#1 (permalink)

Registered User
Join Date: May 2005
Location: Rhode Island, USA
Posts: 26
OS: WinXP

From Cumberland Mike & Dialing DSL - HJT

Hi all,

To continue the thread started in a different forum: http://techsupportforum.com/showthread.php?t=51558

One more piece of info to add ... I have a firewall in my Belkin wireless router. All the computers are inside it, none set for outside (the DMZ).

HJT log follows

================================== ==================================

StartupList report, 5/3/2005, 5:50:57 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PRONoMgrWired = C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
SoundMan = SOUNDMAN.EXE
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
NVCLOCK = rundll32 nvclock.dll,fnNvclock
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.co...?1098219805359

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Hardware Clock Driver: C:\WINDOWS\System32\hwclock.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,900 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

=========================================== ===========================================

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all for the help!

Mike

#2 (permalink)

Manager, The Conversation Pit/Analyst, Security Team

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it here. We do not need the original hijackthis.log (unless we ask for it).

Do not fix anything in HijackThis since they may be harmless.
__________________
Scarlet and Gray in L.A. 9/13/08

#3 (permalink)

Registered User
Join Date: May 2005
Location: Rhode Island, USA
Posts: 26
OS: WinXP

OK - more info

Hi,

OK I updated and ran CWShredder, didn't get any hits there. Downloaded, updated and ran Spybot S&D ... couldn't finish a scan there. Keeps locking up in random spots. However in one of its partial scans it did find a tracking cookie that was successfully removed. Ran AD-Aware got about half-dozen hits on tracking cookies and one data miner. Ran the VX2 tool with no hits. Ran HJT and the analyzer. Posted that as requested.

Thanks so much!

====================================================================

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Eset\nod32kui.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Eset\nod32krn.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 9:15:44 PM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098219805359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

End of KRC HijackThis Analyzer Log.

====================================================================

#4 (permalink)

Manager, The Conversation Pit/Analyst, Security Team

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. Turn it back to create a new restore point by repeating the process.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools/programs provide
__________________
Scarlet and Gray in L.A. 9/13/08

#5 (permalink)

Registered User
Join Date: May 2005
Location: Rhode Island, USA
Posts: 26
OS: WinXP

Thanks again ... but

The disconnection problem is still happening.

Is there something I can run that lists everything going on, and will list whatever piece of software is trying to dial somehow? Maybe I just gotta bite the bullet and re-install XP.

Any suggestions will be helpful.

Mike

#6 (permalink)

Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 18,166
OS: WinXP and Win98se

Hello Cumberland Mike,

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update.

When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

#7 (permalink)

Registered User
Join Date: May 2005
Location: Rhode Island, USA
Posts: 26
OS: WinXP

TDS3 update

Hi,

I downloaded, installed, updated & ran TDS as requested. I could not scan my D drive though ... every time I tried it would run for a few minutes and then completely shut down my computer. I set TDS to scan everything except D:

top of screen results are

====================================== ======================================

10:15:42 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:15:42 [Init] Started 07-05-05 10:15:42 Eastern Standard Time (UTC: 5), Internet Time @635.90
10:15:42 [Init] Loading TDS-3 Systems ...
10:15:42 [Init] • Priority : OK.
10:15:42 [Init] Token successfully adjusted.
10:15:42 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:15:42 [Init] • Plugins : OK. Loaded 13
10:15:42 [Init] • Exec Protection : Not Installed
10:15:42 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:15:42 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:15:42 [Init] Licensed users can use the Update facility from the TDS menu
10:15:42 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:15:47 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:15:47 [Init] • Systems Initialised [54077 references - 27887 primaries/13961 traces/12229 variants/other]
10:15:47 [Init] Radius Systems loaded. <Databases updated 05-05-2005>
10:15:47 [Init] TDS-3 Ready. <Windows@192.168.2.3, 127.0.0.1 - United States>
10:15:47 [Tip Of The Day] If you're suspicious about a certain file, use the String Extractor (from the Utilities menu). This will run through the file and strip out ANSI strings of 5 characters or more in length, enabling you in some cases to get a better 'view' of the file.
10:15:47 [TDS] Good morning Windows.
10:15:50 [Mutex Memory Scan] Started...
10:15:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:15:51 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:31:44 [File Scan] Scanning in C:\ ...
11:05:46 [File Scan] Scanned 43453 files: 6 alarms in 2042.406 seconds (Avg 22.28 files/sec)
11:07:57 [Memory Scan] Memory scan started, please wait a moment ...
11:07:59 [Memory Scan] Memory scan complete.
11:07:59 [Mutex Memory Scan] Started...
11:08:01 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:08:01 [Trace Scan] Started...
11:08:22 [Trace Scan] Finished.
11:08:22 [ServiceScan] Scanning for services and drivers ...
11:08:24 [CRC32] Started - verifying 29 files ...
11:08:24 [CRC32] File doesn't exist: C:\autoexec.bat
11:08:26 [CRC32] Test finished.
11:08:31 [ServiceScan] Scanned 305 services and drivers.
11:08:31 [Scan] Finished.

=========================================== ===========================================

Scandump of bottom of screen:

Scan Control Dumped @ 11:26:43 07-05-05

Suspicious Filename: Dual extensions
File: c:\documents and settings\windows\desktop\mike\bittorrent-4.0.1.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971l\program\restart.exe

Positive identification: Riskware.ProcessRestart
File: c:\program files\logitech\desktop messenger\8876480\6.1.4.36-8876480l\program\restart.exe

Positive identification: RAT.Small.eo
File: c:\windows\system32\hwclock.0xe

Positive identification (DLL): Adware.WildTangent.b (dll)
File: c:\windows\wt\wtvh.dll

=========================================== ============================================

I didn't do or change anything pending your advice.

Thanks again!

Mike

#8 (permalink)

Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 18,166
OS: WinXP and Win98se

Ok Mike, couple things I'd like you to do:

Please print this out or copy to Notepad.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

I'd like to try another scanner if you don't mind. Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane...... Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file

*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Reboot into Safe Mode.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\hwclock.0xe

Now, delete that file using Windows Explorer:

c:\windows\system32\hwclock.0xe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode.

Run the Mwav Scan and post that log here.

Also, could you post a new HijackThis Scan, do not run it through the Analyzer.

Also, I didn't see Weatherbug in your previous HJT logs: WeatherBug - it's adware. If you didn't install this yourself, we'll address uninstalling it. If you did install it yourself, you may keep it and ignore the warnings in the TDS-3 or Mwav logs.
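
Added example, not part of the thread or written by any of its posters: a Python triage helper that cross-references the TDS-3 scandump alarms from post #7 with the autostart services in the StartupList report from post #1, matching on file stem and directory. The two excerpts are lines copied from those logs; all function and variable names are this example's own, and a match is a lead for an analyst to check rather than a verdict.

```python
import ntpath
import re
from collections import namedtuple

# Constructed excerpts: lines copied from the two logs posted in this thread.
STARTUPLIST_EXCERPT = r"""
Enumerating Windows NT/2000/XP services
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Hardware Clock Driver: C:\WINDOWS\System32\hwclock.exe (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
"""
SCANDUMP_EXCERPT = r"""
Suspicious Filename: Dual extensions
File: c:\documents and settings\windows\desktop\mike\bittorrent-4.0.1.exe
Positive identification: RAT.Small.eo
File: c:\windows\system32\hwclock.0xe
Positive identification (DLL): Adware.WildTangent.b (dll)
File: c:\windows\wt\wtvh.dll
"""

Hit = namedtuple("Hit", "service service_path verdict alarm_path same_dir")
SERVICE_RE = re.compile(r"^(?P<name>[^:]+): (?P<cmd>.+) \(autostart\)$")
BINARY_RE = re.compile(r'"?(.+?\.(?:exe|sys|dll))', re.IGNORECASE)


def parse_services(text):
    """Return [(service name, binary path)] for every '(autostart)' line."""
    services = []
    for line in text.splitlines():
        match = SERVICE_RE.match(line.strip())
        if match:
            cmd = match.group("cmd")
            binary = BINARY_RE.match(cmd)
            # Fall back to the first token if the command names no extension.
            services.append((match.group("name"),
                             binary.group(1) if binary else cmd.split()[0]))
    return services


def parse_alarms(text):
    """Return [(verdict line, file path)]; each 'File:' line follows its verdict."""
    alarms, previous = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("File: ") and previous and not previous.startswith("File: "):
            alarms.append((previous, line[len("File: "):]))
        previous = line or previous
    return alarms


def path_key(path):
    """Lower-cased (directory, stem), so hwclock.exe and hwclock.0xe share a stem."""
    directory, filename = ntpath.split(path.lower())
    return directory, ntpath.splitext(filename)[0]


def correlate(startup_text, scandump_text):
    """Pair each autostart service with any scanner alarm on a same-stem file."""
    alarms = parse_alarms(scandump_text)
    hits = []
    for name, service_path in parse_services(startup_text):
        service_dir, service_stem = path_key(service_path)
        for verdict, alarm_path in alarms:
            alarm_dir, alarm_stem = path_key(alarm_path)
            if service_stem == alarm_stem:
                hits.append(Hit(name, service_path, verdict, alarm_path,
                                service_dir == alarm_dir))
    return hits


if __name__ == "__main__":
    for hit in correlate(STARTUPLIST_EXCERPT, SCANDUMP_EXCERPT):
        print(hit)
```
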

#9 (permalink)

Registered User
Join Date: May 2005
Location: Rhode Island, USA
Posts: 26
OS: WinXP

thanks ... but

<sigh> when it rains it pours....

I was running the scans above as recommended when my computer suddenly shut down ... hmmmm....... so I reboot and it won't start ... but it did after a few minutes!!! then it shut down again during the re-scan ... at a different spot! So I pop the cover and sho'nuff the processor cooling fin block thing is all plugged with dust and it's hot as heck. So I let it cool - it was too hot to touch - and take off the fan and remove the chip and get it cleaned off ... reinstall it and the computer won't re-boot .. pop off the chip to find I bent a couple of pins .... CRAP ... so I won't be continuing this thread for a little while.

Thanks to all who help - I think we were making great progress and I was learning a lot!

I'll be back!!!

Mike