Oh- one thing: can you please post the details of what the problem turned out to be, and how you finally resolved the issue. Having that info here could be helpful to other members in the future.
Thanks
Good work- that's a clean HJT log. :)
How do things appear to be working now?
Cool- glad you got it sorted. :)
Yes- if Norton and Spy Subtract have expired, their effectiveness is already compromised, and they'll obviously only become less and less effective as time goes on. Run Windows' firewall and Defender; those, combined with AVG and some common sense when browsing, will go a long way toward keeping you out of trouble.
I'd also highly suggest using Firefox as your web browser instead of Internet Explorer. At the very least, Firefox doesn't rely on ActiveX and other Windows components that create such nasty security loopholes in IE.
OK- things still look pretty nasty, but we need to take care of something before we continue: Your HJT log indicates that you are running both Norton's and AVG's anti-virus programs simultaneously; that is not recommended, as serious conflicts can arise between the two. It's OK (and advised) to run multiple anti-spyware tools, but you need to choose only one anti-virus product and disable/uninstall the other.
If your subscription to Norton has expired, uninstall that program. If your subscription is current, and Norton AV is installed as part of the whole Internet Security Suite, you may want to keep that program and uninstall AVG.
Regardless of what you choose to do:
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
* Download and install the following utilities:
Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
CCleaner - www.ccleaner.com
Symantec's ISTBar Removal Tool - http://www.symantec.com/avcenter/venc/data/adware.istbar.html
ewido Anti-malware - http://www.ewido.net/en/download/
* When installing ewido, under "Additional Options" uncheck..
i am using a modem and i have dsl but i am not sure.
You'll need to find out; it makes a difference. If your laptop was originally configured to connect directly to a DSL modem, chances are that you have DSL connection/dialer software installed. This software is not needed when you connect to anything besides a DSL modem, and will often cause conflicts such as you describe if you try.
Please try to give us as much specific information about the network(s) and devices you are trying to connect to. There are literally scores of different possible network configurations and devices out there; the more we know about your particular situations, the faster we can get your problems solved.
What kind of Internet access do you currently use (DSL, Cable, etc.), and what device (wireless router, access point, or modem) is your computer trying to connect to?
Your logs look good :)
I'd suggest waiting for crunchie's (hopefully final) input on this, as he was your troubleshooter. He should be back online a bit later today.
Confused beyond belief now...
It's a marsupial thing; you wouldn't understand.....
my old post (http://www.daniweb.com/techtalkforums/thread45768.html) doesn't seem to be working...
Yes- your original thread seems to have gotten corrupted. In light of that, could you also post a current HJT log in this thread, please?
Thanks.
Let's see if your system and application log files can give us more specific information:
Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for events flagged with "Error" or "Warning". Double-clicking on such an event will open a properties window with more detailed information on the error. If you find events which seem like they might relate to your problem, post the event's details here.
To do so:
In the Properties window of a given event, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.
Hi tsahajdack,
Your latest HJT log is clean :)
However, I'd recommend that you keep the computer off the Internet as much as possible until tayspen comes back online and is able to sign off on this.
ok, i still have a prob :evil: .
sometimes i got redirected from google searching.
the first address is: 'http://85.255.113.26/' then it appears another page...
You've got a variant of the SpywareQuake scumware; the entire IP address range of 85.255.112.0 - 85.255.127.255 is owned by the fine folks who distribute the infections.
Please give us a fresh HJT log (it's been a while since your last post) and we'll take it from there.
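The address range quoted in the reply above can be turned into a check that runs over browser history or proxy log lines. This is an added example, not part of the original posts; the sample lines and the function names are constructed for illustration, and only the range and the first URL come from the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# First and last address of the range quoted in the post.
RANGE_FIRST = ipaddress.IPv4Address("85.255.112.0")
RANGE_LAST = ipaddress.IPv4Address("85.255.127.255")

# Collapse first-last into CIDR blocks so the same range can be reused
# in firewall or proxy rules. This range is one aligned block.
BLOCKS = list(ipaddress.summarize_address_range(RANGE_FIRST, RANGE_LAST))

# URLs as they appear in free text; quotes and brackets end the match.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def host_in_range(host):
    """True if host is an IP literal inside the flagged range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name, not an IP literal. Resolving it is out of scope
        # for an offline check, so it is not flagged here.
        return False
    return any(addr in block for block in BLOCKS)


def flag_redirects(lines):
    """Return (line number, host, url) for every URL in the range."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host_in_range(host):
                hits.append((lineno, host, url))
    return hits


# Constructed sample input (not taken from a real log).
SAMPLE_LINES = [
    "12:01:07 GET http://www.example.com/search?q=printer+drivers",
    "12:01:09 GET 'http://85.255.113.26/' referer=search",   # from the post
    "12:01:10 GET http://85.255.127.255:8080/x",             # last address
    "12:01:12 GET http://85.255.128.1/",                     # just above
    "12:01:13 GET http://85.255.111.255/",                   # just below
    "12:01:15 GET http://192.0.2.10/index.html",
]

if __name__ == "__main__":
    print("blocks:", [str(b) for b in BLOCKS])
    for lineno, host, url in flag_redirects(SAMPLE_LINES):
        print(f"line {lineno}: {host} in flagged range ({url})")
```
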
Nothing else comes to mind right now, but if it does, I'll post it. Hopefully one of our other members will be able to offer some suggestions in the mean time.
Looks clean to me.
Looks clean to me as well.
Glad we could help, Crissa86 :)
Does everything appear to be OK now? If so, we can mark this thread "solved".
1. Can you print documents from the local computer? Delete all currently-pending print jobs before trying this.
2. I know it sounds obvious, but make sure that the "Use printer offline" option in the printer's Properties/Preferences isn't checked.
Click on the "Run..." option in your Start menu, enter the following in the resulting "Open:" box, and hit OK:
services.msc
That should open the Services utility.
1. Open the Services utility in your Administrative Tools control panel.
* In the list of services, locate the service named "Userinit Logon Verification" or "UsrInitVerif" and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.
* Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.
2. Run HijackThis again. Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:
UsrInitVerif
Close HijackThis after that.
3. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
Look for the C:\WINDOWS\userinit.exe file and delete it if it still exists.
** Caution: There is a valid Windows file named userinit.exe that lives in the C:\Windows\System32 folder. Do not delete that file!! **
4. Empty your Recycle Bin, reboot the computer, run HijackThis again, and post the new log.
...... but how do i fix that?
* Run another scan with HijackThis.
* Place a check mark in the box to the left of the following entry:
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM32\winbrume.dll (file missing)
* Click the "Fix checked" button.
* Once HijackThis has completed the fix, close the program and reboot.
* Once rebooted, run one (hopefully) final scan with HJT to make sure that the "O2 - BHO: (no name)" entry is no longer present. Post that final log file here.
Glad you finally got it sorted out...
The HijackThis log is clean, which is a Good Thing :)
Have her "kick the tires", and also see if you can get a good resend of the ewido log if possible. The ewido reports can be pretty illuminating in terms of letting us know what specific components of the infection(s) were found and what was done about them.
Hi roswell1329, welcome to our site! :)
Your HJT log does show signs of the Antispylab infection, so let's get to work...
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
1. Download and install the following utilities:
CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/
- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.
- Open Windows Defender and check for/install the most current updates. Close the program after you've verified this.
- Open Norton antivirus and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.
At this point, please close/quit all open programs and disconnect from the Internet.
2. Run another HijackThis scan, place a check mark in the boxes to the left of the following entries, and then click the "fix checked" button:
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
3. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key just as your computer is starting up).
1. Those three dlls are legit components of your TCP/IP stack.
2. If you really are experiencing conflicts/problems caused by Norton (and that does seem likely given what you've posted so far), you'll need to have the option of uninstalling or at least disabling the program in order to definitively troubleshoot your system. Troubleshooting network connectivity problems with firewall/Internet security software active is just an exercise in tail-chasing. If you yourself don't have the rights to administer the Norton package, you should notify/involve the person who does.
That leads me to my last question.
Are ya still having problems?
Which leads to yet another question: What exactly are the problems?
If you can give us some idea of what troubles/symptoms you're experiencing, that would help. While HJT is a great tool for finding certain problems, it is by no means a comprehensive diagnostic (nor is it meant to be).
Apparently the Vonage adapter has some DHCP Server functionality...
Correctomundo!
If you've got Linksys RT312Ps, those are full-blown routers in and of themselves (the "RT" in Linksys product lines indicates "router"), so they can definitely act as DHCP servers. As a matter of fact, DHCP is active by default on those devices, at least the ones I've installed.
Good troubleshooting; glad you got it sorted :)
Does everything appear to be happy in IP Land now? If so, I'll mark this topic as "solved".
<EDIT>
I'll throw this link from Vonage's site in here just for reference; it contains info and instructions on connecting Vonage devices in different network environments:
http://www.vonage-forum.com/setup.html
</EDIT>
Thanks for the info- that explains a lot. Madness indeed; I feel for 'ya. :mrgreen:
With the network configuration you've outlined, it sounds like you'll want to retain the DHCP functionality if for nothing else than the ease of connecting the visiting/floating laptops to the LAN. If so, I'd suggest going the route (no pun intended, of course) of configuring the router's DHCP server settings to use a range (scope) of IP addresses that don't conflict with any IPs that you've manually assigned.
With a network range of 192.168.1.x and a subnet mask of 255.255.255.0, one common configuration is to set the starting address of the DHCP server's scope to 192.168.1.100, and to then assign all static IPs working from 192.168.1.1 (usually used/reserved for the router itself) up to 192.168.1.99.
Um... hang on here- just how many computers do you have on this LAN, and out of those, how many existed "pre-switch installation"?
The error messages you've posted are what you would expect on a network in which the computers are using a mix of dynamically assigned (DHCP) and statically assigned IP addresses, but where the scope of IP addresses handed out by the DHCP server (the router, in your case) overlaps the range of static IP addresses you've chosen.
As an example: You have a network (with or without a switch; the switch really is transparent here) in which the router is configured to assign computer IP addresses via DHCP from the private IP address range of 192.168.1.1 -> 192.168.1.50.
However, you also have 2 computers on that network which you have manually (statically) configured to use the IP addresses 192.168.1.7 and 192.168.1.8. In this scenario, the router has no way of knowing that the IPs 192.168.1.7 and 192.168.1.8 addresses are already in use, and, as those IPs are within its DHCP scope, it tries to assign those IPs to other computers on the network. Since each computer on the network needs a unique IP address, you can see where/why the conflicts occur.
Assuming I'm shooting somewhere close to the bull's eye here, you have two options:
1. Don't use DHCP at all; just configure all of the computers to use static IPs. For smallish networks …
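The overlap described in the two replies above (a DHCP scope of 192.168.1.1 to 192.168.1.50 with static hosts at .7 and .8, versus a scope starting at 192.168.1.100) can be checked mechanically. This is an added example, not part of the original posts; the host names, the extra host at .60 and the scope end of 192.168.1.254 are assumptions, and the check goes slightly beyond the posts by also flagging duplicate and out-of-subnet static addresses.

```python
import ipaddress


def audit_addressing(network, scope_start, scope_end, static_hosts):
    """Return (host, ip, problem) tuples for static IPs that can collide.

    network       subnet in address/mask form
    scope_start   first address the DHCP server hands out
    scope_end     last address the DHCP server hands out
    static_hosts  mapping of host name -> manually assigned IP
    """
    net = ipaddress.ip_network(network)
    start = ipaddress.ip_address(scope_start)
    end = ipaddress.ip_address(scope_end)
    if start > end:
        raise ValueError("DHCP scope start is above its end")
    if start not in net or end not in net:
        raise ValueError("DHCP scope is not inside the subnet")

    findings = []
    owner = {}  # first host seen using each static IP
    for name, ip_text in static_hosts.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            findings.append((name, ip_text, "outside subnet"))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((name, ip_text, "network or broadcast address"))
        elif start <= ip <= end:
            # The DHCP server does not know this address is taken and
            # may lease it to another machine.
            findings.append((name, ip_text, "inside DHCP scope"))
        if ip in owner:
            findings.append((name, ip_text, "duplicate of " + owner[ip]))
        owner.setdefault(ip, name)
    return findings


# Subnet and mask as given in the posts.
NETWORK = "192.168.1.0/255.255.255.0"

# Host names are hypothetical; .7 and .8 are the addresses from the post,
# .60 is a constructed extra host.
STATIC_HOSTS = {
    "pc-a": "192.168.1.7",
    "pc-b": "192.168.1.8",
    "printer": "192.168.1.60",
}


def overlapping_config():
    # Scope from the post's example: statics at .7 and .8 fall inside it.
    return audit_addressing(NETWORK, "192.168.1.1", "192.168.1.50",
                            STATIC_HOSTS)


def separated_config():
    # Scope starting at .100 as suggested; the .254 end is an assumption.
    return audit_addressing(NETWORK, "192.168.1.100", "192.168.1.254",
                            STATIC_HOSTS)


if __name__ == "__main__":
    for label, result in (("scope .1-.50", overlapping_config()),
                          ("scope .100-.254", separated_config())):
        print(label)
        for name, ip, problem in result:
            print(f"  {name} {ip}: {problem}")
        if not result:
            print("  no conflicts")
```
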
Last time I had a vid card go bad I could at least see the BIOS start so I'm worried this is a mobo problem or CPU rather than a vid card.
It could be a lower-level problem than the vid card, but even at the BIOS stage, the vid card is still part of the signal flow. The reason that one sometimes sees good output during the BIOS stage but not after that is that the card switches to a different display mode once Windows takes over in the boot process. In other words, a vid card can fail in such a way that it can display the "primitive" output used by the BIOS screens, but not the more advanced modes used by the OS.
In the normal hierarchy of troubleshooting a problem such as yours, testing with a different video card would be the next logical step unless you have specific reason to suspect another component.
... the lights on router's ethernet ports would flash quickly and never be able to hold solid...so I'm off to the store today and if it doesn't work with the second one, I'll be back...
Ok- hopefully it's just a duff switch, but if the new one gives you problems too, we'll be here... :)
... and it's not working.
Well now, that certainly gives us a lot to go on... :mrgreen:
Please give us as many details as possible on your IP addressing scheme as a whole, what exact errors you've encountered, etc.
As far as the switch goes, the EZXS88W is nothing fancy, and there aren't any special configuration settings or the like involved with that device AFAIK. The only thing to keep in mind is that when using the uplink port on that switch, the normal/PC port directly adjacent to the uplink port becomes disabled; the two physical ports are shared internally, so the uplink and PC connections cannot both be used at the same time.
1. It's a bit unclear from your description: Do you get a proper display during the BIOS/POST phase?
2. Does the problem occur if you boot into Safe Mode?
3. If possible, connect another (known-to-be-working) monitor. Does the problem persist?
4. Change the video card.
Hello,
i have the same problem
Hi amandak,
First of all- welcome to DaniWeb :)
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your HijackThis log in that thread. The log you posted here does show signs of at least three separate infections, so you should get that thread started ASAP...
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies
Thanks for understanding.
Huh??
It's a Quantum Physics thing; don't sweat it... :mrgreen:
Keep us posted on your progress...
1. Try using the wifi adapter with no other USB devices connected and see if that makes a difference.
2. Your event logs may have some clues in them. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates or flood us with the entire logs).
To do so:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.
Good- it looks like the rpcapd service is finally gone. What a bear!
You can safely delete the rpcapd.reg file on your desktop now; it's just a safety backup of the "pre-edited" state of the HKEY_LOCAL_MACHINE\SYSTEM Registry key. If something had gone wrong with the Reg edit that you did, we could have used it to undo the edit, but since you did the edit correctly we no longer need the backup. :)
Your HJT log is clean as well, although you can fix the following "leftover" from Webroot's Spy Sweeper program:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
This is more than a bit frustrating; I've never had so much difficulty removing that service, and I don't (at least from this distance) have any idea why we can't delete it.
The one thing left to try (before re-enabling Defender) is to go into the Registry and manually delete the rpcapd entry:
* Click on the "Run..." option under your Start menu.
* Type the following command in the resulting "Open:" dialog box and then hit Enter to open the Registry Editor: regedit
* In the left-hand column of the Editor, navigate to the My Computer\HKEY_LOCAL_MACHINE\SYSTEM folder.
- First, make a backup of the SYSTEM folder:
- Right-click on the SYSTEM folder and choose "Export" from the resulting menu.
- In the Export window, name the file rpcapd.reg and save it to your desktop.
- Once the backup file is saved:
* Beneath the HKEY_LOCAL_MACHINE\SYSTEM folder you will find subfolders named ControlSet001, ControlSet002, ControlSet003, etc. (there will also be a folder named CurrentControlSet, but we aren't concerned with that one).
* Under each of the ControlSet00x folders that exists on your system there will be a subfolder named "Services", and under one or more of those ControlSet00x\Services folders will be a folder named "rpcapd".
* For every ControlSet00x\Services\rpcapd folder found, right-click on that folder, choose the "Delete" option, and then choose "Yes" at the confirmation prompt.
* Reboot the computer. The rpcapd service should not still be present …
Somewhat obvious suggestions, but worth mentioning:
1. Simply uninstalling the software for those devices and reinstalling it from scratch will often clear up the freezing/hanging problem.
2. Wireless devices often have specific instructions regarding their installation. For example, the instructions for some NICs say to disable Windows' Wireless Zero configuration utility before installing, while others will tell you to install the NIC using Windows' Found New Hardware and Wireless Zero utilities. Additionally, some devices' instructions say to install the software before connecting the device, but others instruct that you install the device before the software. Follow your particular card's instructions carefully.
Strange that the power supply should decide to die coincidentally with the move to a new location...
Strange coincidence indeed, but computers do have a pretty twisted sense of humor sometimes, don't they?
Glad the new supply did the trick; beats having to replace the mobo, I guess...
Is there a way to get the power supply to switch on in isolation, or is a signal from the mbo needed to get it to power up?
Well- yes, and... yes. Computer power supplies usually need to be connected to a load in order to fire up, so you'll need to leave the main power connector plugged into the motherboard. However, you can "jump start" the supply by shorting the Power On pin to ground manually. By doing that, you might be able to determine if the supply is putting out any juice at all (that it is, for example, at least capable of powering the fans). Details on the procedure, with a diagram of the mobo connector pinout, can be found here.
Also, is the power supply supposed to provide 12v to components, such as hard drives when it comes on?
It appears that the problem is in the power supply or the mbo.
Yes- when functioning correctly, the supply should provide +12V, -12V, +5V, -5V, and +3.3V on the mobo connector. It should provide +12 (Yellow) and +5 (Red) on the 4-pin drive connectors.
Try "hotwiring" the supply as described in the link I posted and let us know the results.
One pin of the supply cable to the motherboard has 5v and another 4.1v but the rest measure only a few mV (23.6mV to be exact).
The 5V line carries the standby voltage, which should be present whether the machine is booted or not. The 4.1V is obviously not standard/correct; did you measure that voltage under load, or not? That is, did you get that reading while the power supply cables were connected in their respective sockets, or while (all of) the power leads were disconnected?
Also- did you try booting with only the bare minimum of hardware attached/installed, and did you try the whole "process of elimination" hardware removal/replacement steps we suggested? If not, please do so; it's about the only way you'll be able to pinpoint or rule out the problematic component.
Hmm- a light bulb has just clicked on in my tiny little brain, and it's a light which probably should have clicked on many posts ago:
You are running Windows Defender, and I have a feeling that Defender may be preventing the removal of the rpcapd service. One of Defender's jobs is to prevent changes to certain Windows components, including services, but in your case it may be doing too good of a job.
Please turn off/disable Defender and then try to delete the rpcapd service again. After that, reboot the computer, run HJT again, and fix the associated "O23" entry if it is still present.
Let us know if the fix works this time.
Given that the computer was moved, something may have become unseated or loosened in the process. If so, it may not be that the power supply itself is bad, but that a connection fault is preventing the system from powering up properly. The general troubleshooting drill is this:
* Disconnect all peripheral devices (printers, USB devices, etc.) and see if removing those items has any effect on the problem.
* Open the computer's case and:
- Remove and then firmly reseat the RAM modules.
- Do the same for all PCI cards.
- Check all power and data cable connections on the motherboard and all internal devices. Make sure the cables are firmly seated into their respective connectors.
- Look for (and smell for) signs of shorted connections, heat-damaged chips, etc.
- If you have (and know how to use) a voltmeter, check the internal power cables to see if they're supplying any kind of voltage. Normal, healthy voltages you'd expect to find on the different connectors would include 12V, 5V, and 3.3V.
* If you detect no physical signs of damage and have verified that the connections/cables are OK, but the system still does not boot:
Remove/disconnect all non-critical internal components and external peripheral devices. In other words, pare the system down to: the boot drive, 1 RAM module, the video card, mouse, keyboard, and monitor. If the system boots normally with that minimal configuration, reconnect the removed components one at …
You're welcome. Does that do the trick for you?
OK, we'll be here; get back to us when you can.
Our site's auto-notification feature will alert me that you've posted, so this won't get "lost in the haze" even if it takes you a while to respond.
I cannot locate "Remote Packet Capture Protocol" or rpcapd. I have "Remote Procedure Call (RPC) Locator"; and "Remote Procedure Call (RPC)". I'm pretty sure I'm looking in the right place...
If you've found RPC and RPC Locator (which are valid Windows services), you're definitely in the right place.
There is a good chance that my original attempt to delete the actual "rpcapd" service did work, and that the related Registry entry we see in your HJT log is just a loose end. If you haven't already, run another scan with HJT, put a check in the box to the left of the O23 - Service: Remote Packet Capture Protocol... entry, and then click the "Fix checked" button.
Once the fix is completed, close HJT, reboot the computer, run a new HJT scan, and see if the entry is still present (hopefully, it won't be). Let us know the results.
Also- if you do have any questions regarding the broadband connection problems you're having, feel free to ask us if you'd like.
1. The Yumgo software is a downloadable "homepage hijack protector" program. It isn't known to be malicious, but if you didn't knowingly install it, I'd suggest uninstalling it through your Add/Remove Programs control panel. Simply "fixing" its entry in HijackThis will stop the program from running each time Windows boots, but it will not remove the software from your system.
2. My attempt at removing the rpcapd service didn't work; let's try it another way:
* Open the Services utility in your Administrative Tools control panel.
* In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.
* Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.
* Run HijackThis, put a check mark next to the following entry, and then click the "Fix checked" button:
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
* Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK; close HJT …
THINK ABOUT DISPLAYING THE TIME OF THE USER ACCORDING TO HIS TIME ZONE ALONG WITH WHAT YOU SHOW RIGHT NOW
Each user can set the displayed timestamp to that of their own time zone. To do so:
* Click on the Control Panel link that appears in the header at the top of the forum pages.
* Click on the "Edit Options" link in the "Settings and Options" sidebar on the left of the main User Control Panel page.
* Modify the Date and Time settings (found near the bottom of the page) to your liking.
(This is just my opinion, but I doubt it would be useful to display both the user's local timestamp and the forum's default timestamp.)
Do you anticipate a problem ??
Well... it did crash once before, yes?
Actually:
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
You should probably uninstall the Broadjump Client Foundation software that is mentioned in that entry of your HijackThis log. The Broadjump/Motive software is part of the broadband installation software, and since you said that the first install attempt crashed, it would be better to start the next install entirely from scratch.