Posts by DMR

There are no obvious signs of infections in your log. If you can give us some details of the problem(s) you're having, that might help us.

trueblue,

I don't see anything obviously "nasty" in your log, but I do notice that you're running a slightly older version of HijackThis. The latest version is 1.99.1; just be on the safe side, please download that version (link is in my sig below) and post the log it generates.

Your TCP/IP software may have gotten corrupted. Remove and reinstall the software following the instructions in this Microsoft article:

http://support.microsoft.com/kb/q302861/

1. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.

2. Take care of the above, run HJT again, and have it fix:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [exkvux] C:\WINDOWS\exkvux.exe
O4 - HKLM\..\Run: [bavkrsd] C:\WINDOWS\bavkrsd.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12ed64c...ip/RdxIE601.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab

3. Search for and delete (if found):

C:\WINDOWS\system32\AUserInit.exe
C:\WINDOWS\exkvux.exe
C:\WINDOWS\bavkrsd.exe

4. Your problem may not be due to malicious infections; have you thoroughly cleared out your Temp, Cookie, etc, folders lately? A lot of cruft can build up in those folders over time, and that can cause slowdowns and other problems with your browsers.

If you haven't done this already, please do:

Note: if you have data that you care about living in your Temp/Temporary Internet Files folders, please move it to a safe place before proceeding!
Temp/Temporary folders are just that- Temporary. They are not …

It sounds like you still have some leftover from dameon Tools which is reserving the E: drive designation for a virtual drive. Do you see any reference to a drive "E:" in My Computer, in the Disk Management utility, or anywhere else in the system?

OMG! What is this world coming to??

I mean, sure- even back when I was in high school there were those Bad Geeks who might try to offer you a few lines of COBOL or FORTAN, but that stuff was nothing compared to PHP!

:D

I will disable the chassis fan...also disable the -5v voltage

You don't want to disable those, you want to check them to make sure there are no problems.

The number of and locations of fans varies depending on the style of computer case. At the very least you probably have a fan (which may be intergral to the power supply) venting out of the back of the case, and you may have another inside the case as well. You'll just have to do a careful visual inspection to locate any fans and make sure they are all spinning freely and haven't accumulated any dust/dirt which could impede their performance.

In terms of the -5V error, I'd think it to perhaps be erroneous, given that you were able to reinstall Windows and use your system (other than the CD issue). Not being able to personally examine your system, I'm not really sure what to tell you about that.

In terms of the disk from your ISP, it may be defective, but you may not even need it. Depending on what type of Internet connection you have (dial up, cable, DSL), you may be able to just configure your network settings manually.

OK- keep us posted. Those really are the only possible causes I can think of given the info you've posted so far...

Yikes, hang on a minute- before proceeding with an upgrade to SP2, we need to get that system clean, and it isn't quite there yet.

These entries in the latest log still show signs of infection:

C:\WINDOWS\system.exe
C:\WINDOWS\ntrvs.exe
c:\windows\nic\taskmgr.exe
O4 - HKCU\..\Run: [Floppy Master] C:\WINDOWS\system.exe
O23 - Service: Microsoft Security Subsystem Provider (eProxy) - Unknown owner - C:\WINDOWS\ntrvs.exe" " (file missing)
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - c:\windows\nic\taskmgr.exe

rmsmx,

In one of his previous posts, dlh6213 provided instructions which should have eliminated most of the above entries; did you follow his instructions exactly? At the very least, the entire c:\windows\nic folder should not exist anymore.

It seems like you don't have the Windows Scripting Host installed; you can download the Win XP/2000 version here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c717d943-7e4b-4622-86eb-95a22b832caa&displaylang=en

So a second monitor was OK at first, but got blurry after a short while too?

- Did the image degradation happen over time, or did the monitor just seem to kick out of focus at some point?

- When did you originally start noticing the problem, and was there anything that happened around that time (power problems, hardware/software changes, etc.) that might account for it?

If it isn't a problem with the monitor itself, these would be the other likely possibilities:

- The monitor cable (if you used the same one on both monitors, obviously).

- The driver could be an issue. Boot the computer into Safe Mode; that will force Windows to use its own generic VGA driver. See if you get the blurriness with that driver.

- The video card itself, even if new, could be failing. If a piece of electronic equipment is going to fail, it isn't uncommon for that to happen within the first three or so months of use.

- Although it doesn't sound the most likely cause in this case, electrical/electromagnetic interference could be the culprit. This could be introduced anywhere along the signal chain unfortunately, from a device within your computer "leaking" an interfering signal into the video card to something near your monitor throwing a magnetic field which is pulling the beam(s) out of focus. Eliminating those possibilities is a processs of trial-and- error:

- move or reposition the monitor.

