DMR 152 Wombat At Large Team Colleague

I tried a Linux boot CD and all the files were greyed out and inaccessible.

The fact that you could see the files under Linux says something. Is it possible that you just didn't mount the drive with the proper access permissions?

DMR 152 Wombat At Large Team Colleague

Sorry for not responding sooner- this week has been very busy; I haven't been able to spend much time here.

1. Do you know why this proxy setting exists?:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81


2. Download the Pocket Killbox utility.


3. Run HijackThis again and have it fix the following entries; close HJT when the fix is complete:

O4 - HKLM\..\Run: [h3yb0y] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
O4 - HKLM\..\Run: [h3yb0y1] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini


4. Select/highlight the bold text below and press Ctrl+C to copy the text to the Windows clipboard:

C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini

5. Open the Killbox.
* Click on the File menu and choose "Paste from clipboard". The filenames above should then be pasted into the "Full path of file to delete" box.
* Select the "Delete on Reboot" option.
* Click on the icon with the red circle and white X, and choose Yes when prompted to reboot.


6. Once the system has rebooted, run another HJT scan and post the new log.
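The entries quoted in the post above (a ProxyServer pointed at 127.0.0.1, Run keys launching executables named after core Windows processes out of the DRIVERS\etc folder, and, later in this thread, one DLL registered both as a BHO and as a Winlogon Notify handler) are the kind of thing a reader triages by eye. Below is an added example, not part of the original post, of doing that triage mechanically: a small parser for the "O4 - ...", "R1 - ...", "O2 - ..." and "O20 - ..." HijackThis line formats plus a few heuristic rules. The sample log is constructed for the example (it mirrors the thread's entries and adds a benign ctfmon.exe line as a control), and the rule names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample HijackThis log (not a real machine's log). The lines mirror the
# kinds of entries quoted in this thread: a proxy pointed at the loopback address,
# Run keys launching executables out of DRIVERS\etc under system-process names, and a
# DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20). The
# ctfmon.exe line is a benign control that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O4 - HKLM\..\Run: [h3yb0y] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ljhij.dll
O20 - Winlogon Notify: ljhij - C:\WINDOWS\system32\ljhij.dll
"""

# Core Windows process names that malware borrows; on XP the genuine binaries live
# only in %SystemRoot%\system32.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                        "svchost.exe", "winlogon.exe"}

PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")        # drive-letter paths (no embedded spaces)
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")    # "O4 - ..." / "R1 - ..."


def extract_paths(text: str) -> List[str]:
    """Return every drive-letter path in an HJT line, lower-cased for comparison."""
    return [p.lower() for p in PATH_RE.findall(text)]


def triage(log: str) -> List[Tuple[str, str]]:
    """Scan an HJT log and return (rule, offending line) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    bho_dlls = set()
    notify_lines = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if kind == "R1" and "ProxyServer" in body:
            # A proxy on 127.0.0.1 means a local process is interposing on all browsing.
            value = body.split("=", 1)[1].strip().lower()
            if value.startswith(("127.", "localhost")):
                findings.append(("loopback-proxy", line))
        elif kind == "O4":
            hits = set()
            for path in extract_paths(body):
                folder, _, name = path.rpartition("\\")
                # DRIVERS\etc holds text files (hosts, services, ...), never executables.
                if folder.endswith("\\drivers\\etc"):
                    hits.add("exe-in-drivers-etc")
                if name in SYSTEM_PROCESS_NAMES and not folder.endswith("\\system32"):
                    hits.add("system-name-outside-system32")
            findings.extend((h, line) for h in sorted(hits))
        elif kind == "O2":
            bho_dlls.update(extract_paths(body))
        elif kind == "O20":
            notify_lines.append((line, extract_paths(body)))
    # The same DLL loaded by the browser (BHO) and by winlogon (Notify) is the
    # persistence pairing seen with the ljhij.dll entries later in this thread.
    for line, paths in notify_lines:
        if any(p in bho_dlls for p in paths):
            findings.append(("bho-and-winlogon-notify-share-dll", line))
    return findings


if __name__ == "__main__":
    for rule, hit in triage(SAMPLE_LOG):
        print(f"{rule:38} {hit}")
```

The rules are deliberately narrow: they flag only things that are wrong by construction (an executable in a configuration-file folder, a system-process name outside system32, a browser proxy on the loopback interface), so a clean log produces no findings. Paths containing spaces are not matched by the path pattern and would need quoting in the log to be picked up.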

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in well over 1 year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hi mdippa,

First of all- welcome to DaniWeb :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Malicious programs often add their own entries to the Registry or alter existing entries in order to modify the behaviour of your system to their benefit. There are a number of effects that can be achieved by these modifications; a few of the more common are:
* Denying access to system utilities such as msconfig, Task Manager, and the Registry Editor.
* Disabling/crippling anti-virus and anti-spyware programs.
* Ensuring that malicious components are auto-started when Windows boots.
* Hiding malicious files/folders from view in Explorer or Task Manager.
* Lowering or disabling Windows security settings.
* Controlling network communications.

Custom/targeted .reg files can be constructed to undo the Registry modifications made by a given infection. In the particular .reg file I posted, the entries in the file:

#1: Re-enable the Windows Firewall.
#2: Re-enable DCOM (Distributed Component Object Model), which handles inter-process communication across networks.
#3: Re-enable Windows' Automatic Update feature.
#4: Restore the default access rights for anonymous logins.
#5: Delete an entry which runs the malicious "winPE.exe" program at Windows start-up.

DMR 152 Wombat At Large Team Colleague

Unfortunately, it can sometimes take the antivirus companies a bit of time to analyze a new virus and release a fix for it. Until that happens, manually removing the viral components (as you did) is the only option.

Your log looks pretty clean now; there are only a few things to clean up:

1. Open your Add/Remove Programs control panel and uninstall the Need2Search/MWSearch software if you find it in the list of installed programs.


2. The "O1 - Hosts: 127.4.7.4" log entries are malicious hosts file URL redirects; they prevent your browser from reaching the anti-virus & anti-spyware websites listed in the entries:

a) Open your C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file with Windows Notepad (the file is a plain-text file) and delete all of the lines beginning with "127.4.7.4". Alternately, you can download the program Hoster which can restore your host file to its original state. To do that, run Hoster, click on the Restore Original Hosts button, and then exit Hoster.

b) The location of the valid Windows Hosts file on an XP system is in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\ folder, but malicious programs can install their own Hosts file elsewhere and direct Windows to that file instead of the valid Hosts file. Search your entire system for files named "Hosts" and delete any that are found in locations other than C:\WINDOWS\SYSTEM32\DRIVERS\ETC\.

c) Also check the Registry entry which specifies the location of the Hosts file and make sure …
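The post above describes the "127.4.7.4" hosts-file hijack: a block of security-vendor hostnames all pinned to one bogus address so that update and scan sites become unreachable. The following is an added example, not part of the original post, of auditing a hosts file for that pattern offline: it parses the file, flags any mapping of a security-vendor hostname, flags any non-blackhole address that has a cluster of names pinned to it, and produces a cleaned copy with only the flagged lines removed (comments and legitimate entries are kept verbatim). The sample hosts file and the vendor keyword list are constructed for the example; extend the list to whatever vendors you rely on. The registry DataBasePath check the post mentions is a separate step on the live machine and is not covered here.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file (not taken from any real machine). The 127.4.7.4 block
# mirrors the redirect entries discussed in this thread; the 0.0.0.0 line is the kind of
# ad-blocking entry a hand-maintained hosts file legitimately contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp. (sample header, constructed)
127.0.0.1       localhost
127.4.7.4       www.symantec.com
127.4.7.4       securityresponse.symantec.com
127.4.7.4       housecall.trendmicro.com
127.4.7.4       www.grisoft.com
0.0.0.0         ads.example.net     # ad-blocking style entry, left alone
"""

# Substrings of vendor/update hostnames that a hosts file has no business pinning.
VENDOR_KEYWORDS = ("symantec", "trendmicro", "mcafee", "sophos", "kaspersky",
                   "grisoft", "ewido", "bitdefender", "pandasoftware",
                   "microsoft", "windowsupdate")
# Addresses a hand-maintained hosts file legitimately uses for blocking.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
CLUSTER_THRESHOLD = 3


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each mapping line; comments skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address/hostname line; hosts files are hand-edited text
        entries.append((lineno, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Flag redirect entries and return a cleaned copy of the file."""
    entries = parse_hosts(text)
    # Count hostnames per non-blackhole address: many names pinned to one oddball
    # address (127.4.7.4 in this thread) is the redirect signature.
    clusters: Dict[str, int] = {}
    for _, addr, names in entries:
        if addr not in BLACKHOLE_ADDRS:
            clusters[addr] = clusters.get(addr, 0) + len(names)
    suspicious: List[Tuple[int, str, str, List[str]]] = []
    for lineno, addr, names in entries:
        for name in names:
            reasons = []
            if any(k in name for k in VENDOR_KEYWORDS):
                reasons.append("security-vendor-hostname")
            if clusters.get(addr, 0) >= CLUSTER_THRESHOLD:
                reasons.append("cluster-on-non-blackhole-address")
            if reasons:
                suspicious.append((lineno, addr, name, reasons))
    bad_lines = {s[0] for s in suspicious}
    cleaned = "\n".join(l for i, l in enumerate(text.splitlines(), start=1)
                        if i not in bad_lines) + "\n"
    return {"suspicious": suspicious, "clusters": clusters, "cleaned": cleaned}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for lineno, addr, name, reasons in report["suspicious"]:
        print(f"line {lineno}: {addr} -> {name}  [{', '.join(reasons)}]")
    print("--- cleaned ---")
    print(report["cleaned"], end="")
```

Writing the cleaned text back over C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS is left to the operator on purpose: review the flagged lines first, since a corporate hosts file may pin a vendor hostname deliberately.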

DMR 152 Wombat At Large Team Colleague

I used this tool from Atribune: http://www.atribune.org/ccount/click.php?id=4
and it seems to be gone...

Weird- that's a link to the same VundoFix program that you said hadn't worked before. Well, whatever happened this time, the program appears to have done the job- your log is clean now. :)

DMR 152 Wombat At Large Team Colleague

Ok, I see. Are there any other kinds of error or warning messages in the Event Viewer?

DMR 152 Wombat At Large Team Colleague

yes.

Great; then we'll call this one "Solved" :)

DMR 152 Wombat At Large Team Colleague

Cool; glad we could help :)

DMR 152 Wombat At Large Team Colleague

At the very least, you are infected with a variant of the W32/Rbot worm.
Judging from the following information in your HijackThis log's header, you are also running very outdated versions of XP and Internet Explorer:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Before doing anything else, download and install XP Service Pack 1a; the Service Pack fixes many bugs and security loopholes that allow malicious programs to install and run on your system.


1. I don't see any signs of an active antivirus program in your HijackThis log. If you do have an AV program installed, the worm may have disabled it; we'll attempt to fix that shortly. If you don't have an AV program installed, please download and install the free AVG antivirus utility now.


2. Open Windows Notepad, cut-n-paste the entire contents of the Quote box below into the new Notepad document, and then click the "Save As..." option under the "File" menu. In the Save As window, name the file RbotFix.reg and save it to your desktop:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"ms ownage"=-

3. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware -
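A .reg file merged into a live system should be read and understood before it is imported. As an added example (not part of the original post, and not a tool the poster used), here is a parser for the Regedit 5.00 export format that turns the RbotFix.reg text above into a key/value tree, decodes the dword, quoted-string, hex and "=-" (delete value) data forms, and reports what each line would do, including translating a service's Start dword into its start type. The REG_TEXT input is the file from the post, embedded verbatim; the start-type table is the standard Windows service Start value mapping.

```python
import re
from typing import Dict, Optional, Union

# The RbotFix.reg text from the post above, embedded as the parser's input.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"ms ownage"=-
'''

Value = Union[int, str, bytes, None]      # None means "delete this value" (the =- syntax)
RegTree = Dict[str, Dict[str, Value]]

HEADER = "Windows Registry Editor Version 5.00"
# Standard meaning of a service's Start dword.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# "name"=data, or @=data for a key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_data(data: str) -> Value:
    """Decode the data half of a .reg value line (dword, quoted string, hex, or delete)."""
    if data == "-":
        return None
    low = data.lower()
    if low.startswith("dword:"):
        return int(data[6:], 16)
    if low.startswith("hex:"):
        return bytes(int(b, 16) for b in data[4:].split(",") if b)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])    # un-escape \" and \\
    raise ValueError(f"unsupported data syntax: {data!r}")


def parse_reg(text: str) -> RegTree:
    """Parse a Regedit 5.00 export into {key: {value_name: data}}; repeated keys merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip().lstrip("\ufeff") != HEADER:
        raise ValueError("not a Regedit 5.00 file")
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = m.group(1) if m.group(1) is not None else "@"
        tree[current][name] = decode_data(m.group(2))
    return tree


def service_start_type(tree: RegTree, service: str) -> Optional[str]:
    """Return the start type the file sets for a service, or None if the file leaves it alone."""
    suffix = ("\\services\\" + service).casefold()
    for key, values in tree.items():
        start = values.get("Start")
        if key.casefold().endswith(suffix) and isinstance(start, int):
            return START_TYPES.get(start, "unknown")
    return None


def describe(tree: RegTree):
    """Yield one human-readable line per value the file would change."""
    for key, values in tree.items():
        for name, data in values.items():
            action = "delete" if data is None else f"set to {data!r}"
            yield f"{key} : {name} -> {action}"


if __name__ == "__main__":
    parsed = parse_reg(REG_TEXT)
    for item in describe(parsed):
        print(item)
    print("wuauserv start type:", service_start_type(parsed, "wuauserv"))
```

Multi-line hex values (continued with a trailing backslash) and the hex(N) typed forms are not handled; the parser raises on anything it cannot decode rather than silently skipping it, which is the behaviour you want from a pre-import check.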

DMR 152 Wombat At Large Team Colleague

Your assessment of the worm is quite accurate; compare it to Sophos Anti-Virus' overview of the infection:

When first run W32/Brontok-I copies itself to:

<User>\Local Settings\Application Data\br6591on.exe
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Local Settings\Application Data\svchost.exe
<Windows>\KesenjanganSosial.exe
<Windows>\ShellNew\RakyatKelaparan.exe
<System>\cmd-brontok.exe

The following registry entries are created to run br6591on.exe and RakyatKelaparan.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus-2784
<User>\Local Settings\Application Data\br6591on.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\RakyatKelaparan.exe

The following registry entry is changed to run KesenjanganSosial.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\KesenjanganSosial.exe"

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

All of the files you listed, including those with names identical to valid Windows files (csrss.exe, lsass.exe, etc.), can and should be deleted, although I'm not sure how we can deal with this given how crippled the system is. How much can you accomplish in Safe Mode; do you have any more functionality in Safe Mode than you do when booted normally?

DMR 152 Wombat At Large Team Colleague

Not good; those errors could indicate a hardware problem with the drive or motherboard electronics; they could also indicate a problem with the motherboard's IDE driver. Here are some things to try:

* Reinstall/upgrade your motherboard's IDE controller driver software.
* Check the data and power cables. Make sure they are seated firmly, and that there is no physical damage (nick, cuts, etc.) to them. Try different cables if possible.
* Remove the drive and physically inspect the circuitry on the drive's controller card. Check for burned/cracked/discolored components. Use your nose- sniff around for that distinctive, telltale smell of overheated silicon.
* Install the drive as a slave drive and see if it still exhibits problems. Make sure to pay attention to Master/Slave/Cable Select jumper settings on the drives.

DMR 152 Wombat At Large Team Colleague

1.

The device, \Device\Harddisk0\D, has a bad block.

That error usually indicates a physically damaged spot on the hard drive. This is obviously not a Good Thing in itself, and it can also be an early warning sign of a failing drive. I'd suggest:

A) Running Windows' ScanDisk utility:
* Double-click My Computer
* Highlight a local hard disk drive by clicking on it once.
* Right click the highlighted local drive
* Click properties
* Click the tools tab and click check now to check the drive for errors.

B) Visiting the drive manufacturer's support site and downloading their hard drive diagnostic utility; it will probably do a more comprehensive job of testing/repairing your drive than ScanDisk.


2.

Faulting application explorer.exe, version 6.0.2900.2180, faulting module wininet.dll, version 6.0.2900.2180, fault address 0x00037d96.

There can be a number of different causes for this error. Read/try some of the pertinent fixes in these Microsoft support articles on the issue.

DMR 152 Wombat At Large Team Colleague

You're welcome. :)
Are you indicating that things are OK now, or do you still have suspicions about anything that's going on with the 'puter?

DMR 152 Wombat At Large Team Colleague

Your chances of having success with recovery software will depend on exactly how/why the drive died, or whether it was really the drive that died, or some other component.

Some of the usual things to do when diagnosing a "dead" drive are:

* Check to see if the drive feels/sounds like it is spinning up.
* Check the data and power cables. Make sure they are seated firmly, and that there is no physical damage (nick, cuts, etc.) to them. Try different cables if possible.
* Remove the drive and physically inspect the circuitry on the drive's controller card. Check for burned/cracked/discolored components. Use your nose- sniff around for that distinctive, telltale smell of overheated silicon.
* Install the drive as a slave drive and see if it still exhibits problems. Make sure to pay attention to Master/Slave/Cable Select jumper settings on the drives.

- If the drive doesn't seem to power up/spin up regardless of what you've tried, and/or if you've found possible damage on the drive controller circuit card, your only option might be to replace the controller. That can be done, but it should be done by a professional.

- If, when you installed the drive as a slave, the drive seems to spin up and you can access its contents, you're obviously in pretty good shape. Copy your data off of the drive on to another hard drive, a CD, or whatever ASAP.

- If the drive seems …

DMR 152 Wombat At Large Team Colleague

1. Unless you're in an area where there is a lot of interference in the wireless frequency spectrum, or your wireless signal has to pass through lots of physical obstacles like thick concrete walls, you shouldn't have much trouble with dropouts or signal reception. The best thing to do is to test the positioning of your wireless access device and then install it in the location where you achieve the strongest signal strength over the widest area of coverage. Locating the device up high and out in the open (read: don't stuff it under your office desk) will usually give you the best coverage. If you want a good program for (among other things) monitoring wireless signal strengths, try NetStumbler.

2. Most (if not all) consumer wireless devices have little if any security enabled by default, but you can certainly configure your wireless network so that it is secured against access by outsiders.

DMR 152 Wombat At Large Team Colleague

An nslookup of the exact IP yields:

Name: i3ED6C5A6.versanet.de
Address: 62.214.197.166

www.versanet.de redirects to Versatel, which is an ISP in the Netherlands. In other words, your computer appears to be trying to "phone home" to a computer on Versatel's Internet service.
I doubt this is what one would call a Good Thing.

* Have you run any virus/spyware utilities, and if so, what were the results?

* Download the HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents can tell us if any "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
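The nslookup result quoted above has a detail worth checking by hand: the first label of the reverse name, i3ED6C5A6, is the address 62.214.197.166 written as eight hex digits (3E=62, D6=214, C5=197, A6=166). ISPs commonly generate reverse names for customer address pools in exactly this way (hex or dash-separated decimal octets), which is a hint that the remote end is a pool address rather than a named server. Below is an added example, not part of the original post, that decodes such a name and confirms it is consistent with the address that was resolved. The dashed-decimal form is handled too, as a generalisation beyond the single name on the page; the example hostnames other than the versanet.de one are made up.

```python
import ipaddress
import re
from typing import Optional

# Two ways ISPs embed a customer's IPv4 address in its reverse-DNS name: eight hex
# digits (optionally prefixed by letters, as in i3ED6C5A6.versanet.de above) or four
# dash-separated decimal octets (e.g. 62-214-197-166.dyn.example.net, a made-up name).
HEX_LABEL_RE = re.compile(r"^[a-z]*([0-9a-f]{8})(?:$|[-])", re.IGNORECASE)
DASHED_LABEL_RE = re.compile(r"(?<![0-9])(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?![0-9])")


def ip_from_ptr_name(hostname: str) -> Optional[str]:
    """Recover the IPv4 address embedded in a PTR name's first label, or None."""
    first_label = hostname.rstrip(".").split(".")[0]
    m = HEX_LABEL_RE.match(first_label)
    if m:
        return str(ipaddress.IPv4Address(int(m.group(1), 16)))
    m = DASHED_LABEL_RE.search(first_label)
    if m:
        try:
            return str(ipaddress.IPv4Address(".".join(m.groups())))
        except ipaddress.AddressValueError:
            return None   # e.g. an octet above 255: not an address after all
    return None


def ptr_matches_address(hostname: str, address: str) -> bool:
    """True when the address embedded in the name equals the address that resolved to it."""
    decoded = ip_from_ptr_name(hostname)
    return decoded is not None and ipaddress.IPv4Address(decoded) == ipaddress.IPv4Address(address)


if __name__ == "__main__":
    name, addr = "i3ED6C5A6.versanet.de", "62.214.197.166"   # the pair quoted in the post
    print(name, "encodes", ip_from_ptr_name(name), "consistent:", ptr_matches_address(name, addr))
```

A mismatch between the embedded address and the resolved one does not prove anything malicious (ISPs renumber), but a match tells you the name carries no information beyond the address itself, so the next step is the owning network's whois/abuse contact rather than the hostname.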

DMR 152 Wombat At Large Team Colleague

I have put a selective startup and stopped lsass from running because a DOS popup was occurring on startup system32/cmd.exe.

That sounds suspicious; please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

SpyBot's "Tea Timer" protection feature may be interfering with the fix/file kill attempts.

1. Open Spybot and:
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box if it is checked.
- In the File menu click "Exit" to exit Spybot Search & Destroy.


2. Run HJT and have it fix the two ljhij.dll entries again.


3. Reboot the computer into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

- Run Cleanup! again.

- Try the Killbox deletion again.


4. Reboot Windows normally, run HijackThis again, and post the new log.

DMR 152 Wombat At Large Team Colleague

There's a good chance that you may have other infections in addition to the Sober worm. Please do the following so that we can get a "snapshot" of the state of your system:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Unfortunately, the two malicious entries in your first HJT log are still present in the new log you just posted. :(

Let's see if we can delete the malicious ljhij.dll file with a slightly more "brute-force" approach:

1. Download the Pocket Killbox utility and save it to your desktop or some other convenient folder. Don't run the program yet.

2. Close/quit all open programs (including your web browser), run hijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ljhij.dll
O20 - Winlogon Notify: ljhij - C:\WINDOWS\system32\ljhij.dll

Close HJT when it completes the fixes.


3. Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\system32\ljhij.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click Yes at the subsequent request to actually reboot.


4. Once the computer reboots, run HijackThis again and post the new log.

DMR 152 Wombat At Large Team Colleague

IT'S FIXED!!!! All of a sudden new updates came in from ewido...

Good to hear :)
Does everything seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

Sorry, but I have very little experience with NOD; I don't really have any suggestions as to what might be going on there.

DMR 152 Wombat At Large Team Colleague

Can you give us the full information displayed in the Blue Screen error please?

DMR 152 Wombat At Large Team Colleague

Please download the most current updates for ewido and Spy Sweeper and then reboot into Safe Mode and run scans with both programs. Have the programs fix all malicious items they find, reboot normally, and then post the logs that each program generated. Having those logs in addition to the HJT log will (hopefully) give us a better idea of where the hidden "nasties" are lurking.

DMR 152 Wombat At Large Team Colleague

... until I can get the disks back for Office from someone.

Yes; my first thought would be to run the Office repair utility, which may very well ask for the install CD.

Also, why does my NOD32 keep calling out when my computer is doing nothing?

Can you elaborate, please; I take it NOD isn't just doing something like checking for updates, right? What info do you have concerning the communications?

DMR 152 Wombat At Large Team Colleague

Open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a properties window with more details. If you see any entries whose details look like they might relate to the problem(s) you're having, post the full and complete contents of the details window(s) here. Here's the easiest way to post those details:

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.
- Paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

DMR 152 Wombat At Large Team Colleague

1. "sass.exe" is a component of a trojan infection, but I see no signs of that particular trojan (or any other "nasties", for that matter) in your log.

2. C:\WINDOWS\system32\Lsass.exe is a valid Windows program/process; is that possibly what you saw?

3. Do your antivirus/antispyware programs flag anything malicious/suspicious?

4. What is the name of the suspicious folder on the desktop? What are the names of the files inside the folder?

DMR 152 Wombat At Large Team Colleague

We're here when we can be; this is a volunteer gig, after all. :)

1. Odd log entry here:

Scan saved at AA 12EETING!! 8:06:14 AM, on 1/11/2006

I'd suggest discouraging your anti-spyware utilities from cross-breeding with your scheduling applications; it isn't usually recommended. ;)

2. I see nothing amiss in your log, although I doubt a HJT scan would show us anything helpful in regard to the problem you describe. Can you give us any details/background info concerning the Word weirdness?

DMR 152 Wombat At Large Team Colleague

The presence of the C:\winstall.exe file in your HJT log likely indicates an infection by "SpySheriff", a member of the smitfraud family of parasites. Removing the smitfraud infections (spysheriff, spyaxe, spyware fighter, etc.) requires following a specific procedure, which is outlined here. Please follow the procedure carefully and fully.

When you have completed the procedure, please run HijackThis again and post the new log. Also post the contents of the ewido and smitfiles logs that were generated during the removal process.

DMR 152 Wombat At Large Team Colleague

That HijackThis log looks like it is from a scan done in Safe Mode. If so, we'll need the log generated from a scan done while Windows is booted normally.

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 …

DMR 152 Wombat At Large Team Colleague

OK- I thought the TCP-related entries were legit; just wanted to make sure.

What exactly happens when you try to run .exes? We'll need to resolve that first, and I might have a fix, but I'll need some details on the problem first.

DMR 152 Wombat At Large Team Colleague

Removing the smitfraud family of infections (spysheriff, spyaxe, spyware fighter, etc.) requires following a specific procedure, which is outlined here. Please follow the procedure carefully and fully.

When you have completed the procedure, please run HijackThis again and post the new log. Also post the contents of the ewido and smitfiles logs that were generated during the removal process.

DMR 152 Wombat At Large Team Colleague

You have a few separate, distinct infections; please follow the malware removal instructions below carefully and fully:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Before continuing, open your Add/Remove Programs control panel and uninstall the WinHound and SideFind programs if you find them listed there.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" …

DMR 152 Wombat At Large Team Colleague

Looks good. Your HJT log is clean now, and ewido appears to have done its job as well.

Does everything seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

I see no signs of malicious infections or other problems in your HJT log. Can you please give us some details and background on the problem?

DMR 152 Wombat At Large Team Colleague

Although my first hunch would be to check for a legit program which might be scheduled to perform automatic updates at that time, there is one nasty infection evident in your HJT log. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning. It should look like this:
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk . Press enter to continue....
  • At this point press enter one time.
  • Next you will see:
    Please Type in the filepath as instructed by the forum staff and then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ljhij.dll
  • Press Enter to continue with the fix.
  • Next you will see:
    Please type …
DMR 152 Wombat At Large Team Colleague

1. Determining which services/processes/programs are being handled by each instance of svchost isn't the easiest thing to do, and it does take some knowledge of Windows internals to figure out exactly what's going on. Windows' Task Manager is pretty useless in this regard, but there is a freeware program called Process Explorer which displays process dependencies in a way that we mere mortals can somewhat understand.


2. As far as which startup processes can be safely disabled, you can get a fairly good idea of that yourself (I don't have time to go through your entire process list for you right now) by looking up the names of the .exe files at this site.

DMR 152 Wombat At Large Team Colleague

I thought I recognized that log... :mrgreen:

Please see the response I posted in your other thread; you've got infections that we should clear up before we do anything else. Let's work on all of this in that thread.

DMR 152 Wombat At Large Team Colleague

1. In IE's address bar, try entering Microsoft's IP address instead of "www.microsoft.com":

http://207.46.198.30

Let us know the result.


2. Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.

- At the DOS prompt, type the following commands, hit Enter after each, and tell us the results for each command (you should receive 4 positive responses followed by some summary info):

ping 207.46.198.30
ping www.microsoft.com


- Again at the DOS prompt, type the following command and hit Enter. You won't see any result from the command, but when it completes a second prompt with a flashing cursor will be displayed; close the DOS box once that happens:

ipconfig /all >ipconfig.txt

The above command will have created a text file on your desktop named ipconfig.txt; double-click on the file to open it in Notepad, and then cut-n-paste the file's contents in your next post.


3. There is a free utility called IEFix which you can download and run. I've had it fix more problems with IE than those that the download site says it fixes.

DMR 152 Wombat At Large Team Colleague

... IE gives me so much trouble, still, when it loads, it wants to go to a strange place: Lycos.

If you want to run HijackThis again and post the new log, that might tell us where some of the strange IE behaviour is coming from.

DMR 152 Wombat At Large Team Colleague

Not much seems to have changed in the new log. Almost all of the original malicious entries are still present, and as a matter of fact, one new piece of adware has been installed as well.

Please follow these instructions fully and completely:

1. Open your Add/Remove Programs control panel and uninstall WeatherCast and any programs you find that are related to "WhenU".


2. Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan


3. Update ewido, MS Antispyware, and Spyware Doctor. Don't run scans yet, though; just close the programs after doing the updates.


4. Open the Services utility in your Administrative Tools control panel.
* In the list of services, locate the service named Content List Management Sub System or clmss and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button.
* Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
* Repeat the above steps for the …
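The Services-console steps above, as an added script that is not from the forum post: it locates a service by short name or display name (the clmss / Content List Management Sub System names from the post are passed in as the parameter), records where its binary lives before anything is changed, then stops it and sets its startup type to Disabled. Assumes PowerShell 3 or later and an elevated prompt.

```powershell
# Added example: stop and disable one service, keeping a record of its binary path
# so the file can be dealt with in a later cleanup step.
function Disable-SuspectService {
    param([Parameter(Mandatory)][string]$NameOrDisplayName)

    # Win32_Service carries the fields the Services console shows plus the binary path.
    $svc = Get-CimInstance Win32_Service | Where-Object {
        $_.Name -eq $NameOrDisplayName -or $_.DisplayName -eq $NameOrDisplayName
    } | Select-Object -First 1
    if (-not $svc) { Write-Warning "No service named '$NameOrDisplayName'"; return $null }

    $before = [PSCustomObject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        PathName    = $svc.PathName     # keep this: it is the file to look at next
    }
    $before | Format-List

    # Equivalent of the Stop button, then "Disabled" in the Startup Type list and OK.
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction Stop }
    Set-Service -Name $svc.Name -StartupType Disabled

    # Re-read so the caller sees the post-change state, not the cached object.
    Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'" |
        Select-Object Name, State, StartMode, PathName
}

Disable-SuspectService -NameOrDisplayName 'clmss'
```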

DMR 152 Wombat At Large Team Colleague

You can:

A) Open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a properties window with more details. If you see any entries whose details look like they might relate to the problem, post the full and complete contents of the details window(s) here. Here's the easiest way to post those details:

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.
- Paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.


B) Run another set of scans with ewido and MS antispyware. Post the new log from ewido, as well as a new HJT log.
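As an added example (not from the forum post), the Event Viewer search in part A can be done in one go: pull the Critical, Error and Warning entries from the Application and System logs and write their full details to a text file that can be pasted into a reply. Assumes Windows Vista or later for Get-WinEvent; the -Hours and -MaxEvents parameters are chosen here.

```powershell
# Added example: collect recent Error/Warning events from Application and System.
function Get-RecentProblemEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 50
    )
    # Level 1 = Critical, 2 = Error, 3 = Warning in the Windows event log.
    $filter = @{
        LogName   = 'Application', 'System'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Level   = $_.LevelDisplayName
                Source  = $_.ProviderName
                EventId = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]   # first line only, for the table
                Full    = $_.Message                       # complete details, for the file
            }
        }
}

$events = Get-RecentProblemEvents -Hours 48
$events | Format-Table Time, Log, Level, Source, EventId, Summary -AutoSize

# Same content the "copy" button in the Properties window would put on the clipboard.
$events | ForEach-Object {
    "{0} {1} {2} {3} (Event ID {4})`r`n{5}`r`n" -f $_.Time, $_.Log, $_.Level, $_.Source, $_.EventId, $_.Full
} | Set-Content -Path "$env:USERPROFILE\Desktop\problem-events.txt"
```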

DMR 152 Wombat At Large Team Colleague

Aside from the two MyWay references below, your log is clean.

Run HijackThis again, put a check mark in the boxes to the left of the following entries, and then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

Once you've done the above you can set your home page to something other than the MyWay-sponsored Dell page.

I don't see any other evidence of MyWay components in your log; if you did try to uninstall MyWay from the Add/Remove Programs control panel, it appears that the uninstall worked for the most part. Sometimes the names of programs that have been successfully uninstalled get "stuck" in the control panel's list and need to be removed manually, and this might be the case with your MyWay entry. To remove the entry from the control panel, see this Microsoft support article.

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - …
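The R0/R1 lines HijackThis reports, both the MyWay Default_Page_URL entries a few posts up and the c:\secure32.html entries here, are plain registry values under the Internet Explorer Main key for the user and for the machine. As an added example (not from the forum posts, and not HijackThis's code), this reads those values directly and flags the classic hijack shapes: a start page that is a local file, or one that is not an http(s)/about:/res: URL. The stock Local Page value (blank.htm under System32) is treated as expected; that default is an assumption to adjust for the machine being checked.

```powershell
# Added example: audit the IE page settings HijackThis shows as R0/R1 lines.
function Get-IEPageSettings {
    $keys = @{
        HKCU = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
        HKLM = 'HKLM:\Software\Microsoft\Internet Explorer\Main'
    }
    $names = 'Start Page', 'Default_Page_URL', 'Local Page', 'Search Page'

    foreach ($hive in $keys.Keys) {
        $props = Get-ItemProperty -Path $keys[$hive] -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            $value = $props.$name
            if ($null -eq $value) { continue }

            $isLocalFile = $value -match '^(%SystemRoot%|[a-zA-Z]:\\)'
            $isStockBlank = $value -match '\\system32\\blank\.htm$'   # assumed default for Local Page
            # A local HTML file as the start/default page (c:\secure32.html in the log above),
            # or a non-web scheme, is what a hijack looks like in these values.
            $suspicious = ($isLocalFile -and -not $isStockBlank) -or
                          (-not $isLocalFile -and $value -notmatch '^(https?://|about:|res://)')

            [PSCustomObject]@{
                Hive       = $hive
                Name       = $name
                Value      = $value
                Suspicious = $suspicious
            }
        }
    }
}

Get-IEPageSettings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```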

DMR 152 Wombat At Large Team Colleague

The above said, you were next in line, sooo....

There are no obvious "nasties" indicated in your log, so the crash may not be infection-related. If you want to do some more in-depth cleaning just to be sure, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open AVG and use its online update feature to make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file …

DMR 152 Wombat At Large Team Colleague

Please don't "bump" your thread.

For one thing, we actually try to work on threads from oldest to newest, so bumping actually puts you further down the list. Also, we're very short on troubleshooters right now, but pretty long on members who need help; so please try to bear with us on that.

DMR 152 Wombat At Large Team Colleague

Is the computer a Dell? Dell has been shipping their systems with the MyWay Search crud for a while. We can remove it manually, but what exactly happens when you try to uninstall it via the A/R programs control panel?

By the way- your HijackThis log was not included ;) Post one for us and we'll give it a review.