Posts by gerbil

And because you saw this msg :
"No boot sector on hard disk - No bootable devices - press F1 to retry, F2 to go to options" - you were not actually booting from the cd. DBAN obviously wiped the disk but left the MBR intact, so the code from that has been loaded, but then it cannot locate the boot sector on the hdd... cos you wiped it. Anyway.. that is wot it is telling you. Reset your boot order using the F8 key at startup [F2?, or whatever key combo BIOS tells you to use] to set your cd as first boot device.

You have rundll32.exe in the wrong location. Please move it to C:\Windows\system32.
Then to do a quick check on rundll32.exe's functionality, rclick on your time in the task bar, select Adjust Date n Time. If that opens to show the clockface, then close it immediately - it means rundll32.exe is working. If you get the same error msg then please say so.

Thinking more on what you said and playing a little with files and saving, I am not at all sure how you got that double extension .reg.txt, or that Win32 message. It may have come about because of the way you have set things with the assoc command, and I am not at all keen to emulate that on my machine. So if you cannot run the fixkey.reg file by rclicking it, choosing Open With... and Registry Editor, then because I see you told jim laver that you had the cmd prompt available in normal mode you could enter these commands:
Go Start, Run, and enter cmd
Then in the command window enter:
assoc .exe exefile
assoc .cmd cmdfile

-and see how that helps.

Rayo, slow down, take a deep breath... then read the instructions I gave you in post #14, and follow them to the letter.
"fixkey.reg.txt" is NOT how that text should be saved, you MUST save it as "fixkey.reg".ie it MUST be a .reg file. See the bit about "all files"? When you use "Save as" you have the option of using the suggested file extension [in this case it is .txt because you are using notepad] or choosing from a list [in this case the only other option is "all files", meaning that the extension you set in "File name" will be the actual extension].
Another point, make sure there is a blank line after the last line of code in the notepad .
So re-read my instructions, follow them, and your sys should be okay. Actually you could simply rename the file you have already saved as fixkey.reg.txt to fixkey.reg, and then rclick it, and so on.
The advice you got from that other person was a wrong turn..:).

And that is not a usage for ping cmd. You can do this:
ping yahoo.com
or:
ping login.yahoo.com
But you cannot use it to enter email addresses or passwords ie, you cannot use ping to submit parameters to the target.

Rayo, you totally mistook what I was posting to you... By this: [key is an export from my machine] I meant that the key in the code box was a copy of that particular key from my machine, which is correct and working! Naturally, typing [key is an export from my machine] into the Run window would not work! I shall rewrite my post for clarification, and include a fix for another error you made that I query below.

Are you saying that this is what you actually did when the problem first appeared?:
"okay like the last thing i remember before my laptop got ruined was this
open cmd prompt
type: assoc .exe=.txt
press enter
type:assoc .cmd=.txt
press enter
...etc"

Why would you asscociate a file with a .exe extension with a file-type .txt [which is not a real file-type, by the way]?
Basically you are telling your sys to open .exe files with an application group called .txt, which I bet does not exist. Anywhere.
And.... you are telling your sys to open .cmd files with the same application.
A real association might look like:
assoc .rar WINRAR
So ..
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

If you deleted.. Program Files\Java\jre 1.6....\bin\java.exe
...then you still have another java.exe on board. [Some trojans or other malware also use the name java.exe].
You will have a java.exe [legitimate] running from Windows\system32\... let's get the lil tinker..
In system32 delete:
javacpl.cpl
java.exe
javaw.exe
javaws.exe

Hi. For the moment I will just assume that it is a problem only with an exe file link. Run this [key is an export from my machine]:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

Modification for your situation: you can copy that file to a floppy or thumbdrive and run it from there....

XP just works. Does everything I need, as I need it done, and like it done.
Sorta.

Use hijackthis to fix this entry:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Interestingly, I do not see your Java listed as a BHO [which it is] ....? Or as a button or tools item [but you may have disabled those].
What version do you have? Go CP > Java > General, About... 1.6.0.7 is current.
Nothing shows as bad in that log.

You possibly have a dodgy bit of script calling it, instead of regsvr32.exe. Possibly you should be pleased about that. If MBAM does not find it post a hijackthis log.

Hi... a few points:
Visit the Symantec website for the removal tool for the version of their AV that you used before adopting Lenovo's solution.
Your Java is not updated.
Use hijackthis to remove this entry:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

No problems are evident on your log.
Have you used another VPN before attempting to install Cisco's?
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_22964707.htm
-scroll to bottom of page.