I agree with Catweazle regarding the hardware faults- the fan and voltage warnings are coming from the BIOS; Windows hasn't even started to load at that point. You should definitely verify that all fans inside the computer case are operating properly, that the power supply is in working order, and that all cables and cards are firmly and correctly seated.

In terms of the Blue Screen errors from Windows, they point to some sort of damage to your drive, most likely a result of whatever faults are being reported by the BIOS. The 0x000000ED stop error is a general indication of problem with the boot drive; the 0xC0000032 parameter of the error specifically points to corruption of the Windows filesystem on the drive. More info on that from Microsoft can be found here:

http://support.microsoft.com/kb/q297185/

Should I update to SP2 anyway?

No, definitely not yet. Installing SP2 on an infected or otherwise problematic system is not recommended; you could easily end up with much larger problems than you have now.

You can (and should) make sure you've applied all of the current critical/security updates for your current version of XP, but hold off on the SP2 upgrade until your computer is clean.

How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...

SilentRunners is just a VB (Visual Basic) script; if it somehow showed up as associated with Xing, that was a mistake on Windows' part.

The file should have a .vbs extension (if it doesn't, rename it so that it does), which would tell Windows that the file is a self-executing script. If the script won't run properly for some reason, try right-clicking on it, choose the "Open With..." option, and see if you have the option to open the file with the Windows Based Script Host. If you do, that program will run the script.

Thanks for the catch Danny- :)

I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?

Yes- it's malicious.
Other than that though, the good news is that your log looks clean now.

As for the modem/Internet settings, I'm not sure about that and don't have the time to research it right now. I'll get back to you after I've had a chance to do so.

Hijack This needs to be in its own file! Please move it to a file labeled HiJack This or somthing simmilar.

Yes-

C:\DOCUME~1\Jason\LOCALS~1\Temp\Rar$EX00.391\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.

-------------------------------------------------------------------------------------------------------------------

C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

The log entries above indicates that you had at least 2 instances of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.

Please take care of the above and post a new log.

Theres more stuff that it says, but hope you get the idea as this is getting a tad to long a post!.

We'll deal with the long post. :)

Please give us as much specific information as possible, including the full and exact contents of all error messages. The numbers, etc. in the errors may look cryptic to you, but they may actually help us pinpoint the exact problem.

1. I have a good copy of HijackThis on my FTP site; download that and see if it runs. If so, post the log file it generates.

2. If you can get online reliably, run the free anti-virus/anti-spyware scans at the following two sites:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

3. Try running Ad Aware while booted into Safe Mode if possible.

... I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?

Yes, definitely- we'll get to that in a moment.

1. Housecall found infected files in your System Restore folder; you'll need to turn off the Restore function to flush those out. Instructions are here: http://www.daniweb.com/techtalkforums/thread13362.html.

2. Reboot into Safe Mode again, and:

- Delete the following files:

F:\WINDOWS\System32\winwiz32.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe

- Delete the entire contents of your C:\Windows\Prefetch folder.

- Empty your Recycle Bin.

- Reboot normally.

3. Run HJT again and post a new log.

1. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running. Since you shouldn't be accessing the Internet during the course of the troubleshoot unless you're instructed to do so, it would probably be best if you printed out any directions we give you.

2. Turn off XP's System Restore function. A description of how to do that (and why) is here: http://www.daniweb.com/techtalkforums/thread13362.html.

3. Go to the following 2 sites and run their free online anti-virus/anti-spyware scans:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

4. Run HijackThis again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sppuy.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0D4822D9-38AF-1742-C18E-C086C715E5B7} - C:\WINDOWS\apihc32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ipds32.exe] C:\WINDOWS\system32\ipds32.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxdm414YYUS
O9 - Extra …

On an as-needed basis; it's not a scheduled sort of thing in ant way.

No floppy drive :?:

Groan... I hope it's not XP- six floppies just to do it that way. Blah!

Laser, what is the exact version of Windows that you need to install?

so? how does it look?

Much Better, but you still have a couple of "unwanted guests". try the following and post a fresh log after that:

1. Have HJT fix the following entries:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
(if you didn't purpously uninstall SpyBot, the above entriy might indicate that SpyBot got corrupted and needs to be reinstalled)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [czyuoyp] c:\windows\system\czyuoyp.exe

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Open Windows Explorer and navigate to the View menu->Folder Options->View tab.

- In the View options, click "Show all files", and uncheck "Hide file extentions for known file types.

- Click "OK" to close the optiond windows.

- Locate and delete the following 2 files (let us know if you are unable find/delete either of them):

C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\PYNIX.DLL
c:\windows\system\czyuoyp.exe

- Empty your Recycle Bin.

