gerbil 216 Industrious Poster

System Mechanic, Options. Is Restore/Undo changes one of those? Hit it.

gerbil 216 Industrious Poster

Oops, 6.9 now. Do take care with it - it is not considerate of fools. For example, if you tell it to delete something it assumes you want it deleted. No "Are you sure" chances to back out...
It does very good scans for traces of old partitions and files. The help file is still clunky - just dclick doc\testdisk.html

gerbil 216 Industrious Poster

Just take care with it - it ain't considerate of fools. If you tell it to delete something it assumes you want it deleted. No "Are you sure" chances to back out... :)
It does very good scans for traces of old partitions and files.

gerbil 216 Industrious Poster

moz, a tool you may like to play with is Testdisk 6.8.

gerbil 216 Industrious Poster

Dave, the legitimate file is dllhst3g.exe, malware is dllhst3g.dll.
Check that you do have the valid one, if not, then insert your cd, run sfc /scannow.

gerbil 216 Industrious Poster

:).

gerbil 216 Industrious Poster

Ah, good to hear it's working so far. I may get back to Banff another year, dunno, been twice, it's a looong way and there are lotsa other places to try out in the world too.
Cheers, imperious. Tap that solved button if you are satisfied.

gerbil 216 Industrious Poster

Arrgghh.... you formatted and reinstalled? Well, okay, but mostly I or someone else here can fix those sort of problems without going down that path. And we even enjoy doing it for you. Try us out next time you have problems.
Cheers, kv.

gerbil 216 Industrious Poster

It is very early on in the loading that the Windows logo screen [with loading bar] is presented. BIOS has read the MBR code and transferred it into memory; that code then scans the partition table for an active partition and the code in that partition's first sector, the boot sector, is read into memory [overwriting the MBR code]. It is the boot sector that contains the particular code enabling the file structure [of the format type] in the boot partition to be read; and it reads in ntldr. Ntldr reads boot.ini and so finds the partition where the OS is located. Basic hardware configurations are loaded and then that Windows logo is displayed. The next step is to read in kernel files and the SYSTEM reg hive to see which drivers should be loaded [if you pressed F8 and chose Safe Mode at this point a different reg key is used which specifies a reduced set of drivers].
It rather looks like ntldr is experiencing a fatal error at about this point, totally failing to load these items. Obviously the C: root file structure is intact, but it seems like the remaining file tables are being corrupted - this could explain the inability to load HAL or the drivers, or even to locate the reg hive, and also why the drive cannot be read in another sys as a slave. The MBR and boot sector are okay.
Try chkdsk repair option. If the file table is bad …
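The first stage of the boot chain described in the post above, as an added Python example that is not part of the original post: it parses a 512-byte MBR sector, checks the 0x55AA signature, walks the four partition entries and selects the single active one, then checks that a boot sector carries the NTFS OEM ID. The sample sector and all function names are constructed for the illustration.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_SIZE = 16                  # four entries, then the 2-byte signature
BOOT_SIGNATURE = b"\x55\xaa"

# Small subset of partition type IDs, enough for an XP-era disk.
PART_TYPES = {0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)"}


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        raw = sector[PART_TABLE_OFFSET + index * ENTRY_SIZE:][:ENTRY_SIZE]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if ptype == 0x00:        # type 0 marks an unused slot
            continue
        entries.append({"index": index, "status": status,
                        "type": PART_TYPES.get(ptype, hex(ptype)),
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_boot_partition(entries: list) -> dict:
    """Pick the partition whose boot sector would be loaded next."""
    # The status byte may only be 0x00 (inactive) or 0x80 (active).
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        raise ValueError("invalid partition table: bad status byte")
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) > 1:
        raise ValueError("invalid partition table: more than one active")
    if not active:
        raise LookupError("no active partition, nothing to boot")
    return active[0]


def looks_like_ntfs_boot_sector(sector: bytes) -> bool:
    """NTFS boot sectors carry the OEM ID 'NTFS    ' at offset 3."""
    return (len(sector) == SECTOR_SIZE
            and sector[3:11] == b"NTFS    "
            and sector[510:512] == BOOT_SIGNATURE)


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields (bytes 1-3 and 5-7) are left zero in this constructed sample.
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def build_sample_mbr(active: bool = True) -> bytes:
    """Constructed sample: an 8 GiB NTFS system partition plus a data one."""
    table = (make_entry(0x80 if active else 0x00, 0x07, 63, 16777216)
             + make_entry(0x00, 0x07, 16777279, 100000000)
             + bytes(2 * ENTRY_SIZE))
    return bytes(PART_TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    boot = find_boot_partition(parse_mbr(build_sample_mbr()))
    print("boot sector is at LBA", boot["lba_start"], "type", boot["type"])
```

A disk that passes both checks but still hangs at the logo screen matches the post's reading: the MBR and boot sector are fine and the damage lies further along, in the file tables.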

gerbil 216 Industrious Poster

A different motherboard and chipset?.. it will not boot up, that's it. There is a fair to very good chance that you will have the wrong version of HAL, and certainly wrong drivers etc. A Windows Repair will not be a good option, either, because all that will do is take the old registry hive and copy it into %windir%\repair [and that will do you no good if you ever need it], rewrite some parts of it to form the new reg hive, and rebuild system files. Mostly, your apps and settings would be preserved.
Reinstall Windows.
Your old data files will not be overwritten if you do NOT format [but not doing a full format can give data recovery software a headache if in the future you should need to use it] ... You may lose email client files though. Somewhere during Setup make the choice to leave the current file system intact but let it delete the old Windows folder.
=Personally though, I would copy off the wanted data, downloaded application installation files etc to that new slave drive, build the sys, format and make a system partition about 8GB in size, install windows and make more partitions for data and apps. Copying out data will save you taking ownership of special Windows folders like My Docs. With a Repair chances are you will keep some of the old problems and instabilities that your old Windows was building up.

gerbil 216 Industrious Poster

What... that's it? All fixed? But I would like to see the logs, there are always problems left behind to sort out. I'd be happy to look at them if you post them here.

gerbil 216 Industrious Poster

I do hope it is. If you get strange shutdowns with absolutely no warning then it can be temperature related as I said before.... Cripes, Calgary?... just open the window.. :) How's the snow up at Banff? I was there last season...
Good luck. Lessee, no worm traces left, no viruses, good, clean sys files.. should work. Unless.....

gerbil 216 Industrious Poster

Sometimes sfc is really processor-intensive [it is on my sys, the fan screams], and your CPU can overheat - the first thing you know about that is that the puter just shuts off. Power off at the wall [pull the plug], open the case and get to work on the CPU heatsink fins and fan with a soft, long-bristled brush and a vacuum cleaner nozzle. Get rid of the dust... I bet there is heaps if you have not done this before..

gerbil 216 Industrious Poster

I just added to my post above...all you see happen is that black cmd window flash. Run sfc /scannow again and see if it works from the cd.

gerbil 216 Industrious Poster

Good-oh... I hid it well, didn't I.. :)
Same trick, run this batchfile.... it will add a registry entry [or modify the one you have] so that it points to your CD/DVD drive. sfc /scannow should then find the I386 folder on the cd.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as modSetup.bat, as type "all files", to your desktop; dclick it to run.

______________________________________________
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup /v SourcePath /t REG_SZ /d D:\ /f
______________________________________________

The way things work is that because you did an online update to SP2 you have \I386 in c:\windows\ServicePackFiles -this is where the most up-to-date files are stored in your sys [some from Windows Updates]. For some reason sfc is not working with those and is asking for the cd.... this reg mod directs it to the \I386 folder on the cd. Try running sfc /scannow again.

gerbil 216 Industrious Poster

Ah, this bit... if you run this batch file [follow the instructions] I will be able to see some relevant registry entries on your machine.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt which will open on your desktop.
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

gerbil 216 Industrious Poster

Imperious, if you have a folder c:\windows\ServicePackFiles\I386 about 450MB in size, more or less, then you must have done an [online?] update to SP2? In that case there should be a registry entry pointing to that folder and Windows File Protection should be able to access it.
The command sfc [system file checker] is part of Windows File Protection - WFP automatically replaces any protected system files that are corrupted, altered or deleted, sfc additionally will copy into the protected file cache a fresh copy of such bad files from a cd or other folder, eg c:\windows\ServicePackFiles\I386 [if it is not empty? Tell me].
Could you please run that batch file for me so I can see stuff?

gerbil 216 Industrious Poster

Heh.... some key gen. Not much is for free these days. You gotta realise, some folks don't like cracks and gens for their pgms being put about on the net so they make their own which are designed to cause you some trouble, other crack n gen makers are paid to put ad trojans in their lil pgms... either way, if you get a bad one you pay; problems are time, time is money.
Right, run these:
Clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
and scan:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
and again:
==Please use IE to do an online scan at panda:-

gerbil 216 Industrious Poster

dinesh... it is not common for exe files to be in the inf folder; one that is there is unregmp2.exe for Windows media player.
The normal files in the inf folder are .inf and related .pnf files which are used for loading software and drivers.
I would rename others.exe to others.exe.old; if your sys starts then delete it.

gerbil 216 Industrious Poster

Hughv has it right. If you change the order in the Boot Menu [on my machine I reach that via F11 at startup] to CDROM [or DVDROM] then naturally the puter will try to boot from your cd. If the cd is actually not bootable then BIOS will next try to boot from the hd. Nothing in what you have said implies that the hd is bad.... just that it has no OS on it that can be detected - there are no boot files on it that can be loaded [it still may be bad].
Try to boot from the CD in another machine [and then abort Setup if it does actually run..]. If it does not boot then the cd is missing special cd boot files. Boot files or loaders on a cd are NOT the same as the boot files on a hd.
Easiest way out of this is to get a friend to burn you a copy of their XP SP2 cd...

gerbil 216 Industrious Poster

I actually cannot guess what you have done... is svchost.exe running... can you see instances of it in task manager/processes? I actually don't know if windows can even start without it, and I don't know how you could interfere with it via gpedit.... but...

gerbil 216 Industrious Poster

Okay...
=What is the name of your optical [eg, CD, DVD] drive in Explorer? Is it D:\
Open that CD and find the path to the I386 folder... it is likely in the root of the drive, eg D:\I386 -tell me.
=Do you have this folder [you may have to show hidden files to see it]?:
c:\windows\ServicePackFiles\ServicePackCache
=Could I have a look at the contents of this reg key....
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

gerbil 216 Industrious Poster

If you have to buy, your local puter shop should burn you one for just a couple dollars. It's not as if you are wanting the licence, which is where the real fee is.

gerbil 216 Industrious Poster

Imperious, you are running SP2 now so that SP1 cd will not work. Do you think you could borrow an XP SP2 cd from someone?

gerbil 216 Industrious Poster

Imperious, could you check the properties of this file for its owner details, please... see if you recognise it. If unknown, delete it-
C:\CF19715.exe
Please go Start, run, type or paste in
sfc /scannow
-insert your XP SP2 cd, press Enter as required. This will replace any system files damaged by the Alcra worm you had.

gerbil 216 Industrious Poster

Imperious, could you run these scans to check for malware, please? First clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Okay, post those two logs, please, plus a fresh hijackthis log.

gerbil 216 Industrious Poster

Hi again. Urk, I missed putting in a service to delete; we'll get to it.
May I say that you have been let down extremely badly by your AV? It really should have detected and removed your Fontra worm. And the VGADown Audio Adapter trojan. Tsk tsk... Is Norton set to scan ALL your files? Is it updating?
=When you ran ATF did you repeat the cleaning using the FF tab also? ...cos I really do not need to see all those cookies in the AVG log. Anyway..
=Before you ran AVG AS did you make the setting changes that I requested and follow the method? Because the log says no action has been taken against the malwares it detected.... please, it is important that you do the things I ask in the order I ask. That way, any mistakes or omissions will be my fault! May I suggest you copy this post to a notepad so that you may read it as you perform these steps? Okay, let's do stuff...
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the …

gerbil 216 Industrious Poster

Routers have firewalls in their software, generally. Restarting your router resets it.
Good-oh.

gerbil 216 Industrious Poster

AVG AS saw nothing, I see nothing more now... is your problem still there? [grey task bar, sound failing etc.] Is another window still taking focus and activating over the top of the one you meant to be using?

gerbil 216 Industrious Poster

Cheers, megaman... it truly is a maze out there...:)

gerbil 216 Industrious Poster

Hi, alice,
you have a short log but it is full of malware. We can clean it up, but be aware that your internet traffic has been monitored and your passwords may no longer be secure.
If you use your sys for banking etc then your accounts may be compromised!!!

  • Download LSPfix from here http://cexx.org/LSPFix.exe

    • start it by dclicking the .exe....
    • On the opening screen, click the "I know what I'm doing" checkbox.
    • Check all instances of "od3mdi.dll" (and nothing else),
    • and move them to the "Remove" pane.
    • Then click Finish.
  • Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • to run it dclick combofix.exe and
    • follow the prompts to start it.
    • When finished, it will produce a log, C:\Combofix.txt
    • post that log in your next reply.

A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [BM8767ee28] Rundll32.exe "C:\WINDOWS\system32\xfeqnari.dll",s
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows

Delete these files:

C:\WINDOWS\avp.exe
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\xfeqnari.dll
C:\WINDOWS\system32\WinNB58.dll

Go Start, run, type or paste this line into the run text …

gerbil 216 Industrious Poster

G'day, imperious,
Really this should have been posted over at Viruses n Nasties, but what the heck, you're here, I'm here...
Please do not do a Windows Repair, it's not really called for.
Let's fix your Hosts File:

  • download HostsXpert from http://www.funkytoad.com/content/view/13/31/

    • click the top button Make Writable if it is available
    • click Restore MS Hosts File button.
  • Now that that is done you should be able to go to Norton/symantec site - get the uninstaller tool for the AV you had and run it because you have active components still in your sys [you may run only ONE active AV service - they interfere.. Of course, you may wish to ditch Avast - your decision]

Use hijackthis to fix these two [benign] entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: services.lnk = ?

Good. Now I do not see what modified your hosts file so would you please:
Clean..

gerbil 216 Industrious Poster

Pleased to be able to help, Susan..

gerbil 216 Industrious Poster

Yep, firewall. Uninstall it, try net access with just Windows Firewall enabled. All okay? - reinstall your firewall.

gerbil 216 Industrious Poster

Hello, megaman.. and Susan... I am sure I know what your problem is, and it is not a fault in your mouse or drivers, rather a facility that some people find useful has been turned on - it is called X-mouse. It comes in two stages: with only stage one the window you hover the mouse over gains focus, if you have stage two of X-mouse then that window is also activated. With stage two if your mouse leaves the window it heads to the taskbar... ie. it minimizes. Sound like your problem? Stage one is useful if you wish to read info from a bunch of windows, Stage two if you are manipulating data in a bunch of windows... but with stage two each window must rest on the task bar otherwise they will close before you can get a mouse into them...else if they do not rest there you instead rclick that window's taskbar icon and then you can scoot your mouse over a gap and into the window..! Anyway.....
Now there are a few registry entries associated with these settings, and they are a bit tricky... so the easiest way out is for you to get Powertoys for Windows : TweakUI from Microsoft. Google for it. Install, open it, expand Mouse, go to Xmouse and uncheck the setting boxes there. And you should be ok...
While you are in TweakUI go to General , Focus: you may find it useful to set Prevent other windows …

gerbil 216 Industrious Poster

Windows File Protection is what is copying in a replacement msconfig.exe as soon as you delete or rename or modify the original.
The source file is in system32\dllcache.
Not all system32 files are guarded by this protection, just those listed in a library or with extensions exe, sys, ocx, dll.. and a few others... The command sfc involves it in its own check; sfc will also copy in from the CD any files missing or damaged in the cache.
If after running sfc /scannow msconfig still will not work, then go Tools, Folder options, View and select Show hidden files and folders, and uncheck Hide protected op sys files. Now navigate to system32\dllcache\msconfig.exe - dclick it; does it open?
Rehide that stuff when you are finished...

gerbil 216 Industrious Poster

Liz, did you ever sort out the svchost.exe issue? Without svchost running no services can run under it. No networking....

gerbil 216 Industrious Poster

Hello, cookie... if you have a desktop with icons, a task bar or Start/All programs visible then Windows Explorer is running. Internet Explorer is totally different, although some functions are similar. [I wrote a lil bit about W E to a poster named cynikal in Viruses, Nasties forum [last page of thread] to point out the basics of what it is..]
I suggest you remove one of your AV services... since you have AVG suite [paid] you could remove Avast. Anyway... you choose, but do it NOW.

gerbil 216 Industrious Poster

I guess if it was a problem on my machine I would use Process Monitor to log events, and the moment an IE window opened I would stop the logging and filter it so that only IE related events showed. You should be able to see in the log what called IE, reg entries used etc. Be prepared for some log scrolling, quite a lot happens for such a seemingly insignificant event like opening a browser window. Get PM from Sysinternals... okay, from technet...
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Pls don't post the log tho, even in zipped form... unless someone else is willing to read it?

gerbil 216 Industrious Poster

Cynikal, whenever you have a window open which shows your drives and files/folders you should have in the top toolbar Files, Edit... Tools. Anyway, you found the same Folder Options in CP, and that is fine. Combofix does turn it off, a lot of folks like to see them but it depends upon what you do with your sys. In retrospect you personally should probably leave it off. If you look in explorer at C:\Windows you will now see a lot of blue folders - they are some examples of hidden folders, and there are a lot of others now showing below which are not coloured blue. Most likely you will rarely need to involve yourself directly with them; perhaps you should reset that option to not show them. And me? - I know some generalities, a few details.... I know it is not even 1%.. :)

gerbil 216 Industrious Poster

Hatespy, it is most likely not a problem with your computer, more likely Paypal was momentarily down and IE then fooled with the URL. If you want a complete explanation [or one, anyway] click on the link in your post above and then in the webpage that opens click the link How you got here...
Com.org is benign.

gerbil 216 Industrious Poster

Hello, mani... as for the poster above..
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files. Make a fresh log for us.

gerbil 216 Industrious Poster

Heya, cynikal... we'll get there....
In a standard windows installation Windows Explorer [explorer.exe] is the user's point of contact with the OS, it is the shell, the outside casing if you like, of your OS and everything else runs inside or around it; it [or a modified replacement] is always running when logon is completed. You can stop it if you wish but then you lose being able to easily interact with the OS... your running programs will continue running, you can start new ones etc but not in the normal way.
When you dclick My Computer you are opening a graphical interface, a window to Explorer. Another window is the taskbar, still another is the desktop. There are other ways of opening a window, and you can open many such windows to it at a time, but there is only one explorer.exe running, ever. These windows provide you with a simple and useful way to manipulate your files, including programs, which all exist and operate independently of explorer.exe. Where am I going with this...? ...listening to Thea Gilmore's Contessa and enjoying it.... okay, just one of those independent programs is Internet Explorer [iexplore.exe] which is actually more than just a web browser, but here we are not concerned with it at all.... since we normally use Windows Explorer to see our files or operate the OS it is that which we must adjust to control that view; Folder Options is one such control.. and you get to …

cynikal commented: so knowledgeable +1
gerbil 216 Industrious Poster

Hello, zombie... especially for you.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan …

gerbil 216 Industrious Poster

Get a mate to bring his lappy over and hook up. Are you behind a router?

gerbil 216 Industrious Poster

Hi again. Just open an Explorer window [eg to your C: drive] and go Tools, Folder options, View tab.. I like to see my hidden files and folders and also all file extensions.

gerbil 216 Industrious Poster

It should be alright to delete vundofix and its backups if you are sure that it deleted all that it found, and your sys is working well again.

gerbil 216 Industrious Poster

Hello, nuhjski, you cannot do what you are doing and expect your sys to run properly - you can only have ONE active AV service running. Out of the three, McAfee, AVG and Symantec keep only one... McAfee, I guess, cos you are paying for it.
Symantec does not look complete but nevertheless is active; to remove it properly you need the removal tool from their website. Merely uninstall AVG AV.
Did you intentionally remove windows Messenger? msmsgs.exe is missing.... but a couple of related items remain:
Use hijackthis to fix these 3 entries:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
and...
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Cool. Now I know you say you use Windows Explorer to go on the web, but I can see 4 instances of IE open. So it looks like IE starts when you click the desktop link but does not open a window that you can see. Fine.
Navigate to C:\WINDOWS\inf\ie.inf [you must have hidden files and folders visible] or alternatively open explorer in C:\Windows and do a Search for ie.inf.
Right click the ie.inf file, and then click Install.
-Insert your Windows XP SP2 CD-ROM when prompted and on it locate the I386 folder, click Open, and then click OK.
Internet Explorer will be installed.

Go …
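The HijackThis entries quoted in the posts above (the alice, imperious and nuhjski replies) all share one line format. As an added example that is not part of the original posts, this Python sketch parses such lines into section, CLSID and file path and attaches triage hints; the hint names and rules are assumptions chosen for the illustration, and the sample lines are the ones quoted on this page.

```python
import ntpath
import re

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path, ending at a closing quote, a "(file missing)" tag or EOL.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?(?="|\s\(file missing\)|$)')

# Entries quoted in the posts on this page.
SAMPLE_LOG = r"""
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [BM8767ee28] Rundll32.exe "C:\WINDOWS\system32\xfeqnari.dll",s
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: services.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
""".strip().splitlines()


def triage_line(line: str):
    """Parse one log line; return None for headers and process listings."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    section, body = match["section"], match["body"]
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    path = path.group(0).strip() if path else None

    hints = []
    # Entry points at a file that no longer exists: a leftover to tidy up.
    if "(no file)" in body or "(file missing)" in body:
        hints.append("orphaned")
    # Startup shortcut whose target HijackThis could not resolve.
    if body.endswith("= ?"):
        hints.append("unresolved-target")
    # Service binary with no version-info owner.
    if section == "O23" and "Unknown owner" in body:
        hints.append("unknown-owner")
    # Run key that loads a DLL through rundll32.
    if (section == "O4" and "rundll32" in body.lower()
            and path and path.lower().endswith(".dll")):
        hints.append("rundll32-autorun")
    # Executable image path without any file extension.
    if path and ntpath.splitext(path)[1] == "":
        hints.append("extensionless-image")

    return {"section": section,
            "clsid": clsid.group(0) if clsid else None,
            "path": path,
            "hints": hints}


def triage_log(lines) -> list:
    return [row for row in map(triage_line, lines) if row]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row["section"], row["path"], row["hints"])
```

The Mirar toolbar line comes back with no hints at all, so the hints only sort the log for a human reader; they do not decide what is malware.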

gerbil 216 Industrious Poster

Heya, heidi, it does all depend upon the versions you have, that is, whether they are fulltime protection services or on-demand.
Spybot teatimer is a fulltime registry guard, not much load there.
Spywareblaster is no load on your sys at all.
Adaware, AVG AS and Spywareguard - if you update and then run on demand they are no load, if they are paid up, full time guard services then one should be sufficient. I have Adaware and AVG AS but run them on-demand, maybe once every few months or when I am bored.
You NEED a firewall!!! so keep Comodo.
Hijackthis? Delete it. Only dl and run it when you need help.
Firewall or no, you MUST have a fulltime AV service, and you have not mentioned one. Ok, Norton, but you say that is going... get a free AV, one of :
AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

And that is it...

gerbil 216 Industrious Poster

Before you contemplate a complete windows repair you should try to reinstall just Messenger from your XP installation CD. The CD should match your SP status... eg XP-SP2... Not got one? - borrow it.
-Open an Explorer window, do a search for msmsgs.inf -the default location for this file is in the C:\Windows\Inf folder [or show hidden files and folders and navigate to it].
-Right click the msmsgs.inf file, and then click Install.
-Insert your Windows XP SP2 CD-ROM when prompted and on it locate the I386 folder, click Open, and then click OK.
The Messenger files are installed and registry entries corrected.
Say how you get on.