DMR 152 Wombat At Large Team Colleague

The Internet connection problems could definitely be the work of the infections.

You will need to disconnect from the Internet for the following fixes (I'd suggest physically unplugging the cable), so you should either print out these instructions or save them into a text file using Notepad.

1. Run HijackThis again, put a check in the boxes next to the following entries, and click the "Fix checked" button:

F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Regmgr] scvhost.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
mcafee32.exe
xpjava.exe

DMR 152 Wombat At Large Team Colleague

That looks good, but since crunchie is driving this tour bus right now, I'd wait for his response. :)

DMR 152 Wombat At Large Team Colleague

Hi kwaldeck,

In addition to Begin2Search, you also have the evil Aurora/Nail.exe infection and the WhenUSave parasite.

Please follow these instructions carefully and completely. You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the instructions or save them into a text file using Notepad:


1. Open your Add/Remove Programs control panel and uninstall WhenUSave if you find it listed. Also remove the Ebates/MoeMoneyMaker program if it is listed.


2. Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then run Ewido, and run a …

DMR 152 Wombat At Large Team Colleague

1. dlh6213 is right; your log does look a bit short. If you did run the HijackThis scan in Safe Mode, please run HJT while booted into Windows normally and give us that log.


2. In terms of the Silent Runners program, you need to right-click on the download link and then choose the "Save target as..." menu option to save the file into a folder on your computer.

Once you've done that, double-click on the Silent Runners.vbs file to run it. The script will take a little while to run, and you won't see anything happening while it does. When it finishes running, it will display a message telling you where it saved the log file. You need to then open that log file in Windows Notepad and copy-n-paste the full text of the log file into a post here.


3. Your log shows signs of at least three worm infections:

- A W32/Sdbot variant, which is responsible for msdirectx.sys and friends.

- A W32/Agobot variant, indicated by the O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe log entry.

- A W32/Rbot variant, indicated by the runm.pif and rune.pif log entries.


Since AVG isn't able to remove those infections, I suggest you run these free online anti-virus/anti-spyware scans and see if they can clean things up a bit:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


DMR 152 Wombat At Large Team Colleague

Is this $#%@ gone?

Not entirely. There are pieces of the infection that do not show up in a HJT log, but the following entry in your log is one Aurora leftover:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Please do the following to remove that entry:

1. Run HJT again and have it fix the above "O23" entry.


2. Once HJT completes the fixes, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc


3. Reboot, run HJT again, and post a new log.

DMR 152 Wombat At Large Team Colleague

What exactly did happen when you tried to download Nailfix from my FTP site? I tried the download myself as a test and it worked fine.

DMR 152 Wombat At Large Team Colleague

Thank you for the quick advice.

You're welcome Todd.

Unfortunately, I am not able to Download Nailfix (http://www.noidea.us/easyfile/file....050515010747824) as for the past 3 hours I continue to receive the message "cannot find server." Is there a way to address the issue without Nailfix? or is there another way I can get the zipfile for Nailfix?

You definitely need the Nailfix program, but the site I linked to does seem to be down; I can't reach it either.
Try this alternate download from my FTP site; it should work for you.

...my computer very very very slowly is being scanned by Ewido in safe mode (12% finished after 3 hours).

Erm, that doesn't sound right. The scan should take nowhere near that long, but let it go anyway. Regardless, once you download the Nailfix program, you should repeat the ewido scan as per the entire removal process I posted earlier.

DMR 152 Wombat At Large Team Colleague

Congratulations; that's a clean log! :)

I wouldn't worry about the items that you couldn't find. They should have been fixed in the course of the cleaning procedures, but I was just having you double-check to be sure.

Now that your log is clean, you might want to do the following to tidy up any loose ends:

Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or …

DMR 152 Wombat At Large Team Colleague

Hi kashres, welcome to our site. :)

Your log does show signs of Aurora, as well as a few other "unwanted guests". However, we need to take care of one thing before proceeding with the fixes:

C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
-----------------------------------------------------------------------------

The following procedure is the standard Aurora fix; it should also clean up some, if not all, of the other infections. Please follow the instructions carefully and fully:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install …

DMR 152 Wombat At Large Team Colleague

I am trying to follow your instructions the best I can.

Please understand that the instructions we give should be followed exactly, completely, and fully in order to entirely kill the infections. If you only complete part of the removal processes, or perform them in an order other than specified, some components of the infections will remain on your system and may enable the infections to "resurrect" themselves.


Please do the following:

1. In addition to ewido, download and install the following utilities. Use each program's online update function before running them to make sure you have the most current updates installed:

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

Run a full scan with each utility (the order doesn't matter). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find. If you find that the utilities can't fix something, try running them in Safe Mode instead.

2. Boot into Safe Mode again and repeat the ewido/NailFix procedure dlh6213 described earlier, but do not reboot; stay in Safe Mode.

3. Run HijackThis again and have it fix the following entries. (The names of the "O4" entries may have "morphed"; these infections can do that in order to make them harder to find and delete.):

F2 - REG:system.ini: …

DMR 152 Wombat At Large Team Colleague

My Anti-virus keeps finding a couple of problems, so does Spybot and Ad-Aware occasionally.

I see a couple of things in your log that don't look quite right, but nothing explicitly malicious. Can you give us specifics as to exactly what your a-v program, SpyBot, and Ad Aware find and the locations (folders) in which they find problems?

DMR 152 Wombat At Large Team Colleague

A Required.DLL file, OLEACC.DLL, was not found.

Certain versions of Win 98 either did not have that dll at all, or had an outdated version of it. The following Microsoft article tells you how to get the right version of the file:

http://support.microsoft.com/default.aspx?scid=KB;en-us;810684

DMR 152 Wombat At Large Team Colleague

1. You need to take care of one thing before we proceed:

C:\Documents and Settings\Admin\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. I see reference (the "O10" entry) to the BulletProof "anti-spyware" software in your log; uninstall that program. In addition to the fact that the product itself is of dubious reliability, the Bulletproofsoft company actually partners with known adware distributors and bundles that adware with downloads from the bulletproof.com site.

Before downloading/buying/installing any product touted as an anti-spyware/anti-adware program, you should consult the list of reputable vs. disreputable utilities at the following site:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


3. Download and run LSPFix.

In LSPFix, if you see a file named "apptoport.dll" listed in the left-hand Keep column, …

DMR 152 Wombat At Large Team Colleague

Your log is clean. :)

1. 17K isn't bad for the winlogon process; I've seen it chew upwards of 600K on perfectly healthy machines.

2. The Winlogon Notify reg entries are legit. igfxsrvc.dll is a software component for Intel's accelerated graphics hardware; opxpgina.dll is part of OmniPass' secure password management software.

DMR 152 Wombat At Large Team Colleague

it shows C:\Windows.....Nortonxxxx on line

Is "Nortonxxxx" really what the message shows, or does it give an exact filename? Since the filename points to Norton, I'd try uninstalling and reinstalling Norton; it sounds like one of Norton's driver files got corrupted, or the installation didn't complete correctly.

DMR 152 Wombat At Large Team Colleague

Perhaps you could try locating and reinstalling a device driver for the Cirrus Logic display card?

Yes, try that. I've seen exactly what you describe happen even when Device Manager reports that the video card is functioning and the correct driver is in use. Downloading and installing a new copy of the driver solved the problem.

DMR 152 Wombat At Large Team Colleague

You're right- running HijackThis (and then posting the log it generates) is the first step; here are instructions which should help:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Make a new folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

- Do you get any error messages when the freezes occur, or does the computer just "lock up"?

- Do the freezes occur when you run Windows in Safe Mode? To get to the safe mode boot menu option, start tapping the F8 key just after you power up the computer.

- Thermal problems? Open the case again and make sure that all fans are running freely and smoothly, and that there are no dust/dirt build-ups on the components or in any of the venting paths.

DMR 152 Wombat At Large Team Colleague

An explanation and fix for the most common cause of what you describe can be found here:

http://support.microsoft.com/kb/q270008/

Although the article pertains to Win 2000, I've seen the problem occur with XP as well; the fix described for Win 2000 works for XP.

Please note that although the article only refers to the "UpperFilters" and "LowerFilters" entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet registry subkey, I've had to apply the fix to the similar entries (if found) in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys as well in order to make it work.

DMR 152 Wombat At Large Team Colleague

I looked at Event Viewer and found a lot of warnings and errors in system and applications, but I don't know how to post them, because it won't let me copy and paste. Is there another way?

Yes there is, but like many things Microsoft, it's not really obvious at all:

When you double-click on any log entries to open the details/properties window for the item, there will be a vertical row of three buttons at the right of the window. The top two buttons have (respectively) an "up" and "down" arrow on them, but the bottom-most button has a picture of two overlapping pages on it. If you click on that button, it will automatically (and without giving you any feedback) copy the entire contents of the window into the Windows clipboard.

All you need to do after hitting that button is to hit the Reply button in this thread to open a reply/response text window and then paste the clipboard contents into that text entry box by either simultaneously holding down the "Ctrl" and "V" keys or by going to your browser's Edit menu and choosing "Paste".

Here's my scan:

Service load: 0% 100%

File: wmiprvse.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 075ea6c849ab0fe416a3d6dd65c3cf41
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing

DMR 152 Wombat At Large Team Colleague

Hi cjillson7030,

dlh6213 has done a good job of walking you through the process of removing the obvious "nasties" that were present on your system. I would definitely do as he asked in terms of having the wmiprvse.exe file scanned; that file is normally a valid Windows file, but a file of that name is also known to be placed on systems by some malicious programs. Other than that though, I agree with him on the fact that your system isn't showing any more signs of infection.

Given that, your system logs may hold some clues as to the cause(s) of your "not responding" program crashes/hangs. I'm inclined to believe that those errors are not related to the infections you had, or that the infections may have caused the errors, but the damage done won't be fixed just by removing the infections themselves.

Please do the following:

Open the Event Viewer utility in your Administrative Tools control panel.

In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to program hangs/crashes or anything else related to the problems you're having, post the full and exact contents given in the detail windows.

DMR 152 Wombat At Large Team Colleague

why are we still getting these trojans when Norton detected them in 2001???

The names that these infections are identified by usually refer to the general, overall type/family of the infection, but the problem is that new variants of many of these infections continue to appear. Think of it in terms of biological viruses. For example- how many versions of hepatitis are there now as compared to those we knew of only a few years ago.

Norton detected mine but I couldn't get rid of it from quarantine. Can anyone explain why that is?

That could depend on a couple of things, including exactly where Norton found the infected files. There are some directories/folders which A-V programs like Norton have permission to scan/read, but do not have permission from which to delete files. See this for an explanation of one such area of your system where this can happen.

DMR 152 Wombat At Large Team Colleague

A) Good job- that's a clean log. :)


B)

I downloaded NoAdaware before contacting you here, they claimed to be able to get rid of my problem. They failed, and were much more difficult to contact.

I think you mean NoAdware (not NoAdaware), yes? That program does not have a good track record at all; it is definitely not one of the programs we recommend (and most of the programs we do recommend are free).

You can read more about NoAdware and other questionable (or outright bogus) "anti-spyware" programs at the following site:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

It's always a good idea to consult the list of programs at the above site before installing any anti-spyware software (especially if you're planning on spending $$ on it).


C) Now that your log is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:

1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely …

DMR 152 Wombat At Large Team Colleague

The Desktop Search entry might not appear in the list of installed programs; don't worry about it if it doesn't.

For the files that you're having trouble deleting, try the "Delete a file on reboot" option in HJT's Misc. Tools page. Locate and select each of the four files for deletion one at a time. You will be asked if you want to reboot after you select each file; don't choose to do so until you've reached the last file.

DMR 152 Wombat At Large Team Colleague

Try this:

- Open Windows Explorer

- Under the Tools menu, choose Folder Options

- Click on the "File Types" tab.

- In the resulting list of registered file types, highlight each type (jpeg, gif, etc.) for which you want to change the default program association and click the "Change" button. The rest should be self-explanatory.

DMR 152 Wombat At Large Team Colleague

For free Anti-virus programs, try either AVG or Avast!; they often do a better job of removal than some of the "pay for" products from companies like Norton/Symantec or McAfee.

DMR 152 Wombat At Large Team Colleague

Some entries in your log are indicative of the evil "bube.d" infection. Please follow the cleaning instructions in the following link fully and completely (the procedures will most likely clean up some of your other infections as well):

http://www.dslreports.com/forum/remark,12688162~mode=flat

After doing the above, run HijackThis again and give us the new log to review.

DMR 152 Wombat At Large Team Colleague

Good work- that's a clean log... :)

The "svhost.exe" entry in the log may just have been a loose end; the actual svhost.exe file itself was probably removed by one of the utilities you ran.

How do things seem to be working now?

DMR 152 Wombat At Large Team Colleague

Hi media_luvvie, welcome to our site :)

Don't worry about being confused when it comes to trying to figure out which programs you should use to protect yourself from all of the possible threats out there; given the huge amount of "nasties" that Windows users can suffer from, your question is well worth asking.

Use McAfee until your subscription runs out if you'd like. I wouldn't suggest renewing it after that though, and nor would I suggest switching over to Norton's products as an alternative. The offerings from McAfee and Norton are both "pay for" products to begin with, and Norton's programs have the same sort of subscription-renewal plan as McAfee's. In addition, there are other (free) programs which often do a better job.

My suggestions would be:

1. Installable anti-virus programs:

AVG: http://www.grisoft.com/doc/40/lng/us/tpl/tpl01
Avast!: http://www.avast.com/eng/down_home.html


2. Free online anti-virus scanners:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. Some specific "anti-spyware" detection/removal/protection programs:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
SpywareBlaster and SpywareGuard - http://www.javacoolsoftware.com/downloads.html
IESpyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm


4. Firewall programs:

Kerio Personal Firewall - http://www.kerio.com/kpf_download.html
Zone Alarm - the direct …

DMR 152 Wombat At Large Team Colleague

Unfortunately you're right- even though the utilities I asked you to run may have found and/or removed many infections, the log still indicates that some of your "unwanted guests" don't want to go. That isn't unusual, as some of these beasts are very difficult to remove.

Please print out the following instructions or save them into a text file using Notepad; you will need to disconnect from the Internet for much of the rest of this.

1. I would highly suggest that you uninstall the MessengerPlus3 program; it comes bundled with adware/spyware components.


2. Close all running/open programs, physically remove your network cable from your computer, run HijackThis, and have it fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quulciwxsibucjktbisse.co.../aNHRUeARk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdljtqkxgbclmd.com/IBQyR...7PL9kHpfMI.html
O2 - BHO: (no name) - {71C666C8-C2AD-5D21-462A-BC634F3EACDE} - C:\DOCUME~1\PAUL~1.PAN\APPLIC~1\INSIDE~1\One Byte.exe (file missing)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [amok vga bind regs] C:\Documents and Settings\All Users.WINDOWS\Application Data\Rect upload amok vga\WarnAxis.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [IDLE LESS] C:\DOCUME~1\PAUL~1.PAN\APPLIC~1\OWNSPO~1\PileName.exe


3. Reboot into Safe Mode and open Windows Explorer again; make sure Explorer is set to show hidden files/folders as I described before.

Locate and delete the following file:
C:\WINDOWS\svhost.exe

!! There is a valid Windows file named svchost.exe; make sure that you do not delete …
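As an added example (my own code, not HijackThis and not posted in this thread), here is a small Python triage helper that applies the checks these posts make by hand on a HijackThis log: an extra program on the system.ini Shell/UserInit lines, an autorun launched from a Temp folder, a lookalike name such as svhost.exe or scvhost.exe standing in for svchost.exe, and an O23 service whose file is missing. The sample lines are copied from the log entries quoted above (first post and this one); the list of known Windows binary names is an assumption of mine.

```python
"""Triage helper for HijackThis-style log lines (constructed example)."""
import re
from typing import List, Tuple

# Assumed list of legitimate binaries that the lookalike names quoted in
# this thread imitate (svhost.exe / scvhost.exe for svchost.exe, ...).
KNOWN_NAMES = {"svchost.exe", "explorer.exe", "userinit.exe",
               "msconfig.exe", "winlogon.exe", "lsass.exe", "services.exe"}

# A clean system.ini pair carries nothing beyond the default program.
SYSTEM_INI_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}

EXE_RE = re.compile(r'[^\\/"\s,]+\.(?:exe|pif|scr|com)\b', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> str:
    """Return the known binary a name imitates (within 2 edits), else ''."""
    name = name.lower()
    if name in KNOWN_NAMES:
        return ""
    for known in sorted(KNOWN_NAMES):
        if levenshtein(name, known) <= 2:
            return known
    return ""


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT log line deserves a closer look."""
    reasons: List[str] = []
    line = line.strip()
    if line.startswith("F2 - REG:system.ini:"):
        # e.g. "Shell=Explorer.exe mcafee32.exe" -> key "Shell", value after "="
        key, _, value = line.split(":", 2)[-1].strip().partition("=")
        programs = [p.lower().rsplit("\\", 1)[-1]
                    for p in re.split(r"[,\s]+", value) if p]
        default = SYSTEM_INI_DEFAULTS.get(key.strip().lower())
        extras = [p for p in programs if p != default]
        if extras:
            reasons.append("extra program in system.ini %s: %s"
                           % (key.strip(), ", ".join(extras)))
    elif line.startswith("O4 - ") or line.startswith("O23 - "):
        if TEMP_RE.search(line):
            reasons.append("launched from a Temp folder")
        if "(file missing)" in line:
            reasons.append("points at a file that no longer exists")
        for exe in EXE_RE.findall(line):
            known = lookalike_of(exe)
            if known:
                reasons.append("%s looks like %s" % (exe, known))
    return reasons


def triage_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that triggered a check."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed sample: entries copied from the logs quoted in this thread.
SAMPLE_LOG = [l for l in r"""
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

The MessengerPlus entry is deliberately left unflagged: it is an unwanted program, but nothing in the line itself looks like a lookalike, a Temp launch or a missing file, which is exactly why such entries still need a human reading the log.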

DMR 152 Wombat At Large Team Colleague

1. You are infected by a worm, which is responsible for many of the entries in your log. A full description of the beast, including removal instructions, can be found at the following site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html#removalinstructions


2. There are other infections in addition to the worm. Please do the following to (hopefully) get most of the mess cleaned up:

Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


3. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For …

DMR 152 Wombat At Large Team Colleague

I have been reading the threads and on one of them was the numbers for the web page instead of the www. address I tried this on the explorer and the pages came up

The "numbers" for the web pages are their IP addresses. If you can reach a site by its IP address but not by its URL (the "www." address), that usually indicates a problem with your DNS settings.

DNS is the method computers use to associate a site's URL with the correct IP address. All sites on the Internet are really identified by IP address and not their URL, so if DNS can't translate the "www.whatever.com" name into the right numeric IP address, your browser won't know what site it's supposed to contact.

Try to repair Internet Exploder with the free IEFix utility program; it might correct the problem. If it doesn't work there are other things to try, but they're a bit more technical, so run IEFix first and let us know what happens.

DMR 152 Wombat At Large Team Colleague

Can you give us any more info on the history of the problem?

- How long has it been happening?

- Had you installed/removed/updated any software at around that time?

- Have you had virus/spyware infections or any other problems with the computer lately?

You can try running the IEFix utility. I don't know if it will help with your particular problem, but it won't hurt.

DMR 152 Wombat At Large Team Colleague

I use VPN and my company prefers we use a non-XP machine for security reasons.

For security reasons they want you to use Windows 98?? Now there's a twist... :eek:

I cannot get a browser to run... However, I can still run Yahoo IM, and get to shared directories on other machines in my house.

All three of those functions utilize different ports and protocols, so it's quite possible for one to be "broken" but not the others. However, the fact that you can browse your LAN and use IM means that your network/Internet connectivity isn't totally b0rked.

I cannot download updates for NAV, Adaware, Spybot, etc. I suspected my browser was hijacked, so I opened the hosts file. But, it did not exist. There was a file called hosts.sam

Good thought on your part, but no, Windows 98 does not, by default, have a hosts file. The ".sam" in the hosts.sam filename is short for "sample"; the file is an example/template that you can use to make your own hosts file.

... my machine is now extremely sluggish... Below is my hijackthis log.

I see no indication of malicious infections in that log.

- What exact errors do you experience when you try to browse web sites?

- Can you reach any websites in your browsers?

- You are running a Symantec firewall program. Before doing any other troubleshooting, you need to disable the firewall completely to eliminate the possibility that the fault lies with …

DMR 152 Wombat At Large Team Colleague

Thanks DMR,
Did as you said above; looks like this problem is now solved. Can you mark this thread as such? ... and this old fart can again enjoy using this damn machine without the annoyance...

Marking as Solved.

... and from one old fart to another: I'm glad we could help you get it sorted out. :mrgreen:

DMR 152 Wombat At Large Team Colleague

Dear DMR,
Thanks, it does look like I'm now clear of this virus/trojan.
Thanks for all your help.
Just one last question: how do I terminate this thread?
Regards

Your last log still had a reference to the malicious "setup32.exe" file, and I'd like to make sure that's cleaned up before we sign off on this.

Can you do the following please?:

1. Have HJT fix the "F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe" entry one more time.

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

Search your system for setup32.exe and delete it if found (I think it usually gets created in your root C:\ directory).

3. Run HJT one more time to make sure that setup32.exe is really no longer present in the F2 log entry. If so, let us know and I'll mark this thread as "Solved" at that point.

DMR 152 Wombat At Large Team Colleague

System is running 100 percent better. :p

Yay, We like that kind of response...

I tried to get rid of the x10nets via HijackThis. It keeps coming back as you said. When I try to delete it with the delete NT service option it tells me that x10nets is already running, however when I go to Services in Administrative Tools, it says it is stopped, what gives?

Try this:

In the Services section of Administrative Tools, right-click on the x10 entry and then click Properties in the resulting popup menu. From there, choose "Disabled" from the "Startup Type" drop-down menu, click "OK", and then close the Services window.


Reboot, and then try the removal instructions I posted before. Please note that the X10 entry is not usually a malicious one; it's only indicative of the fact that you had at some point installed multimedia hardware or software which installed X10 functionality.

DMR 152 Wombat At Large Team Colleague

Hi Tony,

Thanks for the "Thanks". Appreciation from those we try to help is really the only "pay" that those of us who volunteer our time on support sites ever get. :p

DMR 152 Wombat At Large Team Colleague

Hi Joe,

To start with, please do the following:

You will need to either print out these directions or save them into a text file by using Notepad; you will need to close all open instances of Internet Explorer and disconnect from the Internet during the course of this. HJT cannot fully perform its fixes while IE is running.

1. Have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe

2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Find and delete the following files:
setup32.exe
msnmssgr.exe

- Empty your Recycle Bin and reboot normally.


3. Run HJT again and post a new log.

DMR 152 Wombat At Large Team Colleague

Very good- there are just a couple of loose ends left to have HJT fix:

R3 - Default URLSearchHook is missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

If the "x10nets" entry returns after you fix it, try this:

Click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

x10nets


How are things running overall? If you're still seeing popups or other abnormal behaviour, give us the details and we'll help you sort it out.

DMR 152 Wombat At Large Team Colleague

Hello again Joe-

I have to log off shortly, as it's time to start dinner in my end of the world now. However, I'll flag this thread and get back to it ASAP.

DMR 152 Wombat At Large Team Colleague

OK, that's much cleaner now. :)

Still a bit to go yet, though:


1. Run HijackThis again and have it fix:

R3 - Default URLSearchHook is missing
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab


2. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following two files:
c:\eied_s7.cab
c:\ex.cab

- For every user account listed under the C:\Documents and Settings folder, delete the entire contents of these folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system …
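The temp-folder step above is easy to get wrong by hand: the contents of each listed folder must go, but the folders themselves must stay, and any file that refuses to delete (typically one in use) should be noted rather than stop the job. The script below is an added example, not part of the original post. It walks the XP-era profile layout the post describes (each account under Documents and Settings plus the Windows Temp and Prefetch folders), defaults to a dry run that only lists what would be removed, and reports failures per folder. The profile and Windows roots are parameters so it can be exercised against a scratch tree first.

```python
"""Empty the per-user and system temp/cache folders named in the cleanup
step, keeping the folders in place. Added example for this thread, not
code from the original post; it assumes the XP layout
C:\\Documents and Settings\\<user>\\... and C:\\WINDOWS\\...

Run from Safe Mode, as the post says, so fewer files are locked.
"""
import os
import shutil

# Relative to each user profile folder.
USER_SUBFOLDERS = (
    "Cookies",
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "History"),
    os.path.join("Local Settings", "Temporary Internet Files"),
)
# Relative to the Windows folder.
SYSTEM_SUBFOLDERS = ("Temp", "Prefetch")


def target_folders(profiles_root, windows_root):
    """Folders whose *contents* should be emptied; only existing ones."""
    targets = []
    if os.path.isdir(profiles_root):
        for user in sorted(os.listdir(profiles_root)):
            for sub in USER_SUBFOLDERS:
                targets.append(os.path.join(profiles_root, user, sub))
    for sub in SYSTEM_SUBFOLDERS:
        targets.append(os.path.join(windows_root, sub))
    return [t for t in targets if os.path.isdir(t)]


def empty_folder(folder):
    """Delete everything inside folder but not folder itself.
    Returns (removed, failed): paths deleted and paths that refused."""
    removed, failed = [], []
    for entry in list(os.scandir(folder)):  # snapshot before deleting
        try:
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)
            else:
                os.remove(entry.path)
            removed.append(entry.path)
        except OSError:
            failed.append(entry.path)  # locked/in use: report, keep going
    return removed, failed


def clean_temp_locations(profiles_root, windows_root, dry_run=True):
    """Map each target folder -> (removed_or_would_remove, failed)."""
    report = {}
    for folder in target_folders(profiles_root, windows_root):
        if dry_run:
            report[folder] = ([e.path for e in os.scandir(folder)], [])
        else:
            report[folder] = empty_folder(folder)
    return report


if __name__ == "__main__":
    # Dry run against the real XP locations; pass dry_run=False to delete.
    result = clean_temp_locations(r"C:\Documents and Settings", r"C:\WINDOWS")
    for folder, (would_remove, _) in result.items():
        print(f"{folder}: {len(would_remove)} item(s)")
```

Anything listed under the failed side of a folder's report after a real run is the "messages concerning the deletion of system" case from the note above: leave those files alone.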

DMR 152 Wombat At Large Team Colleague

The worm and the rootkit are related, but unfortunately there are several variants of both.

1. Run Microsoft's Malicious Software Removal Tool. Download link and more info here:

http://support.microsoft.com/?scid=kb;en-us;897079


2. Run a few of these other free scans, have them clean what they find, and post any relevant information they may report:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/


3. Also post a fresh HJT log once you've finished the scans.

DMR 152 Wombat At Large Team Colleague

try using a very non expensive software provided by eacceleration is called stopsign

Actually, we don't really recommend eAcceleration products; please read this for an explanation of the reasons. In general, before using any "anti-spyware" software, you should (at the least) consult the list of programs in the link above; there are many imposters out there...

DMR 152 Wombat At Large Team Colleague

Hi Joe- thanks for reposting in this (separate) thread.

The following two log entries are indicative of a trojan infection, but there may very well be other infected components in areas of your system that HijackThis does not scan:

O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe

Can you find any information in your anti-virus programs' report logs which gives more specific details concerning the names and locations of the infected files they've found?
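The entries DMR singles out in this post, and the setup32.exe UserInit entry chased earlier in the thread, share two tells: a second executable chained onto the system.ini Shell or UserInit value, and a Run/RunServices entry whose file name is one or two letters off a well-known binary (msnmssgr.exe for msnmsgr.exe, scvhost.exe for svchost.exe) and given without a path. The triage script below is an added example, not code from the original posts, that applies those two checks to HijackThis F2 and O4 lines. The look-alike list is a small illustrative set, and the sample log is assembled from entries quoted in this thread plus two benign lines constructed for contrast.

```python
"""Triage HijackThis F2/O4 lines for (a) extra executables chained onto
the system.ini Shell/UserInit values and (b) autostart file names that
imitate well-known binaries. Added example for this thread, not from
the original posts; KNOWN_GOOD and the distance threshold are
illustrative choices.
"""
import re

# Constructed sample: lines quoted in the thread plus two benign entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

# Legitimate names malware likes to imitate (illustrative, not exhaustive).
KNOWN_GOOD = {
    "svchost.exe", "explorer.exe", "userinit.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "msnmsgr.exe", "ctfmon.exe", "services.exe",
    "spoolsv.exe", "rundll32.exe",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Known-good name this file imitates (distance <= 2), else None."""
    name = filename.lower()
    if name in KNOWN_GOOD:
        return None
    closest = min(sorted(KNOWN_GOOD), key=lambda g: edit_distance(name, g))
    return closest if edit_distance(name, closest) <= 2 else None


def basename(command):
    """File name of the program in a Run value, path/quotes/args stripped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.(?:exe|pif|com|scr|bat))(?=\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else (cmd.split()[0] if cmd.split() else cmd)
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Return [(line, reason)] for lines matching either pattern."""
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
            extras = [p for p in parts if basename(p).lower() != expected]
            if extras:
                findings.append((line, f"{key} chains extra executable(s): {', '.join(extras)}"))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, _key, _name, command = m.groups()
            exe = basename(command)
            twin = lookalike_of(exe)
            if twin:
                findings.append((line, f"{exe} imitates {twin}"))
            elif "\\" not in command and ":" not in command:
                # Bare name: found via PATH search, so it could live anywhere.
                findings.append((line, f"{exe} given without a path"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

A clean UserInit value normally ends in a trailing comma (C:\WINDOWS\system32\userinit.exe,), which the splitter tolerates; anything after that comma is what the F2 fixes in this thread remove. A hit from this script is a lead to verify against the file on disk and the vendor's own file list, not a verdict on its own.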

DMR 152 Wombat At Large Team Colleague

Hi dabrizzy, welcome to the site :)

You've got a few different infections showing up in your log; please do the following:

1. Run a couple of these free online anti-virus/anti-spyware scans; have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...n_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, update, and run these three tools; they are made specifically to remove the about:blank/sp.html#93256 infection you have:

CWShredder
About:Buster
HSRemove


3. In addition to Ad Aware and SpyBot, download and run these general detection and removal tools:

ewido Security Suite (free trial version)
Microsoft AntiSpyware beta


4. Reboot, run HijackThis again, and post a new log.

DMR 152 Wombat At Large Team Colleague

When you go to the Windows Update site, it automatically checks your system status. If the site is only offering you the SP2 download, that should indicate that it has detected that your system is current with all of the SP1 updates.

DMR 152 Wombat At Large Team Colleague

Generally speaking SP2 is stable, and it does have its benefits. It's no minor upgrade though, and it has caused problems for some, so you should make sure your system is absolutely problem-free and backed up before making the migration.

DMR 152 Wombat At Large Team Colleague

Versions of that puppy have been around for a couple of years now; if you install the most current updates for your anti-virus program, that should be able to clean it. If not, you can also try these free online anti-virus/anti-spyware scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/

If the a-v programs can't clean the infection for some reason, give us more details (the names of infected files, the names of the folders they live in, etc.).

DMR 152 Wombat At Large Team Colleague

In the days before Firefox was actually Firefox (Phoenix/Firebird) and ready for Prime Time, I used Netscape primarily, and sometimes Opera. But I too found that, as newer versions were released, Netscape was becoming too "Boggy and Cloggy".

I still use Netscape on my Linux boxen sometimes (it doesn't seem to suffer from the problems that the Win versions do), but Firefox has been my main browser on both platforms for some time now.