DMR 152 Wombat At Large Team Colleague

Unfortunately, because your system was infected on the day that you restored back to, you've reintroduced the infections in the course of trying to fix the other problems.

Please repeat the instructions I gave in my last post. If removing the items I indicated causes other problems, that means that something has been damaged by the infections and needs to be fixed, but if you try to do that just by using System Restore you will again restore the infections.

DMR 152 Wombat At Large Team Colleague

Because the member who originally started this thread has not responded in 1 1/2 years, this thread is classified as "abandoned" and is now closed.

Other members who may be experiencing problems similar to those discussed in this thread should read the comments in my above post regarding starting your own threads.

Thanks.

DMR 152 Wombat At Large Team Colleague

Hi Gandalfs_beard,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Was it really a full reformat? If so, how long were you online after that before you got reinfected? :mrgreen: :evil:


Malicious entries in your current log:

c:\windows\system32\tzjlhsy.exe
O4 - HKLM\..\Run: [loezkir] c:\windows\system32\asvpzm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


I don't have time to delve into this right now, but I'll pass a request for assistance on to crunchie and dlh6213; they should be coming online here soon.

DMR 152 Wombat At Large Team Colleague

Something I suggested before:

Open the Event Viewer utility in your Administrative Tools control panel and look through the Application and System logs to see if you can find any event messages/warnings/errors in those logs which might give us clues as to the reason for the disconnects.

DMR 152 Wombat At Large Team Colleague

Thanks for understanding KlondikeTW :)

DMR 152 Wombat At Large Team Colleague

...there are ways of getting it otherwise. :evil: (not that I would).

Mmm...

Whether you would or would not, suggesting that possibility to another member here runs close to the edge in terms of our rules regarding discussion of pirated/pirating software.

People can find those "ways" on their own if they want; let's not give them a push in that direction, OK?

DMR 152 Wombat At Large Team Colleague

Sorry for the delayed response; the last couple of days have been really hectic.

The work you've done has cleaned things up a lot; good job! :)

Now for the rest:

1. Uninstall Weatherbug, unless you are using the paid-for version. The free version is Adware, despite the company's statements to the contrary (the definition they choose to use for "adware" is actually the definition of "spyware").


2. Have HijackThis fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\svcmgr32.exe
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\svcmgr32.exe
O4 - HKLM\..\Run: [czazwt] C:\WINDOWS\czazwt.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


3. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

C:\WINDOWS\svcmgr32.exe
C:\WINDOWS\czazwt.exe

- Delete the following folder entirely:

C:\PROGRAM FILES\AWS


4. The following log entry bothers me; do you have any idea what the .exe file is related to?:

O4 - Global Startup: Cpp1.exe
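The HJT entries the posts above tell members to fix all follow the same `Section - body` layout. As an added example (not code from the thread, from DaniWeb, or from HijackThis itself), this Python script parses such lines and applies the same red flags the posts act on: a `Shell=` value carrying an extra executable, `(no file)`/`(file missing)` orphans, `Unknown owner` services, Trusted Zone additions, the missing default URLSearchHook, and bare lowercase-named executables dropped into the Windows folder. The sample log is constructed from entries quoted above plus one made-up benign `ExampleAV` autorun; the random-name rule is a heuristic, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries are the ones quoted in the posts above, plus one
# made-up benign autorun ("ExampleAV") so the rules have something to leave alone.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\svcmgr32.exe
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\\..\\Run: [Windows Service Manager] C:\\WINDOWS\\svcmgr32.exe
O4 - HKLM\\..\\Run: [czazwt] C:\\WINDOWS\\czazwt.exe
O4 - HKCU\\..\\Run: [Weather] C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.EXE 1
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
O4 - HKLM\\..\\Run: [ExampleAV] C:\\Program Files\\ExampleAV\\guard.exe
"""


@dataclass
class Entry:
    code: str  # HJT section code: R0/R1/R3, F2, O2, O3, O4, O15, O23, ...
    body: str  # text after "<code> - "
    raw: str


@dataclass
class Finding:
    code: str
    reason: str
    raw: str


LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in .exe/.dll; spaces allowed (Program Files).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
# O4 bodies look like: HKLM\..\Run: [key name] target [args]
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]")
WINDIR_RE = re.compile(r"[a-z]:\\(?:windows|winnt)(?:\\system32)?")


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT log line into its section code and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group("code"), m.group("body"), line.strip()) if m else None


def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in the Windows folder or in system32."""
    parent = path.rsplit("\\", 1)[0].lower()
    return WINDIR_RE.fullmatch(parent) is not None


def assess(entry: Entry) -> Optional[Finding]:
    """Apply the single-entry rules the posts above rely on."""
    body, low = entry.body, entry.body.lower()
    if entry.code == "F2" and "shell=" in low:
        # The system.ini Shell value should be exactly Explorer.exe; anything
        # appended to it is launched at every logon.
        if low.split("shell=", 1)[1].strip() != "explorer.exe":
            return Finding(entry.code, "Shell= value launches an extra executable at logon", entry.raw)
    if "(no file)" in body or "(file missing)" in body:
        return Finding(entry.code, "orphaned registration pointing at a missing file", entry.raw)
    if entry.code == "O23" and "unknown owner" in low:
        return Finding(entry.code, "service with no vendor information", entry.raw)
    if entry.code == "O15":
        return Finding(entry.code, "site added to the IE Trusted Zone", entry.raw)
    if entry.code == "R3" and "urlsearchhook is missing" in low:
        return Finding(entry.code, "default URLSearchHook removed", entry.raw)
    if entry.code == "O4":
        name_m, path_m = O4_RE.search(body), PATH_RE.search(body)
        if name_m and path_m and in_windows_dir(path_m.group(0)):
            name = name_m.group("name").strip().lower()
            base = path_m.group(0).rsplit("\\", 1)[-1].lower()
            # Heuristic, not a verdict: a lowercase-word key name launching a
            # lowercase-word .exe dropped straight into the Windows folder.
            if re.fullmatch(r"[a-z]{4,12}", name) and re.fullmatch(r"[a-z]{4,12}\.exe", base):
                return Finding(entry.code, "bare lowercase-named executable in the Windows folder (heuristic)", entry.raw)
    return None


def scan(log_text: str) -> List[Finding]:
    """Run the per-entry rules, then flag other entries that reuse a flagged file."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = [f for f in map(assess, entries) if f]
    bad_paths = {p.group(0).lower() for f in findings for p in PATH_RE.finditer(f.raw)}
    flagged = {f.raw for f in findings}
    # Second pass: the Shell= hijack names svcmgr32.exe, so the O4 autorun that
    # launches the same file is implicated even though its own key name looks tame.
    for e in entries:
        p = PATH_RE.search(e.body)
        if e.raw not in flagged and p and p.group(0).lower() in bad_paths:
            findings.append(Finding(e.code, "references a file named in another flagged entry", e.raw))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.raw}")
```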

DMR 152 Wombat At Large Team Colleague

Have downloaded Hijack This, but when I tried to open it I got another message window saying "Error Starting Program a required .DLL file,MSVBVM60.DLL was not found." Any suggestions on how to find it? Thanks, JIM

HijackThis requires the Visual Basic 6 runtime libraries; the error message is indicating that you don't have that version of the VB libraries installed on your system. You can download them here.

DMR 152 Wombat At Large Team Colleague

The autoexec.nt error translates as follows:

"C:\windows\system32\autoexec.NT. The System file is not suitable for running MS-DOS and MS-Windows applications. Choose "Close" to terminate the application".

That error can be the result of corruption or modification to that file, perhaps done by the infection(s) you had. Reinstalling a fresh copy of the file is usually the recommended first approach; there are a few ways to do this:

1. A backup copy of the file might exist in your C:\Windows\repair folder. If so, replace the autoexec.NT file in \system32 with a copy of the one in the repair folder.


2. Run the System File Checker. It will scan for missing or corrupt system files (you may have more than one) and if any are found, it will prompt you to insert your XP CD and will extract fresh copies of the file(s) from there.
If you don't have the XP CD, but you do have a C:\Windows\i386 folder on your machine, point the File Checker to that folder; fresh copies of the file(s) it needs may exist in that location.

To run the System File Checker, click on the "Run..." option in your Start menu and type the following command in the "Open:" box:

sfc /scannow


3. You can try to repair the damage manually by extracting fresh copies of autoexec.NT and two other core files:

Insert your XP installation CD, open an MS-DOS window, and type the …

DMR 152 Wombat At Large Team Colleague

Although I have no idea what they are, it doesn't appear that they're malicious at all. They seem to be an error log created by legit programs; I've seen references to the fact that Photoshop is one of those programs.

If they come back, look at the contents of one of the files. I'm sure one of the members who's into programming could say for sure, but if it looks like the following I'm pretty sure you don't have anything to worry about virus-wise:

Initializing ....  
 
Total memory allocated = 5452148 
		Begin Printing Seed information 
 
Seed point: 87 123 	Path 0 0 	User path -1 -1 -1 
 
--------------------- 
 
Print path:  
 
 
 
[87 123]  
 
		Begin Printing Seed information 
 
Seed point: 87 123 	Path 0 20 	User path 0 9 0 
 
Seed point: 101 106 	Path 21 21 	User path 29 29 29 
 
--------------------- 
 
Print path:  
 
 
 
[87 123] [88 122] [88 121] [89 120] [89 119] [90 118] [91 117]  
[92 116] [92 115] [93 114] [94 113] [94 112] [94 111] [95 110]  
[96 109] [97 108] [98 107] [99 107] [100 107] [100 106] [101 106]  
[101 106]  
 
		Begin Printing Seed information 
 
Seed point: 87 123 	Path 0 20 	User path 0 9 0 
 
Seed point: 101 106 	Path 21 45 	User path 9 29 9 
 
Seed point: 114 95 	Path 46 46 	User path 51 51 51

DMR 152 Wombat At Large Team Colleague

You're pretty loaded down with infections, and I'm a bit surprised that Ad Aware and Spybot didn't clean some of them out.

A couple of things you need to take care of before continuing with HijackThis:

1. C:\DOCUME~1\david\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!


2. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


3. Let's try to get some of the mess cleaned up before using HijackThis:


- Run at least two of the following free online anti-virus/anti-spyware scans and have them fix what they find:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.bitdefender.com/scan/licence.php


DMR 152 Wombat At Large Team Colleague

Those are symptoms of one of the known "nasties" going around lately. I'm moving this to our security forum now, as that is where we deal with such issues.

To begin with, please do the following:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:


Create a folder outside of any Temp/Temporary folders for HJT and move it there. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Then mid week it appeared that some sort of worm had infected the system. SUDDEN onset of MULTIPLE pieces of spam mail showing up in my mailbox.

Keep in mind that being on the receiving end of a spate of spam emails could more likely indicate that someone you know (or at least someone who has your email address on their computer) has been infected with a mass-mailing worm/virus/trojan. In other words, it doesn't necessarily mean that you are infected; only that your email address was culled from the infected machine and you're now on the infection's "mailing list". :(

If your Norton scans and the online scans that dlh6213 linked to above all come up negative, that could well be what's going on. If that's the case, the other problems/errors you said you're having may be related to other (non-viral) Windows problems. If you can post the exact contents of the .dll-related errors you got that could help us make a better determination of that.

DMR 152 Wombat At Large Team Colleague

Hi macdaddyjfg,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

That being the case, I've split your post into its own separate thread, which you can find here.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

I get this mmc.exe program error message where it says memory can't be read.

Can you give us specifics on that please (when do you get message, what the exact text of the message is, etc.)?

DMR 152 Wombat At Large Team Colleague

OK-

1. You said:

"... browser worked partially on these sites but not completely ie if i needed to log on it wouldn't do"

That might indicate a problem with accessing "secure" pages/sites. Is it only these types of pages that you're having trouble with, or do you have problems viewing some "normal" (non-secure) sites as well?


2. Unfortunately, problems with access at only certain sites (secure or not) can be caused by a number of things. Let's see if we can narrow things down:

A) Had you made any software or network-related hardware changes around the time that problem first appeared?


B) Flush out all of your Temp/etc. files manually:

Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or …

DMR 152 Wombat At Large Team Colleague

Please do the following to start with:


Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

I don't know if it will cure your specific problem, but you can try running IEFix.
It would probably be a good idea to uninstall the Window Maximizer before running IEFix, as it might cause conflicts with IEFix's repair process.

DMR 152 Wombat At Large Team Colleague

1. The "parted" partitioning tool can be a bit temperamental if you've used some other partitioning utility to create/manipulate your partitions. If you actually need to change the partitions, you might have to try another tool.


2. Lilo can reside either in the MBR of a drive, or in the boot sector of a partition on that drive. If you install it on a partition as opposed to the MBR, that partition must be a Primary partition, not a Logical partition. In other words, it sounds like you just specified the wrong location when you tried to reinstall Lilo.

If your lilo.conf file contains the line:

boot=/dev/hda

you should be able to boot into rescue mode from the SuSE CD and then issue the following 2 commands to reinstall Lilo to the MBR:

chroot /mnt/sysimage

/sbin/lilo

DMR 152 Wombat At Large Team Colleague

Your log shows no signs of anything nasty, nor does it show any sign of corruption in your networking software.

1. Regardless, the first thing to do when troubleshooting network connection problems is to temporarily disable your firewall software. Your log indicates that you currently have McAfee's Internet security software running, so you should turn that off entirely for now.

Keep in mind that just turning off/closing down most firewall programs does not usually disable them completely. You need to go into the program's Preferences, uncheck any/all "Start automatically when Windows starts" options, and then reboot.


2. The OpinionBar software has been known to cause browsing problems, and it's also classified as adware; you might want to remove it. Full manual removal instructions are here:

http://www.pcprivacysolutions.com/ss/pests/OpinionBar.htm

DMR 152 Wombat At Large Team Colleague

That alteration to your Display properties is usually the work of the "smitfraud" infection. See if this fixes the problem:


1. Download the following reg file by right-clicking on the link and choosing Save As. Save this file to your Desktop.

Smitfraud Fix Reg File

2. When it is finished downloading, double-click on the smitfraud.reg file on your Desktop. When it asks if you want to merge the information, allow it to do so.

3. Reboot. You should then be able to change your desktop properties back to the way you want to. If you have trouble with some settings, click on the Themes tab in the display settings and change the theme to Windows XP to use the default settings.

DMR 152 Wombat At Large Team Colleague

Well, I did all that I could.

And that made quite a difference- your log is much cleaner now.

I have to log off for the night now, but hopefully one of our other responders will be able to follow up on this before I log back on tomorrow. If not, I'll reply then.

DMR 152 Wombat At Large Team Colleague

Good job- that log looks clean to me. :)


A "Canned Answer" as to how to keep some of this stuff from infecting you in the future:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone (and free) firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

DMR 152 Wombat At Large Team Colleague

Revenge, and the fact that most people don't want to take the time to do it, is something we have to deal with.

True, but I personally disagree with the whole "revenge" aspect to begin with.

Most of us who help out here are professionals, and our main focus is to help others; "revenge" and other similar types of misguided and rather childish online behaviours really don't serve any of us.

If anyone wants an online "playpen" where they can post whatever they want and then gripe, whine and moan about how the others in that community feel about those posts, there are plenty of those types of sites out there.

Ours just doesn't happen to be one of them... ;)

DMR 152 Wombat At Large Team Colleague

any suggestions?

Ouch! That doesn't look very good. I do have some suggestions, but they'll have to wait until tomorrow. I need to wrap things up here and log off for the night pretty soon.

DMR 152 Wombat At Large Team Colleague

Personally, I think the rep system is not a good one for monitoring abusive forum members. Giving negative rep to someone who is unusually rude, abrupt or even abusive does little. Reporting such posts to your moderators is a better method of dealing with that circumstance.

Entirely right.

DMR 152 Wombat At Large Team Colleague

The entire rep thing is pretty useless. I've yet to see a site where it doesn't lead to strife and popularity contests to get the highest rep.

Exactly.

As I posted in one of our older threads on this subject:

Quite honestly, getting wrapped up in this whole thing of reputation points isn't worth it. The points system is flawed, can be abused, and basically means nothing in terms of your true reputation here. This is why many support sites that used to use such a system have dropped it- the accuracy of the advice and answers you give are ultimately what will determine your reputation here.

In other words: don't let your ego take a hit because another member gave you a negative Point Hit, especially if it happened in a post in one of our non-technical forums like the Geek's Lounge. Your overall reputation here is not based on your Rep Points, it is based on whether or not you have a history of giving good and reliable advice to other members. Period.

DMR 152 Wombat At Large Team Colleague

/dev/hda2 is the bootable part.

What "bootable part"? You didn't indicate that you had a separate /boot partition as well. Is that what you meant by the above? If not, please clarify.

/dev/hda8 is another Linux partition.. I don't remember what it is used for.. I tried re-running the boot setup from Linux, but it failed.

What exact errors did you get?

I don't mean to sound short or anything like that, but given the fact that you've got a dual boot/dual OS system, and there seem to be problems with both OSes, you'll need to provide us with as much exact and specific information as possible in order for us to help you resolve the problems most quickly.

DMR 152 Wombat At Large Team Colleague

Time for a new game perhaps? ... How about this one?

Pick a ridiculous situation.
Post a picture found with Google image search that illustrates it.
Pick the topic for the next person to do.

Ahh.. not a new game at all, but Alex is probably the only other one here who might even remember the infamous "Google-Pic Contests" waged by a certain denizen of The Net named FoBoT. His ability to Google a picture for any idea thrown at him was a thing of wonder and legend.

In FoBoT's honor, I give you "the red brick computer":

[img]http://www.peeron.com/pics/inv/custpics/4066apx045.1106372469.jpg[/img]

(Yes, I know it's a Lego brick, but.. it's red, it's a brick, and it's a computer; job done)


Again in FoBoT's honor (and because I have a particular penchant for marsupials, and also that a non-marsupial creature mooning us has been offered already), might I ask for a pic of a Wombat giving us all the proverbial Moon?

Have at it folks....

DMR 152 Wombat At Large Team Colleague

- Why did your Linux partition need fixing in the first place? As much detail as possible about that would help.

- If you can, give us the details of your exact partition layout (/dev/hda1=Windows, /dev/hda2= /, etc.).

- Did you have Lilo installed as your primary bootloader? That is, installed on the MBR (/dev/hda) as opposed to the / Linux partition. If so, the FIXMBR command just wiped out that boot code and restored the Windows-only boot code. You will have to boot into Linux with a boot floppy or the install CD and re-run Lilo to get your Lilo boot menu back. I can tell you how to do that if need be.

- If you were booting between the two OSes in a different fashion, please elaborate.


Get back to us with the above information and we'll go from there.

DMR 152 Wombat At Large Team Colleague

Linux as well? Oh fsck, I really wish you'd have let me know that before... :eek:

Not time to panic yet though- a few of us here are Linux geeks too. :mrgreen:


- Did this happen before/during/after trying what I suggested in my last post?

- What version of SuSE are you running?

- Give us the specifics of your drive/partition setup and your bootloader configuration.

- Give us the exact specifics of "KABOOOOOM"; what (if any) errors you get, etc.

Get us the details and we'll take it from there...

DMR 152 Wombat At Large Team Colleague

Hang in there. I have to go offline for a bit; if none of our other helpers pick up on this in the mean time, I should be back in a couple of hours or less.

DMR 152 Wombat At Large Team Colleague

Ah- now that's more like it. Time for the Killbox :)

1. Unzip the downloaded Killbox file to your desktop.

- Run Pocket Killbox, paste the following file path into the "...file to delete" box, click "Standard File Kill" and "End Explorer Shell While Killing File", and then click on the button with the red circle and an X in the middle:

C:\WINDOWS\SVCPROC.EXE

- Repeat the above process for:

C:\WINDOWS\KKLIEY~1.EXE

- Paste the following in the Delete box, click "Standard File Kill", click "Unregister dll before deleting", and then click on the button with the red circle and an X in the middle:

C:\Windows\System32\DrPMon.dll


- If you get no errors when you do the deletions, reboot your computer.

- If the deletions fail, do not reboot yet. Instead:

Run Pocket Killbox again, paste C:\WINDOWS\SVCPROC.EXE into the Delete box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "No".

Repeat the process for C:\WINDOWS\KKLIEY~1.EXE.

Repeat the process again for C:\Windows\System32\DrPMon.dll, but this time click Yes when prompted to reboot.


2. Once rebooted, do the following:

Open a new/blank Notepad file.
Copy the contents of the code box below into the Notepad file.
Name the file as fix.reg.
Change the Save …

DMR 152 Wombat At Large Team Colleague

Ouch- it's really strongly recommended that you not upgrade to SP2 on an infected or otherwise problematic system. Bad Things can happen, as it seems you may have discovered. :(


I'm quite certain that the Atlcu32.exe file is a component of a malicious infection, but it sounds like you'll have to get past the boot-up issue before we can deal with disinfecting the system.

Let us know whether or not you can even get into the system via Safe Mode and we'll take things from there.

DMR 152 Wombat At Large Team Colleague

1.

actually my internet keeps on disconnecting... I have been able to fix this problem by killing some process. how can I fix this??

Can you tell us the exact name of that process?


2. Your log looks clean, but it sounds like you still have some hidden Aurora-related nasties hanging around. Please do the following so that we can get a better look at exactly where those files are lurking:

- Go here and download Silent Runners.vbs. Run it, and post the contents of the log it generates.

- Next, go here and download FindIt's.zip to your Desktop. Unzip the files and doubleclick on FindIt's.bat to run it. A text file will open when it has finished scanning; it may take awhile, so please be patient. Post the contents of that log in addition to the Silent Runners log.

Finally, download Killbox from here. Depending on what the log files tell us, we may be using it shortly.

DMR 152 Wombat At Large Team Colleague

You have a few different infections, so this will take a couple of steps. Please be patient:

1. Remove Newdotnet, either from your Add/Remove Programs control panel, or by going here and scrolling down to the uninstall tool.


2. Go here for the instructions on how to remove the Bube.d (aka Win32.Beavis) Removal [isrvs] infection. Please follow the removal instructions exactly.


3. Once done, repost a new log here and we will finish off the clean up.

DMR 152 Wombat At Large Team Colleague

Good work. Between CWShredder and your other fixes, you've removed most of the problems.

There's still a little bit of clean-up to do though:


1. Have HijackThis fix:

R3 - Default URLSearchHook is missing
O4 - Startup: DLHelperEXE.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/version7/dlhelper.cab


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Search for and delete DLHelperEXE.exe.


3. Empty your Recycle Bin, reboot, run HJT again, and post a new log.

DMR 152 Wombat At Large Team Colleague

1. OK, that seems to have worked; no more sign of the Nail.exe infection :)

2. Those Norton and SpyBot entries with all of the hyphens between the letters look very strange; I've never seen entries like that in a HJT log before.

Are those directories really spelled that way when you view them in Windows Explorer?

DMR 152 Wombat At Large Team Colleague

1. I'm not sure what did happen when you ran CWShredder, but CTHELPER probably wasn't the cause.


2. Have HijackThis fix:

O4 - HKLM\..\Run: [awvycup] c:\windows\system32\awvycup.exe


3. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Locate and delete the c:\windows\system32\awvycup.exe file.


4. Empty your Recycle Bin, reboot, and post a new HJT log.

DMR 152 Wombat At Large Team Colleague

A few more things need to go.

1. Open a DOS box by typing "command" (omit the quotes) in the "Run..." option under your Start button menu.

- At the command prompt in the DOS window, type the following command:

regsvr32 /u C:\WINDOWS\SYSTEM\HIJENCA.DLL

- Close the DOS window after the command completes.


2. Run HijackThis again and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\TOOLBAR.DLL (file missing)
O2 - BHO: (no name) - {4948A8E1-BE50-11D9-9E02-000855D4C36C} - C:\WINDOWS\SYSTEM\HIJENCA.DLL
O18 - Filter: text/html - {7CDBC5E3-BE71-11D9-9E02-00084A455E60} - C:\WINDOWS\SYSTEM\HIJENCA.DLL
O18 - Filter: text/plain - {7CDBC5E3-BE71-11D9-9E02-00084A455E60} - C:\WINDOWS\SYSTEM\HIJENCA.DLL


3. Search your system for the C:\WINDOWS\SYSTEM\HIJENCA.DLL file and delete it if it still exists.


4. Run HJT again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

One infection down, one to go:


a) In your Start menu, click the "Run..." option, type the following command in the "Open:" box, and click OK:

services.msc

When the Services console opens, locate "System Startup Service", right-click on it, and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services console.

b) Run HJT and have it fix the following (don't close HJT after the fixes are done though):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service - Unknown - C:\WINDOWS\svcproc.exe

Once HJT completes the fixes:

- Click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc


- Again in the "Misc Tools" window, click on "Delete a file on reboot". In the Explorer window that opens, navigate to C:\WINDOWS\Nail.exe and double-click on it. Click "Yes" in the resulting reboot confirmation dialog box and allow the system to reboot normally.


3. Reboot, run HJT again, and post a fresh log.
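
The whole sequence in this post (stop and disable the service, remove it, put the Winlogon shell value back to Explorer.exe, and queue the dropper for deletion at the next boot) maps onto standard Windows mechanisms, and the added example below scripts them. It is not code from the original thread or from HijackThis. It assumes a modern NT-based Windows with PowerShell, takes the service name "svcproc" and the two file paths from the HJT lines above, and uses the PendingFileRenameOperations value that Windows itself (and HJT's "Delete a file on reboot") relies on; an empty destination in that list means "delete".

```powershell
# Added example (not from the original thread): scripts the clean-up for the
# second infection. Service name "svcproc" and the two file paths are taken
# from the HijackThis lines above; the registry locations are the standard
# ones HJT reads for O23 (services) and F2 (Winlogon Shell). Run elevated,
# then reboot to let the queued deletions happen.

$ServiceName = 'svcproc'
$Dropper     = 'C:\WINDOWS\Nail.exe'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SessionMgr  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. Look before deleting: which binary does the service actually run?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$serviceBinary = $null
if ($svc) {
    "{0} ({1}) state={2} start={3} path={4}" -f $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName
    # strip surrounding quotes and any arguments from a quoted image path
    $serviceBinary = ($svc.PathName -replace '^"([^"]+)".*$', '$1')
    # 2. Stop, disable, delete: the Services console steps plus HJT "Delete an NT service"
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $ServiceName -StartupType Disabled
    & sc.exe delete $ServiceName | Out-Null
}

# 3. The F2 line: the Winlogon Shell value should be just "Explorer.exe"
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    "Winlogon Shell was '$shell'; restoring Explorer.exe"
    Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'Explorer.exe'
}

# 4. "Delete a file on reboot": append a (source, '') pair to
#    PendingFileRenameOperations, which the session manager processes at boot.
function Add-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    $prop = Get-ItemProperty -Path $SessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $list = @()
    if ($prop) { $list = @($prop.PendingFileRenameOperations) }
    $list += "\??\$Path"   # NT object-manager form of the path
    $list += ''            # empty destination = delete
    Set-ItemProperty -Path $SessionMgr -Name PendingFileRenameOperations -Value ([string[]]$list) -Type MultiString
}

foreach ($f in @($Dropper, $serviceBinary)) {
    if ($f -and (Test-Path -LiteralPath $f)) {
        Add-PendingDelete $f
        "queued for deletion at reboot: $f"
    }
}
"Reboot now to complete the clean-up, then run HJT again."
```

The order matters: delete the service before queuing its binary, otherwise the service can restart the file on the way down, and reset the Shell value before rebooting or Winlogon will try to launch Nail.exe again on the next logon. On the Windows 9x systems this thread dates from, the F2 line really is the Shell= line in C:\WINDOWS\system.ini, and that file is what has to be edited instead.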

DMR 152 Wombat At Large Team Colleague

You're welcome. Let us know if you find a solution.

DMR 152 Wombat At Large Team Colleague

OK; we'll be here...


If the online scans don't help, do the following:

Download the (free) HijackThis utility.

Once downloaded:

Create a folder outside of any Temp/Temporary folders for HJT and move it there. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents can tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Well, there's nothing suspicious about the processes you listed. They're necessary components of your Wireless software and your anti-virus/anti-spyware applications, and unfortunately they are all known to be a bit on the resource-intensive side.

In terms of the "access denied" error, you will get that when you try to use Task Manager to kill certain running processes. In those instances you should use whatever Exit/Shut Down/etc. option is built into the programs, or turn off the option to automatically run the programs at Windows start-up and then reboot.

In general though, I can't think of anything that would be the obvious cause for the resource drain. Your best bet is probably to experiment with disabling/shutting things down one at a time to see if you can narrow down the possible suspects.

DMR 152 Wombat At Large Team Colleague

OK. There are a couple of different methods of removing Hotoffers that have worked for some of our other members. The procedures are described in the links below; give them a try and let us know the results:

http://www.daniweb.com/techtalkforums/thread19959.html

http://www.daniweb.com/techtalkforums/thread23003-hotoffers.html

DMR 152 Wombat At Large Team Colleague

First try the instructions given in this thread; they seem to have worked for other members who were infected with Hotoffers.

If that doesn't fix the problem for you just let us know, post a new HJT log, and we'll go from there.

DMR 152 Wombat At Large Team Colleague

Are you sure you posted the full contents of the HJT log? That one looks abnormally short...

DMR 152 Wombat At Large Team Colleague

Your log is pretty clean; just a couple of small nasties to fix. Put a check next to the following items and then click the "Fix checked" button:

R3 - URLSearchHook: HyperSearchHook - {C69D0BFE-3584-447B-BB42-ADADECD323C0} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll


More than anything, your log indicates that you've got a fair amount of programs and processes fired up, including a web server and a MySQL database. It's possible that you're just overtaxing the system.

If you open Windows Task Manager and monitor the CPU and memory usage of the running processes, can you determine which of them is hogging your resources?

DMR 152 Wombat At Large Team Colleague

In addition to your Symantec scan, you should do at least two of the following free online virus/spyware scans; they may catch things that Symantec didn't:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/

Let us know what (if anything) those scans found, and if they were able to remove the mailer infection.