DMR 152 Wombat At Large Team Colleague

MadDave123- welcome to you also. :)

Components of infections are evident in your HijackThis log. Please do the following:

You will want to print out these directions, as you will need to close all instances of your web browser while performing the fixes


1. Disable XP's System Restore feature. An explanation of how to do that (and why) can be found here.


2. Run HijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
sysmon32.exe
pingppac.exe
wuampkd.exe

C:\WINDOWS\System32\vbsys2.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious …
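For anyone triaging these logs by eye, here is an added example (my own script written for this page, not part of HijackThis and not something DMR posted) that applies the same rules the posts in this thread keep using to raw HijackThis log lines: a Shell= value that is anything other than Explorer.exe, Run entries that point at a pathless executable, labels that are one typo away from "Microsoft", O15 Trusted Zone additions, and registrations whose file is gone. The sample lines are the entries quoted in this thread plus one constructed benign ctfmon.exe entry as a control; the allowlist of pathless host binaries and the lookalike target are my assumptions, and a clean result from these rules does not mean the log is clean.

```python
r"""Triage helper for HijackThis log lines.

Added example for this page; it is not part of HijackThis. It flags the
entry patterns the thread above keeps fixing by hand.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str
    reason: str


# Windows host binaries that legitimately show up in Run entries without a
# path (assumption: a small allowlist is enough for this demo).
PATHLESS_HOSTS = {"rundll32.exe"}

# Vendor name that malware likes to misspell in Run-entry labels (assumption).
LOOKALIKE_TARGETS = ("microsoft",)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SHELL_RE = re.compile(r"^F[02] - .*Shell=(?P<value>.*)$", re.IGNORECASE)

# Constructed sample: entries quoted in this thread plus one benign control line.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance (Levenshtein plus adjacent
    transposition), so 'Mircosoft' is distance 1 from 'microsoft'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> list:
    """Apply each rule to one log line and return the findings for it."""
    findings = []
    stripped = line.strip()
    if not stripped:
        return findings
    # A registration whose file is gone, or a nameless toolbar/BHO, is a leftover.
    for marker in ("(file missing)", "(no file)", "(no name)"):
        if marker in stripped:
            findings.append(Finding(stripped, f"orphaned entry {marker}; safe to fix"))
            break
    m = SHELL_RE.match(stripped)
    if m:
        value = m.group("value").strip()
        if value.lower() != "explorer.exe":
            findings.append(Finding(stripped, f"Shell= should be exactly Explorer.exe, found {value!r}"))
    m = O4_RE.match(stripped)
    if m:
        exe = first_token(m.group("cmd"))
        bare = "\\" not in exe and "/" not in exe
        if bare and exe.lower() not in PATHLESS_HOSTS:
            findings.append(Finding(stripped, f"Run entry with pathless executable {exe!r}"))
        for word in re.findall(r"[A-Za-z]+", m.group("name")):
            for target in LOOKALIKE_TARGETS:
                if word.lower() != target and osa_distance(word, target) == 1:
                    findings.append(Finding(stripped, f"label {word!r} looks like a misspelling of {target!r}"))
    if stripped.startswith("O15 - Trusted Zone:"):
        findings.append(Finding(stripped, "site added to the IE Trusted Zone; remove unless you added it"))
    return findings


def triage(log_text: str) -> list:
    """Run triage_line over a whole pasted log."""
    out = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Feed it the saved hijackthis.log instead of SAMPLE_LOG to get a first pass; the rules are deliberately generic, so the adware BHO/toolbar entries with valid files (the SideStep and Begin2Search ones in this thread) still need a human or a name lookup.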

DMR 152 Wombat At Large Team Colleague

Hi sshohdi,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Hi ThalesC, welcome to the site. :)

1. First of all, your log indicates that you don't have the most current critical fixes and security updates installed for XP/Internet Explorer. Please go to Microsoft's Windows Update site and install them now; having those patches installed will plug some of the loopholes through which "spyware" gets on your system in the first place.


2. Once you do the above, please follow the instruction I gave in this thread and then post a new HijackThis log after that.

DMR 152 Wombat At Large Team Colleague

Please follow the removal instructions I posted in this thread and post a new HijackThis log here after that.

DMR 152 Wombat At Large Team Colleague

There are still a couple of "nasties" indicated in your log, but the list of running processes in the log looks pretty short for a normal XP system. Did you run that HijackThis scan in Safe Mode? If so, please post a log generated while booted in Windows normally.

DMR 152 Wombat At Large Team Colleague

That does sound like corruption of a user profile, although the cause might not be of a malicious nature. Do you know if any changes at all were made to the system just prior to the problem occurring?

See if any of the information and suggestions in this thread can help:

http://www.experts-exchange.com/Operating_Systems/Q_21307901.html

DMR 152 Wombat At Large Team Colleague

You're right- running HijackThis (and then posting the log it generates) is the first step; here are instructions which should help:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Make a new folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Drpmon.dll is a component of the evil Aurora infection. However, if you have the Aurora infection, you probably have other "unwanted guests" on your system as well. Please do the following so that we can get idea of the state of your system:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

You have more than just the Aurora infection, but let's work on Aurora first. The removal process should clean up some of the other nasties as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

DMR 152 Wombat At Large Team Colleague

You still haven't told us what exact version of Windows you're using. We have two separate Windows forums- one for older (95/98/Me) versions and one for newer (2k/XP) versions. We'll know where to place your question once you give us the version you're running.

DMR 152 Wombat At Large Team Colleague

Very cool; glad we could help. :)

DMR 152 Wombat At Large Team Colleague

I hate to have to be this frank with you, but I don't think our forums are the right place for your questions. You said:

A) "im grounded, so im sneaking on to try and fix the comp".

B) "I cant do a full windows restore, cause My dad has a program which if deleted he'll have to buy a new one for quite a bit".

I'm sorry, but we aren't here to help people get around those types of restrictions any more than we're here to help people get around installation problems with an illegal copy of Windows.

Judging from what you've posted, it sounds like the computer you've mucked up is not your own personal-use computer, but a computer also used by others in the family. If so, my suggestion is this: if you know that you're really the one who hosed the system, just cop to it and deal; "im sneaking on to try and fix the comp" doesn't really sound like the right solution.

DMR 152 Wombat At Large Team Colleague

1.

Thanks, I see the "trusted site" has popped again.

I thought that it would; that particular one usually does. Here's what you need to do to remove it:

First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove.

- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not delete or modify anything else in the registry!!!


2. Other that the above, you're right- the log is clean. :)

Do things seem to be working normally now, or are you still experiencing browsing problems?

DMR 152 Wombat At Large Team Colleague

The Smitfraud infection doesn't usually infect a computer so badly that it can't even run anything in Safe Mode.

- How did you determine that smitfraud was the culprit?

- Do you have any indication that there might be other infections involved?

- When you say "when I open in 'safe mode' it still wont let me start or run anything", do you really mean "anything"? What exact programs are you trying to run?

- Click the "Search this forum" button at the top right-hand side of the main Viruses, Spyware, and other Nasties forum page and enter Smitfraud in the search box to view our previous threads on the subject.

- If none of those threads provide a solution, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept …

DMR 152 Wombat At Large Team Colleague

Please give us more detail concerning the exact errors you get when you try to go to sites, as well as more information on your network/Internet connection (DSL? Cable? Dial-up? Is there a router involved?)

Also, you said: "I have tried other things but no help". Just so that we don't duplicate your efforts- what exactly have you done so far?

DMR 152 Wombat At Large Team Colleague

- Do you get any error messages when the freezes occur, or does the computer just "lock up"?

- Do the freezes occur when you run Windows in Safe Mode? To get to the safe mode boot menu option, start tapping the F8 key just after you power up the computer.

- Thermal problems? Open the case again and make sure that all fans are running freely and smoothly, and that there are no dust/dirt build-ups on the components or in any of the venting paths.

DMR 152 Wombat At Large Team Colleague

All in all, from what you've posted it does sound like the motherboard was damaged when the power supply went south.

- The BIOS beep codes you hear might help isolate the problem. Please be more precise about the number and duration of beeps you hear, and tell us the make and version of your BIOS (beep codes vary between BIOSes).

- Open the computer and firmly reseat all boards, cables, and connectors.

- Give us the make/model of your computer. It may have built-in, low-level diagnostic utilities which can help us troubleshoot/test your hardware components.

- Remove all unnecessary components (network card, CD-ROM drive, sound card, etc.) one by one. Boot the computer after removing each and see if there's any change in the symptoms.

- If you have more than one RAM module, boot the system with only one module at a time installed. If the system exhibits problems only when you have a specific module installed, that module is probably fried.

- Reset your BIOS: unplug the power cord from the computer and remove the CMOS battery (small, flat, watch-type) from the motherboard. Leave the battery removed (and the computer unplugged) for at least 30 minutes or longer before reinstalling it.

DMR 152 Wombat At Large Team Colleague

"Spybot" is the general name given to the family of a certain type of worm, but it has many variants and the removal procedures differ between those.

What anti-virus program are you using? Are you trying to say that the program can't clean the infection? If so, what information does the A-V program give you about the infection?


1. If it's true that your anti-virus program can't take care of the infection, try a few of these free online anti-virus scanners:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. If none of the above utilities can get rid of the problem, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once …

DMR 152 Wombat At Large Team Colleague

Hi franzq, welcome to the site. :)

Let's start with this:


1. Go to your Add/Remove Programs control panel and uninstall SideStep if you find it listed there.


2. Run HijackThis again and have it fix the following entries:

O2 - BHO: SideStep Browser Helper - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O4 - HKLM\..\Run: [MMC] C:\WINDOWS\msi.exe
O4 - HKLM\..\Run: [ActiveX] c:\unn.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)


3. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the following files:
C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
C:\WINDOWS\msi.exe
c:\unn.exe

- For every user account listed under C:\Documents and Settings\, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies

DMR 152 Wombat At Large Team Colleague

Umm... knowing the name (and version) of the burning software you're using might help us. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Might be a silly question, but have you tried uninstalling/reinstalling it yet?

DMR 152 Wombat At Large Team Colleague

An explanation and fix for the most common cause of what you describe can be found here:

http://support.microsoft.com/kb/q270008/

Although the article pertains to Win 2000, I've seen the problem occur with XP as well; the fix described for Win 2000 works for XP.

Please note that although the article only refers to the "UpperFilters" and "LowerFilters" entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet registry subkey, I've had to apply the fix to the similar entries (if found) in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys as well in order to make it work.

DMR 152 Wombat At Large Team Colleague

Support for drives/partitions greater than 137G did not appear until Service Pack 3, but even with SP3 (or 4) installed, there's still a Registry hack involved.

See the following Microsoft Knowledgebase article for the whole story:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305098

DMR 152 Wombat At Large Team Colleague

Have you tried:

a) reinstalling the mouse driver.

b) Using a different mouse.

c) cleaning the sensors and rollers inside the mouse.

DMR 152 Wombat At Large Team Colleague

If the computer was working faster before you reinstalled Windows, and you've changed nothing hardware-wise, it would be likely that the reinstall didn't quite go correctly.

- Why did you need to reinstall?

- Did you do a fresh, clean reinstall, or did you reinstall on top of the existing install?

DMR 152 Wombat At Large Team Colleague

You'll have to give us more specific information about the crashes in order for us to help you most quickly. Judging from what little info you've given, the root of your problem could be almost anywhere in hardware and/or software.

- Do you get any error messages? If so, post the full and exact text of those messages.

- Does the computer crash at a definitive point (such as X minutes after starting up, or only when you are performing certain tasks) or are the crashes totally random?

- Had you installed/uninstalled/upgraded any software around the time the crashes started to occur?

- Does the computer crash when you boot Windows into Safe Mode? You get to the Safe Mode boot option by hitting the F8 key as your computer is starting up.

DMR 152 Wombat At Large Team Colleague

Unfortunately, 500' exceeds the maximum length limit (100 meters) of an Ethernet cable run, so unless you run a fiber optic cable, a wired solution isn't going to do it for you. Fiber would work quite well for your situation, but it would be rather expensive. The cable itself isn't cheap, and you would also have to buy two Ethernet-to-Fiber media converters in order to interface it with the systems in each building.

If you've got clear line of sight, wireless is probably the way to go (although it will be slower than a wired connection). Exactly what equipment you will need depends on what you've already got set up (network-wise) in each building. If you give us a specific description of that, we can advise you from there.

DMR 152 Wombat At Large Team Colleague

And please proof read your posts. Maybe I'm just a stickler for spelling, but last time I checked 'prtect' wasn't in the dictionary...

Hey now, go easy on the new members, JJ___. We all make "finger fouls" once in a while. :)

Nexus Titan,

As Catweazle said, your question does belong in one of our Windows technical forums. Please tell us what version of Windows you're using so that we can move this to the appropriate forum for you.

DMR 152 Wombat At Large Team Colleague

Depending on your location, there may be a Computer Users Group in your area. If so, that might be a good resource to check out. Those groups are often involved in some sort of volunteer work or another, and even if they can't help you directly they can probably at least give you some leads.

DMR 152 Wombat At Large Team Colleague

Sorry I didn't get back to this sooner; I haven't been present here very much in the past week or so.

Good job- except for two small items, your log is clean. :)

You should remove WeatherBug and any WildTangent programs that you have installed; they contain adware/spyware components. You should be able to uninstall them through your Add/Remove Programs control panel.

Once you've uninstalled those programs:

1. Run HijackThis again and have it fix the following two entries (if they still exist):

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


2. Open Windows Explorer and look for the following two folders. Delete them entirely if they still exist:

C:\Program Files\WildTangent
C:\Program Files\AWS

DMR 152 Wombat At Large Team Colleague

Sorry I didn't get back to this sooner; I've been pretty much offline for the last week or so.

Good job; your log looks clean now. I don't see any signs of the infections that were present in your earlier log. :)

Do things seem to be working OK now?

DMR 152 Wombat At Large Team Colleague

1.

I re-read your instructions and they made sense the first time. I must have read them too fast. I didn't see a Local Settings folder anywhere I looked.

The Local Settings folders definitely exist, but if you didn't have Explorer's "show hidden files and folders" View option set as I described before, they would not be visible.


2.

I deleted the contents of the guest and my cookies folder but it wouldn't let me delete my index file. I could only delete the guest's. Should I sign on as a guest so I can delete it? (won't let me delete it while it's in use)

Don't worry about the index file; as I posted before regarding the desktop.ini and index.dat files:

"...Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK."


3. Your latest log is clean; the Begin2Search infection seems to be gone now. :)
Test-drive the system for a bit when you get a chance, and let us know how things go.

DMR 152 Wombat At Large Team Colleague

I looked at Event Viewer and found a lot of warnings and errors in system and applications, but I don't know how to post them, because it won't let me copy and paste. Is there another way?

Yes there is, but like many things Microsoft, it's not really obvious at all:

When you double-click on any log entries to open the details/properties window for the item, there will be a vertical row of three buttons at the right of the window. The top two buttons have (respectively) an "up" and "down" arrow on them, but the bottom-most button has a picture of two overlapping pages on it. If you click on that button, it will automatically (and without giving you any feedback) copy the entire contents of the window into the Windows clipboard.

All you need to do after hitting that button is to hit the Reply button in this thread to open a reply/response text window and then paste the clipboard contents into that text entry box by either simultaneously holding down the "Ctrl" and "V" keys or by going to your browser's Edit menu and choosing "Paste".

Here's my scan:

Service load: 0% 100%

File: wmiprvse.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 075ea6c849ab0fe416a3d6dd65c3cf41
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing

DMR 152 Wombat At Large Team Colleague

Alright; let us know if you have any further questions. The switch won't need any software or configuration, so it should just be plug 'n go.

DMR 152 Wombat At Large Team Colleague

No, I meant that, for each user account, you should delete only the contents of the folders that I listed above. Sorry, I guess my wording could have been better.

These folders are the ones whose contents you should delete:

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

Do NOT delete any folders or files in the user accounts' folders other than the four above.
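Here is an added example (my own, not DMR's instructions or any tool from this thread) of doing the four-folder cleanup above as a script: it empties each listed folder under every profile but keeps the folders, never touches anything else in the profile, does not follow symlinked/junctioned directories out of the profile, and records rather than aborts on files that are in use (the index.dat case). The profiles root is a parameter, and demo() runs it against a scratch tree it builds in a temp directory, so it can be tried safely before pointing it at C:\Documents and Settings (the file names in that scratch tree are constructed for the demo).

```python
r"""Empty the per-profile Temp/Cookies/History/TIF folders, keeping the folders.

Added example for this page; not part of any tool mentioned in the thread.
Pass the profiles root (C:\Documents and Settings on XP) to clean_profiles().
"""
import shutil
import tempfile
from pathlib import Path

# Relative to each profile folder; the four folders listed in the post above.
TARGET_FOLDERS = [
    Path("Cookies"),
    Path("Local Settings") / "Temp",
    Path("Local Settings") / "History",
    Path("Local Settings") / "Temporary Internet Files",
]


def empty_folder(folder: Path):
    """Delete everything inside `folder` but keep `folder` itself.

    Returns (deleted, skipped). Entries that cannot be removed (in use, like
    index.dat in the top-level folder) are reported in `skipped`, not fatal.
    """
    deleted, skipped = [], []
    if not folder.is_dir():
        return deleted, skipped
    for entry in folder.iterdir():
        try:
            # Only recurse into real subdirectories; a symlink/junction is
            # removed as a link so nothing outside the folder is followed.
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)
            else:
                entry.unlink()
            deleted.append(entry)
        except OSError:
            skipped.append(entry)
    return deleted, skipped


def clean_profiles(profiles_root: Path) -> dict:
    """Empty TARGET_FOLDERS under every profile; return {folder: (deleted, skipped)}."""
    profiles_root = Path(profiles_root)
    report = {}
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for rel in TARGET_FOLDERS:
            folder = profile / rel
            if not folder.is_dir():
                continue  # e.g. a profile that has never used IE
            deleted, skipped = empty_folder(folder)
            report[str(folder.relative_to(profiles_root))] = (len(deleted), len(skipped))
    return report


def demo():
    """Build a constructed scratch profiles tree in a temp dir, clean it, and
    return (report, paths that survived) so the behaviour can be checked."""
    root = Path(tempfile.mkdtemp())
    for user in ("Administrator", "Guest"):
        for rel in TARGET_FOLDERS:
            (root / user / rel).mkdir(parents=True)
        (root / user / "Cookies" / "user@example[1].txt").write_text("cookie")
        temp = root / user / "Local Settings" / "Temp"
        (temp / "setup.tmp").write_text("junk")
        (temp / "sub").mkdir()
        (temp / "sub" / "dropped.dll").write_text("junk")
        # Must survive: not one of the four folders.
        (root / user / "My Documents").mkdir()
        (root / user / "My Documents" / "keep.doc").write_text("important")
    report = clean_profiles(root)
    kept = sorted(str(p.relative_to(root)) for p in root.rglob("*"))
    shutil.rmtree(root)
    return report, kept


if __name__ == "__main__":
    rep, kept = demo()
    for folder, (n_del, n_skip) in rep.items():
        print(f"{folder}: deleted {n_del}, skipped {n_skip}")
    print("survivors:", *kept, sep="\n  ")
```

Run it from Safe Mode as an administrator for the same reason DMR gives above: fewer files are held open, so the skipped list is shorter.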

DMR 152 Wombat At Large Team Colleague

Happy (belated) birthday, Dave!

Thanks Danny :)

DMR 152 Wombat At Large Team Colleague

Hi, I think I properly installed and ran the HijackThis program, then copied & pasted the log and sent it to you. That was on Friday. It's Tues. morn and I've had no reply-- I understand your time is limited but just want to make sure it was rec'd.

larry H

Sorry to leave you hanging Larry,

My birthday was on the 10th, I had relatives visiting from then until the 17th, I took a much-needed trip to Yosemite National Park somewhere in there, and also lost my Internet service for a few days to boot... a long week & 1/2.

You definitely have a version of the About:Blank infection at the very least.

1. Download, install, and run the MS AntiSpyware program that buddylee614 linked to; let it fix everything it finds.


2. Try these alternate download links for About:Buster and CWShredder:

about:buster
CWShredder


3. Also download this "about:blank" removal tool.


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run the three removal utilities I linked to above consecutively.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under …

DMR 152 Wombat At Large Team Colleague

Hi cjillson7030,

dlh6213 has done a good job of walking you through the process of removing the obvious "nasties" that were present on your system. I would definitely do as he asked in terms of having the wmiprvse.exe file scanned; that file is normally a valid Windows file, but a file of that name is also known to be placed on systems by some malicious programs. Other than that though, I agree with him on the fact that your system isn't showing any more signs of infection.

Given that, your system logs may hold some clues as to the cause(s) of your "not responding" program crashes/hangs. I'm inclined to believe that those errors are not related to the infections you had, or that the infections may have caused the errors, but the damage done won't be fixed just by removing the infections themselves.

Please do the following:

Open the Event Viewer utility in your Administrative Tools control panel.

In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to program hangs/crashes or anything else related to the problems you're having, post the full and exact contents given in the detail windows.

DMR 152 Wombat At Large Team Colleague

If you were able to reach the sites while connected to another network, then yes, that would point more to a problem somewhere in your (usual) network rather than a problem on your computer itself.

Please give us as much of a detailed description of your entire network setup as possible. We can definitely help you check/troubleshoot the entire network, but having as much information as possible up front will obviously let us do that most quickly.

Afterthought:

When you tried entering the IP addresses I gave you in your browser, did you prefix them with "http://"? For example:

http://216.239.57.107

I wasn't as specific on that as I should have been.

DMR 152 Wombat At Large Team Colleague

1. The 2Wire message was just alerting you to the fact that you were (at least as far as the 2Wire software knew) exceeding a bandwidth usage limit, but I'm almost positive that the reference to the Blaster worm was only a suggestion on 2Wire's part, as Blaster and similar worms have a tendency to generate an unusually high amount of network traffic. However, that doesn't necessarily mean that the 2Wire message is wrong; something on your computer certainly could be generating excessive network traffic, even if you're not aware of it.


2. Let's work on the obvious (Begin2Search) infection indicated in your HijackThis log first:

a) Open a DOS box by typing "cmd" (omit the quotes) in the "Run..." option under your Start button menu. At the command prompt in the DOS window, type the following commands one at a time, hitting the Enter key after each:

regsvr32 /u C:\WINDOWS\system32\trgen.dll
regsvr32 /u C:\WINDOWS\system32\ic2_win.dll


b) Run HijackThis again and have it fix:

O2 - BHO: ohb Class - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\system32\trgen.dll
O2 - BHO: ohb Class - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\system32\ic2_win.dll


c) Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files …

DMR 152 Wombat At Large Team Colleague

You're welcome; that's what we're here for. :)

DMR 152 Wombat At Large Team Colleague

It can be difficult to track down connection problems when they only occur at one or two sites, but here are a few things you can try:


1. Disable any firewall software you might have running.


2. Manually clean out the folders where "stale" files accumulate over the course of Internet surfing and general computer usage:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: the following steps will delete the contents of all Temp/Temporary folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to …

DMR 152 Wombat At Large Team Colleague

Unfortunately, there are just too many possible topics/questions/problems, or even categories of those, to make such a list.

In addition, many questions can (at least initially) appear to be suited to more than one of our forums. For example: a member posts that they're having problems with their Internet connection, but they can't give us much more to go on than the fact that they randomly lose the connection every once in a while. The problem is obviously of a technical nature, so it belongs somewhere in the Tech Talk section, but in which exact forum? The root of the problem could lie with network settings in software, an issue with their networking hardware, or it could be the result of a virus or spyware infection. However, until we get more specific information on the problem, even we won't know which forum the post really belongs in.

To give yourself a better general idea of which forums are best suited for a given topic/question/problem, click on the links to the pages of our top-level forum categories (Web Development, Coffee House, Tech Talk, etc.). On those pages, you'll see that the sub-categories listed in each have a short description of what general topics the sub-categories deal with (programming issues, technical problems, etc.). If you go to any of the sub-categories, each of their main pages will have a similar description for the individual, specific forums they contain.

Basically- if you familiarize yourself with the topics that each …

DMR 152 Wombat At Large Team Colleague

Sorry for the delayed response, I've been offline for a few days.

Good work. :)

In your latest log, I only see one "loose end" that needs to be cleaned up, but other than that the log is clean. Have HijackThis fix the following entry; it's a leftover from one of the nasties that was infecting your system:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
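The kind of "loose end" entry shown above, as an added Python example (not code from the original post or from HijackThis): a small parser for the O3 (toolbar) and O4 (autorun) lines of a HijackThis 1.99 log that flags entries whose target file is gone, toolbars with no name, and autorun items given as a bare filename. The sample log lines are constructed; the two O3 lines mirror entries quoted in this thread, the O4 line is made up.

```python
import re

# Constructed sample in HijackThis 1.99 log format. The two O3 lines mirror entries
# discussed in this thread; the O4 line is a made-up example of a Run key entry.
SAMPLE_LOG = """\
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\\WINDOWS\\system32\\ic2_win.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\\..\\Run: [ExampleUpdater] exupdate.exe
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<file>.*)$")

def flags_for(entry):
    """Heuristic flags a log reviewer looks at; none of them is proof of infection."""
    flags, target = [], entry["file"]
    if target in ("(no file)", "(file missing)") or target.endswith("(file missing)"):
        flags.append("orphaned")        # registry points at a file that no longer exists
    if entry["name"] == "(no name)":
        flags.append("unnamed")         # legitimate toolbars normally carry a name
    if entry["kind"] == "O4" and "\\" not in target:
        flags.append("bare-filename")   # no directory given; resolved via the search path
    return flags

def parse_hjt(text):
    """Parse O3 (toolbar) and O4 (autorun) lines; other sections are ignored here."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O3", O3_RE), ("O4", O4_RE)):
            m = rx.match(line)
            if m:
                entry = {"kind": kind, **m.groupdict()}
                entry["flags"] = flags_for(entry)
                entries.append(entry)
                break
    return entries

def leftovers(text):
    """Entries whose file is gone: the 'loose ends' HijackThis can fix after a cleanup."""
    return [e for e in parse_hjt(text) if "orphaned" in e["flags"]]

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e["kind"], e["name"], e["file"], e["flags"])
```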

DMR 152 Wombat At Large Team Colleague

Hi c21werner,

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Hi Fausta,

Sorry for the delayed response; my Internet access was down for a few days.

Finding and deleting the suspicious files may have done the trick, but it would be a good idea to follow the suggestions I gave and then post a new HijackThis log for us to review. Manually deleting infected files can neutralize the symptoms of the infections, but can also leave other components of the infections lurking in different areas of your system. To make sure that your computer is really infection-free, it's best to verify that with a few reputable anti-virus and anti-spyware programs.

DMR 152 Wombat At Large Team Colleague

Sorry to leave you hanging here; we've been a little short-handed this week. :sad:

1. Your current log does indicate an infection by the Begin2Search Adware program, but I don't see an indication of a Blaster infection in the log.

You posted: "The computer says its a blaster type virus". Can you tell us exactly which program is giving you that message, and if possible, the full contents of the message please? The fact that your Anti-virus program isn't picking up the virus could mean that the warning message is just a bogus pop-up delivered to you by your adware infection. A good indication of that would be if the warning message says some come-on phrase like "Click here to scan your PC for free!" or similar.


2. You are running an older version (1.99.0) of HijackThis. Please download the latest version (1.99.1) from here, run it, and post the log that new version generates. Make sure to use the new version from now on.


3. Did you get a chance to run any of the online anti-virus/anti-spyware scans I linked to in my first post? If not, please do so before posting a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

Okay. Last night I ran the memtest86 and it came back with no errors.

That's a good sign. However, Coconut Monkey is right about letting the tests run for a decent amount of time; extended testing is more strenuous and may uncover errors that shorter scans don't. If you only ran a relatively short scan with memtest86, you should do a longer one. A run of at least 4 hours is recommended if you want the most definitive diagnosis.

I've been really busy lately and haven't had a chance to look at the application logs, but the last time I did know there were tons of program hangs. I think there were errors, and I will get them posted asap. Are program hangs significant at all? Or just the errors?

Since you indicated that you've been getting a lot of "illegal operation" application terminations, you should examine any log entries that appear to relate to program hangs/crashes/errors. In looking through the details of all such log entries, you may uncover a pattern which could help us determine the source of the problem(s).

Look for log entries whose details indicate that a problem occurred, and whose time/date stamps correspond to times when you've gotten the "illegal operation" errors. Post the full contents of the details windows of those entries when you get a chance.

DMR 152 Wombat At Large Team Colleague

why are we still getting these trojans when Norton detected them in 2001???

The names that these infections are identified by usually refer to the general, overall type/family of the infection, but the problem is that new variants of many of these infections continue to appear. Think of it in terms of biological viruses. For example- how many versions of hepatitis are there now as compared to those we knew of only a few years ago?

Norton detected mine but I couldn't get rid of it from quarantine. Can anyone explain why that is?

That could depend on a couple of things, including exactly where Norton found the infected files. There are some directories/folders which A-V programs like Norton have permission to scan/read, but do not have permission to delete files from. See this for an explanation of one such area of your system where this can happen.

DMR 152 Wombat At Large Team Colleague

Hello cmhdover, welcome to our site. :)

Your log certainly does indicate "unwanted guests", including the rather nasty "Aurora" infection.

To begin with, please follow the Aurora removal instructions below carefully and fully. In addition to removing Aurora, they should clean up at least a few of the other nasties you have:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run …