DMR 152 Wombat At Large Team Colleague

DMR, is "twiddle" a professional term?

Of course it is. Twiddling is a well-documented form of Frobnication. :mrgreen:

DMR 152 Wombat At Large Team Colleague

If I understand what you've posted correctly, you're trying to run qparted at the wrong prompt. Just press the Enter key at the boot prompt, let the system boot up until you get to the command prompt, and then type the qparted command there.

DMR 152 Wombat At Large Team Colleague

allyoop54,

I think your problem might fall into the "regardless of how similar your problem might seem" category that I mentioned in my last post.

In other words, in your case this might not be a question of infection by malicious programs. A Google search for the error you are getting returns at least one link which specifically relates the error message to an install of the autoshink program. Read the suggestion in the 4th post (by mrbass) in the following thread and also check out the link he posted there:

http://forum.digital-digest.com/archive/topic/22495-1.html

DMR 152 Wombat At Large Team Colleague

I never knew that! Thanks for this tidbit...

Yeah, it's a weird thing which I haven't been able to quite nail down yet. It doesn't happen with all/any folders displayed in the left Explorer pane, but I know I've experienced the exact behaviour in both Win 2000 and XP. I'm not sure if I've had it happen in Win 9x or ME though; I don't deal with those versions much anymore. :?::?:

DMR 152 Wombat At Large Team Colleague

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

Robotman,

You should uninstall both spykiller and bestpopupkiller; they are both programs of at least, shall we say, "dubious repute". SwankSoft is the name of the company which makes both programs, and they are bogus! Read a bit about these wonderful folks:

http://www.google.com/search?hl=en&lr=&q=bestpopupkiller+swanksoft&btnG=Search
http://badbusinessbureau.com/results.asp?q1=ALL&q4=&q6=&q3=&q2=&q7=&searchtype=0&submit2=Search%21&q5=Swanksoft+Technologies&submit=Search

DMR 152 Wombat At Large Team Colleague

Danielle,

This entry in your HijackThis log indicates that you had at least 1 instance of Internet Explorer open when you ran HijackThis. HJT cannot fully perform all of its fixes while any instances of your web browser(s) are running, so you need to make sure all browsers are completely closed before having HJT fix anything. That said though, your latest log shows no signs of infection.

As for deleting the SearchUpgrader folder, you may have to go in to the folder and individually delete any files and sub-folders within the SearchUpgrader folder before you can delete the main folder itself. Try that, and if you find that you can't delete a certain file for some reason, tell us the name of that file.

--> Note- an odd quirk about Windows:

When you are viewing files/folders in Windows Explorer using the mode where Explorer displays the folder tree structure in a pane on the left and the contents of any selected folder in a pane on the right, it will sometimes not allow you to delete folders if you try to do it in the left-hand pane. If that's the case, go up one level in the left-hand folder tree so that the folder you want to delete is showing in the right-hand pane and try to delete it from there.

DMR 152 Wombat At Large Team Colleague

There's nothing in your HijackThis log to indicate that malicious infections are responsible for your problems, but I wouldn't jump to the conclusion that you need a new CPU yet.

1. Have you had a look through your system log files for messages/errors which might point to the problem? If not, you can view the logs by running the Event Viewer program in your Administrative Tools folder. Give the logs a look-over and post the exact text of any possibly helpful messages if you find them.

2. What is the history of your problems? That is, when did they start to occur, had you made any hardware/software changes at about that time, etc.? Give us some background info to go on.

3. Check your hardware:

- Are all of your fans working properly?
- Is the inside of the case free of dust and well-ventilated?
- Are you overclocking? If so, throttle the system back.
- Are all of your cards, memory modules, and cables seated properly and firmly?
- Failing RAM? If you have more than one stick of RAM, try running the system with only one stick at a time installed. If the system is less stable when using one particular RAM module, I'd suspect a faulty module.

DMR 152 Wombat At Large Team Colleague

Hi allyoop54,

First of all- welcome to TechTalk! :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Hey again DMR! I'll perform these actions within the next few days

Cool- post a HijackThis log when you get the time; as I said, it will give us a good idea of what you've got crawling around in your 'puter.

as I have to do the conformist family christmas thing right now

[img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/puke2.gif[/img] Need we say more?

as for you ppl bein pc geeks,hell there's nothin wrong with that... You should see the how I get judged be it with my long hair n my hippy dress and views!

lol. I was only joking about the geek part- I'm really a patchouli-wearing, acoustic guitar playing old hippie who just happens to love computers. :mrgreen:

DMR 152 Wombat At Large Team Colleague

What is the exact error you get when you try to delete one of those "strawberry" files? Sometimes these nasty little puppies set their permissions such that even the Administrator account is denied access to them; if that's the case you might have to twiddle with the permission settings under the Security tab of each file's Properties window. Another possibility is the files are still somehow in use even in Safe Mode.

DMR 152 Wombat At Large Team Colleague

-- here I go to mess with the structure of my hd using the rescue cd...

Right then- tell us how it goes, and please let us know if you have any questions or problems; it's better to ask before you click the wrong button...

:mrgreen:

DMR 152 Wombat At Large Team Colleague

Whomever you are,yer awesome for helpin my @$$ out man!

Oh, right- as far as that part goes: those of us who work here are just computer geeks who have no real life, so we volunteer all of our free time helping other people fix their problems. :mrgreen:

DMR 152 Wombat At Large Team Colleague

DMR:I spelt the pctptt.exe wrong,so I guess this one is legit.

OK- that's what I thought. Let's assume that one is legit at least for now.

As for the netdaemon,I did as you said n saw no reference whatsover to it... A nasty eh?

Yes, sounds quite possible. I'm moving this thread to our "Viruses, Spyware, and other Nasties" forum, because I think that's the direction in which we might be headed here.

Please do the following so that we can get a "snapshot" of possible problem areas on your computer:


2. Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.) Do not have HJT fix anything yet, only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Do the above, and we'll take it from there. …

DMR 152 Wombat At Large Team Colleague

Thumbs.dbf files are legit (and automatically generated) Windows files; don't worry about any of those that you run across.

As for the other files I'm not sure; let me get back to you on those.

DMR 152 Wombat At Large Team Colleague

Hi daruk,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Oops- my bad; sorry. I meant to ask you about the proxy setting when I last posted, but the intention somehow just went *poof*. Good catch!

:)

DMR 152 Wombat At Large Team Colleague

If you need to manipulate the NTFS partition, fips won't do; it can only handle FAT/FAT32. Unfortunately, this is true of many of the free open-source partitioning tools.

As mentioned, qtparted should work:

http://freshmeat.net/projects/qtparted/?branch_id=36614&release_id=154236

DMR 152 Wombat At Large Team Colleague

1. Close all running programs.

2. Run HijackThis again and have it fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.webfile.com/side.php
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7F2-F66AB690AD7D} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D7F2-F66AB690AD7D} - (no file)
O4 - HKLM\..\Run: [Windows Update System] C:\win32core.exe
O4 - HKLM\..\RunServices: [Windows Update System] C:\win32core.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7F2-F66AB690AD7D} - http://toolbar.webfile.com/webfile.cab

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the C:\win32core.exe file, empty your trash, and reboot.

DMR 152 Wombat At Large Team Colleague

You just got rid of your authentication server...

Yup. Unless you've promoted another server to DC status, you no longer have centralized authentication. In that situation you will need to log on to the 98 box using an account which exists locally on that box.

DMR 152 Wombat At Large Team Colleague

You can probably also delete the file when booted into Safe Mode; it's most likely that the file won't be running in Safe Mode.

There's a larger issue though: you're obviously infected, and it's highly likely that the wndllsys.exe file is not the only "unwanted guest" on your system. You should have a read through the threads in our Viruses, Spyware, and other Nasties forum to find out how to check your system for further infections. If you find that you need more help along those lines, please start a new thread in that forum, as that is where we deal with those sorts of issues.

DMR 152 Wombat At Large Team Colleague

netdaemon.exe is probably a nasty. Locate the file in Windows Explorer, right-click on it, and choose "Properties". Is there any company name/version information listed anywhere in the Properties tabs?

I'm not sure about "pcttptt.exe"; did you spell that filename correctly? pctptt.exe (note the single "T") is a legit file related to PCTel modems, but I find no info for the exact filename you gave.

If you suspect malicious infections, have a read through the threads in our Viruses, Spyware, and other Nasties forum for info on free utilities you can use to check for infections. If you do determine that viruses, spyware, etc. are the issue and would like help getting rid of them, please start a thread in that forum.

DMR 152 Wombat At Large Team Colleague

Just to clean things up, have HJT fix this:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

And, if you no longer have UltraVNC installed, fix this also:

O23 - Service: VNC Server - Unknown - C:\Program Files\UltraVNC\winvnc.exe (file missing)

DMR 152 Wombat At Large Team Colleague

I'm almost positive that the entire "Business Logic" folder should get the axe. The only places I've seen references to such a folder have been in threads on other support forums where people are dealing with an infection almost identical to yours. "Business logic" is a programming term; I've found nothing to indicate that is the name/brand of a piece of legit software that any normal user would have on their system, and I've never seen such a folder on any system I've ever worked on.

As far as the undeletable folders in the Content.IE5 folder, I'm afraid that the way to go is to start deleting the individual files until you can pinpoint the exact files which are refusing to be deleted. That way we'll at least be able to know the names of the offending files, and that might give us a clue as to how to delete them. By selecting blocks/groups of files for deletion, you should be able to narrow it down fairly quickly.

DMR 152 Wombat At Large Team Colleague

Hi xtfree,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread in this forum and post your HijackThis log there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

1. I'm pretty sure you can't delete those remaining Recycler folders- they represent your currently-active Recycle Bins as far as I know. Every drive/partition will have one of its own. No problem as long as they're empty.

2. Interesting; I'll look in to that.

3. Cool- let us know the results.

DMR 152 Wombat At Large Team Colleague

you have to run hijackthis out of its own directory...

Yikes- Thanks for the catch!

goodtaste:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders (as we've already instructed). If HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else! :eek: :eek:


Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

I have to use the onscreen keyboard

What "onscreen keyboard" are you referring to?

Given everything you've described, I'd try a different keyboard first; it sounds like yours might be getting flaky.

DMR 152 Wombat At Large Team Colleague

... internet explorer keeps popping up at random...It just pops up with stupid adverts on.

You are infected.
When you say "I have checked for spyware and virusus", what exact programs did you use?

Moving to the Viruses, Spyware, and other Nasties (damn, Dani- why did you have to make that name so long!) forum...

DMR 152 Wombat At Large Team Colleague

1. Viewpoint Manager: it does, at the very least, "phone home" to check for updates. The program's maker says that you can disable that function through the VM control panel, and also says VM collects no user data or the like.

Care to believe them? ;)

You can safely remove VM if you want. After doing that from the Add/Remove Programs control panel, check to see if a Viewpoint folder still exists on your hard drive; delete it if you find it. Also check your registry for Viewpoint entries and delete those if found.

2. You are using eDonkey, which has adware components. You can opt not to install those components when you install eDonkey, but if you didn't specifically do that, the adware will have been installed automatically.

3.

O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

You should delete the entire C:\PROGRAM FILES\Toolbar and C:\Program Files\Common Files\WinTools folders if they still exist.

DMR 152 Wombat At Large Team Colleague

1. In Safe Mode, and with your Explorer's View settings set to show hidden/system folders as crunchie instructed, delete everything in the C:\Recycler folder.

2. "Local Page"="c:\\winxp\\system32\\blank.htm" <-- note the double slashes in that path; that's abnormal. Is that really the way the entry reads, or is that a typo?

3. Can you see the "hidden" winxp directory if you reboot into DOS mode (command prompt)? At the prompt, type the following command and see if the winxp directory is listed:

dir /w/p/A/O:gn

If so, see if you can access it and view the directory's contents:

cd C:\winxp
dir /w/p/A/O:gn

What's in that directory?

DMR 152 Wombat At Large Team Colleague

There's nothing suspicious in your log, but that doesn't mean you're not still infected.

Disable ME's System Restore function, reboot into safe mode, and try deleting the contents of the Temp folders again:

1. How to disable System Restore.

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the entire contents of all Temp and Temporary Internet Files folders.

Note - if you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

DMR 152 Wombat At Large Team Colleague

well you have this strange entry in your log:
O2 - BHO: wowfawk - {5CE88842-FCF5-7575-9F91-520F80390773} - C:\WINNT\System32\WOWFAWK.dll
I can't find any info on it

Nor can I; have HijackThis kill it.
When you can't find any info whatsoever on a .dll, .exe, etc., it's a very good bet that the beastie is malicious.

I don't think this entry should be there either.
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

Right- it shouldn't be there. Delete the entire C:\Program Files\Ebates_MoeMoneyMaker folder if it still exists.

DMR 152 Wombat At Large Team Colleague

OK- until then, here are some general suggestions:

- Your error could be an indication that the tape drive is faulty, or is at least in need of some maintenance. All tape devices (data, audio, video) suffer from mechanical wear-and-tear as well as a gradual build-up of dust, dirt, tape particles, etc. on the heads, rollers, and guides. Sometimes a good cleaning of the tape path with anhydrous alcohol and a lint-free cloth does the trick.

- If the drive has a utility for re-tensioning tapes, try that as well.

- Check your cables, termination (if the drive is a SCSI device), jumper settings, etc. Make sure everything is correctly and firmly connected.

DMR 152 Wombat At Large Team Colleague

Well, I deleted everything from that Temp folder...

There may be duplicate copies elsewhere. Also, did you do the deletion while booted into safe mode? If not:

1. Turn off System Restore. As previously posted, instructions are here:
http://www.daniweb.com/techtalkforums/thread13362.html


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

Your system might have a mirror of the above folders in the following location; if so, delete the contents of those folders as well:

C:\WINDOWS\system32\config\systemprofile\

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

DMR 152 Wombat At Large Team Colleague

You get to the Safe Mode boot option by hitting the F8 key as the computer starts up. You have to hit the key just before/as Windows starts to load, so if you miss it the first time just reboot again and start hitting F8 a bit earlier.

DMR 152 Wombat At Large Team Colleague

the download is called HSRemove 2.40

A brief description of how to use HSRemove can be found here:

http://www.majorgeeks.com/download4286.html

DMR 152 Wombat At Large Team Colleague

Common you should understand ....

Sorry, but the language of your posts isn't common here. :rolleyes:

DMR 152 Wombat At Large Team Colleague

No problem riddle; many new members aren't aware of our guidelines. Again- thanks for understanding.

Just start your own thread as I suggested and we'll be there to help.

:)

DMR 152 Wombat At Large Team Colleague

Thanks for the follow-up; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

And there was much rejoicing... yay. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Hi riddle,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

win98_42.cab or win98_46.cab maybe? Sorry, but I forget exactly which one it is, and I think it differs between 98 and 98 SE.

You should also be able to have the System File Checker (SFC) do the job for you. Try this:

Go to Start->Run, type SFC and click ok to start the program. Select the "Extract one file from installation disk" option, type Rundll32.exe and click on Start. Select the C:\Windows\Options\Cabs folder as the source, and C:\Windows as the target (Save in).

DMR 152 Wombat At Large Team Colleague

First off it doesnt show the HJT version...

Yes- your log is missing that bit of information, and it is important. If you don't have it already, you can download the latest version of HijackThis (1.99.0) from the link in my sig below.

and dont run internet explorer while scaninng with HJT

Again, yes- HijackThis cannot fully perform its fixes while you have any instances of your web browser running. The following entry in your log indicates that you did indeed have at least one instance of Internet Explorer running when you ran HJT:

C:\Program Files\Internet Explorer\IEXPLORE.EXE

Please print out the instructions that we give you before performing any fixes we suggest. Because your web browser needs to be closed when you do the fixes, you won't be able to refer to what we post here as you are following our instructions.
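The checks described in the posts above (a log with no HJT version, Internet Explorer open during the scan, and leftover "(no file)" / "(file missing)" entries), sketched as a small log triage script. This is an added example, not part of the original posts and not HijackThis code; the function names are hypothetical, the sample log is constructed from lines quoted on this page, and the "Logfile of HijackThis v..." header format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section code (R1, O4, O23, ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
# O4 registry autorun body: "<hive>\..\<key>: [<value name>] <command>"
AUTORUN_RE = re.compile(r"^(?P<key>[^:]+):\s+\[(?P<name>[^\]]+)\]\s+(?P<command>.+)$")
# Markers that appear on entries whose referenced file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed format of the version header at the top of a log.
VERSION_RE = re.compile(r"^Logfile of HijackThis v(?P<version>[\d.]+)", re.I)


@dataclass
class Entry:
    code: str
    body: str
    orphaned: bool
    autorun: Optional[Tuple[str, str, str]]  # (key, value name, command)


def parse_log(text: str):
    """Return (version, browser_running, entries) for a pasted log."""
    version, browser_running, entries = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = VERSION_RE.match(line)
        if header:
            version = header.group("version")
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.group("code"), m.group("body")
            run = AUTORUN_RE.match(body) if code == "O4" else None
            entries.append(Entry(
                code, body,
                any(marker in body for marker in ORPHAN_MARKERS),
                (run.group("key"), run.group("name"), run.group("command"))
                if run else None))
            continue
        # Bare paths are running processes; IE must be closed before fixing.
        if line.lower().endswith("\\iexplore.exe"):
            browser_running = True
    return version, browser_running, entries


def preflight_problems(text: str) -> List[str]:
    """Problems to resolve before any fix is attempted from this log."""
    version, browser_running, _ = parse_log(text)
    problems = []
    if version is None:
        problems.append("log has no HijackThis version header")
    if browser_running:
        problems.append("Internet Explorer was running during the scan")
    return problems


def orphaned(text: str) -> List[Entry]:
    """Entries pointing at files that are gone: cleanup candidates."""
    return [e for e in parse_log(text)[2] if e.orphaned]


def autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Registry Run/RunServices entries, for manual review."""
    return [e.autorun for e in parse_log(text)[2] if e.autorun]


# Constructed sample assembled from log lines quoted on this page.
SAMPLE_LOG = r"""
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.webfile.com/side.php
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Windows Update System] C:\win32core.exe
O23 - Service: VNC Server - Unknown - C:\Program Files\UltraVNC\winvnc.exe (file missing)
"""

if __name__ == "__main__":
    for problem in preflight_problems(SAMPLE_LOG):
        print("PREFLIGHT:", problem)
    for entry in orphaned(SAMPLE_LOG):
        print("ORPHANED :", entry.code, "-", entry.body)
    for key, name, command in autoruns(SAMPLE_LOG):
        print("AUTORUN  :", key, name, "->", command)
```

The script only sorts entries for a human to review; whether an autorun or an orphaned service entry should actually be removed still depends on what is installed on the machine.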

DMR 152 Wombat At Large Team Colleague

However, after deleting the symantek key (or I would presume any key in there for others with this problem) the install disc of win2k ran just fine.

It's funny (or not) that it was Norton's RunOnce entry that was triggering the error; I've run across many other reports where it was also the Norton RunOnce entry that was causing similar problems/errors.

Anyway- you're welcome; glad we could help! :)

DMR 152 Wombat At Large Team Colleague

OK- it looks like you may very well have the new VX2 variant. I haven't had much experience with that one, but crunchie seems to know how to deal with it. Let me contact him and see if he can have a look at this for you. Hang in there...

DMR 152 Wombat At Large Team Colleague

Since you seem to have the cabs in your C:\Windows\Options folder, you should be able to extract a fresh copy of rundll32.exe from there:

extract /a win98_40.cab rundll32.exe /L c:\windows

DMR 152 Wombat At Large Team Colleague

If Windows isn't automatically detecting the video card, you will have to tell us the exact make and model # of the card before we can tell you where to get the drivers for it.

Knowing the exact make and model of the computer itself will help too.

Also - could you please type in full, complete sentences? We're a tech support forum, not a chat room. Making your posts as clear and concise as possible is important if you want us to help you most efficiently and quickly.

DMR 152 Wombat At Large Team Colleague

Have you tried eBay? You can often find old software there for not a lot of $$.

DMR 152 Wombat At Large Team Colleague

Can we have the exact make and model of the tape drive please?