Any Windows XP gurus out there?

Started by Tilar, April 26, 2011, 09:38:04 AM

Tilar

My brother brought me his computer because he had one of those popups that tell him his system is infected and if you buy their product they will uninstall this pesky bug they gave you. Windows Recovery I believe was the name of it.

I've run Malwarebytes, SuperAntispyware, Spybot Search and Destroy, and AVG antivirus, all updated, and even tried Combofix as a last resort, but that wouldn't run right for some reason.

Anyway, everything is fairly well back to normal with the exception that I get the popup "Internet Explorer Script Error" and it will show a website like advertising.com, fastclick.net or something similar asking if I want to continue running scripts. I'm getting these errors as soon as the system boots up. I don't have to be on the internet or even connected to the net.  Any suggestions? I'm comfortable working with the registry if I knew where to go and what I needed to check.

I have pretty good luck with this sort of thing normally but this one is eating my lunch.
Dave  

God must love stupid people; He made so many.



Khyron

Open IE, click Tools > Internet Options.
Click on the "connections" tab.
Click "Lan Settings"

Make sure nothing is checked by "automatically check settings"

click ok and exit

Open Explorer
navigate to
c:\windows\system32\drivers\etc

double click "hosts"

when prompted open with notepad

make sure it only says this.

Quote
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost



Before reading my posts please understand me by clicking
HERE, HERE, AND HERE.
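The check Khyron describes above can be automated. The following is an added example written for this thread, not code from any poster: it parses HOSTS text the way Windows does (one mapping per line, '#' starts a comment) and reports every mapping except the default loopback entries, which is what you want to see because rogue "recovery"-style programs commonly edit HOSTS to black-hole vendor update sites or redirect searches. The SAMPLE_HOSTS text is constructed for the demo; the .test names and the 198.51.100.x address are reserved documentation values, not real sites.

```python
"""Audit a Windows HOSTS file for mappings a stock install would not have.

Added example (not from the forum thread).  Parses HOSTS text as Windows
does, then lists every mapping other than the default loopback entries.
"""
import ipaddress

# Mappings a clean Windows HOSTS file may legitimately contain.
DEFAULT_MAPPINGS = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


def parse_hosts(text):
    """Return (line_number, ip, hostname) tuples; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing/inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed: Windows ignores it
        ip, names = fields[0], fields[1:]        # one IP may carry several aliases
        for host in names:
            entries.append((lineno, ip, host.lower()))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything that does not parse."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit_hosts(text):
    """Return (line_number, hostname, ip, reason) for every non-default mapping."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_MAPPINGS:
            continue
        if is_loopback(ip):
            # A real site pinned to 127.0.0.1 is unreachable: classic AV-update blocking.
            reason = "non-default name pinned to loopback (site black-holed)"
        else:
            reason = "name redirected to " + ip
        findings.append((lineno, host, ip, reason))
    return findings


# Constructed sample: the stock Microsoft header plus three planted lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost

# --- constructed entries, not a real infection ---
127.0.0.1       update.example-av.test
127.0.0.1       www.example-security-vendor.test
198.51.100.7    www.example-search.test   # TEST-NET-2 address, documentation only
"""

if __name__ == "__main__":
    for lineno, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s  (%s)" % (lineno, host, ip, reason))
```

To run it against a real XP machine, replace SAMPLE_HOSTS with the contents of C:\WINDOWS\system32\drivers\etc\hosts (the file has no extension, so open it by its full path). Any line it reports should be compared with the stock file Khyron quoted before it is removed.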

BananaDan

Click Tools, Manage Add-Ons.  Look for the offending script/applet and disable or remove it.

Dan
*This post brought to you by Carl's Jr.®*



Great spirits have always encountered violent opposition from mediocre minds. The mediocre mind is incapable of understanding the man who refuses to bow blindly to conventional prejudices and chooses instead to express his opinions courageously and honestly.  ~A. Einstein

Tilar

I've checked the "Lan Settings" and I had checked the hosts file to begin with.  I also checked the addons in IE but I don't really see anything that really sticks out.  Maybe I can get a list of everything in the addons and post them.



Khyron

start> run> "msconfig"

look in startup and disable everything but your Anti virus and wireless
Click the "services" tab, click the checkbox that says hide Microsoft services, and look in there

start> run> regedit

HKLM> software> microsoft> windows> current version> run

look for anything out of the norm and remove

HKCU> software> microsoft> windows> current version> run

same




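Rather than judging the Run keys by eye in regedit, you can export them (File > Export in regedit) and have a script list the autostarts worth asking about. The following is an added example written for this thread, not code from any poster: it parses the .reg export format and flags every Run value whose program launches from a user-writable scratch location such as Temp or Application Data. That is a heuristic, not a verdict; a hit means "ask before deleting", which is the advice given in the thread. It goes beyond the thread by also covering the RunOnce keys. SAMPLE_REG is a constructed export; the value names and paths in it are made up.

```python
"""Audit autostart Run/RunOnce values from a regedit export for odd launch locations.

Added example (not from the forum thread).  Parses REG_SZ values from a
.reg file and reports autostarts living in scratch directories.
"""
import re

# Autostart keys checked (HKLM and HKCU, Run and RunOnce), compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Directories a legitimate autostart rarely launches from on XP (assumed heuristic;
# more specific prefixes first so the report names the most precise match).
SUSPECT_DIRS = (
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\temp\\",
    "\\application data\\",
    "\\recycler\\",
)

# "name"="data" lines; regedit escapes backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo regedit escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                 # new key section
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:                                # hex:/dword: values are skipped
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def exe_path(cmdline):
    """Pull the program path out of a Run value: quoted path, or text up to '.exe'."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def audit_run_keys(reg_text):
    """Return (key, value_name, path, reason) for autostarts in suspect directories."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            path = exe_path(cmd)
            hits = [d for d in SUSPECT_DIRS if d in path.lower()]
            if hits:
                findings.append((key, name, path, "launches from ..." + hits[0]))
    return findings


# Constructed .reg export: two ordinary entries and two planted ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="C:\\Program Files\\AVG\\AVG10\\avgtray.exe /wait"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"fdsRPB"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\fdsRPB.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\cleanup.exe"
'''

if __name__ == "__main__":
    for key, name, path, reason in audit_run_keys(SAMPLE_REG):
        print("%s\n  %s = %s\n  %s" % (key, name, path, reason))
```

A real export from regedit is written as UTF-16 text, so load it with `open(path, encoding="utf-16").read()` before passing it to `audit_run_keys`. The sample deliberately includes a legitimate product (AVG, Java) under Program Files and ctfmon under system32 to show that the script stays quiet about those and only raises the two scratch-directory entries.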

KS71owner

I had this same problem a while back - the search engine reroute was giving me fits. If it's a rootkit like it was with mine, antivirus software won't remove it. Try TDSSkiller from Kaspersky Labs. Worked wonders for mine.


http://support.kaspersky.com/faq/?qid=208283363


BananaDan

Quote from: Tilar on April 26, 2011, 06:46:59 PM
I've checked the "Lan Settings" and I had checked the hosts file to begin with.  I also checked the addons in IE but I don't really see anything that really sticks out.  Maybe I can get a list of everything in the addons and post them.
Yes, post your IE add-ons.  If it only happens when you launch IE, the problem is likely there.

Dan

SRT-440

I had this same thing (windows recovery console) on my computer at work yesterday...caught it from one of these automotive forums. My IT chick ran an anti-malware disc on it and then deleted it from the IE add-ons...it gave my computer hell but now it's all good. Popped up all kinds of fake warnings...thought my hard drive was toast.
"It's not the size of the dog in the fight, it's the size of the fight in the dog..."

2012 SRT8 392 Challenger (SOLD)
2004 Dodge Stage 1 SRT-4 (SOLD)
1970 Plymouth Road Runner Clone w/6.1 HEMI (SOLD)
1971 Dodge Dart w/440 (SOLD)
1985 Buick Grand National w/'87 swap and big turbo (SOLD)

mikepmcs

Life isn't Father Knows Best anymore, it's a kick in the face on a saturday night with a steel toed grip kodiak work boot and a trip to the hospital all bloodied and bashed.....for reconstructive surgery. But, what doesn't kill us, makes us stronger, right?

resq302

My wife's netbook has something similar.  I ran all the Avast antivirus and such and it came back clean.  The only problem she keeps having occasionally now is that if she loads up, say, www.dodgecharger.com, it goes there for a sec and then gets redirected to another web location.  Is there any fix for this?  It's driving her nuts, which is causing me to go nuts!
Brian
1969 Dodge Charger (factory 4 speed, H code 383 engine,  AACA Senior winner, 2008 Concours d'Elegance participant, 2009 Concours d'Elegance award winner)
1970 Challenger Convert. factory #'s matching red inter. w/ white body.  318 car built 9/28/69 (AACA Senior winner)
1969 Plymouth GTX convertible - original sheet metal, #'s matching drivetrain, T3 Honey Bronze, 1 of 701 produced, 1 of 362 with 440 4 bbl - auto

elacruze

1968 505" EFI 4-speed
1968 D200 Camper Special, 318/2bbl/4spd/4.10
---
Torque converters are for construction equipment.

BananaDan

Quote from: elacruze on April 27, 2011, 06:51:15 AM
Google chrome.
Agreed, Chrome or Firefox are more secure browsers.  For your IE issue, grab a screenshot of your Manage Add-Ons screen and post it here.  It's likely a similar issue.  You could also try another AV scanner, like AVG or Microsoft Security Essentials.  I put instructions on how to get to your add-ons in IE above in this thread.  When you have the window open, hit Alt-PrintScreen.  Open Microsoft Paint, hit Ctrl-V to paste your screenshot into Paint.  Save the file as a .jpg and upload it here.

If the list is long and requires scrolling, you'll have to post multiple screenshots showing the entire list.

Dan

BananaDan

Quote from: Khyron on April 26, 2011, 06:53:23 PM
start> run> regedit

HKLM> software> microsoft> windows> current version> run

look for anything out of the norm and remove

HKCU> software> microsoft> windows> current version> run

same

Yes, cleaning these keys out is a good thing to do/check when infected, or even regularly because non-malware will deposit junk in here and cause extra resources to be used because they have processes autostart from here.  RealPlayer, Adobe and iTunes are notorious for this.  But, if you don't know what you're doing, don't delete anything from the registry.  You're better off posting the screenshots of these registry keys and asking what can be safely deleted if you aren't sure.

Dan

Khyron

Or contact me tonight and I'll remote into your machine, take your porn and then clean your machine :)



twodko

Quote from: KS71owner on April 26, 2011, 07:26:14 PM
I had this same problem a while back - the search engine reroute was giving me fits. If it's a rootkit like it was with mine, antivirus software won't remove it. Try TDSSkiller from Kaspersky Labs. Worked wonders for mine.


http://support.kaspersky.com/faq/?qid=208283363



Same thing happened to my laptop. It was a nasty "redirect" virus that could not be removed by Norton, Kaspersky or anything else I could find. Ended up reformatting my HD and reloading the XP OS.
FLY NAVY/Marine Corps or take the bus!

Tilar

Quote from: Khyron on April 26, 2011, 06:53:23 PM
start> run> "msconfig"

look in startup and disable everything but your Anti virus and wireless
Click "services" tab, click the mark that says hide Microsoft services look in there

start> run> regedit

HKLM> software> microsoft> windows> current version> run

look for anything out of the norm and remove

HKCU> software> microsoft> windows> current version> run

same


Nothing looks out of the ordinary in the registry keys you mentioned. I ran msconfig and the only thing I'm finding that is questionable is something called mccicmservice.exe. I did a search on it and it might be something to do with his Centurylink internet but I'm not sure.

Quote from: KS71owner on April 26, 2011, 07:26:14 PM
I had this same problem a while back - the search engine reroute was giving me fits. If it's a rootkit like it was with mine, antivirus software won't remove it. Try TDSSkiller from Kaspersky Labs. Worked wonders for mine.


http://support.kaspersky.com/faq/?qid=208283363


I downloaded this and it will not run.

Quote from: BananaDan on April 27, 2011, 09:09:18 AM
Agreed, Chrome or Firefox are more secure browsers.  For your IE issue, grab a screenshot of your Manage Add-Ons screen and post it here.  It's likely a similar issue.  You could also try another AV scanner, like AVG or Microsoft Security Essentials.  I put instructions on how to get to your add-ons in IE above in this thread.  When you have the window open, hit Alt-PrintScreen.  Open Microsoft Paint, hit Ctrl-V to paste your screenshot into Paint.  Save the file as a .jpg and upload it here.

If the list is long and requires scrolling, you'll have to post multiple screenshots showing the entire list.

Dan

Here is the list of addons:

Name          Shockwave Flash Object
Publisher     Adobe Systems Incorporated
Status        Enabled
File date     Friday, November 12, 2010, 8:37 PM
Version       10.0.45.2

Name          AcroIEHlprObj Class
Publisher     Adobe Systems, Incorporated
Status        Enabled
File date     Tuesday, December 14, 2004, 2:56 AM
Version       7.0.0.1333
Load time     1.05 s

Name          AVG Safe Search
Publisher     AVG Technologies
Status        Enabled
File date     Friday, March 25, 2011, 5:43 AM
Version       10.0.0.1319
Load time     8.81 s

Name          XML DOM Document
Publisher     Microsoft Corporation
Status        Enabled
File date     Monday, June 14, 2010, 3:41 AM
Version       8.100.1052.0

Name          Windows Media Player
Publisher     Microsoft Corporation
Status        Enabled
File date     Wednesday, August 25, 2010, 11:36 PM
Version       11.0.5721.5280

Name          Diagnose Connection Problems...
Publisher     Not Available
Status        Enabled

Name          Windows Messenger
Publisher     Not Available
Status        Enabled

Name          {53707962-6F74-2D53-2644-206D7942484F}
Publisher     Safer Networking Ltd.
Status        Enabled
File date     Monday, January 26, 2009, 3:31 PM
Version       1.6.0.0
Load time     12.86 s

Name          Java Plug-in 1.5.0_10
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       1.5.0.10

Name          SSVHelper Class
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       5.0.100.3
Load time     2.52 s

Name          Sun Java Console
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       5.0.100.3

Name          YInstStarter Class
Publisher     Yahoo! Inc.
Status        Enabled
File date     Sunday, July 30, 2006, 2:25 PM
Version       2004.11.7.1

Now, one thing I've noticed is in his Windows/Prefetch directory there are file names with different sizes than my originals. Take the TDSSkiller.exe file for example: the original file is 1.31 megs in size and the one in the prefetch directory is named tdskiller.exe-1DE72614.pf and it is 11kb in size. Is this normal?

I wish it were a hardware problem because I have pretty good luck with that, but software gives me a hard time sometimes.

Quote from: mikepmcs on April 27, 2011, 06:00:59 AM
lay off the porn.   :D

Damn, that's gonna break his heart.  :lol:



Khyron




Khyron




Tilar

Alright give me a few minutes and I'll get it downloaded.

The thing that is odd is I don't have to have internet explorer open to get these errors.



Khyron

I'm going to PM you my cell number. When it's installed and open, text me the login and password it gives you, and let me take a look :)



BananaDan

Quote from: Tilar on April 27, 2011, 12:34:31 PM

Nothing looks out of the ordinary in the registry keys you mentioned. I ran msconfig and the only thing I'm finding that is questionable is something called mccicmservice.exe. I did a search on it and it might be something to do with his Centurylink internet but I'm not sure.


This is ok, it's for your modem.

Quote

Here is the list of addons:

Name          Shockwave Flash Object
Publisher     Adobe Systems Incorporated
Status        Enabled
File date     Friday, November 12, 2010, 8:37 PM
Version       10.0.45.2

Name          AcroIEHlprObj Class
Publisher     Adobe Systems, Incorporated
Status        Enabled
File date     Tuesday, December 14, 2004, 2:56 AM
Version       7.0.0.1333
Load time     1.05 s

Name          AVG Safe Search
Publisher     AVG Technologies
Status        Enabled
File date     Friday, March 25, 2011, 5:43 AM
Version       10.0.0.1319
Load time     8.81 s

Name          XML DOM Document
Publisher     Microsoft Corporation
Status        Enabled
File date     Monday, June 14, 2010, 3:41 AM
Version       8.100.1052.0

Name          Windows Media Player
Publisher     Microsoft Corporation
Status        Enabled
File date     Wednesday, August 25, 2010, 11:36 PM
Version       11.0.5721.5280

Name          Diagnose Connection Problems...
Publisher     Not Available
Status        Enabled

Name          Windows Messenger
Publisher     Not Available
Status        Enabled


Name          {53707962-6F74-2D53-2644-206D7942484F}
Publisher     Safer Networking Ltd.
Status        Enabled
File date     Monday, January 26, 2009, 3:31 PM
Version       1.6.0.0
Load time     12.86 s


Name          Java Plug-in 1.5.0_10
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       1.5.0.10

Name          SSVHelper Class
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       5.0.100.3
Load time     2.52 s

Name          Sun Java Console
Publisher     Sun Microsystems, Inc.
Status        Enabled
File date     Thursday, November 09, 2006, 4:21 PM
Version       5.0.100.3

Name          YInstStarter Class
Publisher     Yahoo! Inc.
Status        Enabled
File date     Sunday, July 30, 2006, 2:25 PM
Version       2004.11.7.1


I'd disable everything in red.  In addition, try to avoid installing IE toolbars, even from reputable companies like Google and Yahoo.  They crud up IE with extra crap, slow it down and tend to include tracking/spyware code.

Quote
Now, one thing I've noticed is in his Windows/Prefetch directory there are file names with different sizes than my originals. Take the TDSSkiller.exe file for example: the original file is 1.31 megs in size and the one in the prefetch directory is named tdskiller.exe-1DE72614.pf and it is 11kb in size. Is this normal?

Yes, prefetch is not the actual file, it's a cached chunklet of the file.  Don't worry about that.

Khyron

He has the new version of the AV2011 virus; I'm in his machine now. It's a Java exploit to get in.
I just cleared all temp folders and files, purged the bug out of the registry, and I'm now removing Java and will install the new version that is protected.



Tilar

Well, I'm going to wait till this new RAM gets here which should be Monday before I go any further. This thing is still awful slow rebooting but it is running faster once it gets completely booted up.

The new Java is installed but I'm still getting the script errors.



Tilar

Well, I gave up. 

I did everything that I was familiar with, I uninstalled, disabled, reinstalled everything that was suggested. Khyron spent quite a bit of time trying to repair it and really made it run a lot better, but we just couldn't get rid of that friggin script error.  I just did a fresh install of XP on it.  Anyway, I just wanted to say "Thank you" to everyone for the suggestions and help.  :cheers:



Khyron

Sorry I haven't been around to help more :-(

