DMR 152 Wombat At Large Team Colleague

...are you the facilitator?

Hi heritagetrails,

If you're asking about our site's administrator, that would be Dani (Danielle); her member name here is cscgal. :)

DMR 152 Wombat At Large Team Colleague

same problem yesterday, I ran microsoft antispyware it got rid of it.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Unfortunately, MS Antispyware does not get rid of the Aurora infection entirely. It does relieve some of the visible symptoms of the infection, but components of the infection will remain on your computer.


amandam,

Your log indicates more than the Aurora infection. Please do the following to get rid of as many of those infections as possible before we move on to the specific Aurora fix:


You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & …

DMR 152 Wombat At Large Team Colleague

I don't see anything bad in the log either.

Given that, I'd suggest going through the following general virus/spyware removal procedures to see if malicious infections really are part of the problem:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Run at least three of the following online anti-virus/anti-spyware scans. Set their "auto clean" options if applicable, and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select …

DMR 152 Wombat At Large Team Colleague

Directory of C:\Documents and Settings\Xaminor

File not Found

The above entry indicates that you were in the C:\Documents and Settings\Xaminor directory, not the C:\Documents and Settings\Xaminor\Desktop directory. Read and follow the directions in my last post again carefully.

DMR 152 Wombat At Large Team Colleague

Any other thoughts?

Yes, and hopefully they work.

One of our other members (thanks crunchie!) sent me these specific removal instructions early today:


* Download Killbox by Option^Explicit:
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.

*In the killbox program, select the Delete on Reboot option.

*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\sysmon32.exe
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Pending Operations prompt.

* While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items. Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
C:\WINDOWS\System32\msdirectx.sys


* Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

* Double-click the file you made and confirm you want to merge it with the registry.


* Reboot once more and post a new log.

DMR 152 Wombat At Large Team Colleague

As of right now my laptop does not detect a network though everything seems fine. I'm a newb when it comes to networking (obviously) perhaps you could give me a list of troubleshooting tips to look over?

That list could be rather long, as there are a number of issues involved.

I've just finished work for the day and need to follow up on a few other things here before I start dinner, so I can't post specific suggestions right now. I will try to do that tomorrow.

Perhaps this has something to do with the fact that I'm using a satellite-based ISP? I've generally noticed that the satellite connection receives at a high rate but transmits at a low one, but I think this is the norm with satellite-based internet.

You're right about the difference in up/down speeds with satellite; uplink speed can be as little as 1/10th of the downlink speed. That might not be the problem with your Vonage connection though, but since I've only set up a few Vonage connections and none have been on satellite service, I don't really have any suggestions on that right now.

DMR 152 Wombat At Large Team Colleague

Sorry, and Thanks, I will

And I see that you have now. Thanks. :)

DMR 152 Wombat At Large Team Colleague

You're welcome. Glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Good work on your part- your latest log is very clean. :)

Are you still seeing any symptoms of infections? If so, give us some specific info on that.

DMR 152 Wombat At Large Team Colleague

Hi kavos1234,

First of all- don't worry about being new to the whole "online support" thing, or being new to our site in particular. We'll answer any questions that you have, and will do our best to get your system clean.

There's one thing you need to take care of before we begin though:

C:\Documents and Settings\calvin\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

Good job- that's a totally clean log now. :)

If the fix really worked, you should now be able to set your IE Start Page to whatever you want (the "hsremove.com" entry is obviously just left over from running the HSRemove utility).

Let us know if you're still experiencing any problems or if things seem to be working correctly now.

DMR 152 Wombat At Large Team Colleague

Give us the exact make and model # of your motherboard. If you can give us that information we should be able to determine if your motherboard has built-in temperature sensing and if so, which utilities will work with that motherboard.

DMR 152 Wombat At Large Team Colleague

1.

Are there any utilities knocking about to tell me how hot everything is down there and at what point the fans kick in etc???

There are, but the ability to use them depends on whether or not your motherboard has temperature-sensing circuitry built into it; the software temperature monitors need physical "thermometers" to get their reading from.


