DMR 152 Wombat At Large Team Colleague

A. If your BIOS is not holding custom settings, it's probably time to change the CMOS battery. A good indication (although not the only one) that your CMOS battery has died is that the computer will not retain the correct date and time.

B. Most BIOSes have an option to turn off floppy drive detection at boot-up and/or disable the floppy drive entirely. Systems usually will barf errors if the floppy is enabled in the BIOS but no floppy drive is installed.

Given that you say the BIOS is constantly reverting to default settings, problem B is most likely related to problem A. A new CMOS battery only costs a few bucks; try replacing that first and see what happens.

DMR 152 Wombat At Large Team Colleague

A few things:

1. That log looks very short; were you running in Safe Mode when you ran the HijackThis scan? If so, please try to post a log generated while booted into Windows normally.


2. C:\Program Files\Internet Explorer\IEXPLORE.EXE

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


3. C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


4. Please post the specific information from AVG's reports concerning the exact name of the trojan it detects and the location(s) of …

DMR 152 Wombat At Large Team Colleague

Does this happen on all sites, or just some?

Some sites are designed in such a way that when you hit the "Back" button, you just get redirected to the same page that you're trying to leave (regardless of what browser you're using). I'm not a web programmer, so I don't know the mechanics of it, but I do find it pretty irritating myself.

DMR 152 Wombat At Large Team Colleague

Although you could do that with many DOS and early Windows programs, you need to go through the true installation process with modern applications.

I'll give you the gory details of why that's true if you'd like, but the short answer is that just moving the program folders to the new machine will not work.

DMR 152 Wombat At Large Team Colleague

You might find more detailed information on the problem in your system logs. You can view the logs with the Event Viewer utility in your Administrative Tools control panel.

Look through the messages in the System and Application logs, especially those identified as "Error" or "Warning". If you find any information in the messages which could help pinpoint the problem, post the full and exact text of those messages here.

DMR 152 Wombat At Large Team Colleague

Sounds like you were driving it at a frequency it wasn't the happiest with. Glad you found a better setting.

Does the monitor itself have any sizing and centering adjustments? If so, you might be able to change those to get the rest of your screen space back.

DMR 152 Wombat At Large Team Colleague

If I were younger I would say : You guys rock! :)

lol. Kewl d00d!

Glad we could help. :mrgreen:

DMR 152 Wombat At Large Team Colleague

...Turns out it was one of those "Internet Accelerators" asking me if I wanted to install it.

Word to the wise: don't go places you don't trust, and read everything before you click it.

Absolutely.
They often word those pop-ups in a purposely misleading way, making it very easy to click the wrong button and end up installing the programs.

Also- you should stay away from all of those free accelerators, search toolbars, etc.; almost all of them come bundled with adware or spyware. The caveat "there's no free ride" probably applies to the Net more than it's ever applied to anything else...

DMR 152 Wombat At Large Team Colleague

Oops, my bad :o

I forgot: although WMP does show up in at least the Win 2K/XP versions of the Add/Remove Programs control panel (under the "Add/Remove Windows Components" option), uninstalling from there doesn't even remove the program itself, it only removes the Desktop/Start menu shortcuts to the program.

DMR 152 Wombat At Large Team Colleague

Thanks for following up on this one, Chris! :)

O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe

Those entries were actually probably valid; they're components of some of the digital audio/video editing and multimedia storage packages made by Avid Technologies/DigiDesign.
However, if I recall correctly, they don't need to run as start-up services unless you're using certain types of Avid storage solutions.


Aebeyes,

1. Judging from your latest log, it looks as though the nasties are gone. How does the system appear to be working now?

2. There are viruses known to either infect or replace notepad.exe; you may be infected by one. One quick thing to check is the file's size- on XP, C:\Windows\System32\notepad.exe should be 65KB; if it's some other size, that's a good indication that you're infected. Even if the size is correct, you should still run a couple of anti-virus scans to be sure:

- Get the most current updates for your McAfee anti-virus and run a full scan with that.

- Do at least a couple of these free online scans as well:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
http://www.kaspersky.com/scanforvirus.html
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

DMR 152 Wombat At Large Team Colleague

The only error message I get from RH is that the destination host is unreachable.

That can indicate a problem with the route/gateway settings on the RH box.

