DMR 152 Wombat At Large Team Colleague

Moving the thread to the Virus forum

Thanks Christian.

Hi nicwat- welcome to DaniWeb. :)

Please give us the information MichaelV asked for; the more specifics we have to work with, the faster we'll be able to help you get your system clean.

If you don't already have (and don't want to spend money to get) an anti-virus program like Norton/Symantec or McAfee, do the Trend Micro scan MichaelV mentioned, and also download this very good free anti-virus program called AVG from:

http://free.grisoft.com/freeweb.php


One thing you should know is that not all "nasties" that can infect your system are traditional viruses, and as such often cannot be detected and/or removed by traditional anti-virus programs. If you cannot remove the infection(s) by following the suggestions we've given so far, please do this:


Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded:

1. Create a folder outside of any Temp/Temporary folders for the HJT download and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

2. The downloaded file is a compressed "Zip" file, which will need to be unzipped. If you are using Windows XP, right-click on the zip file and choose the Extract option from the resulting menu. This will start the Windows file-extraction wizard; just follow the wizard's prompts to unzip the actual hijackthis.exe program

3. Double-click on the hijackthis.exe file to run the program. Do not have …

DMR 152 Wombat At Large Team Colleague

I gathered from the past dealings with this problem, that the idea of fixing the problem was to empty all of my temporary files and not to increase the size of them.

That is correct.

No offence meant to macseyco, but please do not follow his/her advice about increasing the size of your TIF cache; the smaller that folder is, the better.

I need to log off and start thinking about dinner at the moment, but these entries in your HJT log indicate that you do still have some unresolved problems; hopefully one of our other anti-spyware experts will come online shortly to assist you:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
O19 - User stylesheet: (file missing)

DMR 152 Wombat At Large Team Colleague

Strangely enough, sometimes Windows will give you an error to that effect if you try to delete a folder in a certain way, but will allow you delete the folder if you do it a slightly different way.

Try this exact method if you haven't already:

- Boot into Safe Mode again just to be on the safe side.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- In the left-hand pane of Explorer, navigate to and click on the C:\WINDOWS\isrvs folder. This will display a list of the files contained in the isrvs folder in the right-hand pane of Explorer.

- In the right-hand pane, click on and try deleting each of the individual files listed there one at a time. For any file you encounter which cannot be deleted, note that file's name and continue deleting the rest.

- Go back to the left-hand Explorer pane and click on the C:\Windows folder to display the list of that folder's contents in the right-hand pane.

- In the right-hand pane, navigate to the isrvs folder and try to delete it.

DMR 152 Wombat At Large Team Colleague

Application Hijacking has been detected
The application: C:\WINDOWS\system32\cisvc.exe try to launch another application: C:\WINDOWS\system32\cidaemon.exe

That one is actually a legit event; both of those .exes are Windows programs related to content indexing.

Keep in mind that firewall programs are not perfect: they may not differentiate between valid and malicious activity (until/unless you tell them to do so), and they are not "aware" of all of the different programs/processes that might possibly generate network activity. When you first install a firewall package there can be a "learning period" wherein you will need to tell the software how it should handle events that it does not know what to do with. As you do so, the firewall program will eventually gain enough knowledge of your system to be able to handle events on its own. As you can probably guess from what I've just said, you'll need to know a bit about networking and network applications in order to make your firewall most effective, because as it comes "out-of-the-box", the firewall may not be ideally configured for your particular situation.


I also figured out that another remote computer was accessing svchost.exe which somehow had something to do with my internet connection.

svchost is a Windows process which is responsible for handling many other Windows processes/services, so activity involving svchost is often normal. Good call on blocking the access attempt though; that sort of communication isn't something you just want to blindly allow.

In terms of …

DMR 152 Wombat At Large Team Colleague

Unfortunately, it won't be possible to retain your currently-installed Internet setup if you're going to reinstall from scratch. However, depending on the type of Internet connection you have, that might not be such a big deal.

Internet Explorer will be included with the Windows OS, others can be downloaded.

Right- the browser software will be installed with Windows. It has to be actually, because Internet Explorer is part of the Windows operating system itself.
Depending on how your ISP set you up, you may have to configure your Internet connection manually, so it would be a good idea to copy down your current networking information (IP address, subnet mask, DNS server IPs, etc.) before you wipe the machine.

If it's the disc from your ISP, you will probably need to request a new one.

Also- you may not even need any special software; many ISPs do supply a custom browser and/or their own connection software, but you often don't really need such software to set up and use your connection:

- If you're on dial-up, you should be able to run the Windows "Make new connection" wizard and enter your access phone numbers, user name, password, etc. in the wizard to set up the connection.

- If you have Cable, your ISP most likely uses DHCP to configure your network setting automatically. If that's the case you shouldn't have much problem; Windows defaults to using DHCP, so it should automatically get its connection info when you …

DMR 152 Wombat At Large Team Colleague

Even more, I disabled the internet connection in case some opportunistic hackers get in when the door is open.
foxkueh

Good thinking.

Did the LOP remover have anything informative to say? How are things running now?

DMR 152 Wombat At Large Team Colleague

Hi gfuller,

You are running a rather old version (1.98.2) of HijackThis. Please download the latest version (1.99.1) from the link in my sig below and post the log the new version generates.

Thanks.

DMR 152 Wombat At Large Team Colleague

Hi mnh00002- welcome to DaniWeb. :)

One of our guidelines for posting in these forums is that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Given that, I've split your post into its own thread, which you can find here:

http://www.daniweb.com/techtalkforums/showthread.php?t=21716

DMR 152 Wombat At Large Team Colleague

Yes, disable Avast. Different malware detection and removal utilities don't always coexist peacefully. Sometimes one utility will incorrectly interpret the actions of a second utility as abnormal/viral behaviour and will (or will attempt to) keep the second utility from doing its job.

DMR 152 Wombat At Large Team Colleague

Giving us the exact model # of your laptop would be helpful... ;)

DMR 152 Wombat At Large Team Colleague

Hi there; welcome to DaniWeb. :)

Please give us some background info concerning the problem (when it started happening, if you made any changes to your system at or around the time the problem first occurred, what version of Windows you're using, etc.) and also give us as much detail as possible about your network/Internet setup.

Once we have more specific details to work with, I'm sure we can definitely help you out.

Thanks.

DMR 152 Wombat At Large Team Colleague

Great, glad we could help! :)

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:

1. Use the Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

DMR 152 Wombat At Large Team Colleague

I can not log onto planetringtone.net, it just refreshes the page and their tech support won't help me.

Do you have the login problem only at that particular site, or do similar problems occur with other secure sites (sites where you have to log on with a username/password)?

DMR 152 Wombat At Large Team Colleague

Good job- I don't see any more evidence of the "nasties" in your latest log! :)


Here are a few general things you can/should do to minimize your chances of future virus/malware infections (some of which you seem to be doing already):


1. Use the Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can …

DMR 152 Wombat At Large Team Colleague

OK- to get rid of the ACCRA reference, try this instead:

1. Open Windows Notepad and copy the bold lines below into the notepad document. Save the file to your desktop as "fixaccra.reg" and save as "Type" *all files*

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACCRA]


2. Double click the fixaccra.reg file and answer "yes" at the prompt to merge.


3. Reboot, run HJT again, and see if the ACCRA service has been removed.

DMR 152 Wombat At Large Team Colleague

Nope, she's run SpyBot, Avast, and Norton Antivirus

There are many infections out there that the above programs cannot detect, or cannot properly remove. Given that system lags/slowdowns are often indications of an "unwanted guest", I'd suggest that there's still a chance that the computer is not 100% clean.

Of course, there are definitely other reasons for slowdowns; does the behaviour only occur in Internet Explorer, or is it noticeable when working with other programs as well?

DMR 152 Wombat At Large Team Colleague

Yes, I think a HijackThis log would be a good thing at this point.

However: Please be sure to post your HJT log in a separate new thread in our Viruses, Spyware, and other Nasties forum. That forum is where we concentrate on HJT log analysis.

Thanks.

DMR 152 Wombat At Large Team Colleague

I am guessing the problem is with my computer because somehow svchost.exe is changing itself to: (supposed to be blank).
i have a trial version of hacker eliminator and that is what it says.

Can you clarify what you're trying to say there or give us the full text of the warning/message please? It's a bit unclear as to just what is being changed, but it could be the sign of a malicious infection.

When I go to manage programs DHCP is off and has an error...

Again, specifics would be good; the more information you can give us up front, the faster we'll be able to help you track down the cause of the problem.

DMR 152 Wombat At Large Team Colleague

Not wanting to contradict our young padawan :), you should delete the F3 entry in your log.

D-oh! No contradiction at all- I totally missed that F3 entry. Thanks for the catch. :)

DMR 152 Wombat At Large Team Colleague

First of all THANK YOU to you, Crunchie, and DMR. You guys have been AWESOME!!

Thanks to you as well. As volunteers here, appreciation of our efforts counts a lot; glad we could help. :)

I am wondering where and what you saw in my log to know that it was infected.

[Yoda]
Anti-spyware force very strong it is in this "crunchie" one. Question not do we what he knows and what he does; if speak It he does, true then It does be.
[/Yoda]


Seriously though:

- Your latest log looks infection-free.
- You should delete the entire C:\WINNT\isrvs folder. It, and any contents within it, were created by one of the infections you had. If you can't delete the folder while booted into Windows normally, try it while booted into Safe Mode as I described earlier.


Let us know if you have any further problems...


DMR 152 Wombat At Large Team Colleague

Hi quicksilver,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

OK, good. Test-drive the system for a while and let us know if anything abnormal crops up.

DMR 152 Wombat At Large Team Colleague

I have recommended the use of the uninstaller countless times and have not had one user return saying that it caused problems with their PC :).

Agreed. The LOP removal utility is entirely legit, but as I said before- one of your other detection/protection tools may be warning you simply because its name contains "lop".

DMR 152 Wombat At Large Team Colleague

Since Linux is a UNIX variant, a book on UNIX can give you some good general info and background. However- file/folder structures, command syntax, and many other things vary not only between AT&T and BSD UNIX, but also between different versions of UNIX variants like Linux as well.

The threads in this search link will give you many more suggestions for online and hardcopy Linux resources:

http://www.justlinux.com/forum/search.php?action=showresults&searchid=1080882&sortby=lastpost&sortorder=descending

DMR 152 Wombat At Large Team Colleague

The early Partition Magic did have some issues but I have adjusted and created partitions on hundreds of systems without a single problem with the newer version 8.

Right. As I said earlier, newer versions of Partition Magic don't seem to cause the types of problems that earlier versions did.

Also- even the earlier versions of PM worked fairly well with Windows systems; problems cropped up more often for non-Windows users. IIRC that had, at least partially, something to do with the way that PM dealt with partition and cylinder boundary alignments.

DMR 152 Wombat At Large Team Colleague

Please post the full and exact contents of the error you are getting. We'll be able to help you much more quickly that way.

DMR 152 Wombat At Large Team Colleague

It sounds as though one of your anti-virus/anti-spyware programs is still active in some way and is blocking your attempt to run the LOP removal utility, perhaps because the utility itself contains the word "lop".

You'll need to find out which program is stopping you from running the utility and make sure that program is entirely shut down; just choosing "Disable" from a program's options doesn't always completely turn it off if the program is already up and running.

DMR 152 Wombat At Large Team Colleague

Thanks for the details. Information on the "MRxSmb" log entry and possible fixes for the problem can be found in some of the following links:

http://www.google.com/search?hl=en&lr=&q=MRxSmb+%22The+redirector+failed+to+determine+the+connection+type%22&btnG=Search

Messages #2 - #4 are cascading results of the error indicated in the initial MRxSmb message, messages 5 & 6 are the result of your system trying to recover from the initial error and reconnect to the DHCP server (the router in this case), and message 7 indicates that the router is rejecting that request.


Earlier, you posted:

we tried assigning a static IP, no luck, or we did it wrong.

You should try that again, and this time also disable the DHCP client service on the machine in question when you do. I can post details on that later (I don't have time right now), but unless your network card or perhaps the router have gotten confuzzled (yes, "confuzzled" is a valid technical term), this really sounds like a DHCP issue.

DMR 152 Wombat At Large Team Colleague

Sorry, I forgot that the service has to be disabled before it can be deleted.
Do the following (logged in as a user with Administrator rights):

- Open the Services utility in your Administrative Tools control panel.

- Locate the ACCRA service and double-click on it to open its Properties window.

- Click the "Stop" button and wait for Windows to terminate the service. If the service is enabled but not currently running, the Stop button will be greyed out; just go to the next step.

- In the "Startup Type:" drop-down menu, choose Disabled.

- Click OK to close the Properties window, and then close the Services utility.


Yes, you can go back on the Net now.
Here are some general recommendations that you should follow ASAP to minimize your chances of getting reinfected once you do go back on line (I see that you've done some of them already):

1. Use the Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially …

DMR 152 Wombat At Large Team Colleague

Also:

Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities "harden" areas of your system known to be vulnerable to malicious attacks.

DMR 152 Wombat At Large Team Colleague

Hi phobos- welcome to TechTalk. :)

This may be a long shot, but the "wake on lan" (WOL) networking feature sometimes causes this behaviour.

If you haven't done so already, disable WOL in the BIOS, and uncheck the "Allow this device to bring the computer out of standby" option in the Power Management tab of your network card's Properties window.

DMR 152 Wombat At Large Team Colleague

I suggest opening up another thread and, when you do, tell us about the environment between the wireless components in detail.

Yes.

Hi lammerlaws_kid, welcome to DaniWeb! :)

To avoid confusion, we do ask that members who need assistance start their own thread rather than "tagging" their questions on to a thread belonging to another member. Being new to this site, you should have a read through our posting guidelines to get acquainted with our general forum policies:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks.

DMR 152 Wombat At Large Team Colleague

Good job- I don't see any signs of active nasties in your new log. :)

You may just be able to delete the Viewpoint software through the Add/Remove Programs control panel, but I wouldn't sweat it if you can't. Viewpoint deals with multimedia content, and it gets on your system from sites that display such content. The program isn't a true infection, but it does "phone home" to Viewpoint's servers without notifying you, so it's considered to be a privacy infringement. That's the reason I suggested you get rid of it.

The following entry seems to be stuck in your log, although the actual malicious file is being reported as missing, so the entry is probably just a loose end. See if you can make it go away by doing the following:

In HijackThis, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter "ACCRA" (omit the quotes) and then press OK.

DMR 152 Wombat At Large Team Colleague

Your latest HJT log looks much better. :)

Crunchie is offline right now, but he should be back in a few hours.
Since he's got this ball rolling in a certain direction, I'll let him finish rather than suggesting anything myself for the moment.

DMR 152 Wombat At Large Team Colleague

But...I still don´t have a place to go to ask questions about Firefox.

We're discussing that in one of the staff forums right now, and actually, it's your very post here which caused the question to be brought up. :)

Judging from the staff feedback so far, it looks like the Internet Explorer forum is probably going to be renamed and expanded into a general web browser forum some time soon.

DMR 152 Wombat At Large Team Colleague

One suggestion. On posts by those folks without a sig, there should be some more white space at the end - esp, if the post is a one-liner, it´s almost lost...

Agreed; I'm having a bit of a problem with that as well.

DMR 152 Wombat At Large Team Colleague

Ahhh... much better on the eyes; thanks.

Variants of this particular parasite can be difficult to remove, so this will be a multi-step process.

Credit: most of the following instructions have been shamelessly snorfled from our member "crunchie".

A. Download CWShredder 2 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.


B. Download about:Buster, unzip to your desktop, run it, and then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Click "Start".

(Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.

9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. Reboot.


C. Download and run HSRemove.


D. Reboot, run HJT again, and post a fresh log.

DMR 152 Wombat At Large Team Colleague

What in the world can I do in order to have a Login page be displayed (or something) when I click on my Desktop Internet Explorer Icon?

Internet Explorer doesn't have that functionality itself; you usually set that up in the connection software supplied to you by your DSL provider. The exact procedure would depend on the particular software package your provider gave you though, so I can't be any more specific at the moment.

DMR 152 Wombat At Large Team Colleague

Welcome to Daniweb mylo2002, I think if you post your question in the internet explorer forum then you will get a better reply.

Yup.
Buckle up- we're off to the Internet Explorer forum now...

DMR 152 Wombat At Large Team Colleague

The tracks are there in mp3 format on the cd's

Unless you've got an mp3-capable player in your car, you just answered your own question. ;)

The CD players in cars (and a lot of home stereos, for that matter) don't recognize the mp3 format; you have to burn your disks in the "Red Book" audio CD format. You must have changed the format setting in your burner software somewhere along the line.

DMR 152 Wombat At Large Team Colleague

Is there a possibility that you could try to post that log again?
As you can see, the line break/spacing came out pretty strangely, making it difficult to correctly interpret the log's contents.

DMR 152 Wombat At Large Team Colleague

The first thing to do when troubleshooting network/Internet related problems, especially problems involving security/privacy issues, is to make sure that your firewall software is completely disabled.

Since you said you had McAfee, I'd suggest that you go into the program's options, turn off the option to start the program automatically when Windows starts, and then reboot. Simply choosing "Disable" in McAfee's options once the program is already running doesn't usually shut down all of that program's components.

If you can log in to the site in question once McAfee is turned off, that's a pretty good indication that some preference/setting in McAfee needs to be adjusted.

DMR 152 Wombat At Large Team Colleague

Well, blatant advertising for Firefox shouldn't be in the IE forum either as it has nothing to do with IE :cheesy:

Sure it does- This is a forum for fixing problems with IE, and Firefox certainly does that. :mrgreen:

DMR 152 Wombat At Large Team Colleague

If you haven't already, download another web browser (Firefox, Netscape, etc.) and see if it experiences the same problem. That could help you determine if you have a hardware problem, or a software problem.

DMR 152 Wombat At Large Team Colleague

Then, close all browser windows...

Yes. HijackThis cannot properly perform all of its fixes while Internet Explorer is running. The following entries in your log indicate that you had at least 3 instances of Internet Explorer running when you did your HJT scan:

C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

DMR 152 Wombat At Large Team Colleague

Blue Screen of Death

A fatal error which brings the machine to a halt. When this happens, the system will cough up a blue screen with an error message on it and perhaps some cryptic numeric codes.

BSODs can be caused by anything from viruses to faulty hardware; the exact error message and codes from a given BSOD may be useful in determining the exact cause.

DMR 152 Wombat At Large Team Colleague

These need to be fixed also:

O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"

The "requester" file is a malware variant that can morph its name, so you might have other "requester.some random number.exe" files on your system. Find and delete any/all files with names that fit this description.

DMR 152 Wombat At Large Team Colleague

Almost there; just a few more things:

1. Have HJT fix:

O2 - BHO: (no name) - {01E7D903-F1EB-E2D7-883D-ADCD90AFD7E2} - (no file)
O2 - BHO: (no name) - {28933B1B-FB04-2726-F639-2605F5CA345F} - (no file)
O2 - BHO: (no name) - {8948B04A-7947-2192-28B5-3B9B67B96AC8} - (no file)
O2 - BHO: (no name) - {D6DBE33B-0B69-B08E-878F-D3A57CD4B60D} - (no file)
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O23 - Service: ileudoeujjek (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\r_server.exe" /service (file missing)


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Search for and delete the NETSTATT.EXE file; it's part of a backdoor trojan infection.
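As an added illustration (my own code, not DMR's and not part of HijackThis), here is a small Python triage helper that applies the checks made by hand in this post and in the earlier "requester"/hosts post to HijackThis-style log lines: entries whose target file is missing, O1 hosts-file overrides, O4 Run entries that name a bare executable or follow the requester.<number>.exe pattern, and R0/R1 start-page entries set to a URL. The sample log is constructed from the lines quoted in the thread plus one benign service line I made up; the rule wording and the "Microsoft Corporation" owner string are assumptions.

```python
"""Triage of HijackThis-style log lines (added example, not part of HJT).

Each rule mirrors a check made by hand in the thread: an entry whose target
file is absent is a loose end, an O1 line rewrites name resolution through
the hosts file, an O4 Run entry that names a bare executable or matches the
requester.<number>.exe pattern deserves a look, and an R0/R1 start page set
to a URL should be one the user actually chose.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in the thread plus one benign service line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: (no name) - {01E7D903-F1EB-E2D7-883D-ADCD90AFD7E2} - (no file)
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"
O19 - User stylesheet: (file missing)
O23 - Service: ileudoeujjek (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\r_server.exe" /service (file missing)
O23 - Service: Indexing Service (cisvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] target   (Run, RunOnce, ...)
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# O1 body: Hosts: ip hostname
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# Morphing file name DMR describes in the earlier post: requester.<digits>.exe
MORPH_RE = re.compile(r"requester\.\d+\.exe", re.IGNORECASE)
STALE_MARKERS = ("(no file)", "(file missing)")
LOCAL_IPS = ("127.0.0.1", "0.0.0.0", "::1")  # hosts entries that only block a name


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def check(section: str, body: str) -> list:
    """Return the reasons (possibly none) an entry deserves attention."""
    reasons = []
    if any(marker in body for marker in STALE_MARKERS):
        reasons.append("stale entry: target file is absent, a loose end HJT can remove")
    if section == "O1":
        m = O1_RE.match(body)
        if m and m.group("ip") not in LOCAL_IPS:
            reasons.append(f"hosts override: {m.group('host')} is pinned to {m.group('ip')}")
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            target = m.group("target").strip().strip('"')
            if "\\" not in target:
                reasons.append("Run entry names a bare executable; locate it before trusting it")
            if MORPH_RE.search(target):
                reasons.append("matches the requester.<number>.exe morphing pattern; look for siblings")
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value.lower().startswith("http"):
            reasons.append(f"browser page set to {value}; confirm you chose it")
    return reasons


def triage(log_text: str) -> list:
    """Parse every recognised line and collect one Finding per reason."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header text, blank lines, running-process paths, etc.
        section, body = m.group("section"), m.group("body")
        for reason in check(section, body):
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Running it on the constructed log flags eight entries and leaves the benign cisvc service line alone; the output is a review list, not a verdict, so each hit still needs the kind of judgement shown in this thread.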

DMR 152 Wombat At Large Team Colleague

There are no indications of malicious infections in your log.

Are you still experiencing any of the problems?

DMR 152 Wombat At Large Team Colleague

You might want to have a look in your application and system logs to see if whatever is causing this is also logging some indication of its activity there.

Use the Event Viewer utility in your Administrative Tools folder to display the logs and let us know if you find any possibly relevant messages in them.