DMR 152 Wombat At Large Team Colleague

Hi bella69, welcome to Daniweb :)

Your log does indicate a few different infections, but we need to take care of one thing first:

C:\DOCUME~1\ANNABE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else.
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

Moved to the Browser forum until we can get more specific info.

DMR 152 Wombat At Large Team Colleague

How often?
That really depends on what sort of usage a particular system gets and what functions it performs. It also depends on the particular filesystem you're using on your disks; some filesystems are better than others in terms of dealing with fragmentation (or even minimizing it). For example, Microsoft's NTFS filesystem (in general) handles fragmentation a bit better than MS's earlier FAT/FAT32 filesystems, and UNIX/Linux filesystems such as ext2, ext3, and ReiserFS deal with fragmentation much better than either MS filesystem.

Fragmentation as a whole occurs as a result of adds/deletes/changes to the data stored on a drive, so a drive whose contents are pretty much "static" will need to be defragged much less often than a drive whose contents are constantly changing.

Given all of the above, the question isn't really how often to defragment, but at what percentage of disk/file fragmentation do you decide to defrag.
The whole thing is more than a bit subjective; you'll find people who have very strong opinions in one direction or the other in regard to how much of an issue fragmentation really is in terms of overall system performance.

I personally like to keep my Windows machines at 2-3 % fragmentation or less, but that's only due to the fact that I tend to run on the conservative side when it comes to my system maintenance schedule, and defragging is just part of that overall routine. My Linux machines are a totally different story though- …

DMR 152 Wombat At Large Team Colleague

The first (and easiest) thing to check out is this:

XP creates a default account for a user named "Administrator", and this account is different from any other user accounts which are members of the "Administrators" group.

You'll sometimes find that although passwords have been set for all other user accounts that have been created on the computer, there has been no password set for the user "Administrator". Try typing Administrator as the user name in the login window and then just hit Enter; if no password has been set for the Administrator user account, Windows will happily log you in as the system administrator. If that works, you can modify your user accounts/passwords from there.

If that doesn't work, things get difficult; you can't just "bypass" the login on XP or 2000 systems like you could with Win 95/98.

There are a number of tools you can use to recover or change a forgotten password, and some of them involve a Linux boot disk. The reason being that Linux can access Windows drives/partitions, but it totally ignores Windows permissions and passwords.

Here are a couple of links which discuss some of the options:

http://www.petri.co.il/forgot_admin...or_password.htm
http://is-it-true.org/nt/atips/atips262.shtml

And here are the results of a general Google search on the subject:

http://www.google.com/search?hl=en&...ecovery&spell=1

DMR 152 Wombat At Large Team Colleague

Hmm- That mobo is at least RAID-capable; maybe RAID is an option that's only available on some versions of the board.

What are the exact errors that you're getting concerning file corruption?

DMR 152 Wombat At Large Team Colleague

Ok- thread reopened. The consensus is that you probably aren't an Evil Hacker. :mrgreen:

There are a number of tools you can use to recover or change a forgotten password, and yes, some of them do involve a Linux boot disk. The reason being that Linux can access Windows drives/partitions, but it totally ignores Windows permissions and passwords.

Here are a couple of links which discuss some of the options:

http://www.petri.co.il/forgot_administrator_password.htm
http://is-it-true.org/nt/atips/atips262.shtml

And here are the results of a general Google search on the subject:

http://www.google.com/search?hl=en&q=%22windows+2000%22+password+recovery&spell=1

DMR 152 Wombat At Large Team Colleague

The drive being identified as SCSI really sounds to me like it has something to do with the fact that your motherboard has SATA and RAID capabilities, although I don't know if that has anything to do with the problems you're having.

Have a look at the hard drive and RAID options in the BIOS. Turn off the RAID-related settings there and see if that changes anything.

DMR 152 Wombat At Large Team Colleague

I'll ask this again for starters:

- What exact problems are you having, and what (if any) errors do you get?

If you created a folder under /mnt named "fat", and your FAT32 partition really is hda6, then mediaphyte's syntax for the mount command is correct.

In terms of the way rwx permissions work with FAT32 mounts:

The default permissions for a mounted FAT32 volume are rwx for root, but only rx for normal users.

In Linux, permission control works differently for FAT32 and NTFS filesystems than it does for native Linux filesystems (ext2, ext3, reiser, etc.):

1. The UNIX permissions of a directory onto which you mount a Windows filesystem can't be changed while the filesystem is mounted. Unmount the Windows partition; you should then be able to chmod the permissions of /mnt/Windows. You will need to set the appropriate Linux rwx permissions on the /mnt/fat folder and set the permissions for the FAT partition (as described below) in order to grant everyone write access.

2. Windows doesn't support UNIX-style permissions, and you can only apply permissions to the entire filesystem, not to individual Windows files/folders. This is done with the "umask" option of the mount command. In /etc/fstab, change the mount entry for your Windows partition to this:

/dev/hda6 /mnt/fat vfat users,defaults,umask=000 0 0

(the "users" option allows anyone to mount/unmount the drive and overrides the default, which is that only root is allowed to mount/unmount.)

- …
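
As an added example (not part of DMR's post, and not a tool the thread mentions), here is a small Python script that reads /etc/fstab-style lines and reports the effective rwx bits a vfat mount will expose for its umask/fmask/dmask options, and whether the mount ends up world-writable. The fstab lines are constructed for the demo; the assumption that a vfat mount with no umask option inherits the mounting process's umask (taken here as 022, which gives the "rwx for root, rx for everyone else" default described above) is labelled in the code.

```python
"""Effective permissions a vfat mount exposes for its umask/fmask/dmask options.

Added example for this thread, not part of the original post. A FAT volume
stores no per-file permission bits, so mount(8) applies a single mode to
everything: 0777 & ~mask, where fmask applies to files, dmask to directories,
and umask to both unless overridden. The fstab lines below are constructed.
"""

# Constructed sample /etc/fstab lines (not copied from a real system).
FSTAB_SAMPLE = """\
# <device> <mountpoint> <type> <options> <dump> <pass>
/dev/hda6 /mnt/fat  vfat users,defaults,umask=000 0 0
/dev/hda7 /mnt/fat2 vfat defaults,uid=1000,gid=1000,umask=022 0 0
/dev/hda8 /mnt/fat3 vfat defaults,fmask=133,dmask=022 0 0
/dev/hda1 /         ext3 defaults 1 1
"""

FAT_TYPES = {'vfat', 'msdos', 'fat'}


def parse_fstab(text):
    """Return a list of (device, mountpoint, fstype, options) tuples.

    options is a dict: 'umask' -> '000' for key=value options, True for flags.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line, skip it
        device, mountpoint, fstype, opts = fields[:4]
        options = {}
        for opt in opts.split(','):
            key, _, value = opt.partition('=')
            options[key] = value if value else True
        entries.append((device, mountpoint, fstype, options))
    return entries


def fat_effective_modes(options, process_umask=0o022):
    """Return (file_mode, dir_mode) for a vfat option dict.

    Assumption (not stated in the thread): when no umask option is given, the
    mount inherits the mounting process's umask, taken here as 022, which
    yields the rwx-for-root / rx-for-others default the thread describes.
    """
    umask = int(options['umask'], 8) if 'umask' in options else process_umask
    fmask = int(options['fmask'], 8) if 'fmask' in options else umask
    dmask = int(options['dmask'], 8) if 'dmask' in options else umask
    return 0o777 & ~fmask, 0o777 & ~dmask


def rwx(mode):
    """Render a 9-bit mode as an ls-style string, e.g. 0o755 -> 'rwxr-xr-x'."""
    return ''.join(c if mode & (1 << (8 - i)) else '-'
                   for i, c in enumerate('rwxrwxrwx'))


def audit_fat_mounts(text):
    """Map each FAT mountpoint to (file_rwx, dir_rwx, world_writable)."""
    report = {}
    for _device, mountpoint, fstype, options in parse_fstab(text):
        if fstype not in FAT_TYPES:
            continue                      # native filesystems keep per-file bits
        fmode, dmode = fat_effective_modes(options)
        world_writable = bool((fmode | dmode) & 0o002)
        report[mountpoint] = (rwx(fmode), rwx(dmode), world_writable)
    return report


if __name__ == '__main__':
    for mnt, (files, dirs, ww) in audit_fat_mounts(FSTAB_SAMPLE).items():
        print(f"{mnt:10} files={files} dirs={dirs} world-writable={ww}")
```

umask=000, the setting given above, makes every file on the volume writable by every local user, which is what was asked for. On a box with more than one account, uid=/gid= together with umask=002 or 022 limits write access to one user or group instead; there is no way to restrict individual files on the FAT volume itself.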

DMR 152 Wombat At Large Team Colleague

DMR, your DaniWeb link doesn't work :(

Again??!!
I even made sure to test the link after I posted, because this has happened to me a few times before. I'll have to ask Dani if she can find out what makes search-result links "go stale"....

DMR 152 Wombat At Large Team Colleague

Yes, removing and reinstalling TCP/IP would be the next step. A good step-by-step description of the procedure can be found here:

http://customersupport.acd.net/admin/articles/reinstall%20tcpip.cfm

If you're using a dial-up connection, the dial-up networking components have to be reinstalled as well. There's a more detailed/thorough procedure for reinstalling both TCP/IP and the dial-up components at Microsoft's support site:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q181599


Keep in mind that since the problem seemed to appear after you experienced some file corruption and had to reinstall, even the above fixes might not do the trick. You could have other missing/corrupted files that the reinstall didn't correct.

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

Did you find out where the error/message/whatever was coming from?

DMR 152 Wombat At Large Team Colleague

Yes- that model is (obviously) not a SCSI drive.

The reason I asked is that drives connected to some RAID controllers (or RAID-capable motherboards) get reported/identified as SCSI drives.

Is this a possibility?

Although I could be way off base on this, if you can give us the exact make/model of your motherboard that might help.

DMR 152 Wombat At Large Team Colleague

Hi bama.mal, welcome to the site :)

I know this is a dangerous subject because you never can tell what is really going on...

Unfortunately, you're right. Bypassing password protection is a "dangerous subject", for just the reason you state: we have no way of knowing if a member who asks for help in that regard has good or bad intentions. The reality is that we leave ourselves open to possible legal action if we offer advice in "grey areas" such as this.

With that in mind, please understand my action here: I am going to temporarily lock this thread until I can contact our site's administrator and get her take/word on your particular question.

In the mean time, I'll suggest the obvious: contact the "someone" who gave you the computer and ask him/her what the possible passwords might be.

DMR 152 Wombat At Large Team Colleague

1. Download and run ElitebarRemover.


2.
Run HijackThis again and have it fix:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitetro32.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete C:\windows\system32\elitetro32.exe if it still exists.

- Empty your Recycle Bin and reboot normally.


4. Run HJT again and post a fresh log. Also let us know if the "derbiz" problem is still present.

DMR 152 Wombat At Large Team Colleague

That's a pretty nasty pot of Spyware Soup you've got cookin' there... :mrgreen:


Please do the following (if, from the infected computer, you cannot download the utilities we ask you to use in the course of this, you'll need to use another computer to download them, burn them to a CD, and get them on to the infected computer that way):


1. Open your Add/Remove Programs control panel and remove any of the following items if they appear in the list of installed programs:

WindUpdates
Windows SyncroAd
Windows AdTools
Windows AdControl
Windows TaskAd
Windows AdService
Windows ControlAd
Windows ServeAd
WebRebates
DAP/Download Accelerator Plus
WeatherBug


2. Turn off XP's System Restore feature.


3. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://gameshark.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\System32\SEARCH~1.DLL
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4
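
As an added example (not part of DMR's post, and not code from HijackThis itself), here is a Python script that parses a few HJT-style lines and groups them the way a log reader does by eye: hosts-file entries that point several hostnames at one non-loopback IP, R0/R1 Internet Explorer settings that all point at one domain, and O4 autostart entries whose executable lives under a Temp folder. The sample lines are constructed, modelled on entries quoted in this thread; the regular expressions are this example's own approximation of HJT's line formats, not an official grammar.

```python
"""Flag the hijack patterns pointed out in the HijackThis log above.

Added example for this thread, not part of the original post or of HijackThis
itself. The sample lines are constructed from entries quoted in the thread.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (not a real, complete HJT log).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitetro32.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005423191951_mcinfo.exe /insfin
"""

# Approximations of the HJT line formats seen in the thread (assumption).
HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)')
R_RE = re.compile(r'^R[0-3] - (?P<key>[^=]+?)\s*=\s*(?P<url>\S*)')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$')
LOOPBACK = {'127.0.0.1', '0.0.0.0', '::1'}


def hosts_hijacks(lines):
    """Return {ip: [hostnames]} for hosts entries pointing at a non-loopback IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group('ip') not in LOOPBACK:
            by_ip[m.group('ip')].append(m.group('host'))
    return dict(by_ip)


def redirected_ie_settings(lines):
    """Return {domain: [IE setting names]} for R0/R1 entries that carry a URL."""
    by_domain = defaultdict(list)
    for line in lines:
        m = R_RE.match(line)
        if not m or not m.group('url'):
            continue                      # e.g. 'Local Page =' with no value
        host = urlparse(m.group('url')).hostname
        if host:
            by_domain[host].append(m.group('key').rsplit(',', 1)[-1])
    return dict(by_domain)


def temp_autostarts(lines):
    """Return names of O4 autostart entries whose command runs from a Temp folder."""
    return [m.group('name')
            for m in map(O4_RE.match, lines)
            if m and re.search(r'\\temp\\', m.group('cmd'), re.IGNORECASE)]


def summarize(text):
    """Run all three checks over raw log text."""
    lines = text.splitlines()
    return {'hosts': hosts_hijacks(lines),
            'ie_settings': redirected_ie_settings(lines),
            'temp_autostarts': temp_autostarts(lines)}


if __name__ == '__main__':
    for section, found in summarize(SAMPLE_LOG).items():
        print(section, found)
```

Several search-engine hostnames collapsing onto one address is the signature of the hosts-file hijack above; a single domain occupying Search Bar, Search Page and SearchAssistant at once is the matching IE-settings signature. Neither check replaces reading the log, but both make the pattern hard to miss.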

DMR 152 Wombat At Large Team Colleague

64mb ram

With XP?!
Please tell us that's a typo. :eek: :eek:


Until you can post more info, here are a couple of suggestions:

Bad RAM is definitely one thing that can cause such behaviour. Make sure the RAM modules are firmly and properly seated in their sockets, and test the RAM with Memtest86.

Although probably uncommon, I've worked on a few systems recently which started exhibiting very similar behaviour. In each case I found that the culprit was a Microsoft update package downloaded and installed by Windows' Automatic Update feature. The specific update was different on each machine, but the symptoms were the same, and they were reliably repeatable: uninstall the update, the crash & reboot problem disappears; redownload the update, the crash & reboot problem comes right back.

DMR 152 Wombat At Large Team Colleague

I looked at my hardware manager and windows thinks my drive is a SCSI drive.

Interesting... What exactly does Device Manager say in that regard?

DMR 152 Wombat At Large Team Colleague

Unfortunately, given the series of events you describe, it does sound like the drive has gone south. If the disk corruption is serious enough, or if the problem is the result of a failure of the drive's controller electronics, chances are that you may not even be able to reinstall.

At this point I'd suggest installing the drive as a slave drive in another computer. Doing so might at least allow you to access the drive and copy your data to a safe location.

DMR 152 Wombat At Large Team Colleague

There are more than a few reasons why you might get that error, including a corrupt email (or email account), interference from your anti-virus or firewall software, or damaged TCP/IP software.

- Try testing send and receive separately if you haven't already. Can you do one but not the other, or do both functions not work?

- Create a new email account in OE on the problematic machine using the same server, etc. settings as the original (non-working) account. Can you send and/or receive from that new account?

- Temporarily disable (entirely) your Anti-virus software.

- If you have firewall software installed (Zone Alarm, McAfee Personal firewall, Norton Internet Security, etc.) disable that. Just turning off or closing most firewall programs does not usually disable them completely. You need to go into the program's Preferences, uncheck any/all "Start automatically when Windows starts" options, and then reboot.

- Your TCP/IP stack may be corrupt. If so, you will need to uninstall and reinstall TCP/IP.


There are a couple of other possibilities, but the above are the most common.

DMR 152 Wombat At Large Team Colleague

Hotoffers infections have been a pretty popular topic here in the last few months. Please review the suggestions given in our recent hotoffers-related threads and see if one of those solutions works for you:

http://www.daniweb.com/techtalkforums/search.php?searchid=373139

If you cannot find a fix that works, or if you have any questions about the procedures described in those threads, please repost here. When you do, it would be a good idea to give us a HijackThis log as well:


Download HijackThis onto your jump drive:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

You should be able to run HJT right from the jump drive, but if not, create a folder on the hard drive for HJT and move it there. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

As nicentral noted, there are no obviously suspicious or abnormal processes/programs listed in your log.

It keeps appearing in my computer when I have to restart

If you are saying that you get an error or message concerning the process, please post the full contents of the message. If you mean something else, please be more specific.

DMR 152 Wombat At Large Team Colleague

The setting to display the Run option is in your Start menu preferences. Right-click on your Taskbar, click Properties, click the Start Menu tab, and then click the Customize button.

- If you're using the standard XP Start Menu style: click on the Advanced tab in the Customize window, scroll down to the "Run command" option, and click on its check-mark box.

- If you're using the "classic" Windows Start Menu style: put a check in the "Display Run" box in the Customize window.

DMR 152 Wombat At Large Team Colleague

I was unable to delete the O23 security thing. It simply came back after HJT nixed it...

That's because when HJT performs a normal "fix" on an O23 entry, it will disable the service, but it does not remove references to the service that exist in the Windows Registry.

HJT does have a special function for deleting a service from the Registry, although in this case I'm not sure it will work because the service name consists of non-standard "gobbledy-gook" characters.

You can try it anyway and see what happens if you want:


In the main HJT window, click on Config, then Misc Tools, and then press the Delete an NT service.. button.

In the resulting Delete window, enter " 11Fßä#·ºÄÖ`I" (omit the quotes, and note that the first character of the name is a blank space) and then press OK.

DMR 152 Wombat At Large Team Colleague

There's actually an uninstaller for about:blank. I had it but lost it when I caught the Blaster virus.

Unfortunately, the original "About:Blank" hijacker has now grown/morphed into a family consisting of close to 10 variants. There was an uninstaller (and perhaps a few) that worked for the early incarnations of the infection, but AFAIK there's no single "uninstall" program that can whack all of the current incarnations.

DMR 152 Wombat At Large Team Colleague

Looks like the Killbox did its job- that's a clean log. :)

Are you still experiencing popups or other unwanted behaviour?

DMR 152 Wombat At Large Team Colleague

I'm 99% sure you're fine.

I finally had time to look up the name of the program associated with the CLSID {8952a998-1e7e-4716-b23d-3dbe0391072}. It is an ActiveX control installed and used by the "HuntBar" family of search-hijacker parasites, which SpyBot is capable of detecting and removing.

DMR 152 Wombat At Large Team Colleague

I just did some tests and found the message from pestscan to be erroneous. Here's what's going on:

Pestscan is misinterpreting a protective setting made by SpyBot.

- SpyBot's "immunize" feature sets the "Kill Bit" on dangerous ActiveX controls.

- Setting the Kill Bit involves changing the DWORD value of the ActiveX control's "Compatibility Flags" entry in the control's CLSID key to a value of 00000400. hkey_local_machine\software\microsoft\internet explorer\activex compatibility is where those CLSID keys live.

- If the CLSID {8952a998-1e7e-4716-b23d-3dbe0391072} does not already exist in your Registry, SpyBot will create the CLSID and set the Kill Bit when it immunizes as a measure of future protection.

The only conclusion I can come to is that Pestscan knows enough to identify the CLSID in question as referring to a possibly dangerous ActiveX control, but doesn't see that SpyBot has set the Kill Bit on it; hence the warning.
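
As an added example (not part of DMR's post, and not SpyBot's or Pestscan's code), here is a Python script that reads a .reg export of the ActiveX Compatibility key and reports which CLSIDs actually have the kill bit (0x400 in "Compatibility Flags") set, which is the check Pestscan appears to skip. The .reg text is constructed: the first CLSID is the one quoted in the thread, the other two are made up for the demo. A helper also emits the .reg fragment an immunizer writes, so the parser can be checked against it.

```python
r"""Report which ActiveX CLSIDs have the kill bit set, from a .reg export.

Added example for this thread, not part of the original post. The kill bit is
bit 0x400 of the "Compatibility Flags" DWORD under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
The .reg text below is constructed for the demo.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer'
              r'\ActiveX Compatibility')

# Constructed .reg export: first CLSID is the one from the thread, the other
# two are made up to show a control with no kill bit and one with extra flags.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8952a998-1e7e-4716-b23d-3dbe0391072}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-aaaaaaaaaaaa}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for every dword value in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('path')
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = int(m.group('hex'), 16)
    return keys


def killbit_status(text):
    """Map each CLSID under ActiveX Compatibility to True if its kill bit is set.

    Only bit 0x400 is tested: other flag bits may be set as well, and a CLSID
    that is merely present with flags 0 is NOT blocked.
    """
    status = {}
    prefix = COMPAT_KEY.lower() + '\\'
    for path, values in parse_reg_dwords(text).items():
        if not path.lower().startswith(prefix):
            continue
        clsid = path[len(prefix):].lower()
        status[clsid] = bool(values.get('Compatibility Flags', 0) & KILL_BIT)
    return status


def killbit_reg_entry(clsid):
    """Return .reg text that sets the kill bit on clsid (what an immunizer writes)."""
    return (f"[{COMPAT_KEY}\\{clsid}]\n"
            f'"Compatibility Flags"=dword:{KILL_BIT:08x}\n')


if __name__ == '__main__':
    for clsid, killed in killbit_status(SAMPLE_REG).items():
        print(f"{clsid}  kill bit {'SET' if killed else 'not set'}")
```

On the affected machine the export to feed this comes from regedit (File -> Export on the ActiveX Compatibility key). A CLSID showing up as "kill bit SET" is exactly the situation described above: the control is blocked, and a scanner that only keys on the CLSID's presence will still complain about it.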

DMR 152 Wombat At Large Team Colleague

1.

I was wondering if it was the media explorer (windows) that I downloaded...

In an earlier post you specifically said Windows Media Player, but here you're saying "the media explorer". Are you referring to Windows Media Player from Microsoft in both cases? If not, please tell us the exact name of the program in question.


2. Grrr!! "qnpi.dll" doesn't want to leave, and "rrsi.exe" has come back to play. :mad:


A) Download the Pocket KillBox and unzip the downloaded file to your desktop.

- Run Pocket Killbox, paste the following file path into the "...file to delete" box, click "Standard File Kill" and "End Explorer Shell While Killing File", and then click on the button with the red circle and an X in the middle:

C:\WINDOWS\System32\qnpi.dll

- Repeat the above process for:

C:\WINDOWS\system\rrsi.exe

- If you get no errors when you do the deletions, reboot your computer.

- If either deletion fails, do not reboot yet. Instead:
Run Pocket Killbox again, paste C:\WINDOWS\System32\qnpi.dll into the Delete box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "No".

Repeat the process for C:\WINDOWS\system\rrsi.exe, and this time click Yes when prompted to reboot.


B) Once the system has rebooted, run HJT again and …

DMR 152 Wombat At Large Team Colleague

1. Just a couple of loose ends left in that log; otherwise it looks clean.
Have HJT fix:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)


2. In terms of the download problem: I can't think of anything else to suggest except to see what happens when you get a chance to install Firefox.


3. "Disappearing" mail: If you're using Outlook or Outlook Express, your read messages haven't gone anywhere, they're just hidden from you because either your "View" setting is set to "Unread Messages" instead of just "Messages", or you have a rule/filter in place which is hiding read messages.

DMR 152 Wombat At Large Team Colleague

Great- thanks for that confirmation, twhitehead. :)

The only common thing I could find in the reports of mysterious "shellpar" files (aside from the few mentions of the trojan dialer) was that systems with Shellpar files also seemed to have UWC installed.

Some other disk/file utilities will "litter" your folders with hidden files that they create and use in the course of doing their job, and I'll bet that's exactly what UWC is doing with the Shellpar files.

DMR 152 Wombat At Large Team Colleague

We should get some specific info to narrow this down:


- When did this start happening, and had you made any hardware or software adds/removes/upgrades just before that (upgrading to SP2, for example)?

- Once you run Reg Mech at startup, the CPU does not slow down again until the next boot, right?

- Does Reg Mechanic give you any report of what it has fixed? If it does, there may be clues in that report. Post any possibly helpful info that you can get from that.

- When you "turn off" the laptop, do you do a true Shut Down, or do you put it in Sleep or Hibernate mode?

- Whichever mode you use to turn off the laptop, test each of the other two modes and tell us whether or not CPU speed has decreased after you bring the machine back to life from each of those modes.

- Give us the exact model number and age of the laptop, as well as the make and version of the BIOS.

DMR 152 Wombat At Large Team Colleague

That sounds like it may be a bug. I'll look into it and get back later today.

DMR 152 Wombat At Large Team Colleague

(you really ARE good!!! :lol: )

Nah- we just know where the stash of magic digital dust is, and we like to share. :cheesy:

DMR 152 Wombat At Large Team Colleague

There are still at least two malicious elements in your last log as far as I can see.

1. Have HJT fix:

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005423191951_mcinfo.exe /insfin


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following file:
C:\WINDOWS\system32\pc32.exe bg

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you …

DMR 152 Wombat At Large Team Colleague

You're right- that about:Buster link seems to have gotten b0rked. Let's try again; I just tested this link and it works for me:

http://www.majorgeeks.com/download4289.html


Once you've run About:Buster, please do the following:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the …

DMR 152 Wombat At Large Team Colleague

Everything seems to be working ok. No popups, no error messages, and no odd/unknown programs displayed in task manager.

I'll uninstall and then reinstall Avast, and see if everything is working ok!

OK- do that, and let us know how it goes. If everything still appears to be cool I'll mark this one as solved.

(I see that I wasn't the only one with an older version of HJT this evening!)

lol. Nope- effects of the full moon and all that I guess... :mrgreen:

Now all I've got to do is get my email account back up and running again!
Trying to log on this evening I'm getting a message saying that the account is being locked! I can't think why, so I've got to go through the hassle of contacting the uni to sort it out in the morning!

Groan- I hope they haven't mistaken you for a spammer (and that you have paid your bill)...

Thanks again
(DMR and Crunchie (think you've both helped with a problem that I have had before!)

You're welcome.
Yeah, we're busy little beavers around here- we try to munch on as many HJT logs as humanly possible (although I think for crunchie, a few hundred logs a day only counts as a snack). :)

DMR 152 Wombat At Large Team Colleague

I could certainly be missing something, but I don't see anything in your log that would be responsible for the infection warnings you're getting. HijackThis isn't designed to detect everything though, so let's start with this:


A) Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire contents of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete …

DMR 152 Wombat At Large Team Colleague

No nasties that I can see in your latest log, although the following entries indicate that your install of Avast! may have taken a hit in the process:

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

You might want to uninstall and reinstall Avast! just to be on the safe side.

How are things behaving now; still seeing any signs of malicious activity?

DMR 152 Wombat At Large Team Colleague

The modem is producing sound because it has a built-in speaker of its own.

dsound.dll is part of Microsoft's DirectX multi-media support package; it sounds like your DirectX got corrupted somehow.

Try either reinstalling or upgrading your DirectX components. You can get the downloads from Microsoft's site.

DMR 152 Wombat At Large Team Colleague

Mounting FAT32 and NTFS volumes in Linux is pretty much the same process.

- What distro (including version) of Linux do you use?

- What is the drive/partition layout for the system in question?

- What exact problems are you having, and what (if any) errors do you get?

- Do you have problems when manually issuing the mount command, when trying to mount via /etc/fstab, or both?

- What is the syntax of the mount command you're using?


Helpful info on issues revolving around FAT32/NTFS mounts under Linux can be found here.

DMR 152 Wombat At Large Team Colleague

You're running a slightly older (1.99.0) version of HijackThis.

Before we start to dig in, please download the latest (1.99.1) version and post a log from that version.

DMR 152 Wombat At Large Team Colleague

umm they CANT die....

Ahh... you'd be surprised what Danny can kill when he puts his heart into it. :mrgreen:

DMR 152 Wombat At Large Team Colleague

1.

Also, new error message on startup:

C:\WINDOWS\NAIL.EXE
Windows cannot find 'C:\Windows\Nail.exe'...

Have HJT fix this one again and let's see if it takes this time:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


2 .

Your instruction 2b) 023 - service..... wasn't there...and couldn't find "Delete an NT service"...

Ah- thanks for that info; it alerted me to something I missed before:

You are running a slightly older version of HijackThis. Please download the latest version (1.99.1) from here, run it, and post the log that new version generates.

DMR 152 Wombat At Large Team Colleague

It looks like one of the QT plugin's file-association entries in the Registry got corrupted somehow.

You can have HJT fix the entry, but you may have to reinstall or update QuickTime to regain whatever functionality might have been lost as a result of the corruption.

If you're curious, you can open up the Registry Editor, navigate to HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\plugins, and look to see if a corrupted-looking "npqtplugin.dll" entry appears there as well.

DMR 152 Wombat At Large Team Colleague

Yeah, I had a good idea of what the program did, I just meant that I'd never actually used it. I can't, for that matter- we Californians don't even have NTL. ;)

Thanks for getting back to us; I'll marked this as a solved one now...

DMR 152 Wombat At Large Team Colleague

As the member who originally started this thread has not responded for (exactly) 1 year, the thread is considered abandoned and is being locked.

If the original poster would like this thread re-activated, please PM a moderator. All other members should start their own threads for their questions.

DMR 152 Wombat At Large Team Colleague

Hello The Unreal Wolf,

I don't know if you noticed, but this thread is almost a year old; a lot can change in that amount of time.

The Killbox is now called the Pocket Killbox, and can be downloaded here. I can't find a working link to DLLFix anywhere; my guess is that it isn't in use anymore. In any event, programs such as those are dangerous to use without having an expert give you directions that are specific to your particular infection.

If you need help, you should do the following:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:


Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log in a new …

DMR 152 Wombat At Large Team Colleague

1. Please download the following two "about:blank"- related removal tools. Also print out the instructions given for each regarding their setup and execution:

About:Buster and HSRemove


Run About:Buster and then run HSRemove, being sure to follow the directions you printed out in each case.


2. Open your Add/Remove Programs control panel and uninstall the PartyPoker program if it's listed there.


3. Run HijackThis again and post a new log.

DMR 152 Wombat At Large Team Colleague

Ahh... and there was much rejoicing in BrowserLand. :cheesy:

Glad we could (finally) help you get it all sorted.

Let us know if everything is really OK; I'll mark this thread as solved if so.

BTW: the last HJT log you posted looks clean. :)

DMR 152 Wombat At Large Team Colleague

I didn't know spyware, etc. had been ruled out as a problem...

My reasoning in that regard was:

A) While viruses, spyware, etc. can certainly cause sluggishness/slowdowns, they cause that behaviour because they "hog" available system resources (CPU time and memory), not because they throttle back the speed at which your processor is running.

B) Although a clean HJT log does not necessarily mean that you have no infections, your log is clean.


Since your HJT log also indicates that we are dealing with a laptop here, if you're really seeing a drop in actual clock speed it's much more likely due to something like power management than malicious infections.