DMR 152 Wombat At Large Team Colleague

So are you saying that you managed to get it sorted out now? It isn't quite clear from what you posted.

DMR 152 Wombat At Large Team Colleague

a) Found Stuffit Expander 5.5 - worked like a charm.

Glad you were able to find the right version. :)

b) One of my problems was that I was downloading mac programs onto a PC disk using a PC.

Yes, that's a common stumbling block.

c) the 7.5.5 disk? Not useable on the Power PC.

Nope.

DMR 152 Wombat At Large Team Colleague

Is there any way to identify a keystroke logging program?

There are certainly programs which target trojan keyloggers, and even the usual suspects of SpyBot, Microsoft Antispyware beta, and ewido Security Suite accomplish this to a degree. However, identifying possible components of a keylogger "by eye" isn't something the average user is going to be able to do; after all, one of the main goals of keyloggers is to install themselves in very obscure ways in order to avoid being noticed.

In terms of a "cure all" for all of the threats that exist out there, unfortunately- no such beast exists. You do need a combination of programs, but you don't need to spend hundreds of $$ for those programs, as many free programs exist (some of which often do a better job than "pay for" products). I need to log off shortly, but I'll post some of the recommendations when we take this up tomorrow.

DMR 152 Wombat At Large Team Colleague

Hi nick123, welcome to the site. :)

Also, please go to the front counter to collect your prize- that is the ugliest log I've seen in days. :mrgreen:

Seriously though- you are pretty infested. Please perform the following general detection and removal procedures to get some of the nasties cleaned up:


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file …

DMR 152 Wombat At Large Team Colleague

No signs of Aurora, but there are some other leftovers to deal with:

1. Uninstall WeatherBug via your Add/Remove Programs Control Panel. "The Bug" contains adware/spyware components.


2. Uninstall AdwareAlert; it has a questionable reputation at best. You can read more about AdwareAlert and other disreputable and outright bogus "anti-spyware" tools here.


3. Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [kzwgjg] c:\windows\system32\wtikjwi.exe r
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)


4. Delete the following file:
c:\windows\system32\wtikjwi.exe


5. Empty your Recycle Bin, reboot, run HJT again, and post a new (and hopefully final) log.

DMR 152 Wombat At Large Team Colleague

Here's the standard Aurora removal procedure, which should clean up a few of the other things evident in your log:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and put a check next to the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

DMR 152 Wombat At Large Team Colleague

Hi Rod, welcome to the site. :)


1. Uninstall WeatherBug via your Add/Remove Programs control panel; WB has adware/spyware components.


2. In addition to the Housecall and CA online scans, run these as well:

http://www.kaspersky.com/scanforvirus.html
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. In addition to Ad Aware and SpyBot, download, install, and run the following two detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data …

DMR 152 Wombat At Large Team Colleague

Hi plankton314, and welcome :)

1. I would avoid using SpyFerret and NoAdware; both of those programs are of dubious repute. More info on those programs and other rogue/suspect "anti-spyware" programs can be found at this site.

In addition to SpyBot and SpySubtract, these are the other most-recommended and respected utilities:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/


2. Can you tell us the exact name of the trojan that Norton identified?


3. The "Aurora" infection is a pretty popular "nasty" these days. We have a fix for it though, which we'll do after performing some more general cleaning procedures (sorry for the "canned answer" here; it takes too long to rewrite this every time I post it):


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido …

DMR 152 Wombat At Large Team Colleague

Oh yes, definitely more than a few Gremlins in that log. :(

Although it looks like you've managed to remove some of the ABI/Aurora infection, let's start by going through the "official" fix. It should help to remove some of the other infections that you have as well:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save …

DMR 152 Wombat At Large Team Colleague

You've still got infections, but you need to take care of something first:

You've posted a log from a very old version (1.98.2) of HijackThis. Please download the current version (1.99.1) and post the log that version generates.

DMR 152 Wombat At Large Team Colleague

You've definitely got "unwanted guests", but just so that we don't repeat removal suggestions that you've already attempted, can you please tell us what procedures and/or utilities you've tried so far? Thanks.

DMR 152 Wombat At Large Team Colleague

You are welcome; glad we could help you get things cleaned up. :)

Here are a few things you can do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as …

DMR 152 Wombat At Large Team Colleague

1. Are you sure that is a full and complete log from a scan done while Windows was booted normally (not booted into Safe Mode)? It looks pretty "short on content" for a normal XP system running in normal mode.

If you did do the HijackThis scan in Safe Mode for some reason, please scan while booted normally and post that log; a Safe Mode scan doesn't reveal everything.


2. The following entries in your log indicate a DNS hijack.

O17 - HKLM\System\CCS\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110

What that basically means is that a virus/trojan has forced your computer to look up website locations by using malicious/bogus DNS servers instead of using your ISP's real DNS servers. The damage done there is that when you try to visit www.microsoft.com or any other legit URL, you could instead end up at www.reallysickporn.com. Fun, eh?


3. The "Security Center" warning is almost certainly bogus. If you click on the "Yes" button in the warning, you'll probably be sent to some site advertising bogus "anti-spyware" software, a porn site, or maybe both.


Please do the following to get some (and hopefully all) of the nasties cleaned up:

A) Run at least two or three of the following free online anti-virus/anti-spyware …
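
An added example, not part of DMR's post, of checking O17 entries programmatically rather than by eye. The Python below parses the three O17 lines quoted above (plus one constructed line for a second interface pointing at a legitimate resolver), compares every NameServer against an allow-list of the ISP's real resolvers, and reports which control sets carry the rogue servers. The allow-list addresses (192.0.2.53 and 192.0.2.54) are assumed placeholders; substitute the resolvers your ISP actually hands out. The CS1/CS2 hits are the part worth noticing: CurrentControlSet (CCS) is only an alias for one of the ControlSet00N keys, and "Last Known Good Configuration" boots from another, so when all of them are poisoned that boot option will not undo the hijack.

```python
"""Flag DNS-hijack indicators in HijackThis O17 entries (added example)."""
import ipaddress
import re
from collections import defaultdict

# Sample input: the three O17 lines quoted in the post above, plus one
# constructed line for a second interface that points at a legitimate resolver.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
"""

# Assumed allow-list (placeholder addresses): replace with the resolvers your
# ISP actually hands out.
ISP_DNS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

# Matches the per-interface form "HKLM\System\<set>\Services\Tcpip\..\{GUID}: Name = value".
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): (?P<name>\w+) = (?P<value>.*)$"
)


def parse_o17(log_text):
    """Yield (control_set, interface_guid, value_name, raw_value) per O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m.group("cs"), m.group("guid"), m.group("name"), m.group("value")


def check_dns(log_text, allowed=ISP_DNS):
    """Return {interface_guid: finding} for interfaces using non-allow-listed resolvers.

    A finding records the rogue servers, the control sets they appear in, and
    whether any backup set (CS1, CS2, ...) carries them too. CCS is only an alias
    for one ControlSet00N; if the others are poisoned as well, booting with
    "Last Known Good Configuration" will not restore the real DNS settings.
    """
    rogue = defaultdict(lambda: defaultdict(set))  # guid -> server -> {control sets}
    for cs, guid, name, value in parse_o17(log_text):
        if name != "NameServer":
            continue
        for token in value.split(","):
            try:
                server = ipaddress.ip_address(token.strip())
            except ValueError:
                continue  # blank or garbled value; nothing to compare
            if server not in allowed:
                rogue[guid][server].add(cs)
    findings = {}
    for guid, servers in rogue.items():
        control_sets = sorted(set().union(*servers.values()))
        findings[guid] = {
            "rogue_servers": sorted(str(s) for s in servers),
            "control_sets": control_sets,
            "in_backup_sets": any(cs != "CCS" for cs in control_sets),
        }
    return findings


if __name__ == "__main__":
    for guid, finding in check_dns(SAMPLE_LOG).items():
        print(guid, finding)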

DMR 152 Wombat At Large Team Colleague

Good job; that looks like a clean log to me. :)

Now that your log is clean, let's flush out any possible nasties that might be hiding in your System Restore folders:

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You will experience a slight delay as your change is applied and the Restore folders are being emptied; the Properties window will close automatically when the operation is complete.

5. Reopen the window and uncheck the "Turn off System Restore" box. This will re-enable System Restore and set a new, clean Restore Point.

DMR 152 Wombat At Large Team Colleague

Yeah, both Norton's and McAfee's firewalls have a tendency to get a mind of their own sometimes. They should ask you what to do when they come across a non-trusted or unknown application's request for network access, but it just doesn't always work that way... :(

DMR 152 Wombat At Large Team Colleague

Unfortunately, if you see a lot of satellite hookups in your area, that's probably a pretty good indication that you're too far out for DSL. :(

DMR 152 Wombat At Large Team Colleague

OK- you'll still need to keep the wired connection though; what I said about the wireless management restriction still stands.

- Can you at least ping the router?

- Are you sure that the router's default password hasn't been changed? Anyone with a bit of security sense would have done that when the router was first set up.

DMR 152 Wombat At Large Team Colleague

Will I now attempt to follow the steps in crunchie's most recent post?

Yes- please do that.

If after completing the steps crunchie posted, a subsequent scan with HJT still shows signs of the items we're trying to kill, please do the following:

1. Download the trial version of Ewido Security Suite from here:
http://www.ewido.net/en/download/

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do; the message is non-critical.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full scan with ewido. Save the log it generates; you'll need to post it in your next response here.


While still in safe mode:

- Run HJT and have it fix any of the following entries which still exist (ewido may have cleaned some of these up already):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

DMR 152 Wombat At Large Team Colleague

Please do the following:

1. Download the trial version of Ewido Security Suite from here:
http://www.ewido.net/en/download/

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do; the message is non-critical.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full scan with ewido. Save the log it generates; you'll need to post it in your next response here.


While still in safe mode:

- Run HJT and have it fix any of the following entries which still exist (ewido may have cleaned some of these up already):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

DMR 152 Wombat At Large Team Colleague

Having Norton running won't have caused any problems. :)

Please follow the instructions given by "29wood" in the second post of this thread. Post your results here when you have completed those steps.

DMR 152 Wombat At Large Team Colleague

Although HijackThis is far from the final word on this, I don't see anything in your log which indicates malicious infections.

Can you give us the IP address and port number associated with the suspicious connection? Post anything else in your firewall, etc. logs that might help as well.

DMR 152 Wombat At Large Team Colleague

The symptom you describe is not one that I know to be related to a particular infection, but to see if that's a possibility, here are some general (and free) detection and removal procedures you can perform:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these …

DMR 152 Wombat At Large Team Colleague

1. Open the Services utility in your Administrative Tools control panel.

2. In the list of services, locate the service named "Network Security Service", "NSS", or " 11Fßä#·ºÄÖ`I" and double-click on it.

3. In the General tab of the Properties window that opens, click the Stop button.

4. Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

5. Run HijackThis and try deleting the service again:

Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

NSS

If the operation is successful, have HijackThis fix the following entry and then locate and delete C:\WINDOWS\crru.exe:

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crru.exe

Reboot after that, run HJT again, and post a new log.

DMR 152 Wombat At Large Team Colleague

I'm not sure if this is the right forum to post this in; if not, could someone please let me know where to go?

It does sound like a hardware problem, so I'm moving this to the appropriate forum now...

DMR 152 Wombat At Large Team Colleague

Unfortunately, Windows' foreign language support can't do actual translations; it only allows you to view and/or type foreign language characters. :(

DMR 152 Wombat At Large Team Colleague

1. Sounds like the router has "auto-sensing" ports; you shouldn't have to worry about the crossover issue.


I know you said the connection didn't seem as slow when you were using DSL, but just to cover some general bases:

2.

...we have the min 4 wires run between the buildings for ethernet.

While 10/100Mb Ethernet only uses four of the wires, a Category 5 Ethernet cable (required for full 100Mb operation) usually contains eight separate wires. If the cable you ran only has four wires total, verify that it's truly a CAT5 cable.


3. A CAT5 cable's performance can be greatly degraded if the cable is stretched, twisted, kinked, etc. in any way. You might want to either run a new cable, or pull back the existing one and examine it for physical damage.


4. The "Link" lights on a switch or router are no indication of the actual signal quality; they just indicate that there's enough of a signal level present to establish a connection. You can't really rely on the lights to tell you much more than that.


5. Can you connect the office computer directly to the inter-building wire? That is, bypass the switch and any associated patch cables on the office end of things.


6. If possible, connect another computer to the office side of the connection and see if it also exhibits poor performance.

DMR 152 Wombat At Large Team Colleague

Hi rockstar_cs_32,

First of all- welcome to the site. :)

Can you give us more specific information please?

- Which exact version of Windows are you using?

- Are you using any firewall or other "Internet security"-type software?

- What steps have you already taken to try to fix the problem?

- What exact errors do you get from the different programs that have the connection problems?

DMR 152 Wombat At Large Team Colleague

If you're working with XP SP2, the first thing you should try is to completely disable the built-in Windows firewall on both machines.

DMR 152 Wombat At Large Team Colleague

Because you say that you "live in the middle of nowhere", the first thing you'll have to do is to check the availability of DSL at your particular address. The usual residential flavor of DSL has a distance limit of about 15,000' - 18,000' from the central office (where the DSL switching equipment lives). That distance is measured "as the wire runs", not "as the crow flies", and even within that limit, the actual speed of the connection will drop significantly as the distance from the CO increases toward the limit.

Also- just because a neighbor down the street has DSL does not necessarily mean that it's available to you. Depending on the physical path that your neighborhood's main telephone trunk line travels, the neighbor might be just under the limit but you might be just over it.

Assuming that you are within the limit, the next thing you should do is to ask AOL if they support the exact make/model of modem that you have. If so, once you subscribe to their service, they may just ship you a setup kit which contains a disk of their connection software and a few line filters (you need the filters to separate the voice and DSL data signals, as they both travel down the same physical phone wires). The modem might not even be an issue though; DSL and cable providers often have free installation deals which include a modem. If so, they'll just ship the modem as part …

DMR 152 Wombat At Large Team Colleague

You have the correct default user name and password, but remote administration via a wireless connection is disabled by default on those routers. You will need to connect to the router directly (via an Ethernet cable) in order to access the setup pages.

DMR 152 Wombat At Large Team Colleague

That's obviously too broad a subject to be directly answered here, but to start with, you should be able to find some references and resources at www.tldp.org.

DMR 152 Wombat At Large Team Colleague

Hi clement, welcome to the site. :)

I want to move your post into the Linux section of our forums, because your question will get more exposure there. However, to help me get a better idea of which exact Linux forum best suits your question, can you please give us a better idea of the requirements for the project and/or any specific areas in which you might be interested in focussing?

After all, "application oriented" is a pretty broad description. :mrgreen:

DMR 152 Wombat At Large Team Colleague

No problem; that's what we're here for.

Welcome to the site. :)

DMR 152 Wombat At Large Team Colleague

Hi JeannieM, welcome to the site. :)


The Community Introductions forum is just a casual place for new members to introduce themselves, but it isn't someplace where technical questions get answered. Since you definitely do have a technical problem that needs to be solved, I'm moving your post to the forum where you will get more Macromedia-savvy "eyeballs" on your question.

We're off to the Graphics and Multimedia forum; buckle up...

DMR 152 Wombat At Large Team Colleague

1. SQL is a database program; the patches mentioned don't apply to you.


2. You can't selectively delete Restore Points; you either flush them all or you don't. Also, there's nothing to say that files in the Restore Points you choose to keep might not be infected also. A bit more info on that can be found here. However, for just the reason you mention, I'd suggest waiting until your system is clean before deleting your old Restore Points.


3. The infection you have places an entry in the Windows Registry which automatically runs the malicious MSplg7.dll file every time Windows starts. This is what is making the file difficult to delete.

Please do the following so that I can (hopefully) see exactly where/what that Registry entry is:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell …

DMR 152 Wombat At Large Team Colleague

That's better; thanks.

There is only one set of entries in your log which need to be fixed, but they won't be cause of the problems you describe. They look like the result of either a prior trojan/spyware/virus/etc infection, or a simple mistake.

Run HijackThis again, put a check in the box to the left of the following items, and then hit the "Fix checked" button:

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

You can quit/close HJT after that.


Can you give us any more information concerning the problems you've described please? Anything that might give us some clues as to the possible cause would help.

- When did the problems start to occur?

- Had you added/removed/upgraded any software at around that time (think carefully)?

- Have you received any other errors aside from the "cannot find file" error? If so, please post the full and exact text of the errors.

- What exactly does happen when you try to get Windows Updates?

- …

DMR 152 Wombat At Large Team Colleague

Very good. :)

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every …

DMR 152 Wombat At Large Team Colleague

Hi computergrammy, welcome to the site. :)

We need to take care of a couple of things before we proceed:


1. Logfile of HijackThis v1.99.0

You are using an older version of HJT. Please download the latest version (1.99.1) from the link below and post a log from that version:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe


2. C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\KVLJQU7T\HIJACKTHIS[1].EXE

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that: temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

DMR 152 Wombat At Large Team Colleague

Moving to the appropriate forum now...

DMR 152 Wombat At Large Team Colleague

Were you able to remove the toolbar and/or any other "unwanted guests" that you found?

DMR 152 Wombat At Large Team Colleague

1. The HijackThis tool scans a computer and reports information about areas of the system which are known to be targeted by infections. The log it generates is useful in helping us determine what exact infections a user has, and HJT itself can (obviously) be used to help remove some of those infections. However, it isn't a good idea to follow instructions for performing fixes with HijackThis that have been posted for someone else's problems. The contents of HJT logs are specific to the system that was scanned, and the configuration of that system will almost always differ from other systems in some ways.

In addition, the names of infected/malicious files will often differ between computers, because many infections create randomly-named files in order to make it harder to detect them. That being the case, the fact that the infected computer in the post you read had a malicious file named "ptcqqwd.exe" in no way means that you'll find a file of that name on your computer, even if you were infected with the same general strain of spyware/virus/etc.


2. The infected msdirectx.sys file will return if you try to delete it; there is at least one other hidden piece of the infection which will recreate the msdirectx.sys file if it is removed.

When you get a chance, please download the free RootkitRevealer utility. Run a scan of your system with the utility (the scan will take a fair amount of time to run), …

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

For the Media Player problem:

- What is the exact error that it gives you?

- Open the Event Viewer utility in your Administrative Tools control panel and look through the System and Application logs to see if there are any error messages there which might contain more information on the problem.

DMR 152 Wombat At Large Team Colleague

Didn't forget; just the holiday weekend and all that.

The particular Qoologic variant that you have seems to be one of the newer and nastier versions; very difficult to remove.

Please do the following:

1. Download the trial version of Ewido Security Suite from here:
http://www.ewido.net/en/download/

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do; the message is non-critical.


2. Reboot into Safe Mode and run a full scan with ewido. Save the log it generates; you'll need to post it in your next response here.


3. Run HJT and have it fix:

O2 - BHO: (no name) - {27EC7A73-1DAE-2286-3EC4-DE9CB9B786A9} - (no file)
O2 - BHO: (no name) - {89FA1EB2-08ED-7251-FB49-5488A62EF444} - (no file)
O2 - BHO: (no name) - {E344A1E5-30C3-CC52-D301-FC6F53F6E17C} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unlazl.exe reg_run

4. While still in Safe Mode, Run the Killbox.

- In the "Full Path of …
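
As an added example (not code from the original posts, and not part of HijackThis itself), here is a small Python parser for the HijackThis log lines quoted in this thread. It applies three of the checks DMR performs by hand above: a process running from a Temp/Temporary Internet Files folder (the computergrammy post earlier in the thread), O2 BHO entries whose file is missing ("(no file)"), and O4 Run entries in system32 whose random-looking executable name does not match the Run value name (the KavSvc/unlazl.exe line). The sample log is constructed from the lines quoted in the thread plus a benign ctfmon.exe entry; the random-name rule is a heuristic, and, as the posts say, a log still needs a human to read it.

```python
"""Added example: parse HijackThis-style log lines and flag the patterns the
thread discusses. Not HijackThis code; the rules below are heuristics."""
import re
from dataclasses import dataclass

# Constructed sample log: the O2/O4 lines quoted in the thread, the Temp-folder
# process path from the computergrammy post, plus a benign ctfmon.exe entry.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\KVLJQU7T\HIJACKTHIS[1].EXE

O2 - BHO: (no name) - {27EC7A73-1DAE-2286-3EC4-DE9CB9B786A9} - (no file)
O2 - BHO: (no name) - {89FA1EB2-08ED-7251-FB49-5488A62EF444} - (no file)
O2 - BHO: (no name) - {E344A1E5-30C3-CC52-D301-FC6F53F6E17C} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unlazl.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<command>.*)$")
# 5-8 lowercase letters plus .exe: the shape of the randomly named droppers the
# post describes. Heuristic only; legitimate files (ctfmon.exe) look like this
# too, so it is combined with the value-name check below.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.exe$")


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def running_processes(lines):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, in_section = [], False
    for line in lines:
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def first_token(command):
    """Split the executable path off a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def names_agree(value_name, exe_basename):
    """True when the Run value name and the executable name resemble each other."""
    def norm(s):
        s = s.lower()
        if s.endswith(".exe"):
            s = s[:-4]
        return re.sub(r"[^a-z0-9]", "", s)
    a, b = norm(value_name), norm(exe_basename)
    return bool(a) and bool(b) and (a in b or b in a)


def analyse(log_text):
    """Return a list of Finding objects for the three checks described above."""
    lines = log_text.splitlines()
    findings = []
    for proc in running_processes(lines):
        if TEMP_DIR_RE.search(proc):
            findings.append(Finding("temp-process", proc,
                "running from a Temp/Temporary folder; cleanup steps will delete it"))
    for line in lines:
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("orphan-bho", line,
                    f"BHO {m.group('clsid')} is registered but its file is gone"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("command"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if ("\\system32\\" in exe.lower() and RANDOM_NAME_RE.match(base)
                    and not names_agree(m.group("value"), base)):
                findings.append(Finding("random-run", line,
                    f"system32 autorun {base} does not match its Run value name [{m.group('value')}]"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:13} {f.reason}\n    {f.line}")
```

Run it on the sample and it reports the HijackThis copy in Temporary Internet Files, the three orphaned BHO CLSIDs, and the KavSvc/unlazl.exe autorun, while leaving the ctfmon.exe entries alone. The value-name comparison is what keeps the random-name rule from flagging every short system32 executable; a real helper would also compare against a list of known-good entries.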

DMR 152 Wombat At Large Team Colleague

Run Ad-Aware SE Professional Edition in Safe Mode by holding the F8 key when starting up your computer, then run the scan. Also running Norton AntiVirus in Safe Mode is sure to take care of your problem.

Unfortunately, even that may not work. Even when run in Safe Mode, Ad Aware, SpyBot, Norton, etc. cannot deal with many of the current threats out there.

DMR 152 Wombat At Large Team Colleague

Post back with the info I asked for when you can, and good luck with getting the DSL stuff sorted out. I know how much of a pain that can be. :(

DMR 152 Wombat At Large Team Colleague

I thought .bin and .hqx come automatically with the system.

Nope; at least not with that version of Mac OS. .bin and .hqx files are compressed, so you'll need to get a decompression utility like Stuffit Expander in order to deal with them. The "Expander"-only version of Stuffit was (still is?) a free download, but unfortunately I think you might have trouble finding a download site that has a version compatible with such an old version of Mac OS.

Google for "Stuffit Expander" and see what you can come up with.

DMR 152 Wombat At Large Team Colleague

I didn't find solution from the other posts.
Thank you

Hi Vaso, welcome to our site. :)

To avoid having us suggest procedures that you've already tried, could you please give us more information on what steps you've already taken? Thanks.

DMR 152 Wombat At Large Team Colleague

You indicate that you think this to be the work of an external attacker; can you please tell us the specifics that led you to that conclusion? From what you've posted, there is no direct information from which to draw the conclusion that "this guy is in the computer". It's very possible that you do have a trojan infection or rootkit hack; but we need more to go on in order to pinpoint the culprit.

Log entries from your firewall software would help, as would any other direct clues that you have.

One time, I even had to take the battery out of the motherboard, as I believe he had some kind of hook in the BIOS that kept sending him a message or link of some kind that allowed him access to my hard drive. Is this possible?

That sounds like a bit of a stretch actually.

Now, the problem is that when I am surfing, the computer stops. No slow downs, just stops. I was using Netscape, now firefox.

Quite possibly the work of malware, but have you looked through your System and Application logs to see if there are any enlightening error messages there?

DMR 152 Wombat At Large Team Colleague

Sorry for the late response.

A) userinit32.exe is a component of a malicious infection. You can find more info and removal instructions in some of the links here:

http://www.google.com/search?hl=en&q=userinit32.exe&btnG=Google+Search


B) Media Player can get corrupted by viruses/spyware, but it can also break for other reasons. Uninstall and reinstall it and see if that clears things up.


C) Some general things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

DMR 152 Wombat At Large Team Colleague

Welcome to the site Charliebot!
Questions? Ask away- we're here to help. :)