DMR 152 Wombat At Large Team Colleague

That log is clean. :)

The Nail.exe entry in the HijackThis log is sometimes just a "leftover"; the Nail.exe file itself was probably deleted in the cleaning process.

Try deleting the icon, and let us know if you're still seeing any suspicious behaviour.

DMR 152 Wombat At Large Team Colleague

Welcome to the site, catherine! :)

DMR 152 Wombat At Large Team Colleague

well, I searched for ssk*.* and the only result I got was "C:\Documents and Settings\me\application data\sskcwrd.dll". I also tried searching for ssk.log and
SAHUninstall.exe, but found no results.

OK- different versions of the infection install different files; in your case, C:\Documents and Settings\me\application data\sskcwrd.dll is definitely one we need to get rid of.
Just to make sure that sskcwrd.dll is the only infectious file in C:\Documents and Settings\me\application data, please open Explorer again and have a direct look in that folder; the infection often drops at least one more malicious file in there.
HINT: aside from a "desktop.ini" file, there should normally be very few (if any) files "loose" in a user's Application Data folder; legit files are almost always contained within subfolders of the main App Data folder.

If you do find other suspicious files in the App Data folder, please give us their names.
If sskcwrd.dll is the only suspect you find, do the following:

1. Download The Killbox, save it to your desktop, and double-click on it to run it.

2. Paste the following into the "Path of file to delete" box:
C:\Documents and Settings\me\application data\sskcwrd.dll

3. Select the "Delete on reboot" and "Unregister dll before deleting" options, and then click on the button with the red circle and an X in the middle.

4. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and let …

DMR 152 Wombat At Large Team Colleague

You're welcome- just send me $50 and we'll call it even. :cheesy:


Seriously though, post the ewido scan when you can and I'll look it over.

DMR 152 Wombat At Large Team Colleague

Bummer.

Oh well- sometimes a reinstall is necessary... we're talking about Windows, after all. :(

DMR 152 Wombat At Large Team Colleague

That's a clean log. :)

However, I'd suggest one thing:

The Messages Plus! 3 program has a "sponsored" installation mode which will install adware containing the Lop infection. If you aren't sure if you chose to install the program with or without the "sponsor", uninstall it and reinstall without the sponsor option.

DMR 152 Wombat At Large Team Colleague

DMR. That proxy may also be the cause of the problem too. I have noticed that a lot of programs like spywareblaster can only update with a direct connection.

Yeah, exactly; that's one of the places I was going with that one. Another thing I found suspicious is that an nslookup and whois search on the 90.0.0.1 IP address in the proxy entry did not turn up anything in regard to a domain name.

DMR 152 Wombat At Large Team Colleague

...not sure if i would actually trust the site enough to download an uninstall program as well

Sometimes those uninstallers actually do work, but personally I'm with you on that one- it just seems too much like the thief who robbed your house asking if he can come back while you're gone so that he can return your items. :rolleyes:

In any event, you might want to post a HijackThis log for us to review anyway, just to make sure there are no "leftovers" lurking around on your system.

DMR 152 Wombat At Large Team Colleague

I don't see anything obviously nasty in that HijackThis log, but it would probably be a good idea to run ewido again and give us that log as well.

DMR 152 Wombat At Large Team Colleague

Run HijackThis again and post a new log. The log might give some clues regarding the "grey page" problem.

DMR 152 Wombat At Large Team Colleague

A) Turn off Ad Aware's Ad-Watch feature for now; it might actually be blocking some of changes we're trying to make.


B) SurfSidekick doesn't fully uninstall when you try that through the Add/Remove Programs control panel; it has some hidden components that will cause it to come back (as you've already found out). Please do the following so that we can determine which components your particular version of the infection is using:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Click Explorer's Search button. In the Search pane, Click on "More advanced options" and make sure the System, Hidden, and Subfolders search options are checked/selected.

- In the "Look in:" box, select your C: drive.

- In the "All or part of filename" box, enter the following and then click Search:

ssk*.*

Post the full pathnames of all files found (for example: C:\Documents and Settings\me\application data\sskknwrd.dll)

Also search for, and give us the locations of:
ssk.log
SAHUninstall.exe


C) To verify that the C:\WINDOWS\system32\jalkqg.exe and C:\WINDOWS\system32\jalkqgaeg05.dll files have been deleted, have Windows Explorer set to show hidden files as I described above and look through your C:\WINDOWS\system32 folder to see if the files still exist. If they do, try to delete them manually.


D) You're right; …
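The Explorer search in part B above (ssk*.*, then ssk.log and SAHUninstall.exe) and the "loose files in Application Data" check from the earlier sskcwrd.dll post, done as a script rather than by hand. This is an added example, not something posted in the thread or shipped with any tool it mentions. The directory tree it scans is constructed inline so it runs anywhere; the assumption that desktop.ini is the only file legitimately sitting loose in Application Data is taken from the hint in that earlier post.

```python
"""Sweep a drive for SurfSidekick-style leftovers (added example, constructed data).

Two checks, mirroring the manual Explorer procedure in the thread:
  1. every file whose name matches a wildcard such as ssk*.*, matched
     case-insensitively and including files Explorer would normally hide
     (os.walk does not honour Explorer's hide settings);
  2. files sitting "loose" directly in a user's Application Data folder,
     where only desktop.ini is expected.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumption from the thread: only desktop.ini is legitimately loose in App Data.
APPDATA_ALLOWLIST = {"desktop.ini"}


def find_by_pattern(root, pattern):
    """Sorted posix-style relative paths of all files under root whose
    name matches pattern, ignoring case (Windows file names are case-insensitive)."""
    pattern = pattern.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if fnmatch.fnmatchcase(name.lower(), pattern):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def loose_files(appdata_dir, allowlist=APPDATA_ALLOWLIST):
    """Files directly inside appdata_dir (not in subfolders) that are not
    on the allowlist; anything returned deserves a second look."""
    return sorted(
        p.name for p in Path(appdata_dir).iterdir()
        if p.is_file() and p.name.lower() not in allowlist
    )


def build_sample_tree(base):
    """Constructed sample layout imitating a Windows XP drive. The file
    names come from the thread; their placement here is made up for the demo."""
    files = [
        "Documents and Settings/me/Application Data/desktop.ini",
        "Documents and Settings/me/Application Data/sskcwrd.dll",
        "Documents and Settings/me/Application Data/Microsoft/Word/normal.dot",
        "WINDOWS/system32/SSKKNWRD.DLL",   # mixed case: must still match ssk*.*
        "WINDOWS/system32/ssk.log",
        "WINDOWS/system32/kernel32.dll",   # legitimate, must not match
        "Program Files/SAHUninstall.exe",
    ]
    for rel in files:
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return Path(base)


def sweep(root):
    """Run both checks against a drive root and return the findings."""
    root = Path(root)
    appdata = root / "Documents and Settings" / "me" / "Application Data"
    return {
        "ssk_files": find_by_pattern(root, "ssk*.*"),
        "other_named": find_by_pattern(root, "ssk.log")
        + find_by_pattern(root, "SAHUninstall.exe"),
        "loose_in_appdata": loose_files(appdata),
    }


def demo():
    """Build the constructed tree in a scratch directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}:")
        for item in paths:
            print("   ", item)
```

To use it against a real drive, call `sweep("C:\\")` from an account that can read every user's profile; the Explorer "show hidden files" settings are irrelevant because the script walks the file system directly.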

DMR 152 Wombat At Large Team Colleague

1. Turn off the router, modem, and both computers.

2. Plug both computers into the router via the wired Ethernet ports.

3. Turn on the modem; wait for it to fully initialize.

4. Turn on the router; wait for it to fully initialize.

5. Turn on both computers; wait until Windows has fully finished with its startup process.

6. On the XP machine, click on the "Run..." option under your Start menu, type the following, and then hit enter:

cmd

In the DOS window that opens, type the following command and then hit Enter:

ipconfig /all

Post the full and exact information that the ipconfig command gives you.

7. On the 98 machine, click on the "Run..." option under your Start menu, type the following, and then hit enter:

command

In the DOS window that opens, type the following command and then hit Enter:

winipcfg

Post the full and exact information that the winipcfg command gives you.

DMR 152 Wombat At Large Team Colleague

Well that's a heck of a lot cleaner now. :)

Unfortunately though, the new log still has a few loose ends, as well as an indication of a trojan, which wasn't present in your previous logs.

1. Run HJT and have it fix:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F3D8DFCC-C963-F6D5-205B-07D798983E90} - C:\WINDOWS\system32\d3ya32.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthp.exe" /s (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


2. Reboot into Safe Mode again

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for the following files and delete them if found:
C:\WINDOWS\system32\d3ya32.dll
C:\WINDOWS\nthp.exe
C:\Program Files\WinPcap\rpcapd.exe (you can actually delete the entire WinPcap folder)

- Empty your Recycle Bin and reboot normally.


3. Run at least two of the following online anti-virus/anti-spyware scans and let them fix what they find:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


4. General (and hopefully final) cleanup:

- In addition to ewido, download, install, …

DMR 152 Wombat At Large Team Colleague

OK, let's try this:

Download and run the Killbox utility.

In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, select the "Standard File Kill" option, and then click on the button with the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box:

C:\WINDOWS\system32\mrhkmr.exe
c:\windows\system32\aqyjnzxc.exe (<- or whatever filename it has morphed into)
C:\Program Files\Cas\Client\casclient.exe

- Repeat the above procedure for this file as well, with the following modification: in addition to selecting the "Standard File Kill" option, also select "Unregister dll Before Deleting" before clicking the red X (delete) button:

C:\WINDOWS\system32\lDprxy.dll

If you are unable to delete a file, just note its name and continue with the rest of deletions.


Reboot, post a new HJT log, and let us know what results you got with the Killbox.

DMR 152 Wombat At Large Team Colleague

Post the results when you can; one of us should be around to respond when (or shortly after) you do. :)

DMR 152 Wombat At Large Team Colleague

Looks good; I see only two "loose ends" that should be cleaned up. :)

Have HJT fix:

F2 - REG:system.ini: UserInit=userinit.exe,
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FE} - http://217.73.66.1/minidialler/mddl...899420_RMIL.exe

DMR 152 Wombat At Large Team Colleague

You've got a bit more than Aurora. :(

You need to take care of one thing before we continue:

C:\DOCUME~1\me\LOCALS~1\Temp\Rar$EX86.313\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder ( C:\Documents and Settings\me\Local Settings\Temp). Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've moved HJT to a safe folder, please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the …

DMR 152 Wombat At Large Team Colleague

1. You are running Sygate's Personal Firewall, which is the most likely culprit in terms of SpywareBlaster's connection problem. Disable the firewall completely and try SpywareBlaster again. If it connects, you'll have to manually configure Sygate to allow SpywareBlaster to connect.


2. The following entry in your log indicates that you are not connecting directly to the Internet, but are instead being routed through a proxy server first. Can you give us more information on that please?:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128

DMR 152 Wombat At Large Team Colleague

"Canned instructions" for HijackThis:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Hi Marcus763,

First of all- welcome to our site. :)

You definitely have a variant of the "about:blank" family of infections, and possibly one or two other infections as well.

We'll need to run a few automated removal tools in order to clean things up most thoroughly. Please do the following:


1. Download and install these three about:blank removal tools into their own separate folders:

CWShredder

HSRemove
about:Buster


2. Open CWShredder and about:buster and click each program's Update button to install the latest detection definitions. Do not run a scan with either program yet; just close each one when it has finished installing its updates.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open CWShredder and run it by clicking the "Fix" button. Close the program when it finishes with its fixes.

- Open about:buster and click the "Begin Removal" button. Close it when it finishes.

- Open HSRemove and click "Scan and Remove". Close it when it finishes.


4. While still in Safe Mode:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed …

DMR 152 Wombat At Large Team Colleague

1. Since we don't have any info on the programs mentioned in the "040" log entries, let's leave them alone for the moment.

2. Does the system freeze while you're booted into Safe Mode? (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

3. The MBR/partition table change sounds abnormal; regular programs (except partitioning tools like Partition Magic) don't make changes to that area of your hard drive. Does AVG give you any more specific information on that message?

4. The O2-BHO entries you listed are all legit. The first (the "no name") entry is a component of the SpyBot utility, and yes- the last entry is related to your ISP's software.

DMR 152 Wombat At Large Team Colleague

1.

I am not able to access my Internet Explorer...

I guess that would make it rather difficult for you to follow the instructions I posted, eh? Sorry about that- I'm often juggling a few different threads at the same time and sometimes get my responses confuzzled. :o


2. Your inability to get online or to use Windows Explorer properly is going to make this a bit difficult. I'll need to see what info I can find on the infected files you listed and what removal options I can come up with.

In the meantime, can you tell us the actual names of the trojans (not just the names of the infected files) that McAfee says you're infected with? If you can also tell us the locations/folders in which the infected files are found, that would help as well.


3. Run HijackThis again and have it fix:

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe


4. If you can use Windows Explorer at all, open it and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Navigate to the C:\WINDOWS\System32\hookdump.exe file, delete it, and Empty your Recycle Bin.

DMR 152 Wombat At Large Team Colleague

You're welcome; glad you got it sorted :)

Can you please post a final HJT log for us to look at, though? Some of these infections can be very persistent, and can "respawn" themselves if not fully removed.

DMR 152 Wombat At Large Team Colleague

Hi John,

Please try to be patient. This particular forum is very busy, and we're more than a bit short-handed in terms of troubleshooters. Also, those of us who do help out do so on a purely volunteer basis, and real life responsibilities such as jobs, family, or school sometimes don't leave us with much free time to dedicate to our efforts here.


You will need to disconnect from the Internet for most of the following procedures, so you should print out these instructions or save them into a text file using Notepad.

1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Run HijackThis again and have it fix:

O2 - BHO: (no name) - {27EC7A73-1DAE-2286-3EC4-DE9CB9B786A9} - (no file)
O2 - BHO: (no name) - {89FA1EB2-08ED-7251-FB49-5488A62EF444} - (no file)
O2 - BHO: (no name) - {E344A1E5-30C3-CC52-D301-FC6F53F6E17C} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unlazl.exe reg_run


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Run the Killbox. In the "Full Path of File to Delete" box, copy and paste each of the …

DMR 152 Wombat At Large Team Colleague

1)

When safe-mode deleting all the cookies, temps, history etc. There was one file "Index.dat" or "index" that would not delete. It said "can not delete, file in use by other program"

Right; that's OK. There's a note in my instructions which explained that:

"If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main folders themselves; this is normal and OK."

2) Open a DOS box by typing "command" (omit the quotes) in the "Run.." option under your Start button menu.

At the command prompt in the DOS window, type the following two commands, hitting Enter after each:

regsvr32 /u C:\WINDOWS\system32\lDprxy.dll

regsvr32 /u "C:\Program Files\Cas\Client\casmf.dll"

Close the DOS window after the second command completes.

3) Run HijackThis.

In the main HJT window, click the "Misc Tools" button and in the resulting window click "Open Process manager"

While holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

mrhkmr.exe
aqyjnzxc.exe
casclient.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

4) Scan with HJT and …

DMR 152 Wombat At Large Team Colleague

Glad we could help you get it sorted out. :)

DMR 152 Wombat At Large Team Colleague

Glad you finally got it to work. :)

The difference in GBs that you're seeing is mostly due to the fact that Windows and drive manufacturers use two different number/counting systems; binary and decimal. This results in the real, usable size of the drive being some percentage less than the size of the drive as advertised by the manufacturers. Because the difference is percentage-based, the actual difference in the amount of reported disk space can get quite sizable when you start working with multi-GB drives (over 17G for a 250G drive).

It's a bit confusing if you're only used to using our normal (decimal) counting system, but a bit more of an explanation can be found here:

http://personal-computer-tutor.com/abc3/v30/vic30.htm

DMR 152 Wombat At Large Team Colleague

You're welcome; glad that worked for you. :)

DMR 152 Wombat At Large Team Colleague

You're welcome; glad that worked for you. :)

DMR 152 Wombat At Large Team Colleague

Yes- try the reg fix again in Safe Mode.

DMR 152 Wombat At Large Team Colleague

I don't recommend deleting the file as it may be critical to your systems function.

That file is dropped/created by the trojan; it should be deleted.

Simply deleting the file will not, however, remove the infection itself. Infections usually drop several different components and make several modifications to your Registry in order to make it more difficult to eradicate them. If you do not fully clean the infection, chances are very good that it will simply "respawn" itself. Additionally, if you've identified one infection on your computer, you probably have other "unwanted guests" as well.

Here are some general virus/spyware/etc. detection and removal steps that you can try:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into …

DMR 152 Wombat At Large Team Colleague

1. Please uninstall WeatherBug and Surf Sidekick through your Add/Remove Programs control panel; both programs have adware/spyware components.


2. Please follow these Aurora removal instructions fully and carefully:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet …

DMR 152 Wombat At Large Team Colleague

Hi marksummy,

First of all- welcome to the site. :)

The files you mention are pieces of the evil Aurora infection, although it looks, judging from your log, that you've been able to remove some of that infection already.

To start with, please follow these Aurora removal instructions fully and carefully:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and …

DMR 152 Wombat At Large Team Colleague

lol. :mrgreen:

Welcome to the site dark7angelx07. :)

DMR 152 Wombat At Large Team Colleague

Hi Sundown, welcome aboard! :)

DMR 152 Wombat At Large Team Colleague

You're welcome :)

How do things seem to be running now? If everything seems like it's back to normal, I'll call this one good and mark it as Solved.

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in quite a long time, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

Awww, and I was having such a nice day. Oh well...

[img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/possessed.gif[/img]

DMR 152 Wombat At Large Team Colleague

That's better; the main indications of Aurora have been removed. However,

A) There are still a couple of signs of infections:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
O4 - HKLM\..\Run: [oyzjbu] c:\windows\system32\nadsxw.exe

The first entry is indicative of an infection by a variant of the StartPage trojan. The second entry is also malicious, but the gibberish/random oyzjbu and nadsxw.exe names will change each time you reboot, making it hard to delete. There is probably also a hidden "mother file" which is creating the randomly-named .exe; we'll need to kill that file as well or the infection will respawn itself.


B) The Aurora removal instructions asked that you also post the log from your ewido scan. Can you do that now please?


C) It's time for a few more automated detection and removal tools. Please do the following:


1. Run at least two or three of the following online anti-virus/anti-spyware scans. Choose their "auto clean" (or similar) option to have them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix …
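Several posts on this page read HijackThis entries the same way: an O2 BHO or O23 service marked "(no file)" or "(file missing)" is an orphaned registration, an R1 Default_Search_URL pointing at a res:// resource is a StartPage-type hijack, a randomly named O4 executable such as nadsxw.exe will rename itself on each reboot, a ProxyServer entry pointing at 90.0.0.1:3128 deserves a question, and an O16 ActiveX download from a bare IP is worth removing. The script below encodes those calls as rules and runs them over a sample log. It is an added example, not part of the thread or of HijackThis; the sample log is constructed from entries quoted in this thread plus three benign lines, and the heuristics (the vowel-ratio test for random names, the allowlists) are assumptions that will produce false positives, so a hit means "look closer", not "delete".

```python
"""Triage a HijackThis (HJT) log (added example, constructed sample data)."""
import ipaddress
import re
from urllib.parse import urlparse

VOWELS = set("aeiouy")
# Assumption: executables normally started straight out of system32 by a Run key.
KNOWN_SYSTEM32_STARTUP = {"ctfmon.exe", "rundll32.exe"}
BROWSERS = {"iexplore.exe"}


def looks_random(stem):
    """Heuristic: six or more letters with at most one vowel in three (e.g. nadsxw)."""
    s = stem.lower()
    return len(s) >= 6 and s.isalpha() and 3 * sum(c in VOWELS for c in s) <= len(s)


def _exe_from_command(cmd):
    """First executable in a Run-key command line, quoted or bare."""
    m = re.match(r'^"([^"]+)"|^(.*?\.exe)', cmd.strip(), re.I)
    return (m.group(1) or m.group(2)) if m else None


def _is_local(host):
    """Private/loopback IPs and unqualified host names count as local (assumption)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost" or "." not in host
    return ip.is_private or ip.is_loopback


def triage_line(line):
    """Return a reason string if the HJT line deserves attention, else None."""
    m = re.match(r"^(R\d|F\d|O\d{1,2}) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    low = body.lower()
    if kind in ("R0", "R1"):
        if "proxyserver =" in low:
            target = body.split("=", 1)[1].strip()
            if not _is_local(target.rsplit(":", 1)[0]):
                return f"proxy points at non-local address {target}; confirm it is intentional"
        if "search_url = res://" in low or "search page = res://" in low:
            return "search page redirected into an embedded res:// resource (StartPage-style hijack)"
        if low.endswith("= about:blank"):
            return "about:blank hijack residue"
        return None
    if kind == "R3" and "is missing" in low:
        return "default URLSearchHook removed; let HJT restore it"
    if kind == "F2" and low.startswith("reg:system.ini: userinit=") and body.rstrip().endswith(","):
        return "UserInit ends in a dangling comma: a second loader was chained here and later removed"
    if kind == "O2" and ("(no file)" in low or "(file missing)" in low):
        return "BHO registered but its DLL is gone: orphaned registration"
    if kind == "O4":
        m4 = re.match(r"^.*?: \[[^\]]*\] (.*)$", body)
        exe_path = _exe_from_command(m4.group(1)) if m4 else None
        if not exe_path:
            return None
        folder, _, exe = exe_path.replace("/", "\\").lower().rpartition("\\")
        if exe in KNOWN_SYSTEM32_STARTUP:
            return None
        if looks_random(exe.rsplit(".", 1)[0]):
            return f"random-looking startup executable {exe}; expect it to be renamed on each reboot"
        if folder.endswith("\\system32"):
            return f"{exe} launched straight from system32 by a Run key; unusual for legitimate software"
        if exe in BROWSERS:
            return f"{exe} registered to start at logon; browsers do not normally do this"
        return None
    if kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return None
        return f"ActiveX download served from a raw IP address ({host})"
    if kind == "O23":
        reasons = [r for flag, r in (("(file missing)", "binary missing"),
                                     ("unknown owner", "no vendor")) if flag in low]
        if any(not 32 <= ord(c) <= 126 for c in body):
            reasons.append("garbled service name")
        if reasons:
            return "orphaned/suspicious service: " + ", ".join(reasons)
    return None


def triage_log(text):
    """Return [(line, reason)] for every log line that tripped a rule."""
    findings = []
    for ln in text.splitlines():
        reason = triage_line(ln)
        if reason:
            findings.append((ln.strip(), reason))
    return findings


# Constructed sample: entries quoted in this thread plus three benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {27EC7A73-1DAE-2286-3EC4-DE9CB9B786A9} - (no file)
O2 - BHO: Class - {F3D8DFCC-C963-F6D5-205B-07D798983E90} - C:\WINDOWS\system32\d3ya32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unlazl.exe reg_run
O4 - HKLM\..\Run: [oyzjbu] c:\windows\system32\nadsxw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FE} - http://217.73.66.1/minidialler/mddl...899420_RMIL.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthp.exe" /s (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{entry}\n    -> {why}")
```

Of the seventeen sample lines, fourteen trip a rule; the Google start page, the Adobe BHO and the ctfmon.exe Run entry pass. The random-name test deliberately sits behind the system32 allowlist because legitimate short names such as ctfmon would otherwise trip it, which is the kind of false positive a person reading the log filters out by recognition.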

DMR 152 Wombat At Large Team Colleague

Go through the instructions I posted fully and carefully, and respond when you can. It doesn't matter if it takes a few days; we won't lose track of you (this forum will automatically notify me when you make your next post).

DMR 152 Wombat At Large Team Colleague

i would appreciate if stupid people would not comment on my profanity and whatever else i want to do. this site sucks anyway. i haven't gotten any help i think i should go find a site that ACTUALLY helps! :twisted:

dlav3nd3r,

You posted your question in someone else's thread, apparently posted some profanity in that post, and now you're posting an abusive response. Nothing in Christian's post was deserving of such a reaction from you, and to be honest with you, the behaviour you've exhibited here won't get you much help on any technical support site.

DMR 152 Wombat At Large Team Colleague

Very good- your log is clean now. :)


Here are some general things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security loopholes, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as …

DMR 152 Wombat At Large Team Colleague

DeskMate needs to go as it is [BargainBuddy] adware related.

Thanks mate; I missed that one. :o

You should also be rid of Bearshare.

Agreed. As I said earlier, peer-to-peer filesharing programs/networks are primary conduits for spyware and adware (not to mention the legal "piracy" issues); avoid using them.

Aside from that I see nothing else, but I will leave the final clearance to DMR.

Aside from DeskMate, that log looks good to me. :)


Atreyu,

Here are a few general things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security patches and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security loopholes, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found …

DMR 152 Wombat At Large Team Colleague

Well, like if I could make a forum.

If you're asking if a member can create a new forum within this site, no; that's an admin function. However, we do take input from members into consideration when we're planning forum modifications, so if you have a suggestion, feel free to post it in our News and Feedback forum.

Or how to upload an avatar!

Modifying your avatar/signature and customization of other profile options is done through your User Control Panel. To get to the main page of your personal User CP, just click the Control Panel link at the very top of our pages.

To upload a custom Avatar, click on the Edit Avatar link at the left of the CP page. In the resulting Avatar page you can choose an avatar from one of our pre-existing categories, or, you can follow the directions at the bottom of the avatar page to upload or link to a custom avatar of your own. Note that the size limit for custom avatars is 120 by 120 pixels or 53.7 KB (whichever is smaller).

DMR 152 Wombat At Large Team Colleague

1. The only obvious "malicious" entry in your log is this:

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

Wild Tangent programs come bundled with adware/spyware: I would suggest you remove those programs through your Add/Remove Programs control panel.


2. You might want to reconsider your use of SpyKiller and Best Popup Stopper; those programs are of questionable repute to say the least. Please visit the following site for much more information on recommended vs "bogus" anti-spyware programs:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


3. Aside from that though, I see nothing in your log which would account for general "slowdowns". Can you provide us with any more specific information which might give us clues?

DMR 152 Wombat At Large Team Colleague

There is a standard Aurora removal procedure now, but judging from your HJT log, it doesn't look like you've done it yet:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default …

DMR 152 Wombat At Large Team Colleague

One question does beg asking there- why do you not have root access on a machine upon which you are trying to install a rather major piece of software?

DMR 152 Wombat At Large Team Colleague

You've stated your view clearly in this topic. Why do you need to repeat it on numerous subsequent occasions when others express conflicting outlooks?

Elementary my dear CatWatson: it is simply what jwentings do here.
Certainly you've followed his history of opinionated rants and studied his behaviour here in general long enough to know that, have you not? ;)

DMR 152 Wombat At Large Team Colleague

I probably should extend that to include...

No kidding- Amen to that.

DMR 152 Wombat At Large Team Colleague

There's one leftover from the Aurora infection, but other than that your latest log is clean. :)

Please do the following to remove the leftover:

- Open HijackThis again and click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

- Reboot, run HJT again, and verify that the following entry is no longer present:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

If it is still present, or if you got any errors during the deletion process, let us know.
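The HijackThis "Delete an NT service" step above removes a service registration whose executable has already been cleaned away, which is exactly what the "(file missing)" marker on an O23 line means. As an added example (not part of the original post, and not HijackThis' own code), the following PowerShell does the same two things on a modern Windows box: it lists every service whose binary no longer exists on disk, and it deletes a named orphan with sc.exe, then checks whether its registry key is gone. It assumes Windows PowerShell 5.1 or later running elevated; the service name `svcproc` is the one from the log above, and the helper names are my own.

```powershell
# Added example, not from the original thread. Requires an elevated PowerShell session.

function Get-OrphanedService {
    # Return services whose registered executable does not exist on disk
    # (the condition HijackThis reports as "(file missing)" on O23 lines).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }

        # PathName may be quoted, may carry arguments, and may use the \??\ prefix
        # or an environment variable, so normalise it down to just the executable.
        if ($raw -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            # Unquoted: assume arguments start with " -" or " /" (svchost -k, foo.exe /service).
            $exe = ($raw -split '\s+-|\s+/')[0].Trim()
        }
        $exe = $exe -replace '^\\\?\?\\', ''
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                State       = $_.State
                Path        = $exe
            }
        }
    }
}

function Remove-OrphanedService {
    # Delete one service registration by name; equivalent to HJT's "Delete an NT service".
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        Write-Warning "No service named '$Name' is registered."
        return
    }

    # A service with a missing binary cannot normally be running, but stop it if it is.
    if ($svc.State -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }

    # sc.exe is used rather than Remove-Service because the latter only exists in PowerShell 6+.
    & sc.exe delete $Name

    # The key under HKLM\SYSTEM\CurrentControlSet\Services is removed when the last handle
    # closes; if it is still present here, reboot and re-run Get-OrphanedService to confirm.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path -LiteralPath $key) {
        Write-Warning "Registry key $key still present; it should disappear after a reboot."
    } else {
        Write-Host "Service '$Name' removed."
    }
}

# Usage:
#   Get-OrphanedService | Format-Table -AutoSize
#   Remove-OrphanedService -Name 'svcproc'
```

Treat the Get-OrphanedService output as a review list, not a kill list: a legitimate service can also point at a missing binary after a botched uninstall, so confirm each entry (name, display name, original path) the way the O23 line above was confirmed before deleting it. On the Windows XP systems this thread is about, PowerShell was not installed by default; the HijackThis route in the post, or `sc delete svcproc` from a Command Prompt, does the same job there.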