DMR 152 Wombat At Large Team Colleague

The infection you have (a Look2Me/VX2 variant) isn't uncommon, but:

A) Due to differences in the underlying structures of Win 98 and Win 2000/XP, HijackThis doesn't give us many (if any) clues as to the exact names/locations of the infected files when used on a Win 98 system. This makes it harder to prescribe an exact fix.

B) The tools that we would normally use to detect and remove current versions of L2M/VX2 infections only work on Win 2000/XP systems.

Download, install, and run the trial version of Webroot's Spy Sweeper; it is compatible with Win 98, and others have had success using it to remove certain versions of the L2M infection.

Please read the Help documentation that gets installed with the program, as it has easy-to-follow instructions for configuring and running the program. You'll want to run as thorough a scan as possible, and post the Sweep Results here if you can.

DMR 152 Wombat At Large Team Colleague

Before we dig in to the fix, please tell us if you knowingly installed (or know anything about) the "FireDaemon" program.

DMR 152 Wombat At Large Team Colleague

The trojan "rdriv.sys" file is delivered by a worm, which Symantec says must be removed before the trojan can be dealt with.

Have you tried Symantec's removal procedures for the worm and trojan yet:

W32.Spybot.NLX (worm)- http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.nlx.html

rdriv.sys (trojan)- http://securityresponse.symantec.com/avcenter/venc/data/trojan.cachecachekit.html

DMR 152 Wombat At Large Team Colleague

gcasDtServ.exe is part of Microsoft Antispyware, and exec.exe is part of your NetZero Internet connection software. Were they consuming a large portion of your resources, or did you mention them only because you didn't recognize them?

Nothing so far jumps out as the cause for the resource hogging. You should use our Advanced Search option at the right of this page to search for previous threads on "%100 CPU Usage" issues; we've had many threads on the topic (and its many causes).

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

I don't use Avast!, but the folder you describe sounds like it could be Avast!'s virus quarantine folder or something similar; that would account for its growth.

DMR 152 Wombat At Large Team Colleague

Eicar files aren't malicious; they're virus testing tools. Think of them as "virus simulators". Here's more info from Symantec (Norton):

The Eicar Test String is not a real virus. It is a text file that is used to test antivirus software. By default, the file name is Eicar.com, but it could be renamed to anything. Eicar.com can be downloaded from the Eicar Web site at http://www.eicar.org/anti_virus_test_file.htm . It can also be created in any text editor. It is not a virus, and it cannot infect your computer. It contains the EICAR Test String.

Norton AntiVirus detects this as EICAR Test String.

If it was detected on your computer, it likely was downloaded or created by someone for testing purposes.

This test string cannot be repaired. To remove it, delete all files that are detected as EICAR Test String.


DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

Before beginning the procedures below, uninstall these programs using your Add/Remove Programs control panel if you find them listed there:

Ebates/MoeMoneyMaker
WeatherBug
ViewPoint


1. You already have ewido installed; download and install these additional utilities (but do not run scans with them yet):

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open McAfee anti-virus and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan yet; just close it once it …

DMR 152 Wombat At Large Team Colleague

You have a number of malicious components listed in your log, but you need to take care of one thing first:

C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

Before beginning the procedures below, uninstall these programs using your Add/Remove Programs control panel if you find them listed there:

Ebates/MoeMoneyMaker
WeatherBug
ViewPoint


1. You already have Microsoft Antispyware installed; download and install these additional utilities (but do not run scans with them yet):

ewido Security Suite …

DMR 152 Wombat At Large Team Colleague

Does Norton give you any specific information such as the names and/or locations of infected files? Having that information can help us more quickly determine what still needs to be done to remove the infection.

DMR 152 Wombat At Large Team Colleague

OK- you've definitely got "unwanted guests". Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

Before beginning the procedures below, uninstall these programs using your Add/Remove Programs control panel:

ViewPoint/ViewPoint manager
Wild Tangent
MyWebSearch

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open your anti-virus program and use its update feature to make sure that you have the most current virus definitions installed. …

DMR 152 Wombat At Large Team Colleague

A. Spy Trooper is a spyware "remover" of dubious repute; uninstall it through your Add/Remove Programs control panel. You can read more about Spy Trooper and other bogus "anti-spyware" programs here.

B. Your HJT log does show malicious programs running on your system. Please follow the general cleaning/removal procedures below to remove some/most of the "unwanted guests":

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. You already have MS Antispyware and ewido; download and install these additional utilities (but do not run scans with them yet):

Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open Norton …

DMR 152 Wombat At Large Team Colleague

Hi drajpatel, welcome to DaniWeb :)

I believe the problem may have started after installing and running the latest versions of "Ad-aware 6.0" and a few similar programs like that, then deleting the problem items that were found.

Good call- that's exactly right. "bridge.dll" is a spyware component, and while AdAware, etc. have removed the actual bridge.dll file, there is still a reference to the file in your Windows Registry.
You may also have other "loose ends" remaining on your system; please do the following so that we determine if that's true or not:

Download the free HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move HijackThis.exe to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there. We can also tell you how to …

DMR 152 Wombat At Large Team Colleague

1. Are you sure you posted the entire contents of the HijackThis log file? It looks light on content, even for a Win 98 system.
Also- the log shows no signs of infections, but for the particular infection you have, a HJT log may not give us many clues on a Win 98 system.

Please do the following, and we'll go from there:

At the moment, you have HJT running directly from your desktop, which is not advised; the program should be put in its own separate folder. Create a folder for HJT outside of any Temp/Temporary folders and move HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Scan with HijackThis. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

DMR 152 Wombat At Large Team Colleague

i've never been able to get rid of psguard, though.

PSGuard is part of the "Smitfraud" infection. To clean the PSGuard entries from your Registry, please do the following:

- Download smitrem.exe and save the file to your desktop.
Double-click on the file and extract it to its own folder on the desktop.

- Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

- When finished, the tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

NetMeeting? PAL SPYREM? wild tangent? a few icons escaped detection, too. free ipod things... a file... s.dll

- NetMeeting is an Internet teleconferencing program from Microsoft; it comes bundled with Internet Explorer.
- PAL Spyware Remover (PAL SpyRem) is a spyware "remover" of dubious reputation; you can read more about it here. Uninstall it through your Add/Remove Programs control panel if it is listed there; if it isn't, open Windows Explorer and delete the entire C:\Program Files\PAL SpyRem folder.
- Wild Tangent makes popular free game downloads, the "free" part meaning that the games are bundled with Adware. As with SpyRem, remove all Wild Tangent programs through the control panel and/or delete all Wild Tangent and WT folders found …

DMR 152 Wombat At Large Team Colleague

1. You still have one HijackThis log entry left over from the infection. Run HJT again and have it fix:
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)


2. I can't tell you exactly what happened in terms of the lost space at this point, but I can tell you that it isn't a normal side effect of infections (or removing them). There could be a few different reasons for the problem, though; let's see if we can narrow it down:

A) Look for "bloated" files or folders:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Click on the Search button, and in the resulting "Search Companion" pane:

* Leave the "All or part of filename" and "word or phrase in file" boxes blank.

* Click on "When was it modified" and specify a date range that would most closely reflect the time during which the loss of disk space occurred.

* Click on "What size is it?" and select "Don't remember".

* Click on "More advanced options", select "all files and folders" for the type of file, and put a check mark next to the search options for system, hidden, and subfolders.

Let the search run, and when it completes, look for any items whose size looks abnormally large. Give us …

DMR 152 Wombat At Large Team Colleague

Hi fili00,

i didn't find where to post my problem in the forum so I try it this way.

We don't deal with technical questions/problems in this particular forum at all; Community Introductions is just a place for new members to say "Hello".

I see that you found an answer in our Shell Scripting forum though, so it looks like all is good.

DMR 152 Wombat At Large Team Colleague

I like to think I'm adored anyways ;)

We all adore you, Dani.


:mrgreen:

DMR 152 Wombat At Large Team Colleague

Was the system sluggish before you deleted the files you mentioned?

desktop.ini and thumbs.db are two of the files you were seeing. They are valid Windows files which are normally hidden, but they got revealed in the process of removing the infections you had. I know that Windows will generate a new thumbs.db file when needed, and the same may be true of desktop.ini. System performance should not be affected by the lack of either file.

To "hide" such files again, open Windows Explorer, and in the Folder Options->View settings under the Tools menu, deselect "show hidden files and folders", and check "Hide protected operating system files" and "Hide extensions for known file types".

DMR 152 Wombat At Large Team Colleague

Sorry for the delayed response- this thread slipped through the cracks on me.

i couldn't find the file C:\stub_113_4_0_4_0.exe anywhere on my computer. i used the search thing and nothing came up...

That's OK- the file isn't listed in your HJT log anymore either, so we should be good. The log as a whole is clean now. :)

DMR 152 Wombat At Large Team Colleague

Let's start by getting a snapshot of the state of your system.

Download the (free) HijackThis utility. Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

There are no signs of anything malicious or unusual in your HJT log.

The cpu usage is getting stuck at 100%. ...

Does Task Manager give you an indication of which programs/processes seem to be hogging the CPU time?

DMR 152 Wombat At Large Team Colleague

Log is clean now; looks good :)

When I tried to delete "skype" using hijackthis, I received this message: "The service 'skype' is enabled and/or running.... so I used the services.msc thing on my computer...

:o Sorry; my fault- I forgot the instructions for disabling the service first. Glad you figured it out.

Just let me know if it's all fixed (besides the Party Poker :cool: )

O'tay- that's your choice in the end, but PartyPoker is an "unwanted guest"...

DMR 152 Wombat At Large Team Colleague

Your performance hit could be caused by a few things; I'd start with this:

See which programs and processes are using the most CPU time and RAM by hitting Ctrl+Alt+Delete and then clicking the Task Manager button in the resulting window. When Task Manager opens, click the "Processes" tab to view the list of running processes and the system resources they're using. You can sort the list (highest to lowest) by CPU or Memory Usage by clicking on the corresponding headers in the list.

If you see anything running that seems to be hogging a lot of your system resources, give us the details.

DMR 152 Wombat At Large Team Colleague

Sorry to hear about the strep; that's no fun...

Your log is entirely free of any signs of malicious infections, so I doubt that's the source of the system slowdown. Can you give us more detail/background on the problem, please?
- Did you start noticing the slowdown after installing or updating a certain program?
- Did it coincide with anything else that might have happened to the system (adding/removing hardware, for example) ?
- Did the system start bogging down gradually, or was it a case of seeming to be fine one day and slow the next?
- Give us the system specs, especially for the RAM and CPU.


You can see which programs and processes are using the most CPU time and RAM by hitting Ctrl+Alt+Delete and then clicking the Task Manager button in the resulting window. When Task Manager opens, click the "Processes" tab to view the list of running processes and the system resources they're using.
You can sort the list (highest to lowest) by CPU or Memory Usage by clicking on the corresponding headers in the list.


(I see that you have AOL installed, and that package can really put a load on a system, especially the latest version. Your HijackThis log shows that no less than 9 different components of AOL were running when you ran your scan, and I'll bet a few of those will be at the top …

DMR 152 Wombat At Large Team Colleague

Seems that the CleanUp! utility somehow recognizes the winxp style as a temp file and deletes it!!

Oh, crud... you're right, d0rk. Buried in the release notes for the new version of Cleanup! is an obscure reference to fixing an issue with Temp files and XP themes.

One possible way to restore the "XP Themes" option:

Right click on the desktop and choose Properties. Choose the "Browse..." option in the Themes drop-down menu, browse to the C:\Windows\Resources\Themes\Luna.theme file, and double-click on it.

DMR 152 Wombat At Large Team Colleague

Good work; we're almost there :)

One last symptom of the infection has surfaced in your latest log, but it looks like everything else got cleaned.

- Scan with HijackThis again and have it fix:

O23 - Service: Skype Messenger (Skype) - Unknown owner - C:\WINDOWS\skype32.exe (file missing)

- When the fix has completed, click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window, click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

Skype


Reboot, run HJT again, and post the log for a (hopefully) final review.
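The two leftover entries quoted in this thread (the O2 BHO marked "(no file)" and the O23 Skype service marked "(file missing)") and the earlier HijackThis-running-from-a-Temp-folder problem can all be spotted mechanically from the log text. The script below is an added example, not part of the thread or of HijackThis itself; the sample log is constructed, and the line conventions it assumes are only those visible in the quoted log lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not from the thread). The Temp-folder process path and the
# two orphaned entries are the ones quoted in the posts above; the rest is filler.
SAMPLE_LOG = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\DOCUME~1\Mike\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe",
    r"",
    r"O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: Skype Messenger (Skype) - Unknown owner - C:\WINDOWS\skype32.exe (file missing)",
])

# Markers HijackThis appends when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# "O2 - ...", "O23 - ...", "R0 - ..." etc.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(r"Service: .*?\(([^)]+)\) - ")


@dataclass
class Finding:
    kind: str      # "tool_in_temp" or "orphan"
    section: str   # HJT section id (O2, O23, ...) or "" for process lines
    line: str      # the offending log line, verbatim
    advice: str    # what to do about it


def service_short_name(entry: str) -> Optional[str]:
    """Return the short service name from an O23 entry body, e.g. 'Skype'."""
    m = SERVICE_RE.search(entry)
    return m.group(1) if m else None


def parse_hjt_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and report entries that need attention."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            section, body = m.groups()
            if any(marker in body.lower() for marker in ORPHAN_MARKERS):
                advice = "Have HijackThis fix this entry; it points at a file that no longer exists."
                if section == "O23":
                    # A missing-file service also needs the registry service record removed.
                    svc = service_short_name(body)
                    if svc:
                        advice += (" Then use Config -> Misc Tools -> 'Delete an NT service'"
                                   f" on: {svc}")
                findings.append(Finding("orphan", section, line, advice))
        elif in_processes:
            # HijackThis itself should never run from a Temp folder: those get wiped.
            if "\\temp\\" in line.lower() and line.lower().endswith("hijackthis.exe"):
                findings.append(Finding(
                    "tool_in_temp", "", line,
                    "Move HijackThis.exe to its own folder (e.g. C:\\HijackThis) before "
                    "continuing; Temp folders are emptied during cleanup."))
    return findings


if __name__ == "__main__":
    for f in parse_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.advice}")
```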

DMR 152 Wombat At Large Team Colleague

Good job d0rk, your logs look good :)

As far as losing the themes (and perhaps other graphical presentation elements of Windows) goes, there is a side-effect of the smitfraud infection which might be at the root of that problem.

To find out if this is the case, right-click anywhere on your desktop and choose "Properties" from the resulting pop-up menu. If you don't see all of the following tabs in the properties window, or cannot change the settings within the tabs, perform the fix given below:

Themes
Desktop
Screen Saver
Appearance
Settings


The fix:
- Download smitfraud.reg and save the file to your desktop.
- Once downloaded, double click on the file and when Windows asks you to merge the data, click Yes.
- Reboot your computer.

You should now be able to change your desktop settings to your liking. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

DMR 152 Wombat At Large Team Colleague

hey...i just noticed. step 3... all of the things i need to check and fix, in hijack this. are not in my hijack this log.

Yoiks!! You are absolutely right! :o

Very sorry about that. Friggin' cut-n-paste errors on my part; working on too many posts at the same time...

I've edited my last post so that the instructions now reflect the infections on your system (what a concept, eh?).

DMR 152 Wombat At Large Team Colleague

Nooooooo!!!!!

Don't even THINK about following the above suggestions!!!

Good lord- not only will deleting the user account not fix the infection, but it could easily cause you a huge pile of additional problems.

:eek: :eek: :eek:


dork,

The "big red and black box" and "red circle with a white x on the taskbar" you describe are the signature symptoms of the Antivirus Gold/SpySheriff/Smitfraud group of infections. Your HJT log indicates a couple of other infections as well.

To begin with, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

DMR 152 Wombat At Large Team Colleague

Yes- In addition to violating the laws in many countries, providing, linking to, or even suggesting the use of "cracked" or otherwise illegal software directly violates our forum rules.

DMR 152 Wombat At Large Team Colleague

Try booting into "Safe Mode" or "Last known good configuration" and let us know if one of those modes works. If so, you can then check your boot.ini file (as per nanosani's link) from there.

You get to the menu which displays both boot options by continuously tapping the F8 key just as your computer is starting up.

DMR 152 Wombat At Large Team Colleague

Hi Jess, welcome to the madhouse! :mrgreen:

DMR 152 Wombat At Large Team Colleague

Welcome, Glynis! :)

DMR 152 Wombat At Large Team Colleague

rofl.sys is definitely a component of a rootkit infection, and Norton may not be able to delete it when Windows is booted normally. We'll deal with that in a moment, but first we need to remove a couple of other "unwanted guests".

Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Uninstall the following programs using your Add/Remove Programs control panel (if they appear there). All of these pieces of software contain adware/spyware components:

Weather Bug
Wild Tangent
Viewpoint
My Web Search

Party Poker

2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. …

DMR 152 Wombat At Large Team Colleague

Good work :)

Your HijackThis log is clean, and your ewido log indicates that ewido not only cleaned the files we wanted to remove, but also caught a couple of other "nasties" as well.

Now that your system has been disinfected, you might want to have a read through this thread for suggestions on how you can keep your system protected from future infections.

DMR 152 Wombat At Large Team Colleague

A.

also... what program is making random words on pages, into little green links?

Those are "sponsored links", and they're done on the webserver's side. The technique is a relatively new (and pretty irritating) form of advertising.


B.

something c:/recyclers s-1-5-21-304614 blah blah blah

"Recyclers" folders are where items in your Recycle Bins are kept; they can be safely deleted.


C. You've got a handful of nasties in your log; please do the following:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download and install these utilities (but do not run scans with them yet):

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Adaware, click on the "Check for updates now" link, and follow the prompts …

DMR 152 Wombat At Large Team Colleague

Hi jaishankar,

We definitely do appreciate your desire to help. However, there are a few things to keep in mind when offering help in this forum:

1. You appear to have linked to an older version of XSoftSpy. As new infections and new variants of existing infections are discovered almost daily, it is very important that members are given the absolute latest version of the detection and removal programs we recommend and/or provide.

2. The download link you provided for XSoftSpy leads to a file-sharing site, and such sites cannot (for what I hope are obvious reasons) be considered "trusted" download locations. Given that, we do not recommend that members obtain their utilities from those sites, but rather from the software vendors themselves or from trusted software repositories such as majorgeeks.com. (XSoftSpy's site does have its own direct download for the current release of the free version of their product).

3. When participating in a thread where troubleshooting is already in progress, please do not suggest alternate "fixes" until the threadstarter has posted the results of performing the procedures already given them by the person currently assisting them. Doing so can confuse or sidetrack the person we are trying to help, and malware removal is most effective when done in a methodical way.

Thanks.

DMR 152 Wombat At Large Team Colleague

Hi funnygirl, welcome to DaniWeb :)

You've got a handful of "unwanted guests" in your HijackThis log; please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/


- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Adaware, click on the "Check for updates now" link, and follow the prompts to get the latest updates. Close the program when it has finished installing the updates.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open Norton Antivirus and make sure that you have the most current update installed. As with the above programs, don't run a scan …

DMR 152 Wombat At Large Team Colleague

I rebooted, pressed F8, selected "Last known good configuration" or whatever it's called, and it started up OK. But now I've no sound again!
I ran ewido and it found 2 items...

Unfortunately, the "Last known Good" configuration isn't always good. :(
If your computer was infected at the time that Windows saved its last system configuration "snapshot", infected files and the modifications they made to your system were backed up with everything else. Restoring your system to that point will restore the malicious entities along with the valid configuration info.


1. Please run HijackThis again and post the new log.

2.

Doesn't help that I can't copy and paste what it says

You can actually, and having the full details (Event ID, Source, faulting module, etc.) would help. Here's how to copy-n-paste that info:

- Double-click on an error to open the error's Properties window.

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.

- You can then paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

DMR 152 Wombat At Large Team Colleague

it seems as though I can't do secure things on my computer

A fairly common problem, and there are a few different causes (and fixes) for it.

First, try this fix from Microsoft's support site.

If that doesn't work, click here, enter the following two words in the "Search by keyword" box, and then hit Enter:

hotmail login


Some of the fixes in the threads returned by the above search are Hotmail-specific, but many fix access problems with secure sites/pages in general.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in nearly a year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hi pozer666,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Good work; almost there :)

1. Run HJT again and have it fix:

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [qffm] C:\stub_113_4_0_4_0.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\g804lidq180e.dll (file missing)


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Locate and delete C:\stub_113_4_0_4_0.exe, empty your Recycle Bin, and reboot.


3. Once rebooted, please run HJT one more time and post the (hopefully final) log.
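As an added illustration (not part of the original thread and not HijackThis's own code), here is a small Python parser that reads O4 and O20 lines in HijackThis log format and flags the kinds of entries singled out above: an autorun executable dropped in the drive root, a random-looking autorun value name, and a Winlogon Notify DLL that HijackThis reports as missing. The sample log excerpt is constructed from the entries quoted in the post, and the flagging heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample excerpt in HijackThis log format (modelled on the entries
# quoted in the post above; not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [qffm] C:\stub_113_4_0_4_0.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\g804lidq180e.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
""".strip()

# O4 = registry Run entry: hive, value name in brackets, then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 = Winlogon Notify entry: subkey name, then the DLL, optionally "(file missing)".
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def review_entry(line: str) -> list[str]:
    """Return heuristic reasons (assumed, not HijackThis rules) an entry deserves a look."""
    reasons: list[str] = []
    m = O4_RE.match(line)
    if m:
        parts = m.group("cmd").split()
        exe = parts[0] if parts else ""
        # Legitimate software rarely autoruns an .exe sitting directly in the drive root.
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", exe, re.IGNORECASE):
            reasons.append("autorun executable in drive root")
        # Short, all-lowercase value names with no meaning are typical of dropped autoruns.
        if re.fullmatch(r"[a-z]{3,6}", m.group("name")):
            reasons.append("random-looking autorun value name")
        return reasons
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            reasons.append("Winlogon Notify DLL reported missing on disk")
        base = m.group("path").split("\\")[-1]
        # Long lowercase/digit jumbles such as g804lidq180e.dll are not names vendors use.
        if re.fullmatch(r"[a-z0-9]{10,}\.dll", base):
            reasons.append("random-looking Winlogon Notify DLL name")
    return reasons


def review_log(text: str) -> dict[str, list[str]]:
    """Map each flagged O4/O20 line of a log to the reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = review_entry(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in review_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```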

DMR 152 Wombat At Large Team Colleague

Hi keeppunching, welcome to the site! :)

We don't deal with technical issues in this particular forum; it's just a casual place for new members to introduce themselves. To get help with your question, please post it in the most appropriate subforum of our Software Development Section.

DMR 152 Wombat At Large Team Colleague

Hey Ryan, so umm yah yey- welcome to DaniWeb! :mrgreen:

DMR 152 Wombat At Large Team Colleague

You missed step #2 in my last post...

Or... not, perhaps?
Was I smoking crack, or was the WinPFind log not in your reply when you initially posted it? If it was, I totally missed it.


OK- Both WinPFind and L2MFix identified a number of malicious files, so:

From the l2mfix folder, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

Your log is clean now. :)

Can you give us more info concerning the sites that you're having trouble accessing? Any details that you can give us would be helpful.

DMR 152 Wombat At Large Team Colleague

To see if the freezes have left any clues, open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a window with more details. If you see any entries whose details look like they might relate to your problems, post the full and complete contents of the details window(s) here.

DMR 152 Wombat At Large Team Colleague

Thanks for that, RR. :)

You're right- at this point, SP1a is the available option to SP2.

DMR 152 Wombat At Large Team Colleague

You missed step #2 in my last post, but we can skip that now; your HijackThis log has illuminated the suspect.

Please do the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!