gerbil 216 Industrious Poster

Get the PCI converter, connect up, leave the IDE HD set as master cos it is not important here, make a system partition [say 8 - 10GB for XP] on the SATA and mark as active, and install windows. [Or just do a fresh install and during setup make a windows partition on the SATA]. Copy your gear over and do what you will with the old IDE. Use it as a page file....
{the 8 - 10 GB windows partition? -you work out what you want as a setup.... windows in its own volume, apps in another, data in a third..?? Or as most do- one huge volume. c: rules...:rolleyes: }

gerbil 216 Industrious Poster

Windows is in c:, right? And you have Windows' page file as volume s: on the same disk. There is absolutely no point in doing that. The idea is to put the page file on another DISK, not just another VOLUME: while the drive heads are accessing your page file, they are not accessing other gear, so if you are going to have the sys vol and page file on the same disk, well, it may as well be in c:.
Do you have any page file in c:? To get page file access fast you could have one in c: and one in p: - that way the paging area on disk is physically close to the processes which are using it...; having it in s: only means that it is physically remote. Your page files should be 1.5GB.
Now, is your sys optimised for programs and not system cache? Go CP > System > Advanced > Performance Settings > Advanced. [whew!] -set both processor scheduling and memory usage for programs.
If that doesn't work, then i'm out.

gerbil 216 Industrious Poster

Get eMule, or LimeWire Basic. I use them both; they in themselves are safe, but whether the files you download are, well, that is up to the bloke who put them up. Isn't it?

gerbil 216 Industrious Poster

Heck, you have the license, you have the key, just borrow a copy of 2000 from a mate. The CD, I mean.

gerbil 216 Industrious Poster

Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-----Delete this DWORD:- Name: Wallpaper


Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
-----Delete these DWORDs:-
Name: NoActiveDesktopChanges
Name: NoActiveDesktop
Name: ForceActiveDesktopOn

And that should be the end of the problem. They are very likely not duplicated there, but check the corresponding subkeys under HKLM also, and duplicate the actions. I imagine the bug acted on a current-user basis.

gerbil 216 Industrious Poster

Good stuff. Google have a bad "web accelerator" also, if you are unlucky enough to be landed with a dud IP number that they assign. It actually does not work, and they will not fix it!

Glad you are on your way again.

gerbil 216 Industrious Poster

well that's just gotta be a Yahoo!! thing, now doesn't it?
[not the website, but the original, happy cry of success]
Thanks for posting the fix...

gerbil 216 Industrious Poster

Yeah, a search on those things would be easier... RKR has a good explanatory web page; it will also be in your RKR folder as a .chm file - double-click it to open it to read.

gerbil 216 Industrious Poster

...after 30 days AVG stops being a resident checker anyway... and you just update it and run it on demand - when you have a problem.
Delete the SDFix backup file. It obviously does not contain anything you are missing, so it is okay to delete.
"you remove the start entry [O4], then stop and delete the process, and that should be it" - not an instruction, more a dissertation on a train of events that should work. The lower section of the HT logs contains registry keys that are deemed worth checking by the HT author because they are registry locations that are often chosen by malware to initiate their various actions automatically. "Fixing" means that HT removes the selected registry entry, and only that one. An O4 key is a startup key that loads processes etc. and runs them at start of Windows. Various other specialty software, e.g. Avenger, will remove the processes and many keys associated with those processes.
"Is this what you meant by "those two entries will not go?"". Precisely. Something is regenerating those keys, even though their target files are missing - they can do no harm, but it irks me that something is still resident.
"stopping a process" - most will not let you delete them while they are running. Many malwares load copies of their processes into other areas/folders and, when the main running process is removed, will, if some other code is remanent, regenerate their functions.
As an …

gerbil 216 Industrious Poster

Gee, maui, I tried using the scroll bar in your pic to see all the processes... :). Maybe you could stretch the window vertically so all processes show?

gerbil 216 Industrious Poster

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mside.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sys32.exe
-these two subkeys are still showing up as O23 entries.

I do not understand this. AVG AV when it finally ran detected and removed mside.exe. Now a service loader entry has appeared [for the first time in the log].
sys32.exe was detected and quarantined by AVG 7.5, and its helpers removed by SDFix; I asked you to check that it was missing from your system32 folder [it was] and to fix the O23 entry, but it has remained right through.
These two backdoor trojans [the third was logon.exe, which you stopped with HT..] should be easy to stop: you remove the start entry [O4], then stop and delete the process, and that should be it. The damage can then be repaired. But those O23 entries will not go.
I asked you to fix the logon.exe entry: O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe - but it pops up in the next scan!
And now another service startup has appeared, probably related to the DMJMGQVAO.EXE earlier - the new one is

O23 - Service: KSAWX - Unknown owner - C:\DOCUME~1\student\LOCALS~1\Temp\KSAWX.exe (file missing)

So please fix that one and these two also.
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

See how you go...
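A small triage script for HijackThis-style log lines, added here as an example; it is not from this thread, from gerbil, or from the HijackThis project. It works on two constructed scans built from the O2/O4/O23 lines quoted in this thread plus one made-up legitimate AVG service line (Avg7Alrt), so that a clean entry is present. It flags entries whose target reads "(file missing)" or "(no file)", sits in a user's Temp folder, or has an unknown owner, and then shows which entries you "fixed" are back in the follow-up scan, which is the sign the posts above describe: HT only deletes the registry value, so a value that reappears is being rewritten by something still resident. The three line shapes it parses are an assumption taken from the entries shown in the thread; any other section is ignored.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample logs: the O2/O4/O23 lines quoted in this thread, plus one
# made-up legitimate AVG service line (Avg7Alrt) so a clean entry is present.
# SCAN_BEFORE is the log before "Fix checked"; SCAN_AFTER is a hypothetical
# follow-up scan after fixing the BHO, the logon.exe O4 and the KSAWX O23.
SCAN_BEFORE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O23 - Service: KSAWX - Unknown owner - C:\DOCUME~1\student\LOCALS~1\Temp\KSAWX.exe (file missing)
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O23 - Service: KSAWX - Unknown owner - C:\DOCUME~1\student\LOCALS~1\Temp\KSAWX.exe (file missing)
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O4" or "O23"
    ident: str     # BHO CLSID, Run value name, or service short name
    owner: str     # O23 only; "" otherwise
    target: str    # the file the entry points at, as HijackThis printed it
    raw: str


# Assumed line shapes, taken from the entries in the thread; other sections are ignored.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
_SHORT = re.compile(r"\(([^()]+)\)$")   # "(mside)" at the end of a service display name

MISSING = ("(file missing)", "(no file)")


def parse_log(text: str) -> list[Entry]:
    """Turn the recognised HijackThis lines into Entry records, in log order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["clsid"], "", m["target"], line))
        elif m := _O4.match(line):
            entries.append(Entry("O4", m["name"], "", m["target"], line))
        elif m := _O23.match(line):
            s = _SHORT.search(m["name"])
            entries.append(Entry("O23", s.group(1) if s else m["name"], m["owner"], m["target"], line))
    return entries


def triage(entries):
    """Return (entry, reasons) for every entry that deserves a second look."""
    flagged = []
    for e in entries:
        reasons = []
        if e.target.endswith(MISSING):
            reasons.append("orphan")         # loader key survived, payload is gone
        t = e.target.lower()
        if "\\temp\\" in t or "\\locals~1\\" in t:
            reasons.append("temp-path")      # a service binary in a user's Temp folder
        if e.section == "O23" and e.owner == "Unknown owner":
            reasons.append("unknown-owner")  # binary carries no company/version info
        if reasons:
            flagged.append((e, reasons))
    return flagged


def removed(before, after):
    """Entries that were in the first scan and are gone from the second."""
    still = {(e.section, e.ident) for e in after}
    return [e for e in before if (e.section, e.ident) not in still]


def regenerated(after, fixed_idents):
    """Entries you 'fixed' in HijackThis that are back in the next scan.
    HT only deletes the registry value; if it reappears, something resident
    is rewriting it (or the owning process was never stopped)."""
    return [e for e in after if e.ident in fixed_idents]


if __name__ == "__main__":
    before, after = parse_log(SCAN_BEFORE), parse_log(SCAN_AFTER)
    for e, why in triage(before):
        print(f"{e.section:<3} {e.ident:<40} {', '.join(why)}")
    fixed = {"Windows Logon Application", "KSAWX", "{7E853D72-626A-48EC-A868-BA8D5E23E045}"}
    print("removed by fix:", [e.ident for e in removed(before, after)])
    print("came back:", [e.ident for e in regenerated(after, fixed)])
```

Run it on a real pair of logs by replacing the two constructed strings with the saved HijackThis output before and after you press Fix checked; an entry listed under "came back" is the one to go after with a process stop or a boot-time deletion rather than another Fix.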

gerbil 216 Industrious Poster

AV, I suppose... AVG Free or Avast. But you can grab an antispyware, e.g. AVG AS 7.5, when necessary. Instead of one of those, get SpywareBlaster - that keeps out a lot of the known bad ones, and runs cleaner, lighter.

gerbil 216 Industrious Poster

Please check your c: root for some strange files with names that seem to refer to photographs, and with extension .scr. But don't double-click them, or otherwise open or start them!!
Delete the SDFix backups folder contents.... the 3 files are at the bottom of your last post.

gerbil 216 Industrious Poster

If your mum only goes to reputable sites... banks, etc., then all she needs is Windows Firewall, no AV, no AS. But who knows what mums get up to when the door is closed.

gerbil 216 Industrious Poster

did you by any chance have the IE7 beta installed at one point, and then revert to IE6?
I'm looking at this entry - check it for fixing with HT, and fix it.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

gerbil 216 Industrious Poster

Click this:
http://activex.microsoft.com/controls/vb6/vbrun60.cab
POW!! and you're there, and ready to download. :) I could have given you this link straight off, but generally if it is at all useful I prefer to give the page the link is on... to show what is happening, what you are getting, and if it's a small co., to expose you to their ads...

gerbil 216 Industrious Poster

You're probably cranky at me for saying that, but I don't know what is on your homepage, and Flash Player files running in the background can still put their audio out.
One other thing: go Control Panel > Sounds and Audio Devices > Sounds tab and select No Sounds, Apply and OK.

gerbil 216 Industrious Poster

If it worked once, then the number of pins in the PSU plug should not be important. But their placement in the mobo socket will be. So I'd go on Google with mobo make/model and PSU model and get info, diagrams.... the latch/alignment mechanisms may not necessarily force the correct alignment.

gerbil 216 Industrious Poster

Get some free shredder software... [AVG A-S 7.5 includes one, ...from Grisoft]. Shred the sensitive folders or files, delete everything else, then REINSTALL with partitions of different sizes to your original installation [reinstall with a full format of each partition..]

gerbil 216 Industrious Poster

Norton Ghost is a program... I was being silly. :-|
Just another wee thought... that home page of yours... it doesn't have any embedded gifs with crabs clicking claws, does it? Because your log is clean.... leave your Norton alone... :)

gerbil 216 Industrious Poster

IE7 is capable of many foul things... but it doesn't often remove PSU pins....
Anyway.. "reformat windows"... do you mean you formatted the system volume [partition] and reinstalled Windows? Then you replaced the mobo and CPU, [so I guess the first reinstallation is a tad irrelevant here... :)] the HD, vid card and RAM...??!! There is only the NIC, burner and case left! Everyone has a burner...

gerbil 216 Industrious Poster

Have you got the XP install disk for your update level? e.g. XP + SP2..
Run sfc /scannow
just in case svchost has a glitch, or some other process it handles.

gerbil 216 Industrious Poster

Norton's Ghost, fer sure.

gerbil 216 Industrious Poster

...post another log... but run smitfraudfix first... only the first step ... #1.

gerbil 216 Industrious Poster

I am not concerned with winlogon.exe - that is a valid M$ file....
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
I asked you to fix this one some days ago - it is still there. Either you missed fixing it, or it has been regenerated - one of the little knacks some trojans have. Logon.exe is sophisticated - it is not above calling for replacement files. Fix this entry, and see if it reappears. If it does, run Avenger as I advised. If Avenger cannot find the path and associated keys then it does nothing. It would have removed this key, and any others of that family that do not show in HT.

gerbil 216 Industrious Poster

If you only did a repair there may be a chance. That problem is often derived from a hardware malfunction. Power off, and replug every connection in there - IDE cables, video cards, network, and RAM. No go? And you've got multiple RAM sticks? Pull one, try, swap, try. Of course, everyone cleans the thing while the case sides are open....
No go still? Ooooooo....
OK, pull the HD and put it into another PC as slave. Get your stuff off it if it will let you.

gerbil 216 Industrious Poster

OK. Blue screen with error - tell us the error. Can you get into safe mode?
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
See if you can run chkdsk command successfully in Safe Mode. [ chkdsk c: /f ]

gerbil 216 Industrious Poster

Panda fixes viruses usually for no charge; AVG will get the spyware that Panda would otherwise charge you for. I was mainly interested in seeing the panda log, plus knowing the timing of that last HT scan log...

gerbil 216 Industrious Poster

Did you run that last Hijackthis scan after you did panda and AVG antispyware scans?

Panda would have fixed the viruses, correct? Did it fix the rootkit? And yes, they do charge to fix spyware, but there are other tools, and they do identify the targets. Post the panda log.
AVG antispyware is a good scan; I'd not worry about the Trend scan.

Please run CCleaner, and then try these two:
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through...
-post their logs too.
I still see that logon.exe startup reg entry there.. now if you ran that last Hijackthis scan AFTER AVG and Panda then we can assume that logon.exe is being protected.
If so, download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure!!
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:-

C:\WINNT\System32\logon.exe

...and click Done, and finally the green light. Follow prompts to reboot your machine.
Do a fresh hijackthis scan and post the fresh log, please. Look for this file and post it also: C:\avenger.txt
Do post the blacklight and kaspersky logs also.

gerbil 216 Industrious Poster

I changed my earlier post, then saw you were now talking thumbdrives... but decided still to put up my mod post to make the thread sensible.... :)

gerbil 216 Industrious Poster

Well, yeah, a floppy will be FAT.
Lots of stuff to comment on here.
First off, you can put more than one partition on a disk, and you can mix the formats on it to have both NTFS and FAT32, or have several of either, all FAT32 or all NTFS. Or FAT if you wish to have MS-DOS.
You are using XP, and I shall assume that it will continue to be your main opsys. XP will only let you format up to 32GB as FAT32, but it will read a partition much larger [depends on your BIOS] - you just gotta set up the partition with other software. Generally though, XP can handle the building of them, within limits.
Bootsectors and stuff. When you set up the partition(s) on the disk a boot sector will be written for each volume; one, and one only, of them must be marked as active, unless this is a slave disk. There will be only one boot sector per volume [or drive, if you wish.. e.g. d:]. The disk's master boot record will be written at the same time. Only one of these per disk.
Now I may be way off beam here, explaining what you don't wish to know, but I'll continue.
Windows expects/demands to be on the first partition on the master [hence usually found in c:, or g: if you name it that...]
Startup. BIOS whirs, searches for the master boot record …

gerbil 216 Industrious Poster

SpywareBlaster, AVG Free or Avast, AVG Antispyware, ZoneAlarm and Ad-Aware. Google for the home sites.

gerbil 216 Industrious Poster

Go to this page and download the Visual Basic 6 service pack [link is just under the More Information subhead] - save it to a download folder. Double-click the file vbrun60.cab to extract its content [to the same folder will do], then double-click that vbrun60.exe - it self-installs files into your system.
http://support.microsoft.com/kb/823746
Then try to run HT again.

gerbil 216 Industrious Poster

You did not run ATF Cleaner first, did you...? That would have removed those cookies and emptied the Recycle Bin. Running a cleaner before a scan can cut the report dramatically.
Anyway, let's go after msmss.exe.
===Download Pocket KillBox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Double-click KillBox to start it.
Select "Delete on reboot", click the "all files" button.
>Copy the pathname in the following line into the textbox:-

C:\WINDOWS\system32\msmss.exe

Click the red and white X button, click Yes on the reboot prompt, click OK if a PendingFileRenameOperations box opens. [do not be concerned if it says it cannot find a file...]
When the PC starts, see if that file has been removed from the system32 folder.
Any popup?

gerbil 216 Industrious Poster

Can I clarify something here? What exactly do you wish to put on this USB bootable device? DOS? i.e. MS-DOS, which runs command.com, or cmd.exe, which is what runs in the command window in XP if you type cmd and OK in the Run window?

gerbil 216 Industrious Poster

Oops, I pulled it because after I posted I saw that you were talking USB. Well, I suppose it holds germs of usefulness, so I'll put it back....

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

..nothing shows in your log. I'd reload Excel....

gerbil 216 Industrious Poster

"Quoted by gerbil:
you have another thread running on this same topic...

the other one was about my desktop problem and now it's my hard drive >:"

"ok I just reinstalled with an XP CD
everything seems to be working fine but... I have another problem now
it indicates I have 60GB of data unaccounted for
I can't seem to find where it is coming from; I was hoping to restore it completely new w/o using a recovery CD since I lost mine"

...Oh yes you dooo..... anyway, I wasn't chipping you, not my job, I was merely pointing out in a mild way that I had posted on this problem in the other thread.
Are you sorted yet? I was wondering, if you ran fixmbr, whether that would rewrite the partition table in the MBR to show the hidden partition.. dunno, never had this particular problem...

gerbil 216 Industrious Poster

Heh... OK, then. These next steps are to kill two birds... we may be able to see if you have any infections which might also be the cause of your intermittent shutdowns [some viruses do that], and may be able to guide you in ways to unburden your PC of unnecessary processes which slow things down.
If and when that XP disc turns up, try running a scan which checks the integrity of many Windows processes.
Insert the CD, and go Start, Run, type sfc /scannow ...and OK. Be prepared to hit Enter many times while it runs.
Meantime, get HijackThis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your Program Files.
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows, including the Explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.
And how is the PC performing so far? Still shutting down? That can be temperature induced - unplug the power, whip the sides off the case and gently go to work with a vacuum cleaner and soft, long-bristled brush. Get the fan on the processor board clean.

gerbil 216 Industrious Poster

So you removed that jumper, set it to clear position? And nothing? Does the floppy drive start if you load a floppy in it before power on? If so, download a flash file, unzip it onto a floppy, insert it and see what happens when you power the thing up. Or try a thumb drive....
And now I'm out of ideas. Get the CMOS reloaded by a tech or take the opportunity to upgrade your mobo.
Someone else in here is sure to know more....

gerbil 216 Industrious Poster

Good-oh, I clicked on it while checking your log just to make sure. It downloaded me a virus inside 5 secs!!

gerbil 216 Industrious Poster

Hang on, first do this as a matter of urgency!!
Start HijackThis, do a scan and put a check against this entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xxxxxxxxxx [zinblog]
and press Fix Checked.
You go there, you get a virus. I killed the link in the post so no-one would click on it... :)
AND DO THAT PANDA SCAN FIRST, right after the ATF Cleaner runs.

gerbil 216 Industrious Poster

hello, sexy.
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1
--click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox at the top, Select All again, and Empty Selected again.
Close ATF.
===Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and update it.
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in using your account if it is an admin type, or the Administrator account and password. NOTE: The password is blank by default unless you set a password.

Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list …

gerbil 216 Industrious Poster

Is this the end.

Heh, I bet it felt like it.
POWER OFF AT THE WALL [pull the plug], inside the case ground yourself by touching the metal framing with both hands, pull the CMOS battery and swap the jumper - check your instruction book if you have one, or go to the Asus site if you don't know where it is, otherwise just leave the battery out while you have lunch. Replace the jumper after, oh, 20 secs, and the battery. BIOSes have a bit of programming inside which cannot be flashed like the CMOS.... you restore it to that by killing the CMOS coding.
The thing should start when you power up. Now try a flash again from Asus. If for some reason you cannot get online with the PC, a floppy flash should be available.

gerbil 216 Industrious Poster

I do not know what put that msmss.exe file in your pc. Related to the popup, so it has to be a trojan. It is strange that the popup mentioned it....
If Adaware does not find anything, try this antispyware program:
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and update it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

gerbil 216 Industrious Poster

I cannot see any linkage between your hard drive failure warning and a popup for Themida.
For a start, I would heed the warning [which comes from software built into the drive] and backup the good stuff.
The themida popup...[does it still include a newdotnet reference?]
First off, find msmss.exe in task manager under processes tab [click the name header to alphabetise the entries], then stop it [if it is there]. Next search for it in your system32 folder and rename it to msmss.exe.old
Ok.

===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1
--click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox at the top, Select All again, and Empty Selected again.
Close ATF.
===Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up …

gerbil 216 Industrious Poster

Very likely... but just so we don't do too much damage, OK, any damage, would you please export that subkey and post it here?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Left-click Explorer in the left pane to highlight it, go File, Export, name the file bungdesktop and save as .txt.
Do the same for the \System subkey also [you choose the filename this time.. :)].

gerbil 216 Industrious Poster

There is no need to worry about going into safe mode to run chkdsk, because you are getting into normal mode. chkdsk makes that offer to run on restart! It then runs before the operating system [Windows] loads. It will do checks of your volumes [volumes are the partitions represented by your drive letters, e.g. c:, d: are volumes] while Windows is running, but will not do fixes.


for your info..:
===To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode[ with Command Prompt, or other options] and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account [if it is an admin account] or the Administrator account and password. NOTE: The password is blank by default unless you set a password.

gerbil 216 Industrious Poster

Oops, I've confused you.....
Just for a start, you don't need Vista if you like having $150 in your pocket. XP works fine for me; I cannot see myself changing to Vista - what would the reason be? And it needs more RAM than XP. Think bloat.....
IE7? hand me that bargepole and the garlic. IE6 works; so do Firefox and Opera, and better...
Now to the chkdsk problem.
To check your system drive you have to be not running the OS, so start chkdsk any way you prefer - easiest is Start > Run, and type
chkdsk c: /f and OK, and answer Yes to the question about running it on restart. Restart.
[another is to right-click on the drive you wish to test, e.g. Local Disk (C:), Properties, Tools tab, press Check Now, and then Start. You will be given a report. If it finds stuff, tick both boxes and Start again. You will face the same question about checking on restart; answer Yes.]
...and at restart, chkdsk should run before Windows loads...
Running it from the XP CD was just another option.... :). But yeah, if, when your mum comes good with it, you think the puter is full of junk, well go ahead and reinstall - set the thing up the way you want it.