DMR 152 Wombat At Large Team Colleague

I don't have an answer for the ewido crashing at the moment (can you give us any more details?), but I do have a question: why are there new program entries in your latest HijackThis log? :

O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

Please don't install anything during our troubleshooting; it just confuses and complicates things.

I'm logging off for the night right now; I'll check back on this thread tomorrow...

DMR 152 Wombat At Large Team Colleague

I'm logging off for the night now, but I'll review your response when I return tomorrow...

DMR 152 Wombat At Large Team Colleague

That's better :)

There's one entry in your log which is hopefully just a leftover from the disinfection process. Please do the following "cleanup" procedures:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these two utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton anti-Virus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, but don't run it yet.


4. Run HijackThis again, put a check mark next to the following entry, and then click the "Fix checked" button. Close HJT once it has finished performing the fix:

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\l62slgf7162.dll (file missing)


DMR 152 Wombat At Large Team Colleague

I'm asking for a new log from the HijackThis program, not the L2Mfix program.
Run HijackThis again and post the log it generates in the same way you did in your first post.

DMR 152 Wombat At Large Team Colleague

Other than the fact that you have Weather Bug installed, your log is clean. The unregistered version of WeatherBug is ad-sponsored, so I'd register it if you haven't already, or uninstall it.

DMR 152 Wombat At Large Team Colleague

There's an L2M log in that post, but no log from HijackThis.

DMR 152 Wombat At Large Team Colleague

A) You should download and install Service Pack 4 for your version of Windows. SP4 is the most current (and last) update for Win 2K, so you should take advantage of the bug fixes and security patches included in it.


B) Your log shows signs of a couple of infections; so please do the following:

- Before performing the procedures below, uninstall the "Game Fiesta" software through your Add/Remove Programs control panel if you find it listed there; the program is classified as adware.


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- …

DMR 152 Wombat At Large Team Colleague

I had asked for another HijackThis log in addition to the L2M log; can you post one please?

DMR 152 Wombat At Large Team Colleague

You still have a variant of the Home Search Assistant/CoolWebSearch family of infections. Please do the following:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these specific about:blank/Home Search/etc. removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your anti-virus program and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, …

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help :)

DMR 152 Wombat At Large Team Colleague

Your log is clean. As far as the toolbar change goes, does SpywareGuard tell you anything more specific than the fact that it relates to the Google toolbar?

DMR 152 Wombat At Large Team Colleague

Good work; it took a little doing, but your log is clean now :)

Does everything seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

OK- please do the following:

From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

Hi Smokey29, welcome to DaniWeb :)

1. Yes- many of the malicious infections do have the ability to "morph" the names of their files.

2. Unfortunately, the traditional anti-virus/SpyBot/Ad Aware trio is often not enough to rid your system of some of the more nasty infections that exist today. Microsoft Antispyware beta, ewido Security Suite, and Webroot Spy Sweeper are proving to be more effective against the newer spyware/adware threats, and infection-specific removal procedures are often necessary.

3. I haven't seen anything that definitively states that SpyAxe and the hacktool infections come hand-in-hand, but I've seen enough posts where both infections are present to start me thinking that there might be a connection. Even if that's not true, it definitely isn't uncommon for malicious infections as a whole to come as a "package deal"; if you've got one, chances are that you've got more than one.


4. In terms of what you should or shouldn't do, or in what order you should do things, that can depend on which specific infections or variants of infections you are dealing with. Sometimes a "shotgun" approach works, but in other cases one infectious component must be removed before others can be successfully deleted. If you want to post a HijackThis log for us to review, we can probably give you a better answer to this.

DMR 152 Wombat At Large Team Colleague

Better still; only three leftovers to go...

1. Run HJT again and have it fix:

O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)


2. Reboot into Safe Mode again.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Verify that the following files have truly been removed; if not, delete them now:

C:\WINDOWS\system32\netna.dll
C:\WINDOWS\system32\appon32.dll
C:\WINDOWS\d3lh.dll

- Empty your Recycle Bin.

- Perform one more scan/fix with ewido and save the new scan report log.


3. Reboot normally, run HijackThis again, and post the new (and hopefully final) log. Also post the log that ewido generated.
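
As an added illustration (not part of the original post and not code from HijackThis), the verification in step 2 above can be scripted: this Python sketch parses HJT entries, lists the files behind "(file missing)" leftovers that should be confirmed as deleted, and flags a system process name that runs from outside system32. The sample log is assembled from entries quoted in posts on this page; the function names and the SYSTEM32_ONLY list are assumptions of the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# HJT section codes that appear in the posts on this page.
SECTIONS = {
    "R1": "IE start/search page setting",
    "R3": "IE URLSearchHook",
    "F3": "autostart from win.ini/system.ini (registry-mapped)",
    "O2": "Browser Helper Object",
    "O4": "autostart from Run key or Startup folder",
    "O20": "AppInit_DLLs / Winlogon Notify",
}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in an executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|\r\n]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT appends one of these when the registry entry points at nothing on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumption for this example: names that should only ever load from system32.
SYSTEM32_ONLY = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}


@dataclass
class Entry:
    code: str
    meaning: str
    path: Optional[str]
    clsid: Optional[str]
    orphaned: bool
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT result line, or None for headers and other text."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    path = PATH_RE.search(body)
    clsid = CLSID_RE.search(body)
    return Entry(
        code=m.group("code"),
        meaning=SECTIONS.get(m.group("code"), "not covered in this example"),
        path=path.group(0) if path else None,
        clsid=clsid.group(0) if clsid else None,
        orphaned=any(marker in body for marker in ORPHAN_MARKERS),
        raw=line,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def files_to_verify(entries: List[Entry]) -> List[str]:
    """Paths named by orphaned entries: confirm on disk that each is really gone."""
    return [e.path for e in entries if e.orphaned and e.path]


def masquerading(entries: List[Entry]) -> List[Entry]:
    """Entries whose file name is a core system process but whose folder is not system32."""
    flagged = []
    for e in entries:
        if not e.path:
            continue
        directory, name = ntpath.split(e.path)
        if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
            flagged.append(e)
    return flagged


# Constructed sample: individual entries quoted in posts on this page, not one real log.
SAMPLE_LOG = r"""
O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)
O2 - BHO: (no name) - {301F1B2E-EBA7-430C-60B2-5DB343B2583B} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for p in files_to_verify(entries):
        print("verify deleted:", p)
    for e in masquerading(entries):
        print("system name outside system32:", e.raw)
```
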

DMR 152 Wombat At Large Team Colleague

You have a version of the VX2/Look2Me infection. Please download L2mfix from:
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe,C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

DMR 152 Wombat At Large Team Colleague

Great; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Yes you should be able to..

POP access isn't always available with the basic free accounts, though :(

Yahoo - you have to subscribe to the Mail Plus service in order to have POP access to your Yahoo mail.

Gmail - POP access is included at no charge.

MSN/HotMail - ... does support Outlook access with their free accounts... no, wait- they don't support it anymore... but, um... now they are supporting again. Krikey! MS has waffled back and forth on POP/HTTP access to their free accounts so much in the past few years that I don't even know where they stand today. If they are currently offering the feature with free accounts, I wouldn't lay bets on that being true 6 months from now.


There are third-party solutions which can provide POP access for free web-based email services which do not normally offer that service, but obviously, these solutions are definitely not supported by Yahoo and the like.

There are certain limitations to using POP access in Outlook to access web-based email service as well, and many people find these limitations frustrating.

For one thing, there is no correlation between the "personal folders" that you can create in your web-based account, and those you can create in the version of Outlook on your local computer. They are entirely separate beasties, and mail stored in a custom folder created in your webmail account will not be accessible by …

DMR 152 Wombat At Large Team Colleague

if u could even check what graphics card u are using so i know what to download

Um- you need to find out what graphics card you are using in order to know what driver needs to be installed for that particular video card.

Give us the details that Device Manager lists for your display adapter and we can probably point you to the correct driver.

DMR 152 Wombat At Large Team Colleague

1. You should only run one anti-virus program at a time; having two AV programs active can cause conflicts.

2. There are no obvious signs of infections in your HJT log. If Norton and/or AVG give you details on the infections you have (file names, folder locations, etc.), please post the full and exact details here.

DMR 152 Wombat At Large Team Colleague

Very cool. Glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Many infections have been cleaned, but the main Home Search/about:Blank infection still appears to be present.

Please run the 4 about:blank-specific utilities (from #1 in my last post) again and post a new HJT log.

DMR 152 Wombat At Large Team Colleague

The other post is here

http://www.daniweb.com/techtalkforums/thread36670.html

Yup- and it's locked now, too. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Krikey! As if I don't have anything better to do than chase down and lock Spam threads...

DMR 152 Wombat At Large Team Colleague

Looks good now; that's a clean log. :)

Does the system seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

Far Too Much Time On Their Hands

Funny... I was thinking the same thing about the guys that came up with the 3.14 pie I linked to. :mrgreen:

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

DMR 152 Wombat At Large Team Colleague

All looks good from here- Your HJT log is clean now, and ewido deleted a couple of other hidden "nasties" as well. :)


Does everything seem to be working properly now?

DMR 152 Wombat At Large Team Colleague

... so far, it's looking good.

And we hope it stays that way for a loooong time... :)

DMR 152 Wombat At Large Team Colleague

Glad we could help, summon :)

Can you tell us exactly which steps you took to get your system clean, please? Having that information posted here could be helpful to other members in the future.

Thanks.

DMR 152 Wombat At Large Team Colleague

"Mmm Pie"? That wouldn't be as in 3.14 Pie, would it?

DMR 152 Wombat At Large Team Colleague

Other than the following two "loose ends", which you should have HJT fix, the log looks clean:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {301F1B2E-EBA7-430C-60B2-5DB343B2583B} - (no file)

DMR 152 Wombat At Large Team Colleague

The following entry is still present; try fixing it again:

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

Other than that though, the log looks clean.

DMR 152 Wombat At Large Team Colleague

Hi Lanii, welcome to DaniWeb :)

Your log shows no signs of any obvious nasties. Please give us more details on the following:

"This problem seemed to surface when my ip address changed"

DMR 152 Wombat At Large Team Colleague

You have quite a few malicious entries in your log, and I also see no indication of any installed anti-virus or anti-spyware programs.

If you really don't have an A-V program, download and install the free edition of AVG anti-virus now.

Next, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- …

DMR 152 Wombat At Large Team Colleague

Is it possible to share files across the two Linksys routers?

Yes, but the real issue comes down to sharing files across two networks, because that is what routers do- they manage traffic between two or more different networks.

Please give us details of the logical configuration of your routers and computers, such as the WAN and LAN IP addresses of each router, the IP addresses assigned to the computers connected to each router, whether or not the routers are supplying the computer IPs via DHCP, etc.

DMR 152 Wombat At Large Team Colleague

Your latest log is much cleaner, but there are two entries which did not get fixed, and one new entry as well.

1. Run HijackThis again and have it fix:

F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files if they still exist:

C:\WINDOWS\system32\st3.dll
C:\WINDOWS\alt.exe


3. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also let us know if the "can't connect" message still appears or not.

DMR 152 Wombat At Large Team Colleague

i did what u said and the same log appeared.

That's strange. I don't know why that's happening, and without the full log I can't tell if you have signs of infections left on your computer or not.

In terms of the "SpyAxe" infection though, removal instructions for that specific infection can be found here. SpyAxe is often associated with the larger "Smitfraud" family of infections; the link I gave for SpyAxe removal also links to instructions for removing smitfraud if you need to go that route.

To (hopefully) fix other infections which could possibly be lurking on your computer, you can follow these general removal procedures:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
SpyBot Search & Destroy - http://www.safer-networking.org/
Ad Aware SE Personal - http://www.lavasoftusa.com/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

DMR 152 Wombat At Large Team Colleague

That's a clean log, tayspen :)

For future protection, I'd recommend that you install Microsoft Anti-Spyware beta; it does a good job of removing "nasties" and also provides real-time protection.

DMR 152 Wombat At Large Team Colleague

Hi Adi, welcome to DaniWeb :)

Your log indicates quite a few "unwanted guests", and it also indicates that you have a couple of "bogus" anti-spyware programs installed.

A) SpyFighter and AdwareAlert are programs known to display false positives in an effort to coax/scare you into paying money for their products; you should uninstall both programs using your Add/Remove Programs control panel. Before downloading/installing/purchasing any adware or spyware utility, you should check this site to see if the program is reputable or not.


B) Please perform the following disinfection procedures:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these specific about:blank/Home Search/etc. removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open …

DMR 152 Wombat At Large Team Colleague

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

The above information from your log indicates that your versions of Windows XP and Internet Explorer are very out-of-date, which makes your computer extremely vulnerable to malicious infections.

While it is definitely not advised to upgrade an infected and/or problematic system to Service Pack 2, you should at least install Service Pack 1a in order to fix many of the bugs and security flaws which malicious programs exploit.

In terms of the infection:

The trojan "rdriv.sys" file, which Norton identifies as Trojan.Cachecachekit, is delivered by a worm, which Symantec says must be removed before the trojan can be dealt with. Try Symantec's removal procedures for the worm and trojan:

W32.Spybot.NLX (worm)- http://securityresponse.symantec.co...spybot.nlx.html

rdriv.sys (trojan)- http://securityresponse.symantec.co...hecachekit.html


Try the above procedures and let us know the results.

DMR 152 Wombat At Large Team Colleague

Hi HadYourPhil, welcome to DaniWeb :)

A) To remove the "crazywinnings" references:

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove.

- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not delete or modify anything else in the registry!!!


1. Download and install ewido Security Suite (trial version) - http://www.ewido.net/en/download/

2. Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- …

DMR 152 Wombat At Large Team Colleague

Hi summon,

Your HijackThis log is very incomplete; please run HJT again and post the log according to these directions:

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

DMR 152 Wombat At Large Team Colleague

After a lot of anti-spyware and cleaning actions it seems to be solved!

Good work. Except for the following two entries, your last HJT log does look clean:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing

DMR 152 Wombat At Large Team Colleague

Hi kstrass111, welcome to DaniWeb :)

Before doing anything else, uninstall the Spyware Vanisher and UnSpyPC programs using your Add/Remove Programs control panel. Both programs are disreputable in that they report false positives in order to "scare" users into purchasing their full product.
Before downloading/purchasing/installing any supposed "anti-spyware" product, you should consult this list of trusted vs bogus programs.

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these specific about:blank/Home Search/etc. removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after …

DMR 152 Wombat At Large Team Colleague

I thought as much. FireDaemon is a Windows "service manager" application and in itself isn't malicious. However, it can be installed and (ab)used by malicious programs, which looks like the case here.

First:

C:\Documents and Settings\David Bradford\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
Once you've moved HJT to a proper folder, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

DMR 152 Wombat At Large Team Colleague

The "red circle with a white x" is the signature symptom of the Antivirus Gold/SpySheriff/Smitfraud group of infections. Your HJT log indicates a couple of other infections as well.

Your log also shows no signs of an anti-virus program running. If you really don't have an A-V program, download and install the free edition of AVG anti-virus now.

Next, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to …

DMR 152 Wombat At Large Team Colleague

Hi Anthony, welcome to DaniWeb :)

This particular forum is a place for new members to introduce themselves, but it's not a place where we handle technical questions.

You should start a new thread in our Windows Software forum and post your question there; I'm sure some of our other members will have some suggestions for you.

DMR 152 Wombat At Large Team Colleague

Hi liane,

Welcome to DaniWeb :)

Sorry for the delayed response; our "staff-to-member ratio" is a little skewed toward the member side right now.

As to your question regarding dial-up and WiFi, you should start a new thread in our Networking forum and ask the question there. This particular forum (Community Introductions) is basically just a place for new members to say "Hi", so we don't deal with technical questions here.