DMR 152 Wombat At Large Team Colleague

this line seems odd:
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
Any one else have any opinions on it?

D-oh! I missed that one... yup, it should get the axe.

DMR 152 Wombat At Large Team Colleague

1. Don't re-enable System Restore yet.

2. Select all objects that Ad Aware found and delete/fix them; do the same for SpyBot.

3. Repeat what I outlined in step C) of my last post.

4. Post a new HijackThis log.

DMR 152 Wombat At Large Team Colleague

...I should have paid more attention to the TEMP directories, but it slipped my mind....

Sphyenx-

Things like that eventually happen to all of us here who eat HJT logs for breakfast, lunch, and dinner- don't sweat it. The more time you spend here crunching through those logs, the more likely it is that you'll miss something or (*cough!*) get something wrong. ;)

It's just a hazard of our occupation...

DMR 152 Wombat At Large Team Colleague

Congrats- your log looks clean to me. :)

You might want to wait until dlh6213, DaveSW, crunchie, or caperjack give a "second opinion" on my assessment.

DMR 152 Wombat At Large Team Colleague

Yeah- I hate to say this, but you've been hit rather hard.

Let's go for the whole drill to get you cleaned up; please do all of the instructions below, and in the order given:

* Before doing any of this, disable XP's System Restore function; instructions and explanations are here:

http://www.daniweb.com/techtalkforums/thread13362.html

After that:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the 'world' icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

4. Once the update is finished, click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window.

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days

DMR 152 Wombat At Large Team Colleague

You wasted your time with the log...

Not true; have a closer look at that log:

1. "Logfile of HijackThis v1.97.7" - That is an outdated version of HJT. The current release version is 1.98.2; CCG should download (the link is in my sig below) and run the newer version and post the log that version generates.

2. " C:\DOCUME~1\CARLGL~1\LOCALS~1\Temp\Temporary Directory 1 for hjt[1].zip\HijackThis.exe" - HJT is being run from a Temp/Temporary directory, which is not advised; here's the explanation:

"The contents of Temp folders aren't permanent, and often get deleted in the course of routine system clean-up and/or troubleshooting. Create a new folder such as C:\HijackThis, C:\Downloads\HijackThis, or C:\Spyware Tools\HijackThis and move the program to that folder."

3. " O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain" - indicative of an infection by a variant of the WildTangent spyware.

4. " O9 - Extra button: WeatherBug (HKCU)" - indicates the presence (or previous presence) of the "WeatherBug" spyware component.

5.

....I gave most of them spybot and ad-aware, and on XP after a few reboots spybot won't load and you receive a nice nasty error. First you have to uninstall the program....

I install Ad Aware and SpyBot on all of my client's PCs (including those who run XP, and including SP2) in the normal course of "hardening" of their systems, and have yet to see the sort of error you describe. I've also not seen such a problem reported as being a …

DMR 152 Wombat At Large Team Colleague

I understand what you're saying Beamie, but this particular thread was started by another member, and in order to keep things more organized we do want to stick with a "one member's question(s) per thread" construct in our support forums.

As I said in my last post, please start a thread of your own and we'll take it from there.

Again- thanks for understanding.

DMR 152 Wombat At Large Team Colleague

...i'll get back to you as soon as i have a go this may take a day or 2 depending when i get a day to myself witch is very few and far between

Now there's a statement that I can relate to... :)

Ok- the log:

1. I just noticed a "cut-n-paste" mistake in my last post:

" O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll"

That's actually a valid entry; sorry about that. If removing that entry caused you problems with the Google toolbar, you might need to redownload/reinstall the toolbar.

2. The "satmat.exe" file is a known nasty, and although it was on my list of items to delete in my last post, it's still showing up in your log. Were you able to find and delete it before you posted your latest log?

3. In terms of the "C:\WINNT\nsdb" folder, HijackThis may have fixed that for you, but please double-check (using the instructions in point #4 of my last post) just to make sure.

4. Aside from the satmat.exe file entry, your log looks clean to me. Please check again for that file and let us know what you find.

DMR 152 Wombat At Large Team Colleague

That is a "hijacker" infection; you probably have other "unwanted guests" on your computer as well. I'm moving this to our "viruses, spyware, and other nasties" forum now, as that is where we deal with these issues.

Please do the following:

Download and run the (free) HijackThis spyware-detection utility (the download link is in my sig below).

Create a new separate folder on your drive for HijackThis, download the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.) Do not have HJT fix anything yet, only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we review the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

You need to have the RoadRunner-specific IP/subnet mask/gateway/DNS settings configured in your network connection properties when you try to access from home (that is, when you aren't going through the proxy at your work).

Tell us what version of Windows you use, and we'll tell you exactly how to configure those settings.

DMR 152 Wombat At Large Team Colleague

1. Does the problem only occur with certain websites, or does it seem to be random?

2. Give us specific details about your network/Internet setup. As it is, we don't have anywhere near enough info in that area to determine if your problem is really the result of malicious infections; the cause of the problem could lie elsewhere.

3. Download and install another web browser such as Netscape, Firefox, or Opera. Knowing if the problem occurs (or does not) with an alternate browser will help to pinpoint the cause of the problem.

4. One definitive test would be to download and run HijackThis and post the log file it generates here. That log can give us a lot of insight into the possible causes of the problem. A download link for HijackThis is in my sig below.

5. Tell us exactly what version of Windows and what version of IE you are using.

DMR 152 Wombat At Large Team Colleague

Hi Beamie,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

1. Do you mean that you removed the infection called "spybot", or the utility program called SpyBot?

2. You might want to run HijackThis and post the log file it generates. A download link for the program is in my sig below; instructions for using the program are listed in numerous previous threads in this forum.

DMR 152 Wombat At Large Team Colleague

"O4 - HKLM\..\RunServices: [Kernel loader] kernld32.exe"

That's the only entry in the log that bothers me; it can be indicative of an infection by one of the SDBOT variants. I'd get McAfee up-to-date on its virus definitions and run a full system scan.


Aside from that: you do have many processes running, but a lot of them are just part of your obvious interest in multimedia programs. Between those and essential processes like McAfee's components, I wouldn't be surprised if you were at least experiencing a pretty long boot-up time; are there any specific problems you're experiencing which prompted your posting here?

DMR 152 Wombat At Large Team Colleague

Ouch. That's some pretty nasty infestation you've got there. :(


Given the numerous infections you have, HijackThis alone isn't going to do the trick here, so let's go for the full drill:

!! Before doing any of the following, you should temporarily disable XP's System Restore functions. Instructions for doing so and an explanation of why you do so can be found here:

http://www.daniweb.com/techtalkforums/thread13362.html


After that:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the 'world' icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

4. Once the update is finished, click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window.

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

DMR 152 Wombat At Large Team Colleague

FTP has security holes; I'd go with SSH instead if you're going to take that route.

Do you have valid system and Samba user accounts set up on the Linux box for all users who will be accessing the machine over the network? If not, you should.

DMR 152 Wombat At Large Team Colleague

You have multiple infections:

1. To remove twaintec.dll:

- Click "Start" and then "Run" and type the following command (which unregisters the software):

regsvr32 /u c:\winnt\twaintec.dll - Reboot and then delete the c:\winnt\twaintec.dll file


- Empty your Recycle Bin

2. In your Add/Remove Programs control panel, remove the following spyware programs:


MyWebSearch
Internet Optimizer
Power Scan

(this will probably not entirely remove the programs; some of these spyware programs are sneaky that way...)

3. Have HijackThis fix the following entries:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=107312
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\System32\bridge.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
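The entries listed above, and the odd O16 line flagged at the top of this page, are all HijackThis log lines in the same "section - body" shape. As an added example (not code from the post or from HijackThis), here is a small Python parser for that format with a triage pass that flags the conditions these posts single out: a hosts file living somewhere other than the stock location, hosts entries that redirect a name to a remote address instead of blocking it, registrations marked "(file missing)", IE search/start-page values pointing at an external URL, and a DPF object with neither a name nor a download URL. The sample lines are copied from the logs quoted on this page; the default hosts-file path and the flag rules are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: lines copied from HijackThis logs quoted in the posts above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=107312",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O1 - Hosts file is located at: C:\WINNT\nsdb\hosts",
    r"O1 - Hosts: 81.211.105.69 lender-search.com",
    r"O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll",
    r"O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\System32\bridge.dll (file missing)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r'O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"',
    r"O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -",
]

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumption: the stock hosts-file location on NT-family Windows, compared case-insensitively.
DEFAULT_HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"


@dataclass
class Entry:
    section: str                      # "R1", "O2", "O16", ...
    raw: str
    fields: Dict[str, str] = field(default_factory=dict)
    file_missing: bool = False        # HJT appends "(file missing)" to orphaned registrations
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT log line into its section code and the fields that section carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, raw=line.strip())
    if section in ("R0", "R1"):                       # registry key,value = data
        key, _, data = body.partition(" =")
        e.fields = {"key": key.strip(), "data": data.strip()}
    elif section == "O1":                             # hosts-file location or one hosts mapping
        if body.startswith("Hosts file is located at: "):
            e.fields = {"hosts_path": body.split(": ", 1)[1].strip()}
        elif body.startswith("Hosts: "):
            ip, _, host = body[len("Hosts: "):].partition(" ")
            e.fields = {"ip": ip, "host": host.strip()}
    elif section in ("O2", "O3"):                     # kind: name - {CLSID} - path
        kind, _, rest = body.partition(": ")
        parts = [p.strip() for p in rest.split(" - ")]
        if len(parts) >= 3:
            path = " - ".join(parts[2:])
            e.file_missing = path.endswith("(file missing)")
            e.fields = {"kind": kind, "name": parts[0], "clsid": parts[1],
                        "path": path.replace("(file missing)", "").strip()}
    elif section == "O4":                             # hive\..\Run: [name] command
        hive, _, rest = body.partition(": ")
        if "[" in rest and "]" in rest:
            e.fields = {"hive": hive, "name": rest[rest.index("[") + 1:rest.index("]")],
                        "command": rest[rest.index("]") + 1:].strip()}
    elif section == "O16":                            # DPF: {CLSID} (name) - url
        rest = body[len("DPF: "):] if body.startswith("DPF: ") else body
        clsid, name = CLSID_RE.search(rest), re.search(r"\(([^)]*)\)", rest)
        url = rest.rsplit(" - ", 1)[1].strip() if " - " in rest else ""
        e.fields = {"clsid": clsid.group(0) if clsid else "",
                    "name": name.group(1) if name else "", "url": url}
    return e


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags for the conditions the posts above single out (rules are assumptions)."""
    for e in entries:
        f = e.fields
        if "hosts_path" in f and not f["hosts_path"].lower().endswith(DEFAULT_HOSTS_SUFFIX):
            e.flags.append("hosts file relocated away from the default path")
        if "ip" in f and f["ip"] not in ("127.0.0.1", "0.0.0.0", "::1"):
            e.flags.append("hosts entry redirects a name to a remote address")
        if e.file_missing:
            e.flags.append("registered component whose file is gone (orphaned registration)")
        if e.section in ("R0", "R1") and f.get("data", "").lower().startswith("http"):
            e.flags.append("IE search/start setting points at an external URL; confirm it is intended")
        if e.section == "O16" and not f.get("name") and not f.get("url"):
            e.flags.append("DPF object with neither a name nor a download URL")
    return entries


def flagged(lines: List[str]) -> List[Entry]:
    """Parse every line and return only the entries that picked up at least one flag."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return [e for e in triage(entries) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.raw}\n    -> " + "; ".join(e.flags))
```

The flags are prompts for a human reviewer, not verdicts: the Google Toolbar BHO in the sample passes untouched, and an O2 entry with a present file (twaintec.dll here) gets no flag from the parser alone, which is exactly why the posts still lean on a reviewer who knows the names.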

DMR 152 Wombat At Large Team Colleague

Glad we could help! :)


To lessen your chances of reinfection, you should probably download and install SpywareBlaster and SpywareGuard as a measure of protection. I'd also suggest that you use SpyBot Search & Destroy in conjunction with Ad Aware. SpyBot is very similar in function to Ad Aware, but will sometimes catch things that Ad Aware misses; using the two programs together is a Good Idea.

Download links for three of the above utilities are in my sig file below.

DMR 152 Wombat At Large Team Colleague

Looks like you got it right. :)

In Windows 98, C:\Windows is the correct location for the rundll32.exe file.

DMR 152 Wombat At Large Team Colleague

The log looks clean to me; you might want to wait for one of our other members to give a second opinion on that just to be sure.

DMR 152 Wombat At Large Team Colleague

Also:

C:\Program Files\Internet Explorer\iexplore.exe

That entry indicates that you had at least one instance of Internet Explorer running when you ran HijackThis. HJT can't fully perform all of its fixes while any instances of web browsers are running; please make sure to close IE entirely before fixing things with HijackThis.

DMR 152 Wombat At Large Team Colleague

They are in a Recovery folder. I found it along with all of the DSO Exploits Spybot has ever found. It looks like this folder is for all the bad things Spybot has ever found. Should I delete the whole folder?

What is the exact location of the Recovery folder you mentioned? If you can tell us that, we can tell you for sure if you should delete it or not.

DMR 152 Wombat At Large Team Colleague

I wouldn't think that the critical updates would only clobber two specific sites, but I guess stranger things have happened with computer software.

Let us know when the problem occurs again; maybe we'll be able to pick up a clue or two this time.

DMR 152 Wombat At Large Team Colleague

That can be tricky, depending on what exactly you mean by "sharing" Outlook.
In a business environment, the networking capabilities that you find in Outlook (sharing contacts, calendars, etc., for example) are usually made possible by the presence of a Microsoft Exchange mail server; Outlook itself is not really designed to be a "served" network application.

There are a few "tricks" you can use to get some aspects of sharing working, and there are more than a few third-party applications which add network functionality that Outlook itself lacks. The following article discusses some of the problems and considerations, and also gives links to some of the add-on programs that you can use to overcome the obstacles:

http://www.slipstick.com/outlook/share.htm


Keep in mind that Outlook and Outlook Express are two very different programs "under the hood"; suggestions/techniques which work for one will not necessarily work for the other.

DMR 152 Wombat At Large Team Colleague

Yup- that's a clean one. Glad we could help! :)

DMR 152 Wombat At Large Team Colleague

Your log indicates that you still have problems, and those problems are not the same as the originals. You've either gotten further infections (not unusual) or the infections that you originally had have "morphed" (also not unusual).

I need to log off now, but hopefully one of our other members will pick up on this shortly. If not, I'll repost here tomorrow.

DMR 152 Wombat At Large Team Colleague

Was everything I deleted spyware and if so why doesn't Spybot find and delete it????

Yes- absolutely everything that I asked you to delete was related to virus/spyware/adware/etc infections.

To answer your question as to why SpyBot (and Norton, for that matter) didn't detect and delete all of the "nasties":

The people who create these spyware/virus/adware/trojan/etc/ programs are constantly modifying their programs to avoid detection, and that being the case, there is no single utility which can eradicate all of them.

If you really have to use Windows as your operating system and use Internet Explorer as your web browser, you will have to take multiple measures to protect yourself from further infections. Here are some of those necessary measures:

http://www.daniweb.com/techtalkforums/thread5690.html

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, …

DMR 152 Wombat At Large Team Colleague

OK, here we go...

1. SpyKiller, BestPopUpKiller, and SpyHunter all fall into the category of "dubious" programs, in that they are unreliable and at the very least return "false positive" findings as a way of enticing users to buy the commercial versions of the programs. You should uninstall them and use the trusted, recommended (and free) alternatives instead. For more information on bogus vs. legit "spyware" utilities, please visit this site:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Links to some of the reputable programs (of which Lavasoft's Ad Aware is one) can be found in my sig below.

2. " C:\Program Files\Internet Explorer\IEXPLORE.EXE"

That entry in your HJT log indicates that you had at least one instance of Internet Explorer running when you ran HijackThis. HJT cannot fully perform its fixes unless all instances of your web browsers are closed. Please make sure that is the case before proceeding.


* -> Before doing the following, you should probably disable XP's System Restore function. Instructions for doing so (and an explanation of why you should) can be found here.

3. Once you have closed all instances of all web browsers, have HijackThis fix:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdme32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [E981F653] C:\WINDOWS\system32\ctLinra.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [FDBF3A4E] C:\WINDOWS\system32\dsntcer.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKCU\..\Run: [kbdsw] C:\WINDOWS\System32\kbdsw.exe

DMR 152 Wombat At Large Team Colleague

warlancer-

I've split your post/question into its own thread for reasons of clarity; your new thread is here:

http://www.daniweb.com/techtalkforums/thread15020.html

DMR 152 Wombat At Large Team Colleague

Webroot's Spy Sweeper is a reputable program- it may very well have done the trick for you.

DMR 152 Wombat At Large Team Colleague

Bingo!

Good find, and congratulations- you are most likely the proud parent of a bouncing baby virus infection. More info on the "winshow" infections (and removal instructions) can be found in these links:

http://www.google.com/search?hl=en&q=winshow.dll&btnG=Google+Search


I'm moving this to the Viruses/Spyware forum now; buckle up...

DMR 152 Wombat At Large Team Colleague

That site works fine for me, in three different browsers: Internet Exploder, Netscape, and Firefox.

DMR 152 Wombat At Large Team Colleague

OK- you definitely do have "nasties", so here's the entire drill:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the 'world' icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

4. Once the update is finished, click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window.

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan …

DMR 152 Wombat At Large Team Colleague

ellie, a couple of things first:


1.

Logfile of HijackThis v1.97.7

You are running an old version of HijackThis; please download the latest version (1.98.2) and post a new log from that version.


2.

C:\Program Files\Internet Explorer\IEXPLORE.EXE

The above indicates that you had at least one instance of Internet Explorer running when you did your HijackThis scan. HJT cannot fully perform its fixes when IE is open/running, so you need to make sure that IE is totally shut down before using HJT.

Take care of those two things and we'll go from there.

DMR 152 Wombat At Large Team Colleague

Your HJT log doesn't indicate any obvious "nasties", and given your description of the actual problem, it sounds like you made an incorrect change to some (normal) part of your system's configuration in your attempt to clean out your previous infection(s).

- Have you had a look through your log files for any relevant error messages? If not, go into your Administrative Tools folder and open Event Viewer to browse the logs. Let us know if there's anything in them that might help pinpoint the problem.

- What you describe definitely sounds video-oriented. Have you checked your video hardware and drivers for possible errors/changes?

DMR 152 Wombat At Large Team Colleague

...you may want to wait for someone else to independently confirm this.

Looks to me like you've got it right. :)


Sassy, the "nasties" indicated in your log are associated with at least two known trojans/viruses; I'm surprised AVG didn't catch them. Is your version of AVG absolutely up-to-date on its virus definitions?

You should probably get a free online virus scan from the following two sites just to get a "second opinion":

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/active...n_principal.htm

DMR 152 Wombat At Large Team Colleague

What- you're back again?? Damn Gremlins just won't leave you alone, will they?

:mrgreen:

Sphyenx is right- using Netscape, Firefox, Opera, etc. instead of Internet Explorer will save you from 90+% of these headaches.

But in the mean time:

1. Close all browsers, including AOL (your log indicates that it was running when you ran HJT).


2. Have HJT fix:

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkjh32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/...IL/PhPSetup.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...e/bridge-c9.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/e...oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1881054...ip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following file:
C:\windows\system32\kalvkjh32.exe

- Delete the following folders entirely:

DMR 152 Wombat At Large Team Colleague

Your HJT log doesn't point to any obvious culprit.

1. Can you give us some history/details concerning when the error started to occur and what, if any, changes were made to the system/software around that time?

2. rundll32.exe is a critical Windows file; does it actually exist on your system, or is it really missing? If the file is missing or corrupt, you can see if installing/extracting a fresh copy of it does the trick. General instructions for extracting fresh copies of system files can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;129605

DMR 152 Wombat At Large Team Colleague

is there anyone who can help?

Sure, but first you need to update your version of HijackThis.

Version 1.97.7 is old, and the current version (1.92.8) does a deeper/broader scan. Install the new version and post the log it generates.

DMR 152 Wombat At Large Team Colleague

1. Uninstall Weatherbug; they don't call it "bug" for no reason... ;)
Also uninstall the MySearch toolbar.


2. "O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe" indicates a trojan downloader infection. Use Norton's Live Update feature to get the absolutely most current virus definitions installed, and then run a full virus scan. If Norton doesn't catch/fix the infection(s), go to these two sites for free online virus scans:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/com/activescan_principal.htm


3. Turn off XP's System Restore function. Instructions are here.


4. Have HijackThis fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [lidrxsbmf] C:\WINDOWS\system32\xtwfshm.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm …

DMR 152 Wombat At Large Team Colleague

Hey LTB, you got an even newer version of HJT than I suggested! I didn't know that was out :).

It's a beta release that got "leaked" to the public. Merijn does not recommend that people use it; here's the blurb from his site:

HijackThis version 1.99 is currently in beta. Unfortunately, several sites have picked the file off the forums where I posted it in restricted sections and posted it as a public, final release.
Please refrain from using the HijackThis 1.99 beta, it has a crash bug and is not finished yet. Be patient and wait for the final version, which should be out soon. 'Beta' does not mean 'pretty much ready anyway'.

DMR 152 Wombat At Large Team Colleague

1. Go into your Administrative Tools folder, open up Event Viewer, and have a look through your log files. Are there any error messages in your logs which contain more specific information pertaining to the problem?


2. You may have malicious infections which Norton isn't catching. Read through the threads in this forum for information on using some of the recommended "anti-spyware" utilities such as Ad Aware, SpyBot, and HijackThis. Download links for many of the utilities are in my sig below.

DMR 152 Wombat At Large Team Colleague

Go into your Administrative Tools folder, open up Event Viewer, and have a look through your log files. Are there any error messages in your logs which contain more specific information pertaining to the problem?

DMR 152 Wombat At Large Team Colleague

1. If possible, remove the router from the equation; plug the computer directly into the modem via an Ethernet cable. You will probably have to power down/up the modem and computer to get them to "talk" to each other. If your connection is stable with that configuration, the problem obviously lies with something in your internal (LAN) setup.

2. When the problem occurs, do the network link/activity lights on all devices indicate a good connection, or do they indicate a dropped/lost connection?

- check the status of your wireless adapter with its setup/utility software.
- check the router's status in its setup utility; query the modem from the router if the router software has that ability.

3. Are you just losing the ability to browse the Internet, or do you lose all network functionality? When the problem occurs:

- Open a DOS box and run the following commands:

ping www.google.com
ping 66.102.7.147
ping the IP address of your router
ping the IP address of your computer
ping 127.0.0.1

What results do you get for each of the above pings?
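The ping ladder above, as an added example (not from the post or the forum): it runs the same five pings from the inside out, so the first rung that fails points at the layer to look at (stack, adapter, LAN, WAN, DNS). The router and own-IP addresses are constructed placeholders; the public IP is the one from the post.

```python
import platform
import subprocess

# The ladder from the post, ordered from the inside out so the first rung that
# fails points at the layer to look at. The router and own-IP addresses below
# are constructed placeholders: substitute the values "ipconfig" shows.
LADDER = [
    ("loopback 127.0.0.1 (TCP/IP stack)", "127.0.0.1"),
    ("this computer's IP (network adapter)", "192.168.1.100"),  # placeholder
    ("router / default gateway", "192.168.1.1"),                 # placeholder
    ("public IP without DNS", "66.102.7.147"),
    ("public hostname (DNS)", "www.google.com"),
]

def ping(host, count=2):
    """True if `host` replies. Windows ping takes -n, everything else -c.
    Windows ping can exit 0 on 'Destination host unreachable', so on Windows
    a real reply is recognised by the 'TTL=' text in the output."""
    windows = platform.system() == "Windows"
    flag = "-n" if windows else "-c"
    try:
        proc = subprocess.run(["ping", flag, str(count), host],
                              capture_output=True, timeout=15)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0 and (not windows or b"TTL=" in proc.stdout)

def diagnose(results):
    """results: [(label, replied)] in ladder order. The first rung that does
    not reply is where the connectivity problem lies; the rungs below it are fine."""
    for label, replied in results:
        if not replied:
            return "first failure at: " + label
    return "every rung replied: not a connectivity problem, check the browser or proxy"

def run_ladder(targets=LADDER, pinger=ping):
    """Ping each rung in order and return (results, verdict)."""
    results = [(label, pinger(host)) for label, host in targets]
    return results, diagnose(results)

if __name__ == "__main__":
    results, verdict = run_ladder()
    for label, replied in results:
        print(("OK   " if replied else "FAIL ") + label)
    print(verdict)
```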

DMR 152 Wombat At Large Team Colleague

Since you seem to indicate that you've already got the router working with one computer, the rest should be fairly simple.

1. Plug the other computer into one of the available Ethernet ports on the router.

2. If the currently-connected computer's network settings are configured to obtain IP and DNS info automatically from the router, configure the new computer that way as well. If you've entered your computer's IP info manually, assign the new computer an IP address in the same range as the currently-connected computer. That is, if the current computer is assigned an IP of 192.168.1.100, make the new computer 192.168.1.101. For the subnet mask, gateway IP and DNS server IPs, use the same values that the currently-connected computer is using. At this point, both computers should be able to share the Internet connection through the router.

If you want to share files, printers, etc. between the two computers:

3. They should each be given a unique name and should be assigned to the same workgroup. You assign the computer name and workgroup name through the System control panel, and you will have to reboot each computer to make the settings take effect.

4. In a workgroup setup, you should create identical user accounts on each machine for all users who will be accessing the computers over the network. If you don't do this, you will be prompted to enter a valid username and password whenever you attempt to remotely connect …

DMR 152 Wombat At Large Team Colleague

One more thing. While typing this....Spybot detected that something called "Avenue A"----a known threat was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.

1)What is "Avenue A"?

As Dave said, it's a tracking cookie. You can set SpyBot to automatically block things like that without asking for confirmation each time:

Under the "Immunize" section of SpyBot's settings, put a check mark in the "Enable permanent blocking of bad addresses..." box and choose "Block all pages silently" from the pull-down menu.

DMR 152 Wombat At Large Team Colleague

That's weird. Aside from a corrupted page cache, I don't really know what would cause that to happen with just one specific site. :?:

DMR 152 Wombat At Large Team Colleague

Let me ask this again:

Is it just that site that you're having trouble viewing, and is the problem just with one computer?

DMR 152 Wombat At Large Team Colleague

You still have virus/trojan/etc. infections. Also- from some reports I've read, the NoAds program you installed seems to be questionable. It appears that it may have some "hidden nasties" of its own; personally, I would uninstall it.

1. Have HijackThis fix the following:

O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com


2. Turn off XP's System Restore function; instructions are here.

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Find and delete the following files:

spoolcsv.exe
syswin32.exe

- Delete the entire C:\Program Files\NoAds folder.

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to …
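An added example (my own code, not HijackThis or the forum's) that parses the O4 and O15 lines listed in step 1 and applies two triage heuristics of mine: an autorun command given as a bare filename with no directory, a name registered under several run keys, and any site placed in IE's Trusted Zone are all listed for review. The sample log is constructed from the entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: just the lines the post tells the user to fix, not a full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")

def parse(log):
    """Yield one dict per O4 (autorun) or O15 (IE Trusted Zone) line."""
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            yield {"type": "O4", **m.groupdict()}
            continue
        m = O15_RE.match(line)
        if m:
            yield {"type": "O15", "site": m.group("site")}

def exe_of(cmd):
    """First token of the command with surrounding quotes removed."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]

def review(entries):
    """Return (what, reason) findings using heuristics of my own, not HijackThis's:
    a bare filename means Windows locates the program by PATH search and it has no
    declared install directory; one name under several run keys is unusual for
    legitimate software; a Trusted Zone entry relaxes IE's security for that site."""
    entries = list(entries)
    findings = []
    for e in entries:
        if e["type"] == "O15":
            findings.append((e["site"], "site in IE Trusted Zone"))
        elif "\\" not in exe_of(e["cmd"]):
            where = f"{e['hive']} {e['key']} [{e['name']}]"
            findings.append((where, "bare filename " + exe_of(e["cmd"])))
    names = Counter(e["name"] for e in entries if e["type"] == "O4")
    for name, n in names.items():
        if n > 1:
            findings.append((name, f"name registered under {n} run keys"))
    return findings

if __name__ == "__main__":
    for what, reason in review(parse(SAMPLE_LOG)):
        print(f"{reason:40} {what}")
```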

DMR 152 Wombat At Large Team Colleague

Or you can boot it into recovery mode with the XP/2000 cd...

Yes- try that before resorting to a reinstall. When you boot into the Recovery Console from the install CD you have more than a few options at your disposal, one of which is to attempt an automated repair of your system. You can also attempt manual repairs via the Recovery Console's (somewhat limited) built-in commands. More info on using the Recovery Console can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058