Compatible Support Forums

Everything posted by mctonale

  1. Why would you want to install 98se on a system that already has xp.sp2 + 2K? 98se isn't being installed because your hard drive uses NTFS file system? (98se can only be installed on fat32.) If you really want to install 98se you will have to revert to fat32. I learnt everything I know from 98se, but xp is soooooooooo much better.
  2. mctonale

    Please help remove trojan.

    I have a recurring trojan (long story) called installer.exe (c:\documents and settings\me(or any other login)\local settings\temp\.). Searched for files containing text "installer.exe": none but spybot reg backups. On startup it(?) opens www.freewebs.com\anywho\plays.html (may not be exact). Searched for files containing text but none exist. It also deactivates my sp2 firewall on startup. Don't want to think about what else it is doing. Removed all: Viruses (AVG - up to date) Adware (Ad-aware - up to date) Spyware (spybotS&D - up to date). Managed to remove malware with Windows-KB890830-V1.4-ENU.exe (easier said than done). AVG detects and removes (or heals) it, but the next time I restart there it is again. I didn't restart very often because of a faulty RAM module (easier and cheaper to hibernate). Found this http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075415 but none of the files it suggests exist. I think it has been spread from my computer. Got 900 undeliverable e-mail reports in 3 hours (now suppressed using junk mail filter). (I think that was the malware, though it seems to have stopped trying to send.) Can anyone help?
  3. mctonale

    Please help remove trojan.

    All running fine now. Thank you so much.
  4. mctonale

    Please help remove trojan.

    Here is the one with trojan deleted.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:25:53, on 29/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\McAfee\QuickClean\Plguni.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\jflv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\oxlbcawg.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
    C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.uzy
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Program Files\3B Software\GhostSurf\GhostSurf.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Opera\Opera.exe
    C:\Documents and Settings\Tony\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [msnappau] C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    O4 - HKLM\..\Run: [imonitor] C:\Program Files\McAfee\QuickClean\Plguni.exe /START
    O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\Tweak-XP Pro\AdBlocker.exe
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad Blocker Pro] "C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.exe" -minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [updater] C:\WINDOWS\System32\oxlbcawg.exe
    O4 - HKLM\..\RunServices: [system Updates Manager] winserv32.exe
    O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe /startmonitor
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
    O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Startup: GhostSurf.lnk = C:\Program Files\3B Software\GhostSurf\GhostSurf.exe
    O4 - Global Startup: LG SyncManager.lnk = ?
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\3B Software\GhostSurf\info.allow.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.allow.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.allowimg.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\3B Software\GhostSurf\info.block.html
    O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.block.html
    O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.blockimg.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
    O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106346043992
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
    O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)

    Thanks for your help.
  5. mctonale

    Please help remove trojan.

    Got a HijackThis report (with trojan removed). Will this do or will you need one with the trojan active?
  6. mctonale

    need gmail.?

    Who should want to know what anyone does with their computer and why? My tin-foil hat is staying on for now, thank you.
  7. mctonale

    Simple question?

    And if you can't find it there? Google it. (Include the extension.)
  8. mctonale

    Slow to open folders on my desktop

    I try to do mine every couple of weeks and it still takes ages.
  9. mctonale

    Slow to open folders on my desktop

    Might seem obvious but have you tried defragmenting the drive?
  10. mctonale

    Slow to open folders on my desktop

    Have you scanned for adware and spyware? If not, try these, they're free: http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=lst-0-2 http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1 Also, you might want to think twice about using Internet Explorer; below is a link for Firefox. http://www.download.com/Mozilla-Firefox/3000-2356_4-10335582.html?tag=lst-0-1
  11. mctonale

    KEYBOARD CONFIGURATION

    I have had this problem many times. You have an English keyboard with the " and 2 as the same button. When you reinstall Windows it automatically configures for an American keyboard. To change it back to English go to control panel\regional and language options. Click languages tab and in Text services and input languages click details and add the English keyboard. Once this is done you can remove the American one.
  12. mctonale

    system slowing?

    After my computer has been on for a couple of hours it tends to slow down. I had done a full system scan earlier using AVG, Ad-aware, Spybot and 3b software win reg repair pro. When the system slowed a couple of hours later I ran them all again. AVG found nothing, Spybot found nothing but the usual dso exploits, but 3b reg repair found entries for intralaunch and removed them. My system was immediately running at full speed. I have never had this program installed and don't like what I have been able to find out about it. Anybody got any theories on how it got there, what it was doing and how I can stop it happening again? Thanks. [Edited by mctonale on 2005-02-16 18:41:43]
  13. mctonale

    system slowing?

