DMR 152 Wombat At Large Team Colleague

Hi sdeguzman, welcome to DaniWeb :)

First of all, you need to give us the full and exact text of the error(s) you get, as well as any other details that might be related to the problem. The more information we have to go on, the faster we can help you get things sorted out.

If it seems that a HijackThis log would help, we'll give you instructions on just how to do that.

DMR 152 Wombat At Large Team Colleague

We are DONE here, folks!

This was a thread about Windows Vista.

This was not a thread about Mac vs PC, Windows vs Linux, or any other Geek Holy War. Nor was it a place to start baiting other members into debates on such (ridiculously meaningless) topics.

In the future, if you feel that absolutely must spew and spout, please at least have the courtesy to do so in the Geek's Lounge.

DMR 152 Wombat At Large Team Colleague

Sorry CasMax, but something in your last post corrupted this thread; I had to delete the post.

The good (?) news, though: I was able to read one thing that you posted which stood out. You said:

Under Threads, one is using about 97%:
sstts.dll!CreateProtectProc+0xae0

sstts.dll is a filename associated with the Vundo family of infections, and its presence on your computer would be a likely explanation for the abnormal CPU usage.

* Open Process Explorer again. Click on the "View" menu item, make sure that the "Show Lower pane" option is checked, and click "Dlls" under the "Lower Pane View" submenu option.

* Locate sstts.dll in the lower pane and tell us the full path to the file's location. I'd expect the location to be C:\Windows\System32, but it could live elsewhere.

DMR 152 Wombat At Large Team Colleague

Isn't this getting a bit off-topic now?

Ahh... yeah; very much so.
Let's get back on track, and leave this kind of thing:

Let's hash it out. Debate is good and it is fun.

for the Geek's Lounge, please.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in quite a long time, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar questions or problems need to start their own threads and post their questions there.
In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hi sacheson, welcome to DaniWeb :)

We definitely appreciate new members who are willing to jump right in and help out, but please review threads before replying to them. Posting to long-abandoned threads (this particular thread is 1 1/2 years old), or posting to threads marked as "Solved", only distracts from the many currently-active threads that need to be worked on.

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

As the original poster's problem was resolved quite some time ago, this thread has been closed.

In accordance with our posting rules, other members having similar questions or problems need to start their own threads and post their questions there.
In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hey guys. I'm sorry about reviving a dead thread, but...

Hi ness151,

First of all- welcome to DaniWeb :)

We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Given that, I've moved your post into a new thread of its own, which you can find here. We'll follow up with you in that thread.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

OK- keep us posted...

DMR 152 Wombat At Large Team Colleague

* How often are you getting the 404 errors?
* Do they happen only at certain sites, or do they happen at random times on sites which usually work for you?

Keep in mind that unless you're getting consistent page errors on sites that you know should be functioning, it's likely that the problems are not with your computer but with the servers on which the web pages you are trying to reach reside.
_________________________________________________________________________________

The file you scanned is part of a known family of infections; please perform the removal procedures below:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.


* Use Norton's Live Update feature to install the latest virus definitions for the antivirus program. Don't actually run a scan with Norton yet; just close the program once it has updated.

* Please download Ewido Anti-Malware; it is a free version of the program.

  1. Install Ewido Anti-Malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch Ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start …
DMR 152 Wombat At Large Team Colleague

No problem; it's a very common mistake.
Most tech support forums, including ours, have a "one member's problem per thread" posting guideline, because it just gets too confusing to follow a thread when multiple people are trying to solve multiple problems within it.

If you can follow up on my request regarding the ds3m32.dll file, we can continue with a fix.

DMR 152 Wombat At Large Team Colleague

I can be a right bloody Muppet sometimes. :-|

I'm very sorry, but I omitted a critical piece of the HijackThis "fix" instructions in my last post, which basically resulted in some items not getting fixed at all...

I have edited my last post, with the correction added in red and bold. Please repeat the entire procedure and post the resulting new logs.

Again- sorry for the trouble...

DMR 152 Wombat At Large Team Colleague

OK- the next steps:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Please download Ewido Anti-Malware; it is a free version of the program.

  1. Install Ewido Anti-Malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch Ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  6. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

Don't actually run a scan with ewido yet, just close it for now.


* Please download ATF Cleaner by Atribune. Save the file to your desktop or any other convenient location. Again- don't run the program yet.


* Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button. Close HijackThis once the fixes complete:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - …

DMR 152 Wombat At Large Team Colleague

Which version is right for me, XP SP2?

This one.

What do I do with it?

The download is in .zip format. Save the download to your desktop, right-click on it, and choose "Extract all.." from the resulting menu. Follow the file-extraction wizard's prompts to extract the actual "procexp.exe" program file.
Once you've done that, click on procexp.exe to run it.
There is a good help file available under the program's Help menu item; a full description of the program's usage isn't something I can post here.

What would I be looking for?

As with Task Manager, you are looking for a specific process with a consistently high CPU usage (disregard the "System Idle Process").

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all open programs and disconnect from the Internet for some of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Please download ATF Cleaner by Atribune and save the file to your desktop. Do not actually run the program yet!


2. Click on the "Run..." option under your Start menu, type "CMD" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open a DOS window.
* At the DOS prompt, type the following three commands one at a time, hitting the Enter key after each:

ipconfig /flushdns
sc stop "AOL ACS"
sc delete "AOL ACS"

* Close the DOS window after the third command completes. If you receive any errors while doing the above, tell us exactly what they were.

* Open HijackThis again and run another scan. Put a check in the box to the left of the following entry (if still present), and then click the "Fix Checked" button after that:

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe


3. Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options …
DMR 152 Wombat At Large Team Colleague

Much better, but there's still some cleanup to do by the looks of your latest log:

1. Run HijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button. Close HijackThis once the fixes are complete:

O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [39243471.exe] C:\WINDOWS\system32\39243471.exe
O4 - HKCU\..\Run: [39243471.exe] C:\Documents and Settings\David\Local Settings\Application Data\39243471.exe
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)

2. Reboot into Safe Mode again and:

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

* While still in Explorer, search for and delete the following files if they still exist:
C:\WINDOWS\system32\hp100.tmp
C:\WINDOWS\system32\39243471.exe
C:\Documents and Settings\David\Local Settings\Application Data\39243471.exe
C:\WINDOWS\system32\hvcycg.dll
winepi32.dll <- This file is probably in your C:\WINDOWS\system32 folder if it exists at all, but search your entire C: drive for the filename

* Run another complete system scan with ewido; as before, have it clean all items it finds. Save the new log.

* Empty your Recycle Bin and reboot normally.

* Run HJT again and post the new log. Also post the new ewido log.

-

DMR 152 Wombat At Large Team Colleague

...here is the complete log:

You have no 016 - 019 entries?

The log is clean; the Restore must have erased the culprit.

DMR 152 Wombat At Large Team Colleague

1. Please describe the exact symptoms you are experiencing in as much detail as possible.

2. I'm suspicious of the C:\WINDOWS\SYSTEM32\ds3m32.dll file listed in your HijackThis log, but I can't find any information on the file at all (one of the reasons for my suspicion). Please go to this site and submit the file for analysis.
To submit the file, click on the "Browse..." button at the top of the page I linked to above; a "File Upload" window will open. In that window, browse to your C:\WINDOWS\SYSTEM32 folder, highlight the ds3m32.dll file, and then click the "OK" button.
Post the results of the filescan in your next post here.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in quite a long time, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar questions or problems need to start their own threads and post their questions there.
In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hello idontno, welcome to DaniWeb :)

Hi,

First of all- welcome to DaniWeb :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

In light of the above, I've moved your post into its own thread, which you can find here. We will continue troubleshooting with you in that thread.


For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Thanks- that did the trick. :)
Your log indicates that you still have startup entries in your Registry which reference NVidia files.

*Run HijackThis again, put a check next to the following entries, and then click the "Fix Checked" button:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

* Close HJT once it has finished the fixes, reboot, and see if you still receive the error messages.


-

DMR 152 Wombat At Large Team Colleague

I'd also have a look at the configuration of the "Pure Networks" software components, your firewall rules, and your router's configuration (assuming you use a router). Configuring remote access to your home network would not necessarily involve installing malicious software on your computer.

DMR 152 Wombat At Large Team Colleague

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\4HXAYPYJ\HijackThis[1].exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

kylethedarkn-

Ping.exe is a valid process

Not when it's running from a folder named "C:\WINDOWS\system32\CROSOF~1", it isn't. :mrgreen: The entire "CROSOF~1" folder is bogus.
(Besides, the ping command normally sends only 4 ping requests and then quits; it's not a persistent process.)

I've got to log off and get some sleep right now, but from what I can see, you're dealing with a PurityScan/OIN infection there.

-
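The two posts above spot trouble in a HijackThis log by eye: a program running from a Temp folder, and a well-known Windows process name (ping.exe, csrss) that is launched from a directory it does not normally live in or used as the label of a startup entry that actually runs some other file. The following is an added example, not DaniWeb's, DMR's or HijackThis's own code, that applies those checks to log lines; the expected directories for ping.exe and csrss.exe assume a Windows XP layout, and the CROSOF~1 line in the sample is constructed for the example (the other sample lines are quoted from the posts on this page).

```python
"""Triage of HijackThis-style log entries (added example, not HijackThis code).

Checks applied to each line:
  temp-folder                 program lives under a Temp folder
  wrong-directory             well-known binary runs from an unexpected folder
  label-mimics-system-process O4 label looks like a system process, file differs
  file-missing                HijackThis reported "(file missing)"
"""
import ntpath
import re
from typing import Dict, List

# Well-known binaries and the directory each normally lives in (assumption:
# Windows XP layout, matching the logs quoted on the page).
EXPECTED_DIR = {
    "ping.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}
# Lower-cased path fragments that identify temporary storage.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
# First Windows path in an entry, up to and including its file extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|tmp|lnk|bat)\b", re.IGNORECASE)
# Label of an O4 entry, e.g. the "[csrss]" in "O4 - HKLM\..\Run: [csrss] ...".
LABEL_RE = re.compile(r"\[([^\]]+)\]")


def triage_entry(line: str) -> List[str]:
    """Return short reason codes for one log line (empty list = nothing odd)."""
    reasons: List[str] = []
    match = PATH_RE.search(line)
    if match is None:
        return reasons
    directory, filename = ntpath.split(match.group(0).lower())
    # Trailing backslash so "...\local settings\temp" matches "\temp\".
    if any(marker in directory + "\\" for marker in TEMP_MARKERS):
        reasons.append("temp-folder")
    if filename in EXPECTED_DIR and directory != EXPECTED_DIR[filename]:
        reasons.append("wrong-directory")
    label = LABEL_RE.search(line)
    if label is not None:
        mimic = label.group(1).lower() + ".exe"
        if mimic in EXPECTED_DIR and filename != mimic:
            reasons.append("label-mimics-system-process")
    if "(file missing)" in line.lower():
        reasons.append("file-missing")
    return reasons


def triage_log(lines) -> Dict[str, List[str]]:
    """Map each flagged line to its reason codes; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        reasons = triage_entry(line)
        if reasons:
            flagged[line] = reasons
    return flagged


SAMPLE_LOG = [
    # Quoted from the posts above:
    r"C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\4HXAYPYJ\HijackThis[1].exe",
    r"O4 - HKLM\..\Run: [csrss] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp (file missing)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    # Constructed for this example, modelled on the bogus CROSOF~1 folder:
    r"O4 - HKLM\..\Run: [ping] C:\WINDOWS\system32\CROSOF~1\ping.exe",
]

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(", ".join(why), "<-", entry)
```

The NvCplDaemon line is the control case: a legitimate driver entry in System32 produces no reason codes, while the other four lines each trigger exactly the check the posts describe.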

DMR 152 Wombat At Large Team Colleague

The free Process Explorer utility is a much more powerful "task manager" than the Windows built-in utility; it may help you shed more light on the subject.

DMR 152 Wombat At Large Team Colleague

1. I see no signs of any terribly malicious programs in your log, although I'd highly suggest opening your Add/Remove Programs control panel and uninstalling the MyWay/MyWebSearch programs. At the very least, they slow down your browsing and your computer in general; at the very worst, they are adware.

2. You have both PeoplePC and AOL connectivity components installed and running. Do you currently use both services?

3. Is it only the one site that you're having problems reaching/viewing?

DMR 152 Wombat At Large Team Colleague

Post your HijackThis log here; not only will it give us an indication of whether or not infections are present, but it may also show us where the nvmctray.dll and nvcpl.dll errors are coming from.

1. Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

2. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".

3. Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

DMR 152 Wombat At Large Team Colleague

Deleted R0-R1 : Personal Info
Deleted O13-O19 : Personal Info

We absolutely understand the need for privacy, but every single one of those categories can illuminate a malicious infection. We cannot, in all honesty, assess your system correctly unless we have the full log.

DMR 152 Wombat At Large Team Colleague

Congratulations- you are the proud father of a healthy, active Smitfraud infection! :mrgreen:


Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

* Please download Ewido Anti-Malware; it is a free version of the program.

  1. Install Ewido Anti-Malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch Ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  6. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

Close Ewido for now.
==============

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Close the program for now.
==================

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon …
DMR 152 Wombat At Large Team Colleague

For some reason, many of the infected files appear to be refusing to be deleted. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download these two utilities and save them to a convenient folder:

ATF-Cleaner
Killbox


* Run HijackThis again, put a check next to the following entry, and then click the "Fix Checked" button. Close HJT after the fix completes:
O20 - AppInit_DLLs: scanregw.dll

* Reboot the computer into Safe Mode again; you get to the safe mode boot option by hitting the F8 key as your computer is starting up. (this is an important step!)
Once in Safe Mode:

* Open ATF-Cleaner.
- In the main window, put a check mark in the "Select All" box and then click the "Empty Selected" button.
- Click "OK" when you get the "Done" dialog and then click the "Exit" button in the program's main window.


* Open Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\System32\scanregw.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.
- Click on the button with the red circle with the X in the middle and then click …

DMR 152 Wombat At Large Team Colleague

Yeah, it turned out that a Zoom router modem was needed. It's all fine now. Thanks a lot.

I'll bet it was more that Zoom devices are what your ISP supplies, so those are the only devices their tech support folks will deal with. :mrgreen:

Glad you found a solution though...

-

DMR 152 Wombat At Large Team Colleague

No Nasties evident, but put a check in the box to the left of the following "loose end" and then click "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


-

DMR 152 Wombat At Large Team Colleague

1. Open your Add/Remove Programs control panel and uninstall all programs related to "My Way", "My Search", "My WebSearch", "MyWay Search Bar", "My Bar".

2. You have a SpywareQuake infection, which requires a specific removal procedure. The most up-to-date version of the procedure is posted here; please follow the instructions in the "Automated Removal" section of the link fully and carefully.

Once you've completed the SpywareQuake removal steps, post a new HijackThis log here, along with contents of the C:\Program Files\RoguesScanFix\task.txt file (which will be created during the removal process). We will work on removing any possible "loose ends" at that point.


-

DMR 152 Wombat At Large Team Colleague

Thanks a lot mate, but I reinstalled windows a few days ago :S

I just have one question though, when I reinstalled windows, every time I rebooted it changed back my res. to 800 x 600 or something and I'd have to reset it to 1280 x 1024. The problem's gone now but I'd just like to know what was wrong.

It sounds like there was a (seemingly temporary) problem related to either your video card driver or your Display preferences, although you shouldn't quote me on that. The fact that Windows seems to have sorted it out "automagically" is a bit rare.

DMR 152 Wombat At Large Team Colleague

the startup I couldn't find in the hijackthis program.

That's OK- if you deleted the "csrss" shortcut file in your Start menu before you ran HijackThis, HJT won't list the
"O4 - Startup: csrss.lnk = ?", because you had already deleted it.

1. Your HijackThis logs aren't showing as many signs of the infection as I would expect, although that could be due to the fact that the infection tries to hide itself by making modifications to your Registry.
Let's see if a few of the antivirus/antispyware programs can turn up the hidden pieces:

* Visit at least two of the following sites for an online virus scan (if the scanners find any malicious items, note their names and include that information in your next post):

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan

DMR 152 Wombat At Large Team Colleague

* 3 actual files; the others are local shortcuts and web shortcuts.

* I really need to log off and get some sleep right now. Please do the following, and I'll come back to this tomorrow:

1. Delete the C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss file

2. Run HijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:
O4 - HKLM\..\Run: [csrss] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: csrss.lnk = ?

3. Empty your Recycle Bin and reboot.

4. Run HijackThis again and post the new log.


-

DMR 152 Wombat At Large Team Colleague

Have you tried installing Spybot and running it on your system? Don't forget to update it first.

Psst!
From the HJT log:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
:mrgreen:


djnate,

Your log indicates a Smitfraud/SpyAxe infection; please do the following:

* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check next to the following:

O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\System32\hp100.tmp

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Reboot back into Windows normal mode.

Post a new HijackThis Log and the contents of smitfiles.txt, which is present on your Homedrive (C:\ in most cases), in your next reply.

DMR 152 Wombat At Large Team Colleague

* What is the exact model/chipset of the NIC?
* What driver module are you using?
* Your rig's description says that you are running Fedora on that box as well; what stats/info does Fedora tell you about the NIC and driver?

Log in as root and open a terminal window.
* Use one of the following commands to verify that your card is at least basically identifying itself to the system:
lspci -vv |less
less /proc/pci
cat /proc/pci

In the resulting output, look for the "Ethernet Controller" entry. It should contain information about your model of card and/or its chipset, as well as IRQ, I/O port, and memory address values.

* Run the ifconfig command; information concerning your NIC should appear in the resulting output. You should also see stats for the loopback (lo) device 127.0.0.1. If you've already tried to enter your IP info (inet addr, Bcast, Mask) through a GUI network configuration utility, verify that those values are correctly reflected in ifconfig's output. Also check for RX/TX errors and collisions. If eth0 is not listed when you run ifconfig, try "ifconfig -a"; the "-a" option forces ifconfig to report all network interfaces, active or not. If eth0 appears only when you run ifconfig with the -a option, it is definitely not correctly configured.

* Verify that the correct module is being loaded for your ethernet card by issuing the "lsmod" command; you should see the module name …
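The post above lists the things to look for in `ifconfig -a` output: an interface that is missing altogether (driver module not loaded), one that appears only with `-a` (not brought up), one with no inet addr, RX/TX errors and collisions, and a sane loopback device. The following is an added example, not from the post or from net-tools, that parses output in the old net-tools format the post refers to and reports those conditions; the sample output is constructed for the example, and the list of expected interface names is the caller's assumption.

```python
"""Checks on `ifconfig -a` output for a NIC that will not come up.

Added example (not net-tools code).  Problem codes reported per interface:
  missing        not listed even with -a: check lsmod / lspci for the driver
  not-up         listed only with -a, i.e. never brought up
  no-inet-addr   up, but the configured IP did not take
  rx-errors / tx-errors / collisions   link-level trouble
  loopback-bad   lo absent, down, or not 127.0.0.1
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Iface:
    name: str
    up: bool = False
    inet: Optional[str] = None
    rx_errors: int = 0
    tx_errors: int = 0
    collisions: int = 0


def parse_ifconfig(text: str) -> Dict[str, Iface]:
    """Parse net-tools style `ifconfig -a` output into per-interface records."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new interface block
            cur = Iface(line.split()[0])
            ifaces[cur.name] = cur
        if cur is None:
            continue
        if re.search(r"\bUP\b", line):
            cur.up = True
        if m := re.search(r"inet addr:(\S+)", line):
            cur.inet = m.group(1)
        if m := re.search(r"RX packets:\d+ errors:(\d+)", line):
            cur.rx_errors = int(m.group(1))
        if m := re.search(r"TX packets:\d+ errors:(\d+)", line):
            cur.tx_errors = int(m.group(1))
        if m := re.search(r"collisions:(\d+)", line):
            cur.collisions = int(m.group(1))
    return ifaces


def diagnose(ifaces: Dict[str, Iface], expected: List[str]) -> List[Tuple[str, str]]:
    """Return (interface, problem) pairs in the order the post checks them."""
    issues: List[Tuple[str, str]] = []
    for name in expected:
        iface = ifaces.get(name)
        if iface is None:
            issues.append((name, "missing"))
            continue
        if not iface.up:
            issues.append((name, "not-up"))
            continue
        if iface.inet is None:
            issues.append((name, "no-inet-addr"))
        if iface.rx_errors:
            issues.append((name, "rx-errors"))
        if iface.tx_errors:
            issues.append((name, "tx-errors"))
        if iface.collisions:
            issues.append((name, "collisions"))
    lo = ifaces.get("lo")
    if lo is None or not lo.up or lo.inet != "127.0.0.1":
        issues.append(("lo", "loopback-bad"))
    return issues


# Constructed sample: eth0 is up but shows TX errors and collisions, eth1 was
# never brought up (it would only appear with -a), and lo is healthy.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:900 errors:3 dropped:0 overruns:0 carrier:0
          collisions:12 txqueuelen:1000

eth1      Link encap:Ethernet  HWaddr 00:aa:bb:cc:dd:ee
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

if __name__ == "__main__":
    for name, problem in diagnose(parse_ifconfig(SAMPLE_IFCONFIG), ["eth0", "eth1", "eth2"]):
        print(f"{name}: {problem}")
```

Asking about eth2, which is not in the output at all, shows the "missing" case the post ties to the driver module: that is the point at which to move on to `lsmod` and `lspci -vv`.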

DMR 152 Wombat At Large Team Colleague

So does this file exist or not?
C:\Documents and settings\owner\core\ppinfo.dat

If it does, reboot to safe mode by tapping F8 during start up and delete it.
That should solve the problem.

That probably won't do it. The ppinfo.dat is being called by another component of the program, so it's that component (and its startup entry) which needs to be located and removed.


racecar22,

We may be able to spot the culprit in a HijackThis log; please do the following:

Download the (free) HijackThis utility. Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

DMR 152 Wombat At Large Team Colleague

Hi ajinkya0124, welcome to DaniWeb :)

To begin with, please do the following:

Download the (free) HijackThis utility. Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Whoof! Things seem pretty jacked up there. :(

1. You do have a couple of infections
2. Your Norton reinstallation seems to have gone awry: you've got critical pieces of it running from within your \Local Settings\Temp folder, which is just Not Right.
3. Some of the symptoms you describe definitely sound like non-malicious conflicts, but you've made so many changes to the system that I really don't know where to suggest that you start.

Can you download/run files without issue? If so, please do as much of the following as the state of your machine allows:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Use Norton's Live Update feature to make sure you have the most current antivirus updates installed.

* Download the following utilities:

Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
ATF-Cleaner - http://www.atribune.org/content/view/25/2/
ewido Anti-malware (14-day trial version) - http://www.ewido.net/en/download/
CWShredder - http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

* Install Windows Defender according to the (yes, somewhat sparse) directions on the download site. Don't run a scan with it yet, just close it once the installation and updates are complete.

Install and Configure ewido:

  • Close all other Applications and then run the ewido installer
  • Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
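
One quick way to confirm the second point above (security software, or anything else, executing out of a Temp folder) is to list every running process whose image lives under a temporary directory. This is an added example and is not code from the thread or from any of the tools it recommends; it assumes the XP-era profile layout (\Local Settings\Temp) plus the usual %TEMP% and C:\Windows\Temp locations, and should be run from an administrator PowerShell so that process paths are readable.

```powershell
# Added example (not from the original thread): list running processes whose
# executable lives under a Temp folder. Legitimate software almost never runs
# from Temp for long; antivirus components doing so, as described above, are
# a sign of a botched install, and unknown binaries doing so are suspect.
# Assumptions: XP/2003 "\Local Settings\Temp", Vista+ "\AppData\Local\Temp",
# the system Temp folder and the IE cache. Run as an administrator.

$tempPatterns = @(
    '*\Local Settings\Temp\*',        # XP/2003 per-user temp
    '*\AppData\Local\Temp\*',         # Vista and later per-user temp
    '*\Windows\Temp\*',               # system-wide temp
    '*\Temporary Internet Files\*'    # IE cache (browser drive-by drop zone)
)

Get-Process | ForEach-Object {
    $p = $_
    $path = $null
    # MainModule throws for protected/system processes; skip those quietly.
    try { $path = $p.MainModule.FileName } catch { }
    if (-not $path) { return }          # 'return' ends this iteration only

    foreach ($pattern in $tempPatterns) {
        if ($path -like $pattern) {
            [pscustomobject]@{
                Pid     = $p.Id
                Name    = $p.ProcessName
                Path    = $path
                Started = $p.StartTime
            }
            break
        }
    }
} | Format-Table -AutoSize
```

Anything this prints is worth reporting along with the HJT log: note the full path, and for a security product compare it against the install directory the vendor documents (Norton's should be under Program Files, not a user's Temp folder).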
DMR 152 Wombat At Large Team Colleague

Hi- sorry for the delayed response.

I don't see any obvious nasties in your log, but the log's header info indicates that you are using a fairly outdated version (1.99.0) of HijackThis. Please download the latest version (1.99.1) and post the log generated by a scan with that version.

DMR 152 Wombat At Large Team Colleague

Hi carminae7,

Thanks for starting your own thread on this and submitting the HJT log; the log does show a couple of signs of the "Chod" MSN worm.

The worm uses random file and folder names, so I'd like to see if we can find out exactly where it lives before we start the removal process. Please do the following:

1:
* Click on your "Start" button and navigate to the Programs->Startup->csrss file.
* Right-click on the csrss.lnk file and then click the Properties option in the resulting drop-down menu.
* In the Properties window that opens, click on the "Shortcut" tab.
* Give us the full and exact path listed in the "Target:" box.

2:
* Double-click on your My Computer icon to open Windows Explorer. In the Folder Options->View settings under Explorer's Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
* Click on the "Search" button.
* In the "All or part of the file name" box, type csrss
* In the "Look in" drop-down menu, select your "C:" drive.
* Click on "More Advanced Options".
* In the "Type of file" menu, select "All files and folders".
* Put checkmarks in the Search System, Hidden, and Subfolders options.
* Click the Search button; wait for the search to finish.
* Post the full names of the files found, …
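
The two manual steps above (read the Startup shortcut's real target, then find every csrss* file on the drive) can be done in one pass with the script below. It is an added example, not code from the thread, and it assumes the shortcut is named csrss.lnk in either the current user's or the All Users Startup folder, and that the only legitimate csrss.exe lives in \Windows\System32. Run it as an administrator so hidden and system locations are searchable.

```powershell
# Added example (not from the original thread): resolve Startup-folder
# "csrss" shortcuts and search the system drive for anything named csrss*.
# Assumptions: shortcut name csrss*.lnk; the genuine csrss.exe is only in
# %SystemRoot%\System32. Run as an administrator.

$shell = New-Object -ComObject WScript.Shell

# 1. Startup shortcuts: print the real target of every csrss*.lnk, which is
#    what the "Target:" box in the shortcut's Properties dialog shows.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter 'csrss*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            "Shortcut : $($_.FullName)"
            "  Target : $($lnk.TargetPath) $($lnk.Arguments)"
        }
}

# 2. Every file or folder named csrss* on the system drive. The one expected
#    location is labelled so that copies elsewhere stand out.
$sysDrive   = $env:SystemDrive + '\'
$legitimate = Join-Path $env:SystemRoot 'System32\csrss.exe'

Get-ChildItem -Path $sysDrive -Filter 'csrss*' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $status = if ($_.FullName -ieq $legitimate) { 'expected' } else { 'SUSPECT' }
        [pscustomobject]@{
            Status   = $status
            Path     = $_.FullName
            Size     = if ($_.PSIsContainer) { '<dir>' } else { $_.Length }
            Modified = $_.LastWriteTime
        }
    } | Sort-Object Status, Path | Format-Table -AutoSize
```

Expect a few "SUSPECT" rows that are actually harmless: Windows keeps backup copies of csrss.exe in places such as system32\dllcache, ServicePackFiles, $NtServicePackUninstall$ or WinSxS. What matters is a csrss* file or folder under Documents and Settings, Program Files, a Temp folder or the root of the drive, and a Startup shortcut whose Target points anywhere other than System32; those are the paths to post.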

DMR 152 Wombat At Large Team Colleague

Hi carminae7,

Even if you do have an infection, yours may not be the same infection that Screwy is talking about, and may therefore need an entirely different remedy.
Please follow the suggestion I gave in my last post. Once you do that, we'll be able to tell you if you have an infection, and if so, how to remove it.

Additionally, our forum rules advise against members tagging their questions/problems on to a thread started by another member, so you really do need to present your problem in a thread of your own.

Thanks.

DMR 152 Wombat At Large Team Colleague

Oh yeah- you've got Nasties, and they're even using the "Microsoft" name in their infections. Very tricky.

Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Use Norton's Live Update feature to make sure you have the most current antivirus updates installed.

* Download the following utilities:

Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
CCleaner - www.ccleaner.com
ewido Anti-malware (14-day trial version) - http://www.ewido.net/en/download/

* Install Windows Defender according to the (yes, somewhat sparse) directions on the download site. Don't run a scan with it yet, just close it once the installation and updates are complete.

Install and Configure CCleaner:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. …

DMR 152 Wombat At Large Team Colleague

Thanks for understanding- any progress on the problem?

DMR 152 Wombat At Large Team Colleague

There are still signs of components of the PurityScan software in your new log; please follow the directions for using the PurityScan uninstaller.
Once you've done the above, run HijackThis and ewido again and post the contents of the new log files.

-

DMR 152 Wombat At Large Team Colleague

Hi carminae7, welcome to DaniWeb :)

If you do want to pursue the possibility of a virus infection (and I think that's wise), please do the following:

Download the (free) HijackThis utility. Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log".

Start a new thread of your own in our Viruses, Spyware, and other Nasties forum (we do not work on virus issues in this particular forum). Open the HJT log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file into the new thread you created.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Thanks- HijackThis needs to see all programs/processes running in order for it to fully report on them. The new log indicates that you do indeed have a Smitfraud infection, and that you may have a Qoologic infection as well.

Let's go after Smitfraud first- please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Now …

DMR 152 Wombat At Large Team Colleague

Ok- let's dig a little deeper:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download CCleaner and save it to your desktop or another convenient location.
* Download FixWareout and save it to your desktop or another convenient location.

* Install and configure CCleaner:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these …
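
The "show all hidden files" Folder Options steps (given here and again in the earlier CCleaner post) are just four per-user registry values under Explorer's Advanced key. The script below sets them directly and then reads them back, which is useful when Explorer is already misbehaving or when the same change has to be made on several profiles. It is an added example and not code from the thread or from CCleaner; it assumes the standard HKCU ...\Explorer\Advanced key, and the "WebViewBarricade" value is the Windows XP-only switch for "Display the contents of system folders", which later versions of Windows simply ignore.

```powershell
# Added example (not from the original thread): set the Explorer
# "Folder Options -> View" switches that the numbered steps above set by
# hand, then read them back to confirm the change took.
# Assumption: the per-user Explorer\Advanced key; Explorer must be restarted
# (or the user logged off and on) before new windows reflect the values.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name          Meaning of the value we want
$wanted = @{
    'Hidden'          = 1   # "Show hidden files and folders"  (2 = do not show)
    'HideFileExt'     = 0   # uncheck "Hide extensions for known file types"
    'ShowSuperHidden' = 1   # uncheck "Hide protected operating system files"
    'WebViewBarricade'= 1   # "Display the contents of system folders" (XP only)
}

foreach ($name in $wanted.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord
}

# Verify: print each value and whether it matches what was requested.
$current = Get-ItemProperty -Path $key
foreach ($name in $wanted.Keys) {
    $actual = $current.$name
    $state  = if ($actual -eq $wanted[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-16} = {1}  [{2}]' -f $name, $actual, $state
}

# Explorer caches these settings at startup; restart it so they take effect.
# (On XP the shell does not come back by itself, hence the explicit start.)
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

A "MISMATCH" after the write usually means a policy in HKLM or HKCU\...\Policies\Explorer is overriding the user setting, which on an infected machine is itself worth noting: several spyware families reset "Hidden" back to 2 to keep their files out of sight, so it pays to re-run the verification loop after each cleanup pass.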