DMR 152 Wombat At Large Team Colleague

If you did and it's lost on the hard drive, do a search for *.WAB

Possibly, but that would be more likely with Outlook Express, as OE uses the Windows Address Book (.wab) directly. Outlook does not, so things could be a bit more difficult in this case.

DMR 152 Wombat At Large Team Colleague

With 350 contacts you really should have had a backup!!

Ouch, yes: Chapter 3, in which Pooh learns the lessons of making frequent backups! :mrgreen:

Are you using Outlook in conjunction with an Exchange server, or is it just one of the "stand-alone" implementations of Outlook?

You may be able to recover/re-import some (if not all) of the overwritten contact information if you had an existing Personal Address Book (.pab) file which contained the same info as your Outlook Contacts folder living somewhere on your local hard drive or a network drive. First, open Windows Explorer and search your local hard drive(s) for all files named *.pab

DMR 152 Wombat At Large Team Colleague

The log looks better now. Please do the following to clean things up:

1. This entry in your log indicates that you had an instance of Internet Explorer running when you ran your HJT scan:

C:\Program Files\Internet Explorer\iexplore.exe

Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.


2. After taking care of the above, run HJT and have it fix:

O2 - BHO: (no name) - {31B7AAB3-E6C7-3309-B9E7-5C0621B3FFCC} - (no file)
O2 - BHO: (no name) - {E38A8CF2-4CDD-B986-140E-7A21B34E968F} - (no file)


3. Let us know what problems (if any) you are still experiencing.

DMR 152 Wombat At Large Team Colleague

1. The "Welcome to the domain" message is a bit premature; it basically means that the workstation has been readied to join the domain, but the actual changes in your configurations won't happen until the reboot.

2. Double-check your setups for the workstation and user accounts on the DC.

3. I know this may seem redundant, but can you please walk through the procedures described in the following link and let us know the results. If you encounter any errors/problems during the procedure, please tell us exactly what they are and where in the process they occur:

http://www.wown.com/j_helmig/wxpjoind.htm

DMR 152 Wombat At Large Team Colleague

How would I check if it's primary or secondary?

As kc0arf said, the most definitive way to determine that would be to open the computer's case and look at how the drives are connected.

Assuming that you have IDE (as opposed to SATA) drives, there will be two connectors on the motherboard for the IDE ribbon cables. One of those connectors is the Primary IDE channel, the other is the Secondary channel, and you can have a maximum of two drives connected to each. You can usually determine which connector is Primary and Secondary by looking for labels on the mobo (near the connectors) that say something like IDE 0 and IDE 1; the lower number is the Primary. Which device on each channel is the Master and which is the Slave is usually determined by jumper settings on the drives themselves.

If both of your hard drives are connected to the mobo by the same ribbon cable, then they are both on the Primary IDE channel. The drive jumpered as Master will be C: (Primary Master) and the drive jumpered as Slave will be D: (Primary Slave).

If the drives are connected to the mobo on two different ribbon cables, you'll first have to determine which cable is on which IDE channel. After that, if the second drive is the only device connected to the Secondary cable, it will be the Secondary Master; if you have another device like a CD-ROM drive attached to the Secondary …

DMR 152 Wombat At Large Team Colleague

My thinking is that maybe when logged into the Windows computer (not domain), my PC is able to connect to the access point. But when logging into Windows, the wireless card I have isn't connecting to the access point, and will only connect when the workstation is on. Is that wrong thinking?

The way you've stated your question is more than a bit unclear, but if this is of any help:

I have a very similar setup (Netgear RT314 router, Linksys WAP11 access point, 1 DC and 3 workstations wired to RT314, 1 laptop connecting via WAP11), and I have no issues related to the access point in terms of Domain vs. Workstation logons on the laptop.

1. On the workstation, can you log on to the domain under other valid domain user accounts, or do you get the "domain unavailable" messages regardless of which account you try?

2. Do the event/system logs on either the workstation or the DC contain any messages/errors that might give us more specific clues as to the "domain unavailable" error?

3. What exact versions of Windows are involved here?

4. Double/triple check the network-related settings on the workstation for errors or omissions.

DMR 152 Wombat At Large Team Colleague

1. Make sure all instances of your web browser(s) are closed before having HJT fix anything! This log entry indicates that you had Netscape running when you did your last scan:

" D:\Program Files\Netscape\Netscape\Netscp.exe"


2. Run HJT and have it fix:

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe


3. Reboot into safe mode. Find and delete:

C:\WINDOWS\system32\javafix3.dll <-- HJT may have already deleted this one
C:\WINDOWS\system32\mshelp32.exe
c:\windows\jjfixer.exe


5. Empty your recycle bin and reboot normally.


5. Post a fresh log, and tell us if you are still experiencing symptoms of infection.

DMR 152 Wombat At Large Team Colleague

Great- glad we could help (again)! :)

If you're sure that the problem is fixed, can we mark this thread as solved?

DMR 152 Wombat At Large Team Colleague

Run Ad-Aware and the WinSock fix in my signature.

To add to/expand on that advice, please do the following:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below)

1. Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s

DMR 152 Wombat At Large Team Colleague

Some of my games are running slow, but I'll just defrag over the weekend (and yes, my IP is registered to West GA). Popups usually stop my computer, but after doing the above things... it helped dramatically. So all I really have left to do is run AVG, Spybot and Ad-Aware... and things should be good. And I haven't run the LSPFix utility yet... thanks for reminding me... haha

OK- do those things (especially the run of LSPFix) when you get a chance and get back to us with the results. :)

DMR 152 Wombat At Large Team Colleague

Good- your log looks much cleaner now. :)

A couple of things, though:

A) I assume that the IP addresses listed in the "017" log entries (160.10.4.9 and 160.10.2.5) are correct, yes? (They report as being registered to West Georgia University).

B) Did you run the LSPFix utility before posting your latest log? If so (and if LSPFix did its job correctly), the " O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing" entry shouldn't still be appearing. Please give us more info on that.

C) What exact problems are you still experiencing? HijackThis is a great tool, but it can't identify and fix everything; if you're still having problems, we might have to do a few more things to get you totally cleaned up.

DMR 152 Wombat At Large Team Colleague

Sorry to intrude in such an off-topic way in this forum section, but seriously, 90% of the problems encountered in this section and in the 'Viruses and nasties' section could be avoided by changing browsers and discontinuing the use of Internet Explorer!

No intrusion whatsoever; I was just "tweaking" you a bit just for the fun of it.

Seriously though- both my online and "real life" work as a computer consultant/troubleshooter have proven to me that what I (and you) have said concerning IE is true and valid. I've also been doing online support long enough that I've learned to not get very involved in the "flame wars" that might arise as a result of my posting my opinions.... ;)

DMR 152 Wombat At Large Team Colleague

The following HJT log entries tell me that our job here isn't done yet, but as crunchie has a better handle on this than I, please wait until he is able to respond:

C:\WINDOWS\System32\izlrrspv5.exe
O2 - BHO: (no name) - {31B7AAB3-E6C7-3309-B9E7-5C0621B3FFCC} - C:\WINDOWS\System32\xgctpemo.dll
O2 - BHO: (no name) - {E38A8CF2-4CDD-B986-140E-7A21B34E968F} - C:\WINDOWS\System32\iegayctm.dll
O23 - Service: bnnanphcbipz - Unknown - C:\WINDOWS\System32\izlrrspv5.exe

DMR 152 Wombat At Large Team Colleague

The Add/Remove Programs control panel generates its list based on information in entries under the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Do all of your installed programs show up in that Registry key? To check:

1. Click on the "Run..." option in your Start menu.

2. In the "Open:" box of the resulting Run dialog, type "regedit" (omit the quotes) and hit enter.

3. Navigate to the key listed above; the individual sub-keys there will contain info related to each of your installed programs.

!! Do not change anything while using the Registry; just view the contents of it !! You can severely cripple your system if you make a mistake.

DMR 152 Wombat At Large Team Colleague

helloimtim, that's just plain wrong!

Yes, but tell us how you really feel, Catweazle.

:cheesy:

DMR 152 Wombat At Large Team Colleague

Since you can't boot to the OS on the 60G drive at all, you might have to boot from the installation CD and try a repair via the Recovery Console. A short explanation/tutorial can be found here:

http://www.pctechguide.com/tutorials/MBoard_WinXP.htm

DMR 152 Wombat At Large Team Colleague

Good job, glad we could help you get it sorted out. :)

Just to clean up the last leftover, have HJT fix:

O2 - BHO: wowfawk - {5CE88842-FCF5-7575-9F91-520F80390773} - (no file)

DMR 152 Wombat At Large Team Colleague

Can you boot fully into the Windows installation on the 60G drive in Safe Mode? (You get to the safe mode boot option by hitting the F8 key as your computer is starting up).

DMR 152 Wombat At Large Team Colleague

The presence of the guard.tmp file in C:\Windows\system32 does indicate an infection by one of the latest VX2 variants. However, as crunchie has asked you to use the L2mfix utility and I have not used that tool yet, I'd advise that you stay off line and proceed no further until he can get back to this.

DMR 152 Wombat At Large Team Colleague

1. Are you unable to delete the C:\WINDOWS\TEMP\A2A2.TMP.exe file in the first place, or does it reappear on a reboot after you've successfully deleted it?

2. The partial 016/DPF entries in your log are odd- the CLSIDs (the long strings of characters between braces) indicate that at least 2 of them belong to malicious programs, but others seem to be associated with legit sites/programs. Either way, there should be more info after the strings of each one, as there are in the first two 016 entries. I'll have to look into that further, but I won't have time to do it tonight.

DMR 152 Wombat At Large Team Colleague

1. Have HijackThis fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\mscore.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [u73P3mO] dsufctrs.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\System32\lmf32v.dll


2. If the IP addresses in the following entries are not the DNS server IP addresses that your ISP assigned to you, have HJT fix them as well (if your ISP does not automatically assign DNS IPs to you, you will have to manually re-enter the correct IPs in your network card's Properties):

O17 - HKLM\System\CCS\Services\Tcpip\..\{7A05DA13-EDCF-4BE7-9BE4-9348165335E8}: NameServer = 160.10.4.9,160.10.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A05DA13-EDCF-4BE7-9BE4-9348165335E8}: NameServer = 160.10.4.9,160.10.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{7A05DA13-EDCF-4BE7-9BE4-9348165335E8}: NameServer = 160.10.4.9,160.10.2.5


3. Reboot into safe mode (you get to the safe mode boot option by hitting the …

DMR 152 Wombat At Large Team Colleague

No- delete everything in those folders, but don't delete the main folders themselves.

DMR 152 Wombat At Large Team Colleague

snowwolf,

Please do not post the same question in multiple threads and/or forums; it goes against our posting rules. Given that, I've merged your two threads in the anti-spyware forum into a single thread; let's deal with your spyware problem in that thread and your Office problem in this one.

In terms of the Office configuration problem, it might be difficult to get around without the install disk. What happened to the disk?

DMR 152 Wombat At Large Team Colleague

1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yaadifzawhkykymcdhdm.biz...3_hEPmrbC3.html
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {9260DCB5-BB2E-BD39-6707-EF2059B3B8E9} - C:\PROGRA~1\WMABEN~1\TIMEPING.exe (file missing)
O4 - HKLM\..\Run: [SOFTWAREFOURBALLVIEW] C:\Documents and Settings\All Users\Application Data\RULE SURF SOFTWARE FOUR\remoteprogram.exe
O18 - Filter: text/html - {16C04871-8BD4-4927-8516-0342B7476A85} - C:\Documents and Settings\Lisa\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Find and delete the following folder entirely:
C:\Documents and Settings\All Users\Application Data\RULE SURF SOFTWARE FOUR

- Find and delete the following file:
C:\Documents and Settings\Lisa\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but …

DMR 152 Wombat At Large Team Colleague

Every time I visit a website, key words are highlighted as a link. For example, words like "guitars" or "toys" are highlighted and have a link.

More and more websites are starting to use that advertising technique; there's a good chance that at least some of that behaviour you're seeing is designed into the web pages you're viewing.

However, please do the following:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

1. Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.)

2. Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.

3. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

You can try to repair Internet Explorer, but the methods for doing so depend on the particular versions of Windows and IE that you have. Useful information and suggestions can be found in the links returned by this Google search:

http://www.google.com/search?hl=en&q=%22internet+explorer%22+repair&btnG=Google+Search


As far as the possible about:blank hijack:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

1. Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.)

2. Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.

3. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

If you have no way of downloading to the machine with the "broken" IE, download …

DMR 152 Wombat At Large Team Colleague

1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Calvin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Calvin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {71DE9681-9396-4B8C-B42E-404DE35F20D4} - C:\WINDOWS\system32\msflc.dll
O2 - BHO: (no name) - {D9482E4B-DBA3-43E9-8BA8-263114AAF36A} - C:\WINDOWS\system32\ohpo.dll
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O18 - Filter: text/html - {317B24E4-D8FD-498C-8BF6-BC147D0B5145} - C:\WINDOWS\system32\ohpo.dll
O18 - Filter: text/plain - {317B24E4-D8FD-498C-8BF6-BC147D0B5145} - C:\WINDOWS\system32\ohpo.dll

If the DNS server IP addresses in the entry below are not the correct addresses assigned to you by your ISP or network administrator, have HJT fix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85224FD-2CFB-4A25-AE7E-34DEAD585717}: NameServer = 69.50.188.180,195.225.176.31


2. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide …

DMR 152 Wombat At Large Team Colleague

If the Trend Micro scans aren't working for you, you can also get an online scan from:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

DMR 152 Wombat At Large Team Colleague

Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.

Please re-read the above; this entry in your HJT log indicates that you are running the program from within a Temp folder:

"C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe"

Please create a new folder outside of any Temp/Temporary folders for the new version of HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. If HijackThis and any other files/data that you care about are living in those Temp folders, they will be erased along with everything else! Please move any and all files that you want to keep out of your Temp folders and into another location before we proceed.


Once you have taken care of the above, run HJT from its new location and post a new log.

DMR 152 Wombat At Large Team Colleague

Is that something I can keep on my desktop and install it as needed for things like that??

Yes, you can. Its sole function is to clear out all entries in your Restricted & Trusted Zone lists, so if you ever need to do that again you can just repeat the procedure; it's not like a protection/removal utility that needs to be kept updated or anything like that. (and yes- your log is nice and clean now).

:)

DMR 152 Wombat At Large Team Colleague

Oh man, good luck dealing with all of that- it's certainly much more important than getting a few pesky pieces of software off of your computer....

DMR 152 Wombat At Large Team Colleague

1. Oh great, that's what I thought it would be.... The file is a hack/crack which is designed to replace/modify the Security hive of your Registry. :mad:

This is not a Good Thing, but the repair is a bit complicated; let's hold off on that for a minute.


2.

I saw a link to the Windows "something" website so I can get at Windows Explorer and all the contents of both drives

If your system was "frozen", how were you able to get this far? Tell us what the "something" was; being as specific as possible will allow us to help you more quickly.


3.

I'm not sure if HijackThis did the right drive.... because the E drive is the one I can't even get on... and the C is the one I'm on but haven't activated. I saved HijackThis on the E drive but it might have run a check on the C.... I want it to do it on the E.

HijackThis' job is to analyze/fix your currently-active Windows environment. Because of that, HJT always runs its scans on the operating system that the computer is booted into; you cannot have it analyze the Windows installation on your E: drive unless you are booted into that installation.

DMR 152 Wombat At Large Team Colleague

OK- unfortunately, it does sound like it could be a hardware problem; good luck with it. :)

DMR 152 Wombat At Large Team Colleague

1. Have HJT fix:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {D3F3C489-044D-0060-A451-31243427C6A4} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
O4 - HKLM\..\Run: [A2A2.TMP] C:\WINDOWS\TEMP\A2A2.TMP.exe 0 28129
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-0000-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -


2. Reboot into Safe Mode and look again carefully for the following folders; delete them entirely if found:

C:\PROGRAM FILES\WINDOWS ADTOOLS
C:\PROGRAM FILES\WINDOWS ADSERVICE
C:\PROGRAM FILES\WINDOWS CONTROLAD
C:\PROGRAM FILES\WINDOWS ADCONTROL


3. Delete everything in your C:\WINDOWS\TEMP folder (but do not delete the folder itself!).


4. Empty your Recycle Bin


5. Reboot normally and post another log.
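The manual checks DMR makes across the HJT posts in this thread (close all browsers before fixing, don't run HJT from a Temp folder, orphaned O2 "(no file)" entries, O16 DPF entries with nothing after the CLSID, O4 autoruns living in Temp, about:blank / res:// search hijacks in the R lines, and O17 NameServer addresses that aren't your ISP's) can be automated as a first-pass triage before a human reads the log. The script below is an added example for this page, not HijackThis code and not from any post; the browser list and the expected resolver 192.168.1.1 are assumptions, and the sample log is constructed from entries quoted in the thread.

```python
"""Triage a HijackThis (HJT) log for the conditions flagged in this thread.

Added example for this page; it is not part of HijackThis or of any post
above.  The rules encode checks the posts make by hand: a browser (or HJT
itself, from a Temp folder) in the running-process list, O2/O18 entries
with "(no file)"/"(file missing)", O16 DPF entries with no download URL,
O4 autoruns living in a Temp folder, about:blank / res:// search hijacks
in R0-R3 lines, and O17 NameServer entries outside the resolvers you
expect.  The sample log is constructed from entries quoted in the thread.
"""
import re
from typing import List, Set

# Browser executables that must be closed before HJT fixes anything.
# Assumption: illustrative list, extend it for the browsers you support.
BROWSERS = {"iexplore.exe", "netscp.exe", "firefox.exe", "opera.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")
MISSING = ("(no file)", "(file missing)")


def triage(log: str, expected_dns: Set[str]) -> List[str]:
    """Return one finding string per suspicious line in an HJT log."""
    findings: List[str] = []
    for raw in log.splitlines():
        line = raw.strip().strip('"')
        if not line:
            continue
        low = line.lower()

        if PROC_RE.match(line):                  # "Running processes:" section
            exe = low.rsplit("\\", 1)[-1]
            if exe in BROWSERS:
                findings.append(f"browser running during scan: {line}")
            elif exe == "hijackthis.exe" and any(h in low for h in TEMP_HINTS):
                findings.append(f"HJT running from a Temp folder: {line}")
            continue

        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)

        if kind.startswith("R") and ("about:blank" in low or "res://" in low):
            findings.append(f"{kind} search/start page hijack: {line}")
        elif kind in ("O2", "O3", "O9", "O18") and any(x in body for x in MISSING):
            findings.append(f"{kind} orphan entry, no backing file: {line}")
        elif kind == "O16" and body.rstrip().endswith("-"):
            findings.append(f"O16 DPF entry with no download URL: {line}")
        elif kind == "O4" and any(h in low for h in TEMP_HINTS):
            findings.append(f"O4 autorun from a Temp folder: {line}")
        elif kind == "O17":
            servers = {s.strip() for s in body.split("NameServer =", 1)[-1].split(",")}
            rogue = servers - expected_dns
            if rogue:
                findings.append(f"O17 unexpected DNS {sorted(rogue)}: {line}")
        elif kind == "O18" and not low.endswith(".dll"):
            findings.append(f"O18 MIME filter backed by a non-DLL: {line}")
    return findings


# Constructed sample, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Calvin\LOCALS~1\Temp\sp.dll/sp.html
O2 - BHO: (no name) - {31B7AAB3-E6C7-3309-B9E7-5C0621B3FFCC} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O4 - HKLM\..\Run: [A2A2.TMP] C:\WINDOWS\TEMP\A2A2.TMP.exe 0 28129
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85224FD-2CFB-4A25-AE7E-34DEAD585717}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {16C04871-8BD4-4927-8516-0342B7476A85} - C:\Documents and Settings\Lisa\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
"""


def triage_sample(expected_dns: Set[str] = frozenset({"192.168.1.1"})) -> List[str]:
    """Run the rules over the constructed sample; 192.168.1.1 is an assumed router/ISP resolver."""
    return triage(SAMPLE_LOG, set(expected_dns))


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

The rules are deliberately conservative: a DLL-backed O2 entry such as lmf32v.dll (which DMR does have the user fix) produces no finding, because a CLSID-to-reputation lookup is what decides that, not the log's shape. What the script does catch reliably is the procedural mistakes (open browser, HJT in Temp) and the entries whose form alone marks them as broken or hijacked.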

DMR 152 Wombat At Large Team Colleague

Open the following file in Windows Notepad and Cut-n-Paste the contents of the file here please:

C:\WINDOWS\repair\reset.bat

DMR 152 Wombat At Large Team Colleague

AVG now detects downloader.rameh.c but is unable to clean it.

1. If AVG indicates the location of the infection to be in your System Restore folder, please see the following thread for removal instructions:

http://www.daniweb.com/techtalkforums/thread13362.html


2. Once you've done the above, rerun HJT and have it fix:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Find and delete the C:\WINDOWS\isrvs folder entirely if it still exists on your system.


4. While you're at it:

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files …
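The Temp/Cookies/History/Content.IE5 cleanup described in this post and in the earlier one above (empty the four folders for every profile, keep the folders themselves, and don't stop when Windows refuses to delete a locked index.dat or desktop.ini), as an added example that is not part of the original posts. The profiles root is a parameter (C:\Documents and Settings on the systems discussed here); dry_run=True lists what would be removed without touching anything, and demo() builds a throw-away tree with made-up profile names so the routine can be exercised on any OS.

```python
"""Empty the per-profile Temp, Cookies, History and Content.IE5 folders
without deleting the folders themselves.

Added example for this page, not part of the original post.  Files that
Windows refuses to delete (a locked index.dat, for instance) are skipped
and reported rather than aborting the run.  Run with dry_run=True first.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# The four per-user folders named in the cleanup steps (relative to each profile).
SUBFOLDERS = [
    ["Local Settings", "Temp"],
    ["Cookies"],
    ["History"],
    ["Local Settings", "Temporary Internet Files", "Content.IE5"],
]


def empty_folder(folder: Path, dry_run: bool = True) -> Dict[str, List[str]]:
    """Delete every child of `folder`, keeping `folder` itself.

    Returns {"removed": [...], "skipped": [...]}; in dry-run mode everything
    that would be removed is listed under "removed" and nothing is touched.
    """
    result: Dict[str, List[str]] = {"removed": [], "skipped": []}
    if not folder.is_dir():
        return result
    for child in list(folder.iterdir()):     # snapshot: we delete while walking
        if dry_run:
            result["removed"].append(str(child))
            continue
        try:
            if child.is_dir() and not child.is_symlink():
                shutil.rmtree(child)          # sub-folders go entirely
            else:
                child.unlink()                # files and symlinks go by name
            result["removed"].append(str(child))
        except OSError:
            result["skipped"].append(str(child))   # locked/protected; Windows may refuse
    return result


def clean_profiles(profiles_root: Path, dry_run: bool = True) -> Dict[str, List[str]]:
    """Apply empty_folder() to the four sub-folders of every profile under profiles_root."""
    total: Dict[str, List[str]] = {"removed": [], "skipped": []}
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for parts in SUBFOLDERS:
            sub = empty_folder(profile.joinpath(*parts), dry_run=dry_run)
            total["removed"] += sub["removed"]
            total["skipped"] += sub["skipped"]
    return total


def demo() -> Dict[str, int]:
    """Build a constructed profile tree (made-up user names), run a dry run,
    then a real run, and summarise what happened."""
    users = ("Lisa", "Administrator")
    root = Path(tempfile.mkdtemp(prefix="docs_and_settings_"))
    try:
        for user in users:
            for parts in SUBFOLDERS:
                folder = root.joinpath(user, *parts)
                folder.mkdir(parents=True)
                (folder / "index.dat").write_bytes(b"\x00" * 16)
                (folder / "nested").mkdir()
                (folder / "nested" / "desktop.ini").write_text("[.ShellClassInfo]\n")
        dry = clean_profiles(root, dry_run=True)
        real = clean_profiles(root, dry_run=False)
        folders_kept = all(root.joinpath(u, *p).is_dir() for u in users for p in SUBFOLDERS)
        leftovers = sum(1 for u in users for p in SUBFOLDERS
                        for _ in root.joinpath(u, *p).iterdir())
        return {
            "dry_listed": len(dry["removed"]),
            "removed": len(real["removed"]),
            "skipped": len(real["skipped"]),
            "folders_kept": int(folders_kept),
            "leftovers": leftovers,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `clean_profiles(Path(r"C:\Documents and Settings"), dry_run=True)` from Safe Mode, read the list, and only then rerun with dry_run=False; anything under "skipped" is the locked-file case the note above describes.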

DMR 152 Wombat At Large Team Colleague

If you now have a file named "deldomains.inf", you've done the right thing.

.inf files will still be associated with Notepad because they are text files, but they're a special kind of text file containing installation information.

When you right-click on an inf file's icon, you should have an "Install" option in the resulting pop-up menu. That's the option you want to click.

DMR 152 Wombat At Large Team Colleague

You're welcome. Did you ever find the source of the crashes?

DMR 152 Wombat At Large Team Colleague

Have HJT fix the following. I'm not sure if it's a nasty, but let's delete it just to be on the safe side; it won't hurt anything:

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab

Other that that, your log is clean.

DMR 152 Wombat At Large Team Colleague

And instructions for setting up and running those two utilities are here
(directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Advanced’ button on the left and select in green:

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle …

DMR 152 Wombat At Large Team Colleague

1. The Norton/Symantec AV program has the ability to allow you to delete objects that it has quarantined but cannot fix; open the list/log of quarantined items and choose to delete them.

2. In terms of your "broken" Internet access, this can happen as a result of cleaning (or trying to clean) infections that have integrated themselves into your Windows networking software components.

Please do the following; it will give us a much better idea of exactly where your problems lie and exactly what damage has been done:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

1. Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.)

2. Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.

3. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" …

DMR 152 Wombat At Large Team Colleague

Great; glad we could help. :)

You might still want to post a HijackThis log for us to look over, though; the log will give us a pretty good idea of whether or not you still have any lingering traces of "unwanted guests" in your system.

DMR 152 Wombat At Large Team Colleague

The noticeable effects of the infections may have been fixed, but as long as your HJT log still shows references to components of the infections, we can't really qualify your system as being clean.

One of the problems with many of these "unwanted guests" is that unless you remove all traces of them from your system, they can lie dormant for a while, but "come back to life" at a later date.

DMR 152 Wombat At Large Team Colleague

From your tone.......am I right to assume that you are not an AVG fan....

Sorry- I didn't mean to give that impression at all. Actually, AVG is one of the most-often recommended programs in terms of free anti-virus utilities. Personally, I've primarily used the Norton/Symantec and McAfee AV products (for many years), but that's really only a function of the fact that those are the programs that 99% of my clients use, so I have to stay current with them. I honestly haven't used AVG for a long enough period of time to give it a realistic critique.

DMR 152 Wombat At Large Team Colleague

The Wombat of Happiness Lives ON!!

Lives on, yes- but the really important thing is the Snuffling part. Um, but on second thought... let's not get into that right now.

DMR 152 Wombat At Large Team Colleague

You guys ROCK!

Thanks for the appreciation- it's the only pay we get.... :mrgreen:

Glad we could help!

DMR 152 Wombat At Large Team Colleague

"vault" is the AVG quarantine option; the AVG program will not try to delete or repair the file, but it will try to neutralize it by moving it to the "vault". I'm not sure exactly where in your system AVG keeps the vault, though.

"delete" is, well... delete. Being unable to clean/repair a given file, AVG will simply delete the file if you choose this option. If you're positive that the file is a malicious one, you can do the deletion.

"heal" is a repair option which can be attempted on suspect files which have already been moved to the vault. If AVG can successfully heal a "vaulted" file, it's probably OK to move the file back to its original location (assuming that the file is one which should exist on your system in the first place).

DMR 152 Wombat At Large Team Colleague

Sorry- the procedure for displaying hidden files/folders differs a bit between 98 and XP/2000; I accidentally gave you the XP/2000 method. Try this for 98:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon.
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. Press the Apply button and then the OK button and shutdown My Computer.

DMR 152 Wombat At Large Team Colleague

1. Why the hub? If one of the NICs in the desktop is connected to your cable Internet connection and the other is connected to the laptop, I don't see where the need for the hub comes in (unless there are other machines involved which you haven't mentioned yet).

2. Have you set up ICS (Internet Connection Sharing) between the desktop and laptop yet? If not, you should do so.