gerbil 216 Industrious Poster

hi, janj, great stuff and thanks for returning with your fix, and for the pat. You don't have that trojan problem referred to in that link you mention in your first post - you had a real break in the software [the trojan puts up a false warning, breaks your desktop to scare you, and then sells antispyware - pretty much the sys keeps working. Well, it has to so it can sell stuff..].
Bit of sfc background :

[sfc checks protected files being used by the sys for any overwriting; if it detects that it copies in new files from the dllcache; if the dllcache has corrupted files it asks for the CD.... but it beats me why the cache gets corrupted - i always have to load the CD...]

gerbil 216 Industrious Poster

Yahoo!!!
IE7SUX. So they say. I certainly see a few problems in here with it. Now i would not be so crude... but i believe them. Thank you for the ammo... M$ would say that it was the website at fault... And stick with FF - I cannot decide between it and opera.....
[you may need 6 for that site tho..FF is not mentioned..]

gerbil 216 Industrious Poster

Ok, looks like you can get into Advanced Startup Options [cos u got to the safe mode options..], so try Last Known Good Config [which is saved when windows last did a successful shutdown]. One other thing, since when u have the blank screen you can get task manager up, in the Run box paste this:
%systemroot%\system32\restore\rstrui.exe
-that will give u access to your restore points. Let us know how you go...

gerbil 216 Industrious Poster

ok, just in case, go to the same subkey under HKLM and repeat actions. [you have to reboot after some of these changes, cos the entries have already been read by windows, and it must be forced to take another look..]

gerbil 216 Industrious Poster

IE7. hahaha.... well, i would laugh if that was the cause. Backwards compatibility is not exactly builtin to IE7. If you think it may be then try an uninstall, revert to IE6.... I noted that Opera and firefox are not supported by the driving site.

gerbil 216 Industrious Poster

[the alien process i was referring to before was DMJMGQVAO.EXE - an executable with a fake, constructed name. Your Revealer log was ok as far as it went. And somehow i missed that worm that popped up in your second HT log - it surfaced after we removed the files it generated. Sigh.]

gerbil 216 Industrious Poster

Ennglish, help came in the form of PhilliePhan. There is a worm you need to remove. It's the "parent" of those other files we deleted. In task manager, processes, find logon.exe and stop it. Then go to WINNT\system32 and delete it. Run a new HijackThis scan and fix this entry:
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe.
Run a new scan and post it. Recheck your hosts file, and clean it as before with Hoster if needed, and retry those two security sites.

gerbil 216 Industrious Poster

imabunny.exe.... :) i just get bored... :). Some malwares detect hijackthis and block it from detecting them.... so you change its name to thwart that. What to do now? You're looking clean now, so now for that drive test... I guess that it is running chkdsk, and i learnt something else about that this morning.... you can benefit from it.
To check your system drive you have to be not running the OS, so start chkdsk any way you prefer - easiest is Start > run, and type
chkdsk c: /f and OK, and answer Y to the question about running it on restart. Restart.
[another is to rclick on the drive you wish to test, eg Local Disk (C), properties, tools tab, press Check Now, and then Start. You will be given a report. If it finds stuff, tick both boxes and Start again. You will face the same question about checking on restart, answer Yes.]

gerbil 216 Industrious Poster

anthrax n sexy together??? k. Anyway, put that post into a new thread otherwise it will be missed.. cos the original problem here is pretty well sorted.

gerbil 216 Industrious Poster

Hello, ennglish. I cannot understand why if there is an alien process running, and you stop it [either via Task manager or Hijackthis] and then delete it in the same session that, if it is the root cause of blocking you from security sites such as Panda or Kaspersky, you then cannot get to those sites. Is your hosts file clean? [\windows\system32\drivers\etc\hosts - you open a new notepad and lclick drag hosts into it. There is advice, and the only entry needs to be
127.0.0.1 localhost
Actually, I've been hoping that someone else would hop in with a suggestion - there are other good scanning softwares but i would be uncomfortable advising you to run them because i do not know them intimately enough.
[the first two reports from Revealer are okay, its jamming on ws2ifsl.sys is, it seems, a bug... with the only suggested workaround to run an older version of RKR. Ha....]
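The hosts-file check the post asks for, as an added example that is not part of the thread: it reads hosts-file text and reports every name-to-address mapping other than the single `127.0.0.1 localhost` entry the post says should be there, with a stronger label when the redirected name belongs to one of the scanner vendors mentioned in this thread. The vendor domain list and the sample hosts text are constructed for the demonstration and are assumptions, not taken from the thread.

```python
"""Audit a Windows hosts file for entries that could block security sites.

Added example (not from the forum thread or any tool it names). A hosts file
should normally contain only the loopback entry; malware that wants to stop
you reaching online scanners adds lines mapping their hostnames to 127.0.0.1,
0.0.0.0 or some other address. This script lists every such extra mapping.
"""

# Assumed: hostnames of the online scanners mentioned in the thread. A mapping
# for one of these gets the stronger 'blocked-security-site' label.
WATCHED_DOMAINS = ("pandasoftware.com", "kaspersky.com", "f-secure.com")

# Loopback addresses under which a 'localhost' entry is expected and harmless.
LOOPBACK = ("127.0.0.1", "::1")


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname on each non-comment line.

    The hosts format allows several names after one address and '#' comments
    to end of line; both are handled here.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text):
    """Return a list of (severity, ip, hostname) findings; empty means clean.

    'localhost' on a loopback address is the only expected entry. Anything
    else is 'suspicious'; an entry touching a watched vendor domain is
    'blocked-security-site'.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue
        hits = [d for d in WATCHED_DOMAINS if name == d or name.endswith("." + d)]
        severity = "blocked-security-site" if hits else "suspicious"
        findings.append((severity, ip, name))
    return findings


# Constructed samples: a clean file and a hijacked one.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

HIJACKED_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com   # blocks the online scanner
0.0.0.0         www.pandasoftware.com
203.0.113.10    www.example-bank.invalid           # sent somewhere else entirely
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        findings = audit_hosts(text)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, ip, name in findings:
            print(f"  {severity:22} {ip:16} {name}")
```

On a real machine you would paste the contents of `\windows\system32\drivers\etc\hosts` (opened in Notepad as the post describes) into `HIJACKED_HOSTS`'s place, or read the file, and expect an empty result; every line the audit reports is something to remove with Hoster or by hand.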

gerbil 216 Industrious Poster

You are doing nothing wrong... the two parameters /f and /r are parameters that instruct chkdsk to fix different things on your drive - chkdsk by itself just reports errors but will not fix them. It's my error; you can't run chkdsk on the system volume while the OS is using it, and even in safe mode it is still in use. Which is why, when you try to check the c: drive, you are asked if you wish to run it on restart. I should have told you to say Yes.
[ To work properly chkdsk needs to have a volume locked, or not in use. [volume = drive, eg c:, or d:] which is why i got you to run it in safe mode, but that is not enough... :(]
By any chance do you have IE7?
Okay. If it will not run on restart, then do you have a XP install cd? Because from recovery console on that you can run
chkdsk /p which is a check only, and
chkdsk /r which repairs errors.

gerbil 216 Industrious Poster

cool. I should have gone further and said that if chkdsk /f found problems then to run chkdsk /r. This may take a while.... let it finish! And then check completeness of repairs by running /f again. And if it still finds problems.. /r. You get the picture. One cycle sometimes is not enough.

gerbil 216 Industrious Poster

...The absolute, very last try: get IEFix.zip from this page. It pretty much reinstalls IE6 for you from your CD or OEM source. Instructions are on the page.
http://windowsxp.mvps.org/IEFIX.htm

gerbil 216 Industrious Poster

ok. this is my last throw. can you access other secure sites?..eg try any bank's login page [whether you have an account or not...they should load]
And on the Advanced Internet options page, try unchecking Allow third party browser extensions, and restart. [about 15 options down..] If it's no help, recheck it.....
Could be a cookie gone bad? clear temp inet files n cookies.
That's it. I'm not a code kiddie, so I know nothing more. Best of luck.

And restart your firewall... it won't be that. No sense waving a flag.

gerbil 216 Industrious Poster

one more... if u go start and then rclick Run what do you see in the wee white box that opens? Run? or Create shortcut????
And see in c:\Windows that you have update kb908531..... or control panel [check show updates box]

gerbil 216 Industrious Poster

ok. i thought perhaps your page was not displaying properly. Your internet security is set too high - drop it to medium. [inet explorer window, tools > internet options > security tab > custom level and select medium. In advanced tab choose to set Defaults.]

gerbil 216 Industrious Poster

Start your Recovery Console from the CD. Type
chkdsk /p ...and OK. If it finds any problems, type
chkdsk /r ...and when it finishes do the /p again to check if all is good.
Does it work now? If not, back into Recovery Console and type
fixboot

gerbil 216 Industrious Poster

OK. that policies sub-key again... above system you should see ActiveDesktop.... check its entries - delete any Dword other than default. The entry that is stopping you is prob called NoChangingWallpaper - as i said, delete it or change its value to zero.

gerbil 216 Industrious Poster

i assume that you have java installed?

gerbil 216 Industrious Poster

you have another thread running on this same topic...

gerbil 216 Industrious Poster

hmmm. I'm a bit surprised that you reinstalled - that is a big gun. I think that you only had a bit of registry damage. If we could not have got you going again I would have recommended a Repair installation at most..we would have saved your files.
Anyway, i could guess that you installed a second copy of windows, that there is a prob with the volume sector of the first and that it is now invisible.
If you used a Microsoft install CD you would have selected new installation if it pointed to your old windows...did setup in fact point to your old installation? If you elected a new installation it should have prompted for a format. So if there is nothing in your files that you want to keep, reinstall properly.
You can use the recovery console in your install CD to format the HD...cmd is format c: /Q
Just for a joke, do this....
Start, run, type sysdm.cpl and press ok. Go Advanced tab, Startup n Recovery, Press settings, click Edit, cancel, cancel. Now post that notepad.

gerbil 216 Industrious Poster

Use your powerDVD pgm?
With NERO you just load the dvd, check the finalise box and select burn.

gerbil 216 Industrious Poster

Ow. Let's do this first.
==Delete your copy of hijackthis. Go here and get a fresh copy: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
==Download Look2Me-Destroyer: http://www.atribune.org/content/view/28/ ...copy the instructions on that page into a notepad.

In control panel go to add/remove programs and uninstall surfsidekick, newnet (newdotnet) and Viewpoint manager if they are listed.
Now rescan with imabunny and check these entries [if they exist] for fixing:
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
---and press Fix Checked.

Now, following the instructions on that webpage run Look2me Destroyer and post the log, plus a new hijackthis log.

gerbil 216 Industrious Poster

go to this link and get TCPView. Install it into its own folder cos you may find it worth keeping along with like troubleshooting gear.
Start it by dclicking the .exe. Now have a look and see what is using your connection.
http://www.microsoft.com/technet/sysinternals/networkingutilities.mspx [a source of very good stuff]
By the way, why do you have hp as a home address? Personally i would fix/remove all your R1 and R0 entries [with hijackthis]... but you may think otherwise.
-I do not think that your problem is spyware based, rather that an autostart pgm is trying to download updates. Or something like that.
For example you have a time synch auto start. XP with defaults already does that for you every time you connect to the web, or at least once per week.
So i would remove those R's, and run TCPView. Come back with what you find.

KeithMcL commented: Some love for helping me ;-) +3
gerbil 216 Industrious Poster

OrgName: America Online, Inc
OrgID: AMERIC-59
Address: 22080 Pacific Blvd
..they don't do viruses or trojans there, but the link may be slow.... is it a search engine?

gerbil 216 Industrious Poster

man, you have been hijacked so badly. bump your post. Oh, i guess i'm doing that now... :) I'd help you fix it but i'm busy. actually, repost it in viruses forum.

gerbil 216 Industrious Poster

.....if you have the XP install cd then in that run window type
sfc /scannow
and load the cd. Be prepared to hit enter quite a few times. Come back with the result...

gerbil 216 Industrious Poster

To sort out if it is a hardware related problem, restart your pc, and then hit delete to enter BIOS. Let it sit there for a while to see if it is an overheating/power problem. If it works ok, then go to safe mode and run chkdsk /f.
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.

gerbil 216 Industrious Poster

well, gee!... i hope you got those precious photos off the drive before you reinstalled windows..... or at least they were on a volume that you did not format....

gerbil 216 Industrious Poster

whoa! yes, goldeagle, i was confusing it with power problems setting in BIOS.... IF you can get into safe mode...
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
Then type
sysdm.cpl and <enter> ...go advanced tab, startup n recovery - settings, and uncheck Automatically Restart.
While you are in there see if you can run chkdsk command successfully in Safe Mode. [ chkdsk c: /f ]
But if you cannot get into safe mode then a repair job using the XP install cd is the only next option.

gerbil 216 Industrious Poster

..you mention recovery with win xp disc. what do you mean? since you have that disc, did you go into recovery console and try fixmbr command? that should sort the partition error problem. It may even make the HD bootable again.

gerbil 216 Industrious Poster

of course, to get that CD file and to burn it you will need a friend.... and I quietly curse ppl who alter links so that you will go first to their homepage for the ads etc.... Use this link:
http://www.webtree.ca/windowsxp/Tools/bootdiscs/xp_rec_con.zip

gerbil 216 Industrious Poster

We gotta stop the trojan for a start, cos to fix hal while it is running would invite problems. With your XP install CD proceed to Recovery Console -it's about the first option/decision point you will arrive at.... just use delete to remove that system32\37B.tmp file. To be sure when you boot from the CD it will not be running!!
Done that? then say so n we'll go from there. [if you broke hal then you def won't get any part of windows running til we fix it]

To save a posting relay because you may not be in possession of an Xp install CD, here's a boot disc with a recovery console on it; the console runs from the cd so you don't need an xp cd or any files from your C drive. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... unzip the file to get the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. If you use Nero 6 then the defaults for image burning are fine, skip the silly advice that you may find on the web. Burn it to a CD-RW if you wish; there is no …

gerbil 216 Industrious Poster

into your BIOS [delete key on boot], advanced settings i think, and disallow autorestart on error. Then you will be able to read the error screen at leisure. Tell us.

gerbil 216 Industrious Poster

Quick fix.
Move Hijackthis to a new folder next to your program files. It's okay to use it to scan from your desktop, but not to run fixes from there. While you are at it, rename it to simplesimon.exe.
Start simplesimon, press scan only, put a check against
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
..press Fix Checked.
Update to SP2. It's for your own good. Ignore IE7.
Post another scan log.

gerbil 216 Industrious Poster

You will have to finalise the dvd. Then it will run fine.

gerbil 216 Industrious Poster

a quick reply.. that key you exported is 2000's record of searches and search parameters used recently, so it looks like registry does not launch that .exe file. I'll try to get back later today on a suitable tool to track down that process.

gerbil 216 Industrious Poster

Nothing more to do, log is clean and as straightforward as can be. I do not have access to AOL so i cannot advise you on any aspects of it, except to say that you can use it as an ISP without needing to take the utilities and auxiliary services. These are probably loaded depending upon settings you choose when you install the software. Try a custom install if it exists as an option and see what choices are provided.
Cheers, g.

gerbil 216 Industrious Poster

Of course, you would have tried rclick on desktop, properties, desktop tab, customise, and restore default icons? Highlight an icon and click restore default.

gerbil 216 Industrious Poster

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

=SOUNDMAN.EXE places an icon in your system tray for diagnostic services on your Realtek sound sys. If you don't want it use its option list to kill it.
=RealPlay.exe puts a quick launch icon in your system tray - if you don't use it, remove it. If i did use a quick launch icon for it, …
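A parser for the HijackThis entry kinds quoted in this post and in the earlier "check these entries for fixing" post (O2, O3, O4, O9, R0 and R3 lines), as an added example; it is not part of the thread and not HijackThis's own code. It turns each line into a record (section code, key or kind, name, CLSID, target) and then picks out the O4 autostart entries whose executable does not live under the usual program or Windows directories, or is given with no directory at all. That location test is a review heuristic of my own, not a rule from the thread: it singles out entries worth a second look (bare names found via the PATH, programs run from a temp folder) and says nothing about entries that sit in a normal directory. The log lines below are constructed for the demonstration, adapted from the ones quoted in the thread plus one made-up temp-folder entry.

```python
"""Parse HijackThis log lines and review O4 autostart entries by location.

Added example, not from the thread or from HijackThis. Recognised shapes:
  O4 - HKLM\..\Run: [Name] command line
  O4 - Global Startup: Name.lnk = path
  O2/O3/O9/R3 - Kind: Name - {CLSID} - path
  R0/R1 - HKCU\...\Main,Setting = value
"""
import re

_RUNKEY = re.compile(r"^(O4) - (HK[A-Z]+\\\.\.\\(?:Run|RunOnce|RunServices)): \[(.+?)\] (.+)$")
_STARTUP = re.compile(r"^(O4) - (Global Startup|Startup): (.+?) = (.+)$")
_CLSID = re.compile(r"^(O2|O3|O9|R3) - ([^:]+): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
_RPAGE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
# First program path in a command line: stops at the first .exe/.dll/... that
# is followed by whitespace, a comma (rundll32 entry points) or end of line.
_EXE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)", re.IGNORECASE)

# Assumed: directories where legitimate autostarts on this kind of machine
# live. An executable anywhere else is marked for review, not declared bad.
KNOWN_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "c:\\winnt\\")


def parse_entry(line):
    """Return a record dict for one log line, or None if not recognised."""
    line = line.strip()
    for pattern in (_RUNKEY, _STARTUP, _RPAGE):
        m = pattern.match(line)
        if m:
            return {"code": m.group(1), "kind": m.group(2), "name": m.group(3),
                    "clsid": None, "target": m.group(4)}
    m = _CLSID.match(line)
    if m:
        return {"code": m.group(1), "kind": m.group(2), "name": m.group(3),
                "clsid": m.group(4).upper(), "target": m.group(5)}
    return None


def executable_of(target):
    """Extract the program (or, for rundll32, the loaded DLL) from a target."""
    t = target.strip()
    if t.startswith('"'):
        return t[1:t.index('"', 1)]
    if t.lower().startswith(("rundll32 ", "rundll32.exe ")):
        t = t.split(None, 1)[1]          # the DLL it loads is what matters
    m = _EXE.match(t)
    return m.group(1) if m else t.split()[0]


def count_by_code(lines):
    """Return {section code: number of recognised entries}."""
    counts = {}
    for line in lines:
        rec = parse_entry(line)
        if rec:
            counts[rec["code"]] = counts.get(rec["code"], 0) + 1
    return counts


def review_autostarts(lines):
    """Return [(name, exe)] for O4 entries whose executable is outside KNOWN_DIRS."""
    flagged = []
    for line in lines:
        rec = parse_entry(line)
        if rec is None or rec["code"] != "O4":
            continue
        exe = executable_of(rec["target"])
        if not exe.lower().startswith(KNOWN_DIRS):
            flagged.append((rec["name"], exe))
    return flagged


# Constructed sample log (adapted from the thread; the 'Updater' line is invented).
SAMPLE_LOG = r"""
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
""".strip().splitlines()

if __name__ == "__main__":
    print("entries per section:", count_by_code(SAMPLE_LOG))
    for name, exe in review_autostarts(SAMPLE_LOG):
        print(f"review: [{name}] -> {exe}")
```

Paste a real log in place of `SAMPLE_LOG` and the two flagged kinds are the ones to look up before fixing: a bare filename (here `SOUNDMAN.EXE`) is resolved through the PATH at logon, and anything starting from a temp or profile folder has no business autostarting without a known reason.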

gerbil 216 Industrious Poster

In your "multithreading" machine the various threads are assigned priorities - these priorities for some threads are dynamic, for realtime processes they are not. The thread with the highest priority is assigned a moment [or more] of computer time, then the next, and so on. If not much is happening eventually the thread with the lowest priority [zero] gets some CPU time. That is the system idle process. If nothing else is requesting CPU time then the thread that is the idle process gets it. What does it do? It accounts for the time when nothing else wants the CPU. Yours is 99% and that is fairly typical for most PCs in normal use. If you dl a file, visit a gory web page or play some music you will see that figure drop somewhat.
So your machine is humming along just fine.
If, however, in TM you tap the Performance tab and see CPU usage as approaching 100%, then some real process is working overtime. It can be due to a faulty application, or just a process that demands a lot of CPU time, like a virus or spyware sweep. Play music and it could run at 5 - 12%. Play a video and expect maybe 5 - 25%.

gerbil 216 Industrious Poster

In TM, select processes as before, go up to View, select columns and ensure CPU Usage and CPU Time are checked.
In CPU column.... eyeball some average figures for the bigger numbers showing and report them here with the process name [they prob correspond to the larger times in CPU Time].
[you've reported memory usage figures n i cannot tell much from them...]
Page file is the hard drive portion of your virtual memory. Backup RAM if you like.
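How the CPU Time and CPU Usage columns from this post relate, and how the idle process figure from the previous post comes about, as an added example that is not part of the thread: CPU Time is cumulative, CPU Usage is the share of a sampling interval a process consumed, so two CPU Time snapshots taken some seconds apart give the usage over that interval, and whatever no real process used is what the scheduler handed to the idle thread. The process names, times and the 80% "working overtime" threshold are constructed for the demonstration.

```python
"""Relate Task Manager's cumulative CPU Time to its per-interval CPU Usage.

Added example, not from the forum thread. Two snapshots of the CPU Time
column, taken interval_s seconds apart, give each process's usage over that
interval; the remainder is the System Idle Process figure.
"""

IDLE = "System Idle Process"


def usage_from_snapshots(before, after, interval_s, cpus=1):
    """Return {process: percent of the interval used}.

    before/after map a process name to cumulative CPU seconds. A process
    that appears only in 'after' started during the interval, so its earlier
    time is taken as 0. With several CPUs, 100% means every CPU was busy.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    capacity = interval_s * cpus
    usage = {}
    for name, t_after in after.items():
        delta = max(0.0, t_after - before.get(name, 0.0))
        usage[name] = round(100.0 * delta / capacity, 1)
    return usage


def idle_percent(usage):
    """Whatever no real process asked for went to the idle thread."""
    busy = sum(pct for name, pct in usage.items() if name != IDLE)
    return round(max(0.0, 100.0 - busy), 1)


def overtime(usage, threshold=80.0):
    """Names of processes using at or above the threshold share of the CPU."""
    return sorted(name for name, pct in usage.items()
                  if name != IDLE and pct >= threshold)


# Constructed snapshots (cumulative CPU seconds), taken 10 s apart on one CPU.
BEFORE = {"svchost.exe": 12.4, "explorer.exe": 31.0, "firefox.exe": 90.5, "avgscan.exe": 0.0}
AFTER_QUIET = {"svchost.exe": 12.5, "explorer.exe": 31.2, "firefox.exe": 91.0, "avgscan.exe": 0.0}
AFTER_SCAN = {"svchost.exe": 12.5, "explorer.exe": 31.2, "firefox.exe": 91.0, "avgscan.exe": 9.1}

if __name__ == "__main__":
    for label, after in (("quiet", AFTER_QUIET), ("during a scan", AFTER_SCAN)):
        usage = usage_from_snapshots(BEFORE, after, 10)
        print(f"{label}: {usage}")
        print(f"  idle {idle_percent(usage)}%  overtime: {overtime(usage)}")
```

The quiet snapshot reproduces the situation the posts describe (idle in the nineties, everything else a few percent); the scan snapshot shows one process, the sweep, taking almost the whole interval, which is what "approaching 100%" on the Performance tab looks like when broken down per process.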

gerbil 216 Industrious Poster

After that, well, you get rid of SpySherriff.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.

Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.

Before the next step memorise these instructions... or copy them to notepad.
Ok, you're done with the net. Shut it down.
Check that a Restore point has been made. The path to this is via Start > all programs > accessories > system tools> system restore.
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
Note: Close all open …

gerbil 216 Industrious Poster

ws2ifsl.sys should only be in WINNT\system32\drivers. [typing error? ws2fsl - there should be no such file in 2000/xp]
Search for ws2ifsl in your C: drive. It should only occur the once, as above.
DMJMGQVAO.EXE is not a known process. Use task manager to stop it running, search for it and delete it. If it starts again on reboot then it and its registry keys are being hidden.
Kaspersky and Panda scans I have listed above are online scans - u must be connected...although they download activeX controls as scanning machines and files of identifying strings they only run connected.
Go Start >run, type regedit and <enter>. Highlight My Computer at top in lh pane, then under Edit tab click find, and type in DMJMGQVAO and press <enter>. If it finds anything please export that key: look for the open folder icon in the left pane, highlight it with a lclick, go File, export... , save as DMJMG with file type .txt. Close regedit and post that txt file and any news of DMJMGQVAO.EXE behaviour after deletion.

gerbil 216 Industrious Poster

which process is using the time? check in task manager. It can be due to one of your constantly running pgms gone bad, and which needs reinstalling - it may show under applications tab. Net usage? Is that correspondingly high? Need a bit more info.

gerbil 216 Industrious Poster

btw, your DSclock pgm. XP does a time synch test every time you connect to the net [unless you specifically stopped the service]. It keeps your pc within 10-15secs of real time. Atomic clock synch services take no account of packet travel times to/from your puter, so do not expect to be totally accurate.

gerbil 216 Industrious Poster

No, it's not as far as we can go. If it is that your computer is still hijacked by a trojan then it is concealed. Try these scans and post any positive results. For the first two do not use your computer while it scans.
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.
==Pandasoftware ActiveScan from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address... To reduce the number of detections run CCleaner first to remove cookies.
==Kaspersky online scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
And if they do not find anything then we shall examine the traffic from your pc, find what is running.
Of course, you may be blocked from those sites..
alternative site
blacklight: http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html

gerbil 216 Industrious Poster

maybe i should do it myself more often :P

er.. i think that could be off-topic...:eek:

gerbil 216 Industrious Poster

Good-oh, then you are clean. Just start AVG a-s, infections tab and remove sys32. It pays to have a look at what AVG has in quarantine before you do a mass removal, cos it does occasionally pick up false positives.
Cheers.