Posts by gerbil

Look. I can spell. Perfectly. It's just my fingers that get confused. I dunno how that works.

"I downloaded Avast last night and ran that too,"... if it was the antivirus service, I do hope you uninstalled AVG8 first. Please do not try to run more than one AV service; non-installing scanners are okay to combine... eg online scans. Or your sys will be unpredictably cranky.
I used AVG8 for a while, decided there must be better out there and switched to Avast. things seem better, but I cannot quantify that.
Most trojans like to call out, otherewise their is not much point to them [most are written as income earning exercises, paid by advertising, ppl being fooled into paying for rubbish sware] and a good firewall will trap that behaviour. Comodo [you can install only the firewall by choice, not the whole AV/AS/FW package] but it is a very busy thing, drives some folks nuts with its checking/querying - you gotta LIKE being asked things... Kerio... maybe ZoneAlarm.. maybe. Comodo is THE best.
If a virus lifts a finger, your AV should warn you. It aint, so it's not.
Be cool.

"When you assign a drive letter to a drive. It is permanent so virtual drives cannot take over your laptop or PC or Computer or Mac or Notebook." I know what you mean, but maybe fixed is a better word than permanent, because one can change them to an unused letter via Disk Mgmnt.
But sure, the sys will not vary them arbitrarily. It is the partition [drive] signature that is permanent.
"... Surely what gerbil said......doesnt make sense. I am putting DVDs in the drive and the DVD RAM is changing to CD Drive every time." Well, it should make sense - Explorer should reflect what the drive is seeing. To the point that if you insert eg. an audio cd the drive will change to Audio CD (X:). And so forth. But your device in Explorer does not.
1. When the drive is empty is shows as DVD Drive but as soon as I put a blank DVD into it, it shows as a CD drive.
2. When I try and burn a DVD from Sonic MyDVD it says "No valid recordable device was detected". - I still say that this points to a death in the family.
"By the way, my drive can read DVDs without a problem.". Ah, I was waiting for that... and it can be so. But may not burn any more.

Couple of points.... could we see a list of your software, please? Nothing fancy, a screenshot …

Run MBAM in Safe Mode. And then hijackthis. both can be downloaded and injected via thummbdrive.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the icon and ...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe …

Why not get Process Monitor from Winternals? Start a capture session, dclick a file, and then sort through the events with the filters. The event times might be enlightening.

Not sure I agree with that drive letter order thing, Jupiter, although I have read it somewhere else.... my two DVD drives are just anywhere in the drive order list. I put them where I wanted them, one grouped with some image drives[ virtuals, if you prefer, cos I load them whenever I need them], one with a letter that suits it. Both work where they are. I also have unused drive letters waiting in the wings in the middle of the list cos not all disk space is assigned yet.
I'd hook up another drive. If the sys is happy it means the old drive is not. An online-ordered average, run of the mill drive [LG...] would be EUR20.

That is okay, claire. Vacfix.exe is a part of Smitfraudfix, which I think you have? You can delete it [SMF] when you have finished with it.
I don't have a very high opinion of Adaware right now...
Where did Spybot find the Win 32 cryptor trace, and what file name was it, please?

And there is a delete button your keyboard...
Now that might sound a bit flippant, but what software is going to know what is valuable to you, and what is not?

Check under Internet Options in IE, Security tab, to see your settings for ActiveX controls. [press the Custom Level button]. You should enable the downloading and use of signed ones.

Interesting behaviour by AVG.... let's clear your System Restore Points [that is where it is hiding, but it cannot do anything unless you use an infected restore point..]
System Restore Points Clearance:
== you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
Now see if AVG finds any more of them.
You may remove those two UAC...log files from spybot's quarantine.

Perhaps you could dl hijackthis.exe and load it into your pc? Unload the log and post it.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Btw, can Explorer [not IE] accesss the web? Just type a URL or IP addy into the address box...

Look up a bit to my lockergnome post. Do you see the lost profile in Docs & Settings?

Thank you, Justiin.
Cheers.

Hello, Claire, I take it that Gmer successfully killed that driver, C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys?
These files seem to have been missed, pretty harmless on their own, but you may as well clean up. Delete them manually. Are there any other system32\UAC*.* files?

C:\WINDOWS\system32\UACmuoeronpqfuaikt.dat
C:\WINDOWS\system32\UACuvogtblhqghkhtt.log
C:\WINDOWS\system32\UACghcwpnnatbjtxvv.log
C:\WINDOWS\system32\UACpxwwsboyebokuvf.log
mm.. I see that a couple of them were caught by Spybot.
Now clean with this feller... it's neat to keep:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
And off you go.
Cheers.