Open a terminal window on the RH box, type the following command at the prompt, and post the command's output for us:

route

DMR 152 Wombat At Large Team Colleague

The problem could be hardware or driver-related, but unfortunately you may be experiencing a bug in XP which I don't think Microsoft has really addressed.

In general, the error is saying that Windows cannot find or cannot correctly read a special piece of information on the floppy called the "Media Descriptor".


In terms of the bug, the only thing Microsoft has to say is that it's a problem with floppies which have been formatted with the "quick format" option. Their only suggestion is to only use floppies which have been formatted with the "Full Format" method. Not very helpful if you've already got important data stored on dozens of quick-formatted floppies.

If booting from bootable floppies works, but no floppies can be read from within XP, you're probably experiencing the bug; the fact that the computer itself can read the boot floppies pretty much means that the problem is with the OS and not your hardware.

However, you should check your hardware just to be sure:

- make sure the floppy drive's data cable is connected correctly (a common mistake is to plug the cable in upside-down) and firmly seated.

- make sure the cable is not damaged in any way.

- clean the floppy drive's head with a cleaning disk (if anyone still makes those) or with a cotton swab and isopropyl alcohol.

- update/reinstall the floppy controller driver.

- try another floppy drive that's known to be …

DMR 152 Wombat At Large Team Colleague

Hello Aebeyes- welcome to our forums. :)

Your log definitely does show indications of a few different infections, but I can't give you a full response right now due to the fact that it's dinner time in my end of the world.

I'll pass a message on to a few of our other spyware experts and ask if they can help until I'm able to return tomorrow.

DMR 152 Wombat At Large Team Colleague

If the problem truly does happen with any disk you try, there's a good chance that the floppy drive itself has failed. However, if you can give us more specifics on the model and age of your machine, the version of Windows you're using, etc., we'll probably be able to provide you with more info.

DMR 152 Wombat At Large Team Colleague

Hi Heidi719,

This does actually sound more like a general Internet Explorer issue rather than something caused by malicious infections, so I'm moving this to our Web Browser forum now. You should get more "eyeballs" on your question in that forum.

DMR 152 Wombat At Large Team Colleague

Ok- your log shows signs of a few different infections, a couple of which can be rather persistent. Given that, this will be a multi-step cleaning process, so please bear with us.


1. You'll need to download a few detection and removal tools; we'll probably need them later on in this process. Please just download each and save them into their own separate folder for the moment.

LSPFix: http://www.cexx.org/lspfix.htm
The Pocket Killbox: http://www.bleepingcomputer.com/files/killbox.php
RKFiles: http://skads.org/special/rkfiles.zip


2. Uninstall any and all Wild Tangent programs using your Add/Remove Programs control panel. The Wild Tangent programs come bundled with adware/spyware. Do the same for the SideStep program, for the same reason.


3. Have HJT fix the following entries:

R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [U0dQurU.exe] c:\documents and settings\owner\local settings\temp\U0dQurU.exe
O4 - HKLM\..\Run: [nsvcin] C:\Documents and Settings\Owner\n20050308.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\inrkmv.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll

DMR 152 Wombat At Large Team Colleague

Faulty RAM can do all sorts of strange things, so I wouldn't rule it out (especially given that you seem to have replaced almost all of the other major components).

Also: this may be a long shot, but I know that at least a couple of models of laptops will start to exhibit symptoms (including locking up and/or not booting up properly) if either their main battery pack or the CMOS/motherboard battery are failing.

Unfortunately, I'm not very familiar with the Tecra laptops, so I can't say specifically what other components you might want to check.

DMR 152 Wombat At Large Team Colleague

You're welcome homescool; good luck with the hunt!

Apparently the maximum OS that a Performa 6200 could handle is OS 9.1. So when you purchase OS9 from wherever, keep that in mind.

Yes, I think that's true. Also- if I recall correctly, 9.1 fixed some bugs in 9.0 that were causing a lot of people problems, so you probably want to get 9.1 if possible.

DMR 152 Wombat At Large Team Colleague

...I was wondering if I could legally change the registration terms and conditions so that it states if you start a new account on my forums with the intent of malicious or corruptive I can then fine that person money (a lot of money).

You can change the conditions in your Acceptable Use Policy and other such statements on your site, but there's nothing to say that they will be legally binding to any of your members.

