DMR 152 Wombat At Large Team Colleague

I'm really not sure what happened to those logs, but given their incomplete state, there's not much of anything to work with in them.

Let's see if we can get things back to at least somewhere near normal:

1. Download and run IEFix. Reboot when finished.

2. Download and run CCleaner. Again, reboot when finished.

3. Do another run of ewido, MS Antispyware, etc.

4. Post another log; hopefully we'll see some improvement.

DMR 152 Wombat At Large Team Colleague

I hate to say this, but your HijackThis log looks like the Who's Who of Spyware Celebrities. :eek:

Also, you are using an outdated version of HijackThis. Please download the latest version and use that from now on.

Once you get the new version of HJT, please go through the general cleaning procedures below in order to get some/most of the "unwanted guests" off of your system:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to …

DMR 152 Wombat At Large Team Colleague

Is downloading the utilities on another computer and burning them to CD a possibility? That would be a good way to get them installed on to the infected machine.

If not, let me know ASAP and we'll have a whack at things with HJT and some manual surgery.

DMR 152 Wombat At Large Team Colleague

BTW:

Can you please post another (and hopefully final) HJT log to review? I'd like to give it a review before marking this one as "Solved".


Thanks.

DMR 152 Wombat At Large Team Colleague

The problem was the 2 files "apiqa" and "d3sh32".

Absolutely, but C:\WINDOWS\SYSTEM\APPNE.DLL is one I'd question as well.

When I uploaded them and got them scanned at an av website (the one with the multiple av engines) , both had trojan.downloader variants. Weird that AVG and Norton antivirus missed them.

The variants mutate and evolve too rapidly; that's why we have to resort to doing scans with multiple tools.

I got a warning message from Ad-Aware's live monitor that apiqa and d3sh32 were trying to do something again (though the files weren't there). So I went back into safe mode and deleted the registry keys that mentioned them. I also reran HijackThis and "fixed" all the sections that linked to web addresses.

Good call.

I must say that this site and the people who post help are a godsend.

Aww, come on now... you'll make us :o:o


I am actually an IT worker and I consider myself "capable" of maintaining a PC etc., but the newer forms of spyware really do bring one down with a bump. I'm not decrying the makers of AV and antispy products, but these new forms are worse than virii in my book.

No kidding. Not only do I see that here, but although most of my "real-life" work is supposed to revolve around systems installation and support, I usually end up spending the bulk of time running around in some silly-looking Spyware Warrior cape. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Your log indicates that you did not perform the first step in my previous post:

"Please follow the instructions I gave in my first post in this thread."

You have to do the procedures I outlined in the post I linked to as fully, carefully, and completely as possible; HijackThis alone is not going to be able to get rid of your infections.

DMR 152 Wombat At Large Team Colleague

Here is what currently is enabled with msconfig in the startup section:

If you find no reference to Nail.exe in any of the msconfig tabs, then the entry is in the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini

Click on the "Run..." option in your Start menu, type the following in the resulting "Open:" dialog box, and then hit Enter:

regedit

In the left-hand pane of the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini folder and click on it to display its contents in the right-hand pane.

In the right-hand pane, look for a "Shell" value (or any other value, for that matter) which refers to "Nail.exe". If you find such an entry, just write down exactly what's listed there, but DO NOT edit/change anything yet!

If you don't see a Nail.exe reference in the main "system.ini" key, also look in the "Boot" subkey.

The only item that I don't recognize is ctfmon. It keeps on getting enabled after I disable it... maybe that's what's causing the error message?

Here's the scoop on ctfmon.exe:

http://support.microsoft.com/?kbid=282599

DMR 152 Wombat At Large Team Colleague

That is truly weird; I've never seen that happen to a log before.

CWShredder and friends wouldn't be responsible for it; many of the missing entries are entirely legit and wouldn't have been touched by the utilities. This most likely isn't the case, but those logs weren't done in Safe Mode or anything like that, were they?

Also- what the heck is this new entry?:

C:\Documents and Settings\guy grenon\My Documents\Unzipped\IEXPLORE\iexplore.exe

I definitely don't like the looks of that one.

DMR 152 Wombat At Large Team Colleague

What browser are you using?

Elementary my dear Watermelon. It is an About:Blank infection, so logic and deduction must lead us to the conclusion that the suspect is none other than the notorious IE! :mrgreen:

the_joker,

Please follow the instructions I gave in my first post in this thread.

In terms of using HijackThis and posting a log, here's what you need to do:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

OK- your log is clean now. :)

In terms of the error message, did you see and/or disable a reference to Nail.exe in the System.ini tab of msconfig? What else (if anything) did you disable with msconfig?

DMR 152 Wombat At Large Team Colleague

Hi gokulb, welcome to the site. :)

I see multiple infections indicated in your log. Please perform the following general cleaning procedures to get some (and hopefully most) of it cleaned up:


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but …

DMR 152 Wombat At Large Team Colleague

Hi kingdawiyd, welcome to the site. :)

You've got quite a few infections in that log, but you need to take care of a couple of things before we can work on it:

1. The formatting of the log you posted has strange line breaks and spacings in it, which makes it rather difficult to read. Have a look at some of the other threads here to see how a properly-posted log should look and post another log whose formatting resembles those.


2. You indicated that you edited your post to remove personal information. That's certainly OK, but if you removed entire lines/entries from your log in doing so, you will need to not do that when you post your next log. We need to see as much information as possible in order to identify and remove all of the infections you have. If want to protect information such as your name or your IP address, just replace that specific information with asterisks, but leave everything else as is.

DMR 152 Wombat At Large Team Colleague

Hi Fiendforeva, welcome to the site. :)

The log you posted definitely shows signs of infections, but there are a few things you need to take care of before we can begin to work on it:

1. Logfile of HijackThis v1.98.0

The log entry above indicates that you are using a very old version (1.98.0) of HijackThis. Please download the latest version (1.99.1) and post the log it generates.

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.


2. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis. Before actually fixing problems with HijackThis, you should close all other open programs, especially your web browser and Windows Explorer. HijackThis cannot fully perform its fixes while any instances of your web browser are open.


3. The log you did post has odd line breaks and the like in it, which makes it difficult to read. Make sure the new log you post doesn't come out "fractured" like that.

DMR 152 Wombat At Large Team Colleague

In addition to CWShredder, download and run these "about:blank"-related removal tools (read any instructions given before downloading):

about:buster
HSRemove
Se.html-Sp.dll Hijack Fix


Post a new HijackThis log once you've done the above; I think there will be more to remove.

DMR 152 Wombat At Large Team Colleague

Hello.

I'm new to the forums but have already had assistance in solving an irritating spyware problem.

Hmm... I knew the name "trydor" sounded familiar. :mrgreen:

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help. :)

And yes- we hope that your system stays clean for a looong time. Surf wisely, and it just might.

DMR 152 Wombat At Large Team Colleague

Nope. You need root privileges. If it's not your server, get permission from the admin. It might save you some heartache, or even your job, if installing unauthorized software is against your company's IT policy.

What he said (all of it).

DMR 152 Wombat At Large Team Colleague

"mugly" is a mass-mailing worm; you might not see any effects of it, but I sure as heck wouldn't want pieces of it lurking around on my network. :eek:

The first page of this Google search has links to descriptions and removal instructions from 5 of the major anti-virus companies. You might want to have a look:

http://www.google.com/search?hl=en&q=mugly+worm&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

No problem swatkat.

We've only got a few really active responders here, so we try to pick up/follow up for each other so that members aren't left hanging.

Given that, feel free to jump in yourself if you see a thread-in-progress that needs a helping hand. :)

DMR 152 Wombat At Large Team Colleague

1.

I followed the instructions and killbox was only able to find one of the files you listed for deletion.

That doesn't sound right. I'd suggest searching for the files manually to verify that they really don't exist. Make sure to configure Explorer's View settings to show all files and folders before searching:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".


2. The "Kavsvc" entry is still recreating itself; we'll need to find the hidden file(s) responsible for that.

A) Download the trial version of TDS-3 anti-trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and restart your computer if and when prompted.
Don't run a scan yet, though!!

Update TDS-3 to the latest RADIUS database. Follow the instructions carefully:
http://tds.diamondcs.com.au/index.php?page=update
Use the Manual update procedure
Again, don't run a scan yet


B) Download Find_Qooligic.zip and unzip the file to a folder on your desktop. Again- Don't run it yet!


C) Boot into Safe Mode again and:

Launch TDS-3. In the top bar of the TDS window, click System Testing > Full System Scan.
Let it completely finish scanning, even if it appears to hesitate at times.
Give this time to finish.
Detections will appear in the lower pane of tds window after the scan is …

DMR 152 Wombat At Large Team Colleague

I didn't uninstall AVG before I installed Mcafee antivirus.

*groan* Very sorry about that- your HJT log even shows the two programs running concurrently but I totally overlooked it. :o

Are you saying that you were finally able to delete the malicious files once you got the conflict cleared up?

DMR 152 Wombat At Large Team Colleague

That looks clean now; I was afraid that the vljgst.exe entry would "respawn" after you deleted it, but it hasn't. :)

Now that the log is clean, you should delete your existing (possibly infected) System Restore points and create a new, clean Restore Point. An explanation of that, and instructions on how to do it, can be found here.


Also:

Here are a few things you can/should do to minimize your chances of future virus/malware infections (some of which you're obviously already doing):


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good …

DMR 152 Wombat At Large Team Colleague

BTW - when I run the rootkit revealer, I get the following:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/7/2005 4:30 PM 80 bytes Data mismatch between Windows API and raw hive data.

Is there something specific to do for this condition?

No- that message would be expected in this case.

The message itself means that the data in a Registry entry was updated during the time that RootkitRevealer was scanning the Registry. In the case of that particular Registry key (the Random Number Generator seed), the system automatically changes the seed value many times a minute to maintain the "randomness" (and therefore the security) of the cryptographic keys it generates.
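An added illustration (not from the thread and not RootkitRevealer's own code) of sorting its discrepancy lines the way the reply above explains: a data mismatch on a key the system rewrites constantly, such as the RNG Seed key quoted above, is expected, while an object hidden from the Windows API deserves a closer look. The first sample line is the one quoted above; the second is constructed, using the msdirectx.sys file name mentioned elsewhere in this thread with a made-up time and size.

```python
"""Classify RootkitRevealer discrepancy lines by how much attention they need.

Added example, not part of the thread or of RootkitRevealer itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First line quoted from the post above; second line constructed (time and size made up).
SAMPLE_OUTPUT = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/7/2005 4:30 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\msdirectx.sys 7/7/2005 4:31 PM 12288 bytes Hidden from Windows API.
"""

# Keys the system rewrites constantly: a mismatch there only means the value changed
# while the scan was reading it (the point made in the reply above). Compared lower-cased.
VOLATILE_KEYS = {
    r"hklm\software\microsoft\cryptography\rng\seed",
}

# "<path> <m/d/yyyy> <h:mm AM|PM> <n> bytes <description>". The path may contain
# spaces, so the lazy match stops at the first thing that looks like a date.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$"
)


@dataclass(frozen=True)
class Discrepancy:
    path: str
    stamp: str
    size: int
    description: str


def parse_line(line: str) -> Optional[Discrepancy]:
    """Split one output line into fields; returns None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Discrepancy(m["path"], m["stamp"], int(m["size"]), m["desc"])


def classify(d: Discrepancy) -> str:
    desc = d.description.lower()
    if desc.startswith("data mismatch"):
        # Expected on volatile keys; anywhere else, rescan and compare before reading anything into it.
        return "expected" if d.path.lower() in VOLATILE_KEYS else "rescan"
    if desc.startswith("hidden from windows api"):
        # Present in raw hive/NTFS data but invisible through the API: the classic rootkit hiding pattern.
        return "investigate"
    return "review"


def classify_output(text: str) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every finding line in a RootkitRevealer text export."""
    results = []
    for line in text.splitlines():
        d = parse_line(line)
        if d:
            results.append((d.path, classify(d)))
    return results
```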

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Hi, I have completed all the above but the rlvknlg.exe file didn't seem to exist.

If you're sure that the file doesn't exist, that most likely means that the file itself was deleted during the cleaning process, but the related "Run" entry in your Registry wasn't.
Since the O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot entry no longer appears in your log, I'm assuming that's the case; it happens sometimes.

Your latest log is clean. Does everything seem to be working now?

If so, you should set a new, clean System Restore point now. An explanation of what I mean by that, and instructions on how to do it, can be found here.

DMR 152 Wombat At Large Team Colleague

Aww- now I'm going to have to find another conspiracy. Oh well, back to the fridge....

:mrgreen:

DMR 152 Wombat At Large Team Colleague

Only certain features of ewido expire after the trial (automatic updates, real-time protection, etc.), but you should still be able to do manual updates and run scans. More on this tomorrow; it's dinner time for me right now....

DMR 152 Wombat At Large Team Colleague

... Is there something specific to do for this condition?

I'll have to check for more info on whatever version of this beast that you have, but I won't be able to do that until tomorrow.

DMR 152 Wombat At Large Team Colleague

Before I got infected I was already running...

Yeah, what I posted is just a "canned answer" that I paste from a text file; most people are already doing at least some of it. :)

DMR 152 Wombat At Large Team Colleague

The middle half of your log is missing; can you post another please?

DMR 152 Wombat At Large Team Colleague

That's looking much better now. :)

I only see one malicious entry left in your log, although it could be indicative of further "nasties" hiding elsewhere in your system.

* Have HJT fix:

O4 - HKLM\..\Run: [ligqbrj] c:\windows\system32\vljgst.exe r

* Delete the c:\windows\system32\vljgst.exe file and empty the Recycle Bin.

* Reboot, run HJT again, and post another log.

DMR 152 Wombat At Large Team Colleague

Well that sucks.

Tell me about it.

I'm still looking for a definitive fix though; you're not the only one who's been hit with the beast by a long shot. :mad:

DMR 152 Wombat At Large Team Colleague

There are still a couple of indications of infections in your latest log:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot

Also- you seem to be running two anti-virus programs (Norton and AVPersonal). Running more than one AV program isn't advised, as conflicts can occur. Choose one AV program or the other and use that alone.


Please do the following:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and select their "auto clean" (or similar) options to let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


3. Run HijackThis and have it fix the following entries if they still exist:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot

4. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the C:\windows\system32\rlvknlg.exe file.

- Delete the entire C:\Program Files\winupdates folder.

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not …

DMR 152 Wombat At Large Team Colleague

Also, a technician in an Apple store told me to go to Apple > Control Panel > Startup Disk and select the system folder to boot from, but that didn't work either.

Well how the heck would that work if the system won't even boot :?: :mrgreen:

Did you check out my suggestion about verifying the correct Master/Slave jumper configuration?

DMR 152 Wombat At Large Team Colleague

* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


* Download the Killbox utility and save it to your desktop, but don't run it yet.


* Run HijackThis and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {04AB1929-AE01-B383-9992-F5A24BEB8F66} - C:\WINNT\System32\t81tJHOP.dll
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://195.95.218.173/dl/adv439/x.chm::/load.exe
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)

O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINNT\System32\msdcom32.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINNT\System32\msdcom32.dll
O21 - SSODL: DiwIDfScQg - {04AB1923-AE01-B389-E00E-E4B64BEB8F63} - C:\WINNT\System32\owmk.dll


* Reboot into …
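A small parser for the log format the entries above are written in, added here as an illustration; it is not part of the thread and not HijackThis's own code. It splits each line into section code, key, name and data, and flags the kinds of entries the responder singles out by eye: duplicates, handlers whose file is missing, Trusted Zone additions, browser pages pointing at a bare IP address, DPF entries that load through ms-its:, Run entries starting an executable from the drive root, and unnamed BHOs or shell objects. The sample lines are copied from the log quoted above.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example; not part of the thread and not HijackThis's own code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample entries copied from the HJT log quoted above (one line is repeated there too).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
O2 - BHO: (no name) - {04AB1929-AE01-B383-9992-F5A24BEB8F66} - C:\WINNT\System32\t81tJHOP.dll
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: www.archiviosex.net
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://195.95.218.173/dl/adv439/x.chm::/load.exe
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINNT\System32\msdcom32.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINNT\System32\msdcom32.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
# URL whose host is a bare IPv4 address rather than a domain name
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
# Executable sitting directly in the drive root, e.g. C:\winstall.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+?\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str  # HJT section code, e.g. "O4"
    key: str   # registry key or section label, e.g. "HKCU\..\Run" or "Trusted Zone"
    name: str  # value name, CLSID or item label
    data: str  # path, URL or domain
    raw: str   # original line, used to spot duplicates


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT log line into its fields; returns None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):
        # "<key>,<value name> = <data>"
        left, _, data = rest.partition(" = ")
        key, _, name = left.partition(",")
        return Entry(code, key, name, data, line)
    if code == "O4":
        # "<key>: [<value name>] <command line>"
        key, _, tail = rest.partition(": ")
        name, _, data = tail.lstrip("[").partition("] ")
        return Entry(code, key, name, data, line)
    # Remaining O lines: "<label>: <name>[ - <clsid>][ - <path or url>]"
    key, _, tail = rest.partition(": ")
    parts = tail.split(" - ")
    return Entry(code, key, parts[0], parts[-1], line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Return (code, name, reasons) for every entry worth a closer look."""
    counts = Counter(e.raw for e in entries)
    already_reported = set()
    findings = []
    for e in entries:
        reasons = []
        if counts[e.raw] > 1 and e.raw not in already_reported:
            already_reported.add(e.raw)
            reasons.append("entry appears more than once")
        if "(file missing)" in e.data:
            reasons.append("handler points at a file that no longer exists")
        if e.code == "O15":
            reasons.append("site added to the IE Trusted Zone")
        if e.code in ("R0", "R1") and BARE_IP_URL_RE.match(e.data):
            reasons.append("browser page points at a bare IP address")
        if e.code == "O16" and "ms-its:" in e.data.lower():
            reasons.append("DPF entry loads content through the ms-its: protocol")
        if e.code == "O4" and ROOT_EXE_RE.match(e.data):
            reasons.append("Run entry starts an executable from the drive root")
        if e.code in ("O2", "O21") and e.name == "(no name)":
            reasons.append("unnamed BHO/shell object")
        if reasons:
            findings.append((e.code, e.name, reasons))
    return findings


def triage_log(text: str) -> List[Tuple[str, str, List[str]]]:
    return triage(parse_log(text))
```

The heuristics only narrow down what to look at; as the thread repeatedly says, anything questionable still gets checked before it is fixed.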

DMR 152 Wombat At Large Team Colleague

Unless you're using a combo broadband modem/router (which the BEFSR41 isn't) the speed capping will be happening in the modem, not the router.

However, hacking the modem usually violates the ISP's Terms of Use Agreement; some people who have been caught doing this have been banned from using their ISP's service for life.

Discussions of such hacks are also prohibited in these forums.

DMR 152 Wombat At Large Team Colleague

Some people have removed the program that way, but I myself have trouble recommending that someone trust a removal tool offered by the same company that gave you the infection in the first place.

You can do one of two things:

A) Use their removal tool and see what happens. Paranoid bugger that I am, I would do full system scans with ewido, Norton, and probably a few other utilities right after I used the online removal tool.

B) Since we're seeing no other signs of Aurora other than the Add/Remove Programs entry, remove the entry from the A/R P control panel manually:

http://support.microsoft.com/?kbid=314481

DMR 152 Wombat At Large Team Colleague

Also:


Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often …

DMR 152 Wombat At Large Team Colleague

Glad we could help. :)

In terms of cleaning your daughter's computer, do keep in mind that each computer is configured differently, and will probably have different types of infections in addition to Aurora. Given that, some of the infection removal procedures are computer-specific, as are the results you'll get from HijackThis scans run on different computers. Always ask before fixing anything that you have the slightest question about.

DMR 152 Wombat At Large Team Colleague

Your ISP should have given you an email account (which would probably be accessible through webmail and POP) when you set up your service with them; why can't you just use that? After all, you're already paying them for the service, right?

The advantages to non-webmail accounts (POP and IMAP) are basically that your messages are stored locally on your computer as opposed to being stored on your email provider's servers, and that you can take advantage of the features of email client programs such as Outlook, Thunderbird, Eudora, etc.

The downside to POP/IMAP-only accounts, of course, is that if you want to check your mail on other computers, you'll have to set up a new account for yourself in the email client program on every computer from which you want to check your mail. Aside from the inconvenience of that, there are obvious security/privacy risks involved as well.

DMR 152 Wombat At Large Team Colleague

You definitely have a variant of the "about:blank" family of infections, and possibly one or two other infections as well.

We'll need to run a few automated removal tools in order to clean things up most thoroughly. Please do the following:


1. Download and install these three about:blank removal tools into their own separate folders:

CWShredder
HSRemove
about:Buster


2. Open CWShredder and about:buster and click each program's Update button to install the latest detection definitions. Do not run a scan with either program yet; just close each one when it has finished installing its updates.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open CWShredder and run it by clicking the "Fix" button. Close the program when it finishes with its fixes.

- Open about:buster and click the "Begin Removal" button. Close it when it finishes.

- Open HSRemove and click "Scan and Remove". Close it when it finishes.


4. While still in Safe Mode:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders …

DMR 152 Wombat At Large Team Colleague

1. Although the suggestions in the link below relate to the "HotOffers" infection, I believe they apply to SpecialGoods as well. Try them and let us know the results:

http://www.daniweb.com/techtalkforums/post114046-41.html


2. Once you do the above, run HijackThis again, put a check mark to the left of the following entries, and then click "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0456/
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D255CA40.hta


3. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Locate and delete the C:\WINDOWS\SYSTEM\D255CA40.hta file.


4. Empty your Recycle Bin and reboot.


5. Run HijackThis again and post a new log.

DMR 152 Wombat At Large Team Colleague

I believe my pc is pretty ****** up with a lot of spyware etc, so the log will probably look bad.

But first the virus, can anyone help me ???

You definitely have a lot more going on than the msdirectx.sys problem. I'd suggest taking care of those first and then working on what remains of the RootKit infection after that:


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating …

DMR 152 Wombat At Large Team Colleague

NoAdware seems to find lots of stuff, but I found that it was a total scam.

Yup, and they aren't the only scammers out there. :(

Before downloading/purchasing any "anti-spyware" utilities, you should always consult this list of recommended vs bogus utilities and websites first:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

DMR 152 Wombat At Large Team Colleague

There's another infectious file hiding somewhere that's bringing those infections back to life. :(

The latest version of Microsoft's Malicious Software Removal Tool is supposed to be able to deal with at least some variants of the "msdirectx.sys" infection.

Information, instructions, and the download link for the tool are here:

http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Run it and see if it does the job. Let us know the results.

DMR 152 Wombat At Large Team Colleague

You are welcome; I'm glad we could help. :)

Were you able to fix the "Broken Internet access..." problem with WinsockXPFix?

DMR 152 Wombat At Large Team Colleague

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


* Once in Safe Mode, double-click on Nailfix.cmd. …

DMR 152 Wombat At Large Team Colleague

Your log still shows indications of a full-blown Aurora infection. Please follow the instructions below carefully and fully:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting …

DMR 152 Wombat At Large Team Colleague

Your log is essentially clean, but I'd suggest removing the SurfMonkey garbage using your Add/Remove Programs control panel. It's a *barf* *gack* "kid safe" content filtering program that Earthlink now bundles with their connection software.

You don't need it to connect/surf, and since it acts as a "traffic cop" between your computer and the Internet, analyzing your Internet communications, it may have at least something to do with the connection lags.

DMR 152 Wombat At Large Team Colleague

Hmm... that didn't work as well as it should have. :(

Please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Run HJT again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...sario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll (file missing)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hmajlj.exe reg_run
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitefpz32.exe
O4 - HKLM\..\Run: [hpascte] c:\windows\system32\pyauxp.exe r
O4 - HKCU\..\Run: [Z0tmRON8T] asyvcctl.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll


3. Copy-n-Paste the …
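As an added example (not DMR's code and not part of HijackThis or any tool named in these posts), a small Python triage script that parses HijackThis log entries like the ones quoted above and flags the patterns the posts react to: about:blank hijacks, a second program chained onto the system.ini Shell= line, components whose file is missing, unrecognised system32 autoruns, and DPF entries that fetched an .exe. The `KNOWN_SYSTEM32` allowlist and the benign ctfmon line are constructed stand-ins.

```python
import re

# Entries quoted in the post above plus one constructed benign autorun line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll (file missing)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hmajlj.exe reg_run
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
"""
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Stand-in allowlist of legitimate system32 autorun names; a real one would be far larger.
KNOWN_SYSTEM32 = {"ctfmon"}

def parse_hjt(text):
    """Return the log's entries as (type, body) tuples, skipping any other lines."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append((m.group("type"), m.group("body")))
    return found

def triage(entry_type, body):
    """List the reasons an entry deserves attention; an empty list means nothing fired."""
    reasons = []
    if entry_type in ("R0", "R1") and body.rstrip().endswith("about:blank"):
        reasons.append("IE start/search setting reset to about:blank")
    if entry_type == "F2" and "Shell=" in body:
        # A clean Shell= line names only Explorer.exe; anything appended also runs at logon.
        extra = body.split("Shell=", 1)[1].split()[1:]
        if extra:
            reasons.append("extra program chained onto Shell=: " + " ".join(extra))
    if "(file missing)" in body:
        reasons.append("registered component whose file is gone")
    if entry_type == "O4":
        m = re.search(r"\\system32\\([a-z0-9]+)\.exe", body, re.I)
        if m and m.group(1).lower() not in KNOWN_SYSTEM32:
            reasons.append("autorun of unrecognised system32 program: " + m.group(1) + ".exe")
    if entry_type == "O16" and body.lower().endswith(".exe"):
        reasons.append("Download Program Files entry that fetched an .exe")
    return reasons

def suspicious_entries(text):
    """Map each flagged entry body to its reasons; entries with no findings are left out."""
    return {b: triage(t, b) for t, b in parse_hjt(text) if triage(t, b)}
```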