3.Reboot normally, run HJT again, and post a fresh log. Also let us know what problems, if any, you're still experiencing.

4. !!! -> your log shows absolutely no indication of an installed anti-virus program. :eek:

If you don't currently own …

It definitely does look scary, even to someone like me who's gone that deep into byte-level partition manipulation once or twice before- be careful, and stop to ask questions before making any choices/changes that you aren't sure of. Also- the trial version is only good for 8 days, sooo....

Logfile of HijackThis v1.98.2

You are running a rather old version of HJT. The latest version is 1.99.1, which you can download from the link in my sig below. Please uninstal version 1.98.2 through your Add/Remove Programs control panel, install the new version, and use that from now on.

Thank You so much for the info :mrgreen: I apperciate it ...
Sincerely Jennifer

And soooo... where's your HijackThis log? ;)

Post it here and we'll tell you what you need to do.

is that what yall needed?

Yup- but before we proceed we also need you to tell us if you've already run about:Buster, HSRemove, and have followed any of the other suggestions given in the links that dlh6213 provided. If you haven't, please do so now.

Believe it or not, the "loads of numbers" and any other information which you can gather from the error messages could very well help us to home in on the cause. Please post as much specific information as you possibly can and we'll try to help from there.

For fairly recently-deleted files, a program like Norton Utilities' Unerase can obviously be of help. For reading/recovering data that was deleted some time ago though, you're probably looking at spending some serious $$ for a professional data-recovery application, because the areas of the disk in which that data was stored have most likely been overwritten multiple times. Your chances of being able to "decode" the magnetic signature of old disk-writes diminish greatly if that's the case.

Of course, utilities do exist for reading/recovering such data; some of them only available to law-enforcement and other government agencies. Depending on your exact needs, your best bet would probably be to do some Googling for keywords such as: data recover format unerase.

You should be able to just blow the Linux partition away using XP's Disk Management utility in your Administrative Tools folder. If not, boot into rescue mode from the Linux install CD and delete the partition with Linux's version of fdisk.

If you need more help with that, let us know exactly what distro (including version) of Linux you're using.

Just last week I had one of my multi-drive/multi-partition/multi-operating system computers take a serious hit, which ended up totally hosing the partition layout of one of the drives.

In my search for a solution I found a free trial verison of a very cool recovery tool that absolutely and saved my butt:

http://www.dfsee.com/

It's more than a bit cryptic to use if you aren't famiiar with low-level drive/partition manipulation (you can definitely blow your drive away entirely if you make a mistake) but in my case it was able to rebuild the scrambled partition table and restore everything.

1. That sounds more like a problem within the monitor itself; can you eliminate or verify that possibility by connecting the monitor to another computer?

2. If the monitor has a decent built-in configuration menu, you can try twiddling with its convergence/alignment/focus/moire settings. Also try degaussing it if it has that option.

3. If, by any chance, you have any devices on/near the monitor which emit an electromagnetic field (speakers, for example)- move them.

Um... bummer. :(

It sounds like you'd recognize the boot order option in the BIOS if you saw it, and without knowing the BIOS version I really don't know what else to suggest at the moment... :-|

Here's my little "regular maintenance checklist"... By the way, certain programs just leak memory like mad.

Both good points, especially considering the fact that cantes903 doesn't have many non-essential processes running at all. Unfortunately, the Norton/Symantec components are probably the biggest resource hogs in the list, but there's not much that can be done about those ; the protection they provide is necessary.

Sorry- I didn't realize that it's a dial-up modem; the Properties are layed out a bit differently for that. Something still seems amiss though- you should have a "Networking" tab in the modem properties; your TCP/IP settings would be under that.

It sounds like you know what you're looking for (and that you are looking in the right place). Not being able to physically site down at your machine, I don't really know what to suggest except to keep poking around. :?:

Well... there seem to be a lot of unhappy people out there who've had similar problems with that version. Unfortunately, some of them were never even able to get a solution; they had to uninstall it.

Here are a couple of things to look at; you might at least be able to narrow things down by checking these out:

1. Look through the list of applications that McAfee has configured for Internet/network access. Make sure it hasn't mistakenly decided to block access for any applications or services that it shouldn't have. If it has done that, you'll need to manually reset the access permissions for those programs.

2. Try temporarilly disabling individual components of the firewall package such as IDS (incoming intrusion detection), privacy filters, etc.

3. If you can, eliminate the possibility of a specific conflict with your wireless card/configuration by plugging the computer directly into the router with an Ethernet cable.

Hey Chris- Thanks; I see you found the right thread.

