DMR 152 Wombat At Large Team Colleague

You've got a few different nasties in your log; please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Uninstall the Weather Bug, Dope Wars, Wild Tangent, and Media Gateway programs using your Add/Remove Programs control panel. All of those pieces of software contain adware/spyware components.


2. Download and install these two utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. If you receive a warning message saying "Database not found", just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open Norton Antivirus and make sure that you have the most current update installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


3. Download and install the

DMR 152 Wombat At Large Team Colleague

WTF?! How did I do that! :p

Sheer talent, I guess. :mrgreen:

Seriously, though- your latest HJT log is clean. :)

Does everything seem to be functioning correctly now?

DMR 152 Wombat At Large Team Colleague

Hi sebryna808, welcome to DaniWeb :)

The g022lafo1d2c.dll file is malicious, and the related "Notify" Registry key is bogus. Also- the malicious file and Registry entry are components of a larger infection, and other pieces of that infection may still be present.

Please do the following so that we can get a better idea of exactly what "nasties" have crept into your system:

1. Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.


2. Download the WinPFind utility. Following the usage instructions posted on the download site, run the utility and post the log it generates along with your HijackThis log from step #1 above.

DMR 152 Wombat At Large Team Colleague

Does it look ok now?

I can't tell; you've only posted the top half of the log... :o

Post the entire log; I'll review it when you do.

DMR 152 Wombat At Large Team Colleague

O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\ggqafpck.dll

The above log entry is indicative of a trojan infection.

Also, your HijackThis log looks a bit strange. It is missing all of the "O4" entries, and those entries are pretty helpful in determining exactly what malicious files are loading when Windows starts up.

Please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Download and install these two utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. If you receive a warning message saying "Database not found", just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your antivirus program and use its Update feature to download and install the most current virus/spyware definitions file. Close the program once the update is complete.


2. Run HijackThis again, put a check mark in the box to the …

DMR 152 Wombat At Large Team Colleague

Any of the third-party buttons, menus, toolbars, etc. that you add to IE can be removed/uninstalled, but having them installed doesn't really have a negative effect on your Internet/network performance in general.

DMR 152 Wombat At Large Team Colleague

If you really do get a notice/warning specifically saying that your password has actually been changed (as opposed to the usual "invalid username or password" type message), your account may very well have been hijacked :(

I'm assuming you get this message when you try to access your account from any computer, yes?

DMR 152 Wombat At Large Team Colleague

You're welcome :)

DMR 152 Wombat At Large Team Colleague

I'm glad you were able to delete the malicious files and their associated "Run" entries in the Registry, but I'd suggest that you now do a couple of full anti-virus/anti-spyware scans to clean out the rest of the components of the infections. These days, infections are rarely comprised of a single file and a single simple addition to the Registry.

DMR 152 Wombat At Large Team Colleague

Those files are components of malware (virus, spyware, adware) infections. :(

Please read the malware removal information in this thread and try the suggestions given there. If you have further questions about the infections or their removal, please start an entirely new thread in our Viruses, Spyware and other Nasties forum.

DMR 152 Wombat At Large Team Colleague

If you have the original installation CD, try a Repair Installation. You can also troubleshoot using the Recovery Console; although it's a more "manual" approach.

DMR 152 Wombat At Large Team Colleague

Going all the way to SP2 is definitely not recommended on a problematic or infected system, but you should at least install SP1 and all current, relevant updates. If the updates are done correctly, the header info in your HJT log will appear as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Download and install these two utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. If you receive a warning message saying "Database not found", just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your Norton Antivirus program and use its Live Update feature to download and install the most current virus/spyware definitions file. Close Norton once the update is complete.


2. Run HijackThis again, put a check mark in the boxes to the left of the following entries, and then click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\system32\azesearch4.ocx (file missing)
O3 …

DMR 152 Wombat At Large Team Colleague

Unfortunately, you are still infected. :(

Please do the following:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Download and run CCleaner. Instructions for using the program are available on their website.


4. Run HijackThis again and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O4 - HKCU\..\Run: [Service Manager] C:\windows\dxsound.exe
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O19 - User stylesheet: (file missing)


5. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key …

DMR 152 Wombat At Large Team Colleague

...The problem seemed to be my Norton Anti-virus.

Glad you got it (painlessly) sorted out. :)

DMR 152 Wombat At Large Team Colleague

I'll second tylerg's recommendation, Dani- AVG is light, fast, frequently updated, and free for personal use.

I've used it on my own machines for quite some time, and it's also what I install on clients' machines, usually right after I discover that they let their subscriptions to Norton or McAfee run out. :mrgreen:

DMR 152 Wombat At Large Team Colleague

but surely a software-based one would be sufficient in its place?

By the time an intruder hits your software firewall, he's already at the front door of your system. The external firewall provides an extra layer of protection in the form of a "perimeter defense".

DMR 152 Wombat At Large Team Colleague

Sure- there are a variety of wireless printer servers on the market.
Just Google for "wireless print server" and read through the resulting links for models, prices, and reviews.

DMR 152 Wombat At Large Team Colleague

Hi osb139, welcome to DaniWeb :)

Based on the contents of the log you posted, there are two issues you need to take care of before we proceed:


1. Logfile of HijackThis v1.97.7

The above entry indicates that you are using a very old version of HijackThis.
Please download the current version (1.99.1), run it, and post the log that version generates. The new version does a more thorough scan of Windows 2000 and XP systems than does the older version. See #2 below before running the new version, though.


2. C:\Documents and Settings\Mom\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for the new version of HJT outside of any Temp/Temporary folders and move hijackthis.exe there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

Unfortunately, your latest HJT log still shows signs of infections. There are two things you need to take care of first though:

A) The following information in your HijackThis log's header indicates that you are very behind in your Windows and Internet Explorer updates:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Please use the Windows Update feature to download and install the most current updates for your system; many of the updates fix security holes and bugs through which spyware and viruses can infect your system. I wouldn't suggest upgrading to Service Pack 2 until your system is infection-free, but you should at least get Service Pack 1 and all of the most current related updates.

When properly updated, the information in your HJT log header should read as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

B) C:\DOCUME~1\Craig\LOCALS~1\Temp\Rar$EX00.453\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else.

DMR 152 Wombat At Large Team Colleague

I see no obvious "suspects" in your HJT log.

Do you have any Internet access at all (email, Instant Messenger, etc.)? This could be more of a general connection problem; please give us more info/details if possible.

DMR 152 Wombat At Large Team Colleague

You're welcome, sauronflorik; glad we could help :)


Paddy,

You might know the reasoning behind Safe Mode scans already, but I'll post the basic info just for reference:

When Windows is running in its normal start-up mode, spyware and virus removal programs can have difficulty removing some malicious infections due to the fact that components of the infections have already loaded themselves at Windows start-up, and are active at the time the removal programs try to delete them. While the removal programs can terminate many of the active nasties, others present more of a problem.

One reason for this is that many infections install multiple files which act as guardians for one another; monitoring each other's "health". When one of the files gets shut down by a removal utility, another guardian file senses this, and restarts (and in some cases actually recreates) the file that was killed. Additionally, infections can use hidden .dll files which are activated at boot-up by obscure registry entries, and these dlls can be quite difficult to detect and deactivate.

In Safe Mode however, Windows loads only a bare minimum of services, drivers, and processes; it ignores most normal startup items, and it does not process the entire registry. This means that many of the "autostart" techniques used by infections are also ignored, making the infections essentially dormant in Safe Mode. The fact that the infections are inactive makes it much easier for removal programs to thoroughly remove them …

DMR 152 Wombat At Large Team Colleague

1. Friggin' good job; it looks like you got them. Your latest log is clean :)


2.

I did as you said, "replace on reboot", but when I selected that option, nothing at all seemed to happen after I clicked the button.

That's normal. Nothing visible does happen; Killbox just silently whacks the files when you reboot the computer.


3. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suicidegirls.com/

Suicidegirls, eh? Erm, yeah... nooooooooo comment. :mrgreen:

DMR 152 Wombat At Large Team Colleague

You're welcome :)

By the way, would you give me some tips to make Kazaa safe?

You probably knew this was coming, but...

Don't use it.

Seriously- filesharing/P2P networks as a whole are, unfortunately, great conduits for the delivery of malicious programs; by not using them, you avoid that risk altogether. If you do choose to use them, your only real recourse is to protect your system as much as possible. This thread has several useful suggestions on how you can accomplish that.

DMR 152 Wombat At Large Team Colleague

Good work- your latest log is clean :)

Does everything seem to be functioning correctly now?

DMR 152 Wombat At Large Team Colleague

Thanks for the follow-up, flipboi15 :)

DMR 152 Wombat At Large Team Colleague

Perfect; thanks!

Please do the following:

1. Download the Pocket Killbox utility into its own new folder. Don't run the program yet, though.


2. Run HijackThis again, put a check in the box to the left of the following entries, and then click the "Fix Checked" button. Close HJT after it completes the fixes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll


3. Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\system32\sndmix.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click No at the request to actually reboot.

- Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\secure32.html
C:\WINDOWS\system32\paytime.exe
C:\winstall.exe

- In the Killbox, go to the File menu, and choose "Paste from Clipboard".

- Select the "Delete on …

DMR 152 Wombat At Large Team Colleague

Well, I tried all that and it seemed to work

Unfortunately, it didn't work; your latest HJT log indicates that almost all of the "nasties" are still present. Are you sure you followed all of my suggestions properly?

:o Actually, if you really did follow everything I suggested, you would have deleted the HijackThis program, because I missed something in your first log that needs to be dealt with before anything else:

C:\DOCUME~1\LARRYC~1\LOCALS~1\Temp\Rar$EX00.766\hijackthis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HijackThis outside of any Temp/Temporary folders and move HJT there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders (which I did ask you to do in my last post). Given that, if HijackThis and/or other data that you care about is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

There is one file in your log that I'd like to get more information on if possible please; it looks suspect to me:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select …

DMR 152 Wombat At Large Team Colleague

I'm assuming that full system scans with your McAfee, ewido, etc. turn up nothing which would account for the problem, right?

I disabled the Enable Third-Party Browser Extensions from the IE Tools, Internet Options, Advanced tab... and the problem stopped

Although they're legitimate, you do have quite a few IE add-ons loading; one of those could be corrupted or causing a problem in some other way. You might want to see if you can pinpoint a culprit by disabling the extensions one at a time. IE doesn't offer this functionality itself, but you can do it with the handy (and free) Toolbarcop utility.

how do I fix the ProtocolDefaults?

Fixing them with HijackThis will set them back to their correct, default value- just put a check mark next to each entry and then click "Fix Checked".

Again... Thanks for the help.... :-)

You're welcome; glad we could help :)

DMR 152 Wombat At Large Team Colleague

I'd suggest installing the free SpywareBlaster utility; it blocks known "bad" addresses/domains, including abcsearch. A short tutorial on installing and updating SpywareBlaster can be found here.

Also- you should try running AdAware and SpyBot in Safe Mode if you haven't already; they might be able to find/fix more "nasties" that way:

- Before booting into Safe Mode, open SpyBot and AdAware and use each program's online update feature to make sure that you have the absolutely most current spyware definition databases installed. Do not run scans yet, just close each program when it finishes installing its updates.

- Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Run both utilities (the order doesn't matter) and have each program fix everything it finds.

- Reboot normally.

DMR 152 Wombat At Large Team Colleague

Wait for somebody to come along that can read HJT logs. Like DMR :)

Aww- I'm flattered... :o :mrgreen:


Hi presmmbb,

1. The IP address that your computer is accessing is within a block of IPs (216.143.70.0 - 216.143.71.255) associated with McAfee. Since you do have McAfee's Internet Security package installed, my bet would be that the TCP connection is being established by that software.


2. Can you explain IE's CPU usage in more detail please? IE definitely does hit the CPU pretty heavily when it first starts up (I get up to an 80% CPU usage spike), but there shouldn't be much of a sustained load on the CPU after IE settles down.


3. When you say "hijacked", are you just referring to the IP address issue mentioned above, or are you also experiencing true hijacks (being redirected to unwanted sites/pages)? The reason I ask is that I see no indications of malicious infections in your HJT log.


4. There are, however, a few irregular entries in the log, which you should fix unless you (or one of your legitimate programs) specifically made the modifications:

O15 - Trusted Zone: www.macromedia.com
O15 - Trusted Zone: www.slickdeals.net
O15 - Trusted Zone: http://www.windows.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol …

DMR 152 Wombat At Large Team Colleague

Glad it turned out to be an easy fix for you :)

DMR 152 Wombat At Large Team Colleague

1. The following information in your HijackThis log's header indicates that you are very behind in your Windows and Internet Explorer updates:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Please use the Windows Update feature to download and install the most current updates for your system; many of the updates fix security holes and bugs through which spyware and viruses can infect your system. I wouldn't suggest upgrading to Service Pack 2 until your system is infection-free, but you should at least get Service Pack 1 and all of the most current related updates.

When properly updated, the information in your HJT log header should read as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


2. Please give us any and all specific information that Norton gives you concerning the names and locations of the infected files it is finding.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MicroSoft Media Tools" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


4. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - …

DMR 152 Wombat At Large Team Colleague

Hrm, that didn't work as well as it should have...

Let's try this:

1. Download the 14-day trial version of Webroot's Spy Sweeper. When you install it, just choose the "Typical" option, follow the prompts, and then run the program.

- Click on "Options" and then click on "Update Definitions" under the Program Options tab.

- Under the Sweep Options tab, select ALL options under 'What to Sweep'.

-Click the "Sweep" icon and then "Start" to begin scanning.

- When the scan completes, click Next to automatically quarantine all detected items.

- Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.


2. Run HijackThis again and have it fix the following entry if still present:

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\n2l80c3uef.dll


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files if still present:
C:\WINDOWS\system32\n2l80c3uef.dll
C:\WINDOWS\system32\iieshare.dll
C:\WINDOWS\system32\m2820cloefqc0.dll
C:\WINDOWS\system32\f00olad31d0.dll

- Empty your Recycle Bin and reboot normally.


4. Run HijackThis again and post the new log. Also post …

DMR 152 Wombat At Large Team Colleague

Hi Lartones, welcome to DaniWeb :)


Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans. Some of these scanners have "auto clean" scan options; make sure to choose that option if it exists.

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Run HijackThis and have it fix the following entries. Some of these may have been cleaned by the above scans; fix all that still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [Windows Spooler Services] spool.exe
O4 - HKLM\..\RunServices: [Windows Spooler Services] spool.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe


3. Download and install the following (free) detection and removal tools. Open each program and use its online update function …

DMR 152 Wombat At Large Team Colleague

I think that's supposed to say related?

Indeed it should. Hmm... I guess Dani's dog ate her spellchecker. :mrgreen:

DMR 152 Wombat At Large Team Colleague

It keeps on giving me an error saying illegal key... Please let me know if there is a way around it

Hi johnabraham747,

Unfortunately, discussion of issues involving illegal software violates our site rules. If your copy of Windows is truly "pirated", I'm afraid we can't help you with "a way around it".

DMR 152 Wombat At Large Team Colleague

Post when you can, we'll be here :)

DMR 152 Wombat At Large Team Colleague

Your log shows signs of at least a few infections, but there's something you need to take care of before we begin the cleaning process:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. You need to create a folder for HJT outside of any Temp/Temporary folders and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


After moving HijackThis to a safe location, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download and install …

DMR 152 Wombat At Large Team Colleague

Flooded with spyware + others..

That would be an understatement. :eek:

Please do the following so that we can (hopefully) get most of the mess cleaned up:

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


2. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. Download and install these two utilities:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. If you receive a warning message saying "Database not found", just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS …

DMR 152 Wombat At Large Team Colleague

OK- L2MFix identified 3 "nasties":

dxgest.dll
f00olad31d0.dll
n2l80c3uef.dll

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

Please download the L2MFix.exe utility.

Save the file to your desktop and double-click "L2MFix.exe".
Click the "Install" button to extract the files and follow the prompts.
Open the newly added L2MFix folder on your desktop.
Double-click L2MFix.bat
Select option #1, "Run Find Log", by typing 1 and then pressing enter.
Notepad will open with the scan results after a minute or two. Please be patient as it will appear that nothing is happening during the scan.
Copy the contents of that log and paste it into your next post.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

Yes, try the BIOS settings. Also- look for newer versions of the drivers and try those if they exist. The drivers referenced on that site probably are out of date by now; I don't think the site was updated.

DMR 152 Wombat At Large Team Colleague

1.

I'm probably wrong ..

Nope, you're right- loss of date/time is the classic sign of a dead CMOS battery. It should be replaced.


2. For rundll32.exe, try extracting a fresh backup copy of the file from your Win 98SE CD or from the hard drive:

If you have a folder on your hard drive named C:\Windows\Options\Cabs:

Go to Start->Run, type SFC and click OK to start the program. Select the "Extract one file from installation disk" option, type Rundll32.exe and click on Start. Select the C:\Windows\Options\Cabs folder as the source, and C:\Windows as the target (Save in).


If you do not have a folder on your hard drive named C:\Windows\Options\Cabs, but you have the Win 98SE install CD:

Go to Start->Run, type SFC and click OK to start the program. Select the "Extract one file from installation disk" option, type Rundll32.exe and click on Start. Select the Win98\Win98_46.cab folder on the installation CD as the source, and C:\Windows as the target (Save in).

DMR 152 Wombat At Large Team Colleague

Hi Sienna,

First of all- welcome to DaniWeb!

We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need. Given that, you should start your own thread and post your question there.

Before you start a new thread in this particular forum though, you should have a read through this thread in our "Viruses, Spyware, and other Nasties" forum and try some of the virus and spyware removal programs/procedures described there. The reason I suggest this is that on a Windows 2000 or XP system, the legit "svchost.exe" file lives in the C:\WINDOWS\System32 folder, not the C:\WINDOWS folder. The presence of a file named svchost.exe in your C:\WINDOWS folder is usually an indication that you have a malicious infection.
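A small check for the two location points raised in these posts (a legit svchost.exe belongs in System32, and HijackThis should never run from a Temp folder), as an added example that is not part of the original posts: it reads a HijackThis-style "Running processes" list and flags both conditions. The sample log, the allowlist of expected folders and the Temp-path markers are constructed assumptions for illustration.

```python
import ntpath

# Constructed sample in the style of a HijackThis "Running processes:" section.
# These paths are made up for illustration, not taken from any real log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Java\jre\bin\jusched.exe
C:\DOCUME~1\USER\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
"""

# Assumed allowlist: where core Windows 2000/XP binaries legitimately live.
# Extend this for other binaries you want to keep an eye on.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\winnt\system32"},
}

# Substrings that mark a path as living in a Temp/Temporary folder.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temporary")


def running_processes(log_text):
    """Return the full paths listed under a 'Running processes:' heading."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():  # blank line ends the section
                break
            paths.append(line.strip())
    return paths


def misplaced_system_binaries(paths):
    """Flag well-known system binaries running from outside their expected folder."""
    findings = []
    for p in paths:
        folder, name = ntpath.split(p)
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and folder.lower() not in expected:
            findings.append(p)
    return findings


def tools_in_temp(paths):
    """Flag anything running from a Temp folder (e.g. HijackThis unpacked in Temp)."""
    return [p for p in paths if any(m in p.lower() for m in TEMP_MARKERS)]
```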

DMR 152 Wombat At Large Team Colleague

Thanks man, I haven't seen that site and didn't see anything too helpful.

So you tried the suggestions under the "What can we do???" section but nothing helped?

DMR 152 Wombat At Large Team Colleague

Your log is clean, and a general rundll32.exe problem like that isn't usually due to malicious infections anyway.

Can you give us a bit more background on the problem please (when it started occurring, whether or not you made any software changes just prior to the start of the problem, etc.)? Also- give us the full and exact text of the error you receive.

DMR 152 Wombat At Large Team Colleague

DMR,

Is it possible that it was the very same router that affected my service through two different providers?

Possible? I suppose. Likely? No.

DMR 152 Wombat At Large Team Colleague

Hi Bomba,

Very basically, routers are devices that are used to connect two different networks together; allowing computers on one network to communicate with computers on other networks. Without routers, computers on any given network can normally only communicate with other computers on that network.

It's like dialing telephone numbers- without dialing an area code, you can only connect to other numbers in your local calling area. Think of that local calling area as your local network.

To communicate with people who live outside of your local network, you have to dial an area code (or country code, for that matter) to reach them. When the phone company's system sees that you've included an area code in the number you've dialed, it knows to send your call through a certain piece of equipment which will lead outside of your local network to the specific area where the number you are trying to reach is located. For computer communications, IP addresses are the equivalent of phone numbers, and routers are (one of) the devices used to connect "calls" to their proper destination.

You can find routers in use in many places: ISPs have huge routers in their networks to connect all of their customers to the Internet. Businesses have routers in their networks to connect all of the company computers together, and also to allow those computers to connect to the Internet or other external networks. Small offices or homes with multiple computers will also have small …

DMR 152 Wombat At Large Team Colleague

minidump contents won't help me, as I don't have the tools to analyse them. The problem you're having is definitely a well-documented bugger though, and I haven't seen anything to indicate that it's truly been dealt with yet by MS or NVidia.

I don't know if it will help (or if you've seen this before), but this site has some suggestions and workarounds:

http://members.home.nl/marf/Infinite%20Loop.html

tayspen commented: Very Helpful, thanks :) +1