DMR 152 Wombat At Large Team Colleague

How are the computers getting their IP, gateway, DNS, etc. info? Are you assigning that info manually on each machine, or are they obtaining it via DHCP or some such from your ISP?

Judging from the initial info you've given, it sounds like you need a router, not a switch. However, if you could give us the make/model of the switch and a bit more specific info concerning your network setup overall, that would help.

DMR 152 Wombat At Large Team Colleague

One way would be to buy a faster wireless card!

That won't increase the length of the pipe, just the diameter of the pipe. ;)

Because both 802.11b and 802.11g devices operate in the same (2.4GHz) frequency range, their distance ranges are essentially the same; wireless G devices just have more bandwidth within that distance.


Dark_Omen,

Signal boosting is usually done on the router/access point side. What make and model of router/WAP is your friend using?

DMR 152 Wombat At Large Team Colleague

That's a clean log. :)

How do things seem to be running now?

DMR 152 Wombat At Large Team Colleague

Soooo- what happens when you click "Connect"? Any errors, or does IE go online then?

As for the blank space in SysConfig, I'm really not sure...

DMR 152 Wombat At Large Team Colleague

1. This entry in your log indicates that Internet Explorer was open/running when you ran HJT:

" C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE"

Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.


2. Once IE is closed, have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D3F3C489-044D-0060-A451-31243427C6A4} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {891D0D43-7246-11D9-A628-00049C344427} - C:\WINDOWS\SYSTEM\HPOMGD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
O4 - HKLM\..\Run: [A2A2.TMP] C:\WINDOWS\TEMP\A2A2.TMP.exe 0 28129
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-0000-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {11111111-1111-1111-1111-222222222222} -

DMR 152 Wombat At Large Team Colleague

Cool- we'll be waiting...

DMR 152 Wombat At Large Team Colleague

Your log looks clean. How are things running now?

DMR 152 Wombat At Large Team Colleague

The file may have become corrupted; viruses or other "nasties" can do this.

Tell us which version of Windows you're running and we'll tell you how to replace shell.dll with a fresh copy from your installation CD.

DMR 152 Wombat At Large Team Colleague

An 0x00000004 value for zones/domains in that registry sub-key means that those sites are added to your Restricted Sites zone in Internet Explorer. However, this does not necessarily mean that a trojan created those entries.

Since Symantec does indicate that current virus definitions should detect the trojan in question, but does not find the infection on your system, it's possible that those zones were put there by some other means.

DMR 152 Wombat At Large Team Colleague

They're Baaaaack!!!

1. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=10001
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rbenh ml710e] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\nicole\LOCALS~1\Temp\3.tmp.exe 0 10001
O4 - Global Startup: Microsoft Windows.hta


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Find and delete the following folders entirely:
C:\Program Files\Viewpoint
C:\Program Files\RBEnhance

- Find and delete the following file:
Microsoft Windows.hta
(I think you'll find the above file in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder)

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary …

DMR 152 Wombat At Large Team Colleague

Let us know how it goes. Those boot options often do the trick, but if not, we'll try to come up with some other solution(s) for you.

DMR 152 Wombat At Large Team Colleague

This 59kd53fg.exe.tcf looks bad to me as well.

The Trojan Hunter utility adds a .tcf extension to infected .exe files that it finds as a way of neutralizing them. As TH has already identified and neutralized the 59kd53fg.exe.tcf file, it should be safe to delete it.

tedbone,

If your AV scans don't show any sign of the Trojan.Regger.A infection, what leads you to believe that you have it?

DMR 152 Wombat At Large Team Colleague

I had the gamepad, and the modem running through an unpowered USB hub (along with a couple of other things). And so it was just that there wasn't enough power I think.

Good intuition; are you connecting to your modem via USB as well?

The USB ports in your computer can only provide 500 milliamps (mA) of current to all/any connected devices. Powered USB hubs not only allow you to connect more USB devices, but also act as boosters to provide more current to connected devices. Unpowered hubs, on the other hand, only allow you to connect more devices; they do not supply/provide the extra current that might be needed to "drive" those devices.

DMR 152 Wombat At Large Team Colleague

when I did the HiJackThis scan, there were a bunch of things in my MSCONFIG that are unchecked. I know some of them are "nasties".......and I just read where a HiJackThis should be done with All the boxes checked.

Yes- enable all items in MSCONFIG, reboot, and post a new HJT log after that.

DMR 152 Wombat At Large Team Colleague

You're fairly well infested, but I need to log off for the night and can't dive into this right now. Let me try to contact one/some of our other security experts and see if they can help you; we're all in different time zones, so one of them will hopefully be able to respond before I get back online tomorrow. Hang tight...

DMR 152 Wombat At Large Team Colleague

Do the mcAfee or Symantec slow the computer down more than others?

Ah... a perceptive question indeed. :mrgreen:
Unfortunately, the answer is yes; at least in terms of increasing your start-up time. Once Windows has finished initially loading though, you shouldn't notice much of an overhead (assuming that you have a sufficient amount of RAM in your system). The full "Internet Security" packages from Symantec and McAfee will, unless you set their options to do otherwise, start up when Windows is started and will attempt to connect to their respective servers to automatically download any updates at that time. Keeping the programs as up-to-date as possible is advised, so they should be configured to do this, but you can change that behaviour in the programs' options if you like.

DMR 152 Wombat At Large Team Colleague

To TOTALLY remove Ad Ware & Spyware?

A single program to totally remove adware/spyware (free or not)? Unfortunately, no. There are simply too many existing variants of adware/spyware programs out there, and at this point in time, new ones appear probably more frequently than do new types of "traditional" viruses.

1. Ad Aware and SpyBot Search & Destroy, when used together, are definitely your best bet in terms of free general detection and removal utilities. However:

a) both of those programs are designed to be more curative than preventative.

b) given the rate at which malware programs morph and multiply, sometimes you will need to use utilities (also free) which are designed specifically to detect and remove a certain kind/family of infection. CWShredder, About:Buster, and HSRemove are examples of these types of utilities.

2. You can find info and download links for almost all of the trusted, recommended, and free "anti-spyware" utilities here:

http://www.majorgeeks.com/downloads31.html


3. Some overall suggestions, which apply to users of all versions of Windows:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your …

DMR 152 Wombat At Large Team Colleague

Also there is another computer in the house that has no problems...so I dont think its the ISP.

Ah, OK- that wasn't quite clear in your first post. That brings up a question though- are you using a router to share 1 Internet connection between the 2 computers, or is each machine connected to a separate DSL line/modem?

DMR 152 Wombat At Large Team Colleague

Good job- your log is clean now!

In terms of the Panda Titanium; if you're going to drop $50+ on any protection software, I'd go for the full Internet Security packages from Symantec or McAfee. In addition to an anti-virus program, they also include a firewall program, a spam filter, and a "privacy protection" component.

DMR 152 Wombat At Large Team Colleague

You've got new pests. :(

1. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...ount_id=1002245
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\LINDAT~1\LOCALS~1\Temp\kablmx.dat
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [fenotz] C:\WINNT\system32\gxidffta.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [DqaD21bdR] C:\WINNT\extgemun.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [hyl] C:\WINNT\hyl.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\system32\SahAgent.exe
O4 - HKLM\..\RunOnce: [*xmlbak] C:\WINNT\Web\xmlbak.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\LINDAT~1\LOCALS~1\Temp\scvi50.exe ren my_time:1107015030
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_1002245.cab
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Find and delete the following folders entirely:
C:\PROGRAM FILES\YOURSITEBAR
C:\Program Files\ISTsvc
c:\program files\180solutions

DMR 152 Wombat At Large Team Colleague

Your log is clean.

I'd check with your ISP to see if the problem might be on their end, and also perhaps reset the modem before calling them.

DMR 152 Wombat At Large Team Colleague

Just one question, why can't I go to regedit, and type in "crazywinnings", and delete everything that comes up under that heading, and do the same for "awmthebest"?

You certainly can. We just don't usually make the assumption that people are comfortable with (or even familiar with) using regedit. ;)

DMR 152 Wombat At Large Team Colleague

I had a look at that program and it's not very good.

Um... it's not a program, it's a site which offers anti-spyware recommendations and utility downloads. ;)

Grendel_Rose,

Actually, although there are other sites which offer much more in the way of anti-spyware advice and downloadable utility programs, the info and programs listed on that site are legit and helpful.

As teenage helper said, Ad Aware is a very good tool when it comes to spyware detection and removal. However, Ad Aware alone is not usually enough to clean out the "nasties" and keep them out of your system in the future.

If you can give us some specific information concerning the problems you're experiencing I'm sure we can help you out.

DMR 152 Wombat At Large Team Colleague

You've picked up a new nasty; have HJT fix:

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

Reboot, delete the C:\WINDOWS\farmmext.exe file, and post a new log.

Also: tell us what (if any) problems you are still experiencing.

DMR 152 Wombat At Large Team Colleague

Also, do the following:

1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lyqngfxzmbitugje.com/Xgy...2vD5DBJ_Alp.htm
O2 - BHO: (no name) - {8E56AB4B-09F3-C96E-D8A2-84446439566F} - C:\PROGRA~1\MIX64~1\Upload admin.exe (file missing)
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [Settings each warn remote] C:\Documents and Settings\All Users\Application Data\AboutFindSettingsEach\PHONE GRID.exe
O4 - HKCU\..\Run: [Style Setup] C:\DOCUME~1\Daniel\APPLIC~1\EGGSWA~1\Bagsstop.exe


2. Reboot into Safe Mode and make sure Windows Explorer's view options are set as I described in my last post, then find and delete the following folders entirely:

C:\Program Files\Hotbar
C:\Documents and Settings\All Users\Application Data\AboutFindSettingsEach
C:\DOCUME~1\Daniel\APPLIC~1\EGGSWA~1

DMR 152 Wombat At Large Team Colleague

Redhat 9 has some options which you can pass to the kernel at the Boot: prompt to work around certain problems or incompatibilities. You can read about them here:

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/install-guide/ch-bootopts.html

Try the "noathlon" option first; it's been known to clear up boot-up hangs on Athlon systems.

DMR 152 Wombat At Large Team Colleague

Yup- you've picked up another nasty.... :(

1. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mymbv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mymbv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mymbv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mymbv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mymbv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {49B04408-07F3-994E-3645-61004E2FBCBE} - C:\WINDOWS\system32\msqm32.dll (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Search for C:\WINDOWS\mymbv.dll and delete it if it still exists.

- Reboot normally.


3. Most (if not all) of the "O15" entries will reappear unless their entries are removed from the Windows Registry. Please do the following, and we'll tell you what you need to do from there:

Go to http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. …

DMR 152 Wombat At Large Team Colleague

I will gladly reference this site and service to all I know with problems.

Oh great, MORE HijackThis logs to crunch through... joy! :mrgreen:

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help. :)

Now that you're clean again, here are some steps you can take to minimize your chances of further infection:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here.


5. Remember that none of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

DMR 152 Wombat At Large Team Colleague

I have no idea what's going on there; the view options we've mentioned should be just below the "Do not cache thumbnails" checkbox.

:?: :?:

DMR 152 Wombat At Large Team Colleague

Win 98? OK- the Administrator stuff doesn't apply in your case then.

I have to log off for a while to take care of "real life" things, but I'll try to post other suggestions as soon as I can. Hopefully, one of our other experts will pick up on this in the meantime.

DMR 152 Wombat At Large Team Colleague

Tell us the exact makes/models of the meeces you've tried. Also post the contents of the "Input Devices" section of your /etc/X11/xorg.conf and /etc/X11/XF86Config files.

DMR 152 Wombat At Large Team Colleague

i did this in .bash_profile

PATH = $PATH:/usr/java/j2ske1.4.2-06/bin/javac
export PATH

Just at first glance (although it may not be the fix): your PATH statement should only point to the directories in which executables reside, not to the executables themselves; try this instead:

PATH=$PATH:/usr/java/j2ske1.4.2-06/bin
export PATH

You may also have to export other environment variables besides PATH, such as CLASSPATH- more info and suggestions can be found in the results of this G4L search:

http://www.google.com/linux?hl=en&lr=&q=javac+linux+%22command+not+found%22&btnG=Google+Search
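The point of the PATH correction above (directories, not executables, and no stray separators) can be checked mechanically. This is an added example, not code from the post; the j2sdk-style directory layout it builds under a temporary directory is constructed for the demonstration:

```python
import os
import tempfile


def audit_path(path_value, sep=os.pathsep):
    """Check each entry of a PATH-style string; return a list of (entry, problem).

    Reported problems:
      - empty entry (leading, trailing or doubled separator): the shell searches
        the current directory at that point, so whatever directory you happen to
        be in can shadow real commands
      - entry is a regular file (e.g. .../bin/javac): PATH lists directories to
        search, so the parent directory belongs there instead
      - entry does not exist (typo or package not installed)
    """
    problems = []
    for entry in path_value.split(sep):
        if entry == "":
            problems.append((entry, "empty entry: current directory would be searched"))
        elif os.path.isfile(entry):
            problems.append((entry, "is a file, not a directory; use " + os.path.dirname(entry)))
        elif not os.path.isdir(entry):
            problems.append((entry, "does not exist"))
    return problems


def demo():
    """Recreate the post's situation in a throwaway directory (constructed sample).

    Returns the audit results for three PATH values: one pointing at the javac
    executable itself, one with a stray trailing separator, and the corrected
    directory-only value.
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "j2sdk", "bin")   # stands in for /usr/java/.../bin
        os.makedirs(bindir)
        javac = os.path.join(bindir, "javac")
        with open(javac, "w") as fh:
            fh.write("#!/bin/sh\n")                   # placeholder "executable"
        sep = os.pathsep
        original = root + sep + javac                 # executable, not a directory
        trailing = root + sep + bindir + sep          # trailing separator -> empty entry
        fixed = root + sep + bindir                   # what PATH should look like
        return (audit_path(original), audit_path(trailing), audit_path(fixed))


if __name__ == "__main__":
    for label, result in zip(("original", "trailing", "fixed"), demo()):
        print(label, "->", result or "OK")
```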

DMR 152 Wombat At Large Team Colleague

Have you had any version of Linux running correctly on this system before? Give us the system's full specs.

DMR 152 Wombat At Large Team Colleague

After 3 attempts my 80 GB hard was 39 GB and I had no new drives and missing a huge chunk of my HD?????

Windows operating systems and Windows/DOS-only partitioning utilities cannot recognize partitions which have been formatted as non-Microsoft partitions (i.e., anything other than FAT, FAT32, or NTFS); this includes Linux filesystems (ext2, ext3, reiserfs, etc.). You will not be able to see/access your Linux partitions under Windows without installing third-party software (let's hold off on that for now though).

But system commander (came with partition commander) would show 3 Linux os's....now I have an L: The new drive is 26 GB.

Linux doesn't use the same drive-naming convention that Windows does (A:, B:, C:, L:, etc.), so I'm assuming the L: partition you created was a Win/DOS partition. What other drive and partition labels do you see from inside Windows?

if anyone is familiar with system commander am I good to go? Or will I have to reinstall xp then add Linux?

System Commander is capable of creating and recognizing Linux-formatted partitions. How does SC report each of your individual partitions to be partitioned?

And since I created the partition using windows and not partition commander will I have a problem trying to use SC to boot to Linux?

Actually, many of us who have been using Linux for a number of years would advise that you use the Linux bootloader "GRUB" as your bootmanager (as kc0arf suggested in his post). If Windows is already installed when you install Linux, the Linux …

DMR 152 Wombat At Large Team Colleague

1. Your log doesn't indicate severe infection; what exact problems are you experiencing?

2. Have HijackThis fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/do...bin/actxcab.cab

DMR 152 Wombat At Large Team Colleague

OK- your log identifies a number of "unwanted guests", not all of which HijackThis alone will be able to fix. Please follow the general cleanup instructions below and then post a fresh log:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

DMR 152 Wombat At Large Team Colleague

1) Just shdocvw.dll, mshtml.dll and browseui.dll.

What exact version of Windows are you using?

2)I have no computer knowledge at all, what do you mean by administrator rights?

In Windows 2000 and XP, user accounts are assigned to certain groups, each of which grants the user different levels of permission to perform certain tasks such as installing programs, modifying system settings, etc. Users who belong to the "Administrators" group basically have unrestricted permission to make system-level changes, and given that, many troubleshooting tasks must be performed while logged in as a user who is a member of the Administrators group. You can determine which user accounts are assigned to which groups by looking at your user accounts in the Users Control Panel in Win 2000 or the User Accounts control panel in Win XP.

DMR 152 Wombat At Large Team Colleague

In terms of your log:

1. Verify that the IPs listed in this entry are your correct DNS server IPs:

O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31

If not, have HJT fix the entry and verify/reset your DNS settings in your network connection's properties page.


2. From the little info I can find on the "protect32.dll" file, it appears to be an "unwanted guest". Have HJT fix the following:

O18 - Filter: text/html - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll
O18 - Filter: text/plain - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll

Then delete the protect32.dll file. You may need to reboot, possibly even into Safe Mode, to perform the deletion.
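The indicators DMR picks out by hand across these logs (res:// search pages and about:blank resets, "(no file)" leftovers, autoruns in Temp, O15 Trusted Zone additions, unexpected O17 nameservers, O18 filter DLLs) can be pulled out of a HijackThis log mechanically. This is an added example, not code from the thread or from HijackThis; the sample lines are adapted from logs quoted in these posts, and the expected DNS set is a constructed placeholder:

```python
import re
from dataclasses import dataclass, field

# Every HijackThis log line starts with a section tag such as "R1 - " or "O17 - ".
_ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# Brace-enclosed CLSID format (8-4-4-4-12 hex digits) seen in O2/O3/O9/O16/O18 entries.
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: lines adapted from the logs quoted in these posts.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D3F3C489-044D-0060-A451-31243427C6A4} - (no file)
O4 - HKLM\..\Run: [A2A2.TMP] C:\WINDOWS\TEMP\A2A2.TMP.exe 0 28129
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC5B70D-A401-439E-8F49-A7754842CD27}: NameServer = 69.50.188.180 195.225.176.31
O18 - Filter: text/html - {A135230A-777A-4C1F-A71E-2329A63483DF} - C:\WINNT\System32\protect32.dll
"""


@dataclass
class Entry:
    kind: str                                   # section tag: "R1", "O4", "O15", ...
    body: str                                   # text after the tag
    clsids: list = field(default_factory=list)  # CLSIDs found in the body
    flags: list = field(default_factory=list)   # reasons for concern, human-readable


def parse_hjt_line(line):
    """Return an Entry for one log line, or None for blank/header lines."""
    m = _ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entry = Entry(m.group("kind"), m.group("body"))
    entry.clsids = _CLSID_RE.findall(entry.body)
    return entry


def triage(entry, expected_dns=frozenset()):
    """Attach the structural indicators the posts react to.

    Name-based judgements (is ViewMgr.exe unwanted?) still need the lookup
    the posts describe; this only flags what the line itself reveals.
    """
    low = entry.body.lower()
    flags = entry.flags
    if entry.kind in ("R0", "R1"):
        if "res://" in low:
            flags.append("IE start/search setting served from a local DLL resource")
        elif low.endswith("= about:blank"):
            flags.append("IE start/search setting reset to about:blank")
    if entry.kind == "R3" and "missing" in low:
        flags.append("default URLSearchHook has been removed")
    if "(no file)" in low or "(file missing)" in low:
        flags.append("registered component whose file is gone (loose end)")
    if entry.kind == "O4" and ("\\temp\\" in low or ".tmp" in low):
        flags.append("autorun entry launching from a Temp directory")
    if entry.kind == "O15":
        flags.append("site or IP range added to the IE Trusted Zone")
    if entry.kind == "O17":
        m = re.search(r"nameserver = (.*)$", low)
        servers = m.group(1).split() if m else []
        unexpected = [s for s in servers if s not in expected_dns]
        if unexpected:
            flags.append("DNS servers outside the expected set: " + ", ".join(unexpected))
    if entry.kind == "O18" and low.startswith("filter:"):
        # "Filter: text/html - {clsid} - path" -> report the hooked MIME type
        flags.append("content filter DLL registered for " + entry.body.split(" - ")[0][8:])
    return entry


def triage_log(text, expected_dns=frozenset()):
    """Parse a whole log and triage every recognised entry, preserving order."""
    entries = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            entries.append(triage(entry, expected_dns))
    return entries


if __name__ == "__main__":
    # expected_dns is a constructed placeholder: use your own ISP/router resolver(s).
    for e in triage_log(SAMPLE_LOG, expected_dns={"192.168.1.1"}):
        print("!!" if e.flags else "  ", e.kind, e.body[:70])
        for f in e.flags:
            print("      ->", f)
```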

DMR 152 Wombat At Large Team Colleague

1. It fails on all of your dlls, or just one or two in particular?

2. You are logged in to an account with administrator rights, yes?

DMR 152 Wombat At Large Team Colleague

Give us the exact errors you're getting if possible, please. That will help us narrow down the possible causes of your problems.

DMR 152 Wombat At Large Team Colleague

Just don't buy the hype that Firefox is more secure.

Actually, Firefox is more secure.

Security holes/flaws in browser program code aside, the simple fact is that third-party browsers such as Firefox present much less of an avenue of attack because they operate at the application layer; they simply do not have the system level access rights that are so often exploited in Internet Explorer.

A good explanation of this can be found here:

http://www.io.com/~cwagner/spyware/appendix.html

DMR 152 Wombat At Large Team Colleague

See our member antioed's suggested fix (involving the "regsvr32" command) in this thread:

http://www.daniweb.com/techtalkforums/thread782-browseui.dll.html

Run the regsvr32 commands on the dlls you listed in your post and see if that fixes the problems.

DMR 152 Wombat At Large Team Colleague

Yup- it definitely looks like a hijack. :(

However, the Internet Explorer forum isn't the place for troubleshooting those types of issues. I've moved your thread to our Viruses, Spyware, and other Nasties forum; please post your HijackThis log now, and we'll help you from there.

DMR 152 Wombat At Large Team Colleague

Sorry I wasn't able to get back this earlier; I've been pretty busy with my "real life" work in the past week.

snowwolf,

1. Aside from the following "loose end" which you can have HJT fix, your log is clean:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


2. Is the system still crashing?
If so, did you look into my suggestions regarding other possible (non-spyware) causes?

3. The "input past end of file" error is not specific to HijackThis; it's a general program error which often means that the application that threw up the error encountered an unexpected character in a file it was reading/processing (the win.ini file in your case). For a plain-text file like win.ini, the culprit is usually a corrupt or incorrect control character (end-of-line, line-feed, end-of-file, etc.). Control characters are invisible when you view a file in a simple text-editing program such as Notepad, but sometimes just opening the file in Notepad and saving it again can correct the problem. Also, if you look through the file in Notepad and notice any odd line-spacings or other formatting inconsistencies, manually correcting those and resaving the file might clear things up.

As for the "file already open" error, that basically means that the file is reporting itself to already be in use by another program or process, but I'm not sure why you're getting the error with win.ini. I've only seen a small handful …

DMR 152 Wombat At Large Team Colleague

I don't know what specific programs are creating those, but the 32-digit strings enclosed in braces look like CLSIDs (CLass IDentifiers) to me. CLSIDs are unique identifiers for Windows COM (Component Object Model) entities installed on your system, and those entities should have entries to their related CLSIDs hiding in your Registry. If I'm correct about this, you may be able to determine which programs are generating the tmp files by searching through your Registry for the CLSIDs in question:

1. In your Start menu, choose the "Run..." option and type the following in the "Open:" box to run the Registry Editor:

regedit

2. Once the program opens, choose the "Find..." option under the Edit menu to bring up the search window, paste one of the CLSIDs from the suspect filenames into the search box, perform the search, and see if the ID is found. If so, see if there's any helpful information within the found key. If not, there may be other listings for the CLSID elsewhere in the Registry; pressing the F3 key will continue your search.

3. Repeat the above for each of the 32-digit strings in the other suspect files.

DMR 152 Wombat At Large Team Colleague

Hi BlindMelonade, welcome to TechTalk!

Unfortunately, we do not troubleshoot problems via AIM, email, or other "offsite" methods for a few reasons.

The most important reason for our policy on this is that by keeping the entire troubleshooting history of our members' problem(s) documented in our forums, we create a valuable archive of resources which people from around the world who are seeking answers to computer-related questions can access. Many of our new members have found our site through Google or the like, and we want to be able to offer them as much helpful information as possible; if we were to offer solutions to a particular member's question(s) by methods other than our forums, other people would not have access to those solutions.

That said- since you indicated that you are infected with some variant of the Home Search Assistant (HSA) parasite, here are some suggestions I posted a while ago for another member who had a similar issue:


Unfortunately, most variants of the Home Search Assistant (HSA) are very difficult to remove. The methods of infection used by HSA variants are constantly evolving/changing, and they have the ability to "morph" the names of the malicious files they use in such a way that the names of those files can change every time you reboot your computer. That being the case, there are no "simple steps" for 100% assured removal.

1. The free utilities "about:buster" and "HSRemove" can remove some of the HSA variants. Download …

DMR 152 Wombat At Large Team Colleague

Nice work up-front on your part; you've given a lot to go on!

From the looks of your log and the other info you posted, you have a few "unwanted guests" that we need to get rid of, and HijackThis isn't going to be able to do it all. Although they might seem like a bit of work, please follow the instructions below carefully to (hopefully) clean some of the infections out of your system:


A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.

B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Close ALL windows except Ad-Aware SE

2. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

3. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button …

DMR 152 Wombat At Large Team Colleague

Hi isisnyc,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Good idea finding out what jgrmlfs.exe is up to! This file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05 (the day I noticed my system was slowing down). It's not a hidden file and this is all about it. No version, no company name. Looking around my C:\windows I found more of these files.

All have random names of 7 letters, size of 46,592 bytes and were last modified on 01/20/05....
I rebooted in Safe Mode my Win 98 system and deleted the strange files from C:\windows.

Well done Perrom- excellent intuition and troubleshooting on your part.

Your log looks clean to me now; are you still experiencing any problems? If so, let us know.