gerbil 216 Industrious Poster

MyWebSearch is not a virus, merely malware for advertising. It contains files for recreating itself when parts are deleted. I do not think there is a better tool for removing MyWebSearch than this:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Ah, ok, you are in.... I have to ask, does your network card support promiscuous mode?

gerbil 216 Industrious Poster

Not password issues. That is likely an ISP problem. But as a first step you should log in to your Verizon account and delete completely all emails after you deal with them.
A sniffer like Wireshark will enable you to see the login conversation between your sys and Verizon. Here is my login, the server holds 65 emails, 23234190 bytes total, and all have been downloaded before [c=client, s=server][naturally enough I have removed my login and password]:

DNS standard query response ptr pop.netspace.net.au
pop c: user xxxedout
pop s: +ok
pop c: pass xxxedoutalso
pop s: +ok Logged in.
pop c: stat
POP S: +OK 65 23234190
POP C: LIST
POP s: +OK 65 messages:
pop c: uidl 1
POP S: +OK 1 0000115b4a077fa9
POP C: UIDL
pop s: +ok
pop c: quit
pop s: +OK Logging out.
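
A capture like the one in the post above can be checked mechanically to see which step of the POP3 login the server rejects. This is an added example, not part of the original post; the `pop c:` / `pop s:` line format follows the post's own shorthand, and the function name, result keys and the failing session are constructed for illustration.

```python
import re

# One line of the shorthand used in the post: "pop c: <command>" or "pop s: <reply>".
LINE_RE = re.compile(r"^\s*pop\s+([cs]):\s*(.*)$", re.IGNORECASE)

# The post's session, retyped with consistent case (credentials were already masked there).
GOOD_SESSION = """\
DNS standard query response ptr pop.netspace.net.au
pop c: user xxxedout
pop s: +OK
pop c: pass xxxedoutalso
pop s: +OK Logged in.
pop c: stat
pop s: +OK 65 23234190
pop c: list
pop s: +OK 65 messages:
pop c: quit
pop s: +OK Logging out.
"""

# Constructed sample: the server accepts the user name but rejects the password.
BAD_SESSION = """\
pop s: +OK POP3 ready
pop c: user someone
pop s: +OK
pop c: pass hunter2
pop s: -ERR Authentication failed.
pop c: quit
pop s: +OK Logging out.
"""


def diagnose(transcript):
    """Walk a POP3 dialogue and report where login failed and what STAT returned."""
    result = {"authenticated": False, "failed_at": None,
              "messages": None, "octets": None, "redacted": []}
    last_cmd = None  # most recent client command still awaiting its reply
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # DNS lookups and other non-POP lines from the capture
        side, text = m.group(1).lower(), m.group(2).strip()
        if side == "c":
            verb, _, arg = text.partition(" ")
            last_cmd = verb.upper()
            # USER and PASS travel in clear text on plain POP3: mask before sharing.
            if last_cmd in ("USER", "PASS") and arg:
                text = f"{verb} <redacted>"
            result["redacted"].append(f"C: {text}")
            continue
        result["redacted"].append(f"S: {text}")
        ok = text.upper().startswith("+OK")
        if not ok and last_cmd in ("USER", "PASS") and result["failed_at"] is None:
            result["failed_at"] = last_cmd
        elif ok and last_cmd == "PASS":
            result["authenticated"] = True
        elif ok and last_cmd == "STAT":
            parts = text.split()  # "+OK <message count> <size in octets>"
            if len(parts) >= 3 and parts[1].isdigit() and parts[2].isdigit():
                result["messages"] = int(parts[1])
                result["octets"] = int(parts[2])
        last_cmd = None  # the first reply line answers the command
    return result


if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        r = diagnose(session)
        print(name, r["authenticated"], r["failed_at"], r["messages"], r["octets"])
```

The `redacted` list is the version of the dialogue that is safe to paste into a forum thread.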

gerbil 216 Industrious Poster

I once used an email client tool in conjunction with OE which automatically downloaded emails from yahoo. It increasingly gave password errors so I switched my email accounts to my ISP, reconfigured OE and it has run perfectly since.
It was a problem with Yahoo, not OE. Try creating another email account with your ISP, or deleting all mails in the ISP accounts you have. An email "folder" with a number of emails in it is simply a long file to which new emails are added serially; email separation is via the From/To and Date headers in each email. Any corruption in a single email will present as the whole folder being corrupted.

gerbil 216 Industrious Poster

Hello, oldflatop, a quick glance through those logs shows no evidence of malware currently on your system. What the DDS scan shows is an amazing number of errors in your event log for the past week!! Many of them relate to failure to load files [drivers etc] from your hdd. Can you run chkdsk? Either rclick in explorer your system drive [C:], choose Properties, Tools, Error checking > press Check now, tick both boxes...., and restart your system.
...else paste, type into a run window this:
chkdsk C: /f /r
...and agree [press y]. Say how it goes.

gerbil 216 Industrious Poster

Why are you trying to hack your own network? If you have set 128bit encryption I wish Cain lotsa luck. Simply plug in with a LAN cable, then via the router GUI either...
- un-hide the access point, let all your wireless equipment discover it, then re-hide it. And maybe check the authenticated stations list to see if your wireless was hacked while you were doing it.
- else enter somewhere the MACs you wish to have access.

gerbil 216 Industrious Poster

Reinstalling OE is fairly straightforward. [To uninstall you just uncheck it in CP > Add/Remove Windows Components and perhaps delete a few of its .exe files [not the .dlls, another client might need them!], but there is no point in your doing that].
Reinstalling: First clear all the mailboxes - save the emails you want, then go to the OE folder in your Docs n Sets folder and copy the .dbx files to a data store. Delete the originals. Then:
Part 1: msoe50.inf
-Open an Explorer window, search for msoe50.inf -the default location for this file is in the C:\Windows\Inf folder [show hidden files and folders].
-Right click the Msoe50.inf file, and then click Install.
-Insert your Windows XP SP2 CD-ROM when prompted and on it locate the I386 folder, click Open, and then click OK.
Outlook Express files have installed and registered.

Part 2. wab50.inf
-search for wab50.inf -the default location for this file is in the C:\Windows\Inf folder.
-Right-click the Wab50.inf file, and then click Install.
-In the I386 folder on the CD-ROM click Open, and then click OK.
Outlook Express address book has installed.

Outlook Express is now reinstalled. Start it to test its functionality. Recreate your identities. You can copy back in the old .dbx files at any time if you wish to use them [just inbox.dbx and any other special files.. ie mail folders...you created].
A note: if you delete any .dbx …

gerbil 216 Industrious Poster

If you google "IE8 Outlook" you see a slew of complaints. Main solution seems to be to uninstall IE8, which is somewhat a problem if you have W7. M$ have a page on uninstallation, search "remove IE8".
The plaints seem to end around mid 2009... is your sys up to date?

gerbil 216 Industrious Poster

Never!!
Anyway, your original error message, celine, was about a corruption of one of your registry hives. You can actually recover from that problem, usually with little loss. Next time, eh?
May I suggest a very good registry backup tool? Far better and more comprehensive than Sys Restore, free, and automatic. Get ERDNT. Set it to save the last seven days reg hives in your C: root [C:\]. The readme explains all.
To enlighten, this is the content of the shortcut that I have placed in C:\Docs n Sets\Me\Start Menu\Programs\Startup :
"E:\Program Files\ERUNT\AUTOBACK.EXE" C:\ERDNT\#Date# /noconfirmdelete /days:7
E:\ is the drive where my pgms are..., C:\ERDNT is where the backups are written.
To create such a shortcut you rclick on autoback.exe, choose Create shortcut. Next open the shortcut's properties and modify the target line, perhaps to what I have shown above. Then drag the shortcut file to the Startup folder I have indicated above.
And that's it.

gerbil 216 Industrious Poster

In FF, you might want to check this setting: Go Tools, Options, Advanced tab. In Connection Settings click the radio button for either No Proxy or Use System Proxy, Ok, Ok. [System Proxy is alright to use because then FF will adopt the proxy settings that are in force for IE, and your IE is working...]
You say Windows firewall is Off? Turn it on if you do not have another firewall application. One thing the Windows Firewall will NOT do, and that is stop anything going out...

gerbil 216 Industrious Poster

Either way is fine. If you allocate 40GB during Setup for C: and leave the rest as Unallocated you can change this later. Use Partition Wizard [free]. http://www.partitionwizard.com
With that pgm you can make C: larger, smaller [if it is not full], create new partitions in the Unallocated space....

gerbil 216 Industrious Poster

You actually read the manual??!! Must be a woman..... must be.

gerbil 216 Industrious Poster

I value your opinion on that, caper, so I can't see myself throwing away a good XP licence. Bill has a problem. Realistically, though, considering the extent of most peoples' use of a computer M$ should not expect to continually sell new, more powerful platforms; always some will be quite happy with what they have. Just as it is in the nature of others to over-extend by creeping specification.

gerbil 216 Industrious Poster

Server 2003 has RIS, XP does not. 14 computers. Are they identical? You could create the installation you want, precisely, and then clone it onto the other systems. But that requires plugging in a hdd to each machine sequentially... the software is free. But you MUST change the security identifier of each system before you hook them up to the network. And validate each, of course. You could lose half a day doing it to all of them. Acronis will do it over your network IF your machines are all PXE bootable [cost is USD20?]
Read this: http://help.lockergnome.com/general/Computer-Security-Identifier-Disk-Cloning--ftopict38998.html

gerbil 216 Industrious Poster

Give me a play to keep my hand in, Member. First, to see where we stand...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].
Then...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then...
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

XP-SP3. I use it, it does everything that I require of it. Now in that I do not see a reason for change. Security? I just don't get hit, but then, I don't trawl the darker corners of the web. Change to Vista? Not going to happen. W7? Why?

count6 commented: I'm glad there is at least one like minded person out there that I agree with! Thank you...I couldn't have said it better!! +0
JimmyDVega commented: Damn Straight +0

gerbil 216 Industrious Poster

seagate barracuda 7200 - SATA HDD 250GB : it is SATA, so no need to be concerned with Master, slave, primary... just plug it into your SATA-1 socket and BIOS will automatically enter it as the number one boot device.
Go with NTFS.
If you wish to make another partition for an extra OS it is simplest to make space for it at Setup, but any free partition manager will shrink your C: drive and make space for it later.

gerbil 216 Industrious Poster

I was just slightly concerned about the presence of this activeX control : {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
Normally, akamai is benign, but that dll can be related to it.
I would remove Viewpoint, although once again I have no issue with it. Unwanted ActiveX add-ons can be removed via IE, Manage Add-ons.
I see that you once used Symantec AV. You should run their removal tool to uninstall all traces of it : http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Remove this service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
- check first that the file really is missing [it is required to repair/reinstall Office]. Anyway....
- to do it, go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service Startup type to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
Use hijackthis to remove this null entry:
O2 - BHO: IEGBH0 - {9F3209E2-334B-41E9-B09C-703F398742E7} - no file || it is from TM.

A better scan than Adaware might be...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, …

gerbil 216 Industrious Poster

You have some malware which is causing this. May I suggest first doing this...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].
And next...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then...
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

...from crashed disks. That I gotta see. Anyway, the free trial may be worth it for some. Nice, casual appearing advert you wrote, though.... it's almost like you don't care. :)

gerbil 216 Industrious Poster

Search your sys drive for win32extension.dll

gerbil 216 Industrious Poster

I must be honest here - I don't, either.

gerbil 216 Industrious Poster

Info on your system might be handy.... but it appears that you are going to have to use Recovery Console from your installation cd to check your hdd for errors. Insert the cd and boot from it, choose R to repair your OS... then when in, run
chkdsk /r

gerbil 216 Industrious Poster

Yep, not a problem, I was just interested in those extra green immovables.
Cheers.

gerbil 216 Industrious Poster

Task Manager's Performance tab. Urk. The figure at the foot of the PF Usage chart is in MB, other figures are in KB, and the conversion factor is 1024.
PF Usage is a misnomer in Task Manager : the figure at the foot of the Page File Usage graphical monitor is the Commit Charge, which is actually the sum of RAM in use + Page File in use.
Commit Charge [KB] = current total memory usage [of both RAM + PF][KB]. It is just the amount of virtual memory the OS has committed to the running programs.
Limit CC = Most of installed RAM + Page File size. Most of RAM? XP always keeps a variable amount of RAM in reserve. If you disable your page file you will see that CC Limit is less than Total Phys MEM [RAM] by about 50KB or so, the reserve. This rises rapidly as you have more processes running, probably because the OS calculates that there is a bigger chance of an emergency memory call occurring.
At bottom of TM you see that PF Usage number repeated as Commit Charge [Total]. The second figure there is Commit Charge Limit, now in MB ...[x 1024 to get KB].
"620/964". You can see that you are using a lot of your Page File. Of course, XP is not going to be using all of your RAM before it switches some allocations over to the page file. How much of your …

gerbil 216 Industrious Poster

Nice enough, SSSD. You can see straight away that you have some fragmenting of rarely modified files still. I wonder why it did not fix those...? Only a few, though.
Would have been nice to have seen the "before" SMARTplacement.

gerbil 216 Industrious Poster

For some, this works: Go into Explorer > Tools > folder options > View tab, and elect to show protected operating system files. Search for your desktop.htt and delete it; restart your computer.
If that does not work, then modify this key as shown:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components
Change the value of DeskHtmlVersion to zero instead of decimal 272.
If you are uncomfortable about entering the registry because of all the hoodoo stories...
Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it instead opens in notepad then rclick the icon [file], choose Open with, Registry editor.... or Merge.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components]
"DeskHtmlVersion"=dword:00000000

gerbil 216 Industrious Poster

Hello, matt. Your search for desktop.htt will not work if you do not go into Explorer > Tools > folder options > View tab, and elect to show protected operating system files.
What was the result of doing this : "The regedit I gave to the OP in the first case [and then removed] seems to work in all cases:-
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components
Change the value of DeskHtmlVersion to zero instead of decimal 272.
Cheers."?

gerbil 216 Industrious Poster

Post back with pics of before and after using PerfectDisk if you will, SSSD. I'd like to see the effect, and what a couple of those green blocks actually are.

gerbil 216 Industrious Poster

Bloatware. List it. Some companies, like HP, install their own versions of drivers, services. You remove it and discover it was valid, necessary too, even though perhaps bloated with unwanted options and company branding. You possibly removed something that the chipset required.
For some it pays to buy a naked sys and a copy of the M$ bloatware [Windows].

gerbil 216 Industrious Poster

The large green immovable block is your page file. Have you set it as dynamic, or fixed? If dynamic you may find other blocks being created here n there.
The white spaces everywhere are not a problem. Files that are modified often will be kept away from files that are not.
The other green blocks - I don't know how many files you have but it may be that your originally allocated Master File Table and reserve is full, and the system has assumed extra space for it.

Why not get this free trial to play with?
http://www.perfectdisk.com/products/home-perfectdisk11-home-premium/key-features
It will analyse your disk and show you what the blocks are in some detail.

gerbil 216 Industrious Poster

The more intensely you defrag a partition ie go past just removing fragments and into over-consolidating your files, the sooner your files will fragment again. Windows has spread out the files on my C: drive [only the OS in there] with lots of spaces, so it doesn't fragment them too much, I find. Every time your sys reads and writes back a file it is going to fragment if it is a part of one consolidated chunk.

gerbil 216 Industrious Poster

This will delete them:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Browse to the file, rclick it, choose Unlocker, remove any hooks...[ If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done. It is recommended to Unlock wisely and to close open processes locking files or folder if any, but if only Explorer.exe is the culprit, do not hesitate!]
...choose Delete, and delete it.
And with them gone, that should do it. For peace of mind, run MBAM as I mentioned.

gerbil 216 Industrious Poster

http://support.microsoft.com/kb/555223 - to clarify terms.
http://www.petri.co.il/pagefile_optimization.htm - how to set your Page File. Also buried in here is a cute lil tool by Bill James which monitors your page file usage, showing min and peak use during a session. You have 2GB of RAM, may I suggest you set a min size of 500MB, max of 1500MB for your Page File?

gerbil 216 Industrious Poster

Couple of problems show there:
O4 - HKLM\..\Run: [Dgejay] rundll32.exe "C:\WINDOWS\oricejalafoqipof.dll",Startup
O4 - HKCU\..\Run: [Fvizikunodij] rundll32.exe "C:\WINDOWS\kbczit.dll",Startup
fix them with Hijackthis, and delete the files if you can find them.
I'd reinstall MSoffice, McAfee obv could not repair it.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

I don't believe that BIOS would need upgrading [flashing] just to cope with W7. More so, it probably lies with it correctly recognising your hdd with W7 on it. You could try switching your disk controller to IDE mode instead of AHCI in BIOS. There is opinion that W7 can in some cases cause problems with AHCI.

gerbil 216 Industrious Poster

Ah, so there is another difference. I really do not know how those O20 changes occurred between hijackthis versions. But anyway, your last log shows everything as fine, as it should be for SP3.
I cannot help further on the slow sys problem, except to suggest uninstalling [not just turning off] your AV and testing. Disconnect from the net while you do.

gerbil 216 Industrious Poster

Now why didn't you use that link I gave you? Your hijackthis is way out of date, and so does not show all information the newer version collects.
Anyway.... the problem lies here :
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
You have SP3. The Winlogon key for SP3 is supposed to start dimsntfy.dll [a vital part] of the logon process, and that file is missing. Your Winlogon key is also set to start WgaLogon.dll, and it should not be so [that M$ check of your genuine? software is gone from SP3].
So search for a copy of dimsntfy.dll in your sys - it should be in ServicePackFiles or SoftwareDistribution and copy it into system32.
Next you might delete that Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll registry entry by placing a checkmark against...
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll... and pressing Fix Checked.
I am sure about the first part, not so sure about the second... it won't do any harm if you leave that there. It aint in my SP3, either that registry entry OR the file, Wgalogon.dll.
Something is strange about your SP3 update....
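
The manual reading of HijackThis logs in the posts above (the O4 Run entries that start rundll32.exe on a DLL, and the O2/O20 entries marked "file missing" or "no file") can be sketched as a small triage script. This is an added example, not code from the original posts or from HijackThis; the two rules and all names in it are assumptions chosen for illustration, and the sample log is assembled from lines quoted on this page plus constructed benign lines.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    group: str   # HijackThis section id, e.g. "O4"
    reason: str  # which rule fired
    line: str    # the log line as written


# "O4 - <body>": section id, dash, rest of the entry.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# rundll32 followed by an optionally quoted DLL path and ",<export>".
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)
# Entry whose target file no longer exists on disk.
MISSING_RE = re.compile(r"\(file missing\)\s*$|-\s*\(?no file\)?\s*$", re.IGNORECASE)
# DLL sitting directly in the Windows directory, not in a subfolder such as system32.
WINDIR_RE = re.compile(r"^(?:[a-z]:\\windows|%systemroot%|%windir%)\\[^\\]+$", re.IGNORECASE)

# Sample log: entries quoted on this page, plus constructed context and benign lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: IEGBH0 - {9F3209E2-334B-41E9-B09C-703F398742E7} - no file
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dgejay] rundll32.exe "C:\WINDOWS\oricejalafoqipof.dll",Startup
O4 - HKCU\..\Run: [Fvizikunodij] rundll32.exe "C:\WINDOWS\kbczit.dll",Startup
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def triage(log_text):
    """Return the O2/O4/O20 entries that deserve a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        group, body = m.groups()
        if group not in ("O2", "O4", "O20"):
            continue
        # Rule 1 (assumption): a registered entry pointing at a file that is gone.
        if MISSING_RE.search(body):
            findings.append(Finding(group, "missing-file", line))
        # Rule 2 (assumption): an autorun that uses rundll32 to load a DLL
        # placed directly in the Windows directory.
        rd = RUNDLL_RE.search(body)
        if group == "O4" and rd and WINDIR_RE.match(rd.group(1).strip()):
            findings.append(Finding(group, "rundll32-windir-dll", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.group:<4}{f.reason:<22}{f.line}")
```

A flagged line is a prompt to look at the file and the registry entry, not a verdict; the rules only pick out the patterns discussed in these posts.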

gerbil 216 Industrious Poster

Umm.... your BIOS checked its DMI pool data [info it has collected about your system hardware, and which is stored in a table in CMOS], found it had to update your AMD K8 processor data [normal procedure for AMD] and then failed - either hung during that updating or the next bit which is accessing your hdd [BIOS sends that info to Windows if you set it to do so]. So either BIOS is a bit corrupt, or it does not like some BIOS settings relating to your new hdd ie its configuration in BIOS.
What to do..? Clear BIOS, check the new hdd is detected properly [read the info about it in BIOS], change the hdd physical configuration/order....
Of course, I may be talking through my hat.

gerbil 216 Industrious Poster

If they provided a restore partition then I bet they did not provide a cd. And if he had it, he would not be asking about recovering the deleted partition. Likely enough.
And robert, welcome to the world of email bots. Viagra ads are on their way.

gerbil 216 Industrious Poster

Fooling around with ProcMon and Msconfig I find that the only key that is queried for boot.ini is HKLM\Software\Microsoft\Shared Tools\Msconfig. The query is for a subkey, boot.ini. In my machine it does not exist. And I have the tab. [0.1msecs later the actual file itself is opened and read for Msconfig.exe].
Further, I note that if I uncheck a startup item a subkey is created for it under Msconfig\Startupreg; I check it again and the subkey is removed. So. Perhaps check the above path for Msconfig\boot.ini. If it exists, save the key and then delete the boot.ini subkey.

gerbil 216 Industrious Poster

How long ago? If it has not been overwritten, there are plenty of tools which will recover the deleted partition. One is Partition Wizard 5.0 [get the bootable cd iso using another computer, burn a cd, use it to boot your own sys and then scan the disk].
Another is Testdisk... you could dl it to and run it from a flashdrive. Easy.
Both tools are free. Google for them.

gerbil 216 Industrious Poster

That would be VirtualBox? I shall read up on its capabilities. Thank you.
http://www.virtualbox.org/manual/ch01.html#id2611614

gerbil 216 Industrious Poster

"running Windows XP inside of Windows Vista"... I'd not thought of that. I probably won't get around to trying it cos I loathe Vista. Will XP run inside XP? Okay, that question seems rather silly on the face of it... but with Virtual software?

gerbil 216 Industrious Poster

Mmm... possibly something wrong with permissions on that file.. check them. Else go into RC with your cd and run..
bootcfg /default
-it will rewrite the file, and perhaps set permissions correctly.
Else use bootcfg /rebuild
http://support.microsoft.com/kb/291980

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

nyamo, you should be able to delete any file belonging to the other installation... to the running OS they are just any old file or folder. Delete Windows\ and Docs and Setts\ [you might wish to copy stuff out of the unwanted folders first].

gerbil 216 Industrious Poster

Every boot? That means she loses all emails, anything she's downloaded and saved, AV updates.... You need to create another partition for data, move the email files there, place her downloads folder there.... They would be untouched upon recloning, and likely uninfected by anything if the AV is up to scratch.
Thesisters have the solution. I don't use sandboxes [Sandboxie is one], so I don't know their possibilities. You can drag emails, files etc out of the sandbox if they are safe and you wish to keep them. Sandboxie would work for you.

gerbil 216 Industrious Poster

You're quite welcome, Dilwar.

gerbil 216 Industrious Poster

Ah, not services, but under the startup tab. Okay, recheck them in msconfig. Then run Hijackthis again, press Scan, and search for them under O2 and O4 and possibly O20 [they may appear multiple times]. Check them, press Fix checked.
The actual files would once have been in system32, but are now not there, hence the initial error messages you posted about.