I guess you can only hope that there is some corrosion or whatever around tha ribbon connector on the mb. Try cleaning with a soft brush. You have reinstalled so it is not a driver issue. Flash the BIOS?
Sorry, not much help to offer.

Just an addendum.... when I created the partitions on that new drive I used drive letters higher than my CD/DVD and two drive images... I tried at least 3 times to start windows, but explorer would not work fully. I had my desktop, but the links would not work, explorer.exe was in TM as a process. What is a bit intriguing is that by using TM I could start a second instance of explorer, something which is not normally allowed [if in a running windows you try to start a second explorer shell a check is made to see if it is already running, if so then the second shell creation is dumped]. So although in the session where I created those partitions I could use them, in subsequent restart attempts explorer would not run properly.
I used PartedMagic to delete those partitions, and then to create a new one [drive letters are a Windows thing, Linux doesn't let you assign them]. Restarted the sys to Windows XP and it was/is fine.... XP assigned to it a spare drive letter lower than those of my CD/DVD & drive images, and seems satisfied. Okay, I know this is just a test sample of one, and is not exactly your problem, but I wanted to illustrate how Windows can fail if removable drives have lower letters assigned than hdd partitions. By lower I mean closer to A.
Does anyone know the reason?

Ah, thank you, Crunchie.. it was late, and when it was not at that first site I checked, I searched for fixwareout, and was lazy.... Amazing the difference a space makes. Fix Wareout finds it.

Hello, B_G, this message is caused by a pgm trying to access incorrect memory addresses, a pretty obvious thing in your case where it tries for 0x00000000. Bad programming is often found in malware, so may I assume that you have been infected by something which cannot even run properly? Unless its aim is just to break explorer [taskbar is part of explorer].
But explorer is just the GUI, and you can work without it.
Is Task manager working? [ctrl-alt-del, usually...]. If so, go to TM, File, New Task, and paste or type in:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

==Download that file to your desktop.
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
If that log file does not open, or you lose it, just type C:\Combofix.txt into that same Run window in TM.
Next: Run this:
http://www.majorgeeks.com/download5554.html
-copy that download to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer …

Sorry, I just assumed it, and forgot to ask: which drive contains your OS? I was thinking that you might have it on hdd lettered higher than a removable drive, in which case Windows can have trouble with it. It likes to be on drive letters lower than any removable, or removable disk, drive except for floppy drives which it expects to find at A:, B:.
Further, it does seem to prefer ANY hdd partitions to be lettered lower then removable drives. Just for fun I tested that last night by plugging in another, fresh Sata drive and formatting a partition onto it lettered higher than my cd/dvd drive; all was fine and usable until I tried a restart... windows took forever to load, and I just forced a shutdown in the end.
If your OS is on that removable drive C: then who knows how windows would behave? I have not seen an explanation for this behaviour... so I tend to think of it as a bug. It does not always behave badly when the OS is on a higher lettered drive than a removable. It does not seem concerned by drive images.
Anyone else got some enlightenment?

Is it the crashed flying saucer that bothers you, or the M$ fine possibility for being a foreign monopolist hegemonist capitalist? For a country that pays scant lip service to international patent law, that is a bit rich.. So you wish to sell modified software there?.. they will welcome you like a lost cousin.... they are masters of "redesign".

Crunchie, is Lonny's Fixwareout toast, now?
Could not find it over at bleeping crowd.

Oh, nice.
Cheers.

jado, after seeing that lot, I still have some curiosity left. Would you take the time to run this extra scan as another set of eyes? First clean...
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF. Repeat in other User profiles.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

Would you mind listing all the drives of any sort [including your hdd partitions] that you have along with their drive letters, please? Include cd/dvd, zip...

ng... could I ask you about that domain name, asia.tel.com - it does not appear to be registered. Is that really your ISP?
Apart from that, you have a couple of trojans active there.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O16 - DPF: {3195CF7C-E9E2-49B2-8B61-14F285298E1C} (Access Client web loader) - https://220.227.210.101/wa/AccessClientLoader.cab

Search for and delete these files:
C:\WINDOWS\TEMP\UTE6CA.EXE
C:\WINDOWS\system32\drivers\svchost.exe

Okay, please run HT again and repost.

.

Confused? Who? Me?
[an I know the coyote doesn assoc with Bugs...]

