... any ideas?
The 4 I gave in my last post?
One of those odd entries is still present, but it looks good aside from that.
Have HJT fix this one:
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
Glad we could be of assistance. :)
Let us know if any further problems crop up....
Are the O4 entries some sort of script you did? I have never seen anything like that.
It's javascript, but I've never seen it in a log. There are some similar posting at other support forums, but none of them explain whether the stuff is a result of an infection, or some other corruption.
Either way, the garbled entries should be deleted, so let's do that:
Run HJT again, check the following entries, and then click the "Fix checked" button:
O2 - BHO: (no name) - {464A85DC-DE9C-3A3A-DFB1-1C7D5F2206F3} - (no file)
O2 - BHO: (no name) - {542B81FF-1330-FBFA-2F41-FB39CBD7B103} - (no file)
O2 - BHO: (no name) - {970AFABC-A8C9-94D0-8D5F-66EF852F2B74} - (no file)
O2 - BHO: (no name) - {B34A3D57-22E8-9B1C-F14D-54AE4F9B30C5} - (no file)
O2 - BHO: (no name) - {BF364FA3-3377-DBDC-66BF-B40D8A65C712} - (no file)
O2 - BHO: (no name) - {C0F801E8-B022-67A7-68DD-CBEC09276656} - (no file)
O2 - BHO: (no name) - {E0021B01-FF54-F0F2-3749-85057B36F6CC} - (no file)
O3 - Toolbar: (no name) - {BA200138-FEC7-4CF0-B09B-46230A8528A0} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
…
OK- it looks like your original BSOD error was a 0x000000D1 DRIVER_IRQL_NOT_LESS_OR_EQUAL error, which is usually attributed to a device driver issue or faulty/mismatched RAM. The 0000001a error is the memory management error.
Given that two errors can be caused by RAM-related issues, and that you indicated that the problem had been present since the system was built, I would:
1. Check the mobo and RAM module specs; make sure the RAM is of a compatible type/speed for the mobo.
2. Check the RAM modules to make sure that they are firmly and properly seated into their mobo slots. Check all other connections and components while you're in there.
3. If you have more than one RAM module installed:
* Run the system with only one module installed at a time. If the system only BSODs when a particular module is installed, you've found a likely culprit.
* Run an extended test with the free memtest86 RAM test utility. I usually run the tests for at least hours.
4. Recheck the driver software packages you've installed. Make sure that there aren't any known compatibility issues with your particular versions and/or their related hardware devices. Update or reinstall drivers if no other likely causes have been turned up yet.
It advises me to inspect new or suspect drivers, how to get into safe mode, check for properly installed hardware or software, disable BIOS caching and shadowing etc. Paraphrased because it's very long.
Yeah- that's pretty much the standard MS "canned answer" to most of their STOP errors. Basically, Microsoft is saying that they really don't know exactly what caused the error, so they advise you to just start mucking with everything until you find something that works. :eek: :mrgreen:
the technical information was as follows:
STOP: 0x000000C5 (0X00000000, 0x00000002, 0x00000001, 0x8055aE2)
Now that might be helpful...
The suggested Microsoft test/fix is described here:
http://support.microsoft.com/?kbid=291810&sd=RMVP
Give it a try and let us know the results. If it doesn't work there are other things we can try.
I'm glad the Restore got rid of the bogus alert, but there were other indications of infections in your HJT log. If any of those infections were present on the date/time that you restored back to, at least some of the malicious components will still exist on your computer (whether or not you actually see any symptoms).
If you would like, I'd suggest scanning the newly-restored system with HijackThis and posting the log for our review. As the saying goes: better safe than sorry. :)
Read this Microsoft article carefully. I can't guarantee that it will fix your system, but the issue it describes is certainly identical or very nearly identical to the AU/esent.dll problem you are having.
Here's the direct link to the XP version of the patch/fix:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=363F50FC-049E-4504-A987-A78BA8746E39&displaylang=en
The logs look good :)
Are you still getting the error message?
The problem is still there :(
I'm not surprised- ewido detected a few hidden infections which are difficult to kill, and your HJT log is showing different indications of the infections.
Let's start with the Qoologic infection; Please follow these removal instructions:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download the most current updates for Norton, ewido, Defender, and Spy Sweeper.
* Download the QooFix utility.
- Unzip the downloaded file into its own new folder.
- Double click on the file named Qoofix.exe.
- Click the Begin Removal button.
It may take a while to scan, and a reboot may be necessary if an infection is found. Once the scan/fix has completed, the utility will create a file named "Qoofix Logfile.txt" in the QooFix folder.
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries (if they're still present), and then click the "Fix Checked" button.
Close HijackThis once the fixes complete:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bahfqpf.exe
O4 - HKLM\..\Run: [ymnofi] C:\WINDOWS\system32\yujwgk.exe reg_run
O4 - HKCU\..\Run: [uiuph] C:\WINDOWS\system32\yujwgk.exe reg_run
* Reboot your computer in Safe Mode by doing the following :
TRY FOLLOWING THIS LINK TO RESOLVE YOUR ISSUE:
That's the fix. Often just reregistering the dlls with the regsvr32 command (as described toward the end of the above link) will do it.
Very good, then- I'll mark this one as "Solved". :)
L2MFix didn't work for me.
All I got was a command window with a blinking cursor.
Typing the 1 at the blinking cursor didn't do anything.
I hate to ask the obvious, but you did press the Enter key after typing the "1", yes?
You still have multiple malicious components indicated in your log (including Qoologic). Let's start with the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download the following utilities and save them to a convenient location:
ewido Anti-spyware (30-day trial version) - http://www.ewido.net/en/download/
QooFix
ATF-Cleaner
Install and Configure ewido:
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button.
Close HijackThis once the fixes complete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - …
The inability to access secure sites is usually the result of (non-malicious) problems with certain components of IE. Specifically, security-related .dll files become disassociated or "orphaned" in the Windows Registry, leaving IE "confused" as to how to handle secure sites and other authentication issues.
There is a standard fix which reassociates the dlls in question, although I honestly don't know if it works (or if it's even safe to use) with IE7.
As the upgrade to IE7 may just compound the current problem or create new problems, I'd highly suggest rolling back to version 6 before troubleshooting this any further. Performing a major application or OS upgrade (especially to a beta version) on a problematic system isn't really recommended, especially if there's a possibility that malicious infections are involved.
* Have you run any antivirus/antispyware scans yet? If so, which programs did you use, and what exact results did you get?
* If you have not checked for malware yet, this thread has information on, and links to, many of the free detection and removal tools that we recommend and use here.
That log file looks very light on content, but it does show one sign of malware. I suspect there are more "unwanted guests" lurking about.
Please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download the most current updates for Avast!.
* Download and install the following utilities:
Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
ewido Anti-spyware (30-day trial version) - http://www.ewido.net/en/download/
To Install and Configure ewido:
* Download ATF-Cleaner and save it to a convenient location. Don't actually run the program yet.
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the box to the left of the following entry, and then click the "Fix Checked" button.
Close HijackThis once the fix completes:
O4 - HKLM\..\RunServices: [Microsoft Update 32] explorer.exe
* Reboot your computer in Safe Mode by …
I have gotten rid of all the viruses and spyware associated with this.
Unfortunately, your HJT log disagrees with you... :mrgreen:
You have a variant of the Spy Falcon/Spyware Quake malware, the removal of which requires the use of a specific procedure.
The most up-to-date version of that procedure can be found here. Please follow the instructions fully and carefully. When you have completed the removal procedure, please post the contents of the C:\smitfiles.txt and C:\Program Files\RoguesScanFix\task.txt log files which were created during the procedure.
You've definitely got a few unwanted guests, but I'd like to see the log file that L2MFix generated before proceeding. If you don't have that log, please run L2MFix again to create a new one:
* Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening.
* After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
* Was Trend able to clean/disinfect the files? You obviously don't want to restore them if they're still infected.
* What antivirus program do you have installed on your computer? Run a full system scan with that program (after downloading the most current updates for the program, of course) and see if it can clean the files.
* If you can tell us the name(s) of the infection(s) Trend found, we may be able to give you a more specific solution.
Great- glad we could help you get it sorted out. :)
Does everything seem to be back to normal now?
Dump files have their own formatting, which can be understood by utilities such as the "dumpchk" program. Unfortunately, even after "decoding" the contents of a dump file, the resulting output can often take some work to decipher.
When the system creates dump files, it usually also logs an error report in one of the Event Logs; you might find a clue there:
Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning", especially those whose time-stamps coincide with the occurrence of the crashes. Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire contents of the logs).
To post the details:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.
Unfortunately, infected downloads aren't uncommon at all, which is why it's recommended that you only download from reputable, trusted sites.
I'm glad you were able to find and remove the beast, though. Also- the HJT log you posted is clean, so it may be that the infection hadn't really gone "full-blown" yet.
Due to the fact that the member who originally started this thread has not responded in nearly one year, this thread is considered abandoned and has been closed.
In accordance with our posting rules, other members having similar questions or problems need to start their own threads and post their questions there.
In order to help us help you most quickly, please include as much information about your problem as possible in your posts.
If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.
Thank you.
A few Squid resources:
http://www.deckle.co.za/squid-users-guide/Main_Page
http://www.tldp.org/HOWTO/TransparentProxy.html
http://www.tldp.org/HOWTO/Bandwidth-Limiting-HOWTO/install.html
Also, remember that Google for Linux is your friend when it comes to finding Linux-related resources.
Hello rab512003,
You might want to read the announcement at the top of this forum's main page, which states, in part:
Please do not post support requests here. They'll just get lost in the madness, and they won't be targeted towards the experts who can help you out.
Please cut-n-paste the contents of the file directly into your post and/or post the full and exact text of the error message.
* Good- your new HJT log is clean, and ewido seems to have disinfected a few other malicious items. :)
* In terms of the TrustIn Contextual folder, it may have been deleted already, as it was marked as "(file missing)" in your first HJT log. If you search for the folder in the way I suggested, but didn't find it, it most likely doesn't exist anymore.
Sometimes the names of programs that have been successfully uninstalled get "stuck" in the Add/Remove Programs control panel's list and need to be removed manually, and this might be the case with your TrustIn entry. To remove the entry from the control panel, see this Microsoft support article.
* Are you still experiencing shutdown issues or other problems? If so, please give us the details.
It seems to be hit or miss who gets it.
It hit me (ouch!)
I can't figure out how to uninstall anything without the start menu. Can I get to the control panel another way?
Sorry- I wasn't thinking....
Yes- you may be able to open the control panel by typing the following in the Task Manager's New Task box: appwiz.cpl
The two links didn't seem to help any. Thank you so much for your time.
OK- there's another possible solution, but I need to log off right now; I'll post the fix tomorrow.
* What about the IE issues and IEFix?
Then you can mark this thread as solved...
Got it.
This is the sign of infection still visible in your HJT log: C:\WINDOWS\system32\dmssp1.dll
One thing, though: your previous log contained much more detail and indicated many more running programs than your latest log. If you ran the latest scan while Windows was booted in Safe Mode, or while startup programs were disabled via MSConfig, please re-enable all startup items and post the log from a HJT scan done with Windows booted normally.
...but what about the fact of the speed its coming and going and the increasing port on which it is sent...
That's exactly why I said "isn't necessarily indicative..."; the particular behaviours you point out are definitely suspicious.
1. A few general things to do security-wise:
* Obviously, get all of your machines patched with the most current critical fixes from the Windows Update site. If your machines are compromised, getting them to current patch levels may close some of the loopholes through which the infection is operating.
* Disable non-critical (and known-to-be-exploited) services such as UPnP, SSDP Discovery, NetBIOS over TCP/IP, etc. A list of Windows services and their recommended settings is here. (Disabling services essentially closes their associated ports).
* Restrict ports on a per-protocol or per-port basis on your router.
2. Free online virus/malware scanners: see this post
3. Free downloadable trojan/rootkit scanners:
BlackLight - https://europe.f-secure.com/blacklight/
RootKitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html
4. Antivirus/anti-malware utility linkage:
http://www.daniweb.com/techtalkforums/thread27570.html
5. This is usually reserved for our malware forum, but since that may be what we're dealing with, please do the following on one of the possibly-infected computers:
* Download the free HijackThis utility. Once downloaded, follow these instructions to install and run the program:
* Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to …
1. Your HJT log looks very "light on content"; logs usually contain much more info than that. Did you run the scan while Windows was running in Safe Mode, or when you had startup items or other programs disabled (via MSConfig, perhaps)? If so, please post another log from a scan done while booted normally and with all normal startup items enabled.
2. Do you know what this file is?:
C:\Documents and Settings\User\Desktop\programs.exe
If not, right-click on it and choose Properties from the resulting drop-down menu. In the Properties tabs/pages, look for identifying information (Company name, creation/modification date, etc.) and post any such info you find.
3. It would be very sloppy troubleshooting not to eliminate the possibility of a non-malicious fault. Replace your keyboard with another (known to be working) keyboard if you haven't done that already.
4. "dumprep" is part of Windows' error-reporting scheme; the fact that you're seeing it in Task Manager may mean that Windows is noticing something amiss.
Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning", especially those whose time-stamps coincide with the occurrence of the problem(s). Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire …
Hi Emilymomof3,
** Your HJT log indicates that you are running both the McAfee and Norton packages simultaneously! **
Running more than one antivirus or firewall program is definitely not advised, as conflicts between the two will occur. Of the two programs, choose one to keep (the choice is yours; the packages are about equal) and entirely uninstall the other.
As your logs point to no obvious suspects in regard to the desktop/taskbar/explorer problem, I can't guarantee that the following utilities will work, but it definitely won't hurt to try them. They are designed to repair problems at least similar to yours:
1. For the Desktop/Taskbar/Explorer issues.
* The following two tools are scripts which attempt to repair desktop and taskbar damage. To download these tools, right-click on the links below and choose the "Save Link as..." or "Save Target as..." option. Save the files to any convenient folder, as saving to your desktop obviously won't work in this case. If you get any messages warning you about downloading or running scripts, choose to allow the actions:
xp_taskbar_desktop_fixall.vbs
enabledisabledesktopicons.vbs
To run the utilities, just double-click on them and follow the prompts given by the scripts.
* Although not usually associated with Vundo infections, "disappearing" desktops, icons, etc. are a well-known side effect of Smitfraud infections. The following technique, although it refers to the Smitfraud infection in particular, might fix your desktop issues as well:
…
Some general info, which may give you an idea or two:
* Addresses in the range 169.254.0.1 through 169.254.255.254 aren't "outside" addresses, they are private IPs reserved for DHCP autoconfiguration. More on that here.
The 169.254.220.220 address in your logs could very well be the autoconfig IP of the router.
* IP addresses with .255 as the final octet are "broadcast" addresses, meaning that packets with such an address are sent to, and received by, all machines on the local subnet.
* Ports 137 and 138 are NetBIOS ports; the traffic you see on those ports is NetBIOS broadcast traffic.
* Your logs are showing two different 192.168. subnets (192.168.234. and 192.168.15.). Any idea what that's all about?
* The 70.58.142.60 IP is assigned to Qwest Communications. Are you using any of their services?
* The 239.255.255.250 IP and Port 1900 are used by UPnP devices such as some network printers. This traffic can be normal on Windows networks, but UPnP is also an avenue for external exploits. UPnP should be disabled on your network devices unless you know that you need it.
* The "127.0.0.1;192.168.234.201;ICMP;Allowed" entries: ICMP doesn't, AFAIK, use ports and sockets, hence the above message means that the local machine is sending an ICMP control message to its 192.168.234.201 network interface.
Most of the traffic you're seeing isn't necessarily indicative of anything malicious; do …
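A small triage helper for the kind of firewall log discussed in the post above. This is an added example, not code from the thread or from any product; it assumes a constructed "src;dst;proto;port;action" line format and tags each line with the benign explanations listed above (link-local autoconfig, broadcast, NetBIOS, UPnP/SSDP, ICMP), so that only traffic with a routable external peer is left standing out. It also collects the RFC1918 /24 subnets seen, to surface the "two different 192.168 subnets" observation.

```python
"""Firewall-log triage for the address/port patterns described in the post.

Added example (not from the original thread). Assumed log format:
    src;dst;proto;port;action   (port empty for port-less protocols such as ICMP)
"""
import ipaddress
from typing import Dict, List, Set

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # DHCP autoconfiguration (APIPA) range
SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")  # UPnP discovery multicast group
SSDP_PORT = 1900
NETBIOS_PORTS = {137, 138}                            # NetBIOS name / datagram services

# Constructed sample lines, modelled on the addresses mentioned in the post.
SAMPLE_LOG = """\
192.168.234.201;192.168.234.255;UDP;137;Allowed
192.168.234.201;192.168.234.255;UDP;138;Allowed
192.168.15.7;239.255.255.250;UDP;1900;Allowed
169.254.220.220;192.168.234.201;UDP;68;Allowed
127.0.0.1;192.168.234.201;ICMP;;Allowed
70.58.142.60;192.168.234.201;TCP;445;Blocked
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into typed fields; port is None when the field is empty."""
    src, dst, proto, port, action = line.strip().split(";")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.upper(),
        "port": int(port) if port else None,
        "action": action,
    }


def is_external(addr: ipaddress.IPv4Address) -> bool:
    """True for a routable Internet address: not RFC1918, loopback, link-local or multicast."""
    return addr.is_global and not addr.is_multicast


def classify(line: str) -> List[str]:
    """Return the tags explaining why a line is expected local noise (or is not)."""
    rec = parse_line(line)
    src, dst, proto, port = rec["src"], rec["dst"], rec["proto"], rec["port"]
    tags: List[str] = []
    if src in LINK_LOCAL or dst in LINK_LOCAL:
        tags.append("link-local-autoconfig")
    if dst.packed[-1] == 0xFF:            # final octet .255: directed broadcast on a /24
        tags.append("broadcast")
    if proto == "UDP" and port in NETBIOS_PORTS:
        tags.append("netbios")
    if dst == SSDP_MULTICAST and port == SSDP_PORT:
        tags.append("upnp-ssdp")
    if proto == "ICMP":                   # ICMP has no ports, so the port field stays empty
        tags.append("icmp-control")
    if is_external(src) or is_external(dst):
        tags.append("external-peer")      # the only category that merits a closer look
    return tags or ["unclassified-local"]


def local_subnets(log: str) -> Set[str]:
    """Collect the RFC1918 /24 subnets present, to spot hosts living on two different LANs."""
    nets: Set[str] = set()
    for line in log.splitlines():
        rec = parse_line(line)
        for addr in (rec["src"], rec["dst"]):
            if addr.is_private and not addr.is_loopback and addr not in LINK_LOCAL:
                nets.add(str(ipaddress.ip_network(f"{addr}/24", strict=False)))
    return nets


def triage(log: str) -> List[Dict[str, object]]:
    """Classify every line and return only those involving an external peer."""
    findings: List[Dict[str, object]] = []
    for line in log.splitlines():
        tags = classify(line)
        if "external-peer" in tags:
            findings.append({"line": line, "tags": tags})
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(f"{entry:50} -> {', '.join(classify(entry))}")
    print("local /24 subnets seen:", sorted(local_subnets(SAMPLE_LOG)))
    print("needs attention:", [f["line"] for f in triage(SAMPLE_LOG)])
```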
Please give us some specifics, such as:
* The exact version of Windows you are using.
* The Web Browser you are using.
* The type of Internet connection you have (Cable, DSL, etc.).
* The details of your physical network configuration and the devices (modem, router, etc. ) involved.
OK- good luck with the rest. :)
There is only one abnormal entry in your HJT log. Put a check in the box to the left of the entry and then click the "Fix checked" button:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
There are definitely infections which modify the Registry and create the symptoms you describe, but because we have no names or other clues as to the exact identities of your "unwanted guests", we'll have to probe a bit more:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download and install ewido Anti-spyware (30-day trial version) - http://www.ewido.net/en/download/
Install and Configure ewido:
* Reboot your computer in Safe Mode by doing the following :
OK, that explains why nothing is showing up in your HJT log.
1. "Win32:CTX" has been found in "C:\WINDOWS\system32\ActiveScan\pskavs.dll" file.
This is essentially a false-positive; Avast! is detecting the remnants of the online Panda scan you performed. You can safely delete the entire C:\WINDOWS\system32\ActiveScan folder, as it was created by Panda and is no longer used/needed.
2. "Win32:FakeAlert [Trj]" has been found in "http://locator1.cdn.imagesrvr.com..."
The above location appears to be a Web shortcut. You should find the shortcut and delete it, as the "SysProtect" program is malware.
3. The "javainstaller" files:
* Open your Java Control Panel
* In the General tab of the control panel, click the "Delete files..." button.
* Put a check mark in all boxes and click OK.
* Close the Java CP.
If that doesn't work for some reason:
* Boot into Safe Mode again
* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
* Manually delete everything in the C:\Documents and Settings\Mark\Local Settings\Temp folder.
* Empty your Recycle Bin and reboot normally.
-
Also, if the state of your computer allows:
* Visit at least two of the following sites for an online virus scan (if the scanners find any malicious items, note their names and include that information in your next post):
BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.
Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.
Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.
eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Also run this online trojan scanner: TrojanScan
Does Avast! give you any specific information as to the exact locations of the remaining infected files?
Hi crazy girl, welcome to DaniWeb :)
While startup and/or shutdown problems can definitely be caused by non-malicious problems, I do see indications of at least one malware program in your HJT log.
Before we begin cleaning though, there is one thing you need to take care of:
C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:
Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
____________________________________________________________________________________
Once you've fixed the above problem:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Open your Add/Remove Programs control panel and uninstall any software related to "TrustInBar" or "TrustInCash" if you find it listed there.
* Download the …
Yes- your latest HJT and ewido logs are both clean, and it appears that your hosts file is clean as well.
You should wait until kylethedarkn gives a final OK to this as well, as he was your primary troubleshooter on this issue.
1. Delete the entire C:\WINDOWS\system32\AdCache folder if it still exists, and then empty your Recycle Bin.
2. You're right- malicious entries are no longer present in your latest HJT log. This is a Good Thing :)
3. You may find some clues regarding the Explorer trouble in your System and Application logs:
Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning", especially those whose time-stamps coincide with the occurrence of the problem(s).
Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates of a given entry, or flood us with the entire contents of the logs).
To post the details:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.
Apologies for the delays- we seem to be a bit shorthanded lately.
You are absolutely right about the suspicious files- they are part of your infections, although there are other malicious files which are recreating the ones you are trying to kill.
Please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download the most current updates for Norton AV and Spy Sweeper.
* Download and install the following utilities:
Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
ewido Anti-spyware (30-day trial version) - http://www.ewido.net/en/download/
To Install and Configure ewido:
* Download ATF-Cleaner and save it to a convenient location. Don't actually run the program yet.
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button.
Close HijackThis …
Hi teksun, welcome to Daniweb :)
Your primary issue is a "Spy Falcon" infection, a variant of the Smitfraud malware. Please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
* Download ewido Anti-Spyware (30-day trial) - http://www.ewido.net/en/download/
Install and configure ewido:
* Download ATF Cleaner by Atribune. Save the folder to your desktop or to another convenient location, but do not run it yet.
* Run HijackThis again, put a check mark in the boxes to the left of the following entries, and then click the "Fix checked" button. Close HJT once the fixes are completed:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} …
HI bluewalker, welcome to DaniWeb :)
Your log indicates WebHancer adware, as well as one leftover from the Smitfraud infection.
Your log also indicates that you (or someone) downloaded a "Yazzle" game package. Has Yazzle actually been installed yet?
Please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* Download and install the most current updates for ewido and Avast!.
* Download ATF Cleaner and save it in a convenient location.
* Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button. Close HJT when the fixes complete:
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - AppInit_DLLs:
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - (no file)
* Reboot your computer in Safe Mode.
* Run ATF-Cleaner
- Double-click ATF-Cleaner.exe to open the program.
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox browser : Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: …
Keep us updated on your progress; we'll be here... :)
Hi genusarmy, welcome to DaniWeb :)
To begin with, please do the following:
Download the (free) HijackThis utility:
Once downloaded, follow these instructions to install and run the program:
Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
I see signs of multiple infections in your log (in addition to the symptoms you describe, which sound like Blaster worm doings). Let's see if we can gain back some control with the utilities you currently have:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
* If the NT Authority/RPC/Generic Host Process errors are giving you the 60-second shutdown timer, do the following before the timer expires to abort the shutdown:
- Click on your Start button, and then click the "Run..." option.
- In the resulting "Open:" dialog box, type the following and then click "OK":
shutdown -a
* If your computer allows, download and install the most current updates for AVG and Spyware Doctor.
* Physically disconnect your network cable from the computer.
* Open the Services utility in your Administrative Tools Control Panel
- Locate the service named "Microsoft Time server 1" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Close the Services utility after that.
* Run another HijackThis scan, put a check in the boxes to the left of the following …
Glad you got rid of the symptoms, but there's a good chance that pieces of the infections are still present. There were signs of infection in your last HJT log; if you would like to post a new log for us to review, please do.