gerbil 216 Industrious Poster

Yeah, the AV thing is a bit of a catch... I mean, there is so much talk about "layering" of services to catch stuff, but to resident, real-time AV it just does not apply.
Anyway, first off, would you go to this site http://www.f-secure.com/blacklight/ and download the trial scan software [link is at bottom of webpage]. Start it, accept the agreement, and start the scan. Post the log.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected. Close ATF.
==Next try an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-the link to the scan is just above the padlock pic.... free online virus scan.. enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Finally, please rename Hijackthis.exe to clickme.exe and start it again, select Scan only and place checks against these entries [if they still exist], and press Fix checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll

Make another log and post it along with the other two..

gerbil 216 Industrious Poster

k. while we are looking you should make a decision on the AV - one of the two must go.

gerbil 216 Industrious Poster

unnecessary post.

gerbil 216 Industrious Poster

and that looks good to me. hope it's working for you. There is just one entry that you could fix if you wish - it's a pgm related to your sound player which calls home with details. Some regard it as spying, others as a time and resource waster. Personally i would stop it - i like things clean and neat. Here it is:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

That is a reg key which is set to start the pgm every power-up of your sys. If you fix it with HT that will stop it from starting, but it will remain on your sys for manual starting. Up to you. Cheers. [no need to repost if you do decide to fix it..]
[err.. to fix it you run a Scan only, check the box alongside that entry, and press Fix checked. And that is it.]

gerbil 216 Industrious Poster

Good-oh, penman. Now start HT and press Scan only. Place checks against the following, and press Fix Selected button..

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A71157-5D75-4C9C-A34B-5808FC3D5B7A}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{23A71157-5D75-4C9C-A34B-5808FC3D5B7A}: NameServer = 85.255.116.117,85.255.112.190

...and that should do the trick. Do another HT scan and post the new log.
Cheers.

gerbil 216 Industrious Poster

From http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe download fixwareout and save it to desktop.
From an explorer window > tools > folder options > view, set show all hidden files and folders.

Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Okay, run HT again and repost.

gerbil 216 Industrious Poster

i dunno why you had trouble with those links..they both work for me still. The killbox one is still valid, and whether pocketkillbox or just killbox you get the same exe - from subratam it is killbox, from third parties it is pocketkillbox. Beats me.
And the Panda link is fine... I wonder if you have some hidden problems... for the final HT scan when you post me a log first rename Hijackthis.exe to rabbit.exe and run it as that. I am possibly overdoing it, but go here and download this trial scan and run it: http://www.f-secure.com/blacklight/ -link is at foot of that page.
Just in case.

gerbil 216 Industrious Poster

Panda online scan is a beauty - i do not understand why you could not find it, cos there are two links to it on that homepage: one is " free Online virus scan" just above the padlock pic, the other is a huge blue link "Scan your PC now" . Please do it, but run the atribune temp file cleaner first. The scan only runs in Internet Explorer.... but it's one of the best...
You didn include the scan log from AVG antispyware....
After the pandascan [pls do it...], run HT "Scan Only" and put checks against the following:

O2 - BHO: (no name) - {2C48C717-8A2D-487C-A068-C65CB0D17D04} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\fvjhikqx.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\julyioyo.dll",setvm

and then Fix them.
[that last entry is a registry entry asking the OS to run julyioyo.dll with parameter setvm, but it aint there to run. I hope.. :) Remember the error msg at startup saying it could not be found?]

===Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.5.0.11 is current....

Post the logs....
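
A triage pass over the kinds of HijackThis entries picked out for fixing in the posts above, as an added example that is not part of the original posts or of HijackThis itself. The three rules and the names `parse_entries` and `triage` are assumptions made for illustration, and the sample lines are copied from the posts; a match marks an entry for a human to review and is not a verdict.

```python
import re

# HijackThis lines copied from the posts above (not a complete log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2C48C717-8A2D-487C-A068-C65CB0D17D04} - C:\WINDOWS\system32\awvtq.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\julyioyo.dll",setvm
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A71157-5D75-4C9C-A34B-5808FC3D5B7A}: NameServer = 85.255.116.117,85.255.112.190
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 autostart value: "<hive>\..\Run: [value name] <command line>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 command line: rundll32.exe "<dll path>",<export>
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.I)
# O17 value holding a hard-coded resolver list
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")


def parse_entries(text):
    """Return (code, body) for every line that looks like a log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Flag entries worth a second look; unflagged entries are not cleared."""
    findings = []
    for code, body in parse_entries(text):
        # Registration left behind after its file was removed.
        if body.endswith(("(file missing)", "(no file)")):
            findings.append({"code": code, "kind": "missing-file",
                             "detail": body})
            continue
        if code == "O4":
            # Autostart value that loads a DLL export through rundll32.
            run = RUN_RE.match(body)
            dll = RUNDLL_RE.match(run.group("cmd")) if run else None
            if dll:
                findings.append({"code": code, "kind": "rundll32-autostart",
                                 "detail": {"name": run.group("name"),
                                            "dll": dll.group("dll"),
                                            "export": dll.group("export")}})
        elif code == "O17":
            # Resolvers pinned in the registry: compare with what the
            # ISP or DHCP server is expected to hand out.
            ns = NS_RE.search(body)
            if ns:
                servers = [s for s in re.split(r"[,\s]+", ns.group("servers")) if s]
                findings.append({"code": code, "kind": "static-dns",
                                 "detail": servers})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["code"], finding["kind"], finding["detail"])
```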

gerbil 216 Industrious Poster

Ok. It's neat that you can use a USB CDrom, and that you have the install disk. I want you to insert the disk and start Recovery Console [when you are prompted to repair or recover, press R].
First run checkdisk to see if there are any repairable errors - type and enter...
chkdsk /r -if any errors are reported then ...
chkdsk /f - and when it finishes restart your puter to see if it runs.
No? Then go back into Recovery Console. Let's start with the file that is mentioned in your error msg:-
C:\Windows\system32\config\software - we must first make a copy of this with another name, and then delete the original from its folder, so in recovery console type

cd C:\Windows
md regtemp
copy system32\config\software regtemp\software.bak
delete system32\config\software
copy repair\software system32\config\software
exit

-which will take you out of recovery console. See if your computer will start.
No? Then you must follow the same procedure by removing these other 4 files from \config into regtemp: system, sam, security and default; and then copy the originally saved files from \repair folder also [these are all the registry files saved by your system when you first installed it - if you have not since updated them. Most folks don't...]
...so just substitute those filenames for software in the above. You can try a restart after each substitution, or better still do them all at once.

gerbil 216 Industrious Poster

it's a slow scan, isn't it, conscio. did you run the bitdefender scan before the hijack this scan? cos there is a strange file appended where i did not expect to see one, right at the end....
C:\Documents and Settings\Brian\Application Data\RdrSoftHope\creative phone surf.exe == this one. Bitdefender deleted it.... it says.
Would you please search for it in your puter, and delete it if you find it? The path is there...
If you did not do it, pls follow the lop instruction in my previous post also.
And then pls do another HT scan and post.
Thank you.

gerbil 216 Industrious Poster

if you've got an always-on connection i bet it is a whole swag of updaters phoning home. there are some real issues with some of those.

gerbil 216 Industrious Poster

it just sounds like the adapter is having trouble translating instructions, rendering blocks etc. if it won't work from cold start, it's toast. you could reload drivers, firmware even.....

gerbil 216 Industrious Poster

randaril, first help us n yourself by doing just what caperjack suggested in #10 above. BUT START a new thread. Please.

gerbil 216 Industrious Poster

Hi, jinx... :), lucky for you you chose a benign tool to play with - you don't/did not have a fixwareout issue. But you do have virtumundo and another couple of pests. So let's start by stopping some things and then downloading some more help.
Run hijackthis again and check the following:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ceamqwdk.dll",setvm

-close all other apps and press fix checked.

===Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Select "Delete on reboot", click the "all files" button.

>Highlight the 2 pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\WinFlyer32.dll
C:\WINDOWS\system32\ceamqwdk.dll

In killbox, go File menu, choose Paste from clipboard. Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

===Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it, and click the Scan for Vundo button.
When scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed it will prompt …

gerbil 216 Industrious Poster

video card.

gerbil 216 Industrious Poster

an recyclers would hold a bit... if you have not cleared it.
you just gotta get outlook express folders, temp and tmp folders, IE folders like history, cookies n temp inet files, plus My Docs outta there.

gerbil 216 Industrious Poster

you've swapped floppies and still the problem persists, so unless coincidence is out to get you it comes down to the cable/mobo, or the OS. do the simplest thing first- grab your XP Pro install disk n run
sfc /scannow.
err.. i'll enlarge upon that... go start > run, sfc /scannow, and insert the cd. Be prepared to hit enter a hundred times. Or so.

gerbil 216 Industrious Poster

I see you have AVG antispyware - have you updated and run it to remove this? [you have a few lop.com adware components in there - panda has pointed them out but will not remove them for free; other software will.] Strange, though, that i cannot see any related sponsor software that may have put them there.
Anyway, I shall give you two ways to remove the offending software.
1. Go here, dl the file, dclick it and follow through the steps until it completes.
http://lop.com/new_uninstall.exe

2. Do this online scan: http://www.bitdefender.com/scan8/ie.html
-agree to the eula, start the scan, allow the activeX to dl if your OS blocks it.

Restart your puter and see how it goes. Repost a new hijackthis scan plus the log from bitdefender [if u do it, and you should....]
Pls follow crunchie's direction - it's just easier for us.

gerbil 216 Industrious Poster

cool. glad to be of help.

gerbil 216 Industrious Poster

tricky. see if you can boot into safe mode with command prompt.
No? Then now is the time to visit a friend with your harddrive under your arm, cos we have to copy a few files from a backup repository in your sys.
[what the error msg is saying is that your registry is a bit corrupted, and a bit is usually quite enough.... when you installed windows xp a couple of files were automatically stored as backup - these are the ones we wish to use to replace your corrupt \software file [and others..]. Naturally your sys will be taken back in time, but it will/should work, however a few applications will need to be reinstalled]
There is no simple fix if you cannot get into safe mode... you gotta be able to get hold of a cd drive, or another xp OS in another puter.

gerbil 216 Industrious Poster

if you can get to safe mode use your xp install disc to run
sfc /scannow

gerbil 216 Industrious Poster

um. ummmm. we talking IE? isn't this a setting that the web page maker does? in opera it is a setting you can make so that a link will open a new page in the browser. but in IE it is up to the page designer. I think. easily wrong here... but you can rclick the link and select to open in a new window... or just press the shift key as you click the link...
if all windows opened in a new window it would stuff the back button on yer mouse, now wouldn it?
go easy on me, i've been on a long holiday, n me brains gelled.
try it. open a web site, click on a benign ad like from a bank or similar - it'll most likely open in a new page. now click a link on that orig web page n i think you'll find it will most likely open in the same window. click the back button, click the same link with the shift key. now your back button will not work. same as with the bank ad. no history for the new window, see?

gerbil 216 Industrious Poster

accursed things they can be. try uninstalling your burner software, and then reinstall it.

gerbil 216 Industrious Poster

you didn get back, so i think i may make those instructions a lil clearer..
go programs > admin tools > computer mgmnt > disk mgmnt. Then rclick in the lower part of the righthand pane on the coloured box representation of the partition in the corresponding drive.. so you can do this you will obviously have the old drive in place, thus you will be looking at drive 1.

gerbil 216 Industrious Poster

oops, that last bit won't let you copynpaste it. so go CP > system >advanced tab > startup n recovery settings > edit, which will give you a notepad with the boot.ini. Pls paste that here.

gerbil 216 Industrious Poster

yeah. open computer management [via programs> admin tools]; in the right pane rclick the partition you wish to make active, and if it is not already then the option to do so will be boldened [enabled]. You can only have one active partition.
One other thing, if you get it going would you please do this...something is bothering me, n i cannot figure it out... go start, run, msconfig n enter. Click the boot.ini tab n please paste what it says here.

gerbil 216 Industrious Poster

two xp's. This is interesting. The second installation on the newer drive should be the one that has the working boot.ini. Or did the installation modify the old boot.ini...? I am not sure... it should be the former - the new installation should have the controlling boot.ini... hmmmmm.
But did you mark this second XP's partition as active?

gerbil 216 Industrious Poster

go ahead and install your third OS. But unless you make XP the last OS that you install you will need to get a boot manager. So. It's either get a boot manager, or uninstall Xp, install ME and then install XP again.
We should all have that much fun in our lives.

gerbil 216 Industrious Poster

oh dear. there is a risk that you have been well n truly backdoored. i don't have time to help you just now, but don't use this notebook online until someone helps you fix it. It is NOT secure!! you should change your bank passwords, email pw's, the lot, after this.
[who do you know lives at Solomenskaya street. room 201, kiev, ukraine?]

gerbil 216 Industrious Poster

ok. but there is some header information missing from your hijackthis log post, and we really need it. [it has the hijackthis version, plus info on your xp]. Please post it..
Meanwhile, can you tell me anything about this entry - did you put it in there?...
O4 - HKCU\..\Run: [DogMags] C:\DOCUME~1\Brian\APPLIC~1\RDRSOF~1\Date Media Once.exe
-or more specifically, if you wish to check the file, it can be found here....
C:\DOCUMENTS & SETTINGS\Brian\APPLICATIO DATA\RDRSOF~1\Date Media Once.exe
...i have a feeling that it is not a good one.
Also try an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-the link to the scan is just above the padlock pic.... free online virus scan.. enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

inside system32, check the size of your notepad.exe - it should be 67.5kB, or 68kB on disk..

gerbil 216 Industrious Poster

be really sorry about the form. pls repost - turn off wordwrap in notepad or whatever.

gerbil 216 Industrious Poster

heck, even cheaper than an elect contractor is a wired mouse. five bucks tops from a cheapo store? buying one to see if it eliminates your problem would be a great n obvious first step. the transmission from a wireless mouse is digital, encoded randomly, limited to about 4m range, and as such is fairly secure. you could suspect a bit of nastiness in your pc such as backdoor trojans...
of course, you reinstalled your mouse driver, didn you..?
[and why the piggyback?? if you're really interested in solutions, start a new thread. respect DMR.]

gerbil 216 Industrious Poster

Perhaps MSN tried to update, and failed doing that... Why? i could guess that your Windows Installer is broken [this is the pgm that installs windows components...]. Go to microsoft, dl windows installer 3.1. Then via CP uninstall your current version, and next install your new copy.

gerbil 216 Industrious Poster

did you get sorted? if not, this will restore the default registry settings for lnk file associations.
Unzip, dclick the reg file and answer yes.
'Course, you'd do a restore point first, wouldn you? i mean, that would be just smart....
http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip

gerbil 216 Industrious Poster

err.. i cannot get into redrival.
What happened with that reg tweak you wished to try?

gerbil 216 Industrious Poster

[##] is just a marker in the instructions....
I'm going to guess that something has corrupted a few registry entries for you. For a start, try this: go start > run, type devmgmt.msc and OK. Is there a yellow icon beside the DVD and USB entries? Expand the DVD/CD entry, highlight your DVD drive, [##] and go Action, select Scan for h'ware changes. Nothing more than a brief msg box should open. Do the same for your USB Controllers. Anything work now?
Yes? ...great.
No? ... well, that happens. Follow the instructions again to [##]. Now rclick your DVD drive and select Uninstall and follow through.
In the run box type regedit, OK. Navigate to this subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
Highlight that subkey by lclicking it - in the right pane if you see Upperfilters and/or Lowerfilters then rclick on those names and Delete them, and close the Registry window. Reboot your pc. DVD working? Good, now update the DVD drivers...

gerbil 216 Industrious Poster

an if you need instructions on repairing OE just buzz.

gerbil 216 Industrious Poster

Yep. Corruption is the key to OE. It's built-in, i think... :).
Open an explorer window and do a search for your OE account name - it will lie in a nest of folders something like local settings\outlook express - there may be another folder with a string of gibberish [ i dunno exactly cos i moved mine out of the sys vol and gave it a sensible path... :) ]
Open your account folder and rename the sent and outbox folders to Sent Items.dbx.old and Outbox.dbx.old...
You will see that OE will generate new, clean folders to replace the lost ones. Now try an email. If you only have junk in the old folders and everything is fine, just delete them. Now if your issue is solved by this, and if you really wish to read/keep the text contents in those two renamed folders keep in mind that they are corrupted, so DRAG them into a new notepad.... scroll away and copy sections you want. [note that your pics in there are text-based also...[ i don't mean a pic of a wet dog is called a pic of a wet dog - all the pixel info is in text characters] isn't email a wonderful thing?]

gerbil 216 Industrious Poster

if you are getting an error msg like Error loading op sys then your BIOS is running, and you can therefore get into it. Read your documentation, watch the screen for instructions during POST, hit Delete... whatever opens your BIOS on your pc. With an error msg like that i think your BIOS is just not recognising/reading your HD.

gerbil 216 Industrious Poster

well, yeah, if that works i dunno why not. Just rclick propertyhandler subkey, export the key as a .reg file and save it somewhere safe., then just go ahead and delete the Value. Don't like what happens? ..then simply dclick the .reg file.
[easy way to get to that key in XP is just to search for systemfileassoc]
What happens if u go into explorer > folder options > file types and change the default player to another one that you may have instead of WMP?

gerbil 216 Industrious Poster

"CompUSA says ....... cannot provide me with a backup copy." They've just gotta be joking. It is the license key that you pay for, the CD and its files is just 50c worth of fancy plastic. Get hard with them. Is there a local branch? - they should just burn you a copy out of hand. Sheesh. Your cd may have had a special image made for you, it may have had the OEM key on it in an unattended installation winnt.sif file [which could be why they will not replace it..??!!]... - i dunno. OEM keys only work with OEM cd's.
BUT...But IF you have the COA with your own key [or otherwise know your key] then this should work: get an Xp cd with the SAME sp as you had... eg XP+SP2... from a friend, plus his key.... [now you will be scaring him.. :)]. Install using his key, ### go to activation - you should be informed that the key is in use but will be given the option to change the key: plug in your own. Bingo. I think. Pretty sure, actually....

### or at this point, instead of activating, use this software to change the key to your own and then activate normally. http://www.majorgeeks.com/download4138.html
Don't know your key, but the pc is still sorta working? Then that lil pgm, Rock XP, will find it for you...
Tell us how you get on, and what you did...

gerbil 216 Industrious Poster

Generally, if your hardwares are performing okay then driver updates are not necessary. Ppl give themselves all sorts of problems by say, flashing BIOS - if your pc boots, what else can you expect? Will new PCI drivers deliver more? More what? Speed? About the only one to consider is the vid card, but check what the update actually delivers rather than automatically dl it.
Others may have other ideas... :)
And your manufacturers give you any new drivers freely.
avi looping? not a clue...

gerbil 216 Industrious Poster

and encrypted files? how do they fare? I mean, if you use a real password like "i bought my dog as a black puppy in may" or "I first saw Chicago on a calm spring day" no brute forcer is ever going to crack those...

gerbil 216 Industrious Poster

The only reason i can think of for having a separate page file partition on your sys drive is to make defragging that page file partition unnecessary. Cos windows defrag cannot do it. If the page file is in C: and you have a lot of temp files in there also [OE, internet, cookies.... temp...] [windows writes itself all over the plot too as it is used, so as to make the bits used most more accessible] then the pf can get fragmented , and that will slow things down marginally. Diskeeper has a defrag that will fix it, but u pay for it. But if you put the pf into c: you can temp remove it to another partition, defrag c:, and then put the pf back into c: Takes 60 secs. :). Voila, pf is whole again! But you have a second HD, and that is where the pf should be.
This was the bad bit :- "To get page file access fast you could have one in c: and one in p:" ...what i meant was have one in c: and another in p: on ANOTHER HD. Don't put two pf on the same HD!!
"Now, is your sys optimised for programs and not system cache? Go CP >system>advanced > performance settings >advanced.[whew!] -set both proc scheduling and mem usage for programs." - did you check that also?
Apart from that, make sure your video driver is up to date.

gerbil 216 Industrious Poster

set your BIOS to auto-detect the HD. and make sure cd is at top of boot order. Then format and repartition.

gerbil 216 Industrious Poster

Hmmm, closer n closer... desktop.html. Okay, you could do a search in registry for that name cos it is not a windows file. I think it will turn up under this key...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
where you will find that pathname C:\WINDOWS\Web\desktop.html - delete the Dword. Could be under HKCU. May be in an internet explorer\desktop subkey also.... feel free and safe to delete the Name containing that pathname in those subkeys.
Check also to see if is revealed in the Web desktop settings for your display now.

gerbil 216 Industrious Poster

harding, could you please repost that log and request into a new thread? And define your problem for us also... symptoms are important.
In a new thread it will get individual attention.

gerbil 216 Industrious Poster

XP home passwords. When you install xp a special Computer Administrator profile is created with a default blank password [hit <enter>]. When you create a profile with administrator privileges you have the same privs as the original CA. You have passworded your profile, now go into safe mode which is the only? way to access that CA profile now, log in as the Computer Administrator, and give it a password also. And if you forget it ever, you will be faced with a reinstallation. There is no way out of that if you have SP2. So write it on the inside of your wardrobe door. Wherever.
And then set dear lad up as a user.

gerbil 216 Industrious Poster

Ok, that was really poorly written. What i meant, but barely? got across, is that you should put your pagefile on the non-sys HD. But if you are going to put it on the sys HD, then put it in c: or p:.