DMR 152 Wombat At Large Team Colleague

What did the last hijack scan report?

The last HJT log you posted was totally clean. Do we still have issues to work on?

DMR 152 Wombat At Large Team Colleague

Very cool; glad we could help :)

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Can you tell us anything about the proxy server setting in this log entry:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=localhost:1080

and the DNS server IP addresses in this entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{77EDD71A-5EDF-42D4-8B14-95D1316B2A2C}: NameServer = 172.16.240.250,172.16.240.251


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Avast! and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackThis again, put a check mark next to the following entries, …

DMR 152 Wombat At Large Team Colleague

Looks good to me. Does everything seem to be back in order now?

DMR 152 Wombat At Large Team Colleague

A)

I can't find the SVCproc file in the system start up section.

The svcproc.exe file appears to already have been deleted, but according to your HJT log, the svcproc service is still present. It needs to be deleted; let's try again:

* Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

- Open HijackThis, and click on the Config... button in the lower right corner of the main window.
- In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button.
- Type SvcProc into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.


B) The second major infection identified in your log is a variant of the "Virtumonde" parasite. Here is the removal procedure:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Download VundoFix.exe to …

DMR 152 Wombat At Large Team Colleague

Glad you were able to get it sorted out :)

DMR 152 Wombat At Large Team Colleague

A) C:\WINDOWS\System32\ctfmon.exe is normally a valid component of the MS Office suite. There are infections which use a malicious file named ctfmon.exe, although the malicious versions of the file are usually placed in a directory other than C:\WINDOWS\System32.
You can check the validity of the C:\WINDOWS\System32\ctfmon.exe file by locating it in Windows Explorer, right-clicking on it, and choosing "Properties" from the resulting pop-up menu. In the Version tab of the properties window you should see information indicating that it is indeed the Microsoft file.

B) Open your Add/Remove Programs control panel and see if the Secure Shield program is listed there. If so (and if you did not knowingly install the program), uninstall it now.


C) To clean up the leftovers of "jake.scr" and other possible infections, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

DMR 152 Wombat At Large Team Colleague

1. NTVDM (NT Virtual DOS Machine) is a Windows component which provides a mechanism for running older 16-bit programs on newer (32-bit) versions of Windows. If you are not running such legacy programs, NTVDM shouldn't need to be running either.

2. It is normal to see multiple instances of certain Windows processes such as svchost and lsass running simultaneously. Those processes are responsible for managing categories of other Windows components such as network and security-related services. Because of that, you'll see one instance of the processes running for each group of services that it is managing. The underlying problem of svchost appearing overly memory-hungry is usually an issue with one of the processes/services which svchost is managing. Because svchost manages several sub-processes, the fix for the "memory hogging" depends on which actual process has run amok.


3. The ActiveSync process is for synchronizing certain handheld devices with your computer. If you're connecting such devices to your computer, you should leave it running, but if not, ActiveSync can be disabled.

4. BinaryMayhem is right about your log in general- there are no signs of anything malicious or abnormal. 50+ running processes is a bit on the high side, though; do you absolutely need to have programs such as Borland's InterBase server running?

DMR 152 Wombat At Large Team Colleague

As it stands now, your log is clean. However, items that have been disabled won't appear in the log, so please re-enable any startup items which were disabled in/with msconfig, run HijackThis again, and post a new log.

DMR 152 Wombat At Large Team Colleague

I need to know why this works and how and when to use it for the future. Is this as useful as msconfig? Or is this the magic tool like 'Restart' is for windows?

The fix isn't a general "magic tool", nor is it anything like msconfig; it addresses a known problem that occurs with certain Windows components related to cryptographic services (digital signing, secure logins, etc.). Basically, these components (the .dll files referenced in my post above) become disassociated or corrupted, usually as a result of system crashes or malicious infections. The "regsvr32" command is used to manually re-register/reassociate the components with the operating system.
As far as I know, Firefox uses its own mechanisms to handle secure logins and the like, which would account for your being able to access the secure sites when using that browser.

Thank you so much you smart man you!

Awww... :o Glad we could help.

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. What can you tell us about this program that shows up in your list of running processes: E:\browser.exe ?


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start …

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help :)

DMR 152 Wombat At Large Team Colleague

That's a clean log :)

Now that your system seems to be back in good order:

1. Flush out your old System Restore points and set a fresh new Restore Point. Explanation and instructions can be found here.

2. Have a read through these threads for further suggestions on protecting and disinfecting your system:

http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html

DMR 152 Wombat At Large Team Colleague

What exact errors do you encounter when trying to install Norton?

DMR 152 Wombat At Large Team Colleague

Regardless of how many detection utilities you have, you'll never be 100% protected due to the rate at which new malicious infections are created. However, with a few choice utilities and a bit of common sense, you can keep your system pretty infection-free. Most of the recommended utilities are free, but if you are thinking of paying for a third-party utility, I'd recommend the full versions of ewido and/or Spy Sweeper.

General antispyware utilities to have installed (and obviously kept up-to-date):

MS Antispyware
Ad Aware
SpyBot Search & Destroy
ewido (the auto-protect and auto-update features of the free trial version will expire, but the program will still scan and fix; it will just need to updated manually)
Spy Sweeper
Spyware Blaster & Spyware Guard

More suggestions and info can be found in these threads:
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html

DMR 152 Wombat At Large Team Colleague

The computer is only 2 or 3 years old, I don't think the cd-rom would be faulty.

Perhaps not, but until you test the possibility, you can't rule it out. Here are a few tests which could confirm or rule out a hardware problem:

- Change the ribbon (data) cable between the drive and the motherboard.
- If the motherboard has two IDE channels, connect the drive to the other channel. Pay attention to Master/Slave jumper settings when moving the drive.
- Install a known-to-be-working drive in place of the problematic one.
- Install the problematic drive in another computer.


Your HJT log shows no signs of "unwanted guests", and the utilities you've already run do a pretty good job of cleaning, so I've no reason so far to believe that malicious infections are the cause. However, if you want to dig a bit deeper into that possibility, here are a few other detection and removal tools you can try:

ewido - http://www.ewido.net/en/download/
Microsoft Antispyware - http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
Rootkit Revealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html

DMR 152 Wombat At Large Team Colleague

Post a new HijackThis log and we'll see if we can remove the infection(s) manually from there.

DMR 152 Wombat At Large Team Colleague

No worries- I'm not the Software Police or anything like that :mrgreen:
I just like to see a company that puts out a good product get paid for that product when/where applicable.

Were you able to use NOD or Avast! to remove the Brontok infection? I'd be curious to know if either of those utilities actually worked.

DMR 152 Wombat At Large Team Colleague

All looks good to me. :)

Yes- you can re-enable System Restore and reset your Explorer settings now.

DMR 152 Wombat At Large Team Colleague

Good work; just a little cleanup to do :)

1. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)


2. Locate and delete the C:\WINDOWS\blank.mht file and empty your Recycle Bin.


3. Reboot, run HJT this one (hopefully) final time, and post the new log.

DMR 152 Wombat At Large Team Colleague

Glad we could help. :)
Don't hesitate to ask if you need help in the future.

DMR 152 Wombat At Large Team Colleague

I just installed ewido and have not even run it yet per your instruction when suddenly a window popped and said,

" infected object found...

Unfortunately, you can get infected within minutes if you do any Web surfing before all of your anti-spyware/anti-virus protections are in place. Judging from your log, that's what has happened in your case. Your new infection is different from the last one, so I've modified my previous instructions to target the current infection:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.


2. Download and install the CCleaner utility, but don't run it yet.


3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MsLX32" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

DMR 152 Wombat At Large Team Colleague

Good work; that's a clean log :)
How does everything seem to be running now?

DMR 152 Wombat At Large Team Colleague

How often you do routine anti-malware maintenance is really up to you, and the way you use your system; there's no set timeframe. If you or other users of the computer surf high-risk places such as porn and online gambling sites, "free" music and filesharing sites, etc., you'll get infected more quickly and should scan more often. If you're responsible about your online habits and use common sense, your system should remain clean for quite some time.

When kept up to date, the combination of MS Antispyware, SpyBot's TeaTimer function, and McAfee will do a good job for you. Other suggested measures of protection can be found in this thread.

DMR 152 Wombat At Large Team Colleague

If you've already uninstalled MessengerPlus 3, have hijackThis fix the following entry:

O20 - AppInit_DLLs: MsgPlusLoader.dll

Other than that, your log is clean :)

DMR 152 Wombat At Large Team Colleague

You can find links to a few free firewall programs in this post.
I don't really have a recommendation for a pop-up blocker, as Firefox's built-in blocker does a good enough job for me.

DMR 152 Wombat At Large Team Colleague

That's a clean log, T :)

DMR 152 Wombat At Large Team Colleague

Your log shows signs of a few different infections. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Use your Add/Remove Programs control panel to uninstall WeatherBug; it has spyware components.


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R0 - HKCU\Software\Microsoft\Internet …

DMR 152 Wombat At Large Team Colleague

You should do the other steps as well, because I see at least one component of a separate infection (not Smitfraud/SpyAxe/Spy Sheriff) in your log, and there are probably other malicious entities that HijackThis isn't reporting. Running ewido and Ad Aware will help clean out those "loose ends".

Run those utilities, and then do another scan with HijackThis. Post the new HJT log and the log that ewido generates so that we can be sure your system is entirely clean.

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Spy Sweeper. Click on "Options" and then click on "Update Definitions" under the Program Options tab. Close the program once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local


4. Reboot into …

DMR 152 Wombat At Large Team Colleague

A) The "MessengerPlus! 3" has two installation options, one of which (the "sponsored" mode) will install adware/spyware. If you aren't sure whether or not you installed the program with the "sponsor" option, uninstall it. If you want to use the program, reinstall it after we clean your system, making sure not to use the sponsored installation mode.

B) Perform these general cleaning procedures:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and install this utility (but do not run a scan with it yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open your anti-virus program and use its update feature to make sure that …

DMR 152 Wombat At Large Team Colleague

You've got quite a handful of "unwanted guests" there. :(

Please follow these general disinfection procedures carefully and fully:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; …

DMR 152 Wombat At Large Team Colleague

Your log is clean. Secure login problems aren't usually the result of malicious infections, but there are more than a couple of possible causes.

Try this fix first:

Register the following system files
Click Start > Run
Type "regsvr32 softpub.dll" (w/o quotes)
Press OK
Repeat the above steps for the following:
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

Reboot the system after doing the above.

If that doesn't work, search our Windows forums for combinations of the following keywords to find other possible fixes:

hotmail login secure password "page cannot be displayed" MSN

DMR 152 Wombat At Large Team Colleague

You have a variant of the Smitfraud/SpySheriff/AntiVirusGold/SpyAxe/etc. family of infections, which requires a special procedure to remove:

You will want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as …

DMR 152 Wombat At Large Team Colleague

You are infected with a variant of the Brontok worm, which I don't think AVG can deal with yet.
Also, speaking of AVG: you mentioned "other staff's pc". The version of AVG that you are running (AVG Free) is only for personal use; you are violating AVG's terms of use by deploying the program in a business environment.

Sophos indicates that their AV products can deal with the worm; I've also read that the NOD and Avast! antivirus programs can do the same.

DMR 152 Wombat At Large Team Colleague

Hi cjfb_1,

Sorry we didn't get to this sooner; we've been pretty busy and a bit shorthanded here lately.

Your log is clean- there are no signs of infections or anything else amiss. If you can provide specific details of the DNS issues/errors, that would give us something to go on in terms of helping you pinpoint the cause.

DMR 152 Wombat At Large Team Colleague

Good work- you've cleaned out a fair number of "unwanted guests".
There are still infections present though, so:

First: C:\DOCUME~1\OWNER~1.UPP\LOCALS~1\Temp\Rar$EX00.438\HijackThis.ex

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
-------------------------------------------------------------------------------------
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Open the Services utility in your Administrative Tools control panel.

* In the list of services, locate the service named "NTBOOTMGR" and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.
* Once the service is stopped, choose Disabled in …

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. C:\DOCUME~1\default\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you have been running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. Once you've fixed the above problem, download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.


3. Run HijackThis and have it fix:

O4 - …

DMR 152 Wombat At Large Team Colleague

NTFS doesn't change the files, it just changes the way they are stored on the disk.

Exactly- NTFS is just a more (than FAT) efficient and secure filesystem format in which to store files on a drive; the type, function, and contents of files themselves are independent of the filesystem on which they are stored.

DMR 152 Wombat At Large Team Colleague

Still would like some feedback of just deleting the hard drive, re-installing with an XP Home disc, but instead of using product key of the disc use the OEM product key, would that work ?

In theory, yes- that should work. However, I can't give you a 100% guarantee on that; "real life" doesn't always subscribe to theory, and OEM setups can have their own peculiarities.

It sounds like you're overcomplicating/overthinking this a bit. If you have an XP Home disc, why are you worried about hanging on to the option of the OEM's factory restore? Conversely, why think about reformatting with an XP install CD if you have the factory restore option? If the system gets hosed badly enough that you have to use either option, you're looking at a reformat of the drive and a full reinstall of the OS and all of your applications. The FAT vs NTFS issue becomes pretty moot at that point.

If the Time company you refer to is the UK-based computer company, they are still in operation as far as I know. You can find customer support numbers on the following site; why not ask them directly?:
http://www.totalcaresupport.com/

DMR 152 Wombat At Large Team Colleague

A HijackThis log?

No, but close- I was after a log generated by the "smitrem" utility, an infection-specific removal tool :)

DMR 152 Wombat At Large Team Colleague

Smitrem seems to think it's doing its job, but I take it you still have the tray icon and the bogus warning bubble, yes?

DMR 152 Wombat At Large Team Colleague

Why should you try to fix the problem? You just got the computer from Best Buy, so you should return it to them. It's a warranty repair issue, and given that you're already having this problem, there could be other things wrong with the machine as well.

DMR 152 Wombat At Large Team Colleague

A) Can you post the exact details that SpyBot gives you on those registry locations?

B) Your HJT log does have a couple of "nasties" in it. Please do the following:

1. Download F-Secure's BlackLight into its own separate folder. Do not run the program yet.


2. Run HijackThis, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button:

O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15A767B0-F421-471A-910D-A7B81CBDD8DE}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FCE1CB0-7A2F-41CA-ACAA-EBC93803732B}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{36613CE7-4DF5-4D89-89DA-13D51237EDC7}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C66D07F-B996-49B7-8F7C-E2B2C22FF39D}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC923032-E4AD-4B67-8D72-484580BE3DE6}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA04E73B-C85B-4D65-BDE7-CF880BB15BD0}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{15A767B0-F421-471A-910D-A7B81CBDD8DE}: NameServer = 85.255.116.154,85.255.112.188


3. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Delete the C:\WINDOWS\system32\dflnl.exe file if it exists.


4. Open Blacklight and have it run a scan.
- Once the scan is complete, click the "Next"
- In the resulting list of found items, have it rename (use the Rename button) all of the files except wbemtest.exe (which is …

DMR 152 Wombat At Large Team Colleague

If this is a large enough concern, contact law enforcement....

Agreed. This is, if anything, a matter for the forum's owners and/or law enforcement officials to pursue.
Given that, and the fact that the question itself is quite off-topic for this particular forum, this thread has been closed.

DMR 152 Wombat At Large Team Colleague

what happens to the installation (hidden files) on the hard drive...

Nothing, usually. Are the restoration files stored on a separate partition on the drive?

DMR 152 Wombat At Large Team Colleague

1. Unfortunately, I have no idea what's going on with HijackThis; I've never seen that problem before.

2. You can try the recommended SpyAxe fix without using HijackThis. Give it a try and then post the contents of the smitfiles.txt log file generated by the fix.

3. The Nero corruption may or may not be related to the infection; the error you're getting has been reported by others in cases where spyware was not involved. The first thing I would suggest is to uninstall Nero entirely and reinstall it.

DMR 152 Wombat At Large Team Colleague

Yes - it is working great now, THANK YOU!!

Glad we could help :)

Do you recommend enabling system restore on my computer?

Yes, now that the computer is clean, that would be recommended.

Do you think that I have way too many processes running? Would you suggest reducing the number? Please let me know.

You do have a number of processes listed in your HJT log that don't need to be run as startup items, and disabling those will reduce some of the "drag" on your system resources. It's best to use each program's preferences/options settings to disable the "autostart" option if possible, so look through the programs' settings for such options before removing their "O4" entry in/with HijackThis.


# include <disclaimer.h>
:
The processes listed below don't necessarily need to be starting automatically when you boot Windows, although depending on your particular needs and your system configuration, you may want/need to leave some of them active. Also- please be aware that disabling some of the components can have adverse effects on some programs or Windows itself. If you experience anything abnormal after disabling a given process, re-enable it.

mm_tray.exe - a component of the MusicMatch software
VTTimer.exe - related to VIA/S3 graphics hardware
realsched.exe, rnathchk.exe - online update components of Real Player software
hpsysdrv.exe - HP monitoring utility. Disabling this has caused documented problems
hphupd05.exe - online updater for HP PhotoSmart software
hphmon05.exe - another PhotoSmart component; related to reading …

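The two posts above (the O4/O17 fix list, and the list of startup processes that can be left out of autostart) both come down to reading HijackThis entries and deciding what each one is. The script below is an added example, not code from this thread, from DMR, or from HijackThis itself: it parses the three entry types discussed (R1 ProxyServer, O4 Run keys, O17 per-interface NameServer) and reports a verdict per line. The security-relevant check is the O17 one: an O17 NameServer value is a per-interface DNS override, so every lookup on that adapter goes to whatever address is in the key, and the only sound test is whether those addresses are resolvers you actually configured. The script therefore assumes a trusted resolver network (172.16.240.0/24, taken from the other log quoted in this thread) and reports anything outside it. The startup table is hand-built from the process notes in the post above; the sample log is constructed, not a real HJT log.

```python
"""Triage HijackThis-style log lines (R1 proxy, O4 startup, O17 NameServer entries).

Added example; not part of the original thread or of HijackThis.
Requires Python 3.8+ (uses assignment expressions).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample log (not a real log). Entry shapes follow the ones quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=localhost:1080
O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [MMTray] C:\Program Files\MusicMatch\mm_tray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15A767B0-F421-471A-910D-A7B81CBDD8DE}: NameServer = 85.255.116.154,85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\..\{77EDD71A-5EDF-42D4-8B14-95D1316B2A2C}: NameServer = 172.16.240.250,172.16.240.251
"""

# Assumption: the resolver network(s) this machine is supposed to use (LAN/ISP DNS).
# Any O17 address outside these networks is reported, because the O17 value overrides
# DNS for that interface regardless of what DHCP or the user configured elsewhere.
TRUSTED_DNS_NETWORKS = [ipaddress.ip_network("172.16.240.0/24")]

# Startup executables named in the thread, with the advice given there.
# Anything not listed is reported as 'review' rather than guessed at.
KNOWN_STARTUP: Dict[str, Tuple[str, str]] = {
    "mm_tray.exe": ("optional", "MusicMatch tray component"),
    "vttimer.exe": ("optional", "VIA/S3 graphics helper"),
    "realsched.exe": ("optional", "Real Player update scheduler"),
    "rnathchk.exe": ("optional", "Real Player update component"),
    "hpsysdrv.exe": ("keep", "HP monitoring utility; disabling has caused problems"),
    "hphupd05.exe": ("optional", "HP PhotoSmart updater"),
    "hphmon05.exe": ("optional", "HP PhotoSmart component"),
}

_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_R1 = re.compile(r"^R1 - (?P<key>.+?),(?P<value>\w+) = (?P<data>.*)$")
_SYSTEM_DIR = re.compile(r"\\(windows|winnt)\\system(32)?\\", re.IGNORECASE)


def executable_name(cmd: str) -> str:
    """Return the lower-cased basename of the program in an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces; take the text up to the first ".exe".
        m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_nameservers(servers: str, trusted=TRUSTED_DNS_NETWORKS) -> List[str]:
    """Return the resolver addresses in an O17 value that are outside the trusted networks."""
    rogue = []
    for token in re.split(r"[,\s]+", servers.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            rogue.append(token)  # not even an IP address: report it rather than ignore it
            continue
        if not any(ip in net for net in trusted):
            rogue.append(token)
    return rogue


def triage(log_text: str, trusted=TRUSTED_DNS_NETWORKS) -> List[Tuple[str, str, str]]:
    """Classify each recognised line as (verdict, entry_type, detail).

    Verdicts: 'fix' = remove with HijackThis, 'review' = inspect before touching,
    'optional' = safe to stop autostarting, 'keep' = leave alone, 'ok' = nothing found.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := _O17.match(line):
            rogue = check_nameservers(m["servers"], trusted)
            if rogue:
                findings.append(("fix", "O17", f"{m['key']}: unexpected resolvers {rogue}"))
            else:
                findings.append(("ok", "O17", m["key"]))
        elif m := _O4.match(line):
            exe = executable_name(m["cmd"])
            if exe in KNOWN_STARTUP:
                verdict, note = KNOWN_STARTUP[exe]
            elif _SYSTEM_DIR.search(m["cmd"]):
                verdict, note = "review", "unknown executable in the Windows system directory"
            else:
                verdict, note = "review", "not in known list"
            findings.append((verdict, "O4", f"{exe}: {note}"))
        elif m := _R1.match(line):
            # Any browser proxy is worth a look; a local SOCKS proxy means some process
            # on this machine is sitting between the browser and the network.
            if m["value"].lower() == "proxyserver" and m["data"].strip():
                findings.append(("review", "R1", f"browser proxy set to {m['data'].strip()}"))
    return findings


if __name__ == "__main__":
    for verdict, entry_type, detail in triage(SAMPLE_LOG):
        print(f"{verdict:8} {entry_type:4} {detail}")
```

The table-driven O4 verdicts are deliberately conservative: the script never marks an unknown startup item for removal on its own, it only says "review", which matches the advice in the thread to check each program's own autostart setting before fixing the O4 entry. The O17 check is the one that can say "fix" outright, because a resolver address that nobody configured has no legitimate reason to be in that key.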
DMR 152 Wombat At Large Team Colleague

Glad we could help :)

Does everything still seem to be OK? If so, please let us know so that we can mark this thread as "Solved".

Thanks.