For one thing, you'll still have to find and identify the offending members before you can take any action against them. Additionally, you may quite well find that the laws in your area don't even apply to the members in question anyway; there's really not much in place yet in terms of global law regarding any of this.

DMR 152 Wombat At Large Team Colleague

It's been a while since I've dealt with that era of Macs, so I might not be right about some of the following; it comes from now dim and distant memory:


1. First of all, to upgrade to any version of OS 9, you need to be running at least OS 8.5. Unfortunately, I have absolutely no idea where you can get the software for any part of that migration path at this point; eBay, Craig's List, or some similar avenue might be your best bet.


2. No current version of OS X will run on that machine at all as far as I know (they require at least a true G3 CPU), and if I recall correctly, the only way to get even the early versions of OS X on to such a machine involved installing a processor upgrade card.

DMR 152 Wombat At Large Team Colleague

If you're connecting the computers together directly (that is, not through a hub/switch/router), you need to make sure you are using a "crossover" Ethernet cable; the computers will not be able to communicate if you try to connect them using a standard Ethernet cable. The following link has a bit more information on the whole "crossover vs standard" cable issue, including pictures which will help you identify the difference between the two types of cable:

http://www.aptcommunications.com/ncode.htm

DMR 152 Wombat At Large Team Colleague

Thanks for that link sukiyaki99. :)

I found the original thread (at Geeks To Go) that the instructions in your link were distilled from, but now I don't have to go through that thread and re-distill the instructions myself.


jackolos,

If you have any questions about the procedure sukiyaki99 linked to, please ask us for help; if you accidentally delete the wrong file or make some other such mistake you could cause more problems than you have now.

DMR 152 Wombat At Large Team Colleague

You're welcome.

Yeah, just talk to the folks at the hosting company and explain what you want to do. They may not be able to swing it for you, but you never know...

DMR 152 Wombat At Large Team Colleague

Have (obviously) gotten PM. Thanks again Chris.

DMR 152 Wombat At Large Team Colleague

First of all, please uninstall Spyware Begone. The program is bogus in that it is known to "warn" you of infections that may not even be present on your system in an attempt to scare you into paying $$ for their full package. More on that and other bogus "anti-spyware" programs can be found here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


I have more info on your original problem also, but I won't have time to post that until tomorrow- please hang in there until then.

DMR 152 Wombat At Large Team Colleague

ok yeah i think that answers my question...i will just be careful not to do anything potentially risky on the internet while not at my home. Thanks for your help.

You're welcome.

Yeah- when you jump on someone else's network you never know what might happen. Usually nothing will if you're only latching on to their network to grab a few minutes of Net access; they'll probably never even notice you. However, if their network has virus-infected machines on it, the viruses might notice you! :D

DMR 152 Wombat At Large Team Colleague

OK, I see now. Judging from your first post I was under the impression that you were hosting on your own server (meaning that you were also the server admin), but that doesn't seem to be the case.

Disk quotas are set up and controlled by the server admins, who in this case would be Surpass Hosting's techs. They're the ones who configured the 3G limit for your account, and although they may have some way for you (or they) to further slice up and manage that 3G, you would really have to speak with them about that. I looked on their support site, but there was nothing I could find there which answered the question of whether or not they would or could do such a thing.

Not having an account with them, I also couldn't look into what user/account management tools are available to you as the account owner. They do seem to use the WebHost Manager (WHM), which has the ability to manage quotas, but A) I don't know if they let you use those features, and B) they're running Linux servers by the looks of it; you would need to be familiar with that operating system in order to manage things like your disk quotas.

DMR 152 Wombat At Large Team Colleague

Is it possible for a laptop setting up a network to change the network type to an access point rather than a computer to computer network?

To change the type? No, not in the way I think you mean.

A normal computer can be configured to be an access point, but once you form a network by joining client computers to that access point, you're really creating a new type of network, not changing the existing one. Basically, you would be tearing down the old ad-hoc (IBSS) network and reconfiguring the computers to form a new infrastructure (BSS) network.


If I've misunderstood what you're asking, just let me know.

DMR 152 Wombat At Large Team Colleague

Chris- could you give me an update on this new QL strain when you get a chance if possible; I haven't had time to keep up.

Thanks.

