DMR 152 Wombat At Large Team Colleague

Regardless of the specifics of the drive problem, having multiple Burning and emulation programs installed is a recipe for disaster.

Agreed; you're almost begging for software conflicts by installing multiple multimedia applications which want control over the same physical drive.

DMR 152 Wombat At Large Team Colleague

First up. Emergency action.

There should be a tiny round hole at front of the unit. With the PC turned off, unfold a metal paperclip, poke it in the hole and manually eject the CD that's in the drive.

Erm... didn't Kramerica and I post that info a few hours ago? :mrgreen:

Second up: Solving the problem

This behaviour is most often a software fault, and occurs when CD burning software confuses Windows. Uninstall all CD burning software....

True. If the drive is getting power, the BIOS correctly detects it, and Device Manager either doesn't show the drive or reports that there are problems with the drive, here is a description and a solution for the most common software-related cause of that (from a previous post of mine concerning a similar problem):

An explanation and fix for the most common cause of what you describe can be found here:

http://support.microsoft.com/kb/q270008/

Although the article pertains to Win 2000, I've seen the problem occur with XP as well; the fix described for Win 2000 works for XP.

Please note that although the article only refers to the "UpperFilters" and "LowerFilters" entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet registry subkey, I've had to apply the fix to the similar entries (if found) in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys as well in order to make it work.

DMR 152 Wombat At Large Team Colleague

Giving us specific info about the computer and its configuration would really help (it wouldn't be a Dell by any chance, would it?), but here are a couple of general thoughts:

1. "Cover previously removed" is just a warning message that some computers will give you to indicate that the case has been opened before. The "warning" is harmless, and you should find a place in your BIOS to turn that notification off.

2. If the computer only has one drive installed, it will be "Drive 0". Again- look in the BIOS for anything related to detection of a second (possibly SATA) hard drive. If you find such an option enabled but have no second drive installed, disable that option.

3. It is perfectly normal for the BIOS to identify installed hard drives as "Auto" or "Auto detected".

DMR 152 Wombat At Large Team Colleague

kashfkb, I've merged your two threads into one. Creating a new topic for each useful website you find would result in a fair few threads cluttering up the forum, so it's better to keep it all together. ;)

Please post future useful networking links in this thread for now.

Yes, please do that. The Tech forums are really for solving specific questions/problems that our members are having. Scattering "check out this great site!" types of posts (regardless of how helpful the links you give may be) in those forums is not something we encourage, for the reason of "clutter" that CM mentioned.

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

When I typed in the unregistration command prompt instruction, it stated that the casmf.dll file could not be found.

Try using the full path of the file when you unregister it:

regsvr32 /u "C:\Program Files\Cas\Client\casmf.dll"

DMR 152 Wombat At Large Team Colleague

i think i got everything.

Almost ;)

1. Run HJT again and have it fix:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKCU\..\Run: [zmmm] C:\PROGRA~1\COMMON~1\zmmm\zmmmm.exe


2. Delete the entire C:\Program Files\Common Files\zmmm folder.


3. Empty your Recycle Bin and reboot.


4. Run HijackThis again and post the new log.

DMR 152 Wombat At Large Team Colleague

Please do the following:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be …

DMR 152 Wombat At Large Team Colleague

You may not be seeing Aurora popups anymore, but pieces of the infection still exist on your computer (drpmon.dll is one; nail.exe is another).

I would also suggest uninstalling the MessengerPlus! 3 program; it comes bundled with spyware/adware. Also, just FYI- your filesharing and game downloads are probably what got you infected in the first place.


ewido has removed some of the Aurora infection, but you need to go through the full Aurora removal procedure:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

Open ewido and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very …

DMR 152 Wombat At Large Team Colleague

Please complete the following steps; they should clean up some of the things that HijackThis alone isn't going to be able to clean:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. You have SpyBot already; in addition to that, please download, install, and run the following detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating …

DMR 152 Wombat At Large Team Colleague

Hi Atreyu, welcome to the site. :)

Unfortunately, you didn't post the full contents of your HijackThis log (the top half is missing). Please do this:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

DMR 152 Wombat At Large Team Colleague

In addition to Ad Aware and SpyBot, download, install, and run:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

Open each program, use its online update feature to get the most current definitions installed, and run it. After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find.

The ewido utility will generate a report log; save that file and copy/paste it into your next post.

If you have trouble running the utilities while booted into Windows normally, run the utilities while booted into Safe Mode instead (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

DMR 152 Wombat At Large Team Colleague

You are infected with a variant of the Qoologic trojan downloader. Please do the following:

Download the FindQoologic-Narrator.zip and save it to your Desktop.
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981

1. Extract (unzip) the files inside into their own folder called FindQoologic.
2. Open the FindQoologic folder.
3. Locate and double-click the Activesetup.vbs file to run it.
Please wait until a "Finished" message appears.

* When the set-up is complete a file named "Activesetup components[Machine ID][date].txt" will have been saved in the FindQoologic folder.

4. Locate and double-click the Find-Qoologic.bat to run it.

* The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".
* Save this text file in the FindQoologic folder.


5. Open the "Activesetup components[Machine ID][date].txt" file and the file you saved and copy / paste their contents to this thread (as a reply).

DMR 152 Wombat At Large Team Colleague

Hi stefan, welcome to our site. :)

To start with, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

You've definitely got the Aurora infection, but you've got a lot of nasties as well. Please do the following before we move on to the specific Aurora fix:

1. Go to your Add/Remove Programs control panel and uninstall any of the following programs if you find them listed there:

180 Solutions
Bullseye Network
Wild Tangent
Media Access
Viewpoint
WebHancer


2. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and …

DMR 152 Wombat At Large Team Colleague

That's a clean log now. :)

The name of the hp9C75.tmp file seemed to change at each power up so I used "delete C:\WINDOWS\System32\hp*.tmp"

Yes; good call. Many infections "morph" the names of their files on reboot to make it harder to detect and remove them.


The "Download, install, and run CleanUp!" couldn't be performed as the site appears to be suspended... Also, "http://www.zerosrealm.com/" seemed unavailable.

Right on both counts- the sites are down. As an alternative to the Cleanup! program, you can use CCleaner instead.

Odd things that occurred:
The CHKDSK function fixed something after rebooting when the machine crashed when trying to operate in safe mode by
pressing F8.

CHKDSK will run automatically after the system crashes in certain ways and try to fix any data/filesystem corruption that might have occurred because of the shutdown. This is normal.

The 'Appearance and Themes' list for one of the users has lost the tabs that enable the desktop background
and the computer's theme to be selected. Only options are to change resolution or select a screen saver. Any clues as to what this is?

That alteration to your Display properties is the work of the smitfraud infection. See if this fixes the problem:


1. Download the following reg file by right-clicking on the link and choosing Save As. Save this file to your Desktop.

Smitfraud Fix Reg File

2. When it …

DMR 152 Wombat At Large Team Colleague

Hi ~Princessy707~, welcome to the site! :)

What sort of tips are you looking for? Let us know, and we'll help you out.

DMR 152 Wombat At Large Team Colleague

The drive might simply have failed, but:

1. Does the BIOS "see" the physical drive, and does it show up in Device Manager?

2. As Kramerica suggested:
If you want to get the stuck disk out of the drive, look for a small, round hole on the face of the drive. It's usually somewhere below the CD tray, and inside that hole is the mechanical release mechanism. Carefully insert something like a straightened-out paperclip into the hole until you feel the end of the paperclip contact the face of the release lever. Press slowly but firmly to engage the lever; the drive tray's door should pop open enough for you to grab it. Gently pull the tray fully open, remove the disk, and slide the tray closed again.

3. If the drive's eject button and front-panel indicator light aren't even working, the drive may not be getting power. Hopefully, your power supply has a few spare power connectors on it; plug one of those into the problematic drive and see if that gives it any life.

4. If you can determine that the drive is at least getting power, try a new IDE cable.

5. If there is another drive on the IDE cable, remove it and try it with only the RW drive connected.

DMR 152 Wombat At Large Team Colleague

Hi moseynick21,

Welcome to our site. :)

Because your question concerns a valid problem with a piece of hardware, I'm moving your post to one of the forums in our technical section. You'll get more knowledgeable "eyeballs" on your problem that way.

Buckle up, we're going for a ride...

DMR 152 Wombat At Large Team Colleague

I bet you were the one that added an option to a poll I posted couple of months ago that said I like wombats. lol

I, er, um... :o


:cheesy:

DMR 152 Wombat At Large Team Colleague

You guys are money.

Yeah, now if we could only get money for doing this... :mrgreen:

Glad we could help. :)

DMR 152 Wombat At Large Team Colleague

Glad we could help. :)

However, some of the infections you had are difficult to completely remove, and they can come back to life if pieces of them are left on your system. Please post a new HijackThis log so that we can see if there are any "leftovers" that need to be cleaned up.

DMR 152 Wombat At Large Team Colleague

The Internet connection problems could definitely be the work of the infections.

You will need to disconnect from the Internet for the following fixes (I'd suggest physically unplugging the cable), so you should either print out these instructions or save them into a text file using Notepad.

1. Run HijackThis again, put a check in the boxes next to the following entries, and click the "Fix checked" button:

F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Regmgr] scvhost.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
mcafee32.exe
xpjava.exe

DMR 152 Wombat At Large Team Colleague

1. You have signs of an "about:Blank" infection. Please download and run the following removal tools. Before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed:

about:buster
CWShredder
HSRemove


2. Download and install these two anti-spyware tools. Again- make sure to get the most current updates before actually running the scans. Run the programs consecutively (the order doesn't matter) and have each one fix whatever "bad" items it finds.

Ewido Security Suite (free trial download)
Microsoft AntiSpyware beta


3. Run HijackThis again, post a new log, and we'll work on any remaining items from there.

DMR 152 Wombat At Large Team Colleague

OK- your log does show signs of infections, but I can't respond fully right now (time for sleep in my end of the world). If one of our other members doesn't pick up on this in the mean time, I'll follow up here when I come back online.

DMR 152 Wombat At Large Team Colleague

We keep our Australian brethren free from that vile disease!

Yes, I know; but I do believe the most rare (and most dangerous) species of Wombat inhabits your part of the world, yes?

The Hairy-Nosed Mooning Wombat:
[IMG]http://www.stevewolfonline.com/Downloads/DMR/Visuals/WombatMoon.gif[/IMG]
[IMG]http://www.stevewolfonline.com/Downloads/DMR/Visuals/Smilies/WombatMoon.gif[/IMG]
OK, so I probably shouldn't have done that, but I did... oh well. :cheesy:

DMR 152 Wombat At Large Team Colleague

What's going to happen to you?

You'll be attacked and eaten alive by rabid marsupials in exactly 477 posts, that's what.

:mrgreen:

DMR 152 Wombat At Large Team Colleague

Please post a new HijackThis as well.

DMR 152 Wombat At Large Team Colleague

So this is where all the smart kids hangout ey?

LOL.

Smart "kids", eh? Watch it there now; most of us are rather crusty old-timers... :mrgreen:

Welcome to our site A_S! :)

DMR 152 Wombat At Large Team Colleague

WOW...you guys are amazing...

Aww... careful now- you'll make us blush. :o

Seems to be no signs of infestation. Thanks. Should I just keep the installed software like HJT and nailfix and Ewido??? Thanks!!!!!

You're welcome.

In terms of what prevention/detection/removal tools you should have and/or keep, see the response I posted (at the end of the thread) earlier today in answer to that same question from another member:

http://www.daniweb.com/techtalkforums/thread25186.html

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

Sometimes a reinstall is the fastest solution to elusive/random problems, especially if you have the option of being able to back up your critical data first. Glad you got it sorted.

DMR 152 Wombat At Large Team Colleague

Hi Ibex,

I see that this is your first post; welcome to the site. :)

Unfortunately, the CWS infection is actually an entire family of infections, and many of the newer variants can be quite difficult to remove. In addition to that, your log indicates other infections as well.

HijackThis alone isn't going to be able to fully clean the infections, so please do the following in order to get things cleaned up a bit:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings …

DMR 152 Wombat At Large Team Colleague

There are two things I see in your log:

1. C:\WINDOWS\csrss.exe

There is a valid Windows file named csrss.exe, but on XP systems it lives in the C:\Windows\System32 folder; not in the C:\Windows folder. A file named csrss.exe in the main Windows folder usually indicates an infection.

2. O21 - SSODL: System - {15712FAF-9FB2-4F4D-AA0E-1585B7FC9DBB} - mcsys.dll (file missing)

The above is also indicative of an infection.

What makes you mention NavHelper? It's true that NavHelper is considered a security risk, but I see no signs of it in your log.

I'd suggest that, in addition to a full scan with Norton (make sure to get the most current updates installed before scanning), you also run a few of the following free online anti-virus/anti-spyware scans and set them to automatically clean what they find:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Once you're done, run HijackThis again and post a new log.
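
The directory check described in the post above, generalized to a few other core XP system binaries and to near-miss file names, as an added example that is not part of the original post. The expected-directory table, the function names and the sample log are constructed for illustration and assume Windows is installed in C:\WINDOWS.

```python
import ntpath  # Windows path rules; works on any OS
import re

# Assumption: default XP locations with Windows installed in C:\WINDOWS.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "csrss.exe": SYS32, "lsass.exe": SYS32, "services.exe": SYS32,
    "smss.exe": SYS32, "svchost.exe": SYS32, "winlogon.exe": SYS32,
    "explorer.exe": r"c:\windows",
}

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")
# Program image at the start of a command line, quoted or unquoted.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|pif|com|scr|bat))(?=\s|$)', re.I)


def image_path(command):
    """Return the program path from an autostart command line, without arguments."""
    command = command.strip()
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def near_miss(name, ref):
    """True if name differs from ref by one edit or one adjacent swap."""
    if name == ref:
        return False
    if len(name) == len(ref):
        diff = [i for i in range(len(ref)) if name[i] != ref[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and name[diff[0]] == ref[diff[1]]
                and name[diff[1]] == ref[diff[0]])
    if abs(len(name) - len(ref)) == 1:
        short, longer = sorted((name, ref), key=len)
        return any(longer[:i] + longer[i + 1:] == short
                   for i in range(len(longer)))
    return False


def entries(log_text):
    """Yield (source, path) for running processes and O4 autostart lines."""
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            yield "process", line
        else:
            m = O4_RE.match(line)
            if m:
                yield "O4 %s [%s]" % (m.group(1), m.group(2)), image_path(m.group(3))


def triage(log_text):
    """Flag system binary names in the wrong folder and lookalike names."""
    findings = []
    for source, path in entries(log_text):
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower().rstrip("\\")
        if name in EXPECTED_DIR:
            # A bare name with no folder cannot be judged, so it is skipped.
            if folder and folder != EXPECTED_DIR[name]:
                findings.append(("wrong-directory", source, path))
        else:
            for ref in EXPECTED_DIR:
                if near_miss(name, ref):
                    findings.append(("lookalike-of-" + ref, source, path))
                    break
    return findings


# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\example.exe" /start
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit from this check is a lead for closer inspection of the file, not proof of infection; a system installed to a different drive or folder needs the table adjusted first.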

DMR 152 Wombat At Large Team Colleague

That looks good , but since crunchie is driving this tour bus right now, I'd wait for his response. :)

DMR 152 Wombat At Large Team Colleague

1. That latest log looks good, except I'm curious about these entries:

O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe

Any idea what program they belong to? I've never seen them before, and I can't find any info on them at all.


2. In terms of future protection and what programs you should have:

For one thing, you should have a look at this site; it is pretty much the definitive list of reputable vs "bogus" anti-spyware programs. For example, on that site you can read a bit about the shady past of XsoftSpy and NoAdAware. ;)

Detection and removal tools break down into two categories: general anti-spyware programs, and programs which are targeted at a certain type of infection.

- Of the general programs, the following are probably the most often recommended:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
Spyware Doctor - http://www.pctools.com/spyware-doctor
SpySubtract - http://www.intermute.com/products/spysubtract.html

Given the rate at which new threats are discovered (and old threats "morph" into nastier versions) it's a good idea to keep at least three of the above programs in your toolbox. One of those utilities will often catch something that another missed.

- On the other hand, About:Buster, CWShredder, Sp.html-Se.dll--hijack fix, and the …

DMR 152 Wombat At Large Team Colleague

1. The desktop icons and at least some of the pop-ups are due to the CasinoClient infection identified in this log entry:

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

Symantec has a description of the infection and removal instructions here:

http://www.sarc.com/avcenter/venc/data/adware.casinoclient.html


2. This log entry is a right pain to remove:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uuhluj.exe reg_run

Please do the following:

A) Open Windows Notepad and copy the following bolded text into the Notepad file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KavSvc"=-


In Notepad click FILE->SAVE AS
!! IMPORTANT: Change the "Save as Type" to All Files.
Name the file fix.reg

Save this file on the desktop, but don't run it yet.


B) Boot into Safe Mode, double click on fix.reg. You will get a message asking if you want to add or merge to the Registry; choose to do so.

C) While still in Safe Mode, open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Search for C:\WINDOWS\system32\uuhluj.exe and delete the file if you find it.

D) Empty your Recycle Bin and reboot normally.


3. Run HJT again and post the new log.

DMR 152 Wombat At Large Team Colleague

crunchie is right- your logs show signs of numerous infections. :(

In addition to SpyBot and Ad Aware, please download, install, and run the following two utilities; use each program's online update function before running them to make sure you have the most current updates installed.

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en


It would probably be a good idea to also do the following general cleanup:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local …

DMR 152 Wombat At Large Team Colleague

Have you checked the running processes?

Yes; it sounds like another program/process is firing up in the background and taking the focus away from your currently-active window or program. It could even be something malicious firing up another instance of Internet Explorer, or at least another (possibly hidden) IE window.

The next time the problem occurs, look in Task Manager and see if there are any suspicious programs or processes listed there. Also see if there are multiple instances of IEXPLORE.exe listed in the Processes tab.

If you think that spyware/viruses/etc. might be the cause of the behaviour, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Hi kwaldeck,

In addition to Begin2Search, you also have the evil Aurora/Nail.exe infection and the WhenUSave parasite.

Please follow these instructions carefully and completely. You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the instructions or save them into a text file using Notepad:


1. Open your Add/Remove Programs control panel and uninstall WhenUSave if you find it listed. Also remove the Ebates/MoeMoneyMaker program if it is listed.


2. Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a …

DMR 152 Wombat At Large Team Colleague

LOL

That's not an addiction - it's an occasional pastime :D

he he.
Should we tell them about the shakes, cold sweats, divorces, and other joyous symptoms that start to set in after the 1,000-post mark?

DMR 152 Wombat At Large Team Colleague

ethernet cable?!!?! i've been using a slinky! :cheesy:


It's definitely possible that the router is b0rked; let us know what happens with the new replacement.

DMR 152 Wombat At Large Team Colleague

1. dlh6213 is right - your log does look a bit short. If you did run the HijackThis scan in Safe Mode, please run HJT while booted into Windows normally and give us that log.


2. In terms of the Silent Runners program, you need to right-click on the download link and then choose the "Save target as..." menu option to save the file into a folder on your computer.

Once you've done that, double-click on the Silent Runners.vbs file to run it. The script will take a little while to run, and you won't see anything happening while it does. When it finishes running, it will display a message telling you where it saved the log file. You need to then open that log file in Windows Notepad and copy-n-paste the full text of the log file into a post here.


3. Your log shows signs of at least three worm infections:

- A W32/Sdbot variant, which is responsible for msdirectx.sys and friends.

- A W32/Agobot variant, indicated by the O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe log entry.

- A W32/Rbot variant, indicated by the runm.pif and rune.pif log entries.


Since AVG isn't able to remove those infections, I suggest you run these free online anti-virus/anti-spyware scans and see if they can clean things up a bit:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


DMR 152 Wombat At Large Team Colleague

Hi dc3128,

Please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

... it doesn't necessarily mean that they're constantly sitting there staring at the monitor screen :)

Well, unless that's my account you're looking at... :mrgreen:

DMR 152 Wombat At Large Team Colleague

I've become addicted to answering posts in the forum.

Hmm...

Profile info for Troy:
Total Posts: 96 (4.60 posts per day)

4.6 posts per day??

Bloody Slacker... :mrgreen:

DMR 152 Wombat At Large Team Colleague

You've still got a bit of spyware stuck between your teeth. :mrgreen:

1. Uninstall WeatherBug through your Add/Remove Programs control panel; the program comes bundled with "unwanted guests".


2. Run HJT again and have it fix:

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1


3. Delete the entire C:\PROGRAM FILES\AWS folder, empty your Recycle Bin, and reboot.


4. Post a (hopefully) final log for us to review.

DMR 152 Wombat At Large Team Colleague

Your latest log is clean. :)

I seem to still have spyware issues though

What exact issues are you still experiencing?

DMR 152 Wombat At Large Team Colleague

The modem is upstream of the router, so when you're trying to ping the router from your computer, the modem isn't even part of that signal path. You'll need to get a connection between the computer and the router before worrying about the router-to-modem side of things.

What you said about the modem does bring something to light though: if the modem is using a LAN address of 192.168.0.1, it must have some router functionality built into it as well. The 192.168. IP range is reserved for internal use only; addresses in that range cannot be used out on the Internet. However, the fact that the modem is using that IP address shouldn't present a problem for the Linksys router, because bridging two separate networks/subnets (192.168.1. and 192.168.0. in your case) is exactly what routers are supposed to do.

I'm sure this is a stupid question, but: you are connecting the computer to the router with an Ethernet cable at this point, right? If not, you'll need to; it's doubtful that you'll be able to do the router setup if you try with a wireless connection. And that brings up another question: have you tried using a different Ethernet cable? The cable you have could be flaky or outright bad.

DMR 152 Wombat At Large Team Colleague

Hi jackdog1,

I can give you some answers to your questions, but they'll have to wait until tomorrow. Hang in there.

DMR 152 Wombat At Large Team Colleague

Is this $#%@ gone?

Not entirely. There are pieces of the infection that do not show up in a HJT log, but the following entry in your log is one Aurora leftover:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Please do the following to remove that entry:

1. Run HJT again and have it fix the above "O23" entry.


2. Once HJT completes the fixes, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc


3. Reboot, run HJT again, and post a new log.
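The HijackThis entries quoted in the posts above share a small set of line shapes, and the "(no file)" / "(file missing)" markers are what identify leftovers such as the SvcProc service. The following is an added example, not part of the original posts and not HijackThis's own code: a small triage parser whose regular expressions are assumptions derived only from the four log lines quoted on this page.

```python
import re

# Sample input: the four log lines quoted in the posts above.
SAMPLE_LOG = r"""O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

# Line shapes (assumed from the quoted entries, not from a format specification).
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O3 = re.compile(r"^Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23 = re.compile(r"^Service: (?P<display>.+) \((?P<svc>[^()]+)\) - (?P<owner>.+?)"
                 r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a log entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    rec = {"code": code, "raw": body, "orphaned": False}
    if code == "O3" and (t := O3.match(body)):
        # Toolbar registration whose backing file no longer exists.
        rec.update(kind="toolbar", clsid=t["clsid"], orphaned=t["file"] == "(no file)")
    elif code == "O4" and (a := O4.match(body)):
        # Program started automatically from a Run/RunServices registry key.
        rec.update(kind="autorun", hive=a["hive"], key=a["key"],
                   name=a["name"], command=a["cmd"])
    elif code == "O23" and (s := O23.match(body)):
        # Service entry; the short name in parentheses is what gets deleted.
        rec.update(kind="service", service=s["svc"], path=s["path"],
                   orphaned=s["missing"] is not None)
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def orphaned_services(records):
    """Short names of services whose binary is reported missing."""
    return [r["service"] for r in records if r.get("kind") == "service" and r["orphaned"]]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["code"], rec.get("kind", "unparsed"), "ORPHANED" if rec["orphaned"] else "")
    print("services to delete:", orphaned_services(parse_log(SAMPLE_LOG)))
```
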