That's fine. But I would run MBAM anyway.. some consider it more efficient than Spybot.
Cheers.

That MBAM log is 2 weeks old.
If it still jams go into Safe Mode and run it from there to begin with. You can also uninstall it, rename the installer file and install, rename the run file....
Don't forget to update MBAM.

If it was just an ad server malware, and you're not getting ads anymore, then consider yourself clean. Post the MBAM log for scrutiny if you wish.
Cheers.

Ignore the minutiae of AV arguments... I use Avast [free], am very satisfied with it. Most reputable ones will do a job of protecting you, all will fail sometime on some particular virus [which, of course, you may never get..] because they just won't be ready for it. I'd try Comodo's package but... why go to the bother of changing?

You still have a hefty vundo infection there, JR.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Finally, a fresh hijackthis scan log, please.

Hello, Justin... please reastart in Safe Mode, rename MBAM.exe and run it in there with these instructions [it is updated?, if not, use SM with Networking and update there]:
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And perhaps then we shall see what the problem is. Nothing shows in that hijackthis log.

They were not all AV scanners... some were anti-malware/spyware types. But yes, I did notice the ummm... overload of them. Avast by itself should do the job; only if you find/suspect a problem should you run anti-malware scans. I almost never run a full scan for anything... if something tries to start it is then that your AV should prompt about it.
Rarely scan? nope, but I don't poke about on the web pulling dead rats from drains, either.
cheers.

Re the iexplore.exe permissions, you wrote "i think it was under System Tools - Process Explorer". Sorry? Process Explorer is a pgm from Winternals [sysinternals]. I really need to know the registry key you took the permissions from.
Was it this one - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]? All I know about permissions is that you navigate to the particular key in registry [run regedit.exe], rclick it, choose Permissions, and uncheck any Deny boxes [Deny overrides Allow].
Hope that helps.

Hello, Claire... gee, but days off go quickly....
Who needs inlaws, really? They come around, drink all your beer, get crisps crumbs under the sofa cushions.... and the blokes are even worse.
Right, we must kill the driver of that rootkit; this is it: C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
In Normal Mode, start Gmer; after the preliminary scan reject the full scan. Select the Rootkit/Malware tab and uncheck all but Services.
Scan and then highlight that driver C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
Rclick and choose Delete Service, agree.
Reboot and rerun Gmer as above, delete any other services [ie, .sys files] identified as a rootkit. Reboot.
Good. Now Update and run MBAM -it should be able to identify and clean the unprotected malware files now:
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

Heya, natasha... I took a couple of days off.

Use hijackthis to fix these entries, in Safe Mode if you will [the first 3 are benign, but orphans]

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O4 - HKLM\..\Run: [lphc3tnj0et9p] C:\WINDOWS\system32\lphc3tnj0et9p.exe

Now delete this file:C:\WINDOWS\system32\lphc3tnj0et9p.exe

This one... I don't recall Sysinternals applications renaming themselves to run...? PPYDG.exe is not a pgm I can find. I am not familiar with all their tools.. does their rootkit scanner rename itself?
O23 - Service: PPYDG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\natasha\LOCALS~1\Temp\PPYDG.exe
Tell me if you recognise it, or ran a tool of theirs.
Now, from the MBAM log, Registry Keys Created section... in registry this key- Image File Execution Options - can be used to redirect operations from the named exe to another of choice....ie it can block these exes from running. But MBAM does not show the complete value for each key it lists. I do see in there many of the usual AV and firewall executables, as well as Hijackthis.exe, regedit.exe.
Did you allow MBAM to quarantine and delete those objects upon reboot? Below are the instructions that you should follow to get MBAM to fix problems. Rerun it accordingly, please.
=ensure that it is set to update.
Select …

"1. Explorer shows my DVD drive as a CD drive"
Explorer will show you the drive type according to what disk type is currently in it, or was just in it. If you empty the drive and start a new explorer window you should see it represented correctly.
"I have tried for months but have finally given up."
It is quite possible that the drive itself gave up months before you did. I just got a brand new DVD multiwriter that would not recognise any DVD I inserted, but read /burnt cds at 100 mph [it shrieked]; I returned it and got an upgraded one which worked just fine. Stuff dies, it is a fact of life.
I have trouble understanding how a wireless usb modem could interfere with a sata or ide optical drive. Sure easy to check out, though.

