gerbil 216 Industrious Poster

Please don't get your foot caught in a stirrup when you get off that high horse of yours.
"Please do not advise anyone in these forums or anywhere else to do illegal things in order to fix the problem they encountered BECAUSE they did illegal things." - We do not.
"Also, there is absolutely NO TRUTH to any statements about one anti-virus program being better in any way than any other." Utterly false statement of yours. Take time to read some reviews written after standardised tests have been run on several suites.
"Your malware problems are the fault of YOUR behavior. NOT the behavior of your security software." Not necessarily true. You should be very aware that AV bulletins are written in RESPONSE to new threats, and some AV companies issue them many times throughout the day. Not all AV detection is by behavioural analysis of processes.
Cheers. [ I do rather doubt that the threadmaker is still searching for help on this after two years...]

gerbil 216 Industrious Poster

Ahem....
***In Windows OS:
C:\Documents and Settings\XXXX>chkdsk /?
Checks a disk and displays a status report.
CHKDSK [volume[[path]filename]]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]]

volume : Specifies the drive letter (followed by a colon), mount point, or volume name.
filename : FAT/FAT32 only: Specifies the files to check for fragmentation.
/F Fixes errors on the disk.
/V On FAT/FAT32: Displays the full path and name of every file on the disk. On NTFS: Displays cleanup messages if any.
/R Locates bad sectors and recovers readable information (implies /F).

***In Recovery Console:
chkdsk [drive:] [/p] [/r]

Parameters
Used without parameters, chkdsk displays the status of the disk in the current drive.
drive: Specifies the drive that you want chkdsk to check.
/p Performs an exhaustive check even if the drive is not marked for chkdsk to run. This parameter does not make any changes to the drive.
/r Locates bad sectors and recovers readable information. Implies /p.

gerbil 216 Industrious Poster

choco, if all the sys does is restart whatever mode you choose to run Windows in from the choices menu then I am afraid that your only real option is to run a Windows Repair from an XP installation cd. During Setup ignore the first option to repair with the Recovery console, instead hit Enter and follow on to Repair your chosen OS.
When Windows will not start at all there is no other magic bullet to find and cure the actual problem.

gerbil 216 Industrious Poster

"keeps playing. "heal the world" ". Oh dear.... hippy music, I'd be bothered, too.
It is quite an infection you have there, this should clear most of it:

Could you please delete that old version of hijackthis, and:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

=Start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Take time to read what he has achieved since. His sys is okay, just some data files cannot be accessed.

gerbil 216 Industrious Poster

Hello, lieve, do you have an XP installation cd? You will need it for the Recovery Console.

gerbil 216 Industrious Poster

This, the DLL C:\windows|System 32\ rqRIaBRJ.dll is not a valid image... is the worrying bit. MoM.exe is a monitor, is all. Some legitimate files do have scrambled filenames, but that one looks suspect. Try this:
MBAM:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].
Then:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop.
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
You can get both downloads in the first place, then run them.

gerbil 216 Industrious Poster

To answer your question re the login, there is no need to login as Administrator [and you can only do that in Safe Mode..] if you are in the administrator's group. Just login as normal and try what I posted above.

gerbil 216 Industrious Poster

I am assuming that you have XP Pro. Depending upon whether simple file sharing is enabled you will see in the file or folder Properties either that sharing, or Security and Sharing tabs. If so go to the Security tab for files or folders... you will see what to do there.

gerbil 216 Industrious Poster

You must either enter your Recovery partition on your hard disk if it exists and copy over the system32/drivers/ntfs.sys file, or use a bootable cd such as an XP installation cd to copy that file from its i386 folder. Borrow one.

gerbil 216 Industrious Poster

Your files are sure to be there, just that perhaps you have lost permissions for them. Try logging on using the native Administrator account [not you as an administrator] by using CtrlAltDel at logon and seeing if you can either change their permissions, or copy them.

gerbil 216 Industrious Poster

You must either enter your Recovery partition on your hard disk if it exists and copy over the system32/drivers/ntfs.sys file, or use a bootable cd such as an XP installation cd to copy that file from the i386 folder.

gerbil 216 Industrious Poster

For a far more complete listing of startups you should use the Misc Tools section of Hijackthis. Msconfig gives you results from just a few registry keys.

gerbil 216 Industrious Poster

Get memtest86, or memtest86+ [they are pretty much the same]... the files you download will make a bootable floppy [or cd if you choose the iso]. Use the floppy to boot and check your memory. One error is failure.

gerbil 216 Industrious Poster

I was trying to help you with this post of yours "Forgot to mention that when I turn my PC on, it says "CMOS Checksum Bad" probably really important. It never said that before." I thought my reply was germane...? If you wish for further explanation, please say so. No-one means for you to go away with your problem unsolved. A slow pc is not fun.
Anyway, you must elaborate a little: "Windows Media Player to look at some game videos I had recorded and it was lagging horribly and making weird sounds." What weird sounds? Were you running these from an optical drive or a hard disk? If optical, were the weird sounds from the drive itself, or from the speakers? Check Task Manager to see if another process is stealing a lot of CPU time... say, 30, 50%...
You disconnected a monitor.... I hope the sys was off if not an HDMI connection.
"I disconnected my 22' monitor to set up an HDTV Tuner." Set up the tuner to your sys, or to the monitor?
We can guess.. but it is not a great use of time. Tell us more.

gerbil 216 Industrious Poster

I am not a tech, and have never had a drive go bad, or get errors, so have never deliberately run chkdsk. Life is not all bad, though. Not running chkdsk to experience those parameters' actions has not left me feeling unworthy. I had always wondered, though, about the difference between /p correcting errors [what errors] and /r fixing bad sectors. Although when /r fixes bad sectors it just recovers what is readable and then checks that sector as not to be used. Anyway, I am happy to go with your version, cos Michael Stevens says so.

gerbil 216 Industrious Poster

Heya, caper... :)
CHKDSK
chkdsk drive /p /r
The chkdsk command checks the specified drive and repairs or recovers the drive if the drive requires it. The command also marks any bad sectors and it recovers readable information.

You can use the following options:
/p Does an exhaustive check of the drive and corrects any errors.
/r Locates bad sectors and recovers readable information.
Note If you specify the /r option, the /p option is implied. When you specify the chkdsk command without arguments, the command checks the current drive with no options in effect.

http://support.microsoft.com/kb/314058

I love it...

gerbil 216 Industrious Poster

Not necessarily. AVG8 is fine. Response time of the service company to new threats, a highly ranked performance against a slew of test viruses, satisfaction with the user interface, the load placed on your system, other components like antispyware, process monitoring.... all these things come into the equation.

gerbil 216 Industrious Poster

If you must, use Safe Mode with Networking to dl this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
Right. Now run it in NORMAL MODE!! :
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

You have a hard disk problem.
In recovery console, the chkdsk parameters should be as follows:
chkdsk /p -corrects errors.
chkdsk /r -recovers readable info from bad sectors. /r implies /p included.
Cross your fingers. It does sound like your MBR is damaged.

gerbil 216 Industrious Poster

Possibly time to reset the CMOS chip. It obviously has a data error in it, now, hence the checksum error [the data bits don't add up to what they used to, as a check]. So note the settings, then turn off the sys and pull the battery from the mb. Then either keep it out for several minutes, or use the jumper [battery out!!].

gerbil 216 Industrious Poster

Avast by Alwil. Google for it. It is a free AV for home use, and good. Another is Comodo, a complete protection service, but you may not like the firewall unless you appreciate what it is doing for you.

gerbil 216 Industrious Poster

If the hardware is connected at startup, yes. BIOS sees and configures all hardware and passes that information to the OS. eg.. if there is even a USB thumbdrive connected it should be reported by BIOS. For hardware already connected at startup, if it is not seen [and configured] by BIOS, then it ain't there, as far as the OS is concerned... [UPnP equipment connected after startup excepted, of course].
And there is not much you can do about it, either, except suspect connections and cables, plug to the rear USB ports... Your BIOS Detect UPnP devices setting is enabled, of course?

gerbil 216 Industrious Poster

Does it happen with audio tracks on your hard disks? Or only with those played from optical drives? If the latter, go into Device Mgr and select your optical drive, > properties and uncheck Use digital audio playback.
Just something to try...
Does airforce training do that sort of thing to one? Brain washing...?

gerbil 216 Industrious Poster

A simple way to get your sys loaded is to bypass the requirement for a SATA driver. You do this by setting in BIOS the Sata configuration as IDE, not AHCI. Then the driver is not required. Here is a wiki on AHCI functionality -most folks would not notice it missing... http://en.wikipedia.org/wiki/Advanced_Host_Controller_Interface
You get a blue screen? If I miss the F6 key I get a black screen [Windows has shut down to prevent damage to your ....] Oh, well.
You can add the AHCI driver later and modify registry to use it... but most folk would lose a lot of hair trying it, maybe....

gerbil 216 Industrious Poster

Nothing shows in those logs. What is imageitencrypt used for..?
I would follow up on crunchie's recommendation to scan with an online scanner, especially after combofix found such a string of malware files. Especially.
First:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF. Repeat in other User profiles.
Then:
Panda Online Scan:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

Have you ever placed your email account into a public webpage, such as a site like this, or used it to fill out an application for something? If so it can be found by special bots which trawl webpages looking solely for email addresses [the @ gives them away...].
If you have a keylogger on board then your details are all gone.... using secure sites like Paypal is not a defence. Here is a detector... I don't know how good it is... http://dewasoft.com/privacy/kldetector.htm
If your email addy is being used, but not your bank account, I would not suspect a keylogger. Heck, if I had your em addy and bank account details, do you think I would just be an email pest? Ok, I think I am honest, but he's not...
Citibank uses a movable [and changing] keyboard picture on your desktop for you to input your password by mouse click - beats keyloggers and screen captures.

gerbil 216 Industrious Poster

It's a baddie, and it has associated files in your machine.... Malwarebytes will remove it.

gerbil 216 Industrious Poster

Ah. Right. You did that deliberately..? But has it been overwritten? If not, it is still there, and the partition can be rebuilt.
On another point, XP should certainly be installable on that machine. What happens when you try?
To amplify, on the main disk on my machine I have moved partitions, deleted some during initial setting up of it. Because it is a disk with plenty of free space still, some of those old partition [boundaries] and their files exist still, and with software I can recover them and the files if I so wish. I don't, but I can see the files, and they are good.

gerbil 216 Industrious Poster

This I do not follow. My sister has an HP, she made the recovery discs; I see that the recovery partition exists still on her machine, and is still accessible by F11. Why cannot you access it still, unless you managed to delete the recovery partition and overwrite it?
Admittedly I have almost no practice with HP lappies, but I do not know why they say to make the recovery disks as a first step on initial startup. I also don't know why they fill 4 [FOUR!!] dvds....

gerbil 216 Industrious Poster

You SHOULD uninstall DAP and use hijack this to remove all traces of it.
Nothing else is bad, there, Michael. But you use a lot of software I would not dream of employing.... google apps, yahoo search and toolbar, yahoo homepages on browser, search protection, Spybot running as a service, not as a scanner...
As far as Spybot being used as a guard.. you have Avast, and that also works as a spyware guard, not just as an AV. Keep spybot for onetime scans.

gerbil 216 Industrious Poster

And the symptoms are what, exactly... michael?

gerbil 216 Industrious Poster

K, Michelle. As long as the mouse is not actually operating anything when it wanders.... it's a wired mouse, isn't it? Clean it.. sometimes you get a bit of lag if another process is taking a lot of CPU time.

gerbil 216 Industrious Poster

Nothing shows in that log, Michelle, as being out of place. You might use Hijackthis to generate a Startup log [Misc tools, check the List minor sections box]. If you see nothing that is unwelcome in that, then try running an antispyware scan to check for hidden software. This one might do the trick:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Hello, Jess...
Uninstall these: System Search Dispatcher, Media Access Startup, Internet Saving Optimizer

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files (x86)\System Search Dispatcher\1.2.0.750\ssd.dll
O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files (x86)\Media Access Startup\1.3.0.790\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files (x86)\Internet Saving Optimizer\3.3.0.4160\NPIEAddOn.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.1.cab
Trash
You may or may not want this one.... it just steals a line in your screen:
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll

Then check in Pgm Files that folders relating to the three pgms above are deleted.
Say how you go...

gerbil 216 Industrious Poster

Hari, have you tried uninstalling [not just stopping] your firewall [if third party] and AV service, then reinstalling them?

gerbil 216 Industrious Poster

Use device manager to find the drivers you have, google them and updates may show in some of the articles. And use dev mgr to get device types, use them to google..eg, plug in your LAN type/make. You can also use the codes that look like this: PCI\VEN_1969&DEV_1048 - you don't need the last of the line that follows with &SUBSYS_... That first bit of code is the maker and the maker's device ID. [in this case it is Intel and an integrated graphics display]
Oh, and you cannot change the systemdrive letter. It is so integrated into thousands of registry entries that it is well-nigh impossible to do. Windows has recorded where it is, and that is it. Expect a blue screen immediately, or on next startup.

gerbil 216 Industrious Poster

Use environment variable setting. [control panel, system, advanced tab]. But some installers don't give any option to select where they write their temp files, don't use the environment variable - they just expect C: to be the system drive, and go there.

gerbil 216 Industrious Poster

We..ell, by partitions I actually meant drives.... eg, C:, D:... etc all on the one [or more] hard disk drives.
But if you have only one drive [C:] on your hard disk it is rarely worth upsetting the status quo to make room for others. [if there is only one drive on a disk I try not to call it a partition...].
Go with what you are doing, collecting like files into folders, and arranging those into a tree of such. Basically it's all just grouping like stuff so it is easier to find. The My Whatever folders are not always the best way to go.

gerbil 216 Industrious Poster

Ah... I see where you are. Files and folders are it, just build a good structure with different aspects well separated for easy location. I start right from the top with different partitions for say, graphics, music, accounting, and work on down from there. A database is not what you want... but if you did, there is OpenOffice. Free. With spreadsheets, word processor, presentation manager and more. It's right up there with M$ Office, and compatible with much of that.

gerbil 216 Industrious Poster

A database?

gerbil 216 Industrious Poster

A bsod can be caused by memory failures....
Simply download the correct version of memtest86 3.5 or memtest86+ 2.0.11 using another sys to load into a floppy or to burn a cd if you do not have a floppy drive... it creates a bootable medium. If using a floppy simply set your sys to boot from it - it will check your mem thoroughly in about 10 mins. A single error means failure.

gerbil 216 Industrious Poster

"O1 - Hosts: 142.29.221.23 zenwsimport" ... is okay. From my limited knowledge of the web and its workings.... and Windows... what this entry does is simply point your browser to the IP 142.29.221.23 when you enter "zenwsimport" into the address bar, alleviating the need to type www, or wondering what is the correct domain, what country code..... There is no need for a DNS search because the hosts file completes the IP [before inserting a protocol to test if none is supplied in the address, windows first checks the Hosts file for redirection entries].
I don't actually see anything wrong in the log, but another scan won't hurt.
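
A triage of HijackThis O1 (hosts file) entries such as the one quoted in the post above. This is an added example, not part of the original post and not HijackThis code; apart from the quoted entry, the sample lines, the verdict labels and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log: the first line is the entry quoted in the post,
# the rest are made-up entries (reserved .example names, TEST-NET address).
SAMPLE_LOG = """\
O1 - Hosts: 142.29.221.23 zenwsimport
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.av-vendor.example
O1 - Hosts: 203.0.113.7 www.bank.example login.bank.example
O1 - Hosts: not-an-ip broken.example
O4 - HKLM\\..\\Run: [Example] C:\\example.exe
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")


def parse_o1(log_text):
    """Yield (ip, hostname) for every O1 line; one line may carry several names."""
    for line in log_text.splitlines():
        match = O1_LINE.match(line.strip())
        if not match:
            continue  # other HijackThis sections (O2, O4, ...) are not hosts entries
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address field: skip the line
        names = match.group(2).split("#", 1)[0].split()  # drop a trailing comment
        for name in names:
            yield ip, name.lower()


def classify(ip, name):
    """Label one hosts mapping for review (labels are this example's own)."""
    if name == "localhost" and ip.is_loopback:
        return "default"    # the stock entry shipped with Windows
    if ip.is_loopback or ip.is_unspecified:
        return "sinkholed"  # name forced to this machine: blocks access to it
    if "." not in name:
        return "alias"      # single-label shortcut, like the entry in the post
    return "override"       # full domain pinned to a fixed IP, DNS is bypassed


def triage(log_text):
    """Return (hostname, ip, verdict) tuples in log order."""
    return [(name, str(ip), classify(ip, name)) for ip, name in parse_o1(log_text)]


if __name__ == "__main__":
    for name, ip, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:10} {name} -> {ip}")
```

Entries labelled "sinkholed" or "override" are the ones to check by hand: a block list or an intranet mapping is normal, while a security vendor's or bank's domain pinned to an unexpected address deserves a closer look.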

gerbil 216 Industrious Poster

Mmm... I don't use Bearshare, but another. Any chance your ISP has decided to block file sharing on the port/port range Bearshare uses? Can you change ports used...? Go into the gamer range, 10000+.

gerbil 216 Industrious Poster

For a start...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Do you have to port-forward in your router for that?

gerbil 216 Industrious Poster

lappoo, if it is still under warranty get it back to the shop.

gerbil 216 Industrious Poster

Your lass is looking capable and involved there, pj.... trust her - seems like we all are. :)

gerbil 216 Industrious Poster

That sorted things out, and revealed more.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\010112010146118114.dat
c:\program files\Common Files\yhawisedi.com
c:\program files\Common Files\tawym.scr
c:\program files\Common Files\woziwas.bin
c:\program files\Common Files\mipaxigaky.ban
c:\program files\Common Files\ykulu.bat
c:\program files\Common Files\vaqin.lib
c:\program files\Common Files\himalavid.lib
c:\program files\Common Files\comer.exe
c:\program files\Common Files\uhejata.vbs
c:\program files\Common Files\ibutixare.vbs
c:\program files\Common Files\wyjo.scr
c:\program files\Common Files\sijuv.db
c:\program files\Common Files\cijaw.dll
c:\program files\Common Files\coqeqisu._sy

Folder::
c:\documents and settings\All Users\Application Data\97999836
c:\documents and settings\All Users\Application Data\17989844

Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Run hijackthis after, and post that log ALSO with your comments, please Matty.

gerbil 216 Industrious Poster

I think you will find that the disk controller is in the hard disk package... Why? Because it alone knows where everything is on the disk surfaces. The OS just asks for things to be done[read/written].. the controller knows where it physically is or will go, not the OS.
If you did a full format during setup that would check the disk surfaces with chkdsk - and if that passes, the issue is most likely not with the hard drive. A quick format is no check at all.