DMR 152 Wombat At Large Team Colleague

i just read this article and it says that you can log on to anothers computer with out knowing it thinking its a hotspot. My question is in wireless settings there are 2 types, access point and computer to computer.,,,

Technically, the differentiation is between "infrastructure" mode and "ad hoc" mode; the former being a connection via a wireless router/access point/etc., and the latter being a direct computer-to-computer connection. Google is your friend for more specifics on that one. :)

If i have only access point set would i be safe

Nope, not if you have no other security protections in place. We've got a bit of a running (my fault) thread on wireless security issues here that might shed more light in that regard.

I connect to about 20 different access points everyday that i have no idea what they of or who owns them so im a bit concerned.

You should be able to determine which are access points and which are stand-alone (ad-hoc) wireless computers via Windows' "View available wireless networks" option. In general though, I'd be concerned when connecting to any unknown network unless you're sure your own machine's security is up to snuff.

DMR 152 Wombat At Large Team Colleague

The two things you haven't mentioned are RAM and the power supply- have you tried to verify either of those yet?

DMR 152 Wombat At Large Team Colleague

That's called a disk quota. How it's implemented in general (and what options you have specifically in that regard) will depend primarily on what operating system you're using.

Give us more specific info on your setup and we'll try to help from there.

DMR 152 Wombat At Large Team Colleague

Hi chmoke,

Please give us more specific information (make/model of router and laptop, version of Windows, etc.); without such info, we really don't have a heck of a lot to work with.

DMR 152 Wombat At Large Team Colleague

Thanks Chris ;)

DMR 152 Wombat At Large Team Colleague

My apologies- I submitted a response to your question, but it doesn't seem to have gone through.

The basic gist of that response was this: It's the end of the day in my end of the world (California) and I need to log off and start thinking about dinner and other real life matters. However- I've sent a request to our other troubleshooters (who live in other areas of the world) asking them if they can follow up with this until I come back online tomorrow. If crunchie, dlh6213, or caperjack respond to you before I get back, please follow any instructions they give you and let us know the results.


<EDIT>:

Well that was quick- I see that caperjack is on it already....:mrgreen:

Thanks cj!

</EDIT>

DMR 152 Wombat At Large Team Colleague

1.

...when deleting my temp files and cookies I couldn’t delete Index.dat as it just wouldn’t delete! Should I delete the folder that it is in?

Note what I mentioned earlier regarding the index.dat (and desktop.ini) file:

Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

2.

BTW (fingers crossed) this seems to have eradicated the hotoffers problem.

Yes, but you are still infected with other nasties; see below:


3.

I'll have to wait til moro nite to try the KVS DL for Bube as its late now (11pm here) to start, but I take it that should be my next port of call??

Absolutely; do that as soon as you can. Entries in your last log still do indicate the bube.d infection. Also submit the netcheck.exe file for scanning as crunchie advised and give us the feedback on that once you've had a chance to do so.

DMR 152 Wombat At Large Team Colleague

As long as it doesnt start smoking im not gonna worry about it.

But if it does start smoking, you should definitely start worrying. :mrgreen:

"Sizzling" isn't exactly what you'd call a definitive technical term by any stretch, but when a monitor or TV is making that sort of noise it can often be indicative of arcing or other Bad Things going on with the flyback circuitry and/or other high-voltage areas of the device. Since "high-voltage" means tens of KiloVolts when you're talking about CRTs, and also considering the fact that the CRT tube itself is a giant capacitor which stores that charge even long after the power cord has been disconnected, I would highly suggest that anyone experiencing such problems not casually crack the chassis just to poke around in there...

DMR 152 Wombat At Large Team Colleague

*Groan*

Yeah- given the fact that the fixes in the links I gave didn't work for 100% of the others who've had this problem, I'm not surprised that they didn't solve it for you either. As I said before, MS doesn't seem to have published an official fix for this particular one yet, so you might just be stuck with it until they do.

You can certainly go the route of removing WMP to see if that makes a difference; the program does have a history of security-related issues, and there are better media players out there anyway. I'm not sure if doing so will keep the update from trying to install itself, but it can't hurt to try...

DMR 152 Wombat At Large Team Colleague

- Believe it or not, people are reporting Good Things about Microsoft's new Anti-Spyware utility. It's only a beta release right now, but you might want to give it a try.