2. In terms of the fans- some are just noisier than others, even if they're brand new. However, if you've noticed an increase in their noise, I'd look at replacing them. The noise increase usually means that the bearings or other mechanical parts are getting worn, and if that's the case, the fans will obviously fail entirely at some point.


3. In terms of your log, I see no indications of currently-active infections, although there are some entries that are leftovers of previous infections and possibly incomplete uninstallations of legit programs.

Run HJT again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - (no file)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: (no name) - {E6B48BC7-4EA9-4643-A4B3-BB7C4F69287A} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

DMR 152 Wombat At Large Team Colleague

Did the filesystem check(s) report anything in terms of errors?

Try this:

Reboot the computer into "Safe Mode with Command Prompt". You get to that boot option by hitting the F8 key just as the system is starting up. You must hit F8 before the Windows startup/logo screen appears, so it's a good idea to just start repeatedly tapping F8 when the computer begins to reboot.

Once at the command prompt:

- Type the following command and hit Enter to get in to your Desktop directory:

cd C:\Documents and Settings\Xaminor\Desktop

- Once in the desktop directory, run this command to see if the system recognizes the file:

dir /a ca58*

- If that returns a listing for the CA5803DL file, type:

attrib -h -r -s ca5803dl

- after that, try to delete the file with this command:

del ca5803dl


Let us know if that works or not.

DMR 152 Wombat At Large Team Colleague

Do me a favor please:

Download the free trial version of the TDS-3 trojan detection utility. Run the program, and post the log it generates. There are pieces of the infections you have that are hiding in areas that HijackThis doesn't probe, and there's a good chance that the TDS scan can identify the hidden elements.

DMR 152 Wombat At Large Team Colleague

There are only a few "loose ends" in your log, but nothing that looks like it would account for the problem. However- You are running a very old version (1.97.7) of HijackThis. Please download the latest version (1.99.1) from the link in my sig below and post the log the new version generates.

It may indeed be a hardware problem though- the fact that the computer needs to sit for a while before it can be restarted is a good indication that you have thermal/overheating issues.

I'd suggest opening the computer's case and:

- Thoroughly blow/vacuum out all dust, dirt, etc. Pay special attention to the power supply assembly; a lot of debris can build up in there and cause the supply to fail or shutdown due to overheating.

- Make sure that all of your fans are rotating properly and freely.

- Make sure that all cards, connectors, RAM modules, etc. are firmly seated in their sockets.

- Examine the motherboard and all other components for visual signs of thermal damage. Also- have a good sniff around with your nose. Thermally-damaged components will often show no visible outward signs of the damage, but you can often identify such a component by that lovely "fried silicon" smell.

DMR 152 Wombat At Large Team Colleague

... I found it funny that it was 0 KB as well.

Yeah- that's one of the clues that something isn't right with the file or its entry in your Master File Table.

Also, is there anyway to remove programs from my "Add Remove Programs" when they are already uninstalled?

Yes, as a matter of fact there is. It's a Registry edit, and the instructions from Microsoft can be found here.

DMR 152 Wombat At Large Team Colleague

Very good; you're welcome. :)

Can you please post one final HijackThis log so that we can make absolutely sure that all signs of infections are really gone?

Thanks.

DMR 152 Wombat At Large Team Colleague

No problem concerning the time lag; we all have "real life" happenings that can keep us away from here.


1. Uninstall the WareOut program through your Add/Remove Programs control panel. WareOut is a bogus program; you can read more about it, and other disreputable "anti-spyware" programs at this site.


2. Run HJT and have it fix:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - URLSearchHook: (no name) - {D1AB6420-E125-3AA9-47D7-DE8FB557B8D0} - MsNetHelper.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O2 - BHO: Internet Explorer Hot Fix - {58D90D72-A99E-4D42-8307-62F86E1F8EDE} - C:\WINDOWS\System32\esmxe.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [qwe] slamm.exe
O4 - HKLM\..\Run: [zantu] avpmondll.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [zantu] …

DMR 152 Wombat At Large Team Colleague

Hi Maged,

First of all- welcome to TechTalk! :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Good, your log is cleaner now. You're right though- there are still a couple of "nasties" lurking there.

