DMR 152 Wombat At Large Team Colleague

Also:


Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often …

DMR 152 Wombat At Large Team Colleague

Glad we could help. :)

In terms of cleaning your daughter's computer, do keep in mind that each computer is configured differently, and will probably have different types of infections in addition to Aurora. Given that, some of the infection removal procedures are computer-specific, as are the results you'll get from HijackThis scans run on different computers. Always ask before fixing anything that you have the slightest question about.

DMR 152 Wombat At Large Team Colleague

You are welcome; I'm glad we could help. :)

Were you able to fix the "Broken Internet access..." problem with WinsockXPFix?

DMR 152 Wombat At Large Team Colleague

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


* Once in Safe Mode, double-click on Nailfix.cmd. …

DMR 152 Wombat At Large Team Colleague

Your log still shows indications of a full-blown Aurora infection. Please follow the instructions below carefully and fully:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting …

DMR 152 Wombat At Large Team Colleague

1.

Also, there is a program in my control panel named "The ABI Network- A Division of Direct Revenue". Should this be removed as well?

Absolutely- kill it.

2. Your HJT log is clean. :)

3. Is the slowdown you think you might be seeing an overall "sluggishness", or is it just that Windows seems to take a longer time to start up?

DMR 152 Wombat At Large Team Colleague

Very cool. Glad we could help you remove the "unwanted guests". :)

DMR 152 Wombat At Large Team Colleague

Your HJT log is almost clean now. :)

There are just a couple of leftovers to take care of:

1. You have the Messenger Plus! 3 program installed, and that program has a "Sponsored" (read: adware-driven) installation mode. If you aren't sure if you installed the Sponsor option when you first installed the program, uninstall it and reinstall it without the sponsor. Better yet- don't reinstall it.


2. Although not the result of malicious infections (it's probably the result of an incomplete program uninstallation), the following entry indicates a missing component in your networking software stack:

O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing

To fix the problem, download WinsockXPFix, run it, and click the "Fix" button. Choose YES when asked if you want to proceed.

DMR 152 Wombat At Large Team Colleague

I can't help with this, just giving it a 'bump' so DMR doesn't overlook it :)

(I know how much he needs more to do)

Uh, yeah...thanks. I'll just ignore those 14 auto-notifications that piled up in my mailbox after only 6 hours offline and wait for you to throw me more fresh fish... :mrgreen:


yikyang,

Unfortunately, I was hoping that the Media Player error message might tell us exactly which module/file was causing the problem, but it only gives "faulting module unknown", which doesn't give us anything specific to go on. The cause of the problem could be in a number of places, and since Media Player still crashes after you reinstalled it, I really don't have any suggestions right now. :(

For the possible reinfections, post a new log as dlh6213 suggested.

DMR 152 Wombat At Large Team Colleague

I saw your name reviewing this thread just as I hit the Post button.

Speaking of which- I know that definitely meant that I was up too late, but does it also mean that you got up at some unholy early hour just to sneak in a few posts here before work? :cheesy:

DMR 152 Wombat At Large Team Colleague

Hmm... It's dark, and I'm posting at the same time as dlh6213. That can only mean one thing:

I should have been in bed 3 hours ago! :eek: :mrgreen:

The Nasties are all yours until tomorrow, Danny; I'm logging off and heading for the Comfy Pillow now...

DMR 152 Wombat At Large Team Colleague

Hi, welcome to the site. :)

Unfortunately, you have more than the Aurora infection. To begin with, please follow these general cleaning procedures to remove (hopefully) most of the "unwanted guests":


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not …

DMR 152 Wombat At Large Team Colleague

*grrr*

Something has retriggered pieces of Aurora and the "Win Server Updt" infection. Let's carefully and completely repeat the basic Aurora cleaning procedure, with the following adjustments:

* Reboot into Safe Mode again.

* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly (this is normal).


* Then run Ewido, and run a full scan. Save the logfile from the scan.


* Next run HijackThis, click Scan, and put a check in the box to the left of:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qmvpymw] c:\windows\system32\yjasshe.exe

Close all open windows except for HijackThis and click Fix Checked.

- Close HijackThis.


* Open Windows Explorer, and in the Folder Options->View settings under the Tools …
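As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage script that applies the indicators discussed in this and the other Aurora posts to a HijackThis log: a hijacked IE search/start page, an extra program appended to the system.ini Shell value, a Run entry launching from the Windows root, a broken LSP chain, a Winlogon Notify DLL, and an orphaned service with a missing binary. The sample log and the hijack-host list are constructed for the example.

```python
"""Triage a HijackThis (HJT) log for the indicators discussed in this thread."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log (not a real posted log); entries mirror the kinds shown in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Example Service (ExSvc) - Example Vendor - C:\Program Files\Example\exsvc.exe
"""

# Hosts this thread identifies as search hijackers (constructed list; extend it from your own logs).
HIJACK_HOSTS = {"websearch.drsnsrch.com"}

# Every HJT entry starts with a tag such as R0, F2, O4, O23 followed by " - ".
ENTRY_RE = re.compile(r"^(?P<tag>[RFO]\d{1,2}) - (?P<body>.*)$")

# Programs run directly from the Windows root directory (not a subfolder) are unusual;
# the Aurora droppers in this thread (Nail.exe, wupdt.exe) all live there.
WINDOWS_ROOT_EXE_RE = re.compile(r"c:\\windows\\[^\\ ]+(?: .*)?")


@dataclass
class Finding:
    tag: str
    severity: str  # "fix" = remove/repair, "review" = confirm before acting
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (tag, body, line) for each HJT entry; header and blank lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("tag"), m.group("body"), raw.strip()


def triage(log_text):
    """Return the findings for one log, in the order the entries appear."""
    findings = []
    for tag, body, line in parse_entries(log_text):
        if tag in ("R0", "R1") and " = " in body:
            host = urlparse(body.rsplit(" = ", 1)[1]).hostname or ""
            if host in HIJACK_HOSTS:
                findings.append(Finding(tag, "fix", f"IE search/start page hijacked to {host}", line))
        elif tag == "F2" and "Shell=" in body:
            # A clean XP shell value is exactly "Explorer.exe"; anything appended starts with the shell.
            shell_value = body.split("Shell=", 1)[1].strip()
            if shell_value.lower() != "explorer.exe":
                findings.append(Finding(tag, "fix", f"extra shell program in system.ini: {shell_value}", line))
        elif tag == "O4" and "] " in body:
            path = body.split("] ", 1)[1].strip()
            if WINDOWS_ROOT_EXE_RE.fullmatch(path.lower()):
                findings.append(Finding(tag, "review", f"Run entry launches from the Windows root: {path}", line))
        elif tag == "O10":
            findings.append(Finding(tag, "fix", "LSP chain broken (missing provider); repair with WinsockXPFix", line))
        elif tag == "O20":
            findings.append(Finding(tag, "review", "Winlogon Notify DLL loads at every logon; verify before removing", line))
        elif tag == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings.append(Finding(tag, "fix", "orphaned service with missing binary; stop, disable, then delete", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.tag}: {f.reason}\n         {f.line}")
```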

DMR 152 Wombat At Large Team Colleague

You still have indications of the Aurora (DrPmon.dll) infection in your log. Please perform the following standard Aurora removal procedure; it will probably clean up a lot of other leftover "nasties" as well:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.


* Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select …

DMR 152 Wombat At Large Team Colleague

You're welcome; glad we could help :)

Do things seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

Something look familiar here?

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Bingo- that's what I was looking for. Let's try this:


1. Download the Killbox utility and save it to your desktop, but don't run it yet.


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run HijackThis and have it fix:
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

- While still in Safe Mode, Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\SYSTEM32\MSplg7.dll

Select the "Replace on reboot", "Use Dummy" options, and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.

- Click YES at the request to reboot and let the computer reboot normally.


3. Run HijackThis and another anti-virus scan; see if any references to MSplg7.dll still exist.

DMR 152 Wombat At Large Team Colleague

The HijackThis log is clean now.

Since ewido keeps turning up "nasties" in your C:\System Volume Information\_restore folders, but your HJT log no longer shows signs of infections, let's flush those folders to get rid of any possibly remaining "unwanted guests", and set a new, clean Restore Point.

To do this, you just disable and then re-enable XP's System Restore feature:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You may experience a slight delay as your change is applied; the Properties window will close automatically when the operation is complete.


Once you've done that:

Reactivate System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.
A fresh new …

DMR 152 Wombat At Large Team Colleague

Everyone's HJT logs will be different, because the contents and configurations of everyone's computers are different.

There is a standard Aurora fix though, which we can expand on to fit your particular system:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.

1) Open the Services utility in your Administrative Tools control panel.

In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

In the General tab of the Properties window that opens, click the Stop button.

Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

2) Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

3) Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

4) Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, …

DMR 152 Wombat At Large Team Colleague

I guess you can find a conspiracy in anything

lol.

I thought I found a conspiracy in my fridge once, but it just turned out to be some potato salad I'd forgotten about for a few months...

DMR 152 Wombat At Large Team Colleague

Sorry- my bad. The service needs to be disabled before it can be deleted:

1. Open the Services utility in your Administrative Tools control panel.

2. In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.

3. In the General tab of the Properties window that opens, click the Stop button.

4. Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

5. Run HijackThis and try deleting the service again:

- Put a check next to the O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) entry and then click "Fix Checked".

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

6. Reboot, run HJT again, and see if the SvcProc entry still appears.

DMR 152 Wombat At Large Team Colleague

I'm not saying that Akamai's services aren't immune to abuse, and I'm certainly not saying that everything Akamai does or has done is all "warm and fuzzy" either. Akamai, however, is not a "cyberterrorist" or anything close to that.

- Who's your ISP? Perhaps they've recently started using Akamai's services.

- The possibility certainly exists that there's something fishy going on; I just don't see any indication of that at all in your HJT log.

DMR 152 Wombat At Large Team Colleague

Not so "friendly" after all.

http://pressf1.co.nz/archive/index.php/t-33444.html.

Umm... did you happen to notice that the person who posted the "information" you're referring to:

A) Gave no verifiable sources of that information, nor any supporting evidence for his claims whatsoever.

B) Mentions that the Israeli government uses Akamai's services as though there's something ominous about that, but conveniently forgets to mention that other governments (including the US) also use Akamai.

C) Ends his post by going off on a rather paranoid rant about cyberterrorists and how he might "blow the cover" on Akamai himself?

I won't even go into his mind-bogglingly convoluted discourse on the use of "dashes" in Akamai identification strings at the beginning of the post.

Akamai is a company which provides a number of Internet services. Some of them are irritating (serving streaming/animated ads for customers' websites, for example), while some of them are quite legit (hosting websites, download, and DNS services for many major corporations, providing streaming video for major sports events, etc.). Even Microsoft and Symantec have used Akamai servers (and may still) to deliver their online updates in order to take some of the load off their own servers.

So the upshot is this: If you visit a major site on the web, there's a good chance (15% was the estimate I read last year) that the company whose site you're visiting is piping you at least some of their content from an Akamai server. This is why …

DMR 152 Wombat At Large Team Colleague

1.

Thanks again! How many of these antivirus sites are there? How do you know which are reliable?

You ask people like us. :D

Here's a list of some of the most-often recommended online scanners:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. I missed one leftover (from the Aurora infection) in your HJT log. Please do the following:

- Open HijackThis again and click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

- Reboot, run HJT again, and verify that the O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) entry is no longer present. If it is still present, or if you got any errors during the deletion process, let us know.


3. Remove the Viewpoint Manager program using your Add/Remove Programs control panel. Also uninstall any MyWay/MySearch/MyBar-related programs as well if you find them listed there.


4. Reboot into Safe Mode and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- …

DMR 152 Wombat At Large Team Colleague

A good place to find all kinds of drivers, especially drivers for older versions of Windows, is www.driverguide.com. You do have to register with them in order to download from their site, but the registration and downloads are free, and they won't use your email to flood you with spam.

I checked, and Driverguide does have Win 98 drivers for the CL-5446 chip. They have a few different versions though; I'd try the latest version first.

DMR 152 Wombat At Large Team Colleague

Good work; I only see one item in your HJT log that needs to go. :)


1. Close all open programs, including Internet Explorer, run HJT again and have it fix:

O4 - HKLM\..\Run: [mrqapp] c:\windows\system32\qiifcvw.exe


2. Delete the c:\windows\system32\qiifcvw.exe file and empty your Recycle Bin.


3. Run ewido again to see if it finds any leftovers.


4. Reboot, run HJT again, and post a new log.

DMR 152 Wombat At Large Team Colleague

So are you saying that you managed to get it sorted out now? It isn't quite clear from what you posted.

DMR 152 Wombat At Large Team Colleague

Is there any way to identify a keystroke logging program?

There are certainly programs which target trojan keyloggers, and even the usual suspects of SpyBot, Microsoft Antispyware beta, and ewido Security Suite accomplish this to a degree. However, identifying possible components of a keylogger "by eye" isn't something the average user is going to be able to do; after all, one of the main goals of keyloggers is to install themselves in very obscure ways in order to avoid being noticed.

In terms of a "cure all" for all of the threats that exist out there, unfortunately- no such beast exists. You do need a combination of programs, but you don't need to spend hundreds of $$ for those programs, as many free programs exist (some of which often do a better job than "pay for" products). I need to log off shortly, but I'll post some of the recommendations when we take this up tomorrow.

DMR 152 Wombat At Large Team Colleague

No signs of Aurora, but there are some other leftovers to deal with:

1. Uninstall WeatherBug via your Add/Remove Programs control Panel. "The Bug" contains adware/spyware components.


2. Uninstall AdwareAlert; it has a questionable reputation at best. You can read more about AdwareAlert and other disreputable and outright bogus "anti-spyware" tools here.


3. Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [kzwgjg] c:\windows\system32\wtikjwi.exe r
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)


4. Delete the following file:
c:\windows\system32\wtikjwi.exe


5. Empty your Recycle Bin, reboot, run HJT again, and post a new (and hopefully final) log.

DMR 152 Wombat At Large Team Colleague

Here's the standard Aurora removal procedure, which should clean up a few of the other things evident in your log:


You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a full scan. Save the logfile from the scan.

Next run HijackThis, click Scan, and put a check next to the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

DMR 152 Wombat At Large Team Colleague

You are welcome; glad we could help you get things cleaned up. :)

Here are a few things you can do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as …

DMR 152 Wombat At Large Team Colleague

Good job; that looks like a clean log to me. :)

Now that your log is clean, let's flush out any possible nasties that might be hiding in your System Restore folders:

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "OK" button.

4. Click "Yes" in the resulting confirmation box. You will experience a slight delay as your change is applied and the Restore folders are being emptied; the Properties window will close automatically when the operation is complete.

5. Reopen the window and uncheck the "Turn off System Restore" box. This will re-enable System Restore and set a new, clean Restore Point.

DMR 152 Wombat At Large Team Colleague

OK- you'll still need to keep the wired connection though; what I said about the wireless management restriction still stands.

- Can you at least ping the router?

- Are you sure that the router's default password hasn't been changed? Anyone with a bit of security sense would have done that when the router was first set up.

DMR 152 Wombat At Large Team Colleague

Will I now attempt to follow the steps in crunchie's most recent post?

Yes- please do that.

If after completing the steps crunchie posted, a subsequent scan with HJT still shows signs of the items we're trying to kill, please do the following:

1. Download the trial version of Ewido Security Suite from here:
http://www.ewido.net/en/download/

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do; the message is non-critical.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full scan with ewido. Save the log it generates; you'll need to post it in your next response here.


While still in safe mode:

- Run HJT and have it fix any of the following entries which still exist (ewido may have cleaned some of these up already):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

DMR 152 Wombat At Large Team Colleague

Although HijackThis is far from the final word on this, I don't see anything in your log which indicates malicious infections.

Can you give us the IP address and port number associated with the suspicious connection? Post anything else in your firewall, etc. logs that might help as well.

DMR 152 Wombat At Large Team Colleague

1. Open the Services utility in your Administrative Tools control panel.

2. In the list of services, locate the service named "Network Security Service", "NSS", or " 11Fßä#·ºÄÖ`I" and double-click on it.

3. In the General tab of the Properties window that opens, click the Stop button.

4. Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

5. Run HijackThis and try deleting the service again:

Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

NSS

If the operation is successful, have HijackThis fix the following entry and then locate and delete C:\WINDOWS\crru.exe:

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crru.exe

Reboot after that, run HJT again, and post a new log.
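The O23 line above is the kind of entry worth checking before asking HijackThis to fix anything. The following PowerShell is an added example, not code from this thread or from HijackThis: it parses "O23 - Service:" lines and flags the traits this reply acts on (a display name made of garbage or non-ASCII characters, a service binary sitting directly in C:\WINDOWS rather than System32, a registration whose file is missing). The first two sample lines are the ones quoted in this thread; the third is a constructed benign line for contrast, and the function names are mine.

```powershell
# Added example: heuristic triage of HijackThis O23 (NT service) lines.
# Not part of the original thread; sample lines 1-2 are quoted from it, line 3 is constructed.

$O23Pattern = '^O23 - Service: (?<display>.+?) \((?<short>[^)]+)\)(?: \((?<extra>[^)]*)\))? - (?<owner>.+?) - (?<path>.+?)(?<missing> \(file missing\))?$'

function ConvertFrom-HjtO23 {
    # Split one O23 line into its fields; returns $null for lines that are not O23 entries.
    param([Parameter(Mandatory=$true)][string]$Line)
    if ($Line -notmatch $O23Pattern) { return $null }
    [pscustomobject]@{
        Display = $Matches['display']   # human-readable service name
        Short   = $Matches['short']     # the name sc.exe / "Delete an NT service" needs
        Extra   = $Matches['extra']     # second parenthesised name, if any
        Owner   = $Matches['owner']
        Path    = $Matches['path']
        Missing = [bool]$Matches['missing']
    }
}

function Get-O23Findings {
    # Return one object per suspicious service with the reasons it was flagged.
    param([Parameter(Mandatory=$true)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        $svc = ConvertFrom-HjtO23 -Line $line
        if (-not $svc) { continue }
        $reasons = @()
        # Malware frequently registers a display name of garbage bytes (the " 11Fßä#·ºÄÖ`I"
        # service in this thread). Legitimate service names are printable ASCII.
        if (($svc.Display + $svc.Extra) -cmatch '[^\x20-\x7E]') { $reasons += 'non-printable/non-ASCII name' }
        # crru.exe and svcproc.exe both live directly in C:\WINDOWS. Heuristic only:
        # explorer.exe lives there too, so review these rather than auto-deleting.
        if ($svc.Path -imatch '^[A-Z]:\\WINDOWS\\[^\\]+$') { $reasons += 'binary in %WINDIR% root' }
        # A registration whose image file is gone is a leftover that only exists in the registry.
        if ($svc.Missing) { $reasons += 'file missing' }
        # Weak signal on its own: svchost-hosted Microsoft services show it as well.
        if ($svc.Owner -eq 'Unknown owner') { $reasons += 'unknown owner (weak)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Short = $svc.Short; Path = $svc.Path; Reasons = ($reasons -join '; ') }
        }
    }
}

$SampleLog = @(
    'O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crru.exe'
    'O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)'
    'O23 - Service: Example AV Service (ExampleAV) - Example Vendor Inc. - C:\Program Files\ExampleAV\avsvc.exe'  # constructed benign line
)

Get-O23Findings -LogLines $SampleLog | Format-Table -AutoSize
```

Feed it a whole saved log with `Get-Content hijackthis.log | Get-O23Findings` (the function ignores non-O23 lines). The NSS entry is flagged on the name and the path; the SvcProc entry on the path and the missing file; the constructed vendor entry is not flagged at all. Treat the output as a shortlist to investigate, not a deletion list.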

DMR 152 Wombat At Large Team Colleague

Hi rockstar_cs_32,

First of all, welcome to the site. :)

Can you give us more specific information please?

- Which exact version of Windows are you using?

- Are you using any firewall or other "Internet security"-type software?

- What steps have you already taken to try to fix the problem?

- What exact errors do you get from the different programs that have the connection problems?

DMR 152 Wombat At Large Team Colleague

You have the correct default user name and password, but remote administration via a wireless connection is disabled by default on those routers. You will need to connect to the router directly (via an Ethernet cable) in order to access the setup pages.

DMR 152 Wombat At Large Team Colleague

1. SQL is a database program; the patches mentioned don't apply to you.


2. You can't selectively delete Restore Points; you either flush them all or you don't. Also, there's nothing to say that files in the Restore Points you choose to keep might not be infected also. A bit more info on that can be found here. However, for just the reason you mention, I'd suggest waiting until your system is clean before deleting your old Restore Points.


3. The infection you have places an entry in the Windows Registry which automatically runs the malicious MSplg7.dll file every time Windows starts. This is what is making the file difficult to delete.

Please do the following so that I can (hopefully) see exactly where/what that Registry entry is:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell …

DMR 152 Wombat At Large Team Colleague

Very good. :)

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every …

DMR 152 Wombat At Large Team Colleague

You're welcome. :)

For the Media Player problem:

- What is the exact error that it gives you?

- Open the Event Viewer utility in your Administrative Tools control panel and look through the System and Application logs to see if there are any error messages there which might contain more information on the problem.

DMR 152 Wombat At Large Team Colleague

Sorry for the late response.

A) userinit32.exe is a component of a malicious infection. You can find more info and removal instructions in some of the links here:

http://www.google.com/search?hl=en&q=userinit32.exe&btnG=Google+Search


B) Media Player can get corrupted by viruses/spyware, but it can also break for other reasons. Uninstall and reinstall it and see if that clears things up.


C) Some general things you can/should do to minimize your chances of future virus/malware infections:


1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

DMR 152 Wombat At Large Team Colleague

Yes- try the reg fix again in Safe Mode.

DMR 152 Wombat At Large Team Colleague

I don't recommend deleting the file as it may be critical to your system's function.

That file is dropped/created by the trojan; it should be deleted.

Simply deleting the file will not, however, remove the infection itself. Infections usually drop several different components and make several modifications to your Registry in order to make it more difficult to eradicate them. If you do not fully clean the infection, chances are very good that it will simply "respawn" itself. Additionally, if you've identified one infection on your computer, you probably have other "unwanted guests" as well.

Here are some general virus/spyware/etc. detection and removal steps that you can try:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into …

DMR 152 Wombat At Large Team Colleague

Go through the instructions I posted fully and carefully, and respond when you can. It doesn't matter if it takes a few days; we won't lose track of you (this forum will automatically notify me when you make your next post).

DMR 152 Wombat At Large Team Colleague

There's one leftover from the Aurora infection, but other than that your latest log is clean. :)

Please do the following to remove the leftover:

- Open HijackThis again and click on the "Config" button in the lower right corner of HijackThis' main window.

- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc

- Reboot, run HJT again, and verify that the O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) is no longer present. If it is still present, or if you got any errors during the deletion process, let us know.
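The manual sequence in the NSS reply earlier in this thread (stop the service in the Services console, set it to Disabled, then "Delete an NT service" in HijackThis and delete the binary) and the svcproc leftover above are the same operation. The PowerShell below is an added example that scripts that sequence; it is not code from this thread or from HijackThis. The function name and its messages are mine; the short names NSS and svcproc and the two file paths are the ones given in this thread. Run it from an elevated prompt with the Services console closed, exactly as the reply says, since an open console can hold a handle that defers the delete until reboot.

```powershell
# Added example: stop, disable, unregister and remove one malicious NT service.
# Not part of the original thread. Requires an elevated (Administrator) PowerShell.

function Remove-MaliciousService {
    param(
        [Parameter(Mandatory=$true)][string]$Name,   # SHORT service name (e.g. 'NSS'), not the display name
        [string]$BinaryPath                           # image file to delete afterwards, if it still exists
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "No service named '$Name' is registered."
    } else {
        # A running service holds its image file open; that is why crru.exe cannot be
        # deleted until the service is stopped. Malware may refuse the stop request, so
        # do not abort here: disabling plus a Safe Mode reboot handles that case.
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
            try { $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30)) }
            catch { Write-Warning "'$Name' did not stop; it will not start after reboot once disabled." }
        }
        # Disabled first, so a reboot cannot relaunch it if the delete below is deferred.
        Set-Service -Name $Name -StartupType Disabled
        # Same operation as HijackThis' "Delete an NT service". If any handle to the
        # service is open (Services console, the process itself), Windows marks it
        # for deletion and removes it on the next reboot instead of immediately.
        & sc.exe delete $Name | Out-Null
    }

    # The registration is just this key; "(file missing)" entries exist only here.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $key) {
        Write-Warning "$key is still present: delete is pending a reboot, or it failed. Reboot into Safe Mode and re-run."
    } else {
        Write-Output "Service '$Name' is no longer registered."
    }

    # Remove the dropped binary. For a "(file missing)" entry this is a no-op.
    if ($BinaryPath -and (Test-Path $BinaryPath)) {
        Remove-Item -Path $BinaryPath -Force
        Write-Output "Deleted $BinaryPath."
    } elseif ($BinaryPath) {
        Write-Output "$BinaryPath is not present (already removed, or the entry was 'file missing')."
    }
}

# The two services from this thread:
Remove-MaliciousService -Name 'NSS'     -BinaryPath 'C:\WINDOWS\crru.exe'
Remove-MaliciousService -Name 'svcproc' -BinaryPath 'C:\WINDOWS\svcproc.exe'
```

After running it, reboot and take a fresh HijackThis log, as the reply says: the check that matters is that the O23 line is gone, not that the script printed success, because a deferred delete only completes once the system restarts with the service disabled.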

DMR 152 Wombat At Large Team Colleague

Giving us specific info about the computer and its configuration would really help (it wouldn't be a Dell by any chance, would it?), but here are a couple of general thoughts:

1. "Cover previously removed" is just a warning message that some computers will give you to indicate that the case has been opened before. The "warning" is harmless, and you should find a place in your BIOS to turn that notification off.

2. If the computer only has one drive installed, it will be "Drive 0". Again- look in the BIOS for anything related to detection of a second (possibly SATA) hard drive. If you find such an option enabled but have no second drive installed, disable that option.

3. It is perfectly normal for the BIOS to identify installed hard drives as "Auto" or "Auto detected".

DMR 152 Wombat At Large Team Colleague

In addition to Ad Aware and SpyBot, download, install, and run:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

Open each program, use its online update feature to get the most current definitions installed, and run it. After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find.

The ewido utility will generate a report log; save that file and copy/paste it into your next post.

If you have trouble running the utilities while booted into Windows normally, run the utilities while booted into Safe Mode instead (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

DMR 152 Wombat At Large Team Colleague

Hi stefan, welcome to our site. :)

To start with, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

That's a clean log now. :)

The name of the hp9C75.tmp file seemed to change at each power up so I used "delete C:\WINDOWS\System32\hp*.tmp"

Yes; good call. Many infections "morph" the names of their files on reboot to make it harder to detect and remove them.


The "Download, install, and run CleanUp!" couldn't be performed as the site appears to be suspended... Also, "http://www.zerosrealm.com/" seemed unavailable.

Right on both counts- the sites are down. As an alternative to the Cleanup! program, you can use CCleaner instead.

Odd things that occurred:
The CHKDSK function fixed something after rebooting when the machine crashed when trying to operate in safe mode by pressing F8.

CHKDSK will run automatically after the system crashes in certain ways and try to fix any data/filesystem corruption that might have occurred because of the shutdown. This is normal.

The 'Appearance and Themes' list for one of the users has lost the tabs that enable the desktop background and the computer's theme to be selected. Only options are to change resolution or select a screen saver. Any clues as to what this is?

That alteration to your Display properties is the work of the smitfraud infection. See if this fixes the problem:


1. Download the following reg file by right-clicking on the link and choosing Save As. Save this file to your Desktop.

Smitfraud Fix Reg File

2. When it …

DMR 152 Wombat At Large Team Colleague

Glad we could help. :)

However, some of the infections you had are difficult to completely remove, and they can come back to life if pieces of them are left on your system. Please post a new HijackThis log so that we can see if there are any "leftovers" that need to be cleaned up.