DMR 152 Wombat At Large Team Colleague

I am having the same problem; any ideas or suggestions?

Hi blumps,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Your HJT log looks clean, but as evidenced by the persisting cmd.exe issue, the infection still seems to be (at least somewhat) active.

You said you downloaded the smitrem utility, but that it didn't seem to work. Please run the utility again, as per the instructions from the utility's author. After doing so, post the contents of the "smitfiles.txt" file mentioned in those instructions.

DMR 152 Wombat At Large Team Colleague

Hi DougGass,

In accordance with our "one member's problem/question per thread" posting policy, I've split your question into a new thread of its own, which can be found here. Please submit all further posts regarding your problem to that thread.

Thanks for understanding. :)
================================================
In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.
================================================

DMR 152 Wombat At Large Team Colleague

...so it seems I have to take some necessary steps to validate the key.

Yes, that would be the best thing to do. Microsoft is getting pretty aggressive about "piracy", so there are an increasing number of resources (Windows updates and other product downloads) that you can't get from them without validating your copy of XP first. Also, our forum rules prohibit us from helping members who are running an illegit version of Windows, so....

DMR 152 Wombat At Large Team Colleague

I was lucky enough to keep reading through the posts on your site and finally ran the smitRem.exe file

The "smitfraud" family of infections that the smitrem program deals with can cause the errors that you were having; good work on finding that fix yourself! :)

DMR 152 Wombat At Large Team Colleague

the computer is obviously infected

Not at all; the problem could be caused by a number of things. Did SpyBot, Ad Aware, etc. turn up anything that makes you suspect a malicious infection?

Personally, I'd look for non-malicious causes first; it's been a loooong time since I've seen an "unwelcomed" program that mucks with CD drives in the way you describe.

DMR 152 Wombat At Large Team Colleague

The errors you're experiencing could be due to a few different things, so it might take some work to pinpoint/fix the exact cause. Can you help us narrow down the possibilities, please?

1. Was the spyware/virus cleaning done after the problem appeared, or before? Can you tell us the names (or even the symptoms) of any of the infections?

2. Run the System File Checker to see if it detects any missing/corrupt system files; instructions for/explanation of the SFC utility are here. If problems are found, it may prompt you for the XP install CD in order to retrieve good copies of the files it needs to refresh/replace.

3. Did anything else occur just prior to the errors occurring which might have contributed to them (new programs installed, old ones uninstalled, other changes to the system)? Without making him feel like he's done something wrong, ask your son if he can shed some light in this regard.

4. How does the computer work when booted in to Safe Mode as opposed to when booted normally?

5. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a properties window with more detailed information on the error; post that info here. To do so:

In the Properties window of a given entry, click on the button with the graphic of …

DMR 152 Wombat At Large Team Colleague

Your log does show signs of a few "unwanted guests", so let's start with some general cleaning steps:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {FB70BCA3-7711-56CC-4345-5F50DD5331E6} - C:\WINNT\system32\emjiawun.dll
R3 - …

DMR 152 Wombat At Large Team Colleague

I've never seen Norton interfere with HijackThis before, but that doesn't mean it isn't a possibility. Try running HJT with Norton totally disabled.

Do you think the complete system back up i did has lost some memory as i now have that error message when closing nero?

No, doing a backup has nothing to do with memory at all. The error message could be the result of a few things, but I don't have enough information about your system or its problems to start chasing that particular problem yet. As far as reinstalling Windows goes, there's no guarantee that doing so would fix the Nero error, and it really isn't recommended that you reinstall Windows over a currently unstable or infected install.

Is it really only Nero that has problems as far as you've seen?

DMR 152 Wombat At Large Team Colleague

Good- your latest log is clean :)
Do things seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

Nice! Spy Sweeper not only killed the avpe32.dll problem (and a few others as well), but the log contents also list the registry locations and associated infectious components that were responsible for making avpe32.dll so difficult to remove.
All looks good now; your HJT log is clean. :)

DMR 152 Wombat At Large Team Colleague

Try this:

1. Download the 14-day trial version of Webroot's Spy Sweeper. When you install it, just choose the "Typical" option, follow the prompts, and then run the program.

- Click on "Options" and then click on "Update Definitions" under the Program Options tab.

- Under the Sweep Options tab, select ALL options under 'What to Sweep'.

-Click the "Sweep" icon and then "Start" to begin scanning.

- When the scan completes, click Next to automatically quarantine all detected items.

- Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.


2. Run HijackThis again and have it fix the following entry if still present:

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll


3. Reboot, run HijackThis again, post both the SpySweeper log and the new HJT log.

DMR 152 Wombat At Large Team Colleague

Hi kwarthc, welcome to DaniWeb :)

1. You are using a very old version of HijackThis; please download the latest version, run it, and post the new log.


2. Please give us more detail/background on your problem and what you've already tried in terms of fixes.

DMR 152 Wombat At Large Team Colleague

1. Have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpCE82.tmp (file missing)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [cmd32] C:\cmd.exe


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for the following files and delete them if found:

C:\WINDOWS\system32\hpCE82.tmp
C:\cmd.exe


3. Empty your Recycle Bin and reboot.

4. Run HJT again and post a fresh log, and let us know if the homepage hijack is still present.
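The entries above are the kind a helper reads off a HijackThis log by eye: blanked IE settings, components that no longer exist, autostarts from odd locations. As an added example (not part of DMR's posts or of HijackThis itself), the Python script below applies those same heuristics to a constructed sample log; the "Example Vendor" and "Start Page" entries are made-up benign controls, and the rules are assumptions about what usually merits attention, not a definitive allow/deny list.

```python
"""Triage of HijackThis (HJT) log entries of the kinds quoted in this thread.

Added example, not part of the forum posts or of HijackThis itself. The rules are
heuristics a helper applies by eye: "fix" marks entries that point at nothing
(candidates for HJT's "Fix checked"); "review" marks entries a person should look at.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: entries modelled on those quoted in the thread plus two
# benign control entries ("Start Page", "Example Vendor"). Not any poster's real log.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Platform: Windows XP (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpCE82.tmp (file missing)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [cmd32] C:\cmd.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\tray.exe" /quiet
O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Every HJT entry starts with a section code ("R0", "O4", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Body of an O4 entry: HKLM\..\Run: [name] <command line>
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
# Markers HJT prints when the referenced file or CLSID is gone.
ORPHAN_TAGS = ("(file missing)", "(no file)", "(no clsid)")
# Heuristic (an assumption, not an allow list): autostarts normally live here.
USUAL_DIRS = ("\\program files\\", "\\windows\\system32\\")


@dataclass
class Finding:
    code: str
    line: str
    severity: str  # "fix" or "review"
    reason: str


def executable_of(cmd: str) -> str:
    """Extract the program path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per entry that matches a triage rule; header lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        low = body.lower()
        if any(tag in low for tag in ORPHAN_TAGS):
            findings.append(Finding(code, line, "fix", "references a component that no longer exists"))
        elif code.startswith("R") and body.endswith("="):
            findings.append(Finding(code, line, "fix", "Internet Explorer setting has been blanked"))
        elif code == "R3" and "is missing" in low:
            findings.append(Finding(code, line, "fix", "default URLSearchHook has been removed"))
        elif code == "F2" and low.startswith("reg:system.ini: shell=") and low.count(".exe") > 1:
            findings.append(Finding(code, line, "review", "extra program chained onto the Shell= value"))
        elif code == "O4":
            rm = RUN_RE.match(body)
            if rm:
                exe = executable_of(rm.group("cmd"))
                if "\\" not in exe:
                    findings.append(Finding(code, line, "review", "bare file name, resolved via the PATH search order"))
                elif not any(d in exe.lower() for d in USUAL_DIRS):
                    findings.append(Finding(code, line, "review", "autostart outside Program Files / System32"))
        elif code == "O20":
            findings.append(Finding(code, line, "review", "Winlogon Notify hook; few legitimate programs add these"))
        elif code == "O23" and "unknown owner" in low:
            findings.append(Finding(code, line, "review", "service with no registered owner"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```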

DMR 152 Wombat At Large Team Colleague

Sorry, I think I see where the confusion may lie- I was asking if you downloaded HijackThis from the link I gave in the body of my post, not the HijackThis link in my sig.
The reason I'm asking you to download HJT from that location is that the file there is not zipped/compressed; it is the "ready-to-run" hijackthis.exe program itself. I've never seen anyone have the particular problem you're having with HJT, so I'm just trying to eliminate the possibility that it has something to do with trying to run the program from within the downloaded compressed/zip archive or something like that.

DMR 152 Wombat At Large Team Colleague

PROBLEM SOLVED! Here's how.

I used these steps from another forum...

Lol. I found that exact site just yesterday while looking for a solution to a similar problem, and I bookmarked that puppy right away. Those are some very handy reg files. :)

DMR 152 Wombat At Large Team Colleague

That's a much cleaner log; good work.

- Run HijackThis and have it fix:

O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s

- Look for the C:\WINDOWS\System\svwhost.exe file and delete it if it exists.

- Empty your Recycle Bin and reboot.

- Run HJT again and post the new log.

DMR 152 Wombat At Large Team Colleague

I just want to make sure this isn't one of those new trojans out now.

Not that I know of; CLI.exe is part of the ATI Catalyst video card software.

DMR 152 Wombat At Large Team Colleague

I'll ask this again, since you didn't specifically answer my question:

Obvious question, but did you try downloading the file from the link I posted? That's the plain (unzipped) hijackthis.exe program on one of my own FTP servers; I know it works.

I need to log off and get some sleep right now, but I'll come back to this tomorrow.

DMR 152 Wombat At Large Team Colleague

Whoever you bought the computer from probably didn't install a legitimately licensed load of Windows. :sad:

You really should get a legit version of XP; running an unpatchable version of the original release is just asking for trouble infection-wise.

1. Once again, run HijackThis, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O21 - SSODL: hZYuTXZQYkJG - {6CAFE98C-C605-4326-4C28-ACD87FEDF798} - C:\WINDOWS\System32\ufcbi.dll


2. From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. (If you get prompted for a password while running L2MFix, type: bye )

Copy the contents of the L2M log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

*Groan* Slap me with a wet trout please... [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/fishwhack.gif[/img]

I just realized that the "ipws.exe" entry in your log, which I thought was associated with the iPodWatcher program, is actually a piece of one of the infections.

1. Run HijackThis and have it fix:

O4 - HKLM\..\Run: [ipws.exe] C:\WINDOWS\ipws.exe
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\ir2ul5f91.dll (file missing)

2. With Windows Explorer set to show hidden files and folders as we did before, look for the following files and delete them if found:

C:\WINDOWS\ipws.exe
C:\WINDOWS\SYSTEM32\mcrh.tmp


3. Empty your Recycle Bin and reboot.


4. Run HJT one more time and post the new log.

DMR 152 Wombat At Large Team Colleague

Glad we could help. Happy New Year to you also! :)

DMR 152 Wombat At Large Team Colleague

Ewido found and cleaned: C:\WINDOWS\system32\dn0q01d5e.dll -> Spyware.Look2Me

I saw that in your last L2M log, and there were a couple of other things we should take care of as well.

- In the folder where you unzipped L2MFix there is a subfolder named regfixes, and within that, a file named winlogondefaults.reg. Double-click on that file, and then click Yes in the resulting confirmation message box.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

-Look in your C:\Windows\System32 folder for the following files:

dn0q01d5e.dll
ir2ul5f91.dll
guard.tmp

If found:

- Open the Killbox.
* Enter C:\Windows\System32\dn0q01d5e.dll in the "full path of file to delete" box.
* Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.
* Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
* Click No at the request to actually reboot.

- Repeat the above for C:\Windows\System32\ir2ul5f91.dll

* Enter C:\Windows\System32\guard.tmp in the "full path of file to delete" box.
* Select the "Replace on reboot" option.
* Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
* Click Yes at the request …

DMR 152 Wombat At Large Team Colleague

That was one heck of a troubleshoot you went through over at CTH; good work. :)

What exactly is wrong with your CD drive?

DMR 152 Wombat At Large Team Colleague

Weird; that folder location should be fine. Obvious question, but did you try downloading the file from the link I posted? That's the plain (unzipped) hijackthis.exe program on one of my own FTP servers; I know it works.

DMR 152 Wombat At Large Team Colleague

Is your copy of XP legal?

DMR 152 Wombat At Large Team Colleague

This particular forum may not be the right place for your question, as you've mentioned nothing related to virus/spyware/etc. infections.

Perflib files are generated by a number of programs/processes, and should be automatically deleted during a normal system shutdown. However, the files can become corrupt or orphaned by a system crash, possibly leaving them "stuck" on your computer. If you absolutely cannot delete them while booted into Windows normally, reboot into Safe Mode (command prompt only) and delete them via DOS.

DMR 152 Wombat At Large Team Colleague

Sounds like some odd permissions problem; where did you save the HijackThis program and the log file? Please give the full and exact path of that folder.

DMR 152 Wombat At Large Team Colleague

- Download the Pocket Killbox utility.

- Run HijackThis again and have it fix the following entry; close HJT when the fix is complete:

O20 - Winlogon Notify: URL - C:\WINDOWS\system32\p6p6lg7s16.dll


- Select/hilight the bold text below and press Ctrl+C to copy the text to the Windows' clipboard:

C:\WINDOWS\System32\ir2ul5f91.dll
C:\WINDOWS\System32\p6p6lg7s16.dll
C:\WINDOWS\System32\sstwa.ini2
C:\WINDOWS\System32\sstwa.bak2
C:\WINDOWS\System32\sstwa.bak1
C:\WINDOWS\System32\sstwa.tmp
C:\WINDOWS\System32\sstwa.ini

C:\WINDOWS\system32\dycprop.dll

- Open the Killbox.
* Click on the File menu and choose "Paste from clipboard". The filenames above should then be pasted into the "Full path of file to delete" box.
* Select the "Delete on Reboot" option.
* Click on the icon with the red circle and white X, and choose Yes when prompted to reboot.

- Once the system has rebooted:
* Run another HJT scan and post the new log.
* Run L2MFix using Option #1 again and post that log as well.

DMR 152 Wombat At Large Team Colleague

Good work; your log is clean now. :)

Does everything seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

Is there anything else I could use that would find similar problems that the MS would?

ewido is the closest; I find using the two programs together to be very effective.

I just noticed the information below in your HJT log headers:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Those entries indicate that your versions of XP and Internet Explorer are very out of date. Before we go any further, download and install XP Service Pack 1a; the Service Pack fixes many bugs and security loopholes that allow malicious programs to install and run on your system.

DMR 152 Wombat At Large Team Colleague

I don't know about your "blacklight" program. As soon as I downloaded it, I was beset with some program called "raze spyware"

That was definitely not from the BlackLight download; F-Secure is a very reputable company, and I've used that download link myself with no issues whatsoever.

Run another scan with Blacklight, but this time, in the list of found items, have it rename (use the Rename button) all of the files except wbemtest.exe. Reboot when BlackLight prompts you to do so.

Once the system has rebooted, there will be a new log in the BL folder. Post that log, along with a new HijackThis scan log.

DMR 152 Wombat At Large Team Colleague

That's better, thanks. Your log doesn't look too bad, but there are enough leftovers from Look2Me and other infections that a bit more general cleaning is probably in order.
There's one thing to take care of before we continue, though:

C:\DOCUME~1\Carla\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move/unzip the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often delete in the course of troubleshooting, by running disk clean-up utilities, etc.


You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open …

DMR 152 Wombat At Large Team Colleague

It seems that my desktop is an .html page. Is that part of the problem?

Good catch; you're right on the money. The altered desktop is an overlaid HTML page, and it was put there by one of the infections. We'll take care of that, but first we'll go after the "Look2Me" infection mentioned in your ewido log:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening.
After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

In that case, I honestly don't know why AVG keeps alerting you about the file. I suppose one other way to check for the file is to boot into "Safe Mode (command prompt only)", type the following command at the prompt, and then hit Enter:

dir C:\Windows\system32\fsaa.dll /a

If the file is found, type the following two commands, hitting Enter after each:

attrib -r -s -h C:\Windows\system32\fsaa.dll
del C:\Windows\system32\fsaa.dll

DMR 152 Wombat At Large Team Colleague

That looks like an infection-free log to me. :)

Does everything seem to be working properly now?

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

We also appreciate your appreciation; it's the only pay we get around here... :mrgreen:

DMR 152 Wombat At Large Team Colleague

Sorry we didn't get to you sooner, Dingo_Tristan; we're a bit shorthanded lately. :(


You definitely have a few "unwanted guests" on your system, but your HJT log also indicates that you're running Norton, AVG, and McAfee simultaneously. You should only run one antivirus program, as multiple AV programs can conflict with each other and cause further problems.

Once you've sorted out the antivirus program issues, please perform the following general cleaning procedures:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and AdAware and use their update features to download and install the most current spyware definitions file. Close the programs once they have completed their updates.

- Open your antivirus program and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.

DMR 152 Wombat At Large Team Colleague

There are two "leftovers" in your HijackThis log that need to go, but everything else looks good. :)

Run HijackThis and have it fix:

O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)

After doing the above, reboot, run another HJT scan, and make sure those entries aren't present in the new log.

DMR 152 Wombat At Large Team Colleague

There's only one leftover that I see in your log; run HJT again and have it fix:
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)

There are a few variants of the "hacktool.root" infection, and not all of them install components that are detected in a HJT scan. Given that, do scans with Norton and your other utilities come up clean now? If not, please give us the exact details (file names, file locations, etc.) of the detected infections.

DMR 152 Wombat At Large Team Colleague

Hi Toad53, welcome to DaniWeb :)

Spyaxe is one of those infections that demands special removal steps; Norton, SpyBot, etc. alone can't kill it.

Let's start with the first step; please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Kerio Personal Firewall is another possibility:
http://www.kerio.com/us/kpf_download.html

DMR 152 Wombat At Large Team Colleague

Your log shows no signs of malicious infections, although it does show that you have/had installed some useless "fluff" like the Butterfly Oasis screensaver and Big Fish Games. Many of those kinds of programs come bundled with adware (Butterfly definitely does), so they should be avoided.

Can you give us the system specs of the computer please (CPU type/speed, RAM, etc.), as well as a bit more history/detail concerning the slowdown problem?

DMR 152 Wombat At Large Team Colleague

1. realsched.exe is a component of RealPlayer, and it definitely doesn't need to be running.

2. 68 processes is pretty extreme; if there are that many processes running just after starting Windows (that is, before opening up any programs), I'd be suspicious. A "normal" XP system usually has around 40 running processes.

Post a HijackThis log; that will give us a good idea what's going on, and we can use HijackThis to disable any unnecessary processes from running.

DMR 152 Wombat At Large Team Colleague

Hi HadYourPhil,

I've edited your above post to include the HijackThis log in the body of the post. In the future, please paste your logs directly into your posts as opposed to attaching them; it makes it easier to follow the troubleshoot that way.

As for the infection, please do the following:

- Download F-Secure's BlackLight into its own separate folder.
- Open Blacklight and have it run a scan.
- Once the scan is complete, click the "Next" button a couple of times (until it isn't an option anymore), and then click "Close"
- The scan will have created a logfile, which will be in the same folder that you saved the BlackLight program; post the contents of that log here.

DMR 152 Wombat At Large Team Colleague

One infection you have is the Aurora/Nail.exe infection, which takes a few special steps to remove.
The standard removal procedure can be found here. In the part of the procedure where you fix entries with HijackThis, these are the entries to fix in your particular case:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [dfvxfqw] C:\WINDOWS\system32\aqyjnzxc.exe
O4 - HKLM\..\Run: [hmieml] c:\windows\system32\giujpuz.exe
O4 - HKLM\..\Run: [xazrxu] c:\windows\system32\gudzxwm.exe r
O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Once you've performed the removal steps, post the resulting HijackThis and ewido logs here.

DMR 152 Wombat At Large Team Colleague

The shield, the bogus spyware warning, and the desktop hijack point to a variant of the smitfraud/spysheriff/spyaxe family of parasites. Here's the standard cleaning procedure for those infections:

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before …

DMR 152 Wombat At Large Team Colleague

I use, and would definitely recommend, AVG. I haven't used Avast! at all, but the people I know who do use it are quite happy with it.

Being that both programs are free, why not test drive each one (not at the same time!) and see which you prefer.

DMR 152 Wombat At Large Team Colleague

Your log definitely shows signs of at least two different infections, but if you're unable to run programs or access the Internet, it's going to be a little difficult to start the cleaning process.

1. You said you had no luck with Safe Mode, but what exactly does "no luck" mean? Did you have the same problems as when booted normally?

2. When you booted into Safe Mode, did you log in under your normal user account or under the Administrator account? If you didn't use the Administrator account, try that and let us know if things are at least workable.

3. Have you tried the "Last known good configuration" boot option?

DMR 152 Wombat At Large Team Colleague

Hi Darren1979,

You have a variant of the Smitfraud/SpySheriff/AntiVirusGold/SpyAxe/etc. family of infections, which require a special procedure to remove:

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of …