Can you please do the following so that we can find out exactly what Norton is finding and where the infected files live:

1. Open Norton and use the Live Update feature to make sure you have the absolutely most current virus definitions installed. Don't run a scan yet though; just close Norton after it finishes updating.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full system scan with Norton. Have Norton fix everything that it can.


3. While still in Safe Mode:

- Run HJT again and have it fix:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the xpjava.exe file.

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care …

DMR 152 Wombat At Large Team Colleague

Good- that's a much cleaner log. I only see one more item that needs to be cleaned.


1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run HijackThis and have it fix the following entry. Close HJT after it finishes the fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm

3. While still in Safe Mode:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
Close Explorer after that.

- Run the Killbox, click on the button with the folder icon on it, and search for the shdocsv.dll file in the resulting "Browse for file" window. When you find the file, highlight it and then click "OK".

- Select the "Replace on reboot", "Use Dummy" options, and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.

- Click YES at the request to reboot and let the computer reboot normally.


4. Run HJT again and post a new log.

DMR 152 Wombat At Large Team Colleague

why are you using dial up?

Probably because a lot of people still don't have a choice. :(

DMR 152 Wombat At Large Team Colleague

Which ping? The one by URL, the one by IP address, or both?

If only the ping by IP address worked, you most likely have a DNS problem, because DNS is responsible for translating the "www.somesite.com" URL into the actual IP address that the computer needs to have in order to contact the site.

If both pings worked, your problem lies elsewhere. Is it only certain sites that you're having trouble reaching, or does the problem occur randomly regardless of where you're surfing?

DMR 152 Wombat At Large Team Colleague

It looks like that cleaned up a lot, but unfortunately, there are still infections present in your latest HijackThis log. :(

I need to log off for the day very shortly, and I won't be back until tomorrow afternoon. In the mean time, can you please run the utilities I mentioned in my last post (ewido, Ad Aware, MS Antispyware, SpyBot) while booted into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) instead of running them while booted normally?

Post a new HJT log after doing the above.

DMR 152 Wombat At Large Team Colleague

Your English is fine, and your HJT log is much cleaner now. :)

The log does still indicate signs of an about:blank/sp.htm infection though.

1. Please download and run this removal utility.


2. After running the above utility, run HijackThis again and have it fix any of the following entries that still remain:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nvzcb.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {986EB30A-4B14-6249-1774-A75D9AEAC359} - C:\WINDOWS\system32\iehc.dll

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

C:\WINDOWS\nvzcb.dll
C:\WINDOWS\system32\iehc.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, …

DMR 152 Wombat At Large Team Colleague

Dial-up connections can be pretty prone to dropouts and interference from electrical noise on the phone line; you might have a problem in that area.

The next time that you find that you can't reach a site through your browser:

- Open an MS-DOS window: Go to the "Run..." option under your Start menu and type "command" (omit the quotes), and hit Enter.

- At the DOS prompt, type the following command and hit Enter:

ping www.google.com

If the ping works, it should return 4 positive responses and some summary information. If it fails, tell us the exact error that it returns.

If the above ping does fail, try pinging Google by its IP address instead of by its URL:

ping 66.102.7.147


Let us know the results.

DMR 152 Wombat At Large Team Colleague

The nailfix link seems to be broken; here's an alternate link that will work.

DMR 152 Wombat At Large Team Colleague

Better, but not by much.

1. Please download this additional "Temp\se.dll" removal tool. Run the utility and click on the "start disinfection" button to initiate the removal procedure.


2. Run HJT again and have it fix the following entries if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {BB19CEC2-134E-499A-BBC6-ABC7A0315BDC} - (no file)


3. Reboot, run HJT again, and post a new log.

DMR 152 Wombat At Large Team Colleague

There is a less "manual" Aurora removal procedure than that described in the link above. Please do the following:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in …

DMR 152 Wombat At Large Team Colleague

Not bad; aside from Aurora, I only see one other infection indicated in your log.

