Posts by gerbil

Moving to a new processor with two [synthetic two?] cores, Windows should have detected new hardware and requested new drivers? I take it that the Device Manager does not show both? Or if it does, that there are no errors shown?
numproc is only used to limit the number of processors used. By default all are used, and you do not need to add the numproc switch.

I am surprised that AVG8 has not caught this...
While you have it, use that old version of hijackthis to fix this entry:

O1 - Hosts: 194.165.4.145 eggbank.com

Now please discard that old version of hijackthis, and download : http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop.
==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox.
Check all instances of "mswsock32.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Note that mswsock.dll is a valid dll.
Then search for this file: mswsock32.dll, and delete it. It is possibly in C:\windows\system32\
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before …

EXE2BIN [drive1:][path1]input-file [[drive2:][path2]output-file]

input-file Specifies the .EXE file to be converted.
output-file Specifies the binary file to be created.
...so you might use a command like:
exe2bin D:\applications\thefile.exe D:\bin_store\thenewfile.bin
You do not need to use the drive letter if cmd prompt is in the right drive.
You don't need a path1 if cmd prompt is in the folder containing thefile.exe:
If you do not give a drive and\or path2 then thenewfile.bin will be created alongside thefile.exe.
Of course, you can call the new bin file thefile.bin also.... no clash.
So instead you might go:
cd /d D:\applications
exe2bin thefile.exe thefile.bin
And that is it.
Just mind spaces in path and file names. If the folder was My Applications then you would write:
cd /d d:\"my applications" ...or:
exe2bin D:\"my applications\thefile.exe D:\bin_store\thenewfile.bin"
exe2bin "D:\my applications\thefile.exe" D:\bin_store\thenewfile.bin
...whatever, just so the name with a space is inside quotations.

Sounds handy for rebuilding a file sys in a replacement computer, etc, Jupiter. Just network the two and go gor it.

I do not know what was on that DVD, but this is starting up with windows, and it is an unknow n file. Use Hijackthis to remove this entry:
O20 - AppInit_DLLs: ztpnoe.dll
and then search for and delete the file. It will most likely be in system32 somewhere.
Next, because it is quite unlikely that that one file is the whole of any infection...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

And turn on your Symantec Av service.

"ps. we can't install any software on our pc's." Oh? Then can you write something yourself? I don't mean with a pencil and paper... Anyway, it may be laborious, but if you can't install sware then maybe you could investigate the - tree - cmd.
Yeah... and if you think that will do then use Properties in the cmd window to... oh, heck, rclick the top blue? border of the cmd window. There you will find in Properties many options to alter the display of the cmd window to suit. And then you can screenshoot the thing, or use the Edit option to select and copy which gives you an editable listing. Go crazy.

I note that some of the dll files used by IE7 & 8 no longer require registering, simply loading suffices, therefore they no longer have register entry points, hence the above error.
You can repair ["reinstall"] IE by using the .inf file. I do not use IE unless forced to, so have not bothered with IE8. But the procedure for repairing IE8 is probably quite similar to that of IE6.
Rclick C:\WINDOWS\inf\ie.inf, [or go Start, run, and enter:
%windir%/inf -and locate ie.inf in that window....].
Check that it is the correct inf file for IE8... Properties?
... and then click Install. But you will require the IE8 files to be somewhere handy.

System32 also contains your drivers and libraries that third party applications, as well as Windows itself, use. In the main you can forget it is there. But sometimes it contains pests, too.

Ah, sorry, Coolin.. sometimes I take things for granted. Yes, it is indeed the tool you needed.

I'm sorry, I should have removed shdocvw.dll from that list [but no harm done]... because you are using Vista you should use the [manual] reset method covered in this page: http://support.microsoft.com/kb/923737/en-us

That file showing high CPu time share, being the module manager for F-Secure's Security suite means that a module is working overtime. You could check the logs to see what is happening, maybe turn off individual modules to check, and if you do discover a fault then you are faced with repairing the security suite installaion.

Email or phone works.

" Do I have to reinstall updates and service packs after the repair?"
"Maybe"
No maybe about it, you will need to dl all Windows updates again.