- There are a couple of anti-virus programs out there which are keeping a few steps ahead of Norton/Symantec and McAfee in terms of "spyware" detection and removal:

KAV: http://www.kaspersky.com/products
AVG: http://www.grisoft.com/doc/1

- Tighten up some of Internet Explorer's default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

- Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

- In addition to SpywareGuard & SpywareBlaster, install IE-SPYAD as an additional measure of protection.

- Obviously, make sure to keep your system current on all of the latest Windows critical fixes by using Windows' Automatic Update feature.


In terms of the Viewpoint software: you might find that it returns at some point in the future. The software is used with online multimedia content, so if you visit a site which uses that type of content, the program may get reinstalled.

DMR 152 Wombat At Large Team Colleague

It's a known issue, but as far as I could find, Microsoft hasn't published an official fix.

Here are a few links to other discussions of the problem; it might involve a bit of "trial and error", but see if any of the suggested fixes work for you:

http://www3.telus.net/dandemar/828026.htm
http://www.annoyances.org/exec/forum/win2000/t1067828483
http://forums.wugnet.com/-KB828026-ftopict346665.html
http://www.maxpc.co.uk/tips/default.asp?pagetypeid=2&articleid=33781&subsectionid=718&subsubsectionid=562

DMR 152 Wombat At Large Team Colleague

That's a very clean log, but I do see one "nasty" there.

1. Have HJT fix:

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\pvvirz.exe


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Locate the C:\WINNT\System32\pvvirz.exe file, delete it, and then empty your Recycle Bin.


3. Run HJT again and give us a new log.

DMR 152 Wombat At Large Team Colleague

No- that is definitely not normal, and may be indicative of failing electronic circuitry in the monitor itself.

DMR 152 Wombat At Large Team Colleague

No luck. Any more suggestions?

A long shot, but coincidence perhaps? Which exact sites are you now having trouble with, and are the access problems limited to only those sites?

DMR 152 Wombat At Large Team Colleague

If the "problem" reoccurs, you may just have some valid program or process running which needs to take priority over other processes every once in a while. Anti-virus programs and other programs with "auto-update" features can cause the sort of behaviour you're seeing.

DMR 152 Wombat At Large Team Colleague

Hi jay2511,

Your HJT log doesn't show any indications that malicious programs are the cause of your problem.

Since you've already determined that something is spiking your CPU usage, I'm assuming that you've discovered that through Task Manager. You can sort your running processes in the Task Manager by their CPU usage just by clicking on that heading; what are the most CPU-intensive processes listed there?

DMR 152 Wombat At Large Team Colleague

Alright, here we go. And yes- it will be messy, especially given that you're on dial-up and the "nasties" are mucking with your ability to download.

First of all- Do you have access to a (non-infected) computer with a faster Net connection and the ability to burn a CD? If so, we can give you the download links for the utilities that might be helpful in your case and you could install them on the infected machine that way.

Whether or not you do, let's start with some manual removal and see where that gets us. Please print out the following instructions and then physically disconnect your phone/modem line from the computer during the course of this unless we specifically ask you to go online.


1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzimiaeqdiepbmogecdfa.co...UJFKrntDyD.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no …

DMR 152 Wombat At Large Team Colleague

...and we will attempt to clean up what we can...

*Groan* Just give me a moment to remember where I put that pair of surgical gloves first, OK? :D

DMR 152 Wombat At Large Team Colleague

Other than ones mentioned earlier...Turn off SSID. There is no reason to tell everyone your WiFi AP is there, and your machines should know about it already, right?

Yup- been there... ;)

Disable SSID broadcasting so that your SSID is not visible to the outside world.

DMR 152 Wombat At Large Team Colleague

Dial-up eh? Yes, that can make things more tedious, but try to bear with us. Unfortunately, some of these infections are very difficult to remove, hence the need to use multiple utilities in the cleaning process.

Do the bube removal process when you get a chance and give us a fresh log after that. When you do go through the removal steps, make sure to run both programs (Kaspersky's and Microsoft's) mentioned in the article crunchie linked to; neither one alone seems to fully take care of the infection.

DMR 152 Wombat At Large Team Colleague

That still looks pretty ugly. :(

Did you have a chance to follow (exactly and completely) the bube infection removal procedures in the link that crunchie gave earlier?

If not, you need to do that now. While you definitely have other "unwanted guests" on your system, the bube infection is probably the most persistent of all, and it should be dealt with first.