:

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Windows System Manager] smsc.exe
O4 - HKLM\..\Run: [Windows Services] scmsg.exe
O4 - HKLM\..\RunServices: [Windows System Manager] smsc.exe
O4 - HKLM\..\RunServices: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [Windows System Manager] smsc.exe
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\RunServices: [Windows System Manager] smsc.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptem...iveSekurity.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/insta.../sinstaller.cab


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

DMR 152 Wombat At Large Team Colleague

Hi alexanderp513- welcome to the site :)


Please do the following to start with:

- Download the (free) HijackThis utility from here.

- Once downloaded, follow these instructions to install and run the program:

1. Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

2. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

the problem just started a week ago

Judging from the info in your first post it sounds like you've covered all of the normal troubleshooting steps. Did anything else happen around that time that might be related to the problem, or are you noticing any other odd behaviour with the system?

Open a DOS window and type the following command at the prompt:

telnet your pop server's name 110

Are you able to hit the POP server that way? If that works, you should get a message beginning with "OK", and a flashing cursor below the message. Type "quit" to end the Telnet session.

DMR 152 Wombat At Large Team Colleague

1. Outlook should allow you to view the details of the error by clicking the yellow exclamation-point icon that appears in the lower right-hand corner of Outlook's Window when a send/receive error occurs. Please locate that info and paste the full and exact text here; there's usually an error code listed in those details which can help to pinpoint the problem.

2. If you have any anti-virus or firewall software installed, temporarily disable it entirely; those programs are known to cause such behaviour in Outlook.

DMR 152 Wombat At Large Team Colleague

Money.msi is the Windows Installer component for MS Money. Unfortunately, it is not (as far as I know) available as a separate download, as it is part of the Money installation package and normally exists in the same location as the rest of the original Money installation files. In your case, that location appears to be a remote/network system to which you are no longer connected.

- If you have the original Money 2002 installation CD, you can insert the CD and tell the uninstaller to look for it there.

- Alternately, you can use the utility described in the link below to remove the references to the 2002 version of Money from your system's Registry. Note that this will not remove the actual Money 2002 files and folders, but it will make the new version of Money unaware of the fact that you had a previous version installed. That should at least allow you to proceed with the installation of the new version:

http://support.microsoft.com/default.aspx?kbid=290301

DMR 152 Wombat At Large Team Colleague

Very cool; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

If he installs it again and I get the same problem, well, guess I'll have found the source!

I'd say that would be a good assumption, yes. :D

DMR 152 Wombat At Large Team Colleague

OK- that's a pretty common card, and I don't think XP has any known issues with it under normal circumstances.

Some things you can try:

1. You said "when Windows loaded it only showed 2"; I'm assuming you meant that only two drives appeared in My Computer and/or Windows Explorer. If you haven't already: Right-click on your My Computer icon, choose "Manage" from the context menu, and then click "Disk Management" in the resulting window.

Do any of the "missing" disks appear there, and if so, what info is reported about them (File System, Status, etc.)?


2. Uninstall the Promise card through Device Manager, reboot, and let Windows redetect the card and reinstall its drivers.

3. Try connecting only 1 drive at a time to the controller card (do this for each of two IDE channels on the card). That will help you determine if you've got a faulty drive or channel that's bringing the rest of the card down. Also check your ribbon cable connections and make sure the card is firmly seated in its PCI slot.


4. Put each of the drives on the motherboard's regular IDE channels and see if they're all recognized when connected there.

DMR 152 Wombat At Large Team Colleague

Is it supposed to contain a "services" folder?

Actually, a basic XP system won't have a C:\Windows\System32\Services folder; it isn't a folder that gets created during the Windows install.

There may be legit applications that create a Services folder during their installation, but the existence of the folder is also known to be associated with at least a couple of pieces of malware.

DMR 152 Wombat At Large Team Colleague

So the problem has cleared itself up somehow?

DMR 152 Wombat At Large Team Colleague

Was ibs55.exe some sort of mother file which kept spawning the misb22.exe files?

Actually, the type of "mother files" I was referring to are usually files with a ".dll" extension as opposed to an ".exe" extension, but the idea is still the same regardless of what type of file has actually caused the others to come back to life. When a malicious infection spawns more than one file, those files can act as "guardians" or "sentinels" for each other in the way that if one of them senses that someone/something has terminated the other, it will immediately issue a command to restart the one that was "killed".

I'll let cruchie and dlh 6213 respond to the rest of your questions, as they've been your primary troubleshooters here.

DMR 152 Wombat At Large Team Colleague

Them buggers drive my Master System 2 and Game Gear! :lol:

LOL- Someone still does know about those beasties. :cheesy:

DMR 152 Wombat At Large Team Colleague

Just out of curiosity, what info did you get about the NIC from the winipcfg command I mentioned?

DMR 152 Wombat At Large Team Colleague

all files were deleted i think except C:\WINDOWS\System32\{007D53FO.....} which wasn't to be found.

Sorry, that wasn't quite the right path. It should have been:

C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}


Some of the other nasties have respawned as well. Have HJT fix these again:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DANNYH~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll (file missing)

Once you do that:

1. Turn off XP's System Restore feature.

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History

DMR 152 Wombat At Large Team Colleague

In terms of the reported intrusion- can you describe your overall network setup in more detail please?

- What type of Internet connection do you have (Cable, DSL, etc.)?

- If you have broadband, do you have a Cable/DSL firewall router installed?

- Is there wireless in use on the network?

- Is this an office network or just a home network? How many machines are on it, what functions do they perform (workstation, file server, mail server, etc.), and how are they interconnected?


One of the keys to figuring out the intent and possible danger of a reported connection from the outside world is to figure out which ports are being used in the connection. By default, many ports known to be vulnerable to exploit are left open. The thing to do is to eliminate access to those ports by shutting down the services that use them and configuring your firewall to block connections on those ports.

You can get some interesting and illuminating detail in that regard by opening a DOS window and typing the following command at the prompt:

netstat -ano
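An added example, not part of the original post: one way to read the output of `netstat -ano` is to list which process ID owns each port that is open to the network, so the owning service can be shut down or firewalled. The sample output is constructed, and the function names are hypothetical.

```python
"""Summarise `netstat -ano` output: which PID owns each network-reachable port."""
from collections import defaultdict, namedtuple

Socket = namedtuple("Socket", "proto addr port state pid")

# Constructed sample in the layout Windows prints for `netstat -ano`.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      203.0.113.9:80         ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1108
"""


def parse_netstat(text):
    """Turn each TCP/UDP row into a Socket; headers and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, _remote, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":
            # UDP rows have no State column.
            proto, local, _remote, pid = fields
            state = ""
        else:
            continue
        # rpartition keeps working for bracketed IPv6 addresses such as [::]:135.
        addr, _, port = local.rpartition(":")
        if port.isdigit() and pid.isdigit():
            sockets.append(Socket(proto, addr, int(port), state, int(pid)))
    return sockets


def is_loopback(addr):
    """Sockets bound to loopback cannot be reached from other machines."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(text):
    """Map PID -> sorted 'PROTO/port' list for sockets accepting traffic
    on a non-loopback address (TCP LISTENING rows and bound UDP sockets)."""
    by_pid = defaultdict(set)
    for s in parse_netstat(text):
        accepting = s.state == "LISTENING" or s.proto == "UDP"
        if accepting and not is_loopback(s.addr):
            by_pid[s.pid].add((s.proto, s.port))
    return {pid: [f"{proto}/{port}" for proto, port in sorted(ports)]
            for pid, ports in by_pid.items()}


if __name__ == "__main__":
    for pid, ports in sorted(exposed_listeners(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {', '.join(ports)}")
```

The PIDs in the result can be matched to process names in Task Manager (with the PID column enabled) to decide which services to stop.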

DMR 152 Wombat At Large Team Colleague

If Device Manager reports the card to be working and it also shows up in your networking properties, you probably have gotten it basically installed correctly. So...

What makes you think that it isn't working? Is it because the DSL setup software doesn't seem to recognize it, or is there some other reason?

You can see what Windows itself thinks about the NIC by opening an MS-DOS box and typing the following command at the prompt:

winipcfg

That should open a status window which lists the specifics of the card's configuration.

DMR 152 Wombat At Large Team Colleague

Did yall major in college...

Yeah- digital circuit design and microprocessor architecture/programming was the focus of my electronics study, but only the very basic fundamentals of what I learned back then apply to today's computers. I mean, who the heck even remembers what a Z80 or an 8080A was anymore... :o

Like CM, I learned almost everything I know about modern computers on my own.

DMR 152 Wombat At Large Team Colleague

I'll just put out the fact that downloading/playing online games is a good way to get loaded up with adware and spyware, but that said, I don't see any obvious "nasties" in your log.

A few thoughts:

1. Open the Event Viewer utility in your Administrative Tools control panel and look through the Application and System logs to see if you can find any event messages/warnings/errors in those logs which might give us clues as to the reason for the disconnects.

2. Maybe your modem has glitched: power down both the computer and the modem, leaving both off for 30 seconds or more. Turn on the modem again and give it a minute or two to go through its power-up tests; reboot the computer after that and see if the problem has gone away.

3. Does the problem occur when using AOL's browser only, or does it happen when you're using Internet Explorer as well?

DMR 152 Wombat At Large Team Colleague

Paul,

Were you able to use the Killbox to delete the C:\WINDOWS\ibs55.exe file?

DMR 152 Wombat At Large Team Colleague

Also- what are the makes/models of the NICs you've tried, and what corresponding drivers are you using?

DMR 152 Wombat At Large Team Colleague

Shutdown problems can certainly be the work of spyware and the like, but it's also just as likely the result of (non-malicious) software conflicts or corruption.

Let's see if the system is leaving any "suicide notes": Open the Event Viewer utility in your Administrative Tools control panel and look through the system and application logs for any errors, warnings, or other messages which might point to the source of the problem. If you find any such messages, post their complete and exact contents for us please.

DMR 152 Wombat At Large Team Colleague

Sounds like a possible driver issue.

- What version of Windows are you running, and what is the make/model of the controller card?

- Is the controller card reported to be working properly in Device Manager?

DMR 152 Wombat At Large Team Colleague

OK, here's the general deal:

In terms of whether to put two devices on the same IDE channel or put them on two separate channels, the performance considerations basically revolve around the fact that command execution in ATA/IDE technology is a sequential process. Unlike SCSI technology, only one command can be issued to, and processed by, one device on an IDE bus/channel at any given moment; pending operations on that and any other devices on the channel must wait until the device executing the current command completes that operation and then notifies the bus controller that it has done so.

This means that if you are performing operations on two drives on the same channel, the bus controller will issue a command to one device, but cannot initiate any communication with the second device until the first one finishes what it's doing and releases control of the bus. However, since each of the two IDE channels on a PC has its own controller circuitry, operations on a device connected to the first channel can be carried out at the same time as operations being performed on a device connected to the second channel.

Just as a side note- SCSI doesn't suffer from this limitation. A SCSI controller can issue multiple commands at a time to multiple devices on a single bus, and SCSI devices can disconnect from that bus while they process a given command and then reconnect once done, thereby allowing the bus to be used …

DMR 152 Wombat At Large Team Colleague

1. Did you get all of the Windows updates as I suggested? If you did, I would have expected to see some change in the Windows/IE version information in your log's header.


2. The problem with your Favorites may or may not have been caused by the infections; I can't honestly say, as I've never seen that exact symptom before. I don't know if it will do the trick, but you can try running the IEFix tool.

Just to be clear about it though- you are saying that when you click on the Favorites menu item, it displays the contents of your C:\Windows folder instead of your Favorites folder, right? If that's not exactly what's happening, please give us a better description of what is happening.


3. Your latest log shows no signs of infections, but that doesn't mean that your system is clean yet. If you're still getting porn popups, you've obviously still got problems. Let's do some general clean-up to see if we can get rid of anything that's lingering:


A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates. Also do the free online virus scans at these sites:

http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://www.ravantivirus.com/scan/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm


B) Download and run Ad Aware (download links are in my sig below).

Follow these directions for configuring Ad Aware …

DMR 152 Wombat At Large Team Colleague

1. misb22 has invited a friend to the party:

C:\WINDOWS\ibs55.exe

Repeat the Killbox procedure for the above file as well as C:\misb22.exe.


2. Turn off XP's System Restore feature.


3. I've got a feeling that you might have a hidden "mother file" that is spawning the .exe files. Please download the Silent Runners script, run it, and post the log it generates. The log will give us information about a few things that HijackThis doesn't report.

DMR 152 Wombat At Large Team Colleague

Thanks to independent device timing, hard drives can operate at their maximum speeds on the same cable

Hey CM- yes, in that regard you are correct.

However, I was referring to aspects of IDE/ATA technology other than the ability of attached devices to operate at their optimal speed (even when connected to the same IDE channel as possibly slower drives).

The fact that modern drives can do that has nothing to do with the performance issues I was alluding to. I'll post more on the specifics of that tomorrow.

DMR 152 Wombat At Large Team Colleague

I'll try to post more info on how to delete the "023" service entry ASAP, but I need to log for the night now. Glad we could help you get the rest fixed though. :)

DMR 152 Wombat At Large Team Colleague

I defrag my home computer on a daily basis

And I thought I was conservative in that respect. :mrgreen:

With all due respect Novell52, that's some serious overkill for a home system.

DMR 152 Wombat At Large Team Colleague

you could try reinstalling ie, i think it will save your favorites
or try mozilla and import your favorites

Yes perhaps, but we need to get rid of the existing infections first, as "reinstalling" IE over a currently-infected version isn't advised.

DMR 152 Wombat At Large Team Colleague

Lol- sounds like you're looking for answers to homework questions... :p

What is the difference between F.S.B & bus speed of a processor

"Googleage"

what actually happens when the hard disk jumper setting is "upper 32 gb"

"Googleage"

what is the difference between 40 conductor & 80 conductor data cables that we use to connect hdds to the motherboard & how does the hdd come to know that the cable connected is 40 or 80 conductor cable

The extra 40 lines in the newer Ultra-ATA cables are ground wires which are placed between the data signal lines of the standard IDE/ATA cable. The placement of the ground lines between each signal/data line minimizes the effects of crosstalk and other electrical interference; a technique that is necessary to ensure reliable communication at today's higher data-transfer rates.

why in the cable used for connecting floppy drive, some lines of the cable are reversed

Basically a holdover from the days when computers actually had two floppy drives (A and B). The determination of which is the drive A and which is the drive B is made by the drives' placement on the cable: the floppy drive installed on the connector before the twist is IDed as the B floppy, and the drive on the connector after the twist is (obviously) the A floppy.

does it make any difference (in speed) when you connect 2 hdds on the same cable &when you connect them on diff. cables

Yes- actually …

DMR 152 Wombat At Large Team Colleague

bella69,

After following my *ahem* esteemed colleague's instructions concerning the newdotnet removal, please post a fresh HJT log, as there's still more work to be done...

DMR 152 Wombat At Large Team Colleague

You also need to remove Newdotnet, either from Add/Remove Programs, or by going to http://www.newdotnet.com/#remove and scrolling down to the Uninstall tool.

Hey- stop babysitting my threads! I was getting to that bit...

:D

DMR 152 Wombat At Large Team Colleague

Hello beauchicox3, welcome to the site. :)

1. Your log does still indicate at least one infection, but you need to take care of one thing before we proceed:

C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser. HijackThis cannot fully perform its fixes while browsers are running.


2. Once you've taken care of the above, reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

a) In your Start menu, click the "Run..." option, type the following command in the "Open:" box, and click OK:
services.msc

When the Services console opens, locate "System Startup Service",
right-click on it, and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services console.

b) Run HJT and have it fix the following (don't close HJT after the fixes are done though):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

O23 - Service: System Startup Service - Unknown - C:\WINDOWS\svcproc.exe

Once HJT completes the fixes:

- Click …

DMR 152 Wombat At Large Team Colleague

Hi Paul,

A couple of things:

1. There are usually more "R0" and "R1" entries in a HijackThis log, reporting things like Internet Explorer's default Home page, Search page, etc. It's possible that you may not have those entries in your particular log, but just to be sure: are you positive you're posting the full contents of your logs?


2. I don't see anything in your log which would indicate that a hijacker is still present.

- Does SpywareGuard pop up warnings that something is trying to reset your home page to about:blank, and if so, does it give the name of the program/process that is trying to do that?

- The about:blank setting may just be a leftover of the infection. If you go into your Internet Options control panel and manually set your home page to something other than about:blank, does that change "stick", or does something still try to change it back to about:blank?

DMR 152 Wombat At Large Team Colleague

Mind if I cut in?

Aaaaannnyyy time you feel like it, Danny.

Glad you did, actually. I had to run out for a bit, so my post was short, and more just an effort to let the new member know that there actually was somebody working behind the counter at the Spyware Cafe. :D

DMR 152 Wombat At Large Team Colleague

Good job- your latest log is clean. :)

DMR 152 Wombat At Large Team Colleague

Hello dsandor, welcome aboard :)

Don't worry about what you need to delete and how you need to do it; we'll give you very specific instructions on all of that.


1. Open your Add/Remove Programs control panel and uninstall all Security iGuard, StopSign, and eAcceleration programs that you find listed there.


2. Put a check mark in the boxes next to the following items in HijackThis and then click the "Fix Checked" button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0366/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 google.com
O1 - Hosts: 69.50.173.4
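An added example, not part of the original post: the O1 entries above show the signature of a hosts-file hijack, where many unrelated well-known sites are pointed at one outside address. The sketch below parses O1 lines from a HijackThis log and flags such addresses; the O1 lines for 69.50.173.4 are copied from the log above, the remaining lines are constructed, and the function names and the `min_sites` threshold are assumptions.

```python
"""Flag hosts-file hijacking from the O1 section of a HijackThis log."""
import ipaddress
import re
from collections import defaultdict

# O1 lines for 69.50.173.4 come from the post; the last two lines are constructed.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0366/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 google.com
O1 - Hosts: 69.50.173.4
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 192.168.1.10 fileserver
"""

O1_RE = re.compile(r"^O1 - Hosts:\s*(\S+)(?:\s+(\S+))?\s*$")


def site_key(hostname):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so names like a.co.uk group coarsely."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_o1(log_text):
    """Return (entries, incomplete): entries are (ip, hostname) pairs;
    incomplete holds O1 lines with a bad address or no hostname."""
    entries, incomplete = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if not m:
            continue  # not an O1 line (R0, O4, ...)
        addr, host = m.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            incomplete.append(line)
            continue
        if host is None:
            incomplete.append(line)  # e.g. a line cut off after the address
            continue
        entries.append((ip, host))
    return entries, incomplete


def find_hijacks(log_text, min_sites=3):
    """Return ({ip: [sites]}, incomplete) for outside addresses that at least
    min_sites unrelated sites are redirected to."""
    entries, incomplete = parse_o1(log_text)
    by_ip = defaultdict(set)
    for ip, host in entries:
        # Loopback/unspecified entries are ad-blocking style; private ones are LAN names.
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue
        by_ip[ip].add(site_key(host))
    suspicious = {str(ip): sorted(sites)
                  for ip, sites in by_ip.items() if len(sites) >= min_sites}
    return suspicious, incomplete


if __name__ == "__main__":
    flagged, partial = find_hijacks(SAMPLE_LOG)
    for ip, sites in flagged.items():
        print(f"{ip} hijacks {len(sites)} sites: {', '.join(sites)}")
    for line in partial:
        print(f"incomplete entry, review by hand: {line}")
```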

DMR 152 Wombat At Large Team Colleague

No signs of "nasties" in that log; just a couple of loose ends that you might want to clean up:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

DMR 152 Wombat At Large Team Colleague

The bube and nail.exe infections are, unfortunately, a couple of the more stubborn nasties; general utilities like McAfee, Ad Aware, etc. won't be of much use.

1. For the bube infection, please follow the procedures outlined in the link below carefully and completely:

http://www.broadbandreports.com/forum/remark,12688162~mode=flat


2. Once you complete the above, run HijackThis and post the log here. Once we review the log we'll be able to tell you what needs to be done next.