:)... isn't your point 4. loading the command.com DOS environment?
It is not the same as the cmd.exe application. And if you do not like black, then...

Hello, g, and welcome... could you repost that lot in a new thread, please - it saves confusion, because solutions are rarely identical.

Your HalfLife 2 is DVD... and it sounds like your drive does not accept dvd's. Can be an age thing, if it originally was meant to.

The only way you will be able to "save" pgms from your old 160 if you boot with the 500 is if you have the installer files.... but you can get all your data.
The 7B error comes because driver files on the 160 are incompatible with your new hardware.. but a Windows Repair via Setup [you choose the "To set up Windows XP now, Press ENTER" option ...] should be possible.
Your BIOS is set so that it looks to the drive in Sata-0 for the system files. First unplug the 500, plug the 160 into Sata-0, and boot from your CD [F8 key?]. When the files are installed your sys should boot from the hd on its restart [the sys does an automatic restart, and boot.ini is modified so that it will boot from the hd, but it does put up that Press any key to boot from CD msg - do not touch anything...].
[okay, I'm typing Sata-0 to your sata-1]. You do not need the key.

I could point out that if you can use the Administrator account to log in [because you did not password it also...] then to save coming back to this website from safe mode, just copy the post above as a txt file onto a floppy and copy/paste the URLs from that... should work.
And if you do not have an administrator account without a password... then most likely you can't do any of that. I don't want to suggest that you slave that drive into another sys cos you might infect that one also.. but do you have a spare hard drive lying around that you could temporarily load an OS onto [disconnect your main, infected drive first; use a drive letter that is NOT on your old drive, and no need to register the OS with microsoft], than add the infected drive and instead of those things above do this scan:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

A few ideas, darkfly.. so let's play, see just what we can do without the keyboard.
I assume you have at least one account without a password, like the Administrator? If you are able, restart your sys in Safe Mode with Networking.
Go Start, and paste this into the Run window:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...and this is what you do with that download:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Still in Safe Mode, paste this into the Run window:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also …

Hello, jado, this should help:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: 750623 helper - {3CCCCEF1-D6D1-4BD0-84D3-BA6E364E7DCD} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - (no file)
O3 - Toolbar: (no name) - {65742936-8079-408B-9F3C-874B78030A72} - (no file)
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Search for and delete this file:
C:\WINDOWS\system32\drivers\svchost.exe

There are traces of a couple of trojans being there once. Just to satisfy my curiosity would you please run this tool:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start …

Hello, cap.. re the MBAM scan log, it was this that concerned me in all the detections:
eg: C:\WINDOWS\system32\iifGwxuS.dll (Trojan.Vundo.H) -> "No action taken."!!!
I wanted to see "Quarantined and deleted successfully.". Hence, in my abbreviated instruction set [because you had already used the pgm] I included this:
Make sure that everything is checked, and click Remove Selected. !!!
As I pointed out, some things disappeared but some which I expected to be removed, were not.

Right, to clean up: start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O20 - AppInit_DLLs: wlvhhh.dll
O24 - Desktop Component 0: Privacy Protection - (no file)

Go Start, and paste this into the run window:
C:\Documents and Settings\hp\Desktop\ComboFix /u

Search for and delete this file:
C:\Windows\system32\wlvhhh.dll

Go to the Symantec site and dl the correct tool for removing the version you had of Symantec AV.
Should be it.

Boot menu F key varies....

Sigh... so I missed one lil word....:( You'd be amazed at how silly I can be sometimes.
Yeah, washing a lappy keyboard may well hose it.

Won't hurt the keyboard, dortz. Only the contacts are exposed, the rest is sealed with lacquer or sandwiched in plastic layers. If he has a cheap one the whole thing is a sandwich with no contacts exposed, and washing won't fix it.
Cripes, if he pulled it apart and wiped the contacts with a damp cloth.. what would be the difference? Except that it would do the better job... just comes with a chance of scattering the keys... :)

Beeps come from the system speaker, and are quite distinct.

Nice load you are carrying there, cap. Now do this re MBAM [perhaps you already did this step, because some of the reported items should show in the HJT log, and do not, some should have been caught, and were not...; anyway, if you did, skip this step]:
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Next:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
And finally, produce a fresh hijackthis scan log, please.