Did you just happen to stumble across it on your way back home from that wild Linux goose-chase I sent you on? :o

Not that this will solve you're problems, but the following entry in your log indicates that you are running a slighty older version of HijackThis:

"Logfile of HijackThis v1.99.0"

Please uninstall your current version of HJT through your Add/Remove programs control panel, download the most recent veraion (1.99.1) from the link in my sig below, and use that version from now on.

... Which forum should I try next?

I'll take care of that for you now- I'm moving this to the Internet Explorer forum. Although your issues also involve Outlook, I think you'll get the best responses/suggestions in the IE forum.

I'm guessing what probably happened is that Linux got confused by my twisted boot setup, having it share a hard drive with 98, and having XP on a different hard drive. Could this be a possible explaination?

Linux could have gotten confused by itself, but your setup is nowhere near as "twisted" as one of my systems (which hasn't had any such problems), so what you ran into might be a result of the way in which you installed each OS or the way that you set up the bootloaders:

My "twisted" system (which includes, all drives considered, 21 separate partitions):

A lowly P-III 500

- Hard drive #1: 1 FAT32 partition; Win 98 SE

- Hard drive #2: Mandrake 8.0 and various FAT32 and ext2-formatted data storage partitions.

- Hard Drive #3 (on a Promise Ultra-ATA PCI controller card): Win 2000 Pro, Win XP Pro, Redhat 9.0, Redhat 7.3, and more ext2/ext3/FAT32 data partitions.

Depending on your particular drive setup, and assuming that you want to use a Linux bootloader to handle the multi-boot process, you may need to add "map" directives to your LILO or GRUB config file. You can find more info on that in these links:

http://www.google.com/linux?hl=en&lr=&q=lilo.conf+grub.conf+windows+map&btnG=Google+Searchh

I put in a box of mac and cheese (after I finish the laundry)

And you get back a Mac computer with an extremely GUI keyboard ;)

Me puts in a PDP-11....

You get lundray duty!

And you get back a long-overdue spelling lesson.

Hi OneHit,

Sorry for the delayed response; "real-life" work has been hectic in the last couple of days.

Judging from your most recent log, it does look like you've gotten rid of the "nasties". I'm jugling about 10 different posts on three different support sites at the moment though, so let me contact a few of our other troubleshooters and ask them to review your log as well, just in case I've missed something.

As I said, it does look like you've nailed it, but please hang in there until I can get one or more of the others to verify that.

... though I am not sure what date or whatever to restore to....sorry to be so dense about this stuff.

Definitely no need for apologies- until this tidal wave of "spyware" crud washed ashore few years ago, regular computer users never had to worry about or know about the stuff that they need to delve in to these days. It's a Thing That Should Not Be.

In terms of the system restore, crunchie meant that you should make a new Restore Point, not go back to a previous Restore Point. The way that you get to the option where you can set a new restore point varies depending on whether you are using Win XP's "default" Start menu configuration or the "classic" (win 2000-type) configuration. The following link gives instructions for both:

http://support.gateway.com/s/SOFTWARE/MICROSOF/7509595/System_Restore/SystemRestore.shtml

I only reviewed this thread quickly, but I don't think we've suggested that you set Explorer's View options to show all files and folders. If you haven't done so yet:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

Look for the files in question after setting the above options.

It has to be there, unless something has gotten seriously fouled up on your computer.

Specific directions for XP (you'll need to be logged in under an account with administrative permissions):

1. Under your Start button menu, go to Settings->Control Panel->Network Connections.

2. Right-click on the entry for your particular network connection/device and choose "Properties".

3. In the "This connection uses the following items" list in the General tab of the Properties window, scroll down to the Internet Protocol (TCP/IP) item and double-click on it.

4. Your basic DNS settings will be displayed in the resulting properties window; click on the "Advanced " button to bring up the "Advanced TCP/IP Settings" and then click on the "DNS" tab to access your full DNS settings.

OK- if you've reformatted, and the problem hasn't resurfaced since, we don't need those files.

Just FYI, though- the files live in your /boot/grub directory.

Run the free online anti-virus scans at the following two sites:

http://housecall.trendmicro.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Let us know if those two scans come up clean. If they do, the root of problems are probably not malicious; I'll move this thread to a more appropriate forum.

...how do you turn Explorer view options to show all?

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu:

- Select "show hidden files and folders".

- Uncheck "Hide protected operating system files".

- Uncheck "Hide extensions for known file types".

Of course, some files really don't have any extensions.

Before you delete the files entirely, try scanning with these other 2 AV programs and see if they can heal some of the infected files:

Free online scan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm

AVG, a free downloadable Anti-virus program: http://free.grisoft.com/freeweb.php/doc/2/