"So I need a 'snapshot' of all file access from when I click the 'Update' icon in AVG up to 3 or 4 seconds later when the denied access message comes up. I can't seem to get this type of 'snapshot' in Process monitor" You are kidding... or else you do not know how to use the tool. ProcMon will, if you so wish, log everything that happens from & to whenever you wish, including from as the kernal loads. And you can split out the file accesses with one click.

Process Monitor.

Right, you can ping sites but the browsers will not load them. That means that some of the dll files that explorer uses need re-registering. Other browsers may use some of those files also - they form a common library.
Try this:
Go Start / Run, enter regsvr32 urlmon.dll
-if that single change does not resolve the problem, repeat the process by running the following additional entries [paste in this complete line]:

regsvr32 Shdocvw.dll Msjava.dll Actxprxy.dll Oleaut32.dll Mshtml.dll Browseui.dll

Did you load this into the IE [any browser...] Address line?
69.147.114.224 -This is what I wanted you to load, not "yahoo.com"

And what happens if you put this into the address bar directly [it is yahoo.com]
69.147.114.224
Does http:// get immediately placed in front of it? And does Yahoo then load?
There is nothing wrong in your log. Those two orphaned no-file entries, O2 & O3, are related to Symantec.
Temporarily, to enable the following fix to proceeed...
=Windows Defender - please disable its Realtime Protection....
Open Windows Defender, click Tools, General Settings, Scroll to and uncheck Turn on real-time protection.
Click Save and close Windows Defender.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

And turn on Defender.

I do understand. Let's see if we can detect and remove your spywae/trojans.
==Please download*** Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

***MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the icon and ...

I dunno what is wrong with this site... it will not take my edit [and it's not out of time]. So:
Hello, itme.
I am going to assume that you are not in the Ukraine. So we need to fix stuff, and we can.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
You have Avast AV running, but still traces of your old Symantec AV are active. Go to their website and download the correct version of their uninstaller, run it.
Post lastly a fresh hijackthis log.

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , …

Hello, itme.
I am going to assume that you are not in the Ukraine. So we need to fix stuff, and we can.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
You have Avast AV running, but still traces of your old Symantec AV are active. Go to their website and download the correct version of their uninstaller, run it.
Post lastly a fresh hijackthis log.

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the …

"But the people from ADSL came into my house"
Right here, I am blown away....
Wow. Oh, wow.
And youtube doesn't work? Life is better n better.
Your log shows clean.
I see no Antivirus working. You once had Symantec, there are traces of it still - go to the symantec website and download the tool to completely remove your version of their AV software.
And then get another AV product, perhaps a firewall also.

Sorry, pho, I did not notice your quick reply.... okay, here is a procedure for starting the RC. Because I do not know if you have a Sata or IDE hdd [hard disk drive], but do know that you do not have a floppy drive, this may appear complicated.... but it beats other methods.
If you have a Sata hdd then AHCI most likely is enabled [don't worry what that means, it just sets your drive to use enhanced Sata features]. If AHCI is enabled we must change that because you have no simple way of loading an enhanced-mode Sata driver because there is no floppy drive [and they aint on the Windows Setup cd....].
We must do without that driver.
- Start you machine. At the first BIOS screen press Delete to enter BIOS Setup [to better read, you can freeze BIOS by pressing Pause, Enter to continue].
I do not know what BIOS you have, but somewhere in there is a Configure Sata As choice. Set it to IDE [choices may be IDE, AHCI, RAID..]. Now there is no need for an enhanced-mode Sata driver.
-Exit and Save changes. The machine will restart.
**If you have an IDE drive, start here**
As your machine starts, at the first BIOS screen press F8 [or whatever key is required to enter the BIOS Boot Selection screen.
-select to boot your machine from the cd drive, insert your cd, press Enter.
- …

Good-oh, glad you are clean. But believe me on the RECYCLER/Recycle Bin thing... they are parts of the whole. You could have deleted those S-...com files manually from RECYCLERs, and run CCleaner to clear the temp files. And it appears that I have told you how to hide files and make em undeletable by normal methods. The end of that secret.

