DMR 152 Wombat At Large Team Colleague

Hi kgraczyk, welcome to the site. :)

Please do the following and then post a new HJT log after that:

1. Use Norton/Symantec's Live Update to make sure that your anti-virus program has the most current updates installed and then run a full system scan.

2. Run the free anti-virus scan from Kaspersky, and also run Microsoft's new AntiSpyware tool. Both of those programs can deal with one of the infections you appear to have. Instructions for using the programs and some background info on the infection can be found here.

DMR 152 Wombat At Large Team Colleague

The modem may have been thrown into some weird state by the power outage.

1. Have Charter run a test on your modem from their end as soon as they clear up the "outage" problem.

2. If Charter gave you a modem/Internet connection setup CD, run the setup program again.

3. What's the exact make & model # of the modem?


Of course, it's possible that the problem is with your computer and not the modem, but try to verify that the modem is OK first.

DMR 152 Wombat At Large Team Colleague

kgraczyk,

I've split your post into its own separate thread, which you can find here:
http://www.daniweb.com/techtalkforums/showthread.php?t=21507

DMR 152 Wombat At Large Team Colleague

OK- give us an update when you can...

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

Please keep us posted on your progress.

DMR 152 Wombat At Large Team Colleague

Chris- I can't tell you how good it is to have you "back in the trenches" again. :mrgreen:

DMR 152 Wombat At Large Team Colleague

got it out, thanks

Can you tell us exactly how you got out please? Posting that info here could help other members who run across the same problem.

Thanks.

DMR 152 Wombat At Large Team Colleague

Did you guys just give up?

No, but please keep in mind that none of us who work on these support forums are paid for what we do. Our efforts are on an entirely volunteer basis, and if we're away from the forums for any amount of time, that means that our real-life responsibilities haven't left us with any free time to dedicate to our work here.


In terms of your problem though:

- Unfortunately, Event ID 1004 is too general an ID to be of much help, even with the other information you've supplied.

- Also unfortunately, ole32.dll is a Windows operating system shared library file which can be used by any number of programs and processes. Given that, and the fact that I can't physically sit down in front of your computer, I can't narrow things down any further at this point.

The only suggestions I can offer are some of the standard recommendations:

1. It's definitely possible that your issue could be the result of installing SP2; many programs that worked with previous versions of XP will "break" under SP2. The list of programs and program versions that are reported to have problems under SP2 is quite extensive, so I'm afraid you'll have to research that yourself to make sure that the particular software components on your machine are compatible with SP2.


2. Obviously- scan your system thoroughly for viruses, spyware, etc.; infections can corrupt files and …

DMR 152 Wombat At Large Team Colleague

There could be a few reasons for that. To begin with, please run HijackThis again and post a new log.

DMR 152 Wombat At Large Team Colleague

Hi jonas1234,

First of all- welcome to TechTalk!

Secondly though, we do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Sorry, but given the content on the websites we're getting in to, I've had to edit some of the links in our discussion here.

Going to www.my*****.*** and to www.googl.com bring up entirely different pages for me. Yes- the my*****.*** site does bring up the porn links as you said, but simply going to "www.googl.com" does not.

It seems that we're getting off of (or perhaps more deeply into) the original question, so I should advise the following:

Please don't post any further references to the "my*****.***" site/URL. They will be immediately deleted, as that site contains content that is entirely inappropriate here.

DMR 152 Wombat At Large Team Colleague

However, it just seemed to me that if nobody could sign on to the network because all the available slots were full, then there would not be a security issue.

Yes, but what if one or more of your legit users/computers were not on the network at the exact time someone tries to gain access from "the outside"?
That would leave an open "slot", as you put it, for a cracker, because the "limit number of users/connections"-type options don't perform any authentication in terms of exactly who is connected.

That being the case, if you relied on the connection-limit alone as your security measure, you might find yourself denied access to the network if someone hacked into your system while your computer was off the network for some reason.
Fun thought, eh? You wouldn't be able to rejoin your own network at all until your "unwanted guest" signed off and freed up the slot he'd taken. :mrgreen:

If you can't get on, you can't mess with anything, scenario...

No- network traffic can actually still be "sniffed" without the person doing the sniffing having to officially/technically "join" your network, and this is much more true of wireless transmissions than it is of wired connections.

Can they "mess with anything" in terms of mucking with your internal network? Less likely if they can't actually join your network/workgroup/domain, but still not impossible.

Can they still intercept and capture specific data transmitted over your wireless connection? Absolutely, especially if …

DMR 152 Wombat At Large Team Colleague

Glad you got it sorted joecastro, and thanks for posting that info; it might help other members who are having similar problems.

:)

DMR 152 Wombat At Large Team Colleague

If you mean that the disk is physically stuck in the drive and won't eject, look for a small (about paper-clip diameter) hole somewhere on the face of the drive. If you find such a hole, that's how you access the "manual eject" mechanism.

Slowly push a paper clip or some other thin (and blunt-ended) instrument into the hole. If the eject mechanism on your particular drive is truly manual/mechanical, you may have to use a bit of force to engage the eject lever behind the hole, but once you do, that should pop the drive's tray open enough for you to remove the stuck disk.

Be careful though- some drives don't use a mechanical eject mechanism; they use a "software" eject switch instead, and the computer will need to be turned on for it to work. If you hear or feel just a slight "click" when you insert the paper clip, you're hitting that switch.

DMR 152 Wombat At Large Team Colleague

Hi CiscoJP,


We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Your modem may have taken a hard enough hit from the power outage that it will need more of a reset than a simple power on/off gives it. Contact your ISP and have them run a test on the modem from their end to begin with.

DMR 152 Wombat At Large Team Colleague

the link DMR gave you doesn't work for me so I'm not sure what you've tried already.

Dammit, you're right- the new search link has "expired" now too. As I said, it's happened before; I'll see if Dani has any idea what gives with that.

I have just run 'msconfig' and adapted how windows starts up... Im not sure what this has to do with the problem but hey it all works now!!

Can you tell us exactly what modifications you made with msconfig please? That info would be helpful to us, and also to other members who may be having problems similar to yours.

Thanks.

DMR 152 Wombat At Large Team Colleague

An infection that redirects URLs but doesn't show up in a HJT scan? That's not good.
Glad you were able to get rid of it, although I can't tell you which of the infected entities was responsible.

About Googl as a porn site. Try clicking on Images on the main page.

There is no Images choice on the googl page I'm looking at. :?::?:


As far as seeking legal retribution- that could be a long and frustrating process; the address/contact info in their WHOIS record is bogus...

DMR 152 Wombat At Large Team Colleague

Hey DMR, I'm just curious about how many rep points you got to have 2 green boxes for your reputation. Do you remember?

Actually, I don't. When I first started here, rep points were displayed as numbers just like your post count. Somewhere in there the points rating display was changed to the green boxes, but I can't remember how many actual points I had when that happened.

DMR 152 Wombat At Large Team Colleague

Um... might want to check the date on your calendar.

All sorts of strange things happen out here in cyberspace on the 1st of April.... :mrgreen:

DMR 152 Wombat At Large Team Colleague

Upload/download speeds depend on the type of Internet connection/service you have, and they are often not equivalent.

For example, most DSL users have the ADSL "flavor" of DSL; the "A" stands for Asynchronous, meaning that the download speed to your computer will be higher (usually significantly higher) than upload speed from your computer.
The rates for a typical ADSL connection could be something like 768-1.5Mbps for the download speed, but perhaps as low as 128Mbps for the upload speed.
Given that, you probably are going to have problems if a lot of files, or large files, are being sucked from your computer.

...and then an error message comes up on screen

What's the exact error message?

DMR 152 Wombat At Large Team Colleague

I've found you can't give rep points to anyone twice in a row either.

There are certain limits put in place on the whole points system to avoid abuse such as boosting Rep Points by getting friends to repeatedly "pad" your positive Rep, or "Rep bombing" someone with negative points because you have some childish grudge against them. Limiting how frequently (note that I said "how frequently", and not "how many times") you can give someone points is part of this.

Here's a link to an older discussion we had about the whole deal:

http://www.daniweb.com/techtalkforums/showthread.php?t=856&page=2&pp=30&highlight=reputation+points

DMR 152 Wombat At Large Team Colleague

Hi nuclearian,

Yes- let's start with a HijackThis log and take it from there.

DMR 152 Wombat At Large Team Colleague

Ah well- as I said, I thought those suggestions would be longshots.... :(

In your first post you said that the "googl.com" site was a porn site, but when I go to googl.com it takes me to a page titled "Search Guide". The main page has links to a lot of topics (entertainment, travel, real estate, etc.), but definitely no porn.

I did some research on googl.com and its associated IPs, and although they are possibly in a bit of a legal tangle with the real Google, I found no mention of porn. The company involved seems to be (as someone from the real Google called it) "Typo Squatting" on Googl to send people who mis-type Google to their search page instead.

Just out of curiosity, can you determine the IP of the "porn" googl site?

DMR 152 Wombat At Large Team Colleague

OK- keep us posted...

DMR 152 Wombat At Large Team Colleague

If SBC isn't giving you a static IP, you can't just assign yourself a static, Internet-routable IP on the WAN/Internet side of the router; that could cause problems/conflicts. However, your SBC-assigned IP shouldn't really change that often, even if it is technically dynamic, unless you're constantly turning off the actual modem and/or the router.

If it will help though, you can turn off the LAN-side DHCP server feature on the router and just assign static IPs to the computers instead. Linksys routers usually use the (private) 192.168.1. IP range and a subnet mask of 255.255.255.0, so you just need to know the address of the router itself and your SBC DNS server IPs. Give the computers IPs of something like 192.168.1.2 and 192.168.1.3, enter the router's IP as the Gateway, enter the DNS IPs, and you should be good to go.

DMR 152 Wombat At Large Team Colleague

Have you gone through the system and manually flushed out the contents of all of your Temp, Temporary, Cookies, etc. folders yet?

How long has this been happening?

What sort of network/Internet setup do you have?

DMR 152 Wombat At Large Team Colleague

1. Did you only format the disk through XP, or are you saying that you actually installed XP on the disk?

2. Check your cabling connections and the Master/Slave jumper settings on the drives again.

3. Remove the new drive. Does the system boot properly then?

DMR 152 Wombat At Large Team Colleague

There's no indication of infection in your log, nor any indication that you're running many non-essential programs and processes. What exact sorts of symptoms are you experiencing?

DMR 152 Wombat At Large Team Colleague

I tried to access the thread you recommended but it said it was unavailable.

I've had this happen with search links I've posted in the past; I think our search engine just gets a bit wonky sometimes.

Let me try again:

http://www.daniweb.com/techtalkforums/search.php?searchid=355403

DMR 152 Wombat At Large Team Colleague

1. Did you try any of the suggested fixes in the threads in the link I gave at the bottom of my first post?


2. I've been assuming that the "uk.htm" in the following log entry is legit. Is it?:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm

DMR 152 Wombat At Large Team Colleague

Can you tell us anything about this file?:

C:\Program Files\Voyager100Test\fts.exe

Although I've seen it cropping up lately, I've found no definitive word on whether or not the file presents a threat. Locate the file in Explorer, right-click on it, and then choose the Properties option in the resulting popup menu.

- Is there anything in the Properties windows (such as a company name) which would help identify the file?

- Are there any other files in the Voyager folder which might shed some light on the subject?

I am running my connection through AOL if that's worth anything, also is it worth trying any other firewalls or is Norton pretty good?

I was suggesting that you install a dedicated hardware router/firewall, not another piece of firewalling software. The router is a small device that you connect between your computer and your Cable/DSL modem; it blocks probes/attacks before they even reach your computer(s).

DMR 152 Wombat At Large Team Colleague

Great; glad we could help! :)

DMR 152 Wombat At Large Team Colleague

The formatting of that last post makes the log a bit hard to follow, but as far as I can see it's clean.

DMR 152 Wombat At Large Team Colleague

1. Uninstall P2P networking; it is an adware/spyware threat.
If you are using an older version of GetRight, there's a good chance that it contains adware as well. GetRight stopped bundling adware in their new versions, so you should upgrade if necessary.


2. Have HJT fix:

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.c...ex/HMAtchmt.ocx


3. As I said before- your problem may lie elsewhere, but do the above and let us know the results.

DMR 152 Wombat At Large Team Colleague

This is odd. The HijackThis logs of others with the "Googl" redirect problem all had indications of malicious infections, but as far as I can see, your log does not.

There are only 2 more things I can think of at the moment, although they're longshots at best:

1. Open a DOS window. type the following at the command prompt, and hit Enter:

ipconfig /flushdns


2. While still in the DOS window, enter the following command to start the Registry Editor utility:

regedit


In the Editor, hit F3 to open the search box and type in googl as your search criteria, make sure the "Keys", "Values", and "Data" boxes are all checked, and hit OK.

See what the search comes up with. If the search finds one instance of "Googl", there may be more; keep hitting F3 to continue searching until you get through the entire registry. For any instances of "Googl" found, write down the location of the entry or entries and pass that info on to us.

DMR 152 Wombat At Large Team Colleague

Depending on exactly how you "shut down" Zone Alarm, it may still not be entirely disabled.

The following article at Zone Labs describes how to configure ZA to allow certain actions such as Adobe PDF viewing/downloading:

http://forums.zonelabs.com/zonelabs/board/message?board.id=AllowAccess&message.id=61

Give the suggestions in the article a try and see if they help.

DMR 152 Wombat At Large Team Colleague

Should I delete all those 127.0.0.1 entries...

In this case, no.

The hosts file can be used for good things and bad things; in your case the entries are helpful:

Those entries have been added by SpyBot and/or another anti-spyware program as a protection measure against sites known to deliver pop-ups and other unwanted content.


Give us new HijackThis log.

DMR 152 Wombat At Large Team Colleague

DMR You are the greatest

Aww... cut it out now- you'll give me a complex or something. :o

I am but a lowly geek with an insatiable desire to help people fix their problems; glad I could help with yours.

:)

DMR 152 Wombat At Large Team Colleague

Glad we could help, and glad you appreciated our help.

Let us know if anything crops up in the future; I'm sure we'll be here to help again....

:)

DMR 152 Wombat At Large Team Colleague

OK, we're getting closer.

1. Have HJT fix:

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmvkkr.exe


2. Again: try to delete C:\WINDOWS\system32\kmvkkr.exe; use Safe Mode if necessary.


3. For the "O1" entries:

Open your C:\WINDOWS\system32\drivers\etc\hosts file in Notepad and look for any entries related to 69.20.16.183.

A normal hosts file will contain only some comment lines (which begin with a "#") and the following IP->URL map line:

127.0.0.1 localhost

If there are further entries in the hosts file, they should be deleted.


4. Post a new log.
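
An added example, not part of this thread: a small Python script that does the hosts-file check described in this post and in the earlier "Should I delete all those 127.0.0.1 entries" reply. It reads a Windows hosts file, treats mappings to loopback (127.x, ::1) or 0.0.0.0 as blocking entries of the kind Spybot adds, and reports anything that points a hostname at some other address (the 69.20.16.183 lines above) as a redirect. The sample hosts text is constructed for the example; the example.com/example.net names in it are placeholders, the 69.20.16.183 lines are the ones quoted in this thread. Whether blocking entries should also go, as this post advises for this particular machine, is a judgment call the script leaves to you.

```python
"""Audit a Windows hosts file for hijack-style redirect entries.

Added example for the thread above; not a HijackThis or Spybot feature.
Mappings to a "sink" address (loopback or 0.0.0.0) only block a name and
are what anti-spyware tools add; mappings to any other address send the
name somewhere else and are the entries the post tells the user to remove.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file. example.com / example.net lines stand in
# for blocking entries an anti-spyware tool might add; the 69.20.16.183
# lines are the ones quoted in the thread.
SAMPLE_HOSTS = """\
# Comment lines begin with '#'.
127.0.0.1       localhost
127.0.0.1       ads.example.com        # constructed blocking entry
0.0.0.0         tracker.example.net    # constructed blocking entry
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
69.20.16.183    auto.search.msn.com
"""


def _is_sink(ip: str) -> bool:
    """True for addresses that block a name rather than redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all; caller treats it as suspicious
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (category, ip, hostname) per mapping; one tuple per hostname.

    category is "default" for localhost, "block" for other sink mappings,
    and "redirect" for anything pointing at a real address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:  # blank, comment-only, or malformed: resolver ignores it
            continue
        ip, names = parts[0], parts[1:]  # a line may carry several names
        for name in names:
            if _is_sink(ip):
                cat = "default" if name.lower() == "localhost" else "block"
            else:
                cat = "redirect"
            entries.append((cat, ip, name))
    return entries


def redirects(text: str) -> List[Tuple[str, str]]:
    """Just the (ip, hostname) pairs that send a name somewhere else."""
    return [(ip, name) for cat, ip, name in parse_hosts(text) if cat == "redirect"]


def strip_redirects(text: str) -> str:
    """Hosts file with redirect lines removed; comments and sink entries kept verbatim."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and not _is_sink(parts[0]):
            continue  # redirect line: drop it
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a real machine: open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()
    for cat, ip, name in parse_hosts(SAMPLE_HOSTS):
        print(f"{cat:8} {ip:15} {name}")
    print("--- cleaned ---")
    print(strip_redirects(SAMPLE_HOSTS), end="")
```

Run it against the real file by replacing SAMPLE_HOSTS with the contents of C:\WINDOWS\system32\drivers\etc\hosts; review the "redirect" lines before writing anything back, since the file is also used legitimately for local overrides.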

DMR 152 Wombat At Large Team Colleague

It sounds like you'll need to download HijackThis onto a different computer, copy it to a floppy, and install/run it on the infected computer that way.

Once the HJT scan is done, you'll need to save the logfile back to the floppy, take the floppy back to a computer with working Internet access, and post the log from there.

I have a copy of the current HJT program on my FTP site. If you need me to email it to you I can do that. Please don't post your email address in this thread though; send it to me privately via my email address or a PM.

DMR 152 Wombat At Large Team Colleague

Congratulations saytim- that is still, by a long shot, the most evil log I've seen in weeks. :eek:


This is going to be a multi-step process, and some of the things that we initially remove will come back, but let's start with this:


1. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [muqhumw] c:\windows\system32\muqhumw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehuz32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [vjnliqqttqnohnqmovmr] C:\WINDOWS\nbfvdtpq.exe
O4 - HKLM\..\Run: [2Fmi35T] qwitview.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [RUNGogoTools] C:\Program Files\GogoTools\Gogoware\LaunchAdware.exe
O4 - HKLM\..\Run: [jkgywxa] C:\WINDOWS\System32\yfrip\jkgywxa.exe
O4 - HKLM\..\Run: [sbay] C:\WINDOWS\System32\conh\sbay.exe
O4 - HKLM\..\Run: [vnwbyct] C:\WINDOWS\System32\jilblndm\vnwbyct.exe
O4 - HKLM\..\Run: [morys] C:\WINDOWS\System32\nwborru\morys.exe
O4 - HKCU\..\Run: [Jo5sRRfmO] qh4fw32.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Microsoft Windows.hta
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

DMR 152 Wombat At Large Team Colleague

That's a squeaky-clean log; what problems prompted your post?

DMR 152 Wombat At Large Team Colleague

Right then- time to move on. We're going to run L2MFix again, but this time actually have it perform its fixes rather than just perform a scan.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

You're welcome!

I don't know why, but we've recently had a few other members who've also had trouble with downloaded HJT zip files, so I'd already whacked a copy of the actual HJT executable up on my FTP site for just that reason. :)

Do you need us to review your HJT log? If so, post away....

DMR 152 Wombat At Large Team Colleague

1. Have HJT fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)


2. Open Windows Task Manager and click on the Processes tab. In the resulting list of running processes, look for any instances of ntddetect.exe.
If you find any, highlight them one at a time and click End Process for each.


3. Delete the C:\WINDOWS\System32\ntddetect.exe file and empty your Recycle Bin.

Warning: There is a valid Windows file named "ntdetect" (note the single "d"). Do not delete that one!!


4. To remove the "O15" entries, download DelDomains.zip to your desktop:

http://www.help2go.com/modules.php?name=Forums&file=download&id=267


Extract the Deldomains.inf file from the zip file, right click on the deldomains.inf file and then click Install.

5. Run HijackThis again and post a new log.
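
An added example, not part of this thread and not a feature of HijackThis itself: a Python triage script that applies a few of the mechanical checks the "Have HJT fix" lists in this and the earlier posts (the P2P Networking log and saytim's log) make by hand. It flags entries marked "(no file)" (orphaned registry references), O15 Trusted Zone / Trusted IP additions, O1 hosts lines that point a name somewhere other than loopback, and O4 autorun entries that are launched by bare file name or straight from the root of the Windows directory. The sample lines are quoted from the logs above plus one constructed loopback O1 entry; the names "triage", "check_line" and the reason codes are this example's own. Everything it does not flag still needs a human look: the kmvkkr.exe entry in the sample is one the posts above mark for removal that passes these rules.

```python
"""Mechanical first-pass triage of HijackThis (HJT) log lines.

Added example for the thread above, not HijackThis code. It only catches
patterns that are almost always worth a second look; a line that passes
is not thereby clean.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample: lines quoted from the logs in this thread, plus one
# loopback O1 entry (ads.example.com) to show blocking entries are not flagged.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php",
    r"R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 ads.example.com",
    r"O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [2Fmi35T] qwitview.exe",
    r"O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmvkkr.exe",
    r"O15 - Trusted Zone: *.windupdates.com",
    r"O15 - Trusted IP range: 67.19.178.84 (HKLM)",
]

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|scr|hta|dll|pif))(?=\s|$)", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
SINK_PREFIXES = ("127.", "0.0.0.0", "::1")


def _o4_target(cmd: str) -> str:
    """Pull the launched file out of an O4 command (strip quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    m = EXE_RE.match(cmd)  # unquoted paths may contain spaces, so stop at the extension
    return m.group(1) if m else cmd.split()[0]


def check_line(line: str) -> List[str]:
    """Return reason codes for one HJT log line (empty list if nothing tripped)."""
    line = line.rstrip()
    reasons = []
    if line.endswith("(no file)"):
        reasons.append("orphan")  # registry points at a file that is gone
    m = O1_RE.match(line)
    if m and not m.group("ip").startswith(SINK_PREFIXES):
        reasons.append("hosts-redirect")  # name sent to a real address, not blocked
    if line.startswith("O15 - "):
        reasons.append("trusted-zone")  # sites/IPs granted relaxed IE security
    m = O4_RE.match(line)
    if m:
        target = _o4_target(m.group("cmd"))
        if "\\" not in target and "/" not in target:
            reasons.append("autorun-bare-name")  # resolved via PATH, no location given
        elif WINDIR_ROOT_RE.match(target):
            reasons.append("autorun-windir-root")  # runs from C:\WINDOWS itself
    return reasons


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(reason, line) pairs for every flagged line, in log order."""
    findings = []
    for line in lines:
        for reason in check_line(line):
            findings.append((reason, line.rstrip()))
    return findings


if __name__ == "__main__":
    # For a saved log: triage(open("hijackthis.log").read().splitlines())
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The R0/R1 search and start-page entries are left alone on purpose: whether a SearchURL is legitimate depends on the site, which no pattern can decide, so those still go to a human (or to a forum like this one).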

DMR 152 Wombat At Large Team Colleague

2. You'll probably have to edit your Registry to get rid of the "crazywinnings" entries; they'll just keep reappearing if you don't.

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove


- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not delete or modify anything else in the registry!!!

DMR 152 Wombat At Large Team Colleague

I would suggest uninstalling WeatherBug, as it's adware at the very least.

Other than that though, there are no obvious signs of infection in your log. Please give us some background/details on the reason why you posted the log.

DMR 152 Wombat At Large Team Colleague

Good grief- have you ever heard of paragraph breaks, nls3?! :mrgreen:

Seriously- that post is extremely difficult to follow with its current formatting (or lack thereof).