DMR 152 Wombat At Large Team Colleague

1. You are infected by a worm, which is responsible for many of the entries in your log. A full description of the beast, including removal instructions, can be found at the following site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html#removalinstructions


2. There are other infections in addition to the worm. Please do the following to (hopefully) get most of the mess cleaned up:

Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For …

DMR 152 Wombat At Large Team Colleague

Scan with hijackthis...

Yikes! Awake and posting a bit early this morning are we? :mrgreen:

DMR 152 Wombat At Large Team Colleague

Although I doubt this will solve your general browsing problems, that log needs a little clean-up:

1. Uninstall WeatherBug through your Add/Remove Programs control panel; the program has spyware/adware components. I would also suggest removing the Bodog Poker program; although I don't know if that particular gambling program comes with "unwanted guests", many such programs do.


2. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)


3. Delete these folders entirely:

C:\Program Files\AWS
C:\Program Files\Bodog Poker


4. Empty your Recycle Bin.

DMR 152 Wombat At Large Team Colleague

Hope I can help others like you all have helped me a lot! Thanks!

By all means, please stick around and learn; we could definitely do with a few more helpers in this forum... :mrgreen:

DMR 152 Wombat At Large Team Colleague

You have a couple of different infections there, including the rather nasty Aurora/Nail.exe infection. Please do the following:

(you should print out these directions, as you will need to stay disconnected from the Internet during the course of the fixes)

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal …

DMR 152 Wombat At Large Team Colleague

We sincerely apologize that the relatively few of us who VOLUNTEER our time helping here did not get a chance to respond to your particular post out of the hundreds that we work on each day.

crickey... :rolleyes:

DMR 152 Wombat At Large Team Colleague

You can post a HijackThis log for us to review if you'd like. If you do that though, please make sure to post it in a thread in the Viruses, Spyware, and other Nasties forum instead of in this forum.

1. Did you do anything software-wise (install, remove, update, etc.) that might have caused the problem?

2. Items that have accumulated in your Temp folders, Temporary Internet Files folders, and other locations can cause sluggishness and other odd behaviour in IE. Give the system a good manual purging:

(The following assumes that you're using either Win XP or Win 2000)

Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: The following will entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

DMR 152 Wombat At Large Team Colleague

I have been reading the threads, and on one of them were the numbers for the web page instead of the www. address. I tried this on the explorer and the pages came up.

The "numbers" for the web pages are their IP addresses. If you can reach a site by its IP address but not by its URL (the "www." address), that usually indicates a problem with your DNS settings.

DNS is the method computers use to associate a site's URL with the correct IP address. All sites on the Internet are really identified by IP address and not their URL, so if DNS can't translate the "www.whatever.com" name into the right numeric IP address, your browser won't know what site it's supposed to contact.

Try to repair Internet Exploder with the free IEFix utility program; it might correct the problem. If it doesn't work there are other things to try, but they're a bit more technical, so run IEFix first and let us know what happens.

DMR 152 Wombat At Large Team Colleague

Can you give us any more info on the history of the problem?

- How long has it been happening?

- Had you installed/removed/updated any software at around that time?

- Have you had virus/spyware infections or any other problems with the computer lately?

You can try running the IEFix utility. I don't know if it will help with your particular problem, but it won't hurt.

DMR 152 Wombat At Large Team Colleague

Hi, that worked, but I am now losing my taskbar. Any thoughts?

What worked? Tell us exactly what you've done; that might give us a better idea of what caused the taskbar problem.

DMR 152 Wombat At Large Team Colleague

Try using WinsockXPFix instead of WinsockFix; it probably won't give you that error.

DMR 152 Wombat At Large Team Colleague

The log looks clean; what kinds of "weirdnesses" are you experiencing?

DMR 152 Wombat At Large Team Colleague

Thanks for helping with this. I'm learning something new everyday. Thanks!

You're welcome; that's why we're here! :cheesy:

DMR 152 Wombat At Large Team Colleague

I wonder if I can use their link and put it in my sig like yours so others can see it and try it as well?

I don't see why not. Most of us who do malware troubleshooting here have those kinds of links in our sigs for just the reason you mention: it's a good way of giving members access to useful resources without them having to search for the info themselves. :)

DMR 152 Wombat At Large Team Colleague

OK, I deleted "SpyBouncer"...

Good. You definitely should have some "anti-spyware" programs in your toolkit, but just make sure to use the reputable ones.

Ad Aware and SpyBot Search & Destroy are the two utilities most often recommended for general spyware detection and removal, and both are available free of charge. Download links for both (as well as links to a few other useful programs & resources) are in my sig below.

DMR 152 Wombat At Large Team Colleague

Great; glad we could help you get it fixed so quickly. :)

The firewall was the problem. It must've been in a wedged state though...

Yes, you're probably right about that; it definitely does happen sometimes.

DMR 152 Wombat At Large Team Colleague

I'm feeling a little more confident about this one...

And you definitely should; except for one loose end, that's a clean log. Good job! :)

We need to get rid of the following entry, but it might be a little tricky due to the "gibberish" characters in the service's name:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)

I need to log off to take care of some "real life" work right now, but I'll post info on how to fix the above problem when I come back on line in a few hours.

DMR 152 Wombat At Large Team Colleague

Not good; your log indicates some pretty heavy infestation. :(

You'll need to download and run some anti-virus/anti-spyware utilities in order to get the majority of this cleaned up; HijackThis alone isn't going to do the trick. If your Internet connection on that machine is unreliable, you can download the programs on another machine and burn them to a CD in order to get them installed on the infected machine.


1. If your network connection is stable enough, run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View …

DMR 152 Wombat At Large Team Colleague

Not a personal attack at all.

I would give a very similar critique of, and similar advice regarding, any network security service or software which represented itself to be a more "be all and end all" tool than it really was.

Additionally, I do tend to be a bit more adamant about my assessment when the accompanying text that describes the tool and the dangers that one faces without it is written in such a way that it may (purposely?) instill in the average user a bit more fear of threats than is actually warranted.

That said, my assessment of the usefulness of GRC's offerings stands, as does my statement that doing your own intrusion/penetration/etc. testing will give you a much better idea of how secure your particular network is as a whole.

DMR 152 Wombat At Large Team Colleague

There are no indications of malicious infections in your log. You do, however, have a lot of programs/processes set to auto-run when Windows starts, and those can seriously chew up your system resources. Some of them, such as the Norton/Symantec components obviously need to be running (even if they are resource hogs), but it wouldn't hurt to disable auto-start on some of them and just run them manually when you need to.

Here's a list of your non-critical auto-start components. Note that even if you disable them now, some of them can get reinstalled by their parent program in the future. Also note that you may need some of these enabled depending on the way you use your computer:

Ati2mdxx.exe and atiptaxx.exe - System Tray icons for easy access to the ATI graphics card settings panel

thotkey.exe and TFncKy.exe - Provides functionality for the "Fn" and F1-F12 keys

TPSMain.exe - Toshiba-specific replacement for Windows' Power Saving/Power Management functionality

NDSTray.exe - enables easy switching of network connection devices on Toshiba laptops

SmoothView.exe - enables visual "Zoom" in some applications

iTunesHelper.exe

qttask.exe

NeroCheck.exe

MsgPlus.exe (if you did not specifically install Messenger Plus without the "sponsor" option, it installs adware/spyware)

dxdllreg.exe - a leftover from a DirectX install/upgrade

HPWuSchd.exe - "phones home" to check for HP software updates

realsched.exe

ctfmon.exe - enables extended input functionality for MS Office applications

msmsgs.exe - Windows Messenger (not MSN messenger). Has security …

DMR 152 Wombat At Large Team Colleague

I use VPN and my company prefers we use a non-XP machine for security reasons.

For security reasons they want you to use Windows 98?? Now there's a twist... :eek:

I cannot get a browser to run... However, I can still run Yahoo IM, and get to shared directories on other machines in my house.

All three of those functions utilize different ports and protocols, so it's quite possible for one to be "broken" but not the others. However, the fact that you can browse your LAN and use IM means that your network/Internet connectivity isn't totally b0rked.

I cannot download updates for NAV, Adaware, Spybot, etc. I suspected my browser was hijacked, so I opened the hosts file. But, it did not exist. There was a file called hosts.sam

Good thought on your part, but no, Windows 98 does not, by default, have a hosts file. The ".sam" in the hosts.sam filename is short for "sample"; the file is an example/template that you can use to make your own hosts file.

... my machine is now extremely sluggish... Below is my hijackthis log.

I see no indication of malicious infections in that log.

- What exact errors do you experience when you try to browse web sites?

- Can you reach any websites in your browsers?

- You are running a Symantec firewall program. Before doing any other troubleshooting, you need to disable the firewall completely to eliminate the possibility that the fault lies with …
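The poster above went looking for a hosts file because a tampered one is a classic reason why anti-virus update sites stop resolving while LAN shares and IM still work (see also the earlier post on IP addresses versus URLs). The following is an added example, not part of the thread, of auditing a hosts file for that: names black-holed to 127.0.0.1/0.0.0.0 (especially the update/download domains this thread links to), names pinned to a hard-coded public address, and ordinary LAN mappings. The vendor list, the RFC 1918 ranges and the sample file are all constructed here.

```python
"""Audit a Windows hosts file for the tampering the poster above suspected.
Added example; the vendor list and sample hosts file below are constructed."""
import ipaddress
from dataclasses import dataclass

# Update/download domains linked to in this thread; a hosts entry for any of
# these silently breaks that product's updates (constructed list, extend it).
VENDOR_DOMAINS = ("symantec.com", "kaspersky.com", "trendmicro.com", "mcafee.com",
                  "pandasoftware.com", "bitdefender.com", "ewido.net",
                  "lavasoftusa.com", "safer-networking.org", "microsoft.com")
# RFC 1918 ranges: a name mapped into one of these is normal for a home LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HostsFinding:
    severity: str   # "high", "medium" or "low"
    name: str
    ip: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip_string, [names]) for each active entry; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing "# comment"
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield no, fields[0], fields[1:]


def _is_vendor(name):
    n = name.lower()
    return any(n == d or n.endswith("." + d) for d in VENDOR_DOMAINS)


def audit_hosts(text):
    """Return a list of HostsFinding objects describing every non-default hosts entry."""
    findings = []
    for no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(HostsFinding("low", " ".join(names), ip_text, "line %d: unparsable address" % no))
            continue
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue  # the one entry hosts.sam itself contains
            if ip.is_loopback or ip.is_unspecified:
                # Black-holed name: this machine can never reach the site.
                if _is_vendor(name):
                    findings.append(HostsFinding("high", name, ip_text, "security vendor blocked (updates will fail)"))
                else:
                    findings.append(HostsFinding("medium", name, ip_text, "name black-holed"))
            elif any(ip in net for net in LAN_NETS):
                findings.append(HostsFinding("low", name, ip_text, "static LAN mapping (verify it is yours)"))
            else:
                # Public name pinned to a fixed address: DNS is bypassed for it entirely.
                findings.append(HostsFinding("high", name, ip_text, "name redirected to a hard-coded address"))
    return findings


# Constructed sample: the first comment mimics hosts.sam, the rest is what a tampered file looks like.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.lavasoftusa.com  www.safer-networking.org
0.0.0.0         housecall.trendmicro.com
127.0.0.1       ads.example.net
198.51.100.7    www.yahoo.com        # sends a real site somewhere else
10.0.0.5        fileserver.home      # legitimate LAN name
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("[%-6s] %-32s -> %-14s %s" % (f.severity, f.name, f.ip, f.reason))
```

On Windows 98 the live file is C:\WINDOWS\hosts (no extension); hosts.sam is only the template, as the reply above says.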

DMR 152 Wombat At Large Team Colleague

After looking at Event Viewer it looks like there is something wrong with the WIA service, so I have set this one's start up type to "manual", and after that, these pop-ups have disappeared.

To start with, double-click on the WIA-related messages in Event Viewer and post the specific information that appears in the detail windows. Having that info can be helpful in terms of pinpointing the exact cause of the problem.

DMR 152 Wombat At Large Team Colleague

Thanks DMR,
did as you said above;
looks like this problem is now solved. Can you mark this thread as such... and this old fart can again enjoy using this damn machine without the annoyance...

Marking as Solved.

... and from one old fart to another: I'm glad we could help you get it sorted out. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Were you ever able to get rid of the "LEGACY_MSLLR" entry? If so, you look good to go.

If not, try this:

1. Open services.msc and make sure that the NS/MSLLR service is either not present, or has been disabled.

2. Reboot into Safe Mode and log in as Administrator.

3. Try deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NS (MSLLR) key.

4. If you can't delete the entire LEGACY_NS key, double-click on the key to display its subkeys and/or values in the right-hand pane of the editor. Try deleting all of those individually, and then see if you can delete the key after that.

DMR 152 Wombat At Large Team Colleague

Good work; glad we could help you get it sorted out. :)


Now that your system is clean, here are some general things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or …

DMR 152 Wombat At Large Team Colleague

Dear DMR,
Thanks, it does look like I'm now clear of this virus/trojan.
Thanks for all your help.
Just one last question: how do I terminate this thread?
Regards

Your last log still had a reference to the malicious "setup32.exe" file, and I'd like to make sure that's cleaned up before we sign off on this.

Can you do the following please?:

1. Have HJT fix the "F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe" entry one more time.

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Search your system for setup32.exe and delete it if found (I think it usually gets created in your root C:\ directory).

3. Run HJT one more time to make sure that setup32.exe is really no longer present in the F2 log entry. If so, let us know and I'll mark this thread as "Solved" at that point.

DMR 152 Wombat At Large Team Colleague

1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr


2. Search your system for winsock.scr, and delete the file if you find it. Make sure your system is set to show hidden files and folders:

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".


3. Run HijackThis again. If winsock.scr has reappeared in the "F2" log entry, you can try to manually remove the reference from the Registry:

Go to Start, Run, and type in regedit; click OK and the registry editor will open.

Before you edit the registry, you should make a backup. At the top of the Registry window, click on the Registry menu, then click Export Registry File. In the Export range panel, click All, then save your registry as Backup.

Go to:
HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows NT (not Windows), CurrentVersion, IniFileMapping, system.ini

Highlight system.ini and look in the right-hand pane for winsock; if found, right-click on it and delete it.

Exit the Registry Editor.

DMR 152 Wombat At Large Team Colleague

You need to give us the exact make/model/version # of your wireless card.

DMR 152 Wombat At Large Team Colleague

There's a very good possibility that virus/spyware/etc. infections are causing the problems you've described. Given that, I'm moving this to the forum which I think will be most appropriate.

Please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".

Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

the thinkpad's IP address thing is the default 192.168.1.1

That's wrong; the 192.168.1.1 IP address is the default IP of the model of your Linksys router; if your Thinkpad or any other computers on that network have that IP address as well, there will be a conflict. By default, the BEFW11S4 should hand out IP addresses (via DHCP) to the computers that connect to it starting with 192.168.1.100; the 192.168.1.1 IP address is the (router's) gateway IP.

but my home computer is like 65.32.xx.xxx. I can get it to be the same 192.168.1.1, but then it won't connect to the internet either.

Please give us more specific information on the network setup in both circumstances. For instance, on the home computer/network, do you also go through a router, or do you connect directly to a cable/DSL/etc. modem?

DMR 152 Wombat At Large Team Colleague

/dons Kevlar underwear to deflect flame...:

Steve Gibson has been around for a loooonnngg time, as has his site with the Shields Up! test. I'm not going to place any overall judgement on the guy, but let's just say that he has a history of being very opinionated about things, sometimes to the point of being what you could call "adamantly wrong".

I do have to say that this side of his personality definitely comes into play when he dives into the waters of security-related issues. I've seen him try to make monsters out of what are, in reality, relatively minor security problems/exploits, and I've also seen him defend his positions against overwhelming evidence to the contrary put forth by security experts more respected than he.

Don't get me wrong; his online tests do have more than some merit, but they also have their flaws in terms of their comprehensiveness and accuracy. In addition to that, the analysis you'll get from a Shields Up! scan can be a bit more on the "alarmist" side than is really necessary.

Given that, I'd suggest that you run some of your own Intrusion Detection tests against the computers on your network. Links in this Google search should yield some options in that regard:

http://www.google.com/search?hl=en&q=%22intrusion+detection%22+software&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

OK; your general IP configuration looks good, although since you're only having trouble accessing some sites, that would pretty much be expected.

Did you have a chance to try the Winsockfix program dlh6213 linked to yet? If not, please do that and let us know if it made any difference.

DMR 152 Wombat At Large Team Colleague

On top of the timezone issue, "real life" also takes precedence over the time we spend here. We offer our help here on a purely volunteer basis, and on our own free time, so responsibilities such as jobs, family, etc. do limit our availability sometimes.

Also, we have many more members on this site who need help than we have members who can offer help. We're trying to get more people on board to balance that out a bit more, but for now...

DMR 152 Wombat At Large Team Colleague

Hmm; those Reg keys are the ones that others have reported their AOL antispyware to be flagging; if it isn't those I'm not sure where else to look.

Then again, just because an anti-spyware app flags a registry entry doesn't necessarily mean that the entry is part of an active infection. Reg entries and other settings sometimes get reported just because they might be indicative of an infection, or because they indicate a loophole that an infection could possibly take advantage of. The infamous "DSO Exploit" issue with SpyBot Search & Destroy was one example of that.

DMR 152 Wombat At Large Team Colleague

System is running 100 percent better. :p

Yay, We like that kind of response...

I tried to get rid of the x10nets via HijackThis. It keeps coming back, as you said. When I try to delete it with the "delete NT service" option, it tells me that x10nets is already running; however, when I go to Services in Administrative Tools, it says it is stopped. What gives?

Try this:

In the Services section of Administrative Tools, right-click on the x10 entry and then click Properties in the resulting popup menu. From there, choose "Disabled" from the "Startup Type" drop-down menu there, click "OK", and then close the Services window.


Reboot, and then try the removal instructions I posted before. Please note that the X10 entry is not usually a malicious one; it's only indicative of the fact that you had at some point installed multimedia hardware or software which installed X10 functionality.

DMR 152 Wombat At Large Team Colleague

Hi Tony,

Thanks for the "Thanks". Appreciation from those we try to help is really the only "pay" that those of us who volunteer our time on support sites ever get. :p

DMR 152 Wombat At Large Team Colleague

Hi mattisjo; we were wondering where you went... :)

Your log definitely shows infections, but HijackThis has been updated since you last posted, and the newer version does a much more thorough job of scanning.

Please download the most current version of HijackThis, run it, and post the log it generates.

DMR 152 Wombat At Large Team Colleague

Since this is the same laptop that is inundated with Spyware (another post), I decided to use another machine to try to configure the router.

Good thinking; "spyware" infections can seriously interfere with, or even break, your network connectivity. If you want to get those issues resolved, visit our Viruses, Spyware, and other Nasties forum; we can help you get the system cleaned up.

The next step will be to try to get the router working when it is connected to the DSL modem. This is not my setup, so I'll have to wait to hear what happens when my friend tries it. Thanks again for your advice.

You're welcome; give us a progress report when you can.

DMR 152 Wombat At Large Team Colleague

Hi Joe,

To start with, please do the following:

You will need to either print out these directions or save them into a text file by using Notepad; you will need to close all open instances of Internet Explorer and disconnect from the Internet during the course of this. HJT cannot fully perform its fixes while IE is running.

1. Have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe

2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Find and delete the following files:
setup32.exe
msnmssgr.exe

- Empty your Recycle Bin and reboot normally.


3. Run HJT again and post a new log.
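The posts above keep singling out the same HijackThis entry types: an F2 Shell= or UserInit= line with a program appended (Nail.exe, setup32.exe), O4 auto-start entries that name a bare file without a path (msnmssgr.exe), R0/R1 start and search pages pointing at odd hosts, a missing Default URLSearchHook, orphaned "(file missing)" items, and the O23 service with an "Unknown owner" and gibberish characters in its name. The following is an added example, not HijackThis's own code or anything from the thread, that applies those rules as a first-pass triage of a log; the severities, the TRUSTED_HOSTS allowlist and the sample log (assembled from lines quoted in the posts) are constructed here.

```python
"""First-pass triage of a HijackThis log (added example; rules and allowlist are constructed)."""
import re
from dataclasses import dataclass

# Hosts accepted as IE start/search pages. Constructed allowlist; extend for your site.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com", "www.yahoo.com"}

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str      # the log line that triggered the finding
    reason: str

def _host_of(url):
    m = re.match(r"https?://([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def _check_f2(rest, line):
    # rest looks like "REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe"
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)", rest, re.I)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2).strip()
    if key == "shell":
        # Only "Explorer.exe" is legitimate; anything appended is launched at every logon.
        if value.lower() != "explorer.exe":
            return Finding("high", line, "Shell= starts an extra program besides Explorer.exe")
    else:
        # UserInit is normally "userinit.exe," (a full path plus trailing comma is also normal).
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        extra = [p for p in parts if not p.endswith("userinit.exe")]
        if extra:
            return Finding("high", line, "UserInit= chains extra program(s): " + ", ".join(extra))
    return None

def _check_o4(rest, line):
    # rest looks like "HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe"
    m = re.match(r"(\S+):\s*\[(.*?)\]\s*(.*)", rest)
    if not m:
        return None
    _hive, name, cmd = m.groups()
    exe = cmd.split()[0] if cmd.split() else ""
    if exe and "\\" not in exe:
        # A bare file name relies on the search path, so the log cannot say where it really lives.
        return Finding("medium", line, "auto-start '%s' gives no path for %s" % (name, exe))
    return None

def _check_o23(rest, line):
    # rest looks like "Service: <display name> - <owner> - <binary path>"
    m = re.match(r"Service:\s*(.*?)\s+-\s+(.*?)\s+-\s+(.*)", rest)
    if not m:
        return None
    name, owner, path = m.groups()
    problems = []
    if owner.lower() == "unknown owner":
        problems.append("no vendor recorded")
    if "(file missing)" in path.lower():
        problems.append("binary missing")
    if any(ord(c) > 127 for c in name):
        problems.append("non-ASCII characters in service name")
    if not problems:
        return None
    return Finding("high" if "no vendor recorded" in problems else "low", line,
                   "service '%s': %s" % (name, ", ".join(problems)))

def _check_r(rest, line):
    if rest.startswith("Default URLSearchHook is missing"):
        return Finding("medium", line, "Default URLSearchHook missing (often cleared by hijackers)")
    m = re.match(r".*,(Start Page|Search Bar|Search Page|Default_Page_URL|Local Page)\s*=\s*(.*)", rest)
    if not m:
        return None
    setting, host = m.group(1), _host_of(m.group(2))
    if host and host not in TRUSTED_HOSTS:
        return Finding("medium", line, "%s points at untrusted host %s" % (setting, host))
    return None

CHECKS = {"F2": _check_f2, "O4": _check_o4, "O23": _check_o23,
          "R0": _check_r, "R1": _check_r, "R3": _check_r}

def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"([A-Z]\d{1,2}) - (.*)", line)
        if not m:
            continue
        code, rest = m.groups()
        check = CHECKS.get(code)
        f = check(rest, line) if check else None
        if f is None and code.startswith("O") and ("(file missing)" in rest or "(no file)" in rest):
            f = Finding("low", line, "orphaned entry: referenced file no longer exists")
        if f:
            findings.append(f)
    return findings

# Constructed sample log assembled from entries quoted in the posts above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0415/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line))
```

Entries with a full path such as the DXM6Patch_981116 line pass these rules even though the reply above removes them, so treat the output as a shortlist for human review, not a verdict.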

DMR 152 Wombat At Large Team Colleague

Hi maynd,

Judging from your log, it looks like the work you've already done may have cleaned up most of the problems. The log isn't entirely clean yet though, so...


1. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0415/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\PROGRAMAS\IMESH\IMESH5\IMESHBHO.DLL
O2 - BHO: (no name) - {8A5F6488-6D79-44CF-BDD6-CAA77E44A620} - (no file)
O2 - BHO: (no name) - {C79D197D-F6EC-BF69-9D5F-DAC81E8A789A} - (no file)
O2 - BHO: (no name) - {E7506B66-F19E-4EED-82EF-DA4EF9AF92FF} - C:\WINDOWS\SYSTEM\CMF.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {8742F5BA-7D50-4985-AA06-E949DF1CBFF2} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8742F5BA-7D50-4985-AA06-E949DF1CBFF2} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {2A42603A-808F-4FA8-BCEC-7C5CF24B745B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2A42603A-808F-4FA8-BCEC-7C5CF24B745B} - (no file) (HKCU)


After doing the above fixes:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and:

- Locate and delete the following file:
c:\windows\system32\blank.htm

- Locate and delete the following folder entirely:
C:\PROGRAMAS\IMESH

- Empty your Recycle Bin …

DMR 152 Wombat At Large Team Colleague

Hi maynd,

First of all, welcome to TechTalk! :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

In light of that, I've split your post here into its own separate thread, which you can find here:

http://www.daniweb.com/techtalkforums/showthread.php?t=24477


Being a new member, you might want to have a read of our forum guidelines to acquaint yourself with our site's general policies and procedures:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

hardware manager stills shows my hard drive and my cdrom as scsi, but everything works fine, so far.

Unless it starts causing problems, I am going to let sleeping dogs lie.

My hunch is still that the SCSI issue is RAID-related, but as you said, if it's working fine...

DMR 152 Wombat At Large Team Colleague

I did get a solution to the problem of finding relevant information in a Linux related search. THANK YOU SO MUCH FOR THAT LINK!!! :D

You're welcome. G4L is your friend when it comes to searching for Linux info.

Christian is right about XINE; I think that a lot of the legal issues that used to hamper XINE's functionality have been at least relaxed if not cleared up entirely.

DMR 152 Wombat At Large Team Colleague

1. This entry in your log does indicate that HJT is running from a Temp folder:

Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

Another strange thing about that entry is that it makes reference to hijackthis[1].zip. The version of HJT I gave you the link to isn't a zipped file at all (it's just the regular hijackthis.exe executable); downloading it shouldn't have created a Temp zip folder.

Have you ever downloaded HJT before? The version offered at many sites is in .zip format, which might explain things.


2. A lot of P2P programs create registry entries under the following Registry keys; these are probably what AOL is detecting:

HKEY_CLASSES_ROOT\magnet
HKEY_LOCAL_MACHINE\software\magnet
HKEY_LOCAL_MACHINE\software\classes\magnet

Please do the following:

- Open the Windows Registry Editor. To do so, click on the "Run..." item in your Start menu, type the following in the resulting "Open:" box, and then click OK:

regedit

- Navigate through the Registry folder structures to the three locations I just listed above and tell us what entries exist under each.

!! DO NOT actually delete or change anything in the Registry at this time!!

DMR 152 Wombat At Large Team Colleague

The Registry entries are there, but the FindIt's log doesn't show any actual Aurora-related files, which could be a Good Thing.

Let's see if we can delete the registry references:


A) Make a backup of your Registry. Instructions from Microsoft on how to do that in XP can be found here.


B) Copy the text in the box below into a new, blank Notepad document and save the file to your desktop as FixAurora.reg:

REGEDIT4

[-HKEY_CURRENT_USER\Software\aurora]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver]

C) Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up), double-click on the FixAurora.reg file to run it, and click "Yes" when prompted to Merge.


D) Reboot normally once the merge is done, run FindIt's and HijackThis again, and post the logs from both.
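Before merging a .reg file like the one above, it helps to see exactly what regedit will do with it. This is an added example (not DMR's file or anything from the thread's tools): a small REGEDIT4 dry-run parser that reads the FixAurora.reg text posted above and reports the keys marked for deletion, without touching the real Registry. The `plan_merge` name and the sample with a value deletion in the test are my own.

```python
"""Dry-run a REGEDIT4 .reg file: list what a merge would delete or write.

Added example, not part of the original thread. The sample is the FixAurora.reg
text posted above; nothing here touches the real Registry.
"""
import re

# Constructed from the FixAurora.reg text in the thread.
FIX_AURORA_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\aurora]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')

def plan_merge(reg_text):
    """Describe the merge without performing it.

    Raises ValueError if the first line is not a recognised header,
    since regedit refuses such files outright.
    """
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    plan = {"delete_keys": [], "create_keys": [], "set_values": [], "delete_values": []}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and comments
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            # A leading '-' inside the brackets deletes the whole key (and subkeys).
            plan["delete_keys" if km.group("minus") else "create_keys"].append(current)
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            target = (current, vm.group("name").strip('"'))
            # "name"=- removes a single value rather than setting it.
            if vm.group("data") == "-":
                plan["delete_values"].append(target)
            else:
                plan["set_values"].append(target + (vm.group("data"),))
    return plan

if __name__ == "__main__":
    for action, items in plan_merge(FIX_AURORA_REG).items():
        print(action, items)
```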

DMR 152 Wombat At Large Team Colleague

Very good- there are just a couple of loose ends left to have HJT fix:

R3 - Default URLSearchHook is missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

If the "x10nets" entry returns after you fix it, try this:

Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

x10nets


How are things running overall? If you're still seeing popups or other abnormal behaviour, give us the details and we'll help you sort it out.
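The entries DMR singles out in these logs follow a pattern: BHOs, buttons and services whose backing file is gone ("(no file)", "(file missing)"), IE search pages pointed at a local DLL through res://, and a missing default URLSearchHook. As an added example (not HijackThis code or anything posted in the thread), here is a first-pass triage of those entry types over lines taken from the logs above; the `classify`/`triage` names and the category labels are my own, and anything it does not recognise is left for a human to judge.

```python
"""First-pass triage of HijackThis log lines, following the manual review above.

Added example, not part of the original thread or of HijackThis itself.
"""
import re

# Constructed sample: entry types quoted from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\PROGRAMAS\IMESH\IMESH5\IMESHBHO.DLL
O2 - BHO: (no name) - {8A5F6488-6D79-44CF-BDD6-CAA77E44A620} - (no file)
O2 - BHO: (no name) - {E7506B66-F19E-4EED-82EF-DA4EF9AF92FF} - C:\WINDOWS\SYSTEM\CMF.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {8742F5BA-7D50-4985-AA06-E949DF1CBFF2} - (no file)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# HJT entries start with a section code (R0, R1, O2, O9, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

def classify(line):
    """Return (code, reason) for one log line, or None if it is not an HJT entry.

    'orphan'       - the entry's backing file is gone (safe to have HJT fix)
    'res-hijack'   - IE search/start page served from a local DLL via res://
    'missing-hook' - the R3 default URLSearchHook is missing
    'review'       - nothing mechanical stands out; a human decides
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if "(no file)" in body or "(file missing)" in body:
        return code, "orphan"
    if "= res://" in body:
        return code, "res-hijack"
    if code == "R3" and "is missing" in body:
        return code, "missing-hook"
    return code, "review"

def triage(log_text):
    """Group the entries of a whole log by reason."""
    out = {"orphan": [], "res-hijack": [], "missing-hook": [], "review": []}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            out[result[1]].append(line.strip())
    return out

if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_LOG).items():
        print(reason, len(entries))
```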

DMR 152 Wombat At Large Team Colleague

The detection and removal programs I asked you to run don't seem to have done their jobs as well as they should have. Please do the following:

Print out the instructions below or save them into a text file using Windows Notepad; you will not have access to the Internet during most of this troubleshoot:

1. - Uninstall WeatherBug; it contains spyware components.

- Uninstall SpyFighter; it is a disreputable product which, among other things, returns "false positives" in its scans. Before installing any "anti-spyware" product, you should consult this list to verify the product's legitimacy; there are a lot of imposters and frauds out there.

- You should uninstall Warez P2P, although that choice is yours. Aside from the obvious legal issues, filesharing is one of the primary ways through which people become infected with spyware and adware.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up), and run all of the utilities I listed in #2 of my last post again; have each utility fix everything it finds. Running the utilities in Safe Mode might enable them to do a more thorough cleaning.


3. While still in Safe Mode, run HijackThis and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 …

DMR 152 Wombat At Large Team Colleague

Judging from the short list of running processes in your log, it looks like that HJT scan was done while still in Safe Mode. If that's the case, can you please scan while booted normally and post a log from that?

DMR 152 Wombat At Large Team Colleague

Hi atky2004,

I'm just posting this to let you know that we haven't forgotten you :)

I need to log off for the night right now, but I'll follow up on this tomorrow.

DMR 152 Wombat At Large Team Colleague

Hello again Joe-

I have to log off shortly, as it's time to start dinner in my end of the world now. However, I'll flag this thread and get back to it ASAP.