Aw... so much... is the DSL light on? Maybe "Internet" flickering... Is the LAN light on? Try running in a command window..
ipconfig -do you see the IP addy of the Router under Default Gateway? No? Then next run...
ipconfig /release -and next.
ipconfig /renew
ipconfig /flushdns
If none of that works it could be your firewall.... not windows firewall, but a third party one.Stop it, uninstall it, try to connect. Reinstall the firewall.

The RC should still work as it is not actually replacing any files, it is merely loading a small OS.

The Recycle Bin is a composite of all RECYCLERs, and shows all the deleted files' names. But only if they are in those S- folders. You will not see any file that you dragged into a RECYCLER, you must look in that RECYCLER. Try it... drag in a text file, and then browse to it and open it with Word, or Open Office....

S-0-0-75-100020897-100014327-100022846-4120.com
.COM??!! Yep, you found a pest, there should be no .com on the end of that S- folder name. :)
Trust me, the Recycle Bin shows as RECYCLER in explorer partitions, one per partition [and if your sys is set to show it, Recycle Bin at the bottom of your folder view tree].
RECYCLERs contain maybe more than one S- folder, and the folder names are just S- numbers, but should NOT contain any VISIBLE files. So open all your RECYCLERs and delete any folders that you can [you cannot delete the one from the current day], but you can empty it. Rid your sys of those S-....com folders. Update and retry MBAM.
Nice work.
When you do a normal deletion the file is left on disk where it was and renamed, its position on disk marked as available; the new coded name plus old name are put into a RECYCLER folder; windows can then find it to restore it. But you cannot see it in that RECYCLER, normal third party software cannot either. eg photoshop, or a music player.... However the RECYCLER is just another folder, albeit a bit special. Nothing to stop you dragging files into it, and you can see those. And it is a place that can be used by malware for just that reason. Cos funnily enough, emptying the bin will not remove files you dragged into it, and looking in the Recycle Bin will not show …

If you have an OS disk, such as a Windows XP setup/installation cd, that would do fine, just go into the Recovery Console with it [RC is a mini version of XP] and do what I said. Or... if you so wish mount your other drive in the machine [as Master if IDE, Sata does not have such fusses] with the suspect one, and put a temporary XP installation onto it and use that to test your failing? drive. I did mean for you to slave your failing drive in another existing machine... but doing it this way would be just the same thing.
Mind that you can do all with just the Recovery Console on the XP cd, and it is quicker.
In RC you want chkdsk /p -if it finds errors run chkdsk /r

The recycle bin is a strange place, and emptying it does not always work. Ask Bill Gates. It [they] may show in explorer as having 0 bytes, and in properties as anything up to many MBs... even after you just emptied the bin, or used tools to do it. Unhide Protected opSys files, open Recycle Bin, delete any S-1-.... folders. The RECYCLERs [each one] should come down to about 85 bytes if you check properties.
And if I am on the wrong track still, let me know?

These entries point at the continued existence of a trojan which is using these two to redirect your connection.:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;

Please post your Malwarebytes log, plus...:
Combofix:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

Hello, pho... your error refers to a problem NTFS.sys is having. This is the driver that controls reads/writes to your NTFS disk. The problem may lie with the driver file itself or with the disk..ie a hardware failure. Solution involves using another disk [**] with an OS on it - either place one such in your machine and boot from it, or connect your failing drive into another machine as a slave. After starting the OS run CHKDSK on your failing drive. If it passes, then try to boot from it as per normal. If not, then copy in a new NTFS.sys [into windows\system32\drivers].
By disk [**] I mean either a bootable disk such as a Windows installation disk [in which case you would use the Recovery Console to run CHKDSK and copy in a new ntfs.sys], or another hard drive you snatched from another machine, or just happened to have lying around.

RECYCLER is your recycle bin... there is a bin for each partition. May I suggest that you go into explorer, tools, folder options, view, and Hide Protected OpSys files?
Next:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

Kyle, we would have strongly advised you to install ComboFix to your desktop and to run it from there....
I don't much like the look of this driver: yxksognn.sys - if you can find it, delete it.
Then go to a cmd window and run this:
c:\documents and settings\Kyle Rinkes\My Documents\Firefox Downloads\ComboFix.exe /u

Looks like your sys has been pretty well booted if you are getting the choice of which level of OS to load [Safe, Normal etc...].If you select Safe mode do you see a list of drivers loading [they scroll rapidly in B&W on your screen]?

