DMR 152 Wombat At Large Team Colleague

Firefox has its own settings for Proxy configuration, which are separate from those used by IE.

I'm not familiar with NTL Medic, but you may be able to look at the Proxy settings in your Internet Options control panel and duplicate those in Firefox's settings:

Open the Internet Options control panel and go to Connections > LAN Settings. If you see Proxy configuration information there, try to replicate that information in Firefox's Tools > Options > General > Connection Settings window.

DMR 152 Wombat At Large Team Colleague

1. To get rid of the newdotnet mess:

a) Download and run LSPFix.

- If you do not see newdotnet6_38-1.dll listed in the "Keep" window, simply click the Finish button and then click OK in the resulting dialog box.

- If you do see newdotnet6_38-1.dll listed in the "Keep" window, put a check in the "I know what I'm doing" box, highlight newdotnet6_38-1.dll, and click the ">>" button to move newdotnet6_38-1.dll to the "Remove" window. Click Finish and then OK to complete the fix.

b) Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup -s
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38-1.dll' missing
(<-- if still present)

2. For the "Nail.exe" infection, reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

a) In your Start menu, click the "Run..." option, type the following command in the "Open:" box, and click OK:
services.msc

When the Services console opens, locate "System Startup Service", right-click on it, and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services console.

b) Run HJT and have it fix the following (don't close HJT after the fixes are done though):

DMR 152 Wombat At Large Team Colleague

The long list of Read me threads in the viruses, spyware and other nasties looks disgusting

Hmm... I was just looking at that mess over the weekend and thinking the same thing.
We must all be taking the same little blue pills or something... :mrgreen:


Danny,

I think your assessment is on the money.
I've removed my post concerning HJT 1.99.1; it's rather old news comparatively, and as you said, linkage to the correct download can be provided in a better place. I'll leave the System Restore post where it is until we agree where (if anywhere) to put that info.

DMR 152 Wombat At Large Team Colleague

Let me try a few more tries downloading and I will let you know the results.

Yes, do that please. This has been a pretty long battle; it would be good to know if you finally got it fixed.

DMR 152 Wombat At Large Team Colleague

1. Turn off System Restore; instructions and explanation are here.

2. Follow the trojan removal instructions given in this Microsoft article:

http://support.microsoft.com/?scid=kb;en-us;897079

3. Run the AVG and Spyware Doctor scans again. If they no longer detect the trojan, re-enable System Restore. If they still detect the trojan, let us know.

DMR 152 Wombat At Large Team Colleague

Glad we could help, Hoggy. :)

Now that your system is clean, here are a few general things you can/should do to minimize your chances of future virus/malware infections (some of which you're obviously doing already):


1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or …

DMR 152 Wombat At Large Team Colleague

When I turned off System Restore and ran them again and then turned System Restore back on, everything seems fine now.

Yes, turning off System Restore (as opposed to just going back to previous restore point) can flush infections from your system in some cases. There's a bit more info on the "why" of that here.

DMR 152 Wombat At Large Team Colleague

No indications of any obvious "nasties" that I can see in that log- looks clean to me.

Are things running smoother now?

DMR 152 Wombat At Large Team Colleague

In addition to the info in caperjack's post:

1. After you've made sure that no instances of IEXPLORE.EXE are running, have HijackThis fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {4A7A237F-2497-A933-FB3E-771277E546C7} - C:\WINDOWS\System32\drnbcklm.dll
O2 - BHO: (no name) - {5A2F6A8A-7102-7D47-9FE5-94F94823CF27} - C:\WINDOWS\System32\wajdtnvc.dll (file missing)
O2 - BHO: (no name) - {8A71D05A-5F68-424B-CD9A-F88B9C52E963} - C:\WINDOWS\System32\yfcckvty.dll
O2 - BHO: (no name) - {D6C0A84A-3FE6-5C70-649A-A13562BB77E2} - C:\WINDOWS\System32\qimfwwsw.dll (file missing)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete any of the following files if found:
C:\WINDOWS\System32\drnbcklm.dll
C:\WINDOWS\System32\wajdtnvc.dll
C:\WINDOWS\System32\yfcckvty.dll
C:\WINDOWS\System32\qimfwwsw.dll
c:\counter.cab

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living …
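The Temp-folder step above (empty each user's Temp folder, keep the folder itself, and treat anything stored there as disposable) can be scripted with a guard so the wrong folder is never emptied. The following Python script is an added example, not code from the forum post or from any tool mentioned in the thread. It walks an XP-style "Documents and Settings" layout, empties each per-user Local Settings\Temp folder without removing the folder, reports entries it could not delete (such as files held open by a running program), and refuses to touch any folder whose own name is not a temp-folder name. The profile tree it builds for the demonstration is constructed, so it runs offline on any operating system.

```python
"""Empty per-user Temp folders without deleting the folders themselves.

Added example; not code from the forum post. It mirrors the step in the
thread (delete the contents of each user's Temp folder, keep the folder)
and adds the guard the thread's warning implies: only a folder whose own
name is a temp-folder name is ever emptied, and its contents are treated
as disposable.
"""
import shutil
import tempfile
from pathlib import Path

# Folder names that identify a temp location (case-insensitive match).
TEMP_FOLDER_NAMES = {"temp", "tmp", "temporary internet files"}


def is_temp_folder(path):
    """True when the folder's own name marks it as a temp location."""
    return Path(path).name.lower() in TEMP_FOLDER_NAMES


def empty_folder_contents(folder):
    """Delete everything inside folder but keep folder. Return (removed, skipped).

    Raises ValueError for a folder that is not a temp folder, so a mistyped
    path cannot wipe a profile directory. Entries that cannot be deleted
    (for example files held open by a running program) are listed in
    skipped instead of aborting the whole run.
    """
    folder = Path(folder)
    if not folder.is_dir():
        raise NotADirectoryError(str(folder))
    if not is_temp_folder(folder):
        raise ValueError(f"refusing to empty non-temp folder: {folder}")
    removed, skipped = [], []
    for entry in folder.iterdir():
        try:
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)      # subfolder: remove it and its contents
            else:
                entry.unlink()            # file or symlink: remove just the entry
            removed.append(entry.name)
        except OSError:
            skipped.append(entry.name)    # in use or access denied; report, don't abort
    return removed, skipped


def profile_temp_folders(profiles_root):
    """Yield each user's Local Settings/Temp folder under an XP-style profiles root."""
    for user_dir in sorted(Path(profiles_root).iterdir()):
        candidate = user_dir / "Local Settings" / "Temp"
        if candidate.is_dir():
            yield candidate


def empty_all_profile_temps(profiles_root):
    """Empty every per-user Temp folder; return {folder: (removed, skipped)}."""
    return {str(t): empty_folder_contents(t) for t in profile_temp_folders(profiles_root)}


def build_demo_tree():
    """Constructed stand-in for C:/Documents and Settings so the script runs offline."""
    base = Path(tempfile.mkdtemp(prefix="profiles_"))
    for user in ("Administrator", "Hoggy"):
        temp = base / user / "Local Settings" / "Temp"
        temp.mkdir(parents=True)
        (temp / "sample.tmp").write_bytes(b"constructed sample data")
        unpacked = temp / "Temporary Directory 1 for hijackthis.zip"
        unpacked.mkdir()
        (unpacked / "hijackthis.log").write_text("constructed sample log\n")
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for folder, (removed, skipped) in empty_all_profile_temps(root).items():
        print(f"{folder}: removed {len(removed)}, skipped {len(skipped)}")
    shutil.rmtree(root)  # tidy up the constructed demo tree
```

On a real XP machine you would pass the actual profiles root (the "Documents and Settings" folder) to empty_all_profile_temps while booted into Safe Mode, as the post describes; the guard means a path that resolves to a user's Desktop or My Documents folder raises instead of being emptied.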

DMR 152 Wombat At Large Team Colleague

This is new to your logs and I don't like the looks of it:

C:\PROGRAM FILES\POKERSTARS.NET\POKERSTARS.EXE

Gaming/gambling programs and sites are notorious for spyware; uninstall that program.

DMR 152 Wombat At Large Team Colleague

Your logs show signs of multiple infections; please do the following:

1. Uninstall all "Acceleration Software"/"eAcceleration"-related software through your Add/Remove Programs control panel. Those products have, at best, a shady reputation.


2. Again through your Add/Remove Programs control panel, remove all MyWay/MySearch/MySearchBar/etc. programs; they are malicious.


3. Run a full anti-virus scan with AVG, making sure that it is using the most current virus definition updates.


4. Do at least two of the following free online anti virus/spyware scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914


5. Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode …

DMR 152 Wombat At Large Team Colleague

Hi Adrian,

Many of these infections do "morph", and because of that, they can be rather difficult to weed out.

Please do this to start with:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded::

A) Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!

B) Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Log is squeaky clean; you look good to go. :)

One thing though- I see that you have the ZA firewall and SpyBot's "Sd Helper" installed, but I see no indication of any anti-virus software. You really should have some sort of real-time AV protection running.

DMR 152 Wombat At Large Team Colleague

1. Scan with SpyBot and also Ad Aware; have them fix everything they find.


2. You can try a System Restore, but although that may remove the effects of the nasties, the actual malicious files will probably still be left on your system.


3. If the problem persists after the SpyBot and Ad Aware scans:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

DMR 152 Wombat At Large Team Colleague

O1 - Hosts: terminalserver 192.168.0.12
O1 - Hosts: fileserver 192.168.0.10
O1 - Hosts: exchangeserver 192.168.0.11

Those are actually probably valid host entries for different machines on Hoggy12's internal network. The IP addresses are all in the private, non-routable address range of a Class C network, so they aren't hijacks/redirects.
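The distinction drawn above (private LAN entries versus a public domain pinned to some other address, as with the aimtoday.aol.com entry earlier in this thread) can be checked mechanically. The following Python script is an added example, not code from the forum or from HijackThis. It parses "O1 - Hosts:" lines in either field order, classifies the address with the standard ipaddress module, and uses the entries quoted in this thread plus one constructed loopback line as sample input.

```python
"""Classify HijackThis 'O1 - Hosts:' log lines by the kind of address they point at.

Added example (not from the forum post or the HijackThis tool). The rule
mirrors the reasoning in the post: a name mapped to a private (RFC 1918)
or link-local address is most likely a local-network entry, a loopback
mapping is the ad-blocking style of hosts entry, and a domain mapped to
some public address is the redirect pattern worth investigating.
"""
import ipaddress
import re

# Sample input: the entries quoted in this thread plus one constructed
# loopback line (127.0.0.1) of the kind ad-blocking hosts files contain.
SAMPLE_O1_LINES = [
    "O1 - Hosts: terminalserver 192.168.0.12",
    "O1 - Hosts: fileserver 192.168.0.10",
    "O1 - Hosts: exchangeserver 192.168.0.11",
    "O1 - Hosts: 217.116.231.7 aimtoday.aol.com",
    "O1 - Hosts: 127.0.0.1 ads.example.net",  # constructed
]

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1(line):
    """Return (ip_address, hostname) for an O1 line, or None if it does not parse.

    HijackThis echoes the hosts-file line as written, so the address may be
    the first field (standard hosts syntax) or the second (as in the log
    quoted above); both orders are tried.
    """
    match = O1_RE.match(line)
    if not match:
        return None
    first, second = match.groups()
    for ip_text, host in ((first, second), (second, first)):
        try:
            return ipaddress.ip_address(ip_text), host
        except ValueError:
            continue  # that field was not an address; try the other order
    return None


def classify_o1(line):
    """Map one O1 line to 'loopback', 'private', 'redirect-candidate' or 'unparsed'."""
    parsed = parse_o1(line)
    if parsed is None:
        return "unparsed"
    ip, _host = parsed
    if ip.is_loopback:
        return "loopback"              # ad-blocking style entry
    if ip.is_private or ip.is_link_local:
        return "private"               # LAN name resolution, as in the log above
    return "redirect-candidate"        # public name pinned to a public address


def triage(lines):
    """Return {hostname: classification} for every parseable O1 line."""
    result = {}
    for line in lines:
        parsed = parse_o1(line)
        if parsed is not None:
            result[parsed[1]] = classify_o1(line)
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_O1_LINES).items():
        print(f"{verdict:18} {host}")
```

A "redirect-candidate" verdict is a prompt to look closer, not proof of a hijack: the check only says the name is being pinned to an address the machine's owner does not control, which is exactly the case the post separates from the private-range entries.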

DMR 152 Wombat At Large Team Colleague

Since this isn't a virus/spyware/etc. problem, I'm going to move this thread over into a more general Windows forum so that you can get more "eyeballs" on the problem.

Buckle up, we're going for a ride.....

DMR 152 Wombat At Large Team Colleague

Hi Capp,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread in this forum and post your question there. When you do, post a log from HijackThis and give us any other specific information that might be helpful.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

For those that read my first thread and understood it completely. It should be obvious that I can clean out unwanted registry entries if I want to. I would have hoped that I came across as one that knows how to use add/remove also...

If you don't know how Microsoft sets up folders that can't be deleted, I'll be glad to bring you up to my level. You can change access to most registry items except the "Prohibited Files" registry entry... I just thought there might be a knowledgeable guy on the forum that knew more than I did about it.

Well Dick,

We certainly would like to thank you for those comments. Additionally, we sincerely apologize that the help we offer here (on our own free and unpaid time) was not "up to your level".

No further comment...

DMR 152 Wombat At Large Team Colleague

Can you tell us where Spyware Doctor says the trojan is located?

Yes, do that if you can please. Your latest log looks clean, but HijackThis isn't designed to detect all types of infections, so you may still have something lurking in your system.

Also install the latest updates for your AVG anti-virus program and run a full scan with that. If AVG finds infections, give us the info on that from AVG's scan report.

DMR 152 Wombat At Large Team Colleague

But it’s not the battery; I used a multi-meter to test it.

Although the battery may be good, you should be aware that getting a good voltage reading with a meter isn't a very reliable test of that.

Meters are fairly sensitive, and even extremely weak batteries will still have enough juice left in them to give you a good voltage reading on a meter. However, such a reading doesn't prove the battery's ability to supply sufficient current under a real-world load. Given that a new CMOS battery will only cost you a few bucks, it's probably worth trying a new one before you spend more time and money on the other options.

DMR 152 Wombat At Large Team Colleague

Yes, you do still show signs of infections.

I need to log off for the day, but hopefully one of our other members will pick up on this until I can return.

DMR 152 Wombat At Large Team Colleague

Gosh how I love windows. Turned XP's firewall off...

I know what you mean. I've had more weird, flaky experiences with that @#$*% firewall than I care to think about....

Glad you at least got it happening, though. :)

DMR 152 Wombat At Large Team Colleague

rris.exe doesn't seem to be running anymore, but you've got new gremlins now:

O2 - BHO: (no name) - {C0EE1C5E-D2BD-FB4A-9009-D7C8688B7E9D} - C:\WINDOWS\System32\qnpi.dll
O4 - HKCU\..\Run: [Ifrjava] C:\WINDOWS\System32\j?vaw.exe


Let's see if a few other utilities can help here:

A) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & …

DMR 152 Wombat At Large Team Colleague

but until then, I think this scheme is the best we have.

It appears that way, yes. Considering the fact that it's being positioned as a replacement for WEP, TKIP, and even DES/3DES, it must have something going for it...

DMR 152 Wombat At Large Team Colleague

Hmm... that all looks good to me; I'd think you should at least be able to ping at this point.

Just to really eliminate this possibility- turn off XP's firewall entirely. After disabling the firewall it might be a good idea to reboot just to make sure that all components of the firewall have been shutdown. If you're worried about leaving yourself vulnerable, just physically disconnect the XP machine from your DSL modem during the test.

DMR 152 Wombat At Large Team Colleague

The "AdStatus" infection still appears in your log. Did you follow my earlier removal instructions exactly and fully? Even if you did, AdStatus may be respawning itself.

Please do the following:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates. Also run the free online virus scan at at least two of these sites:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of …

DMR 152 Wombat At Large Team Colleague

1. Was there any version information, company name, etc. in the Properties tabs of the rrsi.exe file? I've never seen that file before and can't find any information about it online. Also, it's running out of your C:\Windows\system folder, which is not where .exe files usually live on an XP system. All of that makes me suspicious of the file, but I don't want to tell you to delete it until I'm sure there's no further identifying info in the file's Properties.


2. .dll files are Dynamically Linked Libraries, also called Dynamically Loaded Libraries. They aren't programs in and of themselves, but rather they contain instructional code used by programs (or Windows itself) in the course of performing different tasks. Most dlls are legit, but malicious infections can also use dlls to accomplish their "dirty deeds".


3. What does happen when you try to get into Safe Mode?
If Windows just boots as it normally does, you may not be hitting F8 at just the right time. The timing can be pretty tight, and many systems have a "fast boot" option enabled which makes it even harder to catch the F8 keystroke in time to bring up the Safe Mode boot menu. Try repeatedly tapping the F8 key just after the computer starts to boot; you need to catch it well before you see the "Welcome to Windows" or "Windows is Starting Up" screen.

DMR 152 Wombat At Large Team Colleague

If I do find anything I'll post it, but I haven't seen a workaround yet.

DMR 152 Wombat At Large Team Colleague

While I am a sceptic as far as the inability of a determined hacker to break into anything, the statistics concerning cracking an AES encryption key found in this government document are impressive!

I'll take my cue from history and put the money on the crackers. :D

It seems that every time a new encoding/encryption scheme has been developed, there's been a prediction that it would be humanly impossible to crack, or that it would take thousands/millions/billions of years to crack. But what's really happened in almost every case? Yup- the encryption gets cracked in decades/years/months or, in a couple of embarrassing cases, it's been cracked before it's even officially been released.

The cracks may have been made possible by new and previously-unimagined technology, the discovery of an attack vector overlooked by the code's designers, some stroke of genius on a cracker's part, or sheer brute-force determination. Whatever the method though, solving encryption "mysteries" is something that's always proven to be a fascinating challenge that some people just can't ignore.

DMR 152 Wombat At Large Team Colleague

1. As Christian asked, can you post the results of running the "ifconfig" command on the RH box please?


2. 169.254.0.0- * - 255.255.0.0 - U - 0 - 0 -0 eth0

The above entry in your routing table comes from DHCP auto-configuration. Since you're using static IP addressing, it shouldn't be there. It might just be a leftover entry from your previous configuration changes, but it might also be a sign of a current conflict.

From the RH box, please post the contents of your /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network files.

DMR 152 Wombat At Large Team Colleague

I missed something that's been lurking in your logs:

C:\WINDOWS\system\rrsi.exe

I don't recognize that file and I'm a bit suspicious of it; can you do the following please?:

- Open Windows Explorer and locate the file.

- Right-click on it with your mouse. A menu box should pop up; choose Properties from that menu.

- Look through the information in the various Properties tabs and post any identifying information that you can find there (file size, modification/creation date, company name, etc.).

DMR 152 Wombat At Large Team Colleague

While I can't say that these are the source of your problem, your log does show indications of infection.


1. You should print out these directions, as you cannot have any web browsers open while performing the following HijackThis fixes.


2. With any/all web browsers closed, have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [NAV_Update] C:\NAV_Update.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PAUL~1.BUS\LOCALS~1\Temp\bundle.exe

If you do not have a Realtek sound card, also fix this:
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

There is a valid "soundman.exe" file which is part of some Realtek sound card software, but there is also a malicious file of the same name.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the following files:
C:\WINDOWS\about.htm
C:\NAV_Update.exe

If you've determined that the "soundman.exe" file is not part of your sound card software, locate and delete that file as well.
- Delete the following folder entirely:
C:\Program Files\AdStatus Service

- For every user account listed under C:\Documents and Settings, delete the entire contents …

DMR 152 Wombat At Large Team Colleague

Now when I put in one of the disks that I was trying before it just tells me that the disk isn't formatted and asks if I want to. It no longer gives me the old error message.

I never found an answer as to why that happens, but others have reported the exact same thing: once they full-formatted a new floppy, that floppy worked fine but the error they got when they put in old floppies changed from the original "No ID" message to the "unformatted" message.

Weird... but this is Windows we're dealing with. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Sorry, my mistake; I should have asked about Ares.
I remembered an "ares.exe" file being associated with a certain trojan/worm, which is why I asked you to remove it. However, I forgot that there was also an "Ares" filesharing program. While I personally don't advise people to use such sharing/downloading programs, if you do want to use it, just ignore my HJT fixes regarding the program.

DMR 152 Wombat At Large Team Colleague

No problem with move/split stuff- I was just kidding.

Try to give us a HJT log generated while you're booted into Windows normally (not safe mode). Also remember what I posted earlier about making sure that HJT is not running from any temp folder, and that Internet Explorer is entirely closed down while you're working with HJT.

DMR 152 Wombat At Large Team Colleague

1. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browsers. HijackThis cannot fully perform its fixes while browsers are running.
Since you won't be online while you're performing the fixes, you might want to print out our instruction or save them to a local text file on your computer.


2. Once Internet Explorer is closed, have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [27oW34R] p2cntcreate.exe
O4 - HKLM\..\Run: [bypcbs] c:\windows\system32\bypcbs.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Jw76RQd9e] odeund.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
p2cntcreate.exe
c:\windows\system32\bypcbs.exe
odeund.exe

- Delete the following folder entirely:
C:\Program Files\Ares

- …

DMR 152 Wombat At Large Team Colleague

haven't you tried it from add remove programs in control panel?????

A question worth asking. Do it that way if you have the option.

NEVER, NEVER, NEVER DELETE SOFTWARE!

Uninstall software, don't delete it. Deleting software does not work!

Erm, um, well... while CW does have a rather inimitable way of responding to some questions, his suggestion is on the mark here: if you can't uninstall a program through the control panel, it isn't suggested that you try to do so by just deleting components of the program "by hand". That will almost certainly leave "orphaned" entries in the Windows registry and other leftover bits of the program.

DMR 152 Wombat At Large Team Colleague

Oh *groan*- I see now that you're making my life as a moderator rather difficult.

You have two concurrent threads going on regarding the same problem (which is something that our posting guidelines prohibit), I've just responded to both, and now I'm going to have to merge them together. (Did I mention that I hate thread merges and splits?) :mrgreen:

Oh well- here we go...

DMR 152 Wombat At Large Team Colleague

I can't do this as the virus won't let me open the program

Which program?

Please clarify:

- Was HJT run in Safe Mode or normal mode?

- Is it HJT or AVG that you cannot open?

DMR 152 Wombat At Large Team Colleague

1. C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. Once you've taken care of the above, run HJT again and have it fix:

O4 - HKLM\..\Run: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide …
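Several of the replies above apply the same handful of judgements to O4 autostart entries: a command given by bare filename (so the file has to be hunted down in Safe Mode), a program launched from a Temp folder such as the SAHBundle entry, an executable living in C:\WINDOWS\system rather than system32 (the rrsi.exe question), a batch file as an autostart (second.bat), rundll32 used to load a DLL (the New.net entry, where the DLL is the real payload), and HijackThis itself being run from a Temp folder. The following Python script is an added example, not code from the forum or from HijackThis; it encodes those judgements as flags over O4 lines, using the entries quoted in this thread plus one constructed, fully qualified entry for contrast. The temp-folder test is the same one that catches the HijackThis-in-Temp case from the log entry above.

```python
r"""Triage HijackThis 'O4' autostart entries with the heuristics used in this thread.

Added example; not code from the forum or from HijackThis. Each flag
corresponds to a point made in the replies: bare-name (no folder given),
temp-folder (program lives under a Temp folder), windows-system-dir
(C:\WINDOWS\system, not system32), script-launcher (.bat/.cmd/.vbs/.js
autostart) and rundll32-host (the DLL argument, not rundll32, is the
payload). A flag is a prompt to identify the file, not a verdict.
"""
import re

# Sample input: O4 entries quoted in this thread plus one constructed
# entry with a normal, fully qualified path for contrast.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows_Protect] wincontrol32.exe",
    r"O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe",
    r"O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PAUL~1.BUS\LOCALS~1\Temp\bundle.exe",
    r"O4 - HKLM\..\Run: [second] C:\WINDOWS\system32\second.bat",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup -s",
    r'O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h',
    r'O4 - HKLM\..\Run: [Example Updater] "C:\Program Files\Example\updater.exe" /quiet',  # constructed
]

# hive \..\ key: [value name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
TEMP_NAMES = {"temp", "tmp"}
SCRIPT_EXTENSIONS = {"bat", "cmd", "vbs", "js"}


def executable_of(command):
    """First token of the command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def in_temp_folder(path):
    """True if any folder component of a Windows path is a temp-folder name."""
    parts = path.replace("/", "\\").split("\\")[:-1]
    return any(p.lower() in TEMP_NAMES or p.lower().startswith("temporary") for p in parts)


def analyze_o4(line):
    """Parse one O4 line into a dict with the executable and its flags; None if not O4."""
    match = O4_RE.match(line)
    if not match:
        return None
    hive, key, name, command = match.groups()
    exe = executable_of(command)
    basename = exe.rsplit("\\", 1)[-1].lower()
    extension = basename.rsplit(".", 1)[-1] if "." in basename else ""
    flags = []
    if "\\" not in exe:
        flags.append("bare-name")           # location unknown; must be located by hand
    if in_temp_folder(exe):
        flags.append("temp-folder")         # legitimate software is not run from Temp
    if re.search(r"\\windows\\system\\", exe, re.IGNORECASE):
        flags.append("windows-system-dir")  # .exe files do not usually live there on XP
    if extension in SCRIPT_EXTENSIONS:
        flags.append("script-launcher")
    payload = None
    if basename in ("rundll32", "rundll32.exe"):
        rest = command.strip()[len(exe):].strip()
        payload = rest.split(",", 1)[0].strip() or None   # DLL path before ",EntryPoint"
        flags.append("rundll32-host")
    return {"hive": hive, "key": key, "name": name, "command": command,
            "executable": exe, "payload": payload, "flags": flags}


def suspicious_entries(lines):
    """Return the value names of O4 entries that trip at least one heuristic."""
    return [e["name"] for e in map(analyze_o4, lines) if e and e["flags"]]


if __name__ == "__main__":
    for line in SAMPLE_O4_LINES:
        entry = analyze_o4(line)
        target = entry["payload"] or entry["executable"]
        print(f"{entry['key']:12} {entry['name']:26} {target:45} {entry['flags']}")
```

The constructed "Example Updater" entry and the Ares entry come back with no flags, which is the point the ares.exe correction later in this thread makes: a full path under Program Files is what a legitimately installed program looks like, and the name alone is not enough to condemn it.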

DMR 152 Wombat At Large Team Colleague

1. C:\Arquivos de programas\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


2. Although not associated with the "hotoffers" infection as far as I know, you need to have HijackThis fix:

O4 - HKLM\..\Run: [second] C:\WINDOWS\system32\second.bat

Once HJT has finished the fix (and yes, your question: " After I run the FIX the HJT pane gets clear, is this right" is correct.) close HJT, open Windows Explorer, navigate to the C:\WINDOWS\system32\second.bat file, and delete it. Empty your Recycle Bin after you have done so.

DMR 152 Wombat At Large Team Colleague

I'd wait for their software to arrive first of all, but in the mean time:

Is there anything more to the "IDE #1" error you mention? Giving us as much specific and exact information as possible up front will allow us to help you most quickly.

DMR 152 Wombat At Large Team Colleague

That is an extremely broad question; can you narrow it down a bit?:

- What experience do you have with *NIX operating systems?

- What experience do you have programming for the various *NIX operating systems (Linux, BSD, etc.), and which would be your platform of choice?

- Are there any specific guidelines that you have to adhere to in terms of the final year's project's scope? That is- does the project demand that you focus on a certain thing such as writing some type of device driver, a GUI applet, etc.?

DMR 152 Wombat At Large Team Colleague

Possibility one:

You're trying to remove system files and you might as well stop trying.

True. Many Windows files/folders can and will auto-regenerate as needed. If you're trying to delete those sorts of things, there's no need to, and, as Catweazle said, you shouldn't be trying- they're not the types of items that should be involved in any "cleanup" efforts.

Possibility two:

You're trying to delete spyware and other nasties and you've no hope of doing so. Use removal tools instead.

And that's a very good possibility. Files/folders which are not part of the core operating system but still have the ability to "respawn" after deletion are quite often components of malicious infections. As I asked before, please give us more specific information on the exact files/folders in question.

DMR 152 Wombat At Large Team Colleague

No problem- not your bad at all. :)

It really does sound like a problem with your video display, so I think you'll get more knowledgeable "eyeballs" on your thread in this forum as opposed to the "spyware forum".

DMR 152 Wombat At Large Team Colleague

Hi Adrianne, welcome to TechTalk. :)


Please do the following to start us off:

1. Download HijackThis:

2. Once downloaded, follow these instructions to install and run the program:

- Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

- Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

That depends on the exact files/folders that you're dealing with, now doesn't it? :mrgreen:

Please give us more specific information on that and we'll help you out.

DMR 152 Wombat At Large Team Colleague

...as far as i can tell i have no virus on my comp..

Um... then why did you post this in the Viruses, Spyware, and other Nasties forum? :mrgreen:

Seriously though- that does sound much more like a hardware or driver problem, so I'm going to move this to what (I hope) is a more appropriate forum....

DMR 152 Wombat At Large Team Colleague

Just what I posted: that although WMP does have an uninstall option in the A/R P control panel, that option does not actually remove the player, only the obvious shortcut accesses to it. WMP itself remains on your system.

DMR 152 Wombat At Large Team Colleague

1. WEP is definitely not secure (although it is better than nothing). Cracking any level of WEP encryption is considered a trivial task these days for anyone who is truly intent on doing so and has the right setup. Depending on your location (and the sensitivity/importance of the data traversing your network), you may not have to worry about such serious "hackers", but then again... you never know.

WPA and other newer encryption methods have come along to address WEP's shortcomings, and although they are more robust than WEP, they too have their weak spots.


2. MAC filtering is not an alternative encryption method to WEP, but rather a complement to the security that encryption such as WEP can provide. MAC filtering simply allows or denies access to your wifi network based on the unique MAC address assigned to every network device.

MAC addresses can be sniffed and "spoofed" however, so even this is not a foolproof security measure. Although most Windows users are unaware of the wealth of network sniffing/cracking/etc. tools that are available, users of Linux systems and other UNIX-based operating systems have been using such tools for a long time. Unfortunately, even though most of those tools were originally intended for legit network maintenance and troubleshooting, they've been put to the wrong uses by "war drivers" and other wifi network-cracking low-lifes.