DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in almost one year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Hi Daradus,

First of all- welcome to the site. :)


1. The standard fix for the Aurora infection can be found here.


2. In terms of general detection and cleaning, have a read through the suggestions in this thread.


3. If you need specific help from us after following the suggestions in the above links, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Nothing in your log stands out as an obvious suspect. If you haven't already, entirely disable your firewall software; that's the first step to take when troubleshooting what appear to be global/cross-browser connection problems.

DMR 152 Wombat At Large Team Colleague

Glad we could help; feel free to ask us if you have any further questions. :)

DMR 152 Wombat At Large Team Colleague

1.

I followed all instructions and that seemed to solve my problem.

Just so that we can be sure that you're really free of infections now, can you please run HijackThis again and post the new log for us?


2.

But now, some of the web pages are coming up blank. What can be done about that?

Please give us more specifics as to what exact pages you're having problems accessing. Having that info could help us solve the problem most quickly.

DMR 152 Wombat At Large Team Colleague

Congratulations- your latest HJT log is clean. :)

Also I had my Windows set up to automatically download updates but when I went to update manually it told me my Windows wasn't licensed. This comp was built for me and I think they used a pirated version of XP.

Quite possible.

So do i need to go buy one or what?

Yes.

Or should I complain to the guy who built the pc for me.

That won't do you much good; the guy probably knew what he was (wrongly) doing, so I doubt confronting him will get you very far.

I think he does it on the side for extra cash so I'm probably screwed. Just buy one I guess.

Yes, and yes.

DMR 152 Wombat At Large Team Colleague

Do you know of any useful links?

If you mean links for info on Firefox, I'd suggest checking out the resources on their site.

Can you run firefox and ie on the same comp?

Of course; you can install and run as many web browsing programs as you want. Actually, even if you do choose to use Firefox as your primary browser, you'll still need to use IE to get updates from Microsoft; MS (unfortunately) doesn't let you do that with browsers other than IE.


In terms of your latest HJT log- it looks much better, but there are still a few leftovers to clean up. Please do the following:


1. Run another HJT scan and have it fix these entries:

O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c3.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c..._ap1001_sp2.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll

2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".


* Locate and delete the following files:

C:\WINDOWS\system32\stb.exe
C:\WINDOWS\system32\qlink32.dll


* Empty your Recycle Bin.


3. Reboot …

DMR 152 Wombat At Large Team Colleague

Unfortunately, your system is fairly infected; please do the following:

You will need to disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
(If you initially receive a warning message from ewido saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run the full system scan.)

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

DMR 152 Wombat At Large Team Colleague

Hi CrosbyBrownlie,

First of all- welcome to our site. :)

Your log definitely does indicate infections, but it also looks incomplete to me. On an XP computer, there should be much more information beyond the "O4 - HKLM...." entries at the end of log you posted. Please do the following:

Run HijackThis again, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log into your next post here.

DMR 152 Wombat At Large Team Colleague

Thank you again. I had made a copy of the thread and read over it.

:O) It's good to know that there are people here that are willing to help us, that get into trouble. I do appreciate all the help.

Thanks for that, and we're glad we could help.. :)

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in almost 1 year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Well, you dared me...

Yeah; I'm just a sucker for a good challenge. :cheesy:

OK-

There are still a couple of unwanted entries in your HJT log. Please do the following:

1. Run a HJT scan and have it fix the following two entries:

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Locate and delete the c:\eied_s7.cab file, and then empty your Recycle Bin.


3. Download and run the free trial version of the ewido Security Suite utility; it should detect and clean up any hidden loose ends left behind by the infections you had. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates.


4. Reboot after ewido finishes its scan, run HJT again, and post the new HJT log as well as the scan report log that ewido generated.


5. For the IE browsing problems:

* Download and run the IEFix utility. I've seen it …

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in over 1 year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Great; glad we could help. :)

Now that your computer is clean, you might want to have a look at this thread for some good suggestions on how you can protect yourself from future infections.

DMR 152 Wombat At Large Team Colleague

Short and oh so sweet. :)

Glad we could help. :)

Does everything seem to working properly now? If so, please let us know so that we can mark this thread as "Solved".

Thanks.

DMR 152 Wombat At Large Team Colleague

Your latest log is clean. :)

DMR 152 Wombat At Large Team Colleague

All looks good now. Are you still experiencing pop-ups or any other problems, or do things appear to be running properly now?

DMR 152 Wombat At Large Team Colleague

Just as I was getting into your post DMZ, I found that you still haven't posted your second half of it (about wireless security). I know it's been a long time now but enough for you to post it, right?

Sorry- too many "real-life" issues that I've needed to deal with have happened since my last post; due to those, I just haven't had the time to do the write-up I promised. I definitely do want to post the rest of the info, but quite honestly that falls fairly low on my list of online and offline priorities right now.

DMR 152 Wombat At Large Team Colleague

OK I hope this is right.

Yes- you got it right this time. :)

Your log indicates more than a few infections; please do the following:


You will need to disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/

* When you first run ewido, you may receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates.

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy -

DMR 152 Wombat At Large Team Colleague

@DMR, thank you very much, for your help:D

You're welcome swatkat, and thanks for having a look at that thread I was having trouble with. :)

arcangel_1231,

For the benefit of other members who might encounter similar problems, can you please tell us which of our suggestions finally helped to solve your problem?

Also, please do follow up on swatkat's previously-posted suggestions and let us know the results so that we can be sure that your system is really clean.

Thanks.

DMR 152 Wombat At Large Team Colleague

Please do the following:

1. Download ewido Security Suite and install it, and then open the program. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates.


2. Reboot after the scan completes.


3. Run another HijackThis scan, post the new log, and also post the ewido log.

DMR 152 Wombat At Large Team Colleague

Hi Technoob,

Please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Wow - looks like this thread helped a lot of people!...glad it helped so many!

And so are we, antioed; thanks for the info. :)

Due to the fact that the member who originally started this thread has not responded in quite a long time, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Sorry you had to resort to that, but now that you have a clean system, you should follow the suggestions in the threads dlh6213 linked to above. They'll help protect your computer from getting infected in the future.

DMR 152 Wombat At Large Team Colleague

There are only a few minor things in your log. Please do the following:

1. Uninstall WeatherBug via your Add/Remove Programs control panel (if you see it listed there).


2. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "mmkehxwmrvqx" or "tppjugkh6" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


3. Run HJT again and have it fix:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {57C95EA7-A4A2-09BC-9661-94B198CADCBF} - (no file)
O2 - BHO: (no name) - {84F778A7-12FF-B0E8-F149-8670D8E1A681} - (no file)
O2 - BHO: (no name) - {DC902912-931B-5CCD-6774-0E5F378CFB89} - (no file)
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O23 - Service: mmkehxwmrvqx (tppjugkh6) - Unknown owner - C:\WINDOWS\System32\vounzgau6.exe (file missing)


4. Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

tppjugkh6


5. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show …

DMR 152 Wombat At Large Team Colleague

I'm out of ideas on removing those remaining infected files, so I've asked a couple of our other troubleshooters to have a look at this thread. Hopefully they'll have a suggestion or two.

DMR 152 Wombat At Large Team Colleague

1. See if the information in this Microsoft article helps you fix the SFC error; it would be good to see if we can get you to a point where you can run the SFC scan.

2. Is it possible that you got the wrong version of the wininet.dll file?

Also, the following might help:

* Click on the "Run..." option under your Start menu and type the following in the resulting "Open:" box:

regsvr32 c:\windows\system32\wininet.dll

Reboot and see if the problem persists.

DMR 152 Wombat At Large Team Colleague

1. Uninstall MyWebSearch via your Add/Remove Programs control panel. If the program isn't listed in the control panel, manual removal instructions can be found here.

2. Download ewido Security Suite and install it, and then open the program. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates. Reboot after the scan completes.

3. Run another HijackThis scan, post the new log, and also post the ewido log.

DMR 152 Wombat At Large Team Colleague

1. Uninstall WeatherBug via your Add/Remove Programs control panel. WeatherBug contains adware/spyware.

2. The fix for AdBlaster is posted on Norton/Symantec's support site; give it a try:

http://securityresponse.symantec.com/avcenter/venc/data/adware.adblaster.html

DMR 152 Wombat At Large Team Colleague

Try the hackroot.toolkit removal procedures posted at Trend Micro's support site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FROOTKIT%2EK&VSect=Sn

DMR 152 Wombat At Large Team Colleague

You've got a lot more than the Winfixer problem going on there. :(

Please perform the following general cleaning procedures:

You will need to disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

DMR 152 Wombat At Large Team Colleague

At this point you should really get the most current Windows updates installed as I suggested in my previous post. Also, you can find more suggestions for protecting your system from future infections in this thread.

DMR 152 Wombat At Large Team Colleague

1. Uninstall the MyWebSearch program via your Add/Remove Programs control panel.


2. Close all open/running programs, run HJT again, put a check to the left of the following entry, and then click the "Fix Checked" button:

O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those …

DMR 152 Wombat At Large Team Colleague

1. Please give us any specifics that Norton reports, such as the names and locations of the infected files.

2. Download Ewido Security Suite and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process, run a full system scan. Save the scan report that ewido generates.

3. Reboot and run HijackThis again. Post the new HJT log, as well as the ewido log.

DMR 152 Wombat At Large Team Colleague

Hey switty- welcome; glad you like the site. :)

DMR 152 Wombat At Large Team Colleague

Hi jesskorb, welcome to the site! :)

We deal with virus problems and the like in our Viruses, Spyware, and other Nasties forum, so here's what you need to do:

1. Read this post for instructions on how to download and use the HijackThis utility.

2. Follow the specific Aurora removal instructions in this thread.

3. Post your results in a new thread in the Viruses, Spyware, and other Nasties forum. Don't post the results here, as this particular forum is just a place for new members to introduce themselves; we don't work on technical problems here.

One of us will follow up on your new thread once you post it.

DMR 152 Wombat At Large Team Colleague

1. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

B) Run HijackThis again, do another scan, and put a check in the box to the left of the O23 - Service: Remote Packet Capture Protocol v.0 entry, and then click "Fix Checked".

C) Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

rpcapd

2. Download and run the Pocket Killbox utility.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\system32\CxdLineExt03.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click No at the request to actually reboot.

- In the "Full …

DMR 152 Wombat At Large Team Colleague

Hi AFPD26,

Your log definitely shows signs of a few different infections. Please do the following:

1. Download and run these specific about:blank/Home Search/etc. removal tools and post a new HJT log once you've done that (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search …

DMR 152 Wombat At Large Team Colleague

Hi ouch,

You've posted the wrong information from HijackThis, and you're also using a very old version of HijackThis. Please do the following:

Download the latest version of HijackThis:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Also, your log indicates that you are very behind on your Windows and Internet Explorer updates. Once we're sure that your system is totally clean of infections, you should at least install Service Pack 1 and all of the most current updates for that version, or install Service Pack 2.

You should also have a look at the following thread for information on things you can do to protect your computer from future infections:

http://www.daniweb.com/techtalkforums/thread27519.html

DMR 152 Wombat At Large Team Colleague

1. A) Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MSUpdate" or "Microsoft Update Service for 2005" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


2. Run HijackThis again, do another scan, put a check in the box to the left of the following entries, and then click "Fix Checked":

O4 - HKLM\..\Run: [Media Gateway] C:\PROGRA~1\MEDIAG~1\MEDIAG~1.EXE
O4 - HKLM\..\Run: [angeleyes] C:\Program Files\iSOad\msdll.exe

O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe


3. Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

Microsoft Update Service for 2005


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected …

DMR 152 Wombat At Large Team Colleague

Glad we could help you get things cleaned up. :)

The rating/reputation button is the one at the top right of each post with the icon of a scale on it. But I'm not too fussed about my rep; I know I'm good :mrgreen:

Now that we've gotten rid of the nasties, check out this thread for some good suggestions as to how to protect your system from future infections.

DMR 152 Wombat At Large Team Colleague

1. Run HijackThis again, put a check in the boxes next to the following entries, and then click "Fix Checked": (Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT2\System32\System32.exe
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT2\System32\CtxPopup.dll
O2 - BHO: (no name) - {74229664-DE88-3CCE-2C24-260883A74E04} - C:\WINNT2\system32\CV6g61e0.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT2\system32\dcom_9.dll


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

C:\WINNT2\System32\System32.exe
C:\WINNT2\System32\CtxPopup.dll
C:\WINNT2\system32\CV6g61e0.dll
C:\WINNT2\system32\dcom_9.dll

(And why do you have a C:\WINNT2 folder? That is not normal.)

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along …

DMR 152 Wombat At Large Team Colleague

Sorry for the delayed response; "real life" has kept me away from the forums for a few days.

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.

1. Download and install the latest updates for ewido, Spybot, Ad Aware, and MS Antispyware. Don't run scans with the programs, just make sure they're all updated.


2. Run HJT again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\guard.tmp


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following …
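
The HJT entries the posts above single out for fixing (the O4/O16/O18 lines in the stb.exe post, the O23 services with "Unknown owner" and a missing binary, the F2 Shell= and O21 SSODL lines in the WINNT2 post, and the about:blank R0/R1 lines, missing URLSearchHook and .tmp Winlogon Notify DLL just above) share a handful of structural tells. The Python below is an added example, not code from the thread or from HijackThis itself; it encodes those tells as rules and runs them over a sample log assembled from entries quoted in the thread. The trusted-host list, the "normal" SSODL DLL list, the Windows-root paths and every rule are assumptions made for illustration, not a signature set: an entry such as stb.exe in system32 is only recognisable with malware knowledge these rules do not have, so the output is a worklist for a human, not a verdict.

```python
"""
Heuristic triage of HijackThis (HJT) log lines.

Added example for this page; not code from the thread or from HijackThis.
Rules (all assumptions for illustration):
  - "(no file)" / "(file missing)"      -> orphaned entry
  - O23 "Unknown owner" or binary in C:\WINDOWS root
  - F2 Shell= anything besides Explorer.exe
  - R0/R1 ending in "= about:blank", R3 URLSearchHook missing
  - O16 DPF from file:// or a non-Microsoft host
  - O18 MIME filter on text/html
  - O20 Winlogon Notify DLL ending in .tmp
  - O21 SSODL DLL outside the usual shell DLLs
  - O4 RunDLL32 of a DLL via the search path or Windows root, or an .exe
    sitting directly in the Windows root
"""
import re
from dataclasses import dataclass, field

WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")                  # assumption: XP-era install paths
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")  # assumption: hosts allowed to push ActiveX
SSODL_OK = ("shell32.dll", "webcheck.dll", "stobject.dll")  # assumption: normal XP SSODL DLLs
# A drive-letter path ending in .exe/.dll, or a bare DLL name resolved via the search path.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll)|\b[\w~]+\.dll\b', re.I)
ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d+) - ")


@dataclass
class Finding:
    kind: str                                    # HJT section prefix, e.g. "O23"
    line: str                                    # the log line as written
    reasons: list = field(default_factory=list)  # why it was flagged (empty = clean)


def _in_windows_root(path: str) -> bool:
    """True if the file sits directly in C:\\WINDOWS or C:\\WINNT, not a subfolder."""
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return parent in WINDOWS_ROOTS


def _trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def classify(line: str) -> Finding:
    """Apply every rule to one HJT line and return the reasons it tripped."""
    line = line.strip()
    low = line.lower()
    kind = line.split(" - ", 1)[0]
    f = Finding(kind, line)
    tail = line.rsplit(" - ", 1)[-1].strip()     # last field: path, URL or "(no file)"

    if "(file missing)" in low or "(no file)" in low:
        f.reasons.append("orphaned entry: the referenced file is gone")
    if kind == "O23":
        if "unknown owner" in low:
            f.reasons.append("service with no registered owner")
        paths = PATH_RE.findall(tail)
        if paths and _in_windows_root(paths[0]):
            f.reasons.append("service binary placed directly in the Windows root")
    if kind == "F2" and "shell=" in low:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            f.reasons.append(f"Winlogon shell replaced with: {shell}")
    if kind in ("R0", "R1") and low.endswith("= about:blank"):
        f.reasons.append("about:blank search/start page hijack")
    if kind == "R3" and "urlsearchhook is missing" in low:
        f.reasons.append("default URLSearchHook removed")
    if kind == "O16":
        if tail.lower().startswith("file://"):
            f.reasons.append("ActiveX (DPF) install from a local file:// path")
        else:
            host = re.sub(r"^https?://", "", tail, flags=re.I).split("/", 1)[0].lower()
            if not _trusted_host(host):
                f.reasons.append(f"ActiveX (DPF) install from untrusted host {host}")
    if kind == "O18" and "text/html" in low:
        f.reasons.append("MIME filter on text/html sees every page IE renders")
    if kind == "O20" and low.endswith(".tmp"):
        f.reasons.append("Winlogon Notify DLL with a .tmp extension")
    if kind == "O21" and tail.rsplit("\\", 1)[-1].lower() not in SSODL_OK:
        f.reasons.append("ShellServiceObjectDelayLoad DLL outside the usual set")
    if kind == "O4":
        cmd = line.split("]", 1)[1] if "]" in line else line   # text after "[name]"
        paths = PATH_RE.findall(cmd)
        if "rundll32" in low:
            dlls = [p for p in paths if p.lower().endswith(".dll")]
            if dlls and ("\\" not in dlls[0] or _in_windows_root(dlls[0])):
                f.reasons.append(f"RunDLL32 loads {dlls[0]} via the search path or Windows root")
        elif paths and _in_windows_root(paths[0]):
            f.reasons.append(f"auto-run binary placed directly in the Windows root: {paths[0]}")
    return f


def triage(log_text: str) -> list:
    """Return only the entries that tripped at least one rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if ENTRY_RE.match(raw.strip()):           # skip headers and the process list
            f = classify(raw)
            if f.reasons:
                findings.append(f)
    return findings


# Constructed sample: entries quoted in the posts above, plus one benign
# QuickTime auto-run from the same thread that must not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT2\System32\System32.exe
O2 - BHO: (no name) - {57C95EA7-A4A2-09BC-9661-94B198CADCBF} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\guard.tmp
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_9.dll
O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {'; '.join(f.reasons)}")
        print(f"     {f.line}")
```

Run it on a saved HJT log by passing the file contents to `triage()`. The rules deliberately key on structure (missing files, owner-less services, a second program appended to Shell=, code loaded from the Windows root or the DLL search path) rather than on file names, because names are the cheapest thing for adware to change; a clean run therefore means "nothing structurally odd", not "clean", which is exactly why the posts above still ask for a fresh log after every fix.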

DMR 152 Wombat At Large Team Colleague

All is well. Problem solved. 4 days and no evidence of the virus.

Very good. :)

Have a read through this thread for a number of good suggestions on things you can do to better protect your system from future infections.

DMR 152 Wombat At Large Team Colleague

"supersub.dll" is an AOL component, and the associated " ...C0000005 occurred in module msxml3.dll" error is also known to be caused by problems with AOL components. I'd suggest uninstalling AOL and reinstalling it from scratch.

DMR 152 Wombat At Large Team Colleague

Actually, your log isn't entirely clean. Please try some of the suggestions given in this thread and post a new HJT log after that.

DMR 152 Wombat At Large Team Colleague

All looks good; your latest log is clean. :)

DMR 152 Wombat At Large Team Colleague

OK, but as I asked in my last post- what exact problems are you experiencing? I don't see anything obviously suspicious in your HijackThis log.

DMR 152 Wombat At Large Team Colleague

First of all, can you please give us specific information on which router settings you were "playing around with". Since you indicated that your problems seemed to have started after that, having that info could be helpful.