... every time I boot Windows, I get an error message that says Windows cannot find C:/WINDOWS/Nail.exe
Nail.exe is part of the Aurora infection; we'll get rid of the error message in the course of disinfecting your system.
To begin with, please do the following:
1. Run HijackThis again and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DF83D71D-7E3C-905C-49E6-8B0B8142868F} - C:\WINDOWS\ntqw32.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipmg32.exe] C:\WINDOWS\ipmg32.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Sal\LOCALS~1\Temp\hpdj.exe
2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following file:
C:\WINDOWS\ntqw32.dll
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):
Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
- Delete the entire content of your C:\Windows\Temp folder.
- Delete the entire content of your C:\Windows\Prefetch folder.
Note- …
When I try to load Explorer, I get an error message
Before we do anything else, you should post the full and exact text of any/all error messages you're getting.
Aurora is a right pain to remove; please follow these instructions carefully:
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
I don't see any signs of malicious infections in your log. What happens if you just choose to accept or deny the change when prompted by Sygate instead of closing out of the window each time?
One possibility to check:
You have at least three programs controlling and monitoring your IE page settings (SpyBot, SpywareGuard, and SpywareBlaster). The attempted page change could be the result of one program thinking that one of your IE page settings should be changed to something other than its current page. In other words, perhaps all of your IE protection programs aren't all on the same, um... page. (ouch- bad pun)
You might want to get SpyBot; it's a good complement to Ad Aware. Surprisingly enough, Microsoft's AntiSpyware is actually a pretty good utility as well.
What bay area? There are a lot of bay areas on this planet. ;)
Nope; there's only one Bay Area- the San Francisco Bay Area. :mrgreen:
Hey servertweak,
I'm in Fairfax (Marin county); where are you?
A) Good job- that's a clean log. :)
B)
I downloaded NoAdaware before contacting you here, they claimed to be able to get rid of my problem. They failed, and were much more difficult to contact.
I think you mean NoAdware (not NoAdaware), yes? That program does not have a good track record at all; it is definitely not one of the programs we recommend (and most of the programs we do recommend are free).
You can read more about NoAdware and other questionable (or outright bogus) "anti-spyware" programs at the following site:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
It's always a good idea to consult the list of programs at the above site before installing any anti-spyware software (especially if you're planning on spending $$ on it).
C) Now that your log is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely …
Unfortunately, svchost manages many different Windows files. Without being able to tell which exact file is faulting, I can't suggest any specific places to look.
...I get a reference to the file faultrep.dll
faultrep is part of the Windows error-reporting process itself; it most likely isn't responsible for the fault. Can you be more specific about the information you saw regarding the faultrep file?
- If the printer really was giving you trouble, did you make sure that you removed all of the components that were installed with the printer? I know that HP can load your system up with all kinds of "accessory" programs in addition to the basic printer driver software.
- Can you do a System Restore back to a day just prior to the time the problem started? That might help.
-
... when I open Windows Explorer, it needs a lot of time to find all the disks
There are a few things that can make that happen, but the first recommendation is to clean out old and unused items and then defragment your drive:
- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- For every user account …
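The "empty the per-user folders, but keep the folders" step shows up in this post and, in full, in the Nail.exe post further up (Cookies, Local Settings\Temp, Local Settings\History, Local Settings\Temporary Internet Files, for every account under C:\Documents and Settings). Below is an added example written for this page; it is not from the thread or from any utility the replies mention. It takes the profile root as a parameter and defaults to a dry run, so it can be rehearsed on a throwaway tree first, and the dry-run report is the moment to move anything you still want out of those folders before the real pass. The profile names "Sal" and "Guest" and the "thesis.doc" file in the demo tree are constructed.

```python
"""
Added example, not from the thread or from any tool it names: empties the per-user
folders the cleanup step lists for every profile under a "Documents and Settings"
root while keeping the folders themselves. profiles_root is a parameter so the run
can be rehearsed on a throwaway tree; dry_run=True only reports what would go.
"""
import os
import shutil
import tempfile

# Folders, relative to each profile, whose contents (not the folder) get deleted
PER_USER_FOLDERS = [
    "Cookies",
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "History"),
    os.path.join("Local Settings", "Temporary Internet Files"),
]

def empty_folder(folder, dry_run=True):
    """Delete everything inside `folder` but keep the folder; return the paths touched."""
    removed = []
    if not os.path.isdir(folder):          # profiles such as "All Users" lack some folders
        return removed
    for entry in sorted(os.listdir(folder)):
        target = os.path.join(folder, entry)
        removed.append(target)
        if dry_run:
            continue
        if os.path.isdir(target) and not os.path.islink(target):
            shutil.rmtree(target)           # subfolders go too, e.g. Temp/<subdir>
        else:
            os.remove(target)               # files and symlinks
    return removed

def clean_profiles(profiles_root, dry_run=True):
    """Run empty_folder on each listed folder of every profile; return {profile/folder: [paths]}."""
    report = {}
    for profile in sorted(os.listdir(profiles_root)):
        pdir = os.path.join(profiles_root, profile)
        if not os.path.isdir(pdir):
            continue
        for rel in PER_USER_FOLDERS:
            removed = empty_folder(os.path.join(pdir, rel), dry_run)
            if removed:
                report[os.path.join(profile, rel)] = removed
    return report

def build_demo_tree(root):
    """Constructed sample tree: two profiles with junk in the listed folders plus one real document."""
    for user in ("Sal", "Guest"):
        for rel in PER_USER_FOLDERS:
            folder = os.path.join(root, user, rel)
            os.makedirs(folder)
            with open(os.path.join(folder, "junk.tmp"), "w") as fh:
                fh.write("x")
        os.makedirs(os.path.join(root, user, "Local Settings", "Temp", "nested"))  # a subfolder too
    docs = os.path.join(root, "Sal", "My Documents")
    os.makedirs(docs)
    open(os.path.join(docs, "thesis.doc"), "w").close()

def rehearse():
    """Dry run, then real run, on a throwaway tree; return what each run did."""
    root = tempfile.mkdtemp(prefix="profiles_")
    try:
        build_demo_tree(root)
        planned = clean_profiles(root, dry_run=True)
        planned_paths = [p for paths in planned.values() for p in paths]
        dry_left_all = all(os.path.exists(p) for p in planned_paths)
        clean_profiles(root, dry_run=False)
        listed = [os.path.join(root, u, rel) for u in ("Sal", "Guest") for rel in PER_USER_FOLDERS]
        return {
            "planned_entries": len(planned_paths),
            "dry_run_deleted_nothing": dry_left_all,
            "folders_kept": all(os.path.isdir(d) for d in listed),
            "folders_now_empty": all(not os.listdir(d) for d in listed),
            "documents_untouched": os.path.exists(os.path.join(root, "Sal", "My Documents", "thesis.doc")),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(rehearse())
```

On a real machine the call would be `clean_profiles(r"C:\Documents and Settings", dry_run=False)` from Safe Mode, after reading the dry-run report; files that are still locked will raise and can be handed to HJT's "Delete a file on reboot" option mentioned later in the thread.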
Did the System File Checker find anything wrong, or did it just complete without giving you any feedback?
Because the member who originally started this topic has not responded in 2 years, this thread is considered abandoned and has been closed.
In accordance with our posting rules, all members who may be having similar problems need to start their own threads and ask their questions there.
New members are advised to read our full posting rules in order to acquaint themselves with our guidelines regarding use of these forums:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks.
I do have some more suggestions, but I don't have time to gather them together and post them right now.
I'll flag your thread for follow-up, but please feel free to post a response here if no one has gotten back to you by tomorrow afternoon. We don't want to forget you, but threads can fall through the cracks....
Hi HelpMeh,
First of all- welcome to TechTalk!
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your questions and your HijackThis log there.
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
1. Spyware and/or viruses may have damaged IE beyond the point where just removing the infections will fix things. You should try to get IE working again though, because you can't use the Windows Update feature with any other browser:
A. Try the free IEFix utility.
2. There are some security-related reasons why Netscape, Opera, Firefox, etc. are all more immune to many of the well-known exploits that can be used to compromise IE. Once you get beyond that though, the question of which browser is "better" is really a matter of personal preference.
3. The Sasser worm:
You should make sure Norton has the most current updates installed and run a full system scan to see if Norton picks up more pieces of the worm. Have it repair whatever infections it finds.
You might also want to run a couple of these free online anti-virus scans as well:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
4. Microsoft's firewall: Not as good as other firewall programs (especially when it comes to blocking outgoing connection attempts) but better than nothing.
1. For the problems you're having with the ".dll" files, try running the System File Checker. It will scan your system to make sure you have good copies of the core Windows system files installed, and will tell you if any of the files are missing or corrupted. If it does find missing or corrupted files, it will prompt you to insert the Windows installation CD and will pull fresh copies of the files from that disk. More detail on using the Utility in Win 98 can be found on this page at Microsoft's support site:
http://www.microsoft.com/resources/documentation/windows/98/all/reskit/en-us/part5/wrkc27.mspx
2. For the problem you're having with the one web site, try this:
Open an MS-DOS window, type the following at the DOS prompt, and then hit Enter:
ipconfig /flushdns
OK- keep us posted; let us know what you find...
It's true- the longer you do freelance work, the more you run into people with some very strange personality quirks. Oh well... at least we don't have some boss telling us that we have to deal with those people.
The Desktop Search entry might not appear in the list of installed programs; don't worry about it if it doesn't.
For the files that you're having trouble deleting, try the "Delete a file on reboot" option in HJT's Misc. Tools page. Locate and select each of the four files for deletion one at a time. You will be asked if you want to reboot after you select each file; don't choose to do so until you've reached the last file.
...I left the freelance world.
I'm in that world, and I run across those sorts of reactions every once in a while. The thing I've learned is that you can't dwell on them; you just "let it roll" and move on. After all- if there's one upside to working for yourself, it's the fact that you can decide who is worth expending your energy on and who isn't. :)
Sorry- "real life" has kept me away from the site.
Try this:
- Open the Services utility in your Administrative Tools control panel.
- Locate the service named " 11Fßä#·ºÄÖ`I" (if it exists) and double-click on it to check its status. If the service is not reported as both "Stopped" and "Disabled", stop the service and set its startup type to "Disabled". Close the Services utility after that.
- Run HJT again and retry the service deletion process.
If that does not work, try deleting the service manually through the Windows Registry Editor:
- Click on the "Run..." option under your Start menu, type the following command in the resulting "Open:" box, and hit Enter:
regedit
- At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
- Navigate through the folder tree to the following locations and look for a sub-folder named " 11Fßä#·ºÄÖ`I". Delete the folders if found:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
(Note that not all of the "ControlSet00X" folders listed above may exist on your particular system)
- Close the Registry Editor and reboot. Run HJT again and see if the O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - …
Glad we could help. :)
On top of using the "anti-spyware" utilities you installed for this troubleshoot, here are some other general suggestions that can minimize your chances of getting infected again:
Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.
6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.
7. None of your utilities are of much good if you …
Hi angelus88,
First of all- welcome to TechTalk!
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
Glad it worked for you. :)
You're welcome; glad we could help. :)
To answer some of your questions:
1. svchost.exe is a core Windows process which manages DLLs and Windows services. Because svchost is responsible for handling a variety of tasks, you'll almost always see multiple instances of it running on your computer. Each of those individual instances of svchost is managing a certain type/group of services (networking-related tasks, for example).
2. To keep the utility programs from running automatically when Windows starts up, go into each program's properties/preferences settings and disable their "auto start" features.
3. Removing items that get "stuck" in your Add/Remove Programs control panel involves editing a key in your Registry. Instructions are here:
http://www.winguides.com/registry/display.php/110/
4. Yes, you can put the folder settings back to their defaults now.
And finally, here are some general suggestions that can help minimize your chances of getting reinfected:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using …
Because the original threadstarter hasn't responded to this thread in over 1 1/2 years, this thread is considered abandoned and has been closed.
(Sorry if I revived an old thread)
Hi Wolfy, welcome to the site. :)
We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
If it indeed is gone, I have some extra questions if you wouldn't mind answering.
Good work. :)
The infections do indeed seem to be gone; there's only one loose end left to take care of. Run HJT again and have it fix:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
Other than that, your log is now clean, and of course we'll try to answer any further questions you have; just ask.
Try this:
- Open Windows Explorer
- Under the Tools menu, choose Folder Options
- Click on the "File Types" tab.
- In the resulting list of registered file types, hilight each type (jpeg, gif, etc.) for which you want to change the default program association and click the "Change" button. The rest should be self-explanatory.
Some entries in your log are indicative of the evil "bube.d" infection. Please follow the cleaning instructions in the following link fully and completely (the procedures will most likely clean up some of your other infections as well):
http://www.dslreports.com/forum/remark,12688162~mode=flat
After doing the above, run HijackThis again and give us the new log to review.
The gibberish characters in the service's filename may very well be confusing HijackThis, but it also looks like you were leaving out the first character of the filename (the blank space) when you entered the name into HJT's "delete an NT service" box.
Try this:
- Open the Services utility in your Administrative Tools control panel.
- Locate the service named "Workstation NetLogon Service" or " 11Fßä#·ºÄÖ`I" and double-click on it to check its status. If the service is not reported as both "Stopped" and "Disabled", stop the service and set its startup type to "Disabled". Close the Services utility after that.
- Run HJT again and retry the service deletion process.
If that does not work, try deleting the service manually through the Windows Registry Editor:
- Click on the "Run..." option under your Start menu, type the following command in the resulting "Open:" box, and hit Enter:
regedit
- At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
- Navigate through the folder tree to the following locations and look for a sub-folder named either "Workstation NetLogon Service" or " 11Fßä#·ºÄÖ`I". Delete the folders if found:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
(Note that not all …
Good work- that's a clean log... :)
The "svhost.exe" entry in the log may just have been a loose end; the actual svhost.exe file itself was probably removed by one of the utilities you ran.
How do things seem to be working now?
Your log indicates that you have at least a couple of different infections. Let's see if we can get some of it cleaned up with a few automated utilities before digging in with HJT and manual removal methods.
1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:
about:Buster
HSRemove
ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy
3. Run HijackThis again and post a fresh log.
Hi adrules111,
First of all- welcome to TechTalk!
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Given that, I've split your post into its own thread, which you can find here:
http://www.daniweb.com/techtalkforums/thread24941.html
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
Remove VX2 manually
Like many other types of infections, there are numerous variants in the general VX2 family of transponder parasites. Unfortunately, that often means that a given set of manual removal instructions may not apply to the particular variant that your computer is infected with. :(
I have the annoying aurora popup too and have tried everything...
Aurora is definitely annoying (and that would be putting it mildly), but judging from your log, it doesn't look like you've gone through the specific Aurora removal process yet. Your log also indicates that you may have other infections, and some of the following should clean those up as well:
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
…
Hi media_luvvie, welcome to our site :)
Don't worry about being confused when it comes to trying to figure out which programs you should use to protect yourself from all of the possible threats out there; given the huge amount of "nasties" that Windows users can suffer from, your question is well worth asking.
Use McAfee until your subscription runs out if you'd like. I wouldn't suggest renewing it after that though, and nor would I suggest switching over to Norton's products as an alternative. The offerings from McAfee and Norton are both "pay for" products to begin with, and Norton's programs have the same sort of subscription-renewal plan as McAfee's. In addition, there are other (free) programs which often do a better job.
My suggestions would be:
1. Installable anti-virus programs:
AVG: http://www.grisoft.com/doc/40/lng/us/tpl/tpl01
Avast!: http://www.avast.com/eng/down_home.html
2. Free online anti-virus scanners:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
3. Some specific "anti-spyware" detection/removal/protection programs:
ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
SpywareBlaster and SpywareGuard - http://www.javacoolsoftware.com/downloads.html
IESpyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Firewall programs:
Kerio Personal Firewall - http://www.kerio.com/kpf_download.html
Zone Alarm - the direct …
Unfortunately you're right- even though the utilities I asked you to run may have found and/or removed many infections, the log still indicates that some of your "unwanted guests" don't want to go. That isn't unusual, as some of these beasts are very difficult to remove.
Please print out the following instructions or save them into a text file using Notepad; you will need to disconnect from the Internet for much of the rest of this.
1. I would highly suggest that you uninstall the MessengerPlus3 program; it comes bundled with adware/spyware components.
2. Close all running/open programs, physically remove your network cable from your computer, run HijackThis, and have it fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quulciwxsibucjktbisse.co.../aNHRUeARk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdljtqkxgbclmd.com/IBQyR...7PL9kHpfMI.html
O2 - BHO: (no name) - {71C666C8-C2AD-5D21-462A-BC634F3EACDE} - C:\DOCUME~1\PAUL~1.PAN\APPLIC~1\INSIDE~1\One Byte.exe (file missing)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [amok vga bind regs] C:\Documents and Settings\All Users.WINDOWS\Application Data\Rect upload amok vga\WarnAxis.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [IDLE LESS] C:\DOCUME~1\PAUL~1.PAN\APPLIC~1\OWNSPO~1\PileName.exe
3. Reboot into Safe Mode and open Windows Explorer again; make sure Explorer is set to show hidden files/folders as I described before.
Locate and delete the following file:
C:\WINDOWS\svhost.exe
!! There is a valid Windows file named svchost.exe; make sure that you do not delete …
Hi Rosette, welcome to the site :)
Can any of you share your DaniWeb experience
Hmm, let's see... for me it began about a year and a half ago, when I was drugged and kidnapped in the middle of the night by Dani, our site admin and all-around Forum Goddess.
When I awoke the next day (still a bit groggy, I might add), I found that the word "Moderator" had been tattooed on my forehead, and that my Private Messages box was overflowing with requests from members who needed me to help them decipher very strange and cryptic documents which they referred to as "HijackThis logs".
The rest is more than a bit of a blur, but I still have a faint, lingering recollection of the possibility that I actually did have a "real life" before all of this happened...
But seriously:
and tell us why you would recommend DaniWeb to others?
Many reasons really, but here's my summary:
On the technical side-
We cover a relatively wide range of computer-related topics here, and even though we're only a mid-sized support site, we have some very knowledgeable and helpful members here whose skillsets cover that range.
Those of us who volunteer our time here as troubleshooters are pretty dedicated as well; we try to stick with the threads we've offered help in until the members' problems get resolved. For example: many of us are working from different locations around the world, …
If you want to get all insulted over nothing and turn it into a flame war then I'll be happy to rip you a new one.
And I'll be happy to lock your account if you even consider doing so. There will be no flame wars here.
A better way to have handled this would have been, in your first post, to politely advise GerryD that his question was miscategorized. Had you done so, this wouldn't have escalated to the point of needing moderation.
I'm moving this thread to an appropriate forum now, but I will lock it if there's any further squabbling. Play nice...
There's still a little clean-up left to do:
1. Close all open programs, run HijackThis again, and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
2. Open Windows Explorer and delete the entire C:\Program Files\DAP folder if it still exists.
You should be able to reset your homepage to something other than about:blank once we're done cleaning your system; that probably was just a side effect of our fixes.
Were you able to find and delete the C:\WINDOWS\System32\rir.exe file? It's still listed in your log, and if you did delete it once already, that probably means that there's a hidden malicious file which is recreating it. If so, we'll need to find that file by running another scanning utility.
Please do the following:
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Reboot in Safe mode.
Run HijackThis and have it fix:
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
Once HJT completes the fixes:
- Click on the "Config" button in the lower right corner of HJT's main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Paste the following in the box and click OK (omit the quotes, and note that there is a blank space before the first "1"):
" 11Fßä#·ºÄÖ`I"
- Again in the "Misc Tools" window, click on "Delete a file on reboot". In the Explorer window that opens, navigate to C:\WINDOWS\System32\rir.exe and double-click on it. Click "NO" when the system asks you if you want to reboot now.
Doubleclick …
Your first run of ewido got a lot of the nasties, but not all. Please perform the following full Aurora removal procedure:
Open ewido and update the definitions to the newest files, but Do NOT run a scan yet.
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Ok- ewido cleaned up quite a bit; let's finish:
1. Close all Internet Explorer and Windows Explorer windows, run HijackThis again, and have it fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Delete the following file:
C:\WINDOWS\System32\rir.exe
- Delete the following folder entirely:
C:\Program Files\AWS
- For every user account listed under C:\Documents and Settings, delete …
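The HijackThis entries the helpers single out above (the earlier R0/O3/O4/O23 lines and this post's longer list) share a few tell-tale traits: targets that no longer exist, IE search settings pointing at one hijacker host, a system.ini Shell= line loading a second program, binaries run from Temp folders, and a service with a garbage name and no vendor. The script below is an added example, not a tool from this thread or from HijackThis, that applies those heuristics as a first triage pass over HJT log lines. The watchlist host and the sample lines are taken from the thread; the triage rules, function names and the "Temp folder" test are this example's own assumptions, and an entry they do not flag (the rir.exe Run key, for instance) still needs a human reviewer.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed watchlist for this example: the search-hijacker host seen in the
# thread's log entries. A real triage tool would load a maintained list.
HIJACK_HOSTS = {"websearch.drsnsrch.com"}


def _host_of(value: str) -> str:
    """Hostname of a URL-ish registry value; scheme-less values are tolerated."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _path_in_temp(path: str) -> bool:
    # Matches both "Local Settings\Temp\" and the 8.3 form "LOCALS~1\Temp\".
    return "\\temp\\" in path.lower()


def triage_hjt_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (section, reasons) for one HijackThis log line, or None if the
    line is not an HJT entry. An empty reasons list means nothing was flagged."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    reasons: List[str] = []

    # Any entry whose target file is gone is a dangling leftover; safe to fix.
    if rest.endswith("(file missing)") or rest.endswith("(no file)"):
        reasons.append("target file does not exist (dangling entry)")

    if section.startswith("R"):
        # IE registry settings: "<hive>\<key>,<value> = <url>"
        host = _host_of(rest.partition(" = ")[2])
        if host in HIJACK_HOSTS:
            reasons.append(f"IE search/start setting points at {host}")

    elif section == "F2" and "Shell=" in rest:
        # system.ini Shell= should name explorer.exe alone; anything else on the
        # line is started with the desktop at every logon. (Paths with spaces
        # would need quoting-aware splitting; the thread's sample has none.)
        shell_value = rest.split("Shell=", 1)[1]
        extra = [t for t in shell_value.split() if t.lower() != "explorer.exe"]
        if extra:
            reasons.append("Shell= loads extra program(s): " + ", ".join(extra))

    elif section == "O4":
        # Autostart: "HKLM\..\Run: [name] <path>"
        path = rest.split("] ", 1)[1] if "] " in rest else ""
        if _path_in_temp(path):
            reasons.append("autostart binary lives in a Temp folder")

    elif section == "O23":
        # Service: "<display name> (<short name>) - <owner> - <path>"
        if any(ord(c) > 126 for c in rest):
            reasons.append("service name contains non-ASCII/garbage characters")
        if "- Unknown owner -" in rest:
            reasons.append("service has no identifiable vendor")
        path = rest.rsplit(" - ", 1)[1]
        if _path_in_temp(path):
            reasons.append("service binary lives in a Temp folder")

    return section, reasons


def triage(lines) -> List[Tuple[str, List[str], str]]:
    """Run triage over a whole log; returns (section, reasons, line) for flagged entries."""
    flagged = []
    for line in lines:
        parsed = triage_hjt_line(line)
        if parsed and parsed[1]:
            flagged.append((parsed[0], parsed[1], line.strip()))
    return flagged


# Constructed sample: entries copied from this thread's posts.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)",
    r"O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)",
    r"O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe",
    r"O23 - Service: hpdj - HP - C:\DOCUME~1\Sal\LOCALS~1\Temp\hpdj.exe",
    r"O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)",
]

if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(f"[{section}] {line}\n    -> {'; '.join(reasons)}")
```

Run it as-is to see the seven flagged sample entries; to triage a real log, read the file and pass its lines to `triage()`. The unflagged `O4 ... [rir]` line is the reminder that these heuristics only surface the obvious cases; the helper identified that entry from context, not from its shape.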
Great, that did the trick.
1. Your log is clean, except for the following two leftovers. Have HJT fix them, and you're good to go:
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
2. ewido found infections in the System Restore folder, but it might not have found/cleaned all of them. You should probably clear out your System Restore folder and set a new Restore Point. Instructions for doing so can be found here.
3. And finally, some general protection measures to reduce the chances of future infection:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: …
Glad we could help you get it fixed so quickly. :)
Sorry- the URL I pasted into the link had an extra character in it for some reason; fixed now.
1. See if you can reach the problematic sites by entering their IP address into your browser instead of their URL.
www.gmail.com's IP is 216.239.57.107
www.us.army.mil's IP is 143.69.243.36
2. Try clearing your DNS cache:
Open a DOS window, type the following command at the prompt, and hit Enter:
ipconfig /flushdns
The function of DNS is to resolve a given site's URL to its corresponding IP address; it plays no direct part in finding a given page and/or file on or within that site.
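Step 1 above (reach the site by IP, then by name) isolates name resolution from everything else, and step 2 clears the resolver cache. The script below is an added example, not from this thread, that scripts that comparison and also goes one step beyond the post: it inspects the hosts file, the local override layer that `ipconfig /flushdns` does not remove, for entries that pin the affected names to an address. The expected addresses are the ones quoted in the post (2005-era values that will not match today's answers, used here only as sample input); the hosts-file sample, the watched-name set and the function names are this example's own constructions.

```python
import socket
from ipaddress import ip_address
from typing import Callable, Dict, List, Set, Tuple

# Constructed expectations taken from the post above; they serve as sample
# input for the comparison, not as current addresses.
EXPECTED_IPS = {
    "www.gmail.com": "216.239.57.107",
    "www.us.army.mil": "143.69.243.36",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs from hosts-file text, skipping comments and
    malformed lines (a line whose first token is not an IP address)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            pairs.append((name.lower(), parts[0]))
    return pairs


def hosts_overrides(text: str, watched: Set[str]) -> List[Tuple[str, str]]:
    """Hosts entries that pin a watched public name to any address. A loopback
    line for 'localhost' is normal; a public site name in this file is not,
    because it silences DNS for that name no matter how often the cache is flushed."""
    return [(name, ip) for name, ip in parse_hosts(text) if name in watched]


def check_resolution(expected: Dict[str, str],
                     resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve each name with the local resolver and compare to the expected IP.
    The resolver is injectable so the check can run offline (see the test)."""
    results = {}
    for name, ip in expected.items():
        try:
            answer = resolver(name)
        except OSError:  # socket.gaierror is an OSError subclass
            results[name] = "FAIL: no answer from resolver"
            continue
        results[name] = "OK" if answer == ip else f"MISMATCH: got {answer}, expected {ip}"
    return results


# Constructed hosts-file sample: a normal localhost line plus one override of a
# watched name pointing at a documentation-only (TEST-NET-3) address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     www.gmail.com   gmail.com   # constructed override for the example
"""

if __name__ == "__main__":
    # Offline part: audit the sample hosts text for overrides of the watched names.
    for name, ip in hosts_overrides(SAMPLE_HOSTS, set(EXPECTED_IPS)):
        print(f"hosts file pins {name} -> {ip}")
    # Online part: compare the live resolver's answers with the expected addresses.
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for name, status in check_resolution(EXPECTED_IPS).items():
        print(f"{name}: {status}")
```

A MISMATCH is expected today for the addresses quoted in the post; the diagnostic value is in a FAIL (the resolver returns nothing while the IP itself is reachable) or in a hosts-file override, either of which explains why a name-based request never reaches the site.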
I wish to send some data to a website in a dns query in this format..where mypage.htm would not be a webpage requested rather it would be the data i wish to send..
You need to clarify that; depending on what you're really after, this question might actually be more suited to one of our other forums.
Hi Latinflo,
Can you please post a new HijackThis log as well?
Thanks.
The hard reboot didn't work, but the web page's instructions did!!! I am going to keep checking it for a few days, but I think it may have done the trick.
Thanks a great deal for your help!
Sagan
Can you please post a final log from HijackThis for us to review before we sign off on this one?
Removal procedures often fix the visible signs of infections, but there may still be dormant or "dangling" remainders which need to be taken care of.
Thanks.