dlh6213 27 Posting Maven Team Colleague

Hi Red_chikita, welcome to DaniWeb :D

To resolve your problem you should start a new thread in the Virus forum (http://www.daniweb.com/techtalkforums/forum64.html) after you've followed the advice in the 'pinned' topics at the beginning of the forum (also in the links below).

Happy computing!

dlh6213 27 Posting Maven Team Colleague

I don't see anything in your log that would indicate a problem.

The first thing I would check for is a loose connection inside the case (be sure to guard against damage via static electricity).

If this doesn't fix the problem, you should post your question in the Hardware forum (http://www.daniweb.com/techtalkforums/forum7.html), without the HijackThis log :)

dlh6213 27 Posting Maven Team Colleague

Hi Violation, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis.

When you've completed all that, and got SP1 (or SP1a) for XP and IE, please post a new log.

dlh6213 27 Posting Maven Team Colleague

You are running an older version of HijackThis; you can get the latest version of HijackThis from here:
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Well, Aurora has managed to get back into your system :(

Before cleaning that up again, please download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for 'Run Find Log' by typing 1, and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread with your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Now go to post #5 in this thread again to remove Aurora:
http://www.daniweb.com/techtalkforums/thread28196.html

When you've finished, please post a new HJT log, the new Ewido log, and the L2MFix log.

dlh6213 27 Posting Maven Team Colleague

You're welcome :)

dlh6213 27 Posting Maven Team Colleague

Please download and run Kill2Me -- http://www.majorgeeks.com/downloadget.php?id=4166&file=9&evp=e994cf5e9abe6c93b47c01f2922c271f

Then, scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...5362&id=1.20030
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1561f3a...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1105568661864
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...ro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...wn.cab31267.cab

Close any open windows, other than HJT, and hit Fix checked.

Reboot, close any open browser windows, scan with HJT, and post a new log please. And let us know if you're still having any problems.

dlh6213 27 Posting Maven Team Colleague

I have a 19" LCD which has an actual viewable area of 19"; what's the viewable area on the 22" CRT?

dlh6213 27 Posting Maven Team Colleague

Hi Traceur, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis (like putting it in its own permanent folder).

When you've completed all that, and moved HJT, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Sorry, guys. I just read the basic cleanup thread. I'll do a little work on my own and post a new log.

Hi Tracey, welcome to DaniWeb :D

You can still do that, but this should cover most of what you need to do.

Go to Add/Remove programs in your Control Panel and remove:

Newdotnet
VIEWPOINT (or VIEWPOINT TOOLBAR, or something similar)

If Newdotnet is not there, go to http://www.newdotnet.com/removal.html and scroll down to the uninstall tool.

Scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: IEHlprObj Class - {27D37EAE-7B53-41C9-8B54-7437A8EB00A3} - C:\WINDOWS\SYSTEM\MO030414S.DLL (file missing)
O2 - BHO: TChkBHO Class - {8E1C8755-A9EE-4D13-BA05-064A271E2E34} - C:\WINDOWS\SYSTEM\UMALEUO.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll (file missing)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...US_ZBxdm115YYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
Have HJT fix these O15 entries only if you did not put them in your Trusted Zone yourself --
O15 - Trusted Zone: *.taxsoftware.com
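
Added example (not part of dlh6213's posts and not HijackThis code): a small Python parser for entry lines like the ones quoted in the post above. It splits out the section code, CLSID and file path, and marks entries that the log itself reports as "(file missing)" or "(no file)". The function names and note labels are assumptions made for this illustration; the sample lines are copied from the post above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section codes seen in the entries quoted on this page.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "IE URLSearchHook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "IE context-menu item", "O15": "Trusted Zone site",
    "O16": "ActiveX (Downloaded Program Files)",
}

ENTRY_RE = re.compile(r"^\s*(?P<code>[RO]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|*?]+?\.(?:exe|dll)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    url: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'CODE - body' line; return None for anything else."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = Entry(code, SECTIONS.get(code, "unknown section"), body)
    clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
    entry.clsid = clsid.group(0).upper() if clsid else None
    entry.path = path.group(0) if path else None
    entry.url = url.group(0) if url else None
    # HijackThis itself reports that the referenced file is gone.
    if "(file missing)" in body or "(no file)" in body:
        entry.notes.append("orphaned")
    # The forum software shortened the URL; do not try to reconstruct it.
    if entry.url and "..." in entry.url:
        entry.notes.append("truncated-url")
    # The post says to fix O15 only if the user did not add the site.
    if code == "O15":
        entry.notes.append("confirm-with-user")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every entry line in a pasted log, skipping prose lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def live_files(entries: List[Entry]) -> List[str]:
    """Paths still expected on disk (not reported missing), deduplicated."""
    return sorted({e.path for e in entries if e.path and "orphaned" not in e.notes})


# Lines copied from the post above (one prose line included to show skipping).
SAMPLE = r"""
Scan with HijackThis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
O2 - BHO: IEHlprObj Class - {27D37EAE-7B53-41C9-8B54-7437A8EB00A3} - C:\WINDOWS\SYSTEM\MO030414S.DLL (file missing)
O2 - BHO: TChkBHO Class - {8E1C8755-A9EE-4D13-BA05-064A271E2E34} - C:\WINDOWS\SYSTEM\UMALEUO.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O15 - Trusted Zone: *.taxsoftware.com
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(f"{e.code:<4}{e.section:<24}{e.path or e.url or '-'}  {e.notes}")
    print("files to verify on disk:", live_files(parse_log(SAMPLE)))
```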

dlh6213 27 Posting Maven Team Colleague

Please follow the suggestions and recommendations in the links below.

When you have finished, please post a HijackThis log here in this thread.

dlh6213 27 Posting Maven Team Colleague

Please download Kill2Me -- http://www.majorgeeks.com/downloadget.php?id=4166&file=9&evp=e994cf5e9abe6c93b47c01f2922c271f

Run it to remove Look2Me from your computer.

Download WinPFind -- http://www.bleepingcomputer.com/files/winpfind.php

Right-click the Zip Folder, Select Extract All, and Extract the file to a convenient location, such as your Desktop, but don't do anything with it yet!

Reboot into Safe Mode.

Now, double-click WinPFind.exe

Click Start Scan; it will scan your entire system, so please be patient.

Once the Scan is complete, go to the WinPFind folder, and locate WinPFind.txt; copy and paste the results in your next post.

Scan with Ewido again, and post the results with your next reply.

Reboot (normal mode).

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {25BC5023-012B-4883-B5CB-523A8409C73A} - C:\WINDOWS\System32\llqrl.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\ylthpdta.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsj19.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: …

dlh6213 27 Posting Maven Team Colleague

Hi Destiny, welcome to DaniWeb :D

If you're still having problems with this, please follow the suggestions and instructions in the links below. If you need additional help after that, please start a new thread in the Virus forum.

dlh6213 27 Posting Maven Team Colleague

Hi Rajes_hk, welcome to DaniWeb :D

Please post your question in the VB forum:
http://www.daniweb.com/techtalkforums/forum4.html

dlh6213 27 Posting Maven Team Colleague

Hi Johnhofmann, welcome to DaniWeb :D

It sounds as if you should start off in the Web Design forum to me:
http://www.daniweb.com/techtalkforums/forum15.html

Good luck!

dlh6213 27 Posting Maven Team Colleague

Hi Manchandap, welcome to DaniWeb :D

dlh6213 27 Posting Maven Team Colleague

Hi Glassdanse, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to fix a few of the HijackThis entries yourself.

After you've finished with the part about HijackThis, follow the instructions in post #7 (LOP removal).

When you've completed all that, please post a new HJT log, and let us know if you are still having problems.

dlh6213 27 Posting Maven Team Colleague

PurityScan is an adware program that downloads and displays advertisements on a computer. To stop the ads, run the uninstaller found here:

http://www.purityscan.com/uninstall.html

dlh6213 27 Posting Maven Team Colleague

Ok, that appears to have fixed everything. Thank you greatly for all of your help. Here's the new HJT log. If there are no more nasties in there you can close this thread. Thanks again!!

That log looks clean to me :)

You're welcome!

dlh6213 27 Posting Maven Team Colleague

Post a new HJT log :)

dlh6213 27 Posting Maven Team Colleague

Hi SeizureBear, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis.

When you get to the third one, go to post #6 to resolve most of your problems.

After you've done this, please post a new HJT log.

dlh6213 27 Posting Maven Team Colleague

Hi MagicTwists, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis.

Download Ewido Security Suite from here (if you're using Windows XP):
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Reboot into Safe Mode and do a full system scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan with your next reply).

Reboot normally, close any open browser windows, scan with HJT, and post the log here along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

I believe this is a part of, or related to, CoolWebSearch (CWS), which can add addresses to the HOSTS file, redirect search and start page settings, and may put the hijacker's web site in your browser's Trusted zone.

Please follow the recommendations and instructions in the links below to help protect and clean up your system. When you get to the third thread, go to post #6 to (hopefully) remove CWS/evker.

When you've finished, please post a HijackThis log for review.

dlh6213 27 Posting Maven Team Colleague

Hi NoExpert, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis (like putting it in its own permanent folder).

After you've finished the first post (about HijackThis), see post #8 for links to fixes for smitfraud; you may also want to try the suggestions in post #4.

When you've completed all that, and moved HJT, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Hi KLaura, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis (like putting it in its own permanent folder).

After you've finished the first post (about HijackThis), follow the instructions in post #4 (HotOffers), and then go to post #8 for links to fixes for SpySheriff.

When you've completed all that, and moved HJT, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Follow the 'Cleanup' procedures in the second link below (including CCleaner) and that should do it. Are you still having any problems?

dlh6213 27 Posting Maven Team Colleague

Try these suggestions:

IEFix -- http://windowsxp.mvps.org/IEFIX.htm

Winsockfix -- http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Have you checked your firewall settings to see if anything there could be blocking some sites?

You can also try another browser to help determine if the problem is with IE or not. You can get Firefox from here:
http://www.mozilla.org/products/firefox/

Let us know the results :)

dlh6213 27 Posting Maven Team Colleague

Sorry, I missed a step. Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings. Select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

For any of the popup messages you're getting, don't click on any of them, not even to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Post a new HJT log with your next reply (after you've fixed/deleted the bad entries).

dlh6213 27 Posting Maven Team Colleague

Glad to hear it :)

You're welcome!

dlh6213 27 Posting Maven Team Colleague

Is IE working properly now?

dlh6213 27 Posting Maven Team Colleague

Hi Robin, welcome to DaniWeb :D

Are you using Outlook or Outlook Express?

What browser are you using? If it's IE, see if any of the suggestions here work:
http://www.outlooknewsgroups.net/group/microsoft.public.outlook/topic1261.aspx

If it's Firefox, try this:
http://www.slipstick.com/problems/firefox.htm

dlh6213 27 Posting Maven Team Colleague

Hi Magictwists, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below. The first one will help you protect your PC from further intrusions, the second will get you started cleaning up your system, and the third should give you the information you're looking for about HijackThis. If you need clarification on anything, please don't hesitate to ask :)

dlh6213 27 Posting Maven Team Colleague

Try these suggestions:

WinsockXPFix -- http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/WinsockXPFix/WinsockXPFix.exe

IEFix -- http://windowsxp.mvps.org/IEFIX.htm

Have you checked your firewall settings to see if anything there could be blocking some sites?

You can also try another browser to help determine if the problem is with IE or not. You can get Firefox from here:
http://www.mozilla.org/products/firefox/

dlh6213 27 Posting Maven Team Colleague

I fixed with Hijack this, but when I went to delete in Windows/system, it wasn't there. Does that cause a problem?

No, that's not a problem, as long as it's gone :)

Your log looks clean to me; are you still having any trouble?

dlh6213 27 Posting Maven Team Colleague

It was supposed to go away, but it's being stubborn :(

Make sure your system is set up to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

Reboot into Safe Mode.

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe <-- File

E:\WINDOWS\etb <-- Folder

If you still can't find or delete these, open HijackThis again and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy and paste E:\windows\system32\elitecla32.exe into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Repeat the delete on reboot instructions for E:\WINDOWS\etb\pokapoka62.exe.

Do a search for drawbend and duperealpure and see if you can find out anything about these now. It's no longer in your log, but if it's something bad we should make sure it's actually gone.

Back in normal mode, scan with HijackThis and post a new log.

dlh6213 27 Posting Maven Team Colleague

Hi NormalGirl, welcome to DaniWeb :D

I can offer a couple of suggestions, but I first need to know what operating system you're using.

dlh6213 27 Posting Maven Team Colleague

PInfo and WareOut are both folders (not files), and should be found as shown --

C:\Program Files\PInfo
C:\Program Files\WareOut

(Be sure your system is set up to 'Show hidden files and folders')

If you don't find them there, do a search for:

PInfo
WareOut

And delete any instances found.

Other than that, your log looks clean; are you still having problems?

dlh6213 27 Posting Maven Team Colleague

I just see one more thing to fix there; I wasn't sure before so I had to do a bit of research.

Scan with HJT and have it fix

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k

Remember to close all windows before hitting Fix checked.

Go to C:\PROGRAM FILES and delete the Acceleration Software folder.

Empty the Recycle Bin and reboot.

According to the Ewido Log, it looks like she has, or had, the Qoologic trojan.

Please get Find_qoologic.zip (by baskar1234) from:
http://home.earthlink.net/~firestrike/antispy/findqoologic.zip

After you download it, unzip it; go to the new qoologic folder and double-click on qoologic.bat to run it. It will take a few minutes to scan the drive, so be patient. When it has finished, open My Computer, double-click on the C: drive, and copy & paste the contents of the below logs into this thread.

C:\log.txt
C:\win.txt
C:\start.txt

dlh6213 27 Posting Maven Team Colleague

It's very likely that your problem is caused by some form of malware and it's not recommended to get SP2 on an infected machine.

Follow the recommendations and instructions in the links below, and then post a HijackThis log in the Virus forum (not in this thread) to establish whether or not your system is clean.

dlh6213 27 Posting Maven Team Colleague

Hey Hammy, long time no see.

In the future, remember to close any open browser windows before scanning with HJT.

I believe 'pokapoka' is your main problem. Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe

E:\WINDOWS\etb

If either cannot be deleted, try booting into Safe Mode and deleting it from there.

Do you know what this file is for: duperealpure.exe? If not, do a search for it, right-click on it, go to Properties, and get whatever information you can from there (Company, version, etc.).

Reboot (normally), close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi Michael, welcome to DaniWeb :D

First, right-click in an open area of your desktop and select New, Folder; give the new folder a name (such as HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Now, scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll
O4 - HKLM\..\Run: [Lisa] C:\Program Files\PInfo\Dialers\Lisa\Lisa.exe /dontdial
O4 - HKLM\..\Run: [HotBlondes] C:\Program Files\PInfo\Dialers\HotBlondes\HotBlondes.exe /dontdial
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - http://go-in-now.com/tl7000.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared...76/mcinsctl.cab
O16 - …

dlh6213 27 Posting Maven Team Colleague

Hi Jon, welcome to DaniWeb :D

I could be overlooking something, but I don't see anything wrong in your HijackThis log.

Have you recently installed a firewall? Did you get SP2 around the time the problem started?

What browser are you using?

dlh6213 27 Posting Maven Team Colleague

Good catch! No, it's not good, it's part of Javatv32.exe which is a Trojan/Backdoor. Sorry I overlooked that last time.

Scan with HJT and have it fix this line:

O4 - HKLM\..\Run: [ATLEV32.EXE] C:\WINDOWS\SYSTEM\ATLEV32.EXE

Then go to C:\WINDOWS\SYSTEM and delete ATLEV32.EXE

If you can't delete it, try booting into Safe Mode and deleting it from there.

Reboot (normally), close any open browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi Joseph,

I've split your post into its own thread per forum rules (http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules)

Try these suggestions:

IEFix -- http://windowsxp.mvps.org/IEFIX.htm

Winsockfix -- http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Have you checked your firewall settings to see if anything there could be blocking some sites?

You can also try another browser to help determine if the problem is with IE or not. You can get Firefox from here:
http://www.mozilla.org/products/firefox/

If it still doesn't work, go to the third link in my signature block below (Infection removal), and follow the instructions for getting and posting a HijackThis log.

dlh6213 27 Posting Maven Team Colleague

Hi ElGringo, welcome to DaniWeb :D

Congratulations on getting your system functioning properly again!

It is often recommended to disconnect from the net and boot into Safe Mode when removing malware, though actually removing the NIC card is unnecessary.

Go ahead and post your HijackThis log and we'll have a look to make sure everything is clean. Post the Ewido log as well, if you saved it.

dlh6213 27 Posting Maven Team Colleague

Hi Georgia,

Please move HijackThis to its own permanent folder as shown in any of the 'good' examples below --

C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe <-- Bad, HJT in Temp folder
C:\HIJACKTHIS.EXE <-- Bad, HJT running directly from hard drive
C:\Documents and Settings\User\Desktop\HijackThis.exe <-- Bad, HJT running directly from desktop
C:\Documents and Settings\me\My Documents\HijackThis.exe <-- Bad, HJT not in its own folder
C:\Documents and Settings\User\Desktop\HJT\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\Program Files\hijackthis\HijackThis.exe <-- Good, HJT in its own permanent folder
E:\Utilities\HijackThis\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\HJT\HIJACKTHIS.EXE <-- Good, HJT in its own permanent folder

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Reboot into Safe Mode and run a full system scan with Ewido allowing it to fix whatever it finds... save the log from the scan results.

Reboot normally, close any open browser windows, scan with HijackThis, and post a new log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

You're welcome :D

dlh6213 27 Posting Maven Team Colleague

Hi Tina,

You're not being a pain. We'll try this first; if you still don't have it on the Administrator's desktop, we can try saving it somewhere else.

Open Internet Explorer and click on this link (for Nailfix):

http://www.noidea.us/easyfile/file.php?download=20050515010747824

When the 'File Download' window comes up, click on Open; a new window should pop up named 'Nailfix.zip' and on the left side there should be an option to Extract all files. Click on that box and the Extraction Wizard should come up. Click Next, and in the next window select Browse. A 'Select a destination' window will come up; find Desktop and click on it to highlight it, click OK, and you will be brought back to the Wizard. Click Next, and then Finish.

Nailfix.cmd should now be on your desktop; try rebooting into Safe Mode and logging in as Administrator, and see if the file is now on the desktop. If it is, follow the Aurora removal instructions.

If it's still not there (or you can do this initially if you think it will be easier), reboot normally and follow the above instructions for downloading and extracting Nailfix, but this time when you select a destination, go to 'My Computer,' then your 'C' drive, 'Windows,' 'Temp;' click OK, then Next, and Finish.

Now when you boot into Safe Mode and log in as Administrator, go to C:\WINDOWS\Temp and Nailfix.cmd should be there. You should now move it to the desktop …

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove 180Solutions, if present.

Do a search for 180Solutions and delete any instances found.

Follow the recommendations and instructions in the 'Cleanup' and 'Protection' links below.

Then, carefully follow the instructions in post #5 of the 'Infection Removal' link.

When you've finished, please post the new HJT and Ewido logs.