Hello, claire.
Yep, as i suspected there was a rootkitinvolved in preventing MBAM and hijackthis from running. It will be simple enough to fix. But first, the GMER log also shows its source... you must get rid of the crack/keygen shown in the log before I can help you further. I don't like to be a boor, but it is site policy -we cannot be seen to be assisting people to circumvent copyright/ownership of software.
So do that.. come back clean and i can help. Anyway, with the source of the rootkit still active and present on your sys it would just reinfect you.
And I'm on a couple of days off atm.
By the way, I imagine the iexplore.exe you see running and restarting all the time is actually the real and uncorrupted M$ version of Internet Explorer [that is its .exe], it is just that the malware files hidden by the rootkit are using it to go out onto the web. So give it back its permissions.

Thinking about it, I am a little nonplussed by those instructions from the HP webpage.... I don't know why they want you to got to the system32 directory.... ntldr is not in there.
COMPACT is also in cmd.exe. Because it appears that you can start your computer you can just go Start, Run... and enter:
cmd
Then in the cmd window type these commands, entering each:
cd c:\
compact ntldr /u c:\ntldr
exit
All done. And easier.

Okay, what you need to do is uncompress ntldr.
Let's assume that Windows directory is in your C: drive, and so you have C:\Windows\ [your systemdrive], then ntldr will be in the root, C:\ [but it is hidden]
So, if using Recovery Console then you would type the commands:
cd c:\
attrib -c ntldr
exit

Otherwise, using the HP recovery interface..
1- Turn on the computer. When the initial logo screen appears, press the F10 key repeatedly until a message about starting recovery appears.
2- At the Recovery screen, click Advanced Options and then press the Alt and D keys at the same time to go to a command prompt.
Then your commands would be:
c:
cd \windows\system32
compact ntldr /u c:\ntldr
exit
Click Quit. Say how you go...
Just a note. Systemdrive... if you go start, and paste into the Run box:
%systemdrive%
explorer should open in it.. it is usually C:

Heya, natasha...
This file, c:\windows\system32\bootok.exe, is okay. It is in the dllcache, also, from which the copy came: c:\windows\system32\dllcache\bootok.exe
Event Viewer log records your deletion attempt and the replacement, it is verified M$.
You have your very own executable!!? c:\documents and settings\natasha\natasha.exe
Do this now:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"lphc3tnj0et9p"=-

Right, into Safe Mode...
=dclick fixkey.reg to run it... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
=delete this file:
c:\windows\system32\lphc3tnj0et9p.exe
Still in safe mode, rename MBAM.exe to MAMBO.exe, run it.
Rename hijackthis.exe and try to run it.
Post your results.
[56kb of GMER... too much!!]

Hello, Claire... go into Safe Mode, kill the iexplore.exe if it is running, rename MBAM.exe to MAMBO.exe, see if it will run as that. Rename hijackthis.exe also, try to run it.
If you cannot run those, then perhaps a check for rootkits is called for...
Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom righthand corner ).
-dclick Gmer.exe to start it; uncheck Sections, IAT/EAT, use remaning default settings [ensure your system drive (C: ?) is the only drive checked] just click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-click on the Copy button - this will copy the results to the clipboard. Open Notepad and paste into it.
The result - please zip it and post as an attachment via Go Advanced.

Just run and post a hijackthis log, for starters..

You're playing to a tough crowd here, cohen.

I think you may have entered a wrong command syntax? "compaq not recognizable" ... I think you typed COMPAQ.
COMPACT is the command...

C:\Documents and Settings\XXX>compact /?
Displays or alters the compression of files on NTFS partitions.

COMPACT [/C | /U] [/S[:dir]] [/A] [/I] [/F] [/Q] [filename [...]]

/C Compresses the specified files. Directories will be marked
so that files added afterward will be compressed.
/U Uncompresses the specified files. Directories will be marked
so that files added afterward will not be compressed.
/S Performs the specified operation on files in the given
directory and all subdirectories. Default "dir" is the
current directory.
/A Displays files with the hidden or system attributes. These
files are omitted by default.
/I Continues performing the specified operation even after errors
have occurred. By default, COMPACT stops when an error is
encountered.
/F Forces the compress operation on all specified files, even
those which are already compressed. Already-compressed files
are skipped by default.
/Q Reports only the most essential information.
filename Specifies a pattern, file, or directory.

Used without parameters, COMPACT displays the compression state of
the current directory and any files it contains. You may use multiple
filenames and wildcards. You must put spaces between multiple
parameters.

