Everything posted by mark
-
@dagonet - What undead said for sure. Sweet. DL
-
I'm not at that computer at the moment but if the driver has been deleted, it wasn't by me and also, keep in mind that when I put an autorun CD in, Windows runs the CD and I can close that window and then I can access the CD through 'My Computer' or wherever. The only CDs that I can't open are the ones with nothing but data on them. Thanks, DL
-
Ok, I've run hijackthis and 'fixed' the indicated lines. New hijackthis log attached below. I can throw a CD in the CD drive and now there is no flickering of the 'Windows Installer' window but still cannot access the contents of the CD, but if I throw in an autorun CD, it runs and I can access the contents of that CD even though the 'Windows Installer' window pops up for a good solid second. Two desktop.ini files (actually one that is opened twice) have now started opening up upon Windows startup. They are from the Startup folder. !?!? attached below. I'm slowly bracing myself for a reinstallation. On a side note, my nephew just got a virus. Apparently a really nasty one. I'm going to check it out. Lucky for him, AVG is stopping further infestation. The virus in his box is trying to bring in more cr@p. AVG is storing the incoming stuff in a vault. I'd like to take a look at that. If there is someone out there with a true shield for computers at a reasonable price, I think now is a time they are going to get wealthy. It seems that the production of more malicious stuff is on the increase. DL desktop.txt hijackthis_3_.txt
-
I've known a few AOL users and many who converted to the real thing after using AOL. Odd thing about some of the AOL users was that when you log on to AOL, you are basically just logging onto their server and these people were quite happy just playing the AOL games and whatever and rarely did they actually get onto the internet. Very odd. DL
-
Thanks Tarun. Will do. Only question I have is about the fxsclnt.exe because we do use Windows fax. I guess the others, if need be, can be repaired or reinstalled. Got a couple of programs to check out also from what has been listed above. DL
-
Ran CWShredder and nothing. It gave a link to a 30 trial of TrendMicro AV. Downloaded, installed, ran it, it found one cookie, uninstalled. Downloaded EZ Antivirus, ran it, it found nothing. After dinner time now, long after, going home. I'll get back on this tomorrow. Thank you, DL
-
Ok, back. I'm going to uninstall all of the virus/trojan/whatever progs I have on the comp. I am going to install EZ Antivirus, keep hijackthis and run CWShred. Then I am going to check out Diskmon and PsFile. I ran Filemon last week and to say that was interesting would be an understatement. What a bunch of stuff goes on inside the box! It's really cool when you have a computer that will run x number of processes and so forth, but when you see a list just stream by, it gives you a completely different view. Using Filemon, I took a snapshot (text, not a pic) of the processes that ran at the time of opening and closing the CD drive. That is one thing that triggers the activity. I pared down the text file by more than 90% and am attaching it, if you want to bother looking at it. spoolsv.exe starts the activity off and hpotdd01.exe, msiexec.exe, csrss.exe, svchost.exe and rundll32.exe are all heavily involved, then it ends with hpotdd01.exe (we have a hp scanner). Having fun, DL Edit: @Tarun, I don't know what I am supposed to do with this. Some of it, I know what it is and some not. There is the hpoddt01.exe.lnk that definitely looks suspicious now that I have had a look at the log from Filemon. DL FilemonLog.txt
-
In this case, the vid has been reduced in size, both dimension and the amount of data. What's on the tv is a more complete vid. DL
-
Ok, was out of town for several days and back now. I appreciate all the replies, arguments and all because I will learn something but just don't go for the throat! I will get back to this later. I have other things I have to attend to first. Thank you, DL
-
Yeah, just saw the same commercial over Xmas and the row of lights that looks like a row of upstairs windows in the online vid actually says 'MerryChristmas'. The beer commercial is shorter than the online vid and because of that, it's not as good even though the image is much better. DL
-
Googled 'stevanhogg' and this guy must spend all his time joining and posting similar stuff all over the web. There were at least 9 Google pages and it was all the same stuff. Rarely does he participate in a forum, just posting links and the occasional one line comment. DL
-
@ epic Downloaded the tools. Going to take a little time to do these things. (I have a real job to attend to as well and since I'm heading out of town, I'm running out of time today) Your assistance is much appreciated. DL
-
It's tied in with our machine's ISP. Great! Thanks. Not an admin, just pretending to be one. Maybe with this, I can get down to the meat and potatoes. Thank you. I'll take a good look at that also. Sweet. Typing on the run. Will get back on this and back here as soon as possible. Again, thank you. DL
-
epic - Ok, turned off system restore, entered safe mode with f8 because I couldn't do it through msconfig. Ran ewido, NOD32, hijackthis and Spybot S&D. Came up with nothing. Couldn't access the CD drive either. Reinstalled Kaspersky while in safemode and it found nothing also. Restarted computer and it automatically went into safemode. Restarted, f8, selected standard boot method and it still went into safemode. While in safemode, I could use msconfig to change the mode of startup!? Anyway, the virus is still present. The IP addresses in the hijackthis log are to a local isp, no concern. Is there a program that can be used to track what might be active in the background? Something I could have running and when I see the Windows 'Installer window' pop up, look at a log file of some kind to see what the activity was? Any suggestions are appreciated. DL PS I will try to get back in here tomorrow but will be heading out to see family and won't be back until next week. Cheers and a festive holiday.
-
Thanks epic. Well, this has been proven true currently even though it has worked well in the past. Avast is one of the programs I ran and didn't use NOD32 because of the sign up but I've gone ahead and downloaded it now. Will run it. Somebody else does use MS Office on this comp. Not sure about the IP addresses, I'll check. Yeah, I know. Odd thing is, is that we used to run Norton and it created all sorts of problems and with the pile of programs I have installed, there wasn't one single glitch. Not one. I did expect something but they ran as described. One would pick up a stray attachment that another had put in place or something but all went well. Yeah, I know it's a no-no. Yep, safe mode is the next step with restore disabled. I'll try the McAfee because I do know my computer is infected. Will report back captain. DL
-
Shop computer, several users, started getting boggy. About 2 weeks ago, someone noticed a window flickering on the screen of a Windows Installer saying 'Preparing to Install' and this would happen on computer start up and at random times. They mentioned this to me a couple of days ago. I looked for anything that had been downloaded recently that would account for it and found nothing. But there has been a lot of web surfing. Starting two days ago, we began getting returned emails that were undeliverable. Dozens of them and we hadn't sent any of them. This is the text in one of the returned mails:

At this point I am unable to connect to our email. I will have to talk to my ISP tomorrow to see if they have blocked it. We keep regular backups and today, I went in and started doing thorough backups of everything again. It was a pain. I couldn't just throw in a CD and burn the info. The Windows Installer window would flicker and there was no access to the CD drive. I figured out that I needed to pop a CD in before windows started, ran Nero and burned the files. When Nero finished it couldn't verify the data because it was now denied access to the CD drive. Restart the computer, toss a CD in before windows etc..... I checked the CDs on another comp and they are fine.

I ran hijackthis.
I ran Windows Live Safety Center: 1 virus=HTML/DialogArg.B @ c:\install.htm (deleted)
Avast: found nothing
AVG: found nothing (You will notice in the returned email it states that AVG is out of date. Come to find out that AVG was not able to connect to their server to update. I downloaded the most current version, installed it and was able to download a current update)
Kaspersky: found nothing
Spybot S&D: Got some cookies and nothing else. Had to turn it off to run other proggies.
MS AntiSpyware: found nothing (ten days ago it found CoolWebSearch Browser Modifier)
AdAware: found nothing
Sysinternals RootkitRevealer: found nothing
UnHackme: Clicked 'Check me now' and very quickly a window popped up saying 'That's alright. There is no trojan found'. It was too quick for the program to have done anything.
ewido: found 42 cookies and removed Worm.Myfip.l @ c:\program files\nlite\Data\modpe.exe (this copy of nlite was installed in June of 2004 and never run. It was when I discovered MSFN)

Whatever it is that I am searching for is still in this computer. A quick test is to put a CD in and try to access it. A CD sits in the CD drive, spins and gets read, but when you go into My Computer it states the drive is empty. Regardless of the outcome, I am going to format and re-install as it has been a long time since XP was installed and too many users. In the mean time, I would really like to know what has gotten into the computer. Any suggestions would be much appreciated. I'm tired and going home to bed now. DL hijackthis.txt
-
We're a bit too far south to get much in the way of decent snows. Once or twice a year if we are lucky and it doesn't usually go over 5 or 6 inches at best and is gone in a day or two. People in the south clamor for snow and those in the north clamor for sunshine. The grass is always greener on the other side of the fence. Hey, whatever works. DL
-
Hearsay only but it makes sense: The two cleanest things in a bathroom are the toilet and the doorknob. The toilet because it has fresh water rinsing it constantly and the doorknob because people use a freshly pulled paper towel to open it. Everything else in the bathroom ends up with mist and spray on it. Even the warm air hand dryers are not clean because they cycle the dirty air and mist. Bon appetit. DL
-
Uhhhh, didn't Neo come back to life after Trinity kinda made the ahhhhh, promise of ahhhh piece of ahhhh.... Wouldn't you come back from the dead for that? That would jump start my cardiac arrest. So it's Trinity who has that power. DL
-
How do I get rid of the Sasser virus?
mark replied to MrMister's topic in Malware Prevention and Security
@MrMister - The forum rules can be found at the link in the second bar down from the top of any page. DL
-
@gamehead - Yes, that's the av. When I first came to MSFN, you had that avatar. I guess you must have picked it for the same reason I found it eye-catching. There is something peculiar about the movement when it is sped up that way. Did you deliberately video that motion or did you just cull it from a longer length you had? Mentally, I always associate your name with that avatar and vice-versa. I'm sure that you will outgrow it age wise but it will always be you. Now all I have to do is to try to get Simonsays to go back to his monkey theme. DL
-
Nice pictures and a nice place gamehead. I see your pool is covered. Not into the polarbear club? Chicken. It would allow you to have your shaking head avatar again but in real time! Well for us it has been an ice storm. 830,000 without power. Which for us means no water. We're on a well. I've got a generator to run the fridge!?! and a couple of lights and a fireplace to heat. It'll be like this for a couple of days. No biggie, I look around and there are worse circumstances to be in. It would have been much nicer as snow. Once I left the house this morning, I wished I had had my camera. It was beautiful outside. The world was crystalized. All gone now except for the cold. DL
-
@Zxian and prathapml - Thank you. I was a little wary of posting my feelings about bums. I was directing it purely at bums and not those in need like the victims of Katrina, here in the U.S. I watch the debates that get heated and quite enjoy them. The to and fro is fun to watch as one calls the other an id*** without saying so. And I like the friendliness and camaraderie that is always present. Some of the technical stuff goes over my head but reading the thread is still a pleasure. It's an odd thing when you base how you feel or think of someone on one or two posts that are responses to a query or the like. From day one at MSFN, I have always felt positively about the crew here. The hardest thing for me to get used to is when someone changes avatars. Disconcerting. There is another thread in 'polls' that asks how many comps you have. I have a couple of extra ones with low processing power that I'm got to do more experimenting on with Linux. DL
-
5. Two used, two that will be used again and I don't know if it even counts but I have an old NEC laptop that boots off a floppy. DL