DMR 152 Wombat At Large Team Colleague

contacted ISP (NDO), went through set up with me, but did not seem very clued, just a script I think...

Probably. Unless you get a tech who isn't a total droid, all they'll do with you is go through their set of standard canned answers and procedures; you'll rarely get any "individualized" help.

!! Before doing any troubleshooting, disable your firewall software! To make sure that you've entirely disabled it, go into the program's options/preferences, turn off the option to automatically start the program when Windows starts, and reboot. Simply choosing to disable the firewall once it has started often does not shut it down completely.


If the firewall isn't the source of the problem, we'll need to try to determine at what level the problem is occurring:

1. Open the Event Viewer utility in your Administrative Tools control panel and have a look through your System and Application logs for any network-related error or warning messages in those log files. If errors related to the problem are being logged, you should see them recurring/repeating at about the same time as each of the connection losses occurs.

If you find such messages, double-clicking on them will bring up a window with details of the errors; post the full and exact contents of those detail windows.


2. Does the problem occur only with certain sites/pages, or does the connection drop after a few minutes regardless of what/where you're surfing?


DMR 152 Wombat At Large Team Colleague

OK, that probably explains it then. Let's get rid of the leftovers:

1. Aurora drops hidden files in a few different locations. To see if we can identify those, go here and download Silent Runners.vbs. Run the program, and post the contents of the log it generates.


2. Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

- Install the program, open it, and update the definitions to the newest files. Do NOT run a scan yet though; just close the program once it is updated.

- Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Once in Safe Mode, run Ewido, and do a full scan. Save the logfile from the scan.


3. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

DMR 152 Wombat At Large Team Colleague

OK, that's much cleaner now. :)

Still a bit to go yet, though:


1. Run HijackThis again and have it fix:

R3 - Default URLSearchHook is missing
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab


2. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following two files:
c:\eied_s7.cab
c:\ex.cab

- For every user account listed under the C:\Documents and Settings folder, delete the entire contents of these folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system …

DMR 152 Wombat At Large Team Colleague

The worm and the rootkit are related, but unfortunately there are several variants of both.

1. Run Microsoft's Malicious Software Removal Tool. Download link and more info here:

http://support.microsoft.com/?scid=kb;en-us;897079


2. Run a few of these other free scans, have them clean what they find, and post any relevant information they may report:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/


3. Also post a fresh HJT log once you've finished the scans.

DMR 152 Wombat At Large Team Colleague

That's a clean log, and neither Alexa nor the micro-128 virus would cause such behaviour as far as I know. Had you installed any software around the time you first noticed this (think carefully...)? My first thought is that the icon is part of some freebie cursor accessory or the like (although I don't see anything in your log to support that hunch).

Do you get a normal cursor when you boot into Safe Mode? (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

DMR 152 Wombat At Large Team Colleague

Hi Comede, welcome to the site :)

Although your log does show signs of infection, it doesn't show all of the usual fingerprints of Aurora. Have you already done some cleaning with your Microsoft AntiSpyware and/or other tools? If so, let us know what you've done so far.

DMR 152 Wombat At Large Team Colleague

Your log does indicate some signs of the Aurora/Nail.exe infection. Please follow these removal instructions:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

DMR 152 Wombat At Large Team Colleague

try using a very inexpensive piece of software provided by eAcceleration; it's called StopSign

Actually, we don't really recommend eAcceleration products; please read this for an explanation of the reasons. In general, before using any "anti-spyware" software, you should (at the least) consult the list of programs in the link above; there are many imposters out there...

DMR 152 Wombat At Large Team Colleague

Hi Joe- thanks for reposting in this (separate) thread.

The following two log entries are indicative of a trojan infection, but there may very well be other infected components in areas of your system that HijackThis does not scan:

O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe

Can you find any information in your anti-virus programs' report logs which gives more specific details concerning the names and locations of the infected files they've found?

DMR 152 Wombat At Large Team Colleague

Google has a Linux-specific search function; you'll get more focussed results if you use that when looking for Linux info.

DVD usage in Linux has been hampered by copyright, patent, anti-piracy and other such issues. There are no technical roadblocks to playing DVDs in Linux, but you'll need to check applicable laws in your country/state/province/whatever to make sure you aren't crossing any legal lines. Here's some linkage for thought:

http://www.google.com/linux?hl=en&lr=&q=dvd+play&btnG=Search

DMR 152 Wombat At Large Team Colleague

OK- you've got a few things going on there, but there's one thing you need to fix first:

1. C:\DOCUME~1\JOHN&J~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!


2.

But every time I run my Spyware, it finds it again

I'm assuming that you mean AOL's anti-spyware tool, yes? Can you look through the details of the program's scan and tell us exactly where AOL is finding the infection please?

DMR 152 Wombat At Large Team Colleague

Hi dabrizzy, welcome to the site :)

You've got a few different infections showing up in your log; please do the following:

1. Run a couple of these free online anti-virus/anti-spyware scans; have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...n_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. Download, install, update, and run these three tools; they are made specifically to remove the about:blank/sp.html#93256 infection you have:

CWShredder
About:Buster
HSRemove


4. In addition to Ad Aware and SpyBot, download and run these general detection and removal tools:

ewido Security Suite (free trial version)
Microsoft AntiSpyware beta


5. Reboot, run HijackThis again, and post a new log.

DMR 152 Wombat At Large Team Colleague

Hi Derek,

I see nothing in your log which would account for the browser troubles; have you done any general network troubleshooting to rule out a possible non-malicious cause? If so, please tell us what you've tried so far.

DMR 152 Wombat At Large Team Colleague

So long and thanks for all the fish...

No problem Zaphod...


:mrgreen:

DMR 152 Wombat At Large Team Colleague

Let's start with this so that we can get an overall idea of what's lurking in your computer:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

If you can't get the setup wizard to run, you may have to manually configure the router.

The exact way you do that varies between different models and versions of Netgear routers, so you'll have to consult the documentation for your particular version of 614. The basic steps are usually:

- Configure your network card for DHCP (Netgear routers are configured to automatically assign IP info via DHCP by default) and connect it to one of the wired ports of the router.

- Open a browser and type in the router's default IP address or the URL of the router's main setup page as indicated in the documentation.

- Enter the default username and password.

- Set your WAN, LAN, and wireless configurations manually, apply the changes, and exit setup.

DMR 152 Wombat At Large Team Colleague

I'd personally recommend a fresh, clean install of XP as opposed to an upgrade over 98, but if an upgrade is your only option (and you're positive the system is trouble-free now), you should be able to go for it. Just make sure you back up any critical data before upgrading! If something goes wrong with the upgrade, you could be left not even being able to boot into 98 anymore.

DMR 152 Wombat At Large Team Colleague

When you go to the Windows Update site, it automatically checks your system status. If the site is only offering you the SP2 download, that should indicate that it has detected that your system is current with all of the SP1 updates.

DMR 152 Wombat At Large Team Colleague

1. You can bind more than one IP to a NIC and specify multiple gateway IPs in the card's advanced TCP/IP settings, although I'm not sure that's going to give you the exact functionality you're looking for.

2. Although it seems to be a bit of a kluge, I think you can set up different NIC configurations under different Hardware Profiles and then select which profile to boot into each time you fire up the computer.

DMR 152 Wombat At Large Team Colleague

To minimise the amount of time spent, disable all running programs before defragging. If your drives are accessible in Safe Mode you are best to defrag from there.

Right.
If you experience extremely long defrag times, or if the defrag program keeps restarting itself, that's usually due to other open/running programs or processes changing the contents of the drive's data or otherwise interrupting the defrag process. Defragging in Safe Mode is your best bet, because Windows only loads a minimum amount of programs/processes in that mode.

DMR 152 Wombat At Large Team Colleague

server_crash, thanks but I already know that. I wanted to make a program that tells you the IP address of the inputted domain name.

thanks anyway.

The ping command referenced in Catweazle's link will return the IP, although by default it will query a site 4 times, echo a response for every query, and then barf summary statistics on top of that. You can limit the query count with the "-n" switch, but it will still return the stats as well.

You might also check out the "nslookup" command.

DMR 152 Wombat At Large Team Colleague

Good work- that's a clean log :)

Does the system seem to be working normally now? If not, give us the details.

If it is working now, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can …

DMR 152 Wombat At Large Team Colleague

Hey Danny,

As always, the "your mileage may vary" caveat applies, but:

I've done the manual removal thing, including Registry pruning, for Norton/Symantec products and other programs without any ill effects.

Due to shared library issues and the like, it can be hairy if you've got different versions of the software installed and you're trying to get rid of the older ones while leaving the newer ones intact. You said that you want all of it off your system though, so that shouldn't be an issue.

In terms of programs' main/root folders under HKEY_LOCAL_MACHINE\Software\ and other Registry locations, I've found that uninstallers often leave those hanging around, even if they've removed all of the contents of the folders. If I'm totally removing a program, I always whack those folders if I find them just to make sure that there are no references to the program left hanging around.

That's my $0.02 worth from experience. Back up the Registry, take a Restore snapshot as an added fallback, and make sure you've got boot disks handy just in case...

DMR 152 Wombat At Large Team Colleague

Sorry, don't mind me...I can be a bit of a Bube sometimes. :p

DMR 152 Wombat At Large Team Colleague

Hi joecutler,

First of all- welcome to TechTalk!

I'm sure we can help you out, but we do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, it would be a good idea to post a log report from the "HijackThis" utility; here are instructions on how to do that:

Download the utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.


For a full description …

DMR 152 Wombat At Large Team Colleague

Generally speaking SP2 is stable, and it does have its benefits. It's no minor upgrade though, and it has caused problems for some, so you should make sure your system is absolutely problem-free and backed up before making the migration.

DMR 152 Wombat At Large Team Colleague

You need to do the Bube thing :D.

Um, er, uh, yeah.. but not in public, OK? This is a family-oriented forum, after all. :eek: :mrgreen:

DMR 152 Wombat At Large Team Colleague

Hey, how can I become super mod or something like that, DMR?

lol.

Easy:

Spend every single second of your free time helping people on tech support forums. Do this for a few years. Eventually, a forum administrator will recognize that you really know your stuff and that you're really helpful to other members. They will then ask you to take on even more responsibility by becoming a moderator. Because you already spend all of your free time helping out, you then have to quit your job, kick everyone else out of your house, and accept the offer to Moderate.

:mrgreen::mrgreen:

DMR 152 Wombat At Large Team Colleague

I have recently heard that 'nix-like user permissions are possible with Windows XP. I have also heard, however, that XP's user permission system is far more primitive.

One thing to keep in mind if you're concerned about permissions/user rights/access policies: there's a big difference between XP Pro and Home in those areas. If you want the most flexibility and granularity in terms of security-related settings (especially in a network environment), you'll want XP Pro, not Home.

Also- contrary to what a lot of Linux users will tell you, Windows 2K/XP permissions are actually quite flexible and powerful. Even in a workgroup configuration, you have a myriad of options you can configure through the Security-related MMC snap-ins, the advanced file/folder permission and security options, etc. The problem, of course, is that Microsoft hasn't exactly implemented those options in an intuitive or centralized way.... :sad:

DMR 152 Wombat At Large Team Colleague

Better, but not clean yet...

1. On the page below, Norton/Symantec have a link to their stand-alone IST removal program, as well as more information about the infection as a whole:

http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Download and run the remover as per their instructions.


2. After that, run HJT again and have it fix the following entries if they still exist:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{5B81E240-CBB8-11D9-9E8F-444553540000}\SVCHOST.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe


3. Verify that the ISTsvc folder and file have truly been deleted; if you find them, delete them manually.


4. Empty your Recycle Bin, reboot, run HJT one more time and post the log.

DMR 152 Wombat At Large Team Colleague

Hi Rthlss,

In the future, please start your own thread for your questions as opposed to tagging them on to another member's thread. Adhering to our "one member's question(s) per post" guideline helps keep the threads more organized and easy to follow.

As a new member, you should read our full Posting Rules to familiarize yourself with our particular policies and guidelines.


Thanks. :)

DMR 152 Wombat At Large Team Colleague

The AIM "search toolbar" plug-in may be the source of the problem; uninstall it if possible.

DMR 152 Wombat At Large Team Colleague

Sorry for the confusion- you should definitely allow ewido to fix any "nasties" it finds.

DMR 152 Wombat At Large Team Colleague

Does this mean that infections will come back as soon as I connect once again to the net?

I'm starting dinner right now, so I only have time to answer your above question:

What the warning means is that if you connect to the Internet before the infection is entirely eradicated, yes- the pieces that are still left on your computer may very well open up a network connection by themselves and try to redownload what you've deleted.

DMR 152 Wombat At Large Team Colleague

Ouch. First and foremost- you have the Aurora/Nail.exe infection.

Please follow these instructions carefully and exactly to remove it; and don't hesitate to ask if you have questions about the procedure:


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new …

DMR 152 Wombat At Large Team Colleague

OK- that log indicates more than a few different infections. We'll need to run a few (free) detection and removal programs to get some of this cleaned up before we attack the infections with HijackThis.

1. Use Norton's Live Update feature to make sure you have the most current updates for Norton Anti-virus and run a full system scan.


2. You can (and probably should) also run a couple of these free online anti-virus/anti-spyware scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. Download, install, update, and run these three tools; have them fix whatever they find:

CWShredder
HSRemove
about:Buster


4. Download, install, and run these general spyware detection and removal programs; anyone using Windows and Internet Explorer should have them in their toolbox (again- let the utilities fix what they find):

Ad Aware SE Personal
SpyBot Search & Destroy
Microsoft AntiSpyware beta
ewido Security Suite (free trial version)


5. After you run the above utilities, run HijackThis again and post a fresh log for us to review.

DMR 152 Wombat At Large Team Colleague

OK- get back to us when you can...

DMR 152 Wombat At Large Team Colleague

1. Open your Add/Remove Programs control panel and uninstall any programs related to My Way, My Search, My Bar, My Search Bar, etc.


2. C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

The log entries above indicate that you had at least 2 instances of Internet Explorer running when you ran HijackThis. Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browsers.
HijackThis cannot fully perform its fixes while browsers are running.


3. After taking care of the above, run HJT again and have it fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2340
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - C:\PROGRAM FILES\2SEARCH\PLUGIN.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [huvitf] C:\WINDOWS\SYSTEM\wlxlcpeq.exe
O4 - HKLM\..\Run: [Ce8MBdD] C:\GSIVO.EXE
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {EA471700-C4C1-11D9-9E8F-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EA471700-C4C1-11D9-9E8F-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {EA471700-C4C1-11D9-9E8F-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EA471700-C4C1-11D9-9E8F-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)

4. Open an MS-DOS window, type the following command, and …
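The O4 autorun entries listed in this post, the msnmssgr.exe entries, the Nail.exe F2 entry and the HijackThis-inside-a-Temp-folder process line from the posts above share a handful of location patterns. As an added example (not code from the thread, and not part of HijackThis), here is a small Python triage script that parses such log lines and flags those patterns; the sample lines are copied from the posts, with one constructed benign entry (ExampleUpdater), and the scoring rules are the example's own heuristics.

```python
"""Added example: a small triage helper for HijackThis (HJT) log lines.

It flags the patterns the posts keep pointing at:
  * an F2 system.ini Shell= value that loads anything besides Explorer.exe
    (the Aurora/Nail.exe signature);
  * O4 autorun entries whose program is a bare file name, a relative path,
    or sits in the root of the drive or in a Temp folder;
  * a running process (HijackThis itself, for instance) inside a Temp folder.
These are this example's own heuristics: a clean result here does not mean a
clean log, and entries like the srvc32.exe line still need judging by name.
"""
import ntpath
import re

# Sample input: lines copied from the forum posts, plus one constructed
# benign entry (ExampleUpdater) so that a harmless autorun is shown passing.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Ce8MBdD] C:\GSIVO.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
C:\DOCUME~1\JOHN&J~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd):
    """Return the program part of an autorun command line (quotes stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def is_temp_path(path):
    """True if any folder on the path is named Temp (8.3 short names included)."""
    parts = ntpath.normcase(path).split("\\")
    return "temp" in parts[:-1]


def autorun_finding(cmd):
    """Why an O4 autorun's program location is suspicious, or None if it isn't."""
    exe = executable_of(cmd)
    folder, name = ntpath.split(exe)
    if not folder:
        return "bare file name %s: Windows resolves it via the search path" % name
    if not DRIVE_RE.match(exe):
        return "relative path %s: no drive, resolved against the current folder" % exe
    if re.fullmatch(r"[a-z]:\\?", ntpath.normcase(folder)):
        return "program runs straight from the root of the drive: %s" % exe
    if is_temp_path(exe):
        return "program runs from a Temp folder: %s" % exe
    return None


def shell_finding(shell_value):
    """Why a system.ini Shell= value is suspicious, or None if it isn't."""
    extra = [p for p in shell_value.split() if p.lower() != "explorer.exe"]
    if extra:
        return "Shell= loads extra programs at logon: " + " ".join(extra)
    return None


def triage(log_text):
    """Return (reason, line) pairs for every suspicious line in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        why = None
        if F2_RE.match(line):
            why = shell_finding(F2_RE.match(line).group("shell"))
        elif O4_RE.match(line):
            why = autorun_finding(O4_RE.match(line).group("cmd"))
        elif DRIVE_RE.match(line) and is_temp_path(line):
            why = "process running from a Temp folder: %s" % line
        if why:
            findings.append((why, line))
    return findings


if __name__ == "__main__":
    for why, line in triage(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (why, line))
```

Running it flags five of the seven sample lines; the srvc32.exe entry passes the location checks even though the post lists it for removal, which is exactly why the script is a triage aid and not a verdict.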

DMR 152 Wombat At Large Team Colleague

I want to upgrade to XP - would it be better to wait until existing problems are sorted?

Absolutely. You should never do a major upgrade to a computer that's infected or otherwise problematic. You run the risk of having Very Bad Things happen if you do.

DMR 152 Wombat At Large Team Colleague

Postie,

We're never going to be able to keep track of you if you keep starting new threads for your responses instead of posting them here.

I've tracked down your other responses to this troubleshoot and merged them into this thread, but from now on, please use the "Post Reply" button in this thread instead of clicking "New Thread".

Thanks. :)

DMR 152 Wombat At Large Team Colleague

...and then the person helping me just stopped helping me for some reason

We're only volunteers here; "real life" responsibilities often keep us from being as active here as we would like.

That's a clean log. Are you still experiencing problems? If so, let us know what they are and we'll help you get them cleaned up.

DMR 152 Wombat At Large Team Colleague

Sorry for the redundant questions about the drive. I was responding to three other threads when I posted here, and got your post confuzzled with one of the others I was working on...

Drive drop-offs are often hardware-related, and could even be a sign that the drive is failing. You might want to back up the music files on the drive if they're important to you.

Some software things you can check:

1. Right-click on the My Computer icon and choose the Manage option. In the window that opens, click on Disk Management and see what the system has to report about the D drive. Check the drive's status both when it's behaving normally, and when it has dropped off line.

2. Right-click on the D drive in Disk Manager, choose Properties, and click the Tools tab in the Properties window. Run the Error Checking and Defragment tools.

3. Open the Event Viewer utility in your Administrative Tools control panel. Look through the System and Application log files for any error or warning messages that might be related to the drive. Double-clicking any of the messages will open a window with more details; post the full and exact contents of that window for any messages you see that might relate to the problem.


4. Hardware issues to check:

- The data cable between the drive and computer's motherboard can become loose or even damaged. Disconnect and reconnect the cable, making sure …

DMR 152 Wombat At Large Team Colleague

I have to log off shortly, but let me ask a few quick questions to start with:

A "skipping" problem?

- Do you mean that the D drive contains music that skips when you're playing it?

- If so, in which program does this happen?

- When you say that the D drive "disappears", where exactly does it disappear from? Do you mean that it is no longer visible in your Windows Explorer window?

DMR 152 Wombat At Large Team Colleague

Hey T_I,

Thanks for the heads up on that particular version of "Phishing" scam. There are so many of them going around lately that it's hard to keep up.

I've removed the email link you posted for security reasons, but here's the direct link to PayPal's warning regarding the scam:

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/SecuritySpoof-outside

DMR 152 Wombat At Large Team Colleague

At least it isn't the three page long list I have seen on some of these logs

No kidding.

Hey- care to brush up on your security skills and give crunchie, dlh6213, caperjack, and me a hand with those? We could always use the help :mrgreen:

DMR 152 Wombat At Large Team Colleague

When malicious entries automagically reappear in a HijackThis log, it's usually due to a hidden "mother file" which respawns the infections. Please do the following:

1. Download, install, and run these two detection and removal programs. Make sure to use their online update feature before actually having them perform their scans and fixes:

http://www.ewido.net/en/download/
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en


2. Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Double-click rkfiles.bat
It will scan for a while, so please be patient. rkfiles will save the results of its scan to the file "C:\log.txt".
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply, along with a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

lol. Much easier on the brain; thanks!

OK- you've got a few things going on, but let's go for the Aurora infection first:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido …

DMR 152 Wombat At Large Team Colleague

Hey T_I,

I don't have time to give you a per-process description of all of the entries right now, but they're all legit; no signs of nasties in that log.

Some of the programs (smss, svchost, winlogon, lsass, services, etc.) are built-in Windows processes; the ATI stuff is video/display related; the HP/Symantec/Zone Labs/etc. stuff is, well, obvious.

DMR 152 Wombat At Large Team Colleague

This should be pretty straightforward; ask us if you have any questions:

- Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

- Once downloaded, follow these instructions to install and run the program:

- Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

- Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Hi mlbrooks1,

Can you please try posting that log again? As you can see, something really strange happened with the formatting; it's very difficult to read.

Thanks. :)