Maybe the cat weeed on it while you weren't watching. Swirl it in very warm water with dishwashing detergent, rinse well with clean water, shake and let dry.
The multiple characters come because all "switches" in the keyboard are interconnected in a matrix. Caper is correct. Do not use soaps.

Do you have HP's multifunction printer? Then the file c:\windows\system32\HPZinw12.exe is okay, a driver. Get Kaspersky to ignore it.

Annoying. I had that with trying to update after a forced repair when I had to change some hardware. Search for and delete anything with "jre" or "java"in it, then dl the offline installer.
http://javadl.sun.com/webapps/download/AutoDL?BundleId=23111

If there is power to the mb the processor fan will run at some speed... your cd drawer will function; the mouse will light up if there is even standby power..
Beep codes will consist of long and/or short beeps, a certain number of each. Search the web for beep codes and your BIOS provider.. eg American Megatrends, Phoenix... I could guess that 3 of any is too many.
Basically, because your monitor is functioning, it means your sys is not. Power off and replug everything you can get your hands on. If still nothing get the voltages from your PSU checked. If they are okay then try with only the mb, CPU and RAM connected [no drives, other cards etc]: still nothing on the monitor? Then one of the foregoing is toast.

http://www.avast.com/eng/avast_4_home.html
Consider....

Hello, Erin... I would not go on the web without a firewall of some description; I cannot tell if you have Windows Firewall activated. I use ZoneAlarm, and it is not a sys hog for me, in fact vsmon.exe hardly ever stirs as far as processor time goes. May I suggest that you restart Zonealarm then got into Task Manager, Processes tab, and check how much CPU time vsmon.exe uses. It pretty much should show 00.
Is your version up-to-date?
I notice that you have AVG AS, SAS [superantispyware] and SpyBot... actually, is AVG still providing updates for AVG AS 7.5?
I would cut that down to just one spyware scanner; actually, for the longest time I ran no resident spyware scanner at all, just had an on-demand one or two waiting in the wings. But now I use Avast, and one is incorporated with the AV scanner, so... actually, I have Spybot ready and updated, but I seem to be able to stay clean so I have only run one scan recently. Just to see. Look, try being sensible with online link-clicking, and run no active AS. Just keep Spybot updated in case.
Tea-timer is not a load, though, it just monitors for attempts to mod your registry.
"128 mbs of ram and 480 whateverbites processor"... I do see what you mean... 480 whateverbites is very slow buy today's stds, and 128 mbs of RAM is not much. If you took the time to …

Brianan, mostly I don't hop forums.. atm I am playing in the other one, but chased you over here.... you would be able to delete that file from Safe Mode, unless they were very cunning.... but in any event this is a very handy tool:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

You cannot expect pestware writers to do the best job with their uninstallers.. this file may need removing, also:
C:\WINDOWS\SYSTEM32\mysidesearch_sidebar_uninstall.exe

Mmm... yeah, whish iw why I added the last line.. but at least now he knows how the start menu is built, and he can script his installer to place shortcuts into those folders so that they appear in All Pgms.

Try uninstalling MySide Searchbar Assistant via CP > Add/Rmv Pgms, Brianan.
Then start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: mysidesearch search enhancer - {ae6c19eb-981d-8a4f-57fd-ef9896f5cb6b} - C:\WINDOWS\system32\dxzenhbjqqwnrvrar.dll

Delete this file if it still exists:
C:\WINDOWS\system32\dxzenhbjqqwnrvrar.dll
Say how you get on...

Ram, try opening the drive from Start, Run, enter the drive letter, eg C:
Check that there is no autorun.inf file in the root; if there is, delete it.

Unlike rdisk which counts physical disk units from zero and up, the Partitions number from one and up. So Partition(1) is the first partition in the physical order on the disk(0), and it is the partition that boot.ini is directing ntldr to in order to load the OS.
\WINDOWS is the OS's directory name.
The stuff in " " is just a descriptor, can be anything you like.

Skip the reg file idea.... the Start, All Pgms menu is part of Explorer. The content of that list comes from the sum of All Users and "Your" shortcuts [or links] included in the folders under Docs &Settings\User\Start Menu\Programs. So just rclick your file and create a shortcut, name it how you would like it to appear, and drag it to Start Menu\Programs under the User of your choice. And presto! it will be listed in All Pgms. It does not have to be a link to an executable... it can be a link to a photo of your mum. Or a batch file....
Hope this is what you wanted. But if you wished to script it into the installer, then someone else will be your man, not me.