DMR 152 Wombat At Large Team Colleague

Hello Dennis, welcome to our site :)

Our announcement posted at the top of this forum does state that HijackThis logs should only be posted in our Viruses, Spyware, and other Nasties forum, but I've deleted your duplicate post in that forum, primarily due to the fact that your log shows no indication that malicious infections are the root of your problem. Given that, and the fact that our posting rules prohibit asking the same question in multiple forums, I think this forum is better suited to your question/problem, even if it does contain a HJT log.


It would be good to clarify one thing regarding your problem: is the "find a zip code" link on UPS' site the only link/site where you encounter the "Cannot find server..." messages, or does it happen at other sites as well? If so, please elaborate.

DMR 152 Wombat At Large Team Colleague

well that beets NO internet.

The Internet is made of beets? Well I'll be... Beat. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Hi xcidius,

Welcome to the site :)

You are using a slightly older version of HijackThis; please remove the version of HJT that you are currently using, download and install the latest version (1.99.1), and post a new log.

DMR 152 Wombat At Large Team Colleague

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Windows Configuration] wincfg32.exe

DMR 152 Wombat At Large Team Colleague

Unfortunately, one of the drawbacks of programs like Cybersitter, NetNanny, etc. is that they can actually block legitimate sites and/or content. Their filter lists are not perfect, and can sometimes be a bit too "conservative".

DMR 152 Wombat At Large Team Colleague

1. Please give us the exact name of the file that you see in Task Manager and any other specific information that you might have concerning the infection.


2. I'd suggest that you remove SpyFighter and use reputable programs like Ad Aware and SpyBot instead. SpyFighter's accuracy is questionable, and the company apparently has advertising partnerships with some of the adware distributors.
You can read a bit more about SpyFighter and other suspect (or outright bogus) "anti-spyware" programs here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

It's a good idea to consult the list at the link above before downloading/installing any spyware-related utilities.


3. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {44FA143F-05A1-A796-536B-363BB7DC977C} - C:\WINDOWS\netyq32.dll

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the C:\WINDOWS\netyq32.dll file.

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of …

DMR 152 Wombat At Large Team Colleague

It looks like the R1's keep renaming itself.

You're exactly right- this infection (and others) can and does "morph" its filenames. This usually happens at reboot, so it's best not to reboot your computer during the disinfection process unless you're specifically instructed to do so.

1. Try this download link for about:buster.

2. Also download HSRemove.

3. Physically disconnect your Internet/network cable from your computer.

4. Run HSRemove, CWShredder, and About:Buster consecutively; have them fix whatever they find.

5. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run HSRemove, CWShredder, and About:Buster again.

- Run HijackThis again and have it fix the following entries (don't worry if the actual filenames in the entries have morphed again):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6C3402C2-3A3A-A516-2790-602FF5091C3B} - C:\WINDOWS\system32\apihs.dll
O4 - HKLM\..\Run: [apihs.exe] C:\WINDOWS\system32\apihs.exe
O4 - HKLM\..\RunOnce: [addor.exe] C:\WINDOWS\addor.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner …
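
An added example (not part of the original post and not HijackThis code): Python that picks out the entries to fix by their shape rather than by file name, so a DLL that was renamed at reboot is still matched. The function names and the DLL name `qzxvk.dll` are invented for illustration; the other log lines are copied from the posts on this page.

```python
import re

# Sample log lines copied from the post above.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytjwq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
"""

# Constructed sample: the same log after a reboot. qzxvk.dll is an invented
# placeholder name; the F2 line is the Shell= entry quoted elsewhere on the page.
AFTER = BEFORE.replace("ytjwq.dll", "qzxvk.dll") + (
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe" + "\n"
)

# "R0/R1 - <registry key>,<value name> = <data>" (data may be empty).
REG_VALUE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<data>.*)$")
# Data that points Internet Explorer at a page stored inside a DLL.
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
# A Shell= line that starts something in addition to Explorer.exe.
SHELL = re.compile(
    r"^F2 - REG:system\.ini: Shell=Explorer\.exe\s+(?P<extra>\S.*)$",
    re.IGNORECASE,
)


def res_dll(line):
    """Return (registry value, DLL path) for an R0/R1 res:// entry, else None."""
    m = REG_VALUE.match(line.strip())
    if not m:
        return None
    r = RES_DLL.match(m["data"])
    return (m["key"], r["dll"]) if r else None


def shell_extra(line):
    """Return the program appended after Explorer.exe in an F2 entry, else None."""
    m = SHELL.match(line.strip())
    return m["extra"] if m else None


def res_hijacks(log_text):
    """Map every hijacked registry value in the log to the DLL it points at."""
    return dict(filter(None, map(res_dll, log_text.splitlines())))


def entries_to_fix(log_text):
    """Lines matching either shape, whatever the file is currently called.

    Other values (about:blank, Window Title, ...) are left for a human to judge.
    """
    return [
        ln.strip()
        for ln in log_text.splitlines()
        if res_dll(ln) or shell_extra(ln)
    ]


def morphed(before, after):
    """Registry values hijacked in both logs that now point at a different DLL."""
    old, new = res_hijacks(before), res_hijacks(after)
    return sorted(
        (key, old[key], new[key])
        for key in old.keys() & new.keys()
        if old[key].lower() != new[key].lower()
    )


if __name__ == "__main__":
    for key, old_dll, new_dll in morphed(BEFORE, AFTER):
        print(f"{key}: {old_dll} -> {new_dll}")
    print("\n".join(entries_to_fix(AFTER)))
```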

DMR 152 Wombat At Large Team Colleague

As the others have said- get a small switch. Although you can use a router as a switch, routers are made to do more than simple switching functions; a router would be overkill both cost-wise and complexity-wise in your case.

As Christian said, you should (depending on your location) be able to get a 4 or 5 port switch for around $30 USD.

DMR 152 Wombat At Large Team Colleague

if this is in the wrong forum feel free to move it, I'm still figuring out where to put everything

No problem. :)

Your question is a valid technical question concerning Windows software packages, so I've moved it to our Windows Software forum.

DMR 152 Wombat At Large Team Colleague

You're infected with a variant of the "about:blank" hijacker, as well as a couple of other nasties.

Please do the following:

1. Download, install, update, and run these three about:blank removal tools; have them fix whatever they find:

CWShredder
HSRemove
about:Buster


2. Download, install, and run the following spyware detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. …

DMR 152 Wombat At Large Team Colleague

or could read my HJT log...

Sure, but you'll have to post the log in order for us to read it. :p

Is your current anti-virus program unable to delete the virus?

If so, and if you can get online for a long enough period, try some of these free online anti-virus/anti-spyware scanners:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

DMR 152 Wombat At Large Team Colleague

Hi gatnus,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Just thought I would put my 2 cents in.

One way to stop a site from coming up is to add it to your HOSTS file...

Unfortunately though:

- You have to do that for each and every site that you want to block.

- You would (obviously) have to know the URL of every site that you want to deny access to.

- The kid could remove the host file entries in less time than it took to put them there.

DMR 152 Wombat At Large Team Colleague

Ok- you've definitely got "unwanted guests". Please do the following in order to get most (if not all) of the infections cleaned:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating …

DMR 152 Wombat At Large Team Colleague

Run memtest86 so that we can determine whether or not a physical memory failure has anything to do with this; memtest86 can do a more thorough job of testing than tools that run under Windows.

Another place to look for clues is in your system and application logs:

Open the Event Viewer utility in your Administrative Tools control panel.

In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to your problem, post the full and exact contents given in the detail windows.

DMR 152 Wombat At Large Team Colleague

Hi Grant,

Have you ever noticed how Deja Vu can come into play when you're out there Googling around for information?
Hint: I believe these are your footprints, yes? :mrgreen:


Unfortunately, in this case the log entries report "faulting module unknown" instead of identifying the actual file (module) that is causing the error. Because rundll32.exe is responsible for managing many Windows processes, "module unknown" doesn't give us as much to go on as I would like. :(

Can you give us more specific information about the problem such as when it started to occur, if you had added/removed/upgraded any software at about that time, or if you've had any recent virus infections? Anything you can think of along those lines could help us pinpoint the exact cause.

DMR 152 Wombat At Large Team Colleague

1. The ACPI error comes from a conflict related to the power management function in your BIOS and/or its interaction with a piece of hardware or its drivers. Some BIOSes are known to have problems with their ACPI implementation, and some drivers are known to have non-standard or buggy ACPI-related code. You may need to either flash upgrade your BIOS or, if you've recently installed/upgraded any drivers, roll those back to the previous version. More info on possible causes and fixes can be found here:

http://www.google.com/search?hl=en&q=%22ACPI+BIOS+is+attempting+to+write+to+an+illegal+IO+port+address+%280x70%29%22&btnG=Google+Search


2. "The name "MSHOME :1d" could not be registered...". This is usually indicative of a NetBIOS naming conflict between two machines on your network.
The official word from Microsoft is here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q822659

If that link doesn't help, give us a detailed description of your network setup and we'll see if we can offer any suggestions.


3. "DCOM got error...". SymProxySvc is a component of the firewall in Norton's Internet Security package; the fact that it is failing to start could be related to your other problems, but I can't say for sure.

- Open the Services utility in your Administrative Tools control panel, locate the SymProxySvc service, double-click on it, and click the Start button. Does the service start successfully when you do that, or does it still fail?

- You might want to try uninstalling and reinstalling the Norton package; I've found it to be somewhat prone to …

DMR 152 Wombat At Large Team Colleague

If you are on a home network/system with no services, no firewall is required or even recommended.

Um.......

A networked system running no services, eh? If you've invented such a system, I'd suggest you patent that puppy pronto! :mrgreen:


Seriously though- While XP service pack 2 is a bit better about this than previous versions of Windows, an installation of any version of Windows will leave you with at least a few unnecessary services enabled by default. Having active network services means that you'll have open network ports, and that's a Bad Thing security-wise. In addition, on top of the normal Windows services, many users also install programs like Instant Messaging, IRC (chat), etc., and those programs open up even more ports on their computers.

While a firewall (hardware or software) certainly can be used to monitor/block/filter ports, the proper way to secure your system is to disable the services that open those ports in the first place. After all, an active port is an active port even if you've got a firewall guarding it, and firewalls can definitely be compromised. If your firewall does get breached, your open ports present an unprotected attack vector through which malicious programs and people can compromise your system.

That said though, your average user doesn't even know what services and ports are, let alone know which services should be disabled and which services are needed. Given that, a firewall can provide at least some measure of protection …

DMR 152 Wombat At Large Team Colleague

There is one more error that is related to my local network...

If you have details of those errors, please post them.

The "SymProxySvc" reference is related to your Norton/Symantec programs, but I don't have time to research the exact error messages right now.

DMR 152 Wombat At Large Team Colleague

Hello dfederman,

Given the fact that I've been through these issues with many of my "real life" clients, I have to agree with Christian and Catweazle.

Basically: there is no technology-oriented solution that will solve your problem. While the Internet is an absolutely essential tool for doing schoolwork, there is really no foolproof way to limit your child's use of any given computer to only that sort of work.

Here's what I would suggest:

Get him his own computer; base models that will serve his needs education-wise are fairly cheap. The computer doesn't need to be capable of doing anything more than the basics needed for his work. Complaints about things like the graphics card not being able to support the games he wants to play and the like should obviously be ignored.

This one I've unfortunately been through with one of my clients, even after she did get a dedicated computer for one of her kids:

The teenager ignored all of my recommendations, and also refused to use any of the protective programs I installed. Being "his" computer, he also had convinced his parents that his user account had to have administrative rights, which obviously meant that he could undo/uninstall/disable any of the utilities I installed.

I eventually told the parents that it wasn't in their best interest to keep paying me to come over and clean up this computer, and that I would no longer do so; they agreed.

The …

DMR 152 Wombat At Large Team Colleague

You've got more than the Aurora infection. :(

Please follow the instructions below carefully and fully; they are specifically for Aurora removal, but should also clean up some of your other "unwanted guests" as well:

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well …

DMR 152 Wombat At Large Team Colleague

As lloyd suggested, can you boot into Safe Mode or Safe Mode with Networking? If so, does the system seem stable in those modes?

DMR 152 Wombat At Large Team Colleague

By the way- I've deleted your earlier post on the matter, as it was essentially the same as this post and hadn't gotten any responses.

DMR 152 Wombat At Large Team Colleague

Hey T_I,

Do you have an anti-virus program doing email checking? If so, turn that option off. Since you said the problem is not confined to one particular program, I'd start there first.

DMR 152 Wombat At Large Team Colleague

Hi barney_cc,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Does the system even have a chance to write any errors to the log files? Use the Event Viewer to check those logs and let us know if you find anything.

DMR 152 Wombat At Large Team Colleague

Hi drrtybyl,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Hi ggames, welcome to our site. :)


To begin with, please do the following in order for us to (hopefully) get a more specific idea of the exact cause of the problem:

Open the Event Viewer utility in your Administrative Tools control panel.

In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to your problem, post the full and exact contents given in the detail windows.

DMR 152 Wombat At Large Team Colleague

If you want to eliminate the possibility of bad RAM (which you should do), run the memtest86 utility. Instructions and download link are here:

www.memtest86.com

DMR 152 Wombat At Large Team Colleague

*groan*

Right now I can't think of anything in addition to what we've suggested so far, but you might want to use our forum search function to review some of the threads we've had that deal with "cannot find server...", etc. problems. The possible causes of those types of problems are many and varied.

To do that, go to our main "Microsoft Windows" category, click on the "Search This Forum" button, and try the following keywords/keyphrases in your search:

"cannot find server"
"dns error"
problems accessing "web sites"


Although I doubt it will help in this particular case, it might: download and run the free WinsockXPFix utility.

DMR 152 Wombat At Large Team Colleague

OK- you've definitely got some "nasties" there, but we need to take care of one thing first:

In my previous instructions I asked that you download HijackThis into its own separate folder outside of any Temp folders. However, the following entry from your log indicates that you are running HijackThis from within a Temp folder:

C:\DOCUME~1\ADRIAB~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

As I posted before:

"Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do."

Once you've taken care of the above, please run at least two of the following free online anti-virus/anti-spyware scans and have them fix/clean everything they find:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...n_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


After that, run HijackThis again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

You've got more than the Aurora infection. :(


Please follow the instructions below carefully and fully; they are specifically for Aurora removal, but should also clean up some of your other "unwanted guests" as well:

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, …

DMR 152 Wombat At Large Team Colleague

Hi Andrew, welcome to our site. :)

Please do the following so that we can get a better idea of what specific infections may exist on the computer:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

There's a little bit of cruft in your HJT log, but nothing which looks like it would be the root of your problem. That, and the additional fact that a DHCP release/renew sometimes fixes the problem, makes it sound like this could be more of a general network connectivity issue than a virus/spyware-specific problem.

Have HijackThis fix these, and then delete the entire C:\Program Files\WebSavingsfromEbates folder if it exists:

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)


Here are a few things to try/check (if you are running any firewall software, disable it entirely before doing any of the following. Firewall programs quite often get "confused" or corrupted, causing problems such as yours):


1. Download and run the free IEFix utility.


2. When the problem occurs, see if you can reach sites by their actual IP addresses instead of their URL. For example, if you find that you can't reach http://www.google.com, put the following in your browser's location/address box instead and see if the Google home page comes up:

http://66.102.7.147


3. When you can't reach a site through your browser, see if you can at least "ping" the site. Again using Google as an example:

- Under your Start menu, go to Programs->Accessories->Command Prompt.

- In the …

DMR 152 Wombat At Large Team Colleague

No problem. With the log open in Notepad:

- Click on the Edit menu option at the top left of the Notepad window.
- Click on the Select All option under the edit menu. All of the text in the log should become highlighted.
- Click on the Copy option under the edit menu.
- Start a new post here by clicking the Reply button.
- When the Reply window opens, click your mouse in the text/message entry box.
- Then click on the Edit menu option at the top of your web browser's window and click the Paste option under the Edit menu.

That should put a copy of the contents of the HijackThis Notepad file into your post. Just click Submit Reply after that.

DMR 152 Wombat At Large Team Colleague

Hi Larry,

Please do as dlh6213 suggested and we'll go from there:

Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

DMR 152 Wombat At Large Team Colleague

By the way, I see that this is your first post. Welcome to the site :)

DMR 152 Wombat At Large Team Colleague

If you already know that you've got one type of infection, it's pretty likely that you have others as well. Please do the following so that we can get a better idea of the state of your system:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

The infections are morphing and creating new infectious files. It will be difficult to fix this with HijackThis alone, so let's try a few automated detection and removal methods:

1. Use Norton's Live Update feature to make sure you have the most current updates for Norton Anti-virus and run a full system scan.


2. Run at least a couple of these free online anti-virus/anti-spyware scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...n_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete …

DMR 152 Wombat At Large Team Colleague

Hi csymo,

First of all, welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem; in your particular case posting a HijackThis log would be advised.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

1. I only see one suspicious entry in your HijackThis log (but I don't think it's the source of your Explorer problems). Please do the following:

a) Run HJT again and have it fix:

O4 - HKLM\..\Run: [RunDlI] C:\windows\systemp\server.exe

b) Delete the C:\windows\systemp\server.exe file and empty your Recycle Bin. If you can't use Explorer to locate and delete the file, try it from a DOS window:

- Under your Start menu, go to Programs->Accessories and click on Command Prompt.

- type the following command at the DOS prompt and then hit Enter:

del C:\windows\systemp\server.exe

- Close the DOS box when the command completes.


2. The .mdmp (minidump) and appcompat.txt files are log files that Windows creates when a program crash occurs. The contents of the files can help programmers debug the crashing application code, but unfortunately they won't be of much help to us.

Let's see if your system and application log files can give us more specific information:

- Open the Event Viewer utility in your Administrative Tools control panel.

- Look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to your problem, post the full and exact contents given in the detail windows.


3. You should try the following to …

DMR 152 Wombat At Large Team Colleague

Hi lisafigs, welcome to DaniWeb. :)

Your log does show signs of the evil Aurora, as well as a few other infections. To begin with, please follow the Aurora removal instructions below carefully:

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the …

DMR 152 Wombat At Large Team Colleague

*runs away*

You mean *bounces* away, right? Tiggers' tails are made of the spring, after all...

DMR 152 Wombat At Large Team Colleague

Sounds good. Let us know if anything seems to crop back up.

DMR 152 Wombat At Large Team Colleague

It is not letting me delete nntqws32.dll, it says it is in use

Even when you're booted into Safe Mode?

Try unregistering the dll before deleting it:

1. Run HijackThis again and have it fix the O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\ntqw32.dll if it still exists.

2. Open an MS-DOS window, type the following command at the prompt, and then hit Enter. Close the DOS window when the command completes:

regsvr32 /u C:\WINDOWS\ntqw32.dll

3. Reboot into Safe Mode and try deleting the file again.
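
The three HijackThis entries quoted in the posts above (O4 Run, F2 Shell, O2 BHO) share one line format. As an added example, not part of the original posts or of HijackThis itself, this Python parser splits such lines into section code, name and referenced file, and flags a `Shell=` value that starts anything besides Explorer.exe. The function and field names are assumptions, and the final `Shell=Explorer.exe` sample line is constructed for comparison.

```python
import re

# The first three lines are the entries quoted in the posts; the last line is a
# constructed clean value for comparison.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RunDlI] C:\windows\systemp\server.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\ntqw32.dll
F2 - REG:system.ini: Shell=Explorer.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Drive-letter path ending in .exe or .dll (spaces inside the path are allowed).
PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll)", re.I)

def parse_entry(line):
    """Return a dict for one log entry, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "body": body, "name": None, "path": None, "notes": []}
    p = PATH.search(body)
    if p:
        entry["path"] = p.group(0)
    if code == "O4":    # autostart: "<hive>\..\Run: [ValueName] command"
        v = re.search(r"\[(.*?)\]", body)
        entry["name"] = v.group(1) if v else None
    elif code == "O2":  # Browser Helper Object: "BHO: name - {CLSID} - dll"
        c = re.search(r"\{[0-9A-Fa-f-]{36}\}", body)
        entry["name"] = c.group(0) if c else None
    elif code == "F2":  # "REG:system.ini: Key=value"
        key, _, value = body.rpartition(": ")[2].partition("=")
        entry["name"] = key
        # Assumption: bare "Explorer.exe" is the expected Shell value.
        extra = re.sub(r"^explorer\.exe\s*", "", value.strip(), flags=re.I)
        if key.lower() == "shell" and extra:
            entry["notes"].append("Shell launches more than Explorer.exe: " + extra)
    return entry

def parse_log(text):
    """Parse every recognisable entry line in a pasted log."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["code"], e["name"], e["path"], e["notes"])
```

The `path` field gives the file each entry points at, which is the file the posts then ask the user to delete or unregister after fixing the entry.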

DMR 152 Wombat At Large Team Colleague

When you install your router for the first time you can select for example WEP to encrypt the signal

You can also set up WEP and other security options post-install via the router's built-in setup utility.

In addition to WEP/WAP encryption, here's a bit more on security-related wireless settings from an earlier post of mine. The discussion was concerning a Linksys router, but the basic ideas are not Linksys-specific:

Most of the configuration is done in the router's setup utility, so open your web browser and point it to http://192.168.1.1, which is the default IP for that model of router.

Speaking of "defaults", it is never a good idea to leave settings such as the IP address, device name, administrative password, SSID, etc. of a wireless router or other wireless access device at their defaults. The default settings for different manufacturers' devices are well known, and getting just one of those pieces of information can give an attacker a lot to go on.

For instance: if I wander around downtown San Francisco with my laptop, I can usually pick up at least 7 wireless networks in any given place. Most of the time, 3 or so of those networks will be broadcasting the default SSID "Linksys". Just from seeing that, I can be 99% sure that at least one of those networks:

- Is not using WEP encryption.
- Is using the Linksys default IP of 192.168.1.1 for the router.

DMR 152 Wombat At Large Team Colleague

There are a few different things that could cause the problem. Can you give us more specific info to help us narrow things down:

- Which exact burning program are you using?

- You say the software "is not working"; please give us more detail on that. Do you get error messages? If so, what exactly do the errors say?

- Does the burning software even recognize that the CD drive is physically present?

- What types of files are you trying to burn (music, data, etc.)?

- As root, open a terminal window, type the following command, and see if your CD drive is detected:

cdrecord -scanbus

DMR 152 Wombat At Large Team Colleague

and the root partition certainly qualifies as "in use".

Yes, it certainly does. :mrgreen:

Resizing any partition presents the possibility of data loss, but you're definitely asking to get hosed if you try to resize an active OS/system partition. Also remember that with your particular partition scheme, all branches of your filesystem (/usr, /boot, /home, etc.) live in the root partition. If something goes wrong with the resize, you could lose everything on the drive.

One possibility is to boot from a rescue CD or a "live" CD like Knoppix and run a partitioning tool from the CD, but even that isn't foolproof. The fact that you're using reiserfs makes things even a bit more iffy, because many partition manipulation utilities (even the "pay for" Partition Magic) don't support reiserfs well, if at all.

Given that you're planning on upgrading SuSE soon anyway, I'd back up all of your critical data to CD or a spare hard drive and start from scratch. This time though, plan for expansion: slice the drive into several smaller partitions so that you have some spare space to play with in the future.

DMR 152 Wombat At Large Team Colleague

There are no indications of Aurora or any other infections in that log, which is a good start.

Are you still seeing any signs of "unwanted guests", or do things seem to be working properly now?