DMR 152 Wombat At Large Team Colleague

1.

I wasn't able to Open Windows Explore...

Why couldn't you open the program? Did you get any error message when you tried?

2.

I opened Explorer...

If you mean that you opened Internet Explorer, that won't work; you need to open Windows Explorer.

DMR 152 Wombat At Large Team Colleague

Hello ski38off, welcome to DaniWeb :)

Thanks for starting your own thread; you were right in thinking that each person's "fix" is slightly different. In your particular case, you have more than just the hacktool.rootkit infection, so we'll have a bit more work to do.

Before we start to remove your infections, there is one thing you have to take care of first:

C:\Documents and Settings\#1 MOM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running the HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and …

DMR 152 Wombat At Large Team Colleague

"Your computer is infected spyware..." messages are a common scare tactic used by disreputable companies to sell you their "antispyware" products. If nothing else, you are infected- by their pop-up warnings!

Please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

OK- your latest log looks more "normal", but I'm not sure A) how much of the following you can do, given the unstable state of your system, and B) how much of the damage was due to malicious infections and how much was due to the problems during the EA game installation. Let's see what kind of headway we can make...

1. Click on the "Run..." option in your Start menu, enter the following in the resulting "Open:" box, and hit OK:

services.msc

That should open the Services utility.

- In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.

- Repeat the above steps for the SVCLOAD and SVCMGR services. Close the Services utility after that.


2. Run HijackThis again and have it fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file …
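As an added illustration (my own example code, not part of DMR's post and not HijackThis itself), here is a small Python parser for the kinds of log entries quoted in these threads (R0/R1, R3, O2, O4, O23). It pulls the fields out of each line and flags what the posts keep fixing: blanked-out IE start/search pages, hooks and BHOs marked "(no file)", and services with an "Unknown owner". The sample log is constructed from the entries on this page plus a placeholder BHO with an all-zero CLSID and a made-up process line.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample log, modelled on the entries quoted in the posts above.
# The "Example helper" BHO, its all-zero CLSID and the process line are placeholders.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.invalid/E5UVHJZD.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Example helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
"""


@dataclass
class Entry:
    kind: str                        # HijackThis section code: R0, R1, R3, O2, O4, O23, ...
    raw: str                         # the original log line
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# R0/R1: "HKLM\...\Main,Start Page = value"
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) =\s*(?P<value>.*)$")
# R3/O2: "Label: name - {CLSID} - path or (no file)"
CLSID_RE = re.compile(r"^(?P<label>[^:]+): (?P<name>.*?) - (?P<clsid>_?\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# O4: "HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23: "Service: Display name (shortname) - owner - path"
O23_RE = re.compile(r"^Service: (?P<display>.*) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_entry(line: str):
    """Return an Entry for a HijackThis log line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    e = Entry(kind, line.strip())
    if kind in ("R0", "R1") and (r := R_RE.match(body)):
        e.fields = r.groupdict()
        value = e.fields["value"].strip()
        if value in ("", "about:blank"):
            e.flags.append("blank_or_reset")          # IE page setting blanked out
        elif value.lower().startswith(("http://", "https://")):
            e.flags.append("custom_url:" + (urlsplit(value).hostname or "?"))
    elif kind in ("R3", "O2") and (c := CLSID_RE.match(body)):
        e.fields = c.groupdict()
        if e.fields["file"] == "(no file)":
            e.flags.append("orphaned_no_file")        # registry hook whose DLL is gone
    elif kind == "O4" and (o := O4_RE.match(body)):
        e.fields = o.groupdict()
        cmd = e.fields["command"]
        if cmd.startswith('"'):                       # quoted path, possibly with spaces
            exe = cmd[1:cmd.find('"', 1)]
        else:                                         # assumption: unquoted path ends at ".exe"
            i = cmd.lower().find(".exe")
            exe = cmd[:i + 4] if i >= 0 else cmd.split(" ")[0]
        e.fields["exe"] = exe
    elif kind == "O23" and (s := O23_RE.match(body)):
        e.fields = s.groupdict()
        if e.fields["owner"] == "Unknown owner":
            e.flags.append("unknown_owner")           # binary carries no vendor information
    return e


def parse_log(text: str):
    """All recognised entries of a log, in order."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def findings(text: str):
    """Only the entries that raised a flag, as (kind, raw line, flags) tuples."""
    return [(e.kind, e.raw, e.flags) for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for kind, raw, flags in findings(SAMPLE_LOG):
        print(kind, flags, raw, sep="  ")
```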

DMR 152 Wombat At Large Team Colleague

Good job; your log is clean now :)

DMR 152 Wombat At Large Team Colleague

Hi kali2005,

Started from : C:\DOCUME~1\Will\LOCALS~1\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.EXE

The above entry in your startup log indicates that you are currently running HijackThis from within a temporary folder. Temp/temporary folders are not places where items of a permanent nature should be stored, and given that, you need to move HijackThis to a different location. Create a new folder for HJT outside of any Temp/Temporary folders and move the hijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Once you've taken care of the above, run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

1.

I did not save the ewido log.

Why didn't you save the log? I asked for that log because its contents can tell us things that HijackThis can't.


2.

still get AVG popup re:fsaa.dll Trojan horse Downloader.Generic.AEL.

Does AVG tell you the exact location of that file? If so, post that information here.


3. Please do the following, and be sure to save (and post) the ewido log this time:


A) Run HijackThis again and have it fix:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home

B) Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


* Run ewido and have it fix all malicious items it finds. Save the log file that ewido will create after it finishes scanning.


* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known …

DMR 152 Wombat At Large Team Colleague

Hello tseyigai, welcome to DaniWeb :)

Ad Aware and SpyBot alone aren't going to be able to cope with at least one of the infections that you have. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and AdAware and use their update features to download and install the most current spyware definitions file. Close the programs once they have completed their updates.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, …

DMR 152 Wombat At Large Team Colleague

Hi walton,

A couple of things, before you resort to an entire system restore or reformat:

1.

This problem began after I blocked something that popped up on my Ad-Watch monitor

Can you tell us anything more specific about that? "Something that popped up" doesn't give us very much to go on at all.


2. The list of running processes at the top of your HijackThis log looks rather "light on content" for a normal XP system. Did you run that HijackThis scan in Safe Mode? If so (and if possible), run HijackThis while booted into Windows normally and post the log from that scan. The log you posted definitely shows signs of infections, but I'd expect to see more information in a log than exists in yours.


3. If you can access your Administrative Tools control panel, open the Event Viewer utility in that control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a window with more detailed information on the error; post that info here.

DMR 152 Wombat At Large Team Colleague

Hi kali2005,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

I've moved your question into its own new thread, which can be found here: http://www.daniweb.com/techtalkforums/showthread.php?t=37165
We'll help you solve your problem in that thread.

For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

do I also have to delete the other registry?

The "other" registry? I don't understand what you're asking. If you made the hpdriver.reg file and merged it with the registry, it will have deleted the LEGACY_HPDRIVER registry key, which is the only registry entry you mentioned.

The confirmation prompt you received when you merged the .reg file I had you create does ask if you want to "add this information to the Registry", but in this case the .reg file actually performs a deletion, not an addition. Notice the hyphen at the beginning of the HKEY_LOCAL_MACHINE\... line in the .reg file; it is interpreted as a "minus" sign, telling the system to remove the key following it.

DMR 152 Wombat At Large Team Colleague

Ok- your log does show signs of at least two infections; please do the following:

Before we start to remove the infection, there is one thing you have to take care of first:

C:\Documents and Settings\Lindstrom\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main …

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

DMR 152 Wombat At Large Team Colleague

OK, looks good so far. Let's go for the loose ends:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\RunServices: …

DMR 152 Wombat At Large Team Colleague

I've heard that some types of fans are able to be super quiet even at high speeds...Would this brand be less noisy even though the amps are higher?

In general, some brands/models of fans are definitely quieter than other fans, as they are built with low noise in mind in addition to their cooling capability. NMB does make some fans with pretty low noise ratings, but you would have to compare the noise ratings of your particular models of fans to see if the new one is supposed to be any quieter than the old one.

If it turns out that I need to connect it to a different spot, will I be able to pick up a working adaptor, being that the plugs on Dell fans are proprietary (specially wired)?

The fan is meant to connect to the motherboard on that system, but nothing says that it has to. If you want to wire it right to the power supply but can't find an off-the-shelf adapter for the fan, it isn't a difficult job to rewire the fan with a connector that does fit the power supply.

DMR 152 Wombat At Large Team Colleague

The Temporary Internet Files folder is just that- temporary; you can delete everything in those folders:

* Open your Internet Options control panel.
* In the General tab, click on the "Delete files..." button.
* In the resulting window, put a check mark in the "Delete offline content" box and then hit OK.
* The deletion may take a while, so be patient.

If Defender is giving you problems, try uninstalling it entirely and reinstalling it.

DMR 152 Wombat At Large Team Colleague

I'd suggest that, if you haven't already, to not hook that up to the motherboard, but to hook it up to an ATX power connector. A fan that big might draw too much current if it's using the spots included on the mobo for smaller fans.

Excellent point. :)
The connectors (and their associated circuit traces) on the motherboard are much more fragile than the power feeds coming directly from the supply, so excess current flow through the mobo connectors can damage them. If your fan is made to connect to the motherboard, you can buy an adapter to convert the fan's power connector to one which will mate with the power supply feeds.

DMR 152 Wombat At Large Team Colleague

Overheating won't be a problem; quite the opposite, I'd imagine. The Wattage rating of the new fan is almost 4 times that of the old one, so (assuming that the fan is efficient) that puppy should move a heck of a lot more air than the old one did. Being a "beefier" fan though, it might also be noisier than the old one.

DMR 152 Wombat At Large Team Colleague

VNC would do the trick. Here's a good (and free) VNC program:

http://www.tightvnc.com/

DMR 152 Wombat At Large Team Colleague

* Right-click on "My Computer" and choose "Properties" from the resulting menu.
* Click on the Hardware tab and then click the Device Manager button.
* In the resulting list of devices, click on the "+" sign next to Network Adapters to expand that category.

Is a wireless adapter listed there? If so, double-click on it to view its properties. Make sure the device is reported to be enabled, and working properly.

DMR 152 Wombat At Large Team Colleague

1.

I tried so many things, my brother tried a few things...

To begin with, please tell us exactly what you've done so far.

2. Please describe the connection problem in more detail. If you get error messages, tell us exactly what they are.

3. You posted this in our virus/spyware forum; is there anything in particular which leads you to believe that malicious infections are the cause of the problem?

DMR 152 Wombat At Large Team Colleague

OK:

1. See this link for the "16 bit MS-DOS Subsystem..." error; you must resolve that error before we proceed.

2. From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. (If you get prompted for a password while running L2MFix, type: bye )

Copy the contents of the L2M log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

1. Did you try cleaning the infection by running Defender in Safe Mode as jaishankar suggested? Before going in to Safe Mode, use Defender's online update feature to make sure you have the absolutely most current virus detection database installed.


2.

I found the file it was believed to be in, and I deleted it, but when I ran another scan, it is still showing it being there.

Please tell us the exact name and location of the infected file.


3. Try at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/hou.../start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx


4. If the above suggestions don't solve the problem:

Download the (free) HijackThis utility.

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once …

DMR 152 Wombat At Large Team Colleague

OK- that looks right.
If you're comfortable editing the Registry you can just delete the LEGACY_HPDRIVER subkey yourself.

Otherwise:

* Open a new file in Windows Notepad
* Copy-n-paste the text in the Code box below into that document
* Save the file to your desktop as hpdriver.reg
* Double-click on the file to run it
* Click "Yes" when prompted to add the information to the Registry
* Reboot

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]

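The hyphen-means-delete rule explained in DMR's earlier reply about the "add this information to the Registry" prompt, and the hpdriver.reg file above, can both be checked before merging. The following Python is my own added example, not code from the post: it reads a .reg file and lists what regedit would do with it (create or delete keys, set or delete values), so a file that claims to "add" information can be previewed first. The second sample file is constructed for contrast.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# "[path]" creates/updates a key; "[-path]" deletes it
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
# "name"=data sets a value, "name"=- deletes it, @= addresses the (Default) value
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# The hpdriver.reg file from the post above.
HPDRIVER_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]
"""

# Constructed contrast file (placeholder key): without the hyphen the key is
# created/updated; "Start"=- removes one value while the other lines set values.
ADD_REG = r"""Windows Registry Editor Version 5.00

; comment lines are ignored by regedit
[HKEY_CURRENT_USER\Software\ExamplePlaceholder]
"Start"=-
@="default data"
"Flag"=dword:00000001
"""


def plan_reg(text: str):
    """List what merging a .reg file would do, as (action, key, value_name, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing regedit header line")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if (k := KEY_RE.match(line)):
            current = k.group("path")
            action = "delete_key" if k.group("delete") else "create_key"
            actions.append((action, current, None, None))
            continue
        v = VALUE_RE.match(line)
        if not v or current is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = "" if v.group("default") else v.group("name")   # "" stands for (Default)
        data = v.group("data")
        if data == "-":
            actions.append(("delete_value", current, name, None))
        else:
            actions.append(("set_value", current, name, data))
    return actions


def is_valid_reg(text: str) -> bool:
    """True when the file parses cleanly (header present, every line understood)."""
    try:
        plan_reg(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for action in plan_reg(HPDRIVER_REG) + plan_reg(ADD_REG):
        print(action)
```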
DMR 152 Wombat At Large Team Colleague

There could be a few reasons for that. I'd start by using the Event Viewer utility in your Administrative Tools folder to review your System and Application log files. Look through the logs to see if there are any errors or warning messages which might relate to the program hangs. If you find such messages, double-click on them to display the message details and post those details here.

DMR 152 Wombat At Large Team Colleague

Yes. If System Restore is currently disabled, your _Restore folders are already empty; it is safe to turn the function on again.

DMR 152 Wombat At Large Team Colleague

I have new hard drive...

No, you have a used hard drive :mrgreen:

What you're seeing is a message from a utility which is used to perform "secure" wipes of hard drives. Large companies often use such tools to thoroughly erase sensitive data from computers' drives before disposing of them. In other words, it looks like your hard drive is "recycled".

In any event, the message means that your computer is bypassing the CD-ROM drive and trying to boot directly from the hard drive. There could be a few reasons for this:

1. The boot order specified in your computer's BIOS is set to boot from the Hard drive before trying to boot from the CD-ROM. To resolve this, enter your BIOS setup and adjust the boot device sequence such that the CD-ROM is tried before the hard drive.

2. Your BIOS is set to boot from the CD before the hard drive, but your XP install CD is damaged in some way. Not being able to boot from the CD, the computer proceeds to attempt booting from the hard drive. Try the install CD on another computer.

3. The CD-ROM drive itself is h0rked, causing the computer to bypass it during the boot sequence. Probably the least likely of the possibilities, but worth mentioning.

DMR 152 Wombat At Large Team Colleague

Finally F8 worked, but not always; it only works once in a blue moon.

You only have a small window of time during the boot-up sequence (usually a couple of seconds) in which to press F8 and access the Boot Menu. If you hit F8 too early or too late, the computer will boot into Windows normally, and you'll have to restart and try F8 again.

When I use the arrow keys it won't let me move it up to put it on last good config...

Does it let you select any of the options? If so, select Safe Mode or VGA Mode and see if you can at least get a usable display that way. From there you may be able to undo whatever changes you made to the display preferences.

DMR 152 Wombat At Large Team Colleague

I don't see the R0 thing, now.

Neither do I, which means that your log is clean now. If msdirectx.sys and xz.bat don't exist on your system anymore, you should be good to go.

At this point I'd suggest that you delete your old (and possibly infected) System Restore points and set a fresh new Restore point. Instructions and further explanation are here.

DMR 152 Wombat At Large Team Colleague

The full registry entry for hpdriver-

HKEY_LOCAL_MACHINE/SYSTEM/ENUM/ROOT/LEGACY_HPDRIVER

:-( I just noticed that was a waste of time... you hit it right on target besides the "CurrentControlSet" part.

Can you check that path again, please? There is no (valid, at least) ENUM subkey directly under the HKLM\SYSTEM key; the ENUM subkeys should only appear under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys.

DMR 152 Wombat At Large Team Colleague

Yeah- old tricks from The Deep Dark Days of DOS :mrgreen:

What surprised me was how well Excel dealt with the imported data from the text file. It sort of fscked header and summary info, but the actual filenames and attributes fall into the rows and columns pretty nicely.

DMR 152 Wombat At Large Team Colleague

1.

Can this error result from changes in services ?

That's definitely possible; why do you ask? If you made adds/removes/changes to your services or any other software components just prior to the problems occurring, please give us the details.


2. Without the logs, finding clues will be difficult. I'd suggest you start by running the System File Checker (SFC) utility and see if it finds any missing/corrupt system files or other inconsistencies. More info from Microsoft on the SFC is here.

DMR 152 Wombat At Large Team Colleague

Hi wwwusuario1, welcome to DaniWeb :)

Using DOS is still one easy way of doing what you want to do:

1. Open an MS-DOS box:

- Click on the "Run..." option in your Start menu
- In the resulting "Open:" box, type the following and then click "OK":

CMD

2. At the command prompt in the DOS window:

- Type CD C:\ and then hit Enter.
- Type dir /A/S >AllFiles.txt and then hit Enter.

The above version of the dir command will create a text file named "AllFiles.txt" in your C:\ directory which contains a listing, by directory, of all files on your C: drive. The default listing will include each file's date/time stamp and size, but you can modify which file attributes are included by adding the appropriate switches to the dir command (type dir /? for help on that).


3. The contents of the AllFiles.txt file can then be imported into an Excel worksheet if you want to manipulate the individual filedata, although you should be aware that the entire contents of the file may not fit onto one worksheet:

- Open a new worksheet in Excel.
- Under the "Data" menu, go to Import External Data->Import Data...
- In the resulting Select Data Source window, navigate to the C:\AllFiles.txt file and double-click on it to begin the import process.
- Follow the prompts during the import to format the …
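The "dir /A/S >AllFiles.txt" procedure above, and DMR's earlier remark that Excel mangled the header and summary lines of such a listing, both call for one intermediate step: turn the raw dir output into clean rows first. This Python is my own added example, not code from the post; it parses a constructed sample of XP-style dir /A/S output (US date format assumed), drops the volume header and the File(s)/Dir(s) summaries, and writes CSV that imports into Excel without surprises.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of "dir /A/S" output (Windows XP, US locale) with the
# volume header, "." and ".." entries, and the summary lines that confuse Excel.
SAMPLE_DIR = r""" Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\

01/15/2006  09:12 AM    <DIR>          WINDOWS
01/15/2006  09:12 AM    <DIR>          Documents and Settings
02/03/2006  11:45 PM               120 xz.bat
               1 File(s)            120 bytes

 Directory of C:\WINDOWS\system32

01/15/2006  09:12 AM    <DIR>          .
01/15/2006  09:12 AM    <DIR>          ..
02/03/2006  11:44 PM            13,312 msdirectx.sys
               1 File(s)         13,312 bytes

     Total Files Listed:
               2 File(s)         13,432 bytes
               4 Dir(s)  10,000,000,000 bytes free
"""

# date  time  <DIR>-or-size  name   (name may contain spaces)
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+)$")
DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+)$")


@dataclass
class FileEntry:
    directory: str
    name: str
    is_dir: bool
    size: int          # 0 for directories
    modified: str      # date/time text exactly as dir printed it


def parse_dir_listing(text: str):
    """Rows for every file/subdirectory; header, summary and ./.. lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        if (d := DIR_RE.match(line)):
            current = d.group("path")
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None or m.group("name") in (".", ".."):
            continue
        size_text = m.group("size")
        is_dir = size_text == "<DIR>"
        size = 0 if is_dir else int(size_text.replace(",", ""))
        entries.append(FileEntry(current, m.group("name"), is_dir, size,
                                 f"{m.group('date')} {m.group('time')}"))
    return entries


def to_csv(entries) -> str:
    """CSV text with one clean row per entry, ready for Excel's import wizard."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["directory", "name", "type", "size_bytes", "modified"])
    for e in entries:
        w.writerow([e.directory, e.name, "dir" if e.is_dir else "file", e.size, e.modified])
    return buf.getvalue()


def find_by_name(entries, needle: str):
    """Case-insensitive substring match on file name, e.g. hunting for msdirectx."""
    needle = needle.lower()
    return [e for e in entries if needle in e.name.lower()]


if __name__ == "__main__":
    rows = parse_dir_listing(SAMPLE_DIR)
    print(to_csv(rows))
```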

DMR 152 Wombat At Large Team Colleague

1.

I did not find any msdirectx files. Is this odd?

Not necessarily. Does the C:\xz.bat file still exist, or does it also appear to have been deleted?

2. I'm concerned about the "R0" entry that I asked you to fix in my last post; it's still present in your latest log. Did HJT appear to succeed when you had it fix that entry?

DMR 152 Wombat At Large Team Colleague

Hello jgrieco, welcome to DaniWeb :)

You have a version of the "Look2Me" infection; please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

1.

But some things you listed for me to delete with HijackThis did not appear there.

That is a Good Thing. The anti-spyware/anti-virus utilities you ran before you ran HijackThis should have fixed some of those entries; I had you check your HJT for the entries just to make sure there were no "loose ends" left after the cleaning.


2. I missed one entry in your log which needs to be fixed; please run HJT again and fix it now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fvbnxbgctaf.com/E5UVHJZD...zW6tlI8kexU.htm


3. There are a few different infections which use the "msdirectx.sys" file, which is the rootkit component of the infections. Please do the following to see if any versions of msdirectx.sys still exist on your system:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- In Explorer, click on the "Search" button and enter the following criteria in the Search pane at the left-hand side of the Explorer window:

All or part of the file name: msdirectx
Look in: Local Hard Drives (C:)
Click More Advanced Options:
Type of File: (All files and folders)
Check/Select: Search system folders, Search hidden files and folders, Search subfolders

Perform the search and tell us the results. If any versions of the msdirectx file are found, give us …

DMR 152 Wombat At Large Team Colleague

That sounds right- hpdriver.sys does have two or three related Registry entries, but I'm pretty sure ntfsprotect.exe doesn't.

Please post the full and exact path of the Registry entries. For example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDRIVER

DMR 152 Wombat At Large Team Colleague

where is the spyware, viruses and other nasties forum?

Here.

so I should download hackthis! and post the log on that forum right?

Yes.

DMR 152 Wombat At Large Team Colleague

Hi pathfinderb, welcome to DaniWeb :)


A) Try completely uninstalling and reinstalling AdAware.

B) If the My Way entry remains in your Add/Remove Programs control panel even after uninstalling the program and rebooting, follow these instructions to remove the entry from the control panel.

C) Your log shows no signs of infections or any other problems, but a clean log isn't necessarily indicative of a clean system as a whole. Please do the following in order to remove possible "nasties" that might exist on your computer:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your anti-virus program and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it …

DMR 152 Wombat At Large Team Colleague

You're welcome, Jerre; glad we could help :)

DMR 152 Wombat At Large Team Colleague

Thanks for reposting; I'll delete your post in the other thread. :)

Please perform the cleaning procedures below:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

(Before proceeding, uninstall Download Accelerator Plus if the version you have is the free version; the free version is adware)

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open Norton Antivirus and use its Live Update feature to make …

DMR 152 Wombat At Large Team Colleague

Glad to hear that. :)

Could you post the details of your solution here? Doing so could help other members in the future.

Thanks.

DMR 152 Wombat At Large Team Colleague

Good work :)

All looks clean now, except this one last thing:

The last line of your ewido log reminded me that you should delete the entire C:\WINDOWS\wt folder; it's a leftover from the WildTangent infection.

DMR 152 Wombat At Large Team Colleague

That's a bit of a bummer, because even if your intention was good, you do have an illegal version of Windows installed now, and that will lock you out of upgrades and other downloads/support from Microsoft. You should contact the retailer to see if you can get a legit XP CD, or perhaps contact Microsoft directly.
Computers sold with valid versions of XP installed should come with some sort of documentation containing a Windows authentication code/key (often found on a sticker on the computer's case) which can prove that you did originally own a valid load of Windows.

Unfortunately, because your version of Windows is pirated, we also can't help you troubleshoot your problem. From our Forum Rules:

Do not post anything warez related or related to other illegal acts. This includes tech support troubleshooting pirated software or P2P programs (i.e. Gnutella, Kazaa) used to obtain pirated software.

DMR 152 Wombat At Large Team Colleague

Your log is clean; the entries which you couldn't find had already been removed by ewido and the DAP uninstaller, so all is good as far as that goes. :)

As for an alternative to DAP, I can't really recommend one because I don't use "download accelerators".

DMR 152 Wombat At Large Team Colleague

Those messages are telling you that you don't have a legal copy of Windows installed on your computer. What can you tell us about that?

DMR 152 Wombat At Large Team Colleague

1.

I found a file (folder) named Temp-Installtemped...

Which is it, a file or a folder?

2. If it is a folder, what are the names of the files within the folder?

3. Regardless of whether it's a file or folder, within what folder did you find it (C:\, C:\Windows, C:\Program Files, etc.)?

4. Go ahead and post a HijackThis log for us to review; it might yield some clues.

DMR 152 Wombat At Large Team Colleague

You're right; the log is clean.
However, the following information in your log's header indicates that your versions of Windows and Internet Explorer are very out of date:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

For a number of reasons, including better protection against malicious infections, you should update your system to either Service Pack 1a or Service Pack 2. Updating might also resolve the Net lag. I'd also suggest installing Microsoft Antispyware beta for real-time spyware protection. SP1a, SP2, and MS Antispyware are all available for download at Microsoft's site.
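The version check DMR makes from those two header lines, written out as an added example (not code from the thread or from HijackThis): a small Python script that parses the "Platform:" and "MSIE:" lines of a HijackThis log and flags an XP install with no service pack. The SP2 sample header, and the "SP2" token it uses, are assumptions about how a patched system reports itself.

```python
import re

# Constructed sample: the two header lines quoted in the post above (XP with
# no service pack, IE 6 original build).
UNPATCHED_HEADER = """Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)"""

# Constructed sample of the same header from a system on SP2. The "SP2" token
# in both lines is an assumption about how HijackThis reports a service pack.
PATCHED_HEADER = """Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)"""

PLATFORM_RE = re.compile(
    r"^Platform:\s+(?P<os>.+?)(?:\s+SP(?P<sp>\d+[a-z]?))?\s+\(WinNT\s+(?P<nt>[\d.]+)\)$")
MSIE_RE = re.compile(
    r"^MSIE:\s+Internet Explorer v(?P<ver>[\d.]+)(?:\s+SP(?P<sp>\d+[a-z]?))?\s+\((?P<build>[\d.]+)\)$")


def parse_header(log_text):
    """Pull OS name, service pack, NT version and IE build out of the log header."""
    info = {"os": None, "win_sp": None, "nt": None,
            "ie_ver": None, "ie_sp": None, "ie_build": None}
    for line in log_text.splitlines():
        line = line.strip()
        m = PLATFORM_RE.match(line)
        if m:
            info.update(os=m["os"], win_sp=m["sp"], nt=m["nt"])
            continue
        m = MSIE_RE.match(line)
        if m:
            info.update(ie_ver=m["ver"], ie_sp=m["sp"], ie_build=m["build"])
    return info


def assess(info):
    """Return the patch-level findings a helper would raise from the header."""
    findings = []
    # WinNT 5.01 is Windows XP; with no SP token the log is from the original release.
    if info["nt"] and info["nt"].startswith("5.01") and info["win_sp"] is None:
        findings.append("Windows XP with no service pack: install SP1a or SP2")
    # 6.00.2600.0000 is the IE 6 build that shipped with XP; the service pack
    # updates it, so this finding clears once Windows itself is updated.
    if info["ie_build"] == "6.00.2600.0000":
        findings.append("Internet Explorer 6 is the original XP build; updated by the service pack")
    return findings


if __name__ == "__main__":
    for name, header in (("unpatched", UNPATCHED_HEADER), ("patched", PATCHED_HEADER)):
        print(name, assess(parse_header(header)) or ["up to date"])
```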

DMR 152 Wombat At Large Team Colleague

Please don't include the path (C:\windows) and the extensions (.exe, .sys) while searching the registry

Right; if you search the Registry for "hpdriver" or "ntfsprotect", you may find a few leftover entries.
In terms of the actual files, if you searched for the filenames in the way I described in my last post but didn't find them, that means that your utilities found and deleted them.

DMR 152 Wombat At Large Team Colleague

Oh yeah, I also can't be held responsible either, bbb2k4life... if something does go wrong

#include <disclaimer.h>.