DMR 152 Wombat At Large Team Colleague

Sorry, I'll take better notes next time.

No worries. I thought you might still have the link, but if not, that's cool.

You should still post another HijackThis log though. The Hotmail fix may have cured the blank page problem, but it didn't do that by removing the infections you have; those are still there.

DMR 152 Wombat At Large Team Colleague

I think my pc has been hijacked.

By no less than 4 separate infections even... :mad:


1. HijackThis alone isn't going to be able to clean all of this up, so let's run a few other tools first. Please download and install:

ewido Security Suite (free trial version)
Microsoft AntiSpyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


Run each utility consecutively, and reboot after each program has finished its scan/fixes (just for good measure). Before actually scanning/fixing with each, make sure to use the programs' online update features to make sure you have all of the most current updates installed.


2. Once you've cleaned up as much as possible with the above utilities, run HijackThis again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

A couple of things:

1. If you mean that you fixed the blank screen in HotMail/MSN, could you please post a link to the fix? Others who experience the same problem could find the link helpful.

2. Your HijackThis log indicated infections that are most likely still on your computer. You should post another log for us to review.

DMR 152 Wombat At Large Team Colleague

See if this utility restores your Task Manager:

http://www.dougknox.com/xp/utils/xp_taskmgrenab.htm

Let us know if it works or not.

DMR 152 Wombat At Large Team Colleague

ooooo, thanks, this should be very helpful!

You're welcome. :)

It is a bit of a *plug* on my part (acl6379 and I have worked there for years), but there really are a lot of knowledgeable folks over there who are always willing to help out. Linuxquestions.org is another good place to go for help.

While we're at it, this reference site is a "must-bookmark" for Linux users of all levels:

The Linux Documentation Project

DMR 152 Wombat At Large Team Colleague

As I asked before: what exact driver software (including version) are you installing? Do you get any errors, or does the driver software seem to install correctly?

DMR 152 Wombat At Large Team Colleague

You have a variant of the CoolWebSearch/Home Search Assistant parasite.

1. About:Buster should have helped, but it doesn't seem to have done the trick. Please download and run these additional removal tools:

CWShredder
HSRemove


2. Run HijackThis again and look for entries similar to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {53BFD0CE-7626-C39B-489D-49E0CCDA7369} - C:\WINDOWS\SYSTEM\APIAU.DLL
O4 - HKLM\..\Run: [BreezeTray] BrzTray.exe
O4 - HKLM\..\Run: [SDKWZ.EXE] C:\WINDOWS\SYSTEM\SDKWZ.EXE
O4 - HKLM\..\Run: [NETZZ32.EXE] C:\WINDOWS\SYSTEM\NETZZ32.EXE
O4 - HKLM\..\RunServices: [IEGB.EXE] C:\WINDOWS\IEGB.EXE /s
O4 - HKLM\..\RunServices: [ATLSR.EXE] C:\WINDOWS\SYSTEM\ATLSR.EXE /s


If such entries still exist, please go here and carefully follow the removal instructions given.

The infection uses random filenames, so the HijackThis log entries in the instructions are only for example; you will need to substitute the entries and filenames in the instructions with those I just listed above.

It should be pretty straightforward, but if you have questions, definitely ask us before proceeding. If you don't have questions, complete the …

DMR 152 Wombat At Large Team Colleague

That does sound like a classic webmail account hijack, and unfortunately- you may be up the proverbial river in terms of getting it back.

If it really is a hijack, the person responsible has probably not only changed your password and "secret question", but has also altered your personal account information as well. That means that you won't be able to prove that you're really the account owner when you call Microsoft regarding the problem.

Even if that's the case, contacting Microsoft is still the first thing you should do, and you should do it ASAP. In all honesty, there isn't much else you can do in terms of rectifying the problem and/or closing the account; all of your information lives on the HotMail servers, after all.

DMR 152 Wombat At Large Team Colleague

Your log is actually very clean; there are no signs of malicious activity there at all.

While a clean HJT log does not necessarily mean that your system is totally clean, there are plenty of non-malicious reasons for abnormal CPU usage. However, if you'd like to examine your system further before ruling out the possibility of infections, do the following:

- Download and run these detection and removal tools; let them fix anything they find:

Ad Aware SE Personal
SpyBot Search & Destroy
Microsoft AntiSpyware beta


- Run a few of these free online virus/spyware scans:

http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

DMR 152 Wombat At Large Team Colleague

msnistehrwn.exe seems to be a component of one of the newer variants of the SDBOT worm, and yes- it can disable Task Manager. However, your log is clean; it shows no indication of the worm's startup entries, etc.

Given that, can you give us a few details please? We'll need as much information as you can give in order to help you remove the pest:

- Which program detected the worm in the first place?

- Which exact online scans have you done?

- You said: "... but have been unsuccessful". Does that mean that the worm is still detected on your system? If so, which program detects it, what files does the program identify as being infected, and in what folder(s) are the infected files located?

DMR 152 Wombat At Large Team Colleague

Great; I'm glad that worked for you. :)

DMR 152 Wombat At Large Team Colleague

Good work; that's a clean log. :)

(although I'd suggest staying away from things like PartyPoker; freebie gaming programs/sites like that are very often sources of spyware/adware.)

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates …

DMR 152 Wombat At Large Team Colleague

If that behaviour is occurring even in Safe Mode, there's a good chance that you have physically corrupt sectors on your hard drive.

Drive manufacturers often have low-level utilities which you can download and run to test a questionable drive. Find the make/model of your drive and see if such a utility is available for it.

DMR 152 Wombat At Large Team Colleague

I could be wrong, but that looks suspiciously like the work of a malicious infection.

Can you give us more detail on the problem:

- When exactly does this message come up?

- When did it start happening?

- Had you done any software installations/uninstalls/upgrades at around the time you first got the error?


If you can use Windows at all, open Windows Explorer (not Internet Explorer) and navigate to your C:\Program Files folder. Look inside any folders there whose names begin with INTERN for a subfolder named "update" and tell us the full and exact names of the files in that folder.

DMR 152 Wombat At Large Team Colleague

Greetings fledgling Penguinistas,

Welcome to The Dark Side. MUUUAHAHAHAHA!!!! [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/possessed.gif[/img]


:mrgreen: :mrgreen:

DMR 152 Wombat At Large Team Colleague

1. A second hard drive is definitely a good idea if this is your first time experimenting with a dual-boot system. That way it's less likely that any possible mistake you make with the Linux install will hose your Windows partition too.

2. Regardless of how you choose to install: Back up your system first!

3. Do not reformat the existing D: partition; delete it instead, leaving the resulting space unallocated. Why? A couple of reasons:

a) Linux doesn't use the same filesystem formats as Windows does (NTFS and FAT32), so if you reformat the existing D: partition with a Windows formatting tool, the Linux installer is just going to reformat the partition with a Linux (ext2, ext3, Reiserfs, etc.) filesystem format anyway.

b) Unlike Windows, Linux normally uses a separate partition for its Swap (virtual memory) space, as opposed to Windows, which only uses a Swap file. In other words, the Linux installer will want to create (at least) two partitions in the space now occupied by your single D: partition. It will create one large partition for the OS and your data, and another smaller partition (about 2 times as large as the amount of your physical RAM) for the swap file. By default, some Linux distros even create a third (small) partition for your boot files.

DMR 152 Wombat At Large Team Colleague

You don't usually see drivers in Add/Remove Programs. The wireless card's utility software (if it comes with any) might be listed there, but you should look in Device Manager to check the NIC and its driver status.

A few questions to start with:

- Does the wireless NIC appear in Device Manager at all?

- If so, is it listed as functioning correctly, or not?

- What exact driver package (including version) are you trying to install?

- What else, besides the fact that you see nothing in your A/RP control panel, makes you think the card isn't working?

DMR 152 Wombat At Large Team Colleague

1. To get to the Safe Mode boot option, tap the F8 key repeatedly as your computer is starting up (before you see the Windows start-up screen/logo).

2.

I get nothing but a Windows explorer error message

Please give us the full and exact text of the error, including any numeric error codes that might appear.

In general, please remember that in order for us to help you most quickly you need to give us as much specific information as possible.

DMR 152 Wombat At Large Team Colleague

1. Please download and run About:Buster and HSRemove; they should help clean up the "tqyhc.dll/sp.html#12345" infection.


2. Print out the following instructions, as you will need to be offline for the rest of this:


3. Close all Internet Explorer and Windows Explorer windows. Run HijackThis again and have it fix any of the following entries that still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tqyhc.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F0369D81-D189-AC88-E454-02C0B2632F5E} - C:\WINDOWS\d3as.dll
O4 - HKLM\..\Run: [netgj32.exe] C:\WINDOWS\system32\netgj32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appgy.exe" /s (file missing)


4. Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box, click OK, and then close HJT:

NSS


5. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the …

DMR 152 Wombat At Large Team Colleague

Leave the Java components; one is the initial installation package and the others are updates.

The "housecall" DPF was installed as part of an online virus scan (probably at Trend Micro). You can remove it, as it's one of those DPFs that the website will just reinstall if you ever go there for a scan again.

DMR 152 Wombat At Large Team Colleague

I would like to bridge my two Network cards so that I can share my wireless internet connection.... when I go to the properties of the 2 Nic cards and Uncheck Internet connection sharing and then I go to bridge the 2 cards it still says that internet connect is enabling and so I cannot bridge the 2 connections. I don't know what else I can do to disable internet connection sharing...

Why are you trying to disable ICS? Unless there's something about your description that I'm misunderstanding, ICS is exactly what you want.

Manually configuring a simple network bridge only allows computers on two separate physical network segments to all connect to the same logical network/subnet. It does not configure the bridging computer to act as a router, which is what you would need to allow the computers on your home network to connect to another (physically and logically) separate network.

When you run the Network/ICS wizard though, it does more than just create a bridge; it essentially configures the ICS computer as a router by acting as a DHCP and DNS server for the LAN-side machines, and enabling the Windows firewall on the Internet-facing NIC.

DMR 152 Wombat At Large Team Colleague

Is the line visible even before Windows starts up (that is, is it present from the moment you turn the laptop on)? If so, you should take it to the dealer or an authorized service center for a diagnosis; that symptom would most likely indicate a hardware problem.

If the problem isn't visible until Windows actually boots up, you can try uninstalling and reinstalling the video drivers, but my hunch would still be that you've got a hardware defect.

DMR 152 Wombat At Large Team Colleague

The only program in that list that really needs to go is SpyBouncer; the program is bogus.

I don't have time to run through your whole list right now, but I'll try to repost tomorrow morning. In general though, Downloaded Program Files can be removed by right-clicking on them and choosing "Remove" from the context menu. Also- many DPFs get downloaded onto your computer by websites that you visit; if you choose to delete these from your system, they'll just get downloaded again if needed when you revisit the site that installed them.

DMR 152 Wombat At Large Team Colleague

There are a few different infections indicated in your log.

1. Please download and run the following (free) detection and removal programs to get things cleaned up a bit before we dig in with HijackThis:

Ad Aware SE Personal
SpyBot Search & Destroy
ewido Security Suite
Microsoft AntiSpyware beta

Before you actually scan your computer with each of the above programs, use its online update feature to make sure you have the most current updates installed.

When each program has completed its scan, have it fix the "nasties" it finds and then reboot your computer before scanning with the next program.


2. Once you're done running the removal tools above, run HijackThis again and post a new log.

DMR 152 Wombat At Large Team Colleague

1. If you're using Win 2000 or XP, open the Event Viewer utility in your Administrative Tools folder. From there you can review your System and Application logs to see if there are error or warning messages related to the crashes. If you find such messages, double-click on them to view details of the messages and post that info here for us to review. Be sure to give us the complete and exact text of the messages; even the cryptic error numbers that you might find can mean something to us.

2. Give us more specifics overall:

- What version of Windows and MSN are you using?

- When did the problem start to occur?

- Had you made any software changes/upgrades/etc. at around that time?

- You said: "i've tried everything". Tell us what that "everything" was so that we don't waste your time suggesting fixes you've already tried.

DMR 152 Wombat At Large Team Colleague

Let's continue on with the fix...

Thanks for following up, Chris. Do you have time to field this one for a bit? I need to log off right now and I won't be back online for a few hours...

DMR 152 Wombat At Large Team Colleague

uhhh when i ran the second scan http://housecall.trendmicro.com/ it asked me if i wanted to install nail.exe... and the first website doesn't work

That's all a bit weird, but just complete as many of the steps as you can and then get back to us with the results and a new HijackThis log; we'll take it from there.

DMR 152 Wombat At Large Team Colleague

Blech! That log is still a right mess; you have numerous infections. :(

Let's see if we can get some of it cleaned up with a few automated utilities before digging in with HJT and manual removal methods.

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

About:Buster
HSRemove
ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


3. Run HijackThis again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

Try running SpyBot while booted into Safe Mode; if you've got some serious "nasties" on your system, they can sometimes "choke" the detection and removal utilities.

DMR 152 Wombat At Large Team Colleague

Although it's not an absolute indication that your entire system is infection-free, that log is squeaky clean. :)

Problems like you describe are pretty common with Internet Exploder, and many of the causes are not virus/spyware-related.

1. Use our Search function to find the many threads that we've had on the subject in our Web Browsers forum, and see if any of the suggested remedies do the trick for you. Here are some search keywords that should return relevant results:

page explorer display secure blank sites


2. Download and run the (free) IEFix utility; it might help.


3. If nothing above helps, repost here, let us know what you've already tried and what the results were, and we'll take it from there.

DMR 152 Wombat At Large Team Colleague

Aurora can be a real pain to remove, because it installs hidden files that regenerate the infection after trying to "fix" it with something like HijackThis. The names of the infected .exe files will also change/morph each time you reboot, making it difficult to delete them.

Please do the following so that we can identify the hidden "Mother File":


- Go here and download Silent Runners.vbs. Run it, and post the contents of the log it generates.

- Next, go here and download FindIt's.zip to your Desktop. Unzip the files and doubleclick on FindIt's.bat to run it. A text file will open when it has finished scanning; it may take awhile, so please be patient. Post the contents of that log in addition to the Silent Runners log.

Finally, download Killbox from here. Depending on what the log files tell us, we may be using it shortly.

DMR 152 Wombat At Large Team Colleague

You need to give us specific details if you want us help you most quickly.

- What is the exact name of the trojan?

- Where (in what folder) does Norton indicate that the infected file lives?

- Norton keeps a log/report of its actions; look in the report for more information about what (if anything) Norton was able to do about the infection.

DMR 152 Wombat At Large Team Colleague

1. Download, install, and run about:Buster and HSRemove.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the entire contents of all Temp, Temporary, and Temporary Internet Files folders.

- Open a DOS window, type the following command at the prompt, and then hit Enter:

regsvr32 /u C:\WINDOWS\SYSTEM\ECEDD.DLL

- Locate and delete the C:\WINDOWS\SYSTEM\ECEDD.DLL file.

- Run HijackThis and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {217D7B2A-5866-4DA0-8102-08E0AE5C472E} - C:\WINDOWS\SYSTEM\ECEDD.DLL
O18 - Filter: text/html - {01FA9BA2-FF95-43B9-ACF2-2489D6D3536B} - C:\WINDOWS\SYSTEM\ECEDD.DLL
O18 - Filter: text/plain - {01FA9BA2-FF95-43B9-ACF2-2489D6D3536B} - C:\WINDOWS\SYSTEM\ECEDD.DLL

- Empty your Recycle Bin and reboot normally.


3. Run HJT again and post a new log.
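The safe-mode procedures above (this post, the one for tqyhc.dll, and the one for hxxsa.dll) all turn on spotting the same handful of HijackThis entry shapes by eye. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that applies those shapes as heuristics: res:// search settings, a missing URLSearchHook, nameless BHOs, text/html and text/plain O18 filters, Run keys named after their own executable, and O23 services with no owner or a missing file. It then lists the DLLs the "regsvr32 /u" and delete steps would act on. The sample log is constructed for the example (the all-zero CLSID is a placeholder); a match means "look at this line", not a verdict.

```python
"""Heuristic HijackThis (HJT) log triage, written as an added example for this thread.

Every rule below is a heuristic taken from the entries quoted in the posts above;
a match means "review this line", not a verdict. The sample log is constructed
for the example (the all-zero CLSID is a placeholder).
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HJT section code, e.g. "R1", "O2", "O18"
    line: str     # the original log line
    reason: str   # why the rule fired


# res://C:\WINDOWS\TEMP\se.dll/sp.html -> capture the DLL that hosts the page
_RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)
# O2 - BHO: (no name) - {CLSID} - C:\path\file.dll
_O2 = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# O4 - HKLM\..\Run: [keyname] "C:\path\prog.exe" /args
_O4 = re.compile(r'^O4 - .*?: \[(.+?)\] "?([^"]+?\.exe)"?', re.IGNORECASE)
# O18 - Filter: text/html - {CLSID} - C:\path\file.dll
_O18 = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze(log_text: str) -> List[Finding]:
    """Return the log lines that match the hijack patterns discussed in the thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1"):
            # Search/start settings whose value is an HTML page served out of a DLL
            value = line.split(" = ", 1)[1] if " = " in line else ""
            if _RES_DLL.search(value):
                findings.append(Finding(section, line, "IE search setting points into a DLL via res:// (search hijack)"))
        elif section == "R3" and "URLSearchHook is missing" in line:
            findings.append(Finding(section, line, "default URLSearchHook removed"))
        elif section == "O2":
            m = _O2.match(line)
            if m and m.group(1).strip().lower() in ("(no name)", "class"):
                findings.append(Finding(section, line, "BHO without a descriptive name"))
        elif section == "O4":
            m = _O4.match(line)
            # Legitimate Run keys carry descriptive names; the hijacker's keys are
            # named after the (random) executable itself, e.g. [netgj32.exe]
            if m and m.group(1).lower() == _basename(m.group(2)).lower():
                findings.append(Finding(section, line, "Run key named after its own executable"))
        elif section == "O18":
            m = _O18.match(line)
            if m and m.group(1).lower() in ("text/html", "text/plain"):
                findings.append(Finding(section, line, "MIME filter hooked on text content"))
        elif section == "O23" and ("(file missing)" in line or "Unknown owner" in line):
            findings.append(Finding(section, line, "service with unknown owner or missing binary"))
    return findings


def modules_to_remove(findings: List[Finding]) -> List[str]:
    """DLLs referenced by flagged entries: the ones to 'regsvr32 /u' and delete in safe mode."""
    paths = set()
    for f in findings:
        if f.section in ("R0", "R1"):
            m = _RES_DLL.search(f.line)
            if m:
                paths.add(m.group(1))
        elif f.section in ("O2", "O18"):
            paths.add(f.line.rsplit(" - ", 1)[1])
    return sorted(paths)


# Constructed sample log modelled on the entries quoted in the thread (placeholder CLSID on the Java line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {217D7B2A-5866-4DA0-8102-08E0AE5C472E} - C:\WINDOWS\SYSTEM\ECEDD.DLL
O2 - BHO: SSVHelper Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Java\jre1.5.0\bin\ssv.dll
O4 - HKLM\..\Run: [netgj32.exe] C:\WINDOWS\system32\netgj32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O18 - Filter: text/html - {01FA9BA2-FF95-43B9-ACF2-2489D6D3536B} - C:\WINDOWS\SYSTEM\ECEDD.DLL
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\appgy.exe" /s (file missing)
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("DLLs to unregister and delete:", modules_to_remove(found))
```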

DMR 152 Wombat At Large Team Colleague

Your log is still a mess. Please do the following to (hopefully) get some it cleaned up:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.
If you do not have an anti-virus program installed, do at least two of following free online virus scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the 'world' icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window.

1) In the 'General' window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the …

DMR 152 Wombat At Large Team Colleague

Ok nvm that Ill start a new thread.

Thanks i3lackrabbit.

It really does make it easier for all of us if we keep members' questions/problems in their own discrete threads.

DMR 152 Wombat At Large Team Colleague

In fact, you replied earlier that Mandrake probably isn't a good choice for the 200 MHz server I am planning to eventually install it to. BTW, why is it not a good choice for that? Too slow a processor?...

The newer versions of Linux distros are, in general, too bloated to use on Pentium systems of that era, especially if you choose one of the default installation options. You definitely can run the new versions on such machines, but in order to get the most performance out of boxen that old you'll need to do a custom install in order to avoid installing resource-hungry components that you don't really need.

Your situation is not quite normal though, because you originally said that you wanted to install Linux on a quad-processor ALR system. That could pose a bit of a dilemma, because quad-processor support in the newer versions of Linux is definitely better than in older versions, but regardless, you might have to jump through some kernel-compile hoops to get things to happen on such a beast.

DMR 152 Wombat At Large Team Colleague

Linux uses the RISC (Reduced Instruction Set Computer) architecture,

Not quite. The instruction set, be it RISC or CISC, is hardware dependent. Specifically, it is determined by the type of processor.

All CPUs used in PCs (Intel, AMD, Cyrix, etc.; doesn't matter) are CISC-based, and although the newer generations of these CPUs incorporate RISC functions, they are not true RISC chips but CISC-RISC hybrids. True RISC-based CPU architectures include the PowerPC, SPARC, and Alpha processors.

In order for any operating system to run on either type of platform, it has to be written specifically for that platform, or ported to that platform. The Good Thing is that the Linux OS is available for all of the above platforms. :)

DMR 152 Wombat At Large Team Colleague

What I have is a AIM Virus that come to folks as a hyperlink to "Check this out".
I am attempting to work the AIM problem out through this site.

Bleh! Tell your daughter what we already know too well: Never open anything like that. Good luck with the fix!

On the up-side: your log is clean now; good work! :)

DMR 152 Wombat At Large Team Colleague

1.

I was not able to find the file, C:\WINDOWS\czazwt.exe
I do not see it in this log.

The file may have been detected and deleted by ewido or MS AntiSpyware; I see no indication of it or any other suspicious, randomly-named files in your log. Just to be on the safe side though, recheck your Explorer View settings and have another look for the file.


2. You've picked up the WildTangent parasite. Open your Add/Remove Programs control panel and uninstall any WildTangent programs that you find there. After that:

- Have HJT fix:

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

- Delete the entire C:\Program Files\WildTangent folder.

- Empty your Recycle Bin.


3. As to the AIM question- I don't have any ideas there, as I stopped using AIM a few years ago; too many people pestering me :mrgreen:

DMR 152 Wombat At Large Team Colleague

We need to get more protection in place for you; your log indicates that you aren't even running an anti-virus program at the moment.

1. Download, install, and run the following utilities. Make sure to use each program's update feature to install the most current virus/spyware databases before running them:

AVG anti-virus (free version)

ewido Security Suite

Microsoft Anti-Spyware beta

Ad Aware SE Personal and SpywareBlaster (download links are in my sig below)

Kerio Personal Firewall

2. If you have a broadband Internet connection, I would highly advise purchasing a hardware firewall router such as those made by Linksys or Netgear. A hardware router adds a layer of protection between your computer and the outside world; installing one is like building a guarded wall around your castle.

3. Once you've run the above detection/removal/prevention tools and had them perform their fixes, run HJT again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

I did a bit more searching, and although I still haven't found out exactly what those files are, what I did find makes me 99.999% sure that they're "safe".

If you want to Google around for yourself, search for the filename "iserror.log" as well as "iserror.txt"; you'll find tons of iserror.log files in online archives, and they appear to be chronological listings of exactly what you're finding in your iserror.txt files.

DMR 152 Wombat At Large Team Colleague

The commercial version of Mandy 10.1 is a three-tiered product. The most basic package (the "Discovery" package) unfortunately does not include Apache, but the more advanced packages (Powerpack/Powerpack+) should.
According to info on Mandrake/Mandriva's site, the download version of 10.1 should also include Apache 2.0.50.

Have a browse through your installation package again and see if you can find Apache hiding there somewhere.

DMR 152 Wombat At Large Team Colleague

Hi ysb21189,

The formatting of the last HJT log you posted came out a bit weird in terms of line breaks and spacings, making it rather difficult to read. Could you try to repost that log so that it appears like your first log formatting-wise?

Thanks.

DMR 152 Wombat At Large Team Colleague

1. Microsoft has a KnowledgeBase article on that mmc error here.

2. Also, you can try reinstalling/upgrading the mmc component. The download from MS is here.

DMR 152 Wombat At Large Team Colleague

Ignore last post

I deleted it for you, just to keep the thread less cluttered.
Members can delete their own posts if they wish; if you click the Edit button in one of your posts, the option to delete the post entirely shows up at the top of the Edit page.


Anyway... on to the log:


1. Follow the directions dlh6213 gave earlier concerning the removal of the New.Net hijacker. Also remove the following programs if you find them listed in your Add/Remove Programs control panel:

My Web Search
SpyWare Stormer
Errorguard

2. The "Greasy Palm" software is officially still classified as "open to debate" in terms of privacy, etc. issues. Personally I would remove it, but the choice is yours.


3. For the moment, have HJT fix the following (there will be more to fix later):

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\odbcfont.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O20 - Winlogon Notify: odbcfont - C:\WINDOWS\Fonts\odbcfont.dll

- If you choose to uninstall Greasy Palm, also have HJT fix:

O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
O16 - DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} (GreasyPalmInstallHelper Class) - http://www.greasypalm.co.uk/bho/update/GreasyPalm.cab

4. Reboot into safe mode …
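The HijackThis lines quoted above follow a fixed shape (section code, entry kind, then a CLSID, a file path and/or a download URL). As an added example, not code from this thread or from HijackThis itself, the small parser below pulls those fields out of the lines posted here so they can be reviewed in bulk; the review heuristics at the end (executable code sitting in the Fonts folder, remote ActiveX download hosts, Winlogon Notify DLLs) are my own assumptions about what is worth a second look, not rules from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Lines copied from the HijackThis log excerpts quoted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\odbcfont.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O20 - Winlogon Notify: odbcfont - C:\WINDOWS\Fonts\odbcfont.dll
"""

SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O16 - rest of line"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\r\n]*")                  # drive path, stop at a rundll32 ",Entry" suffix
NAME_RE = re.compile(r"\[([^\]]+)\]")                          # "[Run key value name]"


@dataclass
class HjtEntry:
    section: str            # e.g. "O4", "O16"
    kind: str               # text before the first colon, e.g. "BHO", "HKLM\..\Run", "DPF"
    name: Optional[str]     # bracketed Run-key value name, if any
    clsid: Optional[str]
    path: Optional[str]
    url: Optional[str]
    raw: str


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    head, sep, _ = rest.partition(":")
    kind = head.strip() if sep else rest.strip()
    name = NAME_RE.search(rest)
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    url = URL_RE.search(rest)
    return HjtEntry(
        section=section,
        kind=kind,
        name=name.group(1) if name else None,
        clsid=clsid.group(0) if clsid else None,
        path=path.group(0).rstrip() if path else None,
        url=url.group(0) if url else None,
        raw=line.strip(),
    )


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries = [parse_hjt_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def review_flags(entry: HjtEntry) -> List[str]:
    """Heuristic review notes (assumed by this example, not HijackThis rules)."""
    flags = []
    if entry.path and "\\fonts\\" in entry.path.lower() and entry.path.lower().endswith((".dll", ".exe")):
        flags.append("executable code in the Fonts folder")
    if entry.section == "O16" and entry.url:
        flags.append(f"ActiveX download from {urlparse(entry.url).hostname}")
    if entry.section == "O20":
        flags.append("DLL loaded by Winlogon at logon")
    return flags


if __name__ == "__main__":
    for e in parse_hjt_log(SAMPLE_LOG):
        print(f"{e.section:<4}{e.kind:<22}{e.path or e.url or ''}")
        for f in review_flags(e):
            print(f"      -> {f}")
```

Running it prints one row per entry and indents the review notes under it; the odbcfont.dll entries end up flagged twice (Fonts folder location and Winlogon Notify), which matches why the post above lists them for removal.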

DMR 152 Wombat At Large Team Colleague

*bows to the mod*

My apologies, I should have guessed that doing something of that nature would be over the edge. I will not do so again!

No apologies necessary, and thanks for understanding.
Your post wasn't over the edge, but I just wanted to put the caution out there before someone else decided to *ahem* "elaborate" on what you alluded to. ;)

DMR 152 Wombat At Large Team Colleague

Apache is an exceedingly popular server, I would be exceedingly surprised if it wasn't already supplied with your distribution.

Yes. It wouldn't have actually been installed on your system during the installation unless you specifically chose to do a Server or Custom install, but the pre-compiled (ready to run) Apache package is probably included on your install disks.

DMR 152 Wombat At Large Team Colleague

I have no idea what the Cpp1.exe program is.

Cpp1.exe is a filename commonly used in C++ programming (Cpp= C Plus Plus).
Since it seems to throw you an error, and you don't know why it's there, have HJT fix this line as well:

O4 - Global Startup: Cpp1.exe

After that, locate and delete Cpp1.exe along with the other two files I listed in the instructions in my last post.

Get back to us after you've had a chance to do the clean up, and post a fresh HJT log at that time.

DMR 152 Wombat At Large Team Colleague

If you double-click on any of the entries in the logs, an Event Properties window will open, and that window will contain details of the entry.

The top portion of the Properties window contains information such as the time the event occurred, the event's ID number, and the source of the error (the "source" identifies the specific component of Windows that actually generated the log entry). Below that will be a text description of the event (which may also contain rather cryptic-looking error codes).

Look through the error/warning messages to see if you can determine which ones might relate to networking. You said that the disconnect happens every 10-15 minutes, so I'd expect that you'll find the same error messages repeating themselves at about that interval. If you find entries which appear relevant to your problem, post the following info from their Properties windows here:

- the Time
- the Source
- the Event ID
- the full and exact text of the Description

Having that information will help us pinpoint the cause of the connection drops.
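The post above asks the reader to spot entries that recur at roughly the 10-15 minute interval of the disconnects and to report their Time, Source, Event ID and Description. As an added example (not from the thread), the script below does that sifting over a handful of constructed Event Viewer rows: it groups entries by (Source, Event ID), measures the median gap between repeats, and keeps the groups whose gap falls in an assumed 8 to 20 minute window. The sample rows, the Tcpip event IDs and the window bounds are all my own illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample rows (Time, Source, Event ID, Description); not real log data.
SAMPLE_EVENTS = [
    ("2005-06-01 10:02:05", "Tcpip", 4202, "The system detected that network adapter <name> was disconnected from the network."),
    ("2005-06-01 10:02:11", "Tcpip", 4201, "The system detected that network adapter <name> was connected to the network."),
    ("2005-06-01 10:05:00", "Print", 20, "Printer driver <name> was added."),
    ("2005-06-01 10:06:00", "Print", 20, "Printer driver <name> was added."),
    ("2005-06-01 10:07:00", "Print", 20, "Printer driver <name> was added."),
    ("2005-06-01 10:14:30", "Tcpip", 4202, "The system detected that network adapter <name> was disconnected from the network."),
    ("2005-06-01 10:14:38", "Tcpip", 4201, "The system detected that network adapter <name> was connected to the network."),
    ("2005-06-01 10:20:00", "Service Control Manager", 7000, "The <name> service failed to start."),
    ("2005-06-01 10:27:01", "Tcpip", 4202, "The system detected that network adapter <name> was disconnected from the network."),
    ("2005-06-01 10:27:09", "Tcpip", 4201, "The system detected that network adapter <name> was connected to the network."),
    ("2005-06-01 10:39:50", "Tcpip", 4202, "The system detected that network adapter <name> was disconnected from the network."),
    ("2005-06-01 10:39:58", "Tcpip", 4201, "The system detected that network adapter <name> was connected to the network."),
]

Event = Tuple[datetime, str, int, str]
Key = Tuple[str, int]


def parse_events(rows) -> List[Event]:
    """Turn (time string, source, id, description) rows into typed events."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), src, eid, desc) for t, src, eid, desc in rows]


def repeating_events(events: List[Event],
                     min_gap: timedelta = timedelta(minutes=8),
                     max_gap: timedelta = timedelta(minutes=20),
                     min_count: int = 3) -> Dict[Key, dict]:
    """Return (Source, Event ID) groups that recur at a median interval inside [min_gap, max_gap]."""
    by_key: Dict[Key, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, src, eid, desc in events:
        by_key[(src, eid)].append((t, desc))

    hits: Dict[Key, dict] = {}
    for key, items in by_key.items():
        if len(items) < min_count:
            continue                      # a one-off is not a recurring pattern
        times = sorted(t for t, _ in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)                # median is robust to one missed/duplicated entry
        if min_gap.total_seconds() <= med <= max_gap.total_seconds():
            hits[key] = {
                "count": len(items),
                "median_gap_minutes": round(med / 60, 1),
                "first": times[0],
                "last": times[-1],
                "description": items[0][1],
            }
    return hits


def format_report(hits: Dict[Key, dict]) -> List[str]:
    """One line per hit, in the Time / Source / Event ID / Description order the post asks for."""
    lines = []
    for (src, eid), info in sorted(hits.items()):
        lines.append(
            f"{info['first']:%Y-%m-%d %H:%M:%S} .. {info['last']:%H:%M:%S} | {src} | {eid} | "
            f"x{info['count']} every ~{info['median_gap_minutes']} min | {info['description']}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(repeating_events(parse_events(SAMPLE_EVENTS))):
        print(line)
```

With the sample above, the two Tcpip events (disconnect followed seconds later by reconnect, both repeating about every 12.5 minutes) are reported, while the once-only service failure and the minute-by-minute printer events are dropped.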

DMR 152 Wombat At Large Team Colleague

The Restore at least brought back the entries in your Registry that were created by the infections; whether or not it brought back the infections themselves might be a different story.


Repeat these steps again:

1. Have HijackThis fix:

R3 - Default URLSearchHook is missing
O4 - Startup: DLHelperEXE.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhe...n7/dlhelper.cab


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Search for and delete DLHelperEXE.exe.


3. Empty your Recycle Bin, reboot, run HJT again, and post a new log.


If you don't find DLHelperEXE.exe this time, then it's probably only the Registry entries that got restored and not the malicious file itself. Either way, repeat the steps again and give us a progress report after that.