DMR 152 Wombat At Large Team Colleague

1.

Also, there is a program in my control panel named "The ABI Network- A Division of Direct Revenue". Should this be removed as well?

Absolutely- kill it.

2. Your HJT log is clean. :)

3. Is the slowdown you think you might be seeing an overall "sluggishness", or is it just that Windows seems to take a longer time to start up?

DMR 152 Wombat At Large Team Colleague

Very cool. Glad we could help you remove the "unwanted guests". :)

DMR 152 Wombat At Large Team Colleague

buuuurn, but kind of mean

Meant purely in good fun. :)

DMR 152 Wombat At Large Team Colleague

Both logs look good to me now, but since crunchie was driving this ship, I'd suggest waiting for his OK on things.

I did notice one thing in your logs that's got you just asking for trouble, though:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

The above entries indicate that you are seriously behind on your Windows updates, which means that you're missing a number of security patches and overall bug fixes.

Go to the Windows Update site and at least get Service Pack 1 and all related updates. You can update to SP2 if you want; the choice is yours.

DMR 152 Wombat At Large Team Colleague

How can I get rid of these?

Instructions are here:

http://www.daniweb.com/techtalkforums/thread13362.html

DMR 152 Wombat At Large Team Colleague

Your HJT log is almost clean now. :)

There are just a couple of leftovers to take care of:

1. You have the Messenger Plus! 3 program installed, and that program has a "Sponsored" (read: adware-driven) installation mode. If you aren't sure if you installed the Sponsor option when you first installed the program, uninstall it and reinstall it without the sponsor. Better yet- don't reinstall it.


2. Although not the result of malicious infections (it's probably the result of an incomplete program uninstallation), the following entry indicates a missing component in your networking software stack:

O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing

To fix the problem, download WinsockXPFix, run it, and click the "Fix" button. Choose YES when asked if you want to proceed.

DMR 152 Wombat At Large Team Colleague

1. Both of the original Blue Screen errors pretty much point to a problem with a corrupt/conflicting Windows driver or service in your case, which could be the result of damage caused by the infections.

Check your hardware in Device Manager and see if any of your devices are reported to be having problems. If so, try uninstalling and reinstalling the problematic device and its drivers. You can also try a Repair installation of Windows to fix corrupted or missing files. More info on the Stop errors and instructions for doing the Repair install can be found here:

STOP: 0x00000050
STOP: 0x0000000A


2. The sysmon32.exe file is malicious, and may be related to the msdirectx.sys problem. Please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


- Run HJT again and have it fix:
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe

- Reboot into Safe Mode.

- Disable System Restore. Instructions and explanation are here.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search your entire drive for all instances of files named sysmon32.exe and delete them. Repeat this …

DMR 152 Wombat At Large Team Colleague

I can't help with this, just giving it a 'bump' so DMR doesn't overlook it :)

(I know how much he needs more to do)

Uh, yeah...thanks. I'll just ignore those 14 auto-notifications that piled up in my mailbox after only 6 hours offline and wait for you to throw me more fresh fish... :mrgreen:


yikyang,

Unfortunately, I was hoping that the Media Player error message might tell us exactly which module/file was causing the problem, but it only gives "faulting module unknown", which doesn't give us anything specific to go on. The cause of the problem could be in a number of places, and since Media Player still crashes after you reinstalled it, I really don't have any suggestions right now. :(

For the possible reinfections, post a new log as dlh6213 suggested.

DMR 152 Wombat At Large Team Colleague

I saw your name reviewing this thread just as I hit the Post button.

Speaking of which- I know that definitely meant that I was up too late, but does it also mean that you got up at some unholy early hour just to sneak in a few posts here before work? :cheesy:

DMR 152 Wombat At Large Team Colleague

You said it was in a Windows machine before, so two possibilities come to mind first:

1. The drive would have been formatted as NTFS or FAT32; something didn't quite go right when it was reformatted as a Mac drive.

2. The drive was installed in the Windows machine as a Slave drive, it's now the Master drive in the Mac, but the Master/Slave/Cable Select jumpers on the drive weren't reconfigured to reflect that change.

Of course, since you're getting the flashing "where the heck is the System Folder?" icon, it's also possible that the installation itself just didn't happen 100% correctly.

DMR 152 Wombat At Large Team Colleague

Hmm... It's dark, and I'm posting at the same time as dlh6213. That can only mean one thing:

I should have been in bed 3 hours ago! :eek: :mrgreen:

The Nasties are all yours until tomorrow, Danny; I'm logging off and heading for the Comfy Pillow now...

DMR 152 Wombat At Large Team Colleague

Hi, welcome to the site. :)

Unfortunately, you have more than the Aurora infection. To begin with, please follow these general cleaning procedures to remove (hopefully) most of the "unwanted guests":


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not …

DMR 152 Wombat At Large Team Colleague

Hi jaysabz, welcome to the site :)

First, please perform the following general cleaning procedures to get as much of the infections cleaned up automatically as possible:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One …

DMR 152 Wombat At Large Team Colleague

Open the Event Viewer utility in your Administrative Tools control panel and see if there are any helpful error/warning messages in your System and Application logs.

DMR 152 Wombat At Large Team Colleague

Just to clarify: is this the primary (boot) drive, or is it a second drive you've added to the system?

DMR 152 Wombat At Large Team Colleague

1. I see nothing in your log which indicates that malicious infections are the source of the problem.

2. In terms of the hosts file, you can restore it to its original state with a utility called Hoster (although I can't remember if it's designed to work on Win 98).

DMR 152 Wombat At Large Team Colleague

Run Find-Qoologic and HijackThis again and post a new log from both. That will let us know if the items were truly deleted.

DMR 152 Wombat At Large Team Colleague

*grrr*

Something has retriggered pieces of Aurora and the "Win Server Updt" infection. Let's carefully and completely repeat the basic Aurora cleaning procedure, with the following adjustments:

* Reboot into Safe Mode again.

* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly (this is normal).


* Then run Ewido, and run a full scan. Save the logfile from the scan.


* Next run HijackThis, click Scan, and put a check in the box to the left of:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe

Close all open windows except for HijackThis and click Fix Checked.

- Close HijackThis.


* Open Windows Explorer, and in the Folder Options->View settings under the Tools …
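The HijackThis entries listed in the post above (hijacked R0/R1 search pages, an extra program chained onto the system.ini Shell line, O4 Run keys, a broken O10 LSP, a Winlogon Notify DLL and an O23 service whose file is missing) follow a regular "code - body" shape that is easy to triage automatically. The following Python script is an added example, not code from the original thread or from the HijackThis project: it parses a small constructed log (assembled from entries quoted elsewhere in this page plus two benign lines) and flags the entry types the thread treats as infection indicators. The rule set and the list of executable names are taken from this page and are assumptions about what counts as suspicious; a real analysis would still review every flagged line by hand.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of a HijackThis log entry: a type code, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# Executable names this thread identifies as part of the Aurora / Win Server Updt
# infections (assumption: treat any Run key launching one of these as malicious).
KNOWN_BAD_IMAGES = {"nail.exe", "wupdt.exe", "yjasshe.exe", "sysmon32.exe", "svcproc.exe"}

# Search-hijack domain quoted in the thread's R0/R1 entries.
HIJACK_DOMAINS = ("websearch.drsnsrch.com",)


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (code, body) for an HJT entry line, or None for headers/blank lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def image_names(text: str) -> set:
    """Lower-cased basenames of every *.exe / *.dll mentioned in the text."""
    return {m.group(1).lower() for m in re.finditer(r"([\w.-]+\.(?:exe|dll))", text, re.I)}


def check_entry(code: str, body: str) -> Optional[str]:
    """Apply one triage rule per entry type; return a reason string if suspicious."""
    lower = body.lower()
    if code == "F2" and "shell=" in lower:
        # On Windows XP the system.ini Shell value should be exactly Explorer.exe.
        shell_value = body.split("=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            return "extra program chained onto the Explorer shell"
    elif code in ("R0", "R1"):
        if any(domain in lower for domain in HIJACK_DOMAINS):
            return "IE search/start page redirected to a known hijack domain"
    elif code == "O4":
        if image_names(body) & KNOWN_BAD_IMAGES:
            return "Run key launches an executable named in the infection"
    elif code == "O10" and "missing" in lower:
        return "broken Winsock LSP chain (provider DLL missing)"
    elif code == "O20" and "winlogon notify" in lower:
        return "Winlogon Notify DLL: common persistence point, verify the file"
    elif code == "O23" and "(file missing)" in lower:
        return "service registered but its executable is missing"
    return None


def triage(log_lines: List[str]) -> List[Finding]:
    findings = []
    for line in log_lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue  # "Logfile of...", "Platform:", blank lines, etc.
        code, body = parsed
        reason = check_entry(code, body)
        if reason:
            findings.append(Finding(code, reason, line.strip()))
    return findings


def counts_by_code(findings: List[Finding]) -> dict:
    out = {}
    for f in findings:
        out[f.code] = out.get(f.code, 0) + 1
    return out


# Constructed sample log: entries quoted in this thread plus two benign lines
# (the about:blank start page and the ctfmon.exe Run key) that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
""".splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code:4} {finding.reason}\n     {finding.line}")
```

Running the script on the sample log flags six of the eight entries: the two benign lines (a normal start page and the standard ctfmon.exe Run key) pass through untouched, which is the point of keying each rule to a specific entry type rather than matching on filenames alone.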

DMR 152 Wombat At Large Team Colleague

Please perform the following Aurora removal procedure; it should take care of not only Aurora, but some of the other "nasties" indicated in your log as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows …

DMR 152 Wombat At Large Team Colleague

Please perform the following standard Aurora (ABI) removal procedure; it will clean up a lot of the other "nasties" indicated in your log as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe …

DMR 152 Wombat At Large Team Colleague

You still have indications of the Aurora (DrPmon.dll) infection in your log. Please perform the following standard Aurora removal procedure; it will probably clean up a lot of other leftover "nasties" as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select …

DMR 152 Wombat At Large Team Colleague

The "morphing filename" trick is one of the methods that many of the newer infectious variants use to avoid removal. The morphing or respawning of such .exe files is controlled by a hidden .dll file (or files), but the names and locations of those "Mother dlls" also vary. Unfortunately, Ad Aware and SpyBot are falling more than a bit behind in their ability to deal with these newer threats.

Given what you've said and tried already, I think it's time for us to see a HijackThis log to get a better idea of what's really going on. Please do the following:

Download the HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

How you access/change a laptop drive depends entirely on the make and model. With some laptops you only need to take out a screw or two, but with others you need to disassemble half of the machine. If you're getting price quotes of $70, my bet is that your particular laptop isn't one of the easier models to get into.

There are "teardown" instructions which you can find on the web; Google for the terms:

<your laptop's model> drive replace

you might get lucky.

DMR 152 Wombat At Large Team Colleague

If you don't see an SATA hookup on your motherboard...

Yeah, the "Deluxe" version of the A7N8X has SATA, but the straight-up A7N8X doesn't.

DMR 152 Wombat At Large Team Colleague

The basic Hotmail service is web-based only; you have to subscribe (pay) for the feature that lets you access your mail via a POP3 client program. There are a few "workarounds" to that, but I haven't tried them. More info here:

http://www.moztips.com/wiki/index.pcgi?page=ThunderbirdFaq

DMR 152 Wombat At Large Team Colleague

Online teardown manuals for laptops can often be found online, but it really depends on the make/model. Give us that info and we'll see what we can come up with.

DMR 152 Wombat At Large Team Colleague

Can you download any utilities at all?

If so, please perform as many of the procedures I outlined in my first post in this thread as possible:

http://www.daniweb.com/techtalkforums/thread27059-cwshredder+about%3Abuster+hsremove.html

We can use HijackThis to clean out a lot of your infections if it's absolutely necessary, but given the number of different "nasties" you have, it would be an evil process.

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help :)

Do things seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

Something look familiar here?

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Bingo- that's what I was looking for. Let's try this:


1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run HijackThis and have it fix:
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

- While still in Safe Mode, Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\SYSTEM32\MSplg7.dll

Select the "Replace on reboot", "Use Dummy" options, and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.

- Click YES at the request to reboot and let the computer reboot normally.


3. Run HijackThis and another anti-virus scan; see if any references to MSplg7.dll still exist.

DMR 152 Wombat At Large Team Colleague

The HijackThis log is clean now.

Since ewido keeps turning up "nasties" in your C:\System Volume Information\_restore folders, but your HJT log no longer shows signs of infections, let's flush those folders to get rid of any possibly remaining "unwanted guests", and set a new, clean Restore Point.

To do this, you just disable and then re-enable XP's System Restore feature:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.


Once you've done that:

Reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.
A fresh new …

DMR 152 Wombat At Large Team Colleague

Hi bultoki,

1. The HijackThis log you posted is from a scan done in Safe Mode. The ewido scan should have been Safe Mode, but we need a log from a HijackThis scan that's been done when booted into Windows normally.


2. Getting rid of the "crazywinnings" entry takes a little manual work; it will just keep returning if you try to fix it with HijackThis:

This procedure involves editing your Registry, so I would highly suggest making a backup of the Registry before performing any edits. Information on making a Registry/System State backup can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322756

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove.

- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not delete or modify anything else in the registry!!!

DMR 152 Wombat At Large Team Colleague

Everyone's HJT logs will be different, because the contents and configurations of everyone's computers are different.

There is a standard Aurora fix though, which we can expand on to fit your particular system:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

1) Open the Services utility in your Administrative Tools control panel.

In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

In the General tab of the Properties window that opens, click the Stop button.

Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

2) Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

3) Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

4) Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, …

DMR 152 Wombat At Large Team Colleague

I guess you can find a conspiracy in anything

lol.

I thought I found a conspiracy in my fridge once, but it just turned out to be some potato salad I'd forgotten about for a few months...

DMR 152 Wombat At Large Team Colleague

how can a half-geek find a decent gf???

Umm... get a life? :mrgreen:

DMR 152 Wombat At Large Team Colleague

Hi KBrown, welcome to the site. :)

The Community Introductions forum is just a casual place for new members to say hello, but we don't ask or answer computer-related questions here.

Given that, I've moved your post to one of our technical forums so that your question can get some exposure.

DMR 152 Wombat At Large Team Colleague

Sorry- my bad. The service needs to be disabled before it can be deleted:

1. Open the Services utility in your Administrative Tools control panel.

2. In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

3. In the General tab of the Properties window that opens, click the Stop button.

4. Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

5. Run HijackThis and try deleting the service again:

- Put a check next to the O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) entry and then click "Fix Checked".

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

6. Reboot, run HJT again, and see if the SvcProc entry still appears.

DMR 152 Wombat At Large Team Colleague

I'm not saying that Akamai's services aren't immune to abuse, and I'm certainly not saying that everything Akamai does or has done is all "warm and fuzzy" either. Akamai, however, is not a "cyberterrorist" or anything close to that.

- Who's your ISP? Perhaps they've recently started using Akamai's services.

- The possibility certainly exists that there's something fishy going on; I just don't see any indication of that at all in your HJT log.

DMR 152 Wombat At Large Team Colleague

Looks like you've done some further removal on your own; that log is a lot cleaner than the last. :)

There's a very effective utility called ewido Security Suite (the download is a 30-day free trial) which might nail the rest of the suspects:

1. Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files.

2. Run a full scan with ewido and save the scan log it generates.

3. Reboot, run HijackThis again, and post both the HJT log and the ewido log.

DMR 152 Wombat At Large Team Colleague

Yes- I still see a couple of infections in your log, but they're pieces of a new variant which is proving very difficult to kill. I'll need to ask around and see if someone has developed a reliable fix for these. Please bear with me; I'll post that information as soon as I can find it.

DMR 152 Wombat At Large Team Colleague

1. I honestly don't know what the "glba" files are. Locate one or more of the files in Windows Explorer, right-click on it, and choose Properties. See if there is any identifying information such as a company name, creation/modification date, or the like which might help us determine if the files are legit or not.


2. In terms of the Temp folders, you should delete everything that lives under those main folders. As to the "desktop.ini" files, choose "Yes to all" the first time that you're prompted to delete one. Here's the explanation from one of my earlier posts:

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

3. For the "URL that will be used when fixing hijacked/unwanted MSIE pages..." question: yes- you can change that to whatever URL you want.

DMR 152 Wombat At Large Team Colleague

Not so "friendly" after all.

http://pressf1.co.nz/archive/index.php/t-33444.html.

Umm... did you happen to notice that the person who posted the "information" you're referring to:

A) Gave no verifiable sources of that information, nor any supporting evidence for his claims whatsoever.

B) Mentions that the Israeli government uses Akamai's services as though there's something ominous about that, but conveniently forgets to mention that other governments (including the US) also use Akamai.

C) Ends his post by going off on a rather paranoid rant about cyberterrorists and how he might "blow the cover" on Akamai himself?

I won't even go into his mind-bogglingly convoluted discourse on the use of "dashes" in Akamai identification strings at the beginning of the post.

Akamai is a company which provides a number of Internet services. Some of them are irritating (serving streaming/animated ads for customers' websites, for example), while some of them are quite legit (hosting websites, download, and DNS services for many major corporations, providing streaming video for major sports events, etc.). Even Microsoft and Symantec have used Akamai servers (and may still) to deliver their online updates in order to take some of the load off their own servers.

So the upshot is this: If you visit a major site on the web, there's a good chance (15% was the estimate I read last year) that the company whose site you're visiting is piping you at least some of their content from an Akamai server. This is why …

DMR 152 Wombat At Large Team Colleague

1.

Thanks again! How many of these antivirus sites are there? How do you know which are reliable?

You ask people like us. :D

Here's a list of some of the most-often recommended online scanners:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. I missed one leftover (from the Aurora infection) in your HJT log. Please do the following:

- Open HijackThis again and click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

- Reboot, run HJT again, and verify that the O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) is no longer present. If it is still present, or if you got any errors during the deletion process, let us know.


3. Remove the Viewpoint Manager program using your Add/Remove Programs control panel. Also uninstall any MyWay/MySearch/MyBar-related programs as well if you find them listed there.


4. Reboot into Safe Mode and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- …

DMR 152 Wombat At Large Team Colleague

There is something still embedded in my system.

Yes, the lDprxy.dll and KavSvc entries are being persistent, which most likely means that there are hidden files controlling their behaviour.

Please do the following so that we can get a more in-depth look at what's going on:


1. Download SilentRunners.vbs, save it into its own folder, and then double-click on it to run it. It will save a log file into the Silent Runners folder.


2. Download rkfiles.zip and unzip the contents to its own folder.


3. Reboot in Safe mode, and double-click rkfiles.bat.
It will scan for a while, so please be patient. rkfiles will save the results of its scan to the file "C:\log.txt".

Wait till the DOS window closes and reboot back to normal mode.


4. Once rebooted, post the rkfiles and SR logs.

DMR 152 Wombat At Large Team Colleague

Shall I go through the entire process in safe mode?

Yes, try it that way once you get the Rootkit Revealer program downloaded.

Also- what are the full and exact errors you get when the computer Blue Screens?

DMR 152 Wombat At Large Team Colleague

The Fish is pretty cool, but he sometimes gives you some pretty amusing interpretations... :cheesy:

DMR 152 Wombat At Large Team Colleague

Hi greycat,

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Given that, I've split your post into its own separate thread, which you can find here:
http://www.daniweb.com/techtalkforums/showthread.php?t=27544

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

A good place to find all kinds of drivers, especially drivers for older versions of Windows, is www.driverguide.com. You do have to register with them in order to download from their site, but the registration and downloads are free, and they won't use your email to flood you with spam.

I checked, and Driverguide does have Win 98 drivers for the CL-5446 chip. They have a few different versions though; I'd try the latest version first.

DMR 152 Wombat At Large Team Colleague

Hi warrenforty,

Just for future reference- HijackThis logs are only to be posted in our Spyware, Viruses, and other nasties forum for use in removing malicious infections.

DMR 152 Wombat At Large Team Colleague

Cool; just wanted to make sure.

One suggestion though: disable the wireless/remote management option again, or anyone with half a mind who gets in range of your router will be able to have a lot of fun with your network. :eek: :eek:

DMR 152 Wombat At Large Team Colleague

Good work; I only see one item in your HJT log that needs to go. :)


1. Close all open programs, including Internet Explorer, run HJT again and have it fix:

O4 - HKLM\..\Run: [mrqapp] c:\windows\system32\qiifcvw.exe


2. Delete the c:\windows\system32\qiifcvw.exe file and empty your Recycle Bin.


3. Run ewido again to see if it finds any leftovers.


4. Reboot, run HJT again, and post a new log.