Here's the standard Aurora fix, with slight additions to deal with the other infection you have:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the free trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select …

DMR 152 Wombat At Large Team Colleague

This file behaves the same way in both locations, the "shortcut" on my desktop (shown below) and in C:\Documents and Settings\Xaminor\Desktop.

C:\Documents and Settings\Xaminor\Desktop and "my desktop" are the same location; the file isn't a shortcut. ;)


The "Cannot delete file: Cannot read from the source file or disk" message, combined with the fact that it's 0 KB in size, would most likely suggest that the file and/or its entry in your filetable is corrupt.

If you have a disk/filesystem repair utility such as Norton Disk Doctor, I'd run that and see what it comes up with. If you don't have a third-party program like Norton, run Windows' disk checker:

Open My Computer, right-click on your C: drive, and choose Properties. Go to the Tools tab in the Properties window and click on "Check now..."

DMR 152 Wombat At Large Team Colleague

Hi carolerose, welcome to the site. :)

You're right about the fact that portions of the Aurora fix are "customized" for the particular computer in question, but the general Aurora removal procedure is the same for all computers. Most of the reason that instructions are customized is due to the fact that a computer is rarely infected with Aurora alone; there are almost always other "unwanted guests" on a given system.

The detection and removal programs used in the cleaning processes are trusted and reputable, and we'll walk you through any questions you might have in terms of using them.

The first thing we need to do is have you run the HijackThis utility; it will give us a good "snapshot" of the state of your computer:


Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what …

DMR 152 Wombat At Large Team Colleague

1. Run HJT again, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O20 - AppInit_DLLs: NVDESK32.DLL,wbsys.dll


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

xpjava.exe
c:\ied_s7.cab
c:\x.cab
wbsys.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

- Empty your Recycle Bin.

- Reboot normally.


* Once you've done the above, Run HijackThis again and post a new log.

DMR 152 Wombat At Large Team Colleague

Mainly I was just trying to clean useless stuff up, and get rid of annoying startup programs and the like.

OK- I just needed to check; that's the shortest log I've ever seen from an XP system.

That said, every single entry in the log except the last one indicates the "about:blank" infection. Please follow the removal instructions in my first post in this thread, and give us a new log after that.

DMR 152 Wombat At Large Team Colleague

No, the log is very clean.

What specific signs or messages did you get that make you think that you've been reinfected?

DMR 152 Wombat At Large Team Colleague

1. C:\Program Files\Internet Explorer\IEXPLORE.EXE

You have 7 instances of the above entry in your log, which means that you have 7 different instances of Internet Explorer running (whether you know it or not; it's probably mostly the work of the infections).

Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running. To make sure that IE is definitely not running, simultaneously hold down Ctrl+Alt+Delete and click on the Task Manager button in the resulting window.

Under the Applications tab, highlight any/all IE entries (one at a time), and click the "End Task" button. Under the Processes tab, highlight any/all IEXPLORE.EXE entries and click "End Process". Wait a few moments and recheck both tabs again to make sure that no IE entries have "respawned".


2. Once you've taken care of the above, run HJT again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection …

DMR 152 Wombat At Large Team Colleague

Very good. We'll call this one solved then. :)


Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously- install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates …

DMR 152 Wombat At Large Team Colleague

McAfee is supposed to be able to deal with at least one of the infections you have. Have you run a full system scan with McAfee after making sure you've installed the most current virus definitions? Do that if you haven't already.

There will be more cleanup to do after this, but to start with:

1. Look in your Add/Remove Programs control panel to see if the WareOut program is listed there. If it is, uninstall it; the program is spyware disguised as a spyware remover. Go here for more information on WareOut and other "rogue" anti-spyware programs.


2. Run HJT again and have it fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R3 - URLSearchHook: (no name) - {5590E23D-D864-CA4C-3697-FDC87F0F87A6} - bingo9.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ylyel.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ylyel.dll (file missing)
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SysEntry] sbin.exe
O4 - HKLM\..\Run: [uio] progmen.exe
O4 - HKLM\..\Run: [hygnrrd] c:\windows\system32\wgqnopm.exe r
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [NsCplTray] MSTCPDLL.exe
O4 - HKCU\..\Run: [prcmon] nmdllw.exe
O4 - HKCU\..\Run: [corrida] ftbar.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42989C9C-B187-4175-A9E2-790A73F68EBB}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{42989C9C-B187-4175-A9E2-790A73F68EBB}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{42989C9C-B187-4175-A9E2-790A73F68EBB}: NameServer = 69.50.176.196,195.225.176.110


3. Reboot into …

DMR 152 Wombat At Large Team Colleague

Hi lori2246,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

You need to start your own thread in this forum and post your question there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks for understanding.