Formatting is not the same as wiping the drive... all it does is reset the drive's MBR partition table. Well, that is the quick format. A full? format does that plus scan the disk for errors. No actual file deletion is involved, just the losing of them. One of Setup's jobs is to find old installations, and it does not need the partition table for that. Looks like it found yours, and Setup will not overwrite it if it does find one, unless you force it to by deleting and creating a new installation partition.

Oh. You do not need that registry cleaner [and there are good free ones out there..], you need the Nero General Clean Tool from here:
http://www.nero.com/enu/tools-utilities.html
It is the only way to remove Nero properly.

That code, PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&16793A72&0&20F0 would be for an Intel Pro/Wireless 2200BG? So get the driver for that from Intel's site, and browse to it to install it. Just take the latest version. Google this: Intel Pro/Wireless 2200BG driver

This key should be in place to launch explorer.exe at logon. It may be simpler for you if you just copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

...

jB, if you come on could you please remove that URL w3.av5scan.com? Folks are sure to click it to see what it is and a javascript will lock down their browser until they click that and get loaded with a problem. [Best solution if you do click something like that is to close the browser process in Task Manager...]

"source file error: C:\Documents and Settings\JIM.JIM-ADM\ntuser.dat"
This is you, Jim, in the registry, as a user. It is your HKCU reg file, the HKEY_CURRENT_USER hive.

Jim, if setting that service to Manual start worked then I should worry no more. SDFix reported an error in your registry; that is why I suggested you try another account.

You might also do this: start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {1F8A0CCA-BCC1-404C-B4D4-7AEFC6C75C86} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\Program Files\KGB\Mpk.exe
O20 - Winlogon Notify: ddcYrRjI - ddcYrRjI.dll (file missing)

Delete this file and the KGB folder: C:\Program Files\KGB\Mpk.exe

Yes.
When you install the RC at the beginning the sys is under the control of Windows Setup, and it happily recognises your cdrom. Once the RC is installed the sys is under its control, and it will not recognise removable drives [your cdrom]. It is supposed to be for security.. it is truly regrettable.
Look, go into RC and try using those SET commands I gave you... the restriction may have been removed in later disk versions...

Yeah.. it was not very thoughtful of M$ to place that restriction [for security?] in the RC.
RC will not work with removable drives [once it is the OS] without that reg change. Unfortunately you have to do it before you need to use the console.
You will have to install an OS into another partition or onto another drive and use that to copy in your file, else slave the drive and do it..

The Recovery Console has some restrictions applied by default. It will not let you acess filesin My Documents or on a removable drive ; you need to do a couple of things:
Save this as a .reg file on your desktop and run it:

Windows Registry Editor Version 5.00

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
"SetCommand"="1"

Start RC from your disk, then make these commands at the prompt:
set allowallpaths = true
set AllowRemovableMedia = true
set AllowWildCards = true
[set NoCopyPrompt = true]

And see what you can do.

looking around, it dows seem that you must keep the same make/model mb, or similar replacement from that manufacturer, igor. But then again, it does seem also that M$ makes exceptions and accepts other mbs in some cases. They make the rules, they enforce or bend them. As I said it is up to them.

Anna, perhaps you would check what I wrote in this post: http://www.daniweb.com/forums/thread162461.html
Good luck, and please come back with what you find.

jobot, if you cannot start windows in any form it comes down to making a parallel installation on another hard drive, or in a spare partition on the problem unit, or slaving the drive in a well-protected machine.
Then? Run AV/AS progrms on it... MBAM, Spyware Doctor, online scans such as:
==Pandasoftware ActiveScan using IE or Firefox from http://www.pandasecurity.com/activescan/index/ - Register by supplying an email address, and follow through... To reduce the number of detections run either CCleaner or ATF cleaner first [to remove cookies].
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
or http://www.kaspersky.com/service?chapter=161739400
==Bitdefender Online Scan using IE only: http://www.bitdefender.com/scan8/ie.html -use the Download button for the 30 Days Trial product; post the results, please.
I don't know if this is the result of an infection but if you get positive results from those scans we would love to see them.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not …