    Lol thanks alex. Looking at what you said about IRC, is it possible that I picked up this infection from someone I was talking to on MSN Messenger?
  14. mctonale

    system slowing?

    You kind of lost me there alex. Thanks anyway. I have had no proper training, everything I know I have found out for myself. Removed entries by hand. Just looked into RegSvr32.exe, found this @ http://vil.nai.com/vil/content/v_99144.htm ref virus: DDoS-Apbot@MM A new variant of this threat was discovered on July 27, 2001 by Virus Patrol, a newsgroup scanning service by McAfee AVERT, using heuristic algorithms. This is an IRC bot and mass-mailing worm which attempts to delete certain security software. It may be received in an email message containing the following information: Subject: Virus Alert! Body: Businesses of all kinds have suffered today as a virus has been unleashed, please find the attatched cleaner and run it. You cannot tell if you have this virus until you run the cleaner. Attachment: Regsrv32.exe When run, it copies itself to the WINDOWS SYSTEM directory as REGSRV32.EXE (not to be confused with the valid REGSVR32.EXE) and creates a registry run key to load the worm at startup: Unfortunate typo. Anything else you think I should check for? If they only used this as part of an attack, maybe there are other items on my computer that they have put there?
  15. mctonale

    system slowing?

    Removed active x intralaunch.maincontrol but reg entries still there; neither 3b reg repair nor mcafee quickclean recognise these entries as a problem? Tried disabling all active x controls but couldn't get windows update to run (even if it is set as a trusted site). Should I go through the registry myself or not worry about it as the program itself is now gone?
  16. mctonale

    system slowing?

    Have been using firefox for a couple of weeks. Has reappeared in registry pointing to a damaged active-x control (intralaunch.main control). Dependencies are: C:\windows\d...\intralaunch.ocx* damaged c:\windows\syst...\msvbvm50.dll* 1,355.776 c:\windows\syste...\asycfilt.dll* 63,536 version 3,3,0,2. Shall I remove or update it? The only other person using this screen is 3 years old and....... I just realised he has admin status (I'm pretty sure that's not how I set it up but changed it back to limited anyway). Just had a look at firewall but can't find how to block an active-x control.
  17. My friend got a dell pc (old server running win2000) from a company that went bust. She started using it on the internet without any anti-virus. I have managed to remove the viruses by installing AVG but can't remove adware because ad-ware, after starting scan, causes isass.exe to interrupt and shut down windows. Followed path for isass.exe (showing all hidden and protected os files); the program doesn't exist. Don't want to spend money on more adware to find it also doesn't work. Can't boot from disc (don't have one).
  18. mctonale

    Riddled with adware win2000 server.

    Wasn't sasser, ran fix but no infection found. Managed to run ad-aware and removed 1500 critical items. Ran spybot but still getting the odd pop-up and iexplore closes itself occasionally.
  19. mctonale

    can i use ad-ware?

    working fine (fingers crossed). Thanks everybody.
  20. mctonale

    can i use ad-ware?

    No luck. Even told me it was disabling them before it told me it had found them. Did have Adaptec Direct CD and easy CD creator installed a few days before update. But uninstalled them when I found out you have to pay for the upgrade.
  21. mctonale

    can i use ad-ware?

    Spoke too soon. CD writers disabled on startup. I don't have any cd burning software installed. But windows has disabled all of my cd/dvd drives. Followed the link for media player fix but site not found, redirects to: http://www.microsoft.com/library/errorpages/smarterror.aspx?404;http://www.microsoft.com/windows/windowsmedia/windowsxp/roxio.asp
  22. mctonale

    can i use ad-ware?

    All working fine thanks.
  23. mctonale

    Sounds in Internet Explorer

    I think that's all I have for you. Been looking but haven't found any other way of doing it. Are you sure these sites don't have a mute key?
  24. mctonale

    can i use ad-ware?

    Will any of the installed updates stop my download working?
  25. You can do the same by adding a screen saver and checking the 'on resume display welcome screen' check box. Don't know how you did it in 'power options' though.