* By the way- for an answer to the problem of anti-virus programs not being able to fix infections found in your C:\_RESTORE folder, go here.

DMR 152 Wombat At Large Team Colleague

hmmm, Sorry about the strange line breaks again, it looked alright in the preview.. :(

I edited the post to clean up the formatting a bit. :)

That log looks very short on content for a normal XP computer, and it's missing a lot of entries that appeared in the first log you posted. Did your latest log come from a scan done while booted into Safe Mode? If so, you need to do a scan while booted normally and post that log.

DMR 152 Wombat At Large Team Colleague

Yeah- I didn't really think the hosts file was a problem, but I thought I'd suggest it since you asked.

Can you give us the specifics of your network setup please (type of connection, makes/models of modem, router, etc.)? The cause of intermittent loss of ability to reach sites could really lie anywhere in your network chain.

DMR 152 Wombat At Large Team Colleague

You missed out another good software (and it's free too), called Ewido.

I'm really impressed with ewido, but remember that the free download is just a 30-day trial; after the trial period some of the full features will get disabled (auto-update, real-time protection/monitoring, etc.).

Otherwise though, the program does still work after the trial expires. The only real inconvenience is that you'll have to get updates manually, which isn't really a big deal.

DMR 152 Wombat At Large Team Colleague

OK, post the log if and/or when you can.

I definitely understand what you're saying about the state of the machine and what a hassle it would be to do a fresh install. I've got quite a few clients who are still using old P-IIIs running 98, have no install/driver disks, and haven't done a backup in years. Rescuing/restoring those machines is always Big Fun. :eek:

When you do get around to rebuilding the machine, here are a couple of suggestions:

1. After verifying that the current drive is malware-free, buy a new drive, do a clean install to that drive, and install the existing drive as a slave drive. That way, you'll have all of the original data intact, and in the same locations that the person was used to having it in.

2. Secure the machine immediately after the install. Previous estimates were that an unpatched and unprotected computer could be infected within about 30 minutes of connecting to the Internet (which I've personally seen happen), but the massive increase in malware has brought that time down to less than 15 minutes according to more recent studies and surveys.

Here are some things you should do before "releasing the computer into the wild":

1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied …

DMR 152 Wombat At Large Team Colleague

You're welcome.

Post the new log when you can; I'll be around for most of the day.

DMR 152 Wombat At Large Team Colleague

The bogus error message is the work of the "Smitfraud" infection, but your log indicates several other infections as well. HijackThis alone isn't going to be able to thoroughly fix things.

Please follow these general cleaning instructions to get rid of as much of the infections as possible:


You will need to disconnect from the Internet for some of the following, so you'll need to print out these instructions, or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows …

DMR 152 Wombat At Large Team Colleague

It's not against the rules, but we don't really encourage it either. This is a pretty busy forum, and those of us who help out are only doing so as volunteers in our free time, so it isn't unusual that a thread may go unanswered for 24 hrs or more.

I'm going to sleep shortly, but I do have this thread flagged, and will get back to it tomorrow.

DMR 152 Wombat At Large Team Colleague

MSplg7.dll does still exist in the system32 folder. Is it dead or just dormant?

Sorry I didn't address that earlier. Can you give us the creation date, modification date, and size of the file please?

As for ewido, try running it in Safe Mode. There may be something else running in normal mode that's conflicting with it.

DMR 152 Wombat At Large Team Colleague

Great; good work. :)

Does everything seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

OK. I had started a response dealing with the last log you posted, but had to log off for a few hours before I could finish. I'll wait until you post the new log, as its contents may differ from the last log.