DMR 152 Wombat At Large Team Colleague

Download and run the anti-spyware programs after the virus scan. Anti-virus programs won't be much help in detecting and removing spyware.

In terms of the "error 82", what program are you trying to install? It sounds like a permissions problem- if you are trying to install the program while logged in as a normal user, log in under an Administrator account instead and try from there.

DMR 152 Wombat At Large Team Colleague

Quite possibly, yes. I would definitely take Catweazle's suggestion and check out Ad Aware, SpyBot, and similar "malware" removal programs- you might be surprised at what they turn up. If you do find malware on your system and have questions concerning that, please start a thread in our Security forum, as that's where we deal with those issues.

Tell us this- does the behaviour occur under any user account (including Administrator/Owner accounts), or does it only occur when logged in under a certain account?

DMR 152 Wombat At Large Team Colleague

I think I'm there.................

I think so- your log looks clean. :)

To keep it that way, make sure to stay current with the latest critical fixes from Microsoft by using Windows Update, and always make sure to check for the latest updates for your anti-virus and anti-spyware utilities as well. Use the automatic update feature of those programs if available.

DMR 152 Wombat At Large Team Colleague

Grrr! You seem to have picked up more nasties.

Do you know what program this file relates to? It looks suspicious to me. The only info I could find on it is in languages which I don't speak or read: C:\WINDOWS\System32\ethernet32m.exe

And this one as well:
O4 - HKLM\..\Run: [pmh] C:\WINDOWS\pmh.exe


O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

The above indicates infection by a version of the CoolWebSearch trojan. You need to download and run CWShredder (from the same site that you got HJT); it will attempt to fix CWS infections.

These are indicative of worm/trojan infections:

O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wininimil.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe

Are you sure you're running full anti-virus and spyware scans with the most current updates to the programs? If so, I'd think your utilities should have caught much of this.

Also, there are still Incredimail references; did you at least try to delete it through your Add/Remove Programs control panel yet?

DMR 152 Wombat At Large Team Colleague

More on this later (it's dinner time in my end of the world), but Incredimail has not only a questionable history of what it does with the data it collects as you use the service and who they are affiliated with, but the program also has a history of causing bugs/crashes/conflicts such as you describe. Permanent and complete removal of the beast also seems to be somewhat difficult; I'll get back to you tomorrow with more info.

DMR 152 Wombat At Large Team Colleague

A) Get rid of Incredimail- it is "incredibly" questionable.

B) Have HJT fix the following:

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zwsixdcx.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\xxncwcsg.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

C) Reboot into safe mode and delete:
-> C:\WINDOWS\System32\zwsixdcx.exe
-> C:\WINDOWS\System32\xxncwcsg.exe
-> Any remaining Incredimail files/folders if they exist
(Note that you should have Windows Explorer's view options set to view all hidden and system files when you do this)

D) Delete all cookies and the contents of all Temp/Temporary Internet and browser cache folders, empty your Recycle Bin, and reboot.

E) That might not have gotten everything, so post a fresh HJT log after doing the above.

DMR 152 Wombat At Large Team Colleague

...there are always still files remaining in the registry

That's rather unclear; could you be more specific or give us an example of what you're trying to describe there?

There are a few places where temp Internet info hides:

In C:\Documents and Settings\username\Local Settings you will find History, Temp, and Temporary Internet Files folders.

In C:\Windows\Temp you'll also find another set of History and Temporary Internet Files folders.

DMR 152 Wombat At Large Team Colleague

2 NICs sharing the same IRQ could be problematic. Try moving one of the NICs to another PCI slot; that might force a reallocation of IRQs on the PCI bus.

DMR 152 Wombat At Large Team Colleague

OK- we'll be here... :)

DMR 152 Wombat At Large Team Colleague

It depends on the make of BIOS you have, but basically you have to hit a certain key just as the computer is booting up (before Windows starts) to enter the BIOS setup. Some common BIOS access keys are F1, F2, and Del.

Once in the BIOS you have to locate the section which has the settings for your IDE channels and devices. Make sure both channels are recognized and enabled. Also make sure your IDE devices are being recognized correctly.

DMR 152 Wombat At Large Team Colleague

Judging from your HJT log, your %systemroot% folder is C:\Windows. If you want to be absolutely sure:

1. Click on the "Run..." option under your start menu.
2. In the resulting dialog box, type "cmd" (omit the quotes) and hit enter.
3. At the resulting DOS prompt, type the following and hit enter:

echo %systemroot%

DMR 152 Wombat At Large Team Colleague

If rundll32.exe is truly corrupt or missing, it can be reinstalled from the .cab files either on the hard drive or on the Windows installation CD. The restore process (and the location of the "fresh" copy of the file) may vary depending on your exact version of Windows; try some of the suggestions in this Google search:

http://www.google.com/search?hl=en&ie=UTF-8&q=rundll32.exe+cab+file+extract&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

Thanks JB- just start your own thread and post your log there (if you haven't already).

:)

DMR 152 Wombat At Large Team Colleague

You might want to choose the "Prompt" option instead of "Enable" for Active X; allowing any and all Active X controls to run makes your system more prone to infection by spyware, trojans, hijacks, etc. With the options set to "Prompt" at least you'll be asked for permission before a control is allowed to run.

DMR 152 Wombat At Large Team Colleague

Could be a number of causes for that problem- do any of the links in the following Google search shed any light?:

http://www.google.com/search?hl=en&ie=UTF-8&q=BROWSEUI.DLL&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

Glad you got it sorted. :)

If by chance you get an error when you start Windows that alludes to bridge.dll not being found (which can happen once spyware removal utilities delete the file):

1. In the "run..." dialog box in your Start menu, type "regedit" (omit the quotes)

2. Navigate to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run

3. In the right-hand pane of the editor, locate the entry which references bridge.dll

4. Right-click on that entry and choose Delete.

5. Exit the editor

DMR 152 Wombat At Large Team Colleague

Not sure about msn, but quite a few other people seem to have had similar problems with their msn (and hotmail) logins. You might want to do a search here and at Google for "msn" "login".

DMR 152 Wombat At Large Team Colleague

By the way:

oh uh... have you done anything that would require rundll32.exe to run?

A user may not have done anything explicitly which would cause rundll32.exe to run; like svchost.exe, that program is responsible for loading legitimate system programs. "Malware" programs can abuse rundll32.exe, but the pure fact that rundll32 is active is not necessarily indicative of a problem.

(Again though- the rundll32 shutdown error would have me looking at a virus/malware infection as well)

DMR 152 Wombat At Large Team Colleague

oh uh... have you done anything that would require rundll32.exe to run? if not, it sounds like some malicious program is using it for its own purposes... pull out HijackThis and post your log.

BinaryMayhem,

I do agree that is probably a malware issue, but please do not ask members to post HJT logs in any forum except our Security forum. We had to create the security forum primarily due to the overwhelming postings of HJT logs across this entire site, and do ask that members concentrate their "malware"-related posts there. Read Dani's (our site admin) post at the top of each forum concerning this issue:

http://www.daniweb.com/techtalkforums/announcement.php?f=10&announcementid=1


Thanks,

DMR

DMR 152 Wombat At Large Team Colleague

Don't sweat the SpyBot DSO message- it's a known bug. You can read about it here:

http://forums.net-integration.net/index.php?showtopic=17159&st=0&#entry81148

The presence of FireDeamon.exe and sud.exe indicates a possible trojan infection. See if the following applies to you:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q294/7/28.ASP&NoWebContent=1


Is it possible that you simply have a DNS problem? The conditions you describe are exactly what would happen if your system couldn't contact a DNS server in the process of resolving URLs to their IP addresses.

Try this:

- Open a DOS box

- Type:
ping 64.233.167.99

and then:
ping www.google.com

If the first works, but the second doesn't (both pings should reach Google), check the DNS server IP entries in your TCP/IP properties and make sure the IPs are present and correct.

DMR 152 Wombat At Large Team Colleague

Thanks.

Marking as solved...

DMR 152 Wombat At Large Team Colleague

Marking as (um, I guess...) solved.

:mrgreen:

DMR 152 Wombat At Large Team Colleague

if you are still unsure of what to do, you can turn off the stupid prompt for the OS in windows. right click My Computer, select properties, go to advanced, click start up and recovery, then UNCHECK "display list of operating systems for xx seconds".

Yes- if you don't want to risk mucking up your boot.ini file (and hence your booting), do as BM suggests.

DMR 152 Wombat At Large Team Colleague

As the original problem in this thread has been solved, this thread is essentially closed.

Members who might be experiencing similar problems should start their own thread and state their questions there.

DMR 152 Wombat At Large Team Colleague

shortone,

Being new to this site I'm sure you aren't aware of this, but we do ask that members start their own thread when they have a question rather than "piggybacking" the question onto a thread previously started by another member (regardless of how similar the 2 problems might seem).

For one thing, the piggybacking diverts the focus of the thread away from the original poster's problem, and for another, your question won't get the attention that it would if it were in its own thread.

With that in mind, please post your question in its own thread, and try to provide as much detailed info as possible when you do (the exact text of error messages, your version of Windows and the program(s) you're having trouble with, etc.)

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Sorry for the delay- the rest of the week just got very crazy.

Ok- you have a handful of nasty trojan/backdoor infections as well as a couple of bits of spyware.

I see that you're running both AVG and Norton; you should only use one AV program at a time. I'd highly suggest making sure your virus definitions are up to date and running a full system scan with one of those utilities. Additionally, you should probably do one of the free online virus scans:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/

-------------------------------------------
In HJT, check and fix the following:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [W1N32.DLL] C:\WINNT\WINLOGON�*.exe
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lknqXXX.exe
O4 - HKLM\..\Run: [Windows Explorer] Explorer�*.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O4 - HKLM\..\Run: [Norton AntiVirus] C:\WINNT\SYSTEM32\fqqe.exe
O4 - HKLM\..\Run: [msupdate32] c:\winnt\system32\vga.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [gqegbvqvc] C:\WINNT\SYSTEM32\fqecvs.exe
O4 - HKLM\..\Run: [vaxxa] C:\WINNT\SYSTEM32\vdars.exe
O4 - HKLM\..\Run: [davadqqec] C:\WINNT\SYSTEM32\fdfdq.exe
O4 - HKLM\..\Run: [Ssdqwa] bgdw.exe
O4 - HKLM\..\Run: [vdata] C:\WINNT\SYSTEM32\fqecs.exe
O4 - HKLM\..\Run: [sghvvnra] rFeaturePres
O4 - HKLM\..\Run: [bsfqwa] ggwdw.exe
O4 - HKLM\..\Run: [gvrcub] C:\WINNT\mymw.exe
O4 - HKLM\..\Run: [BDDVK] C:\WINNT\system32\BDDVK.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINNT\Temp\RECOVE~1.EXE
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer�*.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\RunServices: [Ssdqwa] bgdw.exe
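The replies above (the "Microsoft Update" entries, the "Cryptographic Service"/"System Update" pair, and the long list just posted) all apply the same eyeballing rules to HJT O4 lines: a label that imitates a Microsoft or Norton component, an executable with no path or a gibberish name, something launching from Temp or the Startup folder, one entry starting two executables, and the IncrediMail/MyWebSearch bits. This added script (mine, not HijackThis code or anything DMR posted) parses O4 lines and applies those rules; the heuristics and the sample log are my own construction from the entries quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# One HijackThis O4 autostart line, e.g. "O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# Heuristics distilled from the clues the replies point at (my assumptions, not HJT logic).
IMITATED = ("microsoft", "windows", "norton", "nav ", "cryptographic", "system update")
ODD_DIRS = ("\\temp\\", "\\startup\\")
KNOWN_UNWANTED = ("incred", "mywebs")

@dataclass
class Entry:
    hive: str
    key: str
    label: str
    command: str
    reasons: list = field(default_factory=list)

def parse_o4(line):
    """Entry for an O4 line, None for any other HJT line."""
    m = O4_RE.match(line.strip())
    return Entry(m["hive"], m["key"], m["label"], m["cmd"]) if m else None

def executable(command):
    """Path up to the first .exe (unquoted paths may contain spaces), else the first token."""
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split()[0]

def looks_random(name):
    """True for vowel-starved names such as zwsixdcx or lknqXXX."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 4 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def triage(entry):
    """Append one reason per heuristic the entry trips; an empty list means nothing stood out."""
    exe = executable(entry.command)
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\" not in exe:
        entry.reasons.append("bare file name, no path")
    if any(d in exe.lower() for d in ODD_DIRS):
        entry.reasons.append("runs from a Temp or Startup folder")
    if any(w in entry.label.lower() for w in IMITATED):
        entry.reasons.append("label imitates a Microsoft/Norton component")
    if looks_random(stem):
        entry.reasons.append("random-looking file name")
    if len(re.findall(r"\.exe\b", entry.command, re.IGNORECASE)) > 1:
        entry.reasons.append("launches a second executable")
    if any(k in (entry.label + entry.command).lower() for k in KNOWN_UNWANTED):
        entry.reasons.append("IncrediMail/MyWebSearch component named in the thread")
    return entry

def suspicious_entries(log_text):
    """Parse a whole HJT log and keep only the O4 entries that tripped a heuristic."""
    found = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and triage(entry).reasons:
            found.append(entry)
    return found

# Constructed sample: O4/O8 lines quoted in the replies above (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zwsixdcx.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINNT\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lknqXXX.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.label}] -> {'; '.join(e.reasons)}")
```

A hit only means "look this file up and verify it", the same way the replies treat it; entries with no reasons can still be bad, so the script narrows the list rather than clearing anything.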

DMR 152 Wombat At Large Team Colleague

If this seems to happen only for secure areas of sites (such as the "payment page" at ebay that you mentioned), I'd check through the security settings in your Internet Options control panel; something there (SSL settings perhaps) might have gotten altered somehow.

Also- can you get to Microsoft's Automatic Update site? If so, make sure you install all of the latest patches/upgrades for IE and Windows itself.

If you can download another browser such as Netscape, Opera, or Firefox, do so and see if the problem occurs there as well.

DMR 152 Wombat At Large Team Colleague

OK- just got back from my girlfriend's kid's birthday dinner, and I'm off to bed soon. If no one picks up on this before tomorrow morning I'll get back to you then. Your log shows some obvious "nasties" in it, but it also has some suspicious looking stuff in it that I'm not sure about and just don't have the time to research tonight.

DMR 152 Wombat At Large Team Colleague

So if you just need fast help how come you didn't post your log in your own thread yet?

Oh, come on cj- go easy on the newbies... :mrgreen:


EvilSp0rk-

In all seriousness, what cj is alluding to is correct- all of the people who post here need fast help, and the best way for them to get that is to start their own thread. By doing so yourself you'll get more expert "eyeballs" focussed on your particular problem.

DMR 152 Wombat At Large Team Colleague

thanks guys but it was a registry thing. I had to delete files in ie browser helps. I am okay for now, opened, surfed, checked mail accounts, played games, and then able to close, on five attempts it worked!

Does the above mean that you've solved the problem? If so, I'll mark this thread as solved.

DMR 152 Wombat At Large Team Colleague

Cool- we'll be here.

And yeah- you'll definitely want to relax with some golfing before the shock of dealing with the 300+ pieces of malware that Ad Aware and SpyBot are going to find on your system...

:mrgreen:

DMR 152 Wombat At Large Team Colleague

Marking as solved... :)

DMR 152 Wombat At Large Team Colleague

You've still got major problems. Before proceeding with HJT, download and run Ad Aware and SpyBot. Allow them to fix whatever they find and then post a fresh HJT log.

Links to the downloads are in my sig below. Also- follow the configuration instructions in the "Setting up Ad Aware and SpyBot" link before running the programs.

DMR 152 Wombat At Large Team Colleague

Hello EvilSp0rk, welcome to Tech Talk. :)

Please read this entire thread thoroughly- we (the moderators) have posted about 5 comments concerning our rule against having members post their questions in someone else's thread. When multiple people start asking multiple questions in a single thread, it quickly becomes confusing to follow which answers relate to which questions. It also distracts the focus of the troubleshoot away from the original poster's problem.

Please start your own thread and post your question there. Also- have a read through our posting guidelines in general:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

redboy,

It sounds like spyware/hijackware. Have a read through the "Helping yourself" post at the top of our Security forum for information on detecting and removing the pests.

DMR 152 Wombat At Large Team Colleague

I think the power thing was just coincidence

Probably not a coincidence. The components on the vid card had probably already been weakened by heat due to the fan's failure; the voltage irregularities caused by the power outage were enough to finally kill something on the card.

Glad it was only a minor death though. :)

DMR 152 Wombat At Large Team Colleague

There are a few remote access options that the two of you could use without needing third-party hosting. XP Pro has a built-in Remote Access server (XP Home does not); SSH and telnet are a couple of other options. SSH is recommended over telnet for security reasons.

DMR 152 Wombat At Large Team Colleague

Glad we could help AJ; I hope you're getting well paid for this new-found role of "Family Computer Fixer" that you seem to have fallen into.... :mrgreen:

- Marking as solved

DMR 152 Wombat At Large Team Colleague

DMR,

You’re right. Sorry about that.

Phas,

I've split your posts into their own thread. The new thread is located here:

http://www.daniweb.com/techtalkforums/thread7168.html

DMR 152 Wombat At Large Team Colleague

Ah, OK -that is a slightly different question.
Killer_Typo is right- to get to those characters, activating numlock should do you.

(By the way- The second "full stop" on the key you describe is actually a decimal point)

DMR 152 Wombat At Large Team Colleague

My laptop is second hand so I have no manual.

Um, yes- but neither do we... :mrgreen:

Care to at least tell us the make/model of laptop?

You don't see a ' symbol anywhere on the keyboard?? That's weird.

DMR 152 Wombat At Large Team Colleague

CRC errors (and random system restarts) can be the sign of bad RAM. Download and run the following RAM-testing utility:

http://www.memtest86.com

Run the utility multiple times for a real "stress test" of your RAM. If you have multiple sticks of RAM, remove them; run memtest on each stick individually.

DMR 152 Wombat At Large Team Colleague

Now I am happy to report that there is a cure:
Adware Away.

Which is, unfortunately, only a 5-day trial; after that you have to buy it. Funny that you'll find no mention of the fact that the trial is a download unless you dig to the bottom of their FAQ... :rolleyes:

DMR 152 Wombat At Large Team Colleague

Some info on the trojan:

http://www.google.com/search?hl=en&ie=UTF-8&q=Dyfica+Trojan&btnG=Google+Search

Note the references to disabling System Restore and running your utilities in Safe Mode. If system restore is enabled, and the virus was present at the time your last restore point was taken, the virus can be reintroduced to your system that way.

ajelliott commented: Thank you for your support! +4
DMR 152 Wombat At Large Team Colleague

Good to know Leo- thanks. :)

DMR 152 Wombat At Large Team Colleague

Sure,

The first thing to do is to have a read through the following thread:

http://www.daniweb.com/techtalkforums/thread5690.html

In it you'll find links to spyware detection/removal utilities, instructions on their usage, and tips to help you avoid getting reinfected. The utilities are free; download them, read their documentation, and run them. Repost here when/if you run into problems or simply have questions.

:)

DMR 152 Wombat At Large Team Colleague

That seriously sounds like the result of spyware/hijackware.

I'm moving this to our Security forum. Have a read through other posts there and follow the spyware detection/removal instructions posted by our security experts crunchie and caperjack; repost here if you still have issues after that.

DMR 152 Wombat At Large Team Colleague

Any pertinent error messages in your event logs?

DMR 152 Wombat At Large Team Colleague

A) You're running HJT from within a temp/temporary folder; you need to create a separate folder on your hard drive for HJT and run it from there.

B) Have you run through the standard SpyBot/Ad Aware/CWShredder/etc. drill yet? If not, do so and then post a fresh HJT log. (Links to the utilities and usage directions are in my sig below).

* Your best bet is to run the utilities while booted into Safe Mode; they may be able to more effectively remove the nasties you've got that way.

DMR 152 Wombat At Large Team Colleague

Some (extremely un-fun) info concerning Look2Me and its removal:
http://www.kephyr.com/spywarescanner/library/look2me/index.phtml

Hunterbar:
http://doxdesk.com/parasite/HuntBar.html

Have you gotten the absolutely most recent patches and fixes from Microsoft? If not, do so now- your system needs to be kept thoroughly up to date to lessen your vulnerability. Also, download and install SpywareBlaster if you haven't already; it blocks the installation of malicious programs which exploit ActiveX controls:
http://www.javacoolsoftware.com/spywareblaster.html