DMR 152 Wombat At Large Team Colleague

1.

the system is not allowing me to delete one user's Content.IE5 folder...Also, when trying to delete one user's Cookies folder, I get this error...

When I said to delete the entire contents of those folders, I meant just that- delete the files in the folders, not the folders themselves. From what you're asking, it sounds like you're trying to delete the Cookie folders themselves, and Windows won't let you do that (as you found out).

Windows will actually let you delete the Content.IE5 folders entirely (because it will/can automatically create new Content.IE5 folders as needed). If Windows doesn't let you delete entire folders within Content.IE5 or the Content.IE5 folder itself, sometimes you have to go deeper and individually remove the files in those folders first. Windows may then allow you to delete the folder once it is empty. If not, you'll have to identify the actual file that is refusing to be deleted; the file's name (or information in its properties) could tell us if it's anything to worry about or not. The folders inside Content.IE5 are randomly named by Windows, so the folder names "Y7EJUTMF" and "YUK0JKTD" that you posted won't really tell us anything useful.


2. Your log shows that you got rid of a couple of the bugs, but not all of them. Are you positive that you entirely deleted the "C:\Program Files\WildTangent" and "C:\Program Files\SurfSideKick 2" folders, as well as the "C:\WINDOWS\wupdt.exe" file? All three still show up in your log.

DMR 152 Wombat At Large Team Colleague

These two need to go as well:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...http://msn.com/
O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\HTMPLA~1\axis wait.exe

The second one of those (axis wait.exe) might be a little tricky, because HijackThis will remove the startup entry in your Registry, but it will not be able to delete the actual .exe file from your system (HJT cannot do that for any files listed in its "04" entries). The path to the file is truncated in your HJTlog, so you'll have to track down the actual location of the file yourself. This is as much as I can tell you in that regard:

The offending file will live in a folder whose name begins with HTMPLA, and that folder will reside underneath your C:\Program Files\ folder.

DMR 152 Wombat At Large Team Colleague

..but it is beyond my capability...

And almost beyond my capability to stay awake for- could someone please tell me what the heck I'm doing up at 3 AM crunching through HJT logs?

Inquiring (and very tired) minds want to know... :mrgreen:

DMR 152 Wombat At Large Team Colleague

1. The "googledesktopnetwork1.dll" entries appear to be valid; they seem to be a component of Google's new desktop Search feature. Do not delete them (for the moment at least).

Also- "CONTENT.IE5" is a folder (not a file). The thing to do is to delete the contents of that folder (see step 3 below).


2. Have HJT fix the following:

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [txngtklho] C:\WINDOWS\system32\odgcsu.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/gam...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/upload/XUpload.ocx


3. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following file:
C:\WINDOWS\system32\odgcsu.exe

- Delete …

DMR 152 Wombat At Large Team Colleague

Fix this only if you do not have Java Sun...

Yup, my bad- I missed that at first. I just edited that line out of my above post...

DMR 152 Wombat At Large Team Colleague

first of all you have an old version of hijack...

True. A link to the latest version of HijackThis (1.98.2) is in my sig below.

DMR 152 Wombat At Large Team Colleague

In terms of your log, bear with us- this might take a couple of tries:

!! First and foremost, your log indicates that you aren't running any anti-virus software at all. Before doing anything else, visit the following 2 sites and use their free online anti-virus scans:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/com/activescan_principal.htm


After that:

1. Have HijackThis fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\ajo.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\RunOnce: [o9q09.exe] C:\WINDOWS\System32\o9q09.exe /k
O4 - …

DMR 152 Wombat At Large Team Colleague

Did you update CWShredder before running it?

Yes- Merijn (the original author of CWShredder) has sold the program to InterMute, and they have a newer version available. You can download it here:

http://www.intermute.com/spysubtract/cwshredder_download.html

DMR 152 Wombat At Large Team Colleague

Your log indicates at least a couple of different infections, so it might take a couple of tries to get you totally clean. Please follow the instructions below fully and carefully:

  1. Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.
  2. Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

  1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
  2. Close ALL windows except Ad-Aware SE
  3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

In the ‘General’ window make sure the following are selected in green:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

Under Definitions:

  • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:

  • Scan Within Archives

Under Select drives & folders to scan -

  • choose all hard drives

Under Memory & Registry: all green

  • Scan Active Processes
  • Scan Registry
  • Deep …

DMR 152 Wombat At Large Team Colleague

Do I need to make my alternate subnet / gateway to the same address as that of the broadband connection?

Essentially yes, but the exact IP configuration you need depends on a couple of things:

- Are you supposed to get your IP address/Gateway IP/DNS/etc. info from RR via DHCP?

- Do you connect to the modem through a router in your home network setup? If so, is the router acting as the DHCP server for your LAN, or are you manually setting your IP info on the computer(s) on the LAN?

Basically- give us a more detailed description of your network environment; that will allow us to give you the exact setting you need.

DMR 152 Wombat At Large Team Colleague

Can you be more specific please? The following is really pretty vague and much too general:

actually got a general idea that is network web monitoring system but i dont hav any idea how to implement it...where to start, what to use..
anybody who has any idea on networking based project pls help me...and if u gus hav any idea on the network web monitoring system..pls share it wif me...i really got no idea on how to implement it....

DMR 152 Wombat At Large Team Colleague

Hi Eric9112, welcome to TechTalk!

You do have infections, but you need to address a couple of things before we start with the troubleshoot:

1. Your log indicates that you are using version 1.97.7 of HijackThis, which is out of date. Please download the latest version (1.98.2) using the link in my sig below and post the log that the new version generates.

2. This entry in your current log: " C:\Program Files\Internet Explorer\iexplore.exe" indicates that you had at least one instance of Internet Explorer open when you ran HijackThis. HijackThis cannot fully perform its fixes when any instances of your web browser are running, so you need to make sure Internet Explorer is entirely closed down before you run HJT the next time.

Do the above, and we'll take it from there. :)

DMR 152 Wombat At Large Team Colleague

Scratch what I said above.

I just noticed that you have posted a log in this thread. We'll follow up on your current problem in that thread, as members should not have multiple threads going on what is basically the same issue.

I'm closing this thread so that no further replies accidentally get posted here.

DMR 152 Wombat At Large Team Colleague

Seems like you've gotten some new infections since our last troubleshoot.

Post a fresh HJT log here for starters, so that we can get a glimpse of what's going on.

DMR 152 Wombat At Large Team Colleague

r u sure that i wont get a virus if i update any of my programs...

It would be absolutely foolish to tell anyone that they'll be 100% safe if they keep all of their anti-virus and anti-spyware programs up to date.

The problem is that the wonderful people who make viruses, spyware, etc. are constantly coming up with new and "sneakier" ways to infect computers, which means that the people who make the utilities to fight the infections are usually one or two steps behind. There is always some delay between the point at which a new infection is discovered and the point at which someone can find a cure for that infection; the process is exactly like that of finding a cure for biological viruses.

DMR 152 Wombat At Large Team Colleague

Didn't notice that, that is odd. Coincidence?

DPFs (Downloaded Program Files) can get reinstalled on your computer in the normal (or not so normal) course of surfing the web. The files are ActiveX controls used by web sites, so if you have HijackThis delete a given "016" entry and later visit a site which uses that DPF, it will be redownloaded to your computer again.

Not all 016 entries in a HJT log are malicious by a long shot, but a Google search for the particular Class ID (CLSID) of the one we're dealing with here indicates that it is related to a DPF called "RunExeActiveX.RunExe".

I may just be paranoid from too many months of HJT log analysis, but I really don't feel good about something whose name says: "Hey, look at me, I can run potentially malicious code on your computer!"
:mrgreen:

DMR 152 Wombat At Large Team Colleague

IE is no more vulnerable than is Firefox or anything else, it's just a bigger target and therefore the malware authors can make more money targeting it.
As soon as FF becomes a large enough target to be worth the effort people will start to target that as well.

Hang on there- No offense meant, but your above statements indicate a lack of understanding of one of the key problems with Internet Explorer (and yes, in this case it is a problem): the extent to which Microsoft has integrated IE into the Windows operating system itself.

The fact that other browsers are less prevalent isn't the major reason that they are safer to use at all. Non IE-based browsers are safer because they pretty much operate at an application level, whereas IE, by Microsoft's own design, acts to a large degree as a system-level service. In other words: browsers like Firefox, Netscape, and Opera do not have the system-level privileges that IE does, and therefore a compromise to one of those browsers is much less likely to constitute a compromise to the operating system as a whole.

DMR 152 Wombat At Large Team Colleague

FIREFOX, please. lol.

Yeah, I know- but let's not start a "Browser Holy War"; I hate those ... :mrgreen:

The core point is that you'll be less vulnerable if you use any of the non-Microsoft browser options; the choice of exactly which of those alternatives you go with is pretty much a matter of personal preference.

DMR 152 Wombat At Large Team Colleague

Also, if you want a free anti-virus program, this would be the one:

http://free.grisoft.com/freeweb.php/doc/2/

DMR 152 Wombat At Large Team Colleague

Ok, guys, I'm baaack...LOL...

You should be aware that we really have started a contest titled "What is Mereannjen going to do once her log is clean?" :mrgreen:

Seriously though- I do need to finish up here for the night, log off, and think about normal things like dinner. Hopefully one of our other "contestants" will pick up on this before tomorrow; if not, I'll check back then.

DMR 152 Wombat At Large Team Colleague

I thought updates were only for paying customers...

For the free programs we recommend, you can definitely get (unlimited) updates, but what some of them do lack is an automatic update function such as Norton's Live Update. All that really means is that you will have to manually check for updates when you run the programs, but all of them (as far as I've seen) have a built-in option for doing so.

In terms of some of the utility programs detecting/not detecting/being able to clean/not being able to clean certain "nasties", keep in mind that each of these programs is basically optimized for specific functions. For example- Ad Aware and SpyBot are primarily spyware/adware/hijackware/etc. removal tools. They are not optimized for traditional virus removal in the way that Norton or McAfee are, nor were they ever designed to do so. On the flip-side, Norton, McAfee, etc. products have traditionally been anti-virus/trojan/etc. programs; their ability to deal with adware/spyware is relatively new. Sooo:

Norton found something a little while back that Adaware and Spybot didn't pick up, but Norton did not remove it.

If you can give us specifics as to the files/infections in question we might be able to help you out.

Given the above, the fact that the lines between all versions of generally malicious programs are blurring, and the fact that new variants of those nasties are appearing almost daily, it's impossible to expect that only one or two protective programs will keep you entirely …

DMR 152 Wombat At Large Team Colleague

Ay up! Back again... Just to let you know that the "qqtask,exe" according to the castlecops identifier is not the same as "Qqtask.exe" which is the actual quicktime application...They say it's known spystuff...

Hmm.. I can't find the CastleCops link to the supposed spyware version; can you post it here?

About different browsers, I tried using the MSN browser...

I did say "...use a non-Internet Explorer based browser", which disqualifies the MSN browser.

If I restore to an earlier restore point before I ever got the internet I have a sinking feeling that this won't help either.

It may not, and it may even make things worse. Read this to find out why.

I'll try and work out how you reply to my miserable missives using quotes instead of recycling all the text next time

Sorry, but there's no magic wand involved in that one. I do recycle the text; I just manually wrap the separate bits in their own quote tags for clarity.

Go raibh mile maith agat
(as they say in these parts)

Tá fáilte romhat.

DMR 152 Wombat At Large Team Colleague

OK. Please follow the above instructions carefully, and don't hesitate to post if you have any questions along the way- it's better to ask than make a mistake.

:)

DMR 152 Wombat At Large Team Colleague

Again- you're welcome. Now let's hope it worked...

The kalvxyz32.dll bit seems like it might be related to the EliteToolbar pest that's making the rounds, but there isn't really a heck of a lot of definitive info available on the beast; I was only able to confirm the (pseudo-random) pattern of the filename change yesterday or the day before.

Let us know if it crops up again please.

DMR 152 Wombat At Large Team Colleague

Crud- I missed one in my earlier post...

1. Have HJT fix the following:

" O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe"


2. Although the actual filename has morphed slightly (in your last log it was named "kalvdme32.exe"), this gremlin is still present:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxxv32.exe

** Note: That file may change its name slightly again, but this particular infection has a pattern: the filename will always be kalvxyz32.exe, where xyz are the only letters of the name which change.

Have HJT fix that entry, reboot into Safe Mode, delete wuclient.exe and kalv(whatever)32.dll, and empty your trash.

DMR 152 Wombat At Large Team Colleague

How do you back up your Hard drive? Is there any point until this thing's sorted?

There's not much point in doing a full system backup until you're clean; you'd just be archiving the "nasties" along with everything else. However, it is always a good idea to back up your important documents/data at regular intervals. There are many different backup options (another hard drive/a zip drive/a tape drive, burn to CD/DVD, etc.) some of which depend on just how much data you need to archive. If it's not a huge amount of data, you can just do manual copies to one of the types of media I just mentioned. If you have a lot of data, or simply want to automate/schedule the process, you should look into a commercial backup utility program like Dantz's Retrospect package. (Maxtor's One-Touch line of external USB/FireWire drives come with a "lite" version of Retrospect which can be set up to fire off backups literally at the press of a button.)

Will simply restoring to factory settings resolve anything apart from taking ages to reinstall everything?

Even if you go as far as a full reinstall of Windows, you'll still get infected in the future unless you take precautions.

I tried Quarantining the "qttask.exe" by moving it to another folder and changing "exe" to"xxx" but the problem persists.

qttask is a component of Apple's QuickTime multimedia software. It is not malicious, but it certainly doesn't need to be running as a startup item (this goes …

DMR 152 Wombat At Large Team Colleague

You're welcome ellie; glad we could help. Your log looks infection-free now.

:)

DMR 152 Wombat At Large Team Colleague

No sweat parby. :)

Just for future reference: if you make a mistake in one of your posts or just want to change it for some other reason, you can do it yourself by clicking the "Edit" button in the lower right-hand corner of the post.

Of course, only we moderators can muck with other people's posts. ;)

DMR 152 Wombat At Large Team Colleague

Does it make any difference when it just shows the number, not the description or address?

The general consensus seems to be that if the CLSID (the 32-character identifier string) doesn't show up with an associated "human-readable" description, there's something wrong with it.

I don't think an incomplete/partial entry in a HJT log necessarily indicates a "nasty"; a partial entry could probably also be the result of some sort of registry corruption, an incompletely/incorrectly uninstalled component, etc.
That's just my understanding though; I could be wrong.

DMR 152 Wombat At Large Team Colleague

There's always a first time!! hehe :)

Nooo!!!

Repeat after me:

"We are perfect. We make no mistakes."
"We are perfect. We make no mistakes."
"We are perfect. We make no mistakes."

:mrgreen:

DMR 152 Wombat At Large Team Colleague

...but it said those were files that were needed to boot up and that sounded too bad

That's just a standard Windows warning message. The files in the particular folders I listed above are definitely not needed for normal operation; those folders contain files that are used by Windows only on a temporary basis. You should very rarely see a program actually running from one of those folders, and if you do, you should be suspicious of it.

In your case, the following .exe file indicated in your log is definitely a "nasty" and needs to be deleted:

O4 - HKLM\..\Run: [taCQu] C:\documents and Settings\owner\local settings\temp\taCQu.exe

1. After doing the general cleanup that we've already suggested, run HijackThis again and have it fix any of the following entries which still exist:

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\HTMPLA~1\axis wait.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKLM\..\Run: [icncftzv] C:\WINNT\gcesrmpc.exe
O4 - HKLM\..\Run: [taCQu] C:\docume~1\owner\locals~1\temp\taCQu.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [73Fi38R] C:\WINNT\System32\msler.exe
O4 - HKLM\..\Run: [AutoLoader7wwM1KMSMdLU] "C:\WINNT\System32\msler.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
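
The posts above flag the same handful of things by eye: a startup (O4) entry launching from a Temp folder (the taCQu.exe line), a path hidden behind 8.3 short names such as PROGRA~1\HTMPLA~1 (the "axis wait.exe" remark), a CLSID entry with no description or no file behind it, and the kalv???32 filename pattern. The following script is an added example and is not code from the posts, from this forum, or from HijackThis itself; it parses HJT-style lines and applies exactly those heuristics, using a handful of lines copied from the logs quoted in this thread as a constructed sample. Every regular expression and the reason strings are this example's own assumptions, not part of any tool's output.

```python
import re

# Constructed sample: lines copied from the HijackThis logs quoted in the posts above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\ajo.dll
O4 - HKLM\..\Run: [owns dart] C:\PROGRA~1\HTMPLA~1\axis wait.exe
O4 - HKLM\..\Run: [taCQu] C:\docume~1\owner\locals~1\temp\taCQu.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxxv32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
"""

# "R3 - rest of line": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# A {8-4-4-4-12} hex class identifier.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# An 8.3 short-name path component, e.g. PROGRA~1\ or HTMPLA~1\
SHORTNAME_RE = re.compile(r"~\d+\\")
# A \Temp\ path component (Local Settings\Temp, Windows\Temp, locals~1\temp ...).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# The pattern the post describes: "kalv", three changing letters, "32", then the extension.
KALV_RE = re.compile(r"\bkalv[a-z]{3}32\.(exe|dll)\b", re.IGNORECASE)


def parse_entry(line):
    """Split one HJT line into (section code, body); None for header/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def triage(line):
    """Return the reasons this entry deserves a closer look (empty list = nothing flagged)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons = []
    if CLSID_RE.search(body):
        # CLSID-bearing entries (R3/O2/O9/O16 style) with no description or no backing file.
        if "(no name)" in body:
            reasons.append("CLSID without a description")
        if "(no file)" in body:
            reasons.append("CLSID with no file on disk")
    if code == "O4":
        if TEMP_DIR_RE.search(body):
            reasons.append("startup item runs from a Temp folder")
        if SHORTNAME_RE.search(body):
            reasons.append("path uses 8.3 short names; resolve the real folder")
        if KALV_RE.search(body):
            reasons.append("matches the kalv???32 filename pattern")
    return reasons


def triage_log(text):
    """Run triage over a whole log; returns {entry line: reasons} for flagged entries only."""
    findings = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

The flags are hints for a human reader, not verdicts: a legitimate program can live under an 8.3 path and a stale CLSID can be plain registry debris, as one of the posts above notes, so each flagged line still needs the manual check the thread describes.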

DMR 152 Wombat At Large Team Colleague

OurNation,

Not only do you still have problems, but your latest log indicates that they've multiplied or "morphed" (which is not unusual). Did you do absolutely everything that caperjack and I previously suggested in terms of running Ad Aware and SpyBot, cleaning out your Temp folders, etc.?

DMR 152 Wombat At Large Team Colleague

In my opinion it's better to wait until it's fixed before you turn off system restore, just in case, a bad restore is better than no restore...

Err... I guess I just need to put this out here-

I don't agree with that statement in cases where suspect files have already been identified in the Restore folder:

a) The infected files could get restored at some point during our troubleshoot.

b) I've been active here long enough to trust in the fact that our crew of security responders (you, crunchie, dlh6213, etc.) all know their stuff well enough that if a member follows our instructions exactly, they will not have to resort to a restore. I cannot recall any thread in which someone here has gotten to that point as a result of the advice we've given.

I mean the above as a compliment more than anything else at all; I hope it isn't taken the wrong way...

- Dave

DMR 152 Wombat At Large Team Colleague

Firewing1,

You might want to head over to www.justlinux.com, register there, and post your question there. The site is a Linux-only support site with many helpful members; both alc6379 and I have been working there for quite some time and were actually recruited by this site's admin (Dani) due to our work there.

I'm only suggesting this because I know that we have only a small number of Linux-savvy responders here, and at least three of us also have moderator duties (meaning: not a heck of a lot of spare time); you will get more "eyeballs" on your questions over at JL.

(Yikes- hope I didn't offend anyone by posting that....)

DMR 152 Wombat At Large Team Colleague

1. The about:blank home page setting is legit in one instance; it is what you'll get if you choose the "Use Blank" home page option in your Internet Options Control Panel.

Can you change the home page setting to something other than about:blank via your Internet Options Control Panel? If so, does that change persist, or does your home page keep reverting to about:blank?


2. Is the "Search the Web" stuff you describe an unwanted toolbar that appears in IE? If so, can you give us a screenshot of it? There are some particularly nasty variants/offshoots of the CoolWebSearch family that exhibit similar symptoms, and not even CWShredder can kill all of those. One such variant is the rather new-ish HSA (Home Search Assistant) infection; see the following link for more info on that:

http://www.short-media.com/forum/showthread.php?p=172774

DMR 152 Wombat At Large Team Colleague

How come there's no preposterously irate smilies?

But there are, oh geezerly-one; you just need to know where to look:

[img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/furious.gif[/img] [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/grr.gif[/img] [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/possessed.gif[/img] [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/para.gif[/img]


well... you get the idea, yes?


Oh, does about:Buster do what it says on the tin?

Yes- good catch; give AboutBuster a try; it's legit. MajorGeeks as a whole is a trusted and reputable site, so if you find something available for download there, it's a pretty sure bet that the program has merit.

DMR 152 Wombat At Large Team Colleague

1. I download the current 1.92.2 version of Hijack This into a folder called C:\hijackthis
2. I run Hijack This and post the log

Yes, exactly.

3. Should I also uninstall Wild Tangent & Weather Bug.... whatever they are!

Yes, they are "spyware" infections, and they do need to be uninstalled. The problem is (these being malicious programs) that trying to remove them using your Add/Remove Program control panel probably won't get them off your system entirely. Many of these types of infections leave small pieces of themselves behind and will "grow back" in a short period of time.

4. Download, install and run Adware (I already have Spybot installed).

No single utility program exists which is capable of removing all infections, but Ad Aware and SpyBot complement each other quite well in the fact that one of those programs will often detect and fix something that the other program missed. You should use both programs regularly- run them consecutively (the order doesn't matter), have each program fix everything it finds, reboot your computer when the fixes are complete, run the other program, and reboot again after it has completed its fixes.

What do you mean by a "hardening" and "global problem"?

Sorry for the computer jargon. "Hardening" is the technical term for the process of making a computer less vulnerable to hacker attacks, virus/spyware infections, and other malicious intrusions.

By "global problem", in this context I meant that the error Sphyenx mentioned concerning SpyBot/Ad Aware is not …

DMR 152 Wombat At Large Team Colleague

Yes- once everything is clean you should re-enable the System Restore function, but not before that.

DMR 152 Wombat At Large Team Colleague

Your HJT log doesn't seem to indicate any foul play (and yes, it appears that you did run the pings correctly), so this may be more of a general networking problem/question; but it does sound as though your network software has been corrupted somehow.

1. Can you give details on the history of the problem please?

2. What version of Windows are the other computers on the network running?

DMR 152 Wombat At Large Team Colleague

THANK YOU!!! You are a genius!!!

You are too kind, sir- I am surely not a genius, simply a humble geek (with an intense loathing of "spyware") who tries to be of service...

:mrgreen:

Seriously though- glad we could help you get it sorted. Staying away from IE, downloading the utilities I mentioned, and keeping your system current on Windows updates will go a looooong way toward preventing further infestations.

:)

DMR 152 Wombat At Large Team Colleague

Many of the processes listed in your log don't necessarily need to be running as startup items, but none of them are malicious as far as I can see.

1. Given that your log indicates no obvious "nasties", can you describe the pages/ads/pop-ups/whatever that you're getting in greater detail please?

2. Stop using Internet Explorer as your *$#$% web browser, ya foul-mouthed Geezer! :mrgreen:

Use Netscape, Firefox, or Opera instead; they're pretty much immune to the spyware/adware/etc. problems that plague IE.

3. If you absolutely need to use Internet Exploder, at the very least download and install SpywareGuard and SpywareBlaster; they plug some of the security "loopholes" in IE. Links to those two programs are in my sig below.

4. Try Shoot the Messenger; it might stop some of the crud.

DMR 152 Wombat At Large Team Colleague

Yuck! That's ugly.

And that is an understatement- the thing was a fRaNKeNPoSt! :mrgreen:


All fixed now...

DMR 152 Wombat At Large Team Colleague

I had to go to the configuration web page and make ONE CHANGE to the settings. That was all it was.

Can you tell us what the exact setting was? That info could help others who have similar problems.


Thanks.

DMR 152 Wombat At Large Team Colleague

1. The HijackThis link in my sig below should take you to the latest (1.98.2) version.

2. Open a DOS box. What are the results of running the following 4 commands?

ping www.google.com
ping 216.239.57.147
ping the IP address of your router (if you're using a router, obviously)
ping 127.0.0.1

3. Are you getting your IP info automatically (via DHCP), or did you enter your IP address, subnet mask, gateway IP, etc. manually?

DMR 152 Wombat At Large Team Colleague

any body have any suggestions of A FREE SPYWARE AVAILABLE ON THE NET AND WHICH IS EASILY DOWNLOADABLE!!

dlh6213 just listed the two most-recommended tools: Ad Aware and SpyBot. Links to their download sites are in my sig file below.


:)

DMR 152 Wombat At Large Team Colleague

1. Did you have Ad Aware fix what it found? If not, do that now.


2. You have infections in your System Restore folder. Instructions for fixing that problem are here.


3. You have at least one "nasty" running from one of your Temp folders; do this:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


4. Post a new HJT log.
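The Safe Mode clean-out in step 3 is tedious to do by hand for every profile. This added script (not from the thread) walks the same four sub-folders under each profile in "Documents and Settings" plus C:\Windows\Temp, empties them without removing the folders themselves, and reports any file Windows refuses to release (the in-use index.dat case the note describes) instead of stopping. It assumes the Windows XP profile layout named in the post and defaults to a dry run.

```python
"""Empty the per-user Temp/Cookies/History/Content.IE5 folders and C:\\Windows\\Temp.
Added example following the post's steps; assumes the Windows XP profile layout."""
from __future__ import annotations

import os
import shutil
from pathlib import Path

# Sub-folders relative to each profile, exactly the four listed in the post.
PROFILE_SUBDIRS = [
    Path("Local Settings") / "Temp",
    Path("Cookies"),
    Path("History"),
    Path("Local Settings") / "Temporary Internet Files" / "Content.IE5",
]


def empty_folder(folder: Path, dry_run: bool = True) -> tuple[list[str], list[str]]:
    """Delete everything inside `folder` but keep the folder itself.
    Returns (removed, skipped). A locked file (for example index.dat in the
    top-level folder) lands in `skipped` with the OS error text; the sweep goes on.
    Hidden/system attributes do not hide entries from iterdir(), so the Explorer
    'show hidden files' step is not needed here."""
    removed: list[str] = []
    skipped: list[str] = []
    if not folder.is_dir():
        return removed, skipped
    for entry in folder.iterdir():
        try:
            if dry_run:
                pass                                   # report only
            elif entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)                   # e.g. the random Content.IE5 sub-folders
            else:
                entry.unlink()
            removed.append(str(entry))
        except OSError as exc:                         # PermissionError on in-use files
            skipped.append(f"{entry}: {exc.strerror}")
    return removed, skipped


def clean_profiles(profiles_root: Path, windows_temp: Path | None = None,
                   dry_run: bool = True) -> dict[str, tuple[list[str], list[str]]]:
    """Apply empty_folder() to every profile's four sub-folders, then to C:\\Windows\\Temp."""
    report: dict[str, tuple[list[str], list[str]]] = {}
    for profile in (p for p in profiles_root.iterdir() if p.is_dir()):
        for sub in PROFILE_SUBDIRS:
            target = profile / sub
            if target.is_dir():
                report[str(target)] = empty_folder(target, dry_run)
    if windows_temp is not None:
        report[str(windows_temp)] = empty_folder(windows_temp, dry_run)
    return report


if __name__ == "__main__":
    import sys
    root = Path(os.environ.get("SystemDrive", "C:")) / "Documents and Settings"
    wtemp = Path(os.environ.get("SystemRoot", r"C:\WINDOWS")) / "Temp"
    live = "--delete" in sys.argv                      # anything else is a dry run
    for folder, (removed, skipped) in clean_profiles(root, wtemp, dry_run=not live).items():
        verb = "removed" if live else "would remove"
        print(f"{folder}: {verb} {len(removed)}, skipped {len(skipped)}")
        for item in skipped:
            print("    ", item)
```

Run it once without arguments from Safe Mode to see what would go, then with `--delete`; the skipped list is expected to contain the top-level index.dat files, as the note above says.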

DMR 152 Wombat At Large Team Colleague

Logfile of HijackThis v1.97.7

You are running an outdated version of HijackThis. Please get the latest version (1.98.2) and post the log that version generates.

DMR 152 Wombat At Large Team Colleague

1. You are heavily infected; please do the online scans caperjack recommended.


2. Uninstall the following rogue programs:

Virtual Bouncer (VBouncer)
AdDestroyer
palnetaware


3. Run HijackThis again; have it fix any of the following entries if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MraSearch.dll
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=c:\windows\system32\mousecntl32.exe
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [fxhilc] C:\WINDOWS\System32\fxhilc.exe
O4 - HKLM\..\Run: [DQMXFKBM] c:\windows\system32\dqmxfkbm.exe /install
O4 - HKLM\..\Run: [Hot_Tarts_il] C:\Program Files\Video1\Dialers\Hot_Tarts_il\Hot_Tarts_il.exe /dontdial
O4 - HKLM\..\Run: [HDOFAEVY] c:\windows\system32\hdofaevy.exe /install
O4 - HKLM\..\Run: [WCBRCLZV] c:\windows\system32\wcbrclzv.exe /install
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - HKLM\..\Run: [Mdmdll] c:\windows\system32\mdmdll.exe
O4 - HKCU\..\Run: [Mra] C:\Documents and Settings\Жен\Application Data\Mra\Mra.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1022.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Advmon32] c:\windows\system32\advmon32.exe
O4 - HKCU\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\Mra.EXE
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binari...UTH_1022_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
O16 - DPF: …

DMR 152 Wombat At Large Team Colleague

1. You've picked up another nasty along the way:

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
...
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

C:\WINDOWS\inetdata\winlogon.exe is a component of one of the CoolWebSearch hijacker variants. Have HijackThis fix both of those entries, reboot into Safe Mode, delete the entire C:\WINDOWS\inetdata folder, and empty your trash.

After that, download and run the CoolWebSearch removal utility called "CWShredder" (download link is in my sig below) as an added precaution.


2. Although the actual filename has morphed slightly, this gremlin is still present:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvuej32.exe

Have HJT fix that entry, reboot into Safe Mode, delete the file, and empty your trash.

** Note: That file may change its name slightly again, but this particular infection seems to have a pattern: the filename will always be kalvxyz32.exe, where xyz are the only letters of the name which change.


3. Further preventative measures:

- Download and install SpywareBlaster and SpywareGuard (again- links are in my sig below). Use each program's update feature to make sure you have the latest version of their detection files installed.

- SpyBot has an "Immunize" function; you should use it.

- Use Windows' Automatic Update function to ensure that you always have the latest security/bug fixes from Microsoft installed.
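The two tells in this post (a winlogon.exe living outside System32, and the kalvxyz32.exe naming pattern) and the earlier point about a nasty running from a Temp folder are all things that can be checked mechanically on a HijackThis log. This added script, which is not from the thread or from HijackThis itself, parses O4 (autostart) lines and flags those patterns. The sample log is constructed: it mixes entries quoted in this thread with made-up benign and mutated ones.

```python
"""Flag HijackThis O4 entries matching the patterns pointed out in the thread.
Added example; the pattern list is only what the thread names, not a full reference."""
import re

# O4 lines look like:  O4 - HKLM\..\Run: [name] command
#                 or:  O4 - Startup: Shortcut.lnk = command
O4_RE = re.compile(
    r"^O4 - (?P<where>HKLM|HKCU|Startup|Global Startup)[^:]*: "
    r"(?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+?) = )(?P<cmd>.*)$"
)

# Constructed sample: lines 2-3 and 6-7 are quoted from the thread, 4-5 are made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvuej32.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvqpr32.exe
O4 - HKCU\..\Run: [tmpthing] C:\Documents and Settings\Bob\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
"""


def parse_o4(line: str):
    """Split one O4 line into hive/location, entry name, full command and the
    lower-cased executable path; returns None for any other log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # drop /install-style arguments
    return {
        "where": m.group("where"),
        "name": m.group("name") or m.group("lnk"),
        "cmd": cmd,
        "exe": (exe.group(1) if exe else cmd).lower(),
    }


def suspicious(entry: dict) -> list[str]:
    """Reasons an entry deserves a look. Only the thread's own tells are encoded;
    an unknown name that matches nothing here still needs a human (or the HJT
    reference lists) to judge it."""
    exe = entry["exe"]
    reasons = []
    if re.search(r"\\kalv[a-z]{3}32\.exe$", exe):
        reasons.append("kalvxyz32.exe pattern (only xyz changes between reinfections)")
    if exe.endswith("\\winlogon.exe") and not exe.endswith("\\system32\\winlogon.exe"):
        reasons.append("winlogon.exe outside System32 (CoolWebSearch variant per the thread)")
    if "\\inetdata\\" in exe:
        reasons.append("runs from a C:\\WINDOWS\\inetdata folder")
    if re.search(r"\\(temp|temporary internet files)\\", exe):
        reasons.append("runs from a Temp folder")
    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every O4 entry that trips at least one check."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = suspicious(entry)
            if reasons:
                hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample, the two kalv entries, the inetdata winlogon.exe and the Temp-folder entry are reported; mousecntl32.exe is not, which is the point of the comment in `suspicious()`: a pattern check only catches what you already know to look for.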

DMR 152 Wombat At Large Team Colleague

Hi Tokunbo,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.