Hi Greg, welcome to DaniWeb :D
Go to Tech Talk, Microsoft Windows, Viruses, Spyware & other Nasties
Or click here:
http://www.daniweb.com/techtalkforums/forum64.html
Hi datry, welcome to DaniWeb :D
First go to Windows Update and get SP1a for both XP and IE (do not get SP2 at this time).
Update your antivirus program and run a full system scan, allowing it to fix whatever it finds.
Have a look at this thread:
http://www.daniweb.com/techtalkforums/thread24085.html
After you've done the above, and moved HijackThis, please post a new log.
Hi joker, welcome to DaniWeb :D
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.
Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.
Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
Then close any open browser windows, scan with hijackthis, and post a new log please.
Hi Melloncolin88, welcome to DaniWeb :D
Right-click on an empty area of your desktop and select New, Folder; give the folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.
If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Scan with hijackthis, and have it fix:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
…
Spybot and Adaware come up clean, but I downloaded and ran "Adware Spy" today and it presented me with over 400 registry items, mainly in Local Machine, IE, ActiveX Compatibility, that read like a who's who of every malware signature ever invented. Couldn't use it to fix the issues though, as you have to buy before they do that. And I was a little suspicious that such a huge number had bypassed the other adware checkers. Not sure if it's just a sales gimmick?
It is most likely a gimmick; Adware Spy is identified as 'Rogue/suspect antispyware' here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Where you can find this statement regarding Adware Spy (and other products in this 'family'):
"... the dubious distinction of generating the most false positives on a "spyware free" system -- flagging hundreds of items as "spyware," including completely legitimate programs like Nero, Adobe Acrobat, and AdShield, among others."
You might want to give these a try:
CounterSpy (http://www.download.com/3000-8022_4-10337358.html)
Ewido Security Suite (http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1)
And if that doesn't clean it up, download and run Silent Runners.vbs -- http://www.silentrunners.org/.
Post the information from the log it generates in this thread.
Hi Bob, welcome to DaniWeb :D
Go ahead and post your HijackThis log here in this thread and we'll have a look at it.
My suggestions:
Antivirus
Nod32 (http://www.nod32.com/home/home.htm)
Firewall
If you have a broadband connection (DSL, cable, etc), I would recommend getting a hardware-type firewall such as those available from SMC, Linksys, or Netgear; and a software firewall; either the XP firewall, or one from Sygate (http://www.download.com/Sygate-Personal-Firewall/3000-2092_4-10332265.html?tag=lst-0-1), or Kerio (http://www.download.com/Kerio-Personal-Firewall/3000-2092_4-10322940.html?tag=lst-0-1)
Spyware and Adware
Ad-Aware SE (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-2)
Spybot Search and Destroy (http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1)
SpywareBlaster (http://www.download.com/SpywareBlaster/3000-8022_4-10396039.html?tag=lst-0-1)
Other cleanup utilities you might like to try
CounterSpy (http://www.download.com/3000-8022_4-10337358.html)
Ewido Security Suite (http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1)
Naturally, you need to keep everything updated in order for it to be effective.
You may find this thread somewhat informative as well:
http://www.daniweb.com/techtalkforums/thread16365.html
Yep, you are correct, you have Aurora again :(
So, let's go through this again...
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop.
Run a full system scan with Ewido (remember you will be posting the log from this scan in your next reply).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [epcchv] c:\windows\system32\gowzet.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close any open windows and hit Fix checked.
Go to the following locations and delete the highlighted files:
C:\WINDOWS\Nail.exe
C:\windows\system32\gowzet.exe
C:\WINDOWS\svcproc.exe
Empty your Recycle Bin and do a search for each of those files and delete any instances found.
Empty your Recycle Bin again and reboot.
Download and run the BetterInternet removal tool from here:
http://securityresponse.symantec.com/avcenter/FixBinet.exe
Then, close any open browser windows, scan with HJT, and post a new log along with the Ewido log.
Yes, I did a system restore 3 weeks ago as soon as this thing appeared again. The system restore was successful but it made no difference. Do you think that repair would fix it? And if so, why do you think folk do a full format when there is a repair option on the Windows disk that comes with PCs?
Other than that, have you any more ideas?
I don't know if the repair will correct your problem because I don't know what the problem is.
Many people, I believe, do a full format because they don't know the Repair option exists, or they don't know how to use it. Also, as far as I know, the Repair will not remove any malware, it will only fix and replace corrupted and missing Windows files.
I do have one other suggestion, but since I don't know a lot about it, I can only get you started, and then turn this over to one of our other members who is more familiar with it.
Please do the following:
Open the Event Viewer utility in your Administrative Tools control panel.
In the Event Viewer, look through the System and Application logs for entries flagged as Warning or Error; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to program hangs/crashes or anything else related to the problems you're having, post the full …
Get the Pocket Killbox from here (it may be needed later in these instructions):
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Reboot into Safe Mode.
Scan with hijackthis and have it fix O4 - HKLM\..\Run: [fpdv] C:\WINDOWS\System32\fpdv.exe
Go to C:\WINDOWS\System32 and delete fpdv.exe
If fpdv.exe could not be deleted, run Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot (reboot into normal mode). (Note: the 'file path' will be something like C:\WINDOWS\System32\fpdv.exe)
Close any open browser windows, scan with HJT, and post a new log please.
Hi derekn83, welcome to DaniWeb :D
I've split your post into its own thread per the site rules:
"Every question or new thought should have its own thread. Replies to a previous post should be thread replies to that particular thread. Do not piggyback threads by posting your question as a reply to another question"
Forum rules can be found here: http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq
Go to Add/Remove Programs in your Control Panel and remove (if present):
Media Access
ISTsvc (may be Integrated Search Technologies or something similar)
You will need to disconnect from the internet, so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search …
I don't see the typical signs of Aurora in your last log. Please post a new hijackthis log after doing the following (yes again, your Ewido log still shows a lot of stuff in these folders):
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.
Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.
Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.
You will need to disconnect from the internet so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Disconnect from the net and reboot into Safe Mode.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NETEU.EXE] C:\WINDOWS\NETEU.EXE
O4 - HKLM\..\RunServices: [NTIX32.EXE] C:\WINDOWS\SYSTEM\NTIX32.EXE /s
O4 - HKLM\..\RunServices: [WINAO.EXE] C:\WINDOWS\WINAO.EXE /s
Close any open windows and click Fix checked.
Go to the following locations and delete the highlighted files:
C:\WINDOWS\sqlhv.dll
C:\WINDOWS\NETEU.EXE
C:\WINDOWS\WINAO.EXE
C:\WINDOWS\SYSTEM\NTIX32.EXE
If any of these files could not be deleted, please let us know in your next post.
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with hijackthis, and post a new log along with the Ewido log.
Hi Melissa, welcome to DaniWeb :D
Simple solution -- take your husband with you when you go on vacation! :)
(Somewhat) harder solution --
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
Be sure your system is set to Show hidden files and folders.
Right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dnmwg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {815F7C5F-448E-A479-1D2A-285401DC8A31} - C:\WINDOWS\SYSTEM\SYSEJ.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/gam...nts/y/et1_x.cab
O16 - …
That last log still shows it being in a Temp folder (C:\DOCUME~1\Tom\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe)
In the future, can you please copy & paste rather than attach the log? Thanks.
You can thank the folks at Dell for installing this for you :) Here is some info about it:
http://www.pchell.com/support/mywebsearch.shtml
Please review this thread:
http://www.daniweb.com/techtalkforums/thread24085-faster.html
After you've moved hijackthis, post a new log and we'll help you get rid of MyWay.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Disconnect from the net and reboot into Safe Mode.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.frame.crazywinnings.com
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with hijackthis, and post a new log along with the Ewido log.
Glad you posted that other hijackthis log, the first one scared me!
Go to Add/Remove Programs in your Control Panel and remove (if present):
Viewpoint (may be called Viewpoint Manager, ViewMgr or something similar)
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Close any open windows and hit Fix checked.
Go to C:\Program Files and delete the Viewpoint folder.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.
Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, …
Follow the removal instructions found here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.neededware.html
Be sure to include the registry backup instructions.
Have hijackthis fix this entry:
O4 - HKLM\..\Run: [fpdv] C:\WINDOWS\System32\fpdv.exe
Go to C:\WINDOWS\System32 and delete fpdv.exe
Reboot, close any open windows, scan with hijackthis, and post a new log please.
Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.
Go to C:\WINDOWS and delete Nail.exe
Empty your Recycle Bin and do a search for Nail.exe and delete any instances found.
Empty your Recycle Bin again, reboot, and do a search for Nail.exe again. Let us know if it still shows up, and where it's located if it does.
Just wondering, there is a 'repair' option on the Windows disk. Don't know if I chose that after putting it in the drawer or if you go through BIOS & boot up with the Windows disk, but could that solve it? And would we lose all our files & settings using this option?
What you are referring to is an in-place upgrade (aka repair installation); instructions can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp
You shouldn't lose any files or settings but, as always, it's best to have everything backed up just in case. It's possible that could resolve your problem without having to reinstall Windows.
However, before you try that, have you tried using System Restore to return your system to a point prior to when you started having this problem? If you do this, you may need to remove the things we just cleaned off again because they could be a part of your restoration.
That self-extracting version should have put hijackthis into your Program Files, but since it didn't, please right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Get the Pocket Killbox from here (it may be needed later in these instructions):
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Follow the removal instructions described here:
http://www.sarc.com/avcenter/venc/data/dialer.asdplug.html
Be sure to include the instructions for backing up your registry before making the changes.
Go to Add/Remove Programs in your Control Panel and remove Ymutp (if present)
Scan with hijackthis and have it fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [Pqjpp] C:\Program Files\Ymutp\Jvmvilv.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitesla32.exe
O4 - HKCU\..\Run: [Info32x] c:\windows\system32\info32x.exe
Have hijackthis fix this O14 entry only if you do not want this as your home page:
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
Be sure to close any open windows, other than hijackthis, before hitting Fix checked.
Go to the following locations and delete the highlighted files and folder:
C:\windows\system32\elitesla32.exe
C:\windows\system32\info32x.exe
C:\Program Files\Ymutp\Jvmvilv.exe
If any of the requested files cannot be deleted, run Pocket Killbox and paste the full file path in the box …
Hi lizbee, welcome to DaniWeb :D
You have an older version of HijackThis, please get the latest, self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread please.
Hi Katie, welcome to DaniWeb :D
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
Be sure your system is set to Show hidden files and folders.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.
You have an older version of HijackThis, please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread please.
Hi bultoki, welcome to DaniWeb :D
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {4FA1766B-07EE-5651-C8D7-FCBCE42A8EE5} - C:\WINDOWS\apiva.dll (file missing)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Have hijackthis fix any of these O15 entries that you did not put in your Trusted Zone yourself --
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.c...sharingctrl.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_6.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://online.ccsd.k12.co.us:8011/w...e-1_4_1-win.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
Hi Musclesweet, welcome to DaniWeb :D
You have quite a bit to cleanup there, but before you start you should take a look at this thread:
http://www.daniweb.com/techtalkforums/thread24085.html
After you've moved hijackthis, please post a new log.
If you do a net search for hijackthis tutorials, you'll find several (such as this one -- http://www.bleepingcomputer.com/forums/index.php?showtutorial=42)
Using the tutorials and a lot of net searching is the best way to analyze hijackthis logs.
There is no list of 'normal vs abnormal.' If you look around this forum you'll find many examples of clean logs, that are all different, and infected logs, which are all different as well.
And, since there are new threats coming out daily, I doubt if any such 'list' could ever be created and kept current.
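As an added illustration of the research this post describes (this is my own script, not something from the thread or from HijackThis itself): a small triage helper that reads HijackThis-format lines and flags the entry patterns the replies above repeatedly have people fix. The sample log is constructed from entry types quoted in this thread, and the severity rules are my own heuristics, meant to point at what needs researching rather than to replace the research.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, built from entry types quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sqlhv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {4FA1766B-07EE-5651-C8D7-FCBCE42A8EE5} - C:\WINDOWS\apiva.dll (file missing)
O4 - HKLM\..\Run: [NETEU.EXE] C:\WINDOWS\NETEU.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, R1, F2, O4 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Search/start page pointing into a local DLL resource (the res://...dll/sp.html pattern).
RES_DLL_RE = re.compile(r"=\s*res://.+?\.dll/", re.IGNORECASE)
# Anything after Explorer.exe in the system.ini Shell= line is an extra program.
SHELL_RE = re.compile(r"Shell=Explorer\.exe\s+(\S.*)$", re.IGNORECASE)
# Heuristic: a program launched straight out of C:\WINDOWS, \system or \system32.
WINDIR_EXE_RE = re.compile(
    r"[A-Z]:\\WINDOWS\\(?:system32\\|system\\)?[^\\\s]+\.(?:exe|dll)", re.IGNORECASE
)


@dataclass
class Finding:
    kind: str
    body: str
    severity: str
    reason: str


def classify(kind: str, body: str):
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    if "(file missing)" in body or "(no file)" in body:
        return ("medium", "orphaned entry: the referenced file is gone, safe to fix")
    if kind in ("R0", "R1") and RES_DLL_RE.search(body):
        return ("high", "search/start page redirected into a local DLL resource")
    if kind == "R3" and "Default URLSearchHook is missing" in body:
        return ("medium", "default URLSearchHook removed, usually alongside a search hijack")
    if kind == "F2":
        m = SHELL_RE.search(body)
        if m:
            return ("high", f"extra program loaded with the shell: {m.group(1)}")
    if kind == "O15":
        return ("medium", "Trusted Zone/IP entry: fix unless you added it yourself")
    if kind == "O16":
        return ("low", "downloaded ActiveX control: safe to fix, legit ones reinstall on next visit")
    if kind in ("O4", "O23"):
        m = WINDIR_EXE_RE.search(body)
        if m:
            return ("medium", f"autostart from the Windows directory, research the file: {m.group(0)}")
    return None


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank lines, the header and the process list are skipped
        verdict = classify(m["kind"], m["body"])
        if verdict:
            findings.append(Finding(m["kind"], m["body"], *verdict))
    return findings


def counts_by_severity(findings) -> dict:
    """Summarise findings as {"high": n, "medium": n, "low": n}."""
    out = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind} - {f.body}\n         -> {f.reason}")
    print(counts_by_severity(results))
```

Entries the rules do not recognise (the Viewpoint O4 line, the about:blank R1) are simply not reported, so a clean pass here is not proof of a clean log.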
Hi Rhonda, welcome to DaniWeb :D
You will need to disconnect from the internet so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50249
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50249
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50249
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - …
Hi Cheeba, welcome to DaniWeb :D
Sorry for the delay in responding to this, it's been pretty busy here lately.
Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
Please take a look at this thread:
http://www.daniweb.com/techtalkforums/thread24085.html
After you've moved hijackthis, post a new log please.
Hi thenudedude2002, welcome to DaniWeb :D
You should first go to Windows Update and get the Critical Updates for your system.
Then review this thread:
http://www.daniweb.com/techtalkforums/thread24085.html
After you've moved hijackthis, please post a new log.
Hi Flaviuscrispus, Welcome to DaniWeb :D
Sorry for the delay in replying to this; as you can see, there are a lot of people with problems and not many of us available to help.
Aside from the legal aspects, malware is the next biggest problem with file sharing programs such as Limewire.
You shouldn't need to clean each user's account; as long as you're logged into the Administrator account, that should be good enough.
You will need to disconnect from the internet so you may wish to print these instructions. If you have problems with the Ewido scan again, continue on with the remaining steps.
The first thing you need to do is go to Windows Update and get SP1a for both XP and IE (don't get SP2, at least until your system is clean).
If you have more than one partition or drive in your computer, scan only the C drive with Ewido, for the time being anyway (when requested).
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
If any requested files cannot be deleted, run Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will …
Thanks DMR, a lot of good info there :)
But unless yikyang mistyped, he doesn't have msdirectx.sys, he has msdiretx.sys; do you know if it's related or if the MS fix will work for it?
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for jiorzm.exe and delete any instances found.
If any could not be deleted, run Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying "File will be deleted on next reboot, Process and Reboot now?"; click Yes to reboot. (Note: the 'file path' will be something like C:\windows\system32\jiorzm.exe or C:\windows\prefetch\jiorzm.exe)
Reboot (normally), empty your Recycle Bin and search for the file again to make sure it's gone.
O16 entries are safe to be fixed with hijackthis; they will be removed, but any legit ones will be restored next time you visit the site. It's just easier (and cleans up the log more) if they are all fixed rather than researching each one to separate the good from the bad.
The easiest way to find out about the O17 entry is to contact your ISP and ask if that IP address is theirs.
Post a new log after the Norton scan and fixing the noted HJT entries :)
Glad to hear everything is working as it should :)
However, you should post new hijackthis and Ad-Aware logs so we can verify your system is clean.
You should post a new hijackthis log so we can verify your system is clean.
Hi Finman101, welcome to DaniWeb :D
Go to Add/Remove Programs in your Control Panel and remove:
Viewpoint Manager (or Viewpoint, ViewMgr, or something similar)
Scan with hijackthis and have it fix the following entries:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.investorweb.com.au/download/CfxIEAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1094020184308
O16 - DPF: {827E9F50-96A4-11CF-823E-000021570103} (Graphics Server Extended Graph) - https://www.superlink.net.au/cabs/graphs32.cab
Close any open windows, other than hijackthis, before hitting Fix checked.
Go to C:\Program Files and delete the Viewpoint folder.
Do a search for neededware and delete any entries found.
Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.
Doesn't look good; locate the file, right-click on it, select Properties, and post whatever info you can get on it (Company, version, etc.)
Hi fishmn, welcome to DaniWeb :D
It may be a bit late now, but read this thread -- it may come in handy:
http://www.daniweb.com/techtalkforums/thread16365.html
The first thing you need to do is go to Windows Update and get SP1a for both XP and IE (don't get SP2 until after your system has been cleaned up).
Download, install, update, and run about:Buster -- http://www.majorgeeks.com/download4289.html
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\kendall\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\kendall\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {491989B4-99F6-4D3B-B6DB-7D27FE8616CF} - C:\WINDOWS\System32\lbhm.dll
O18 - Filter: text/html - {68DA7C78-CDE1-4C5F-83A8-E36DE9BB4683} - C:\WINDOWS\System32\lbhm.dll
O18 - Filter: text/plain - {68DA7C78-CDE1-4C5F-83A8-E36DE9BB4683} - C:\WINDOWS\System32\lbhm.dll
Close any open windows, other than hijackthis, before hitting Fix checked.
Go to C:\WINDOWS\System32 and delete lbhm.dll
Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.
Hi yikyang, welcome to DaniWeb :D
Is that a complete log scanned while in 'normal' mode (not Safe Mode)? It looks very short.
Right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Xpjava.exe is part of a worm, scan with hijackthis and have it fix this entry:
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
Close any open windows, other than hijackthis, and hit Fix checked.
Do a search for xpjava.exe and delete any entries found.
Msdiretx.sys is probably a malicious driver, but I don't see it in your log.
Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.
Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post the entire log along with the Silent Runners log.
That looks like a clean log to me :)
There is still some spyware in C:\Documents and Settings\Hello Kitty\Local Settings\Temp -- please be sure to clean out that folder completely.
WildTangent is still showing in that log as well. Go to C:\Program Files and delete the WildTangent folder.
After you clean up those two things, run cleanmgr, and then post a new hijackthis log please.
Well, I see a few things there that should be corrected, but nothing that really explains (to me) why the problem keeps reoccurring.
This may help with the problem, but no guarantees... Scan with HijackThis and have it fix the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.clientapps.yahoo.com/...www.yahoo.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\td.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\td.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/pote_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/67yf61fg.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D.../bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.hotmail.msn.com/r...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22028cf...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_4/controls/ybrequest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: …
In addition to what DMR suggested, Open Firefox, go to Tools, Options, and click on Privacy, and click the Clear All button.
Either location would have been fine for HJT :) (C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe or C:\Program Files\Hijackthis\HijackThis.exe)
You will need to disconnect from the internet so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hfmsxuhtcveqhfpztdg.info...GJWu07BobK.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
Hi frenemy, welcome to DaniWeb :D
Go to Add/Remove Programs in your Control Panel and remove (if present):
WildTangent
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying "File will be deleted on next reboot, Process and Reboot now?"; click Yes to reboot. (Note: the 'file path' will be something like C:\WINNT\System32\param32.dll)
Scan with hijackthis, and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4
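As an added defender-side example (not from this thread and not part of HijackThis), here is a small Python checker for the two hijack patterns quoted in the posts above: O1 Hosts entries that redirect names to a non-loopback address (the blocks of security-vendor and search-site names all pointing at one IP), and F2 system.ini Shell/UserInit values that carry an extra program (xpjava.exe, Nail.exe). The sample log lines are constructed from the entries in this thread; the expected defaults for Shell and UserInit are an assumption for Windows XP.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis-style lines modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O4 - HKLM\\..\\Run: [ViewMgr] C:\\Program Files\\Viewpoint\\ViewMgr.exe
"""

# Assumed XP defaults for the two system.ini keys HijackThis reports as F2 entries.
EXPECTED_F2 = {"userinit": "userinit.exe", "shell": "explorer.exe"}
LOOPBACK = {"127.0.0.1", "::1"}
F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")

def analyze_hjt(log_text):
    """Return (hosts_by_ip, f2_findings): hosts_by_ip maps each non-loopback IP in
    O1 lines to the hostnames redirected to it; f2_findings lists (key, value)
    pairs where Shell/UserInit hold anything beyond the expected single binary."""
    hosts_by_ip = defaultdict(list)
    f2_findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                hosts_by_ip[ip].append(host)
            continue
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            # Split on comma or whitespace; an extra token means an added program.
            parts = [p for p in re.split(r"[,\s]+", value) if p]
            if len(parts) != 1 or parts[0].lower() != EXPECTED_F2.get(key):
                f2_findings.append((key, value))
    return dict(hosts_by_ip), f2_findings

if __name__ == "__main__":
    hosts, f2 = analyze_hjt(SAMPLE_LOG)
    for ip, names in hosts.items():
        print(f"hosts hijack: {len(names)} name(s) -> {ip}: {', '.join(names)}")
    for key, value in f2:
        print(f"system.ini {key} modified: {value}")
```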
Hi GoodmanHR, welcome to DaniWeb :D
It's possible I could have overlooked something, but I don't see anything bad in your log.
The clicking sound, however, sounds to me like your hard drive could be failing. I'm not sure if that would cause the light to stay on or not.
Anyway, unless someone else here has some other ideas, I would recommend you back up your data as soon as possible and replace your hard drive.
Hi Xceptioner, welcome to DaniWeb :D
Aside from the legal aspects, malware is the next biggest problem with file sharing.
Nail is a part of Aurora.
Please review this thread:
http://www.daniweb.com/techtalkforums/thread24085.html
After you've moved HijackThis, please post a new log and we'll help you get the computer cleaned up.
Well, I think you answered your own question in your post: "single user Norton antivirus 2005".
But if you read your License Agreement with Symantec, you will find the following statement:
"You may:
A. use one copy of the Software on a single computer. If a License Module accompanies, precedes, or follows this license, You may make the number of copies of the Software licensed to You by Symantec as provided in Your License Module."
Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.
Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Close any open browser windows, 'Scan and Save Log' with HijackThis, and then copy and paste the log here.
These programs will (hopefully) help us locate the problem.