This is the page for selecting the correct tool, for reference:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
There is a thirdparty? tool also out there, SymNRT.
Perhaps you have already paid for N2009, and so are rightly affronted by it, but remember the excellent free AV services out there... eg Comodo.

"I have already removed the older version of Norton using the Windows "Add or Remove Programs""
-use the Norton removal tool specific to that old installation. They publish it for a reason.

You may use hal.inf for that, rclick and Install, or if you know which hal you want:
expand .....\I386\HALxxx.DL_ C:\Windows\System32\HAL.DLL
eg HALMACPI.DL_

It appears that you only have one partition on your disk... is it filling? Maybe it's time to run the defragmenter? Is any process showing as using a lot of cpu time in these freezes in Task Manager?

Mmm... that log shows no problems, but a lot of our input is your actual experience. Only if all is okay with your sys then are you clean. So? Any popups from Rogers?

I'm orright, PhilliePhan... you still eating the cheese? :))
Go the Phillie Phlyers... or... I dunno...
Yeah, re the MBAM run, I seem to have done it too, to someone's sys... it broke after a run and he has not come back.

When windows goes to the logon screen it has changed from 16bit colour to the graphics that you have set for your GPU. Obviously something is amiss in what you have set, and you are now blind. Restart in Safe Mode [it uses 16bit colour], access your graphics as before and be sensible this time. No files are lost. Good luck.

Mmm.. works okay for me. Just did a test loading of a zip file..

Get the Norton removal tool from their tech website for your old norton AV service. You may find you need to reinstall the new version.

Xp will recognise up to 4GB, 3GB in practice; 64 Xp 128GB... Here:
http://msdn.microsoft.com/en-us/library/aa366778.aspx#physical_memory_limits_windows_xp

I don't much like them being there. Being batch files they could be doing quite a lot... as I said, they are in a Temp directory so are subject to arbitrary deletion, so let's do that. Fix those 3 entries with Hijackthis, then scoot into that directory and delete iehome.bat.
CCleaner is a great lil cleaner, and would empty Temp for you anytime you like, amongst a host of other things.
Post a new log and I'll check it tommorrow,,, it is way past my bedtime right now..

I do not see an infection.... but...
Did you create these?... or at least the batchfile and the startup link?

O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
Temp is no directory for storing such files..... maybe some software installation left the reg entries, I don't know, but obviously iehome.bat still exists.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

It could be that wlnotify is having trouble with damaged accounts. Can you enter Administrator in Safe Mode? If so, create an account with another name. Try to start into that, if it works copy over your files.

When you prepare to install the new Comodo Security Service I believe it gives the option to install the firewall only. cmdagent.exe [plus the service] and cfp.exe are the firewall component of the Comodo Security Service. .
If MABAM installation still freezes, try renaming the setup file to anything else. MAMBOstup.exe, frinstance.
This has showed up:
O4 - HKLM\..\Policies\Explorer\Run: [lSU3Jomu11] C:\Documents and Settings\All Users\Application Data\uxqfgrcr\wzapevip.exe
It will start with windows... and deleting or fixing it will simply involve us with chasing our tails. It won't get a chance to start in Safe Mode; try running MBAM from there [safe mode with networking].

Rule 1. Don't have CD drives as first boot device in BIOS. If you wish to boot from a cd just set the BBS? [one-time boot device] to cd drive as and when you need it.
Setup modifies boot.ini. Show what you have... you can use Recovery Console to get it.
It all depends on what your mate did to initialise Setup... if he formatted [quick or full] then Setup will overwrite your old Windows; does Setup recognise it when you enter the RC?.
If he did not format then your old Windows should appear as an option to repair with RC. Setup would install a fresh copy alongside. We need to rewrite your boot.ini.
"thorough" and "complete" formats.... there is not really such a thing. Both quick and full formats overwrite the master file tables [and that takes mere seconds]; a full format also performs a surface scan of the partition or drive.

"It seems that demiweb does not allow zip Upload files"
Go Advanced, Manage Attachments, browse to your .zip file.

exe2bin is something dragged over into cmd.exe from the DOS era. It is limited to programs of less than 64KB. M$ gives these as the cause of that error:
Cause: The program to be converted has one of the following problems:

* The program has an origin of 0100h but a different entry point.
* The program requires segment fixups.
* The program code and data are larger than 64 KB.
* The program has more than one declared segment
* The file is not a valid .EXE-format file.
exe2bin has found your pgm from the path given, otherwise you would have received a "path not found" error.
exe2bin c:\speed.exe c:\speed.bin