DMR 152 Wombat At Large Team Colleague

All seems to be good- you said your last run of the utilities found no infections, and your HijackThis log is clean. :)

is there anything I should restore (i.e. checking/unchecking certain properties)

You'll probably want to reset the Explorer options which revealed the hidden files and folders.

should I uninstall the anti-spyware tools I downloaded? Are there any you suggest keeping?

* Uninstall Webroot SpySweeper, as it will stop working entirely after the 14 day trial period expires.
* Keep MS Antispyware installed; it provides good "real-time" protection for your system.
* I'd keep ewido also; it's a very good anti-spyware program. Although its automatic update and auto-protect features will expire after the trial period, the main program can still be used to scan and clean your system; you'll just need to update it manually before scanning.
* I'd keep CCleaner as well; it's a good idea to run a program like that every once in a while just to clean out old/unused files that accumulate over time.

DMR 152 Wombat At Large Team Colleague

I can't find the things I'm supposed to check in Explorer... I open a browser...

It sounds like you're making a common mistake- you need to go to the "Tools" menu in Windows Explorer, not Internet Explorer. In your Start menu, go to Programs->Accessories; you should find a shortcut to Windows Explorer there.

Do I do this in safe mode??

Yes, that's a good idea. CCleaner should be able to do a more thorough job of deleting Temp files if you run it in Safe Mode.

DMR 152 Wombat At Large Team Colleague

Great; glad you found the right way to put the WiFi puzzle pieces together. :)

DMR 152 Wombat At Large Team Colleague

Your HijackThis log is clean, and Spy Sweeper and ewido were able to delete the malicious items they found; that's all good. Since the file that was originally flagged by Norton as being infected lived in a Temp folder inside your Local Settings folder, we should still have CCleaner flush out those folders.

You couldn't find the Local Settings folders because they are normally hidden, and I forgot to post instructions for making them visible. :o

Try this:

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu; check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Close Explorer after that.

* Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run …

DMR 152 Wombat At Large Team Colleague

Removing all pieces of that infection seems to be a bit of a pain; please do the following:

1. Disable System Restore.


2. Download and install the following (free) utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware (trial version) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your antivirus program and use its online update function to make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Download the HijackThis utility. Once downloaded, create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis.exe to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do. Do not actually run the program yet.


4. Reboot into safe mode (you get to the safe …

DMR 152 Wombat At Large Team Colleague

Even though the "Use XP Zero Config" option is selected, after I open the Zero config once and try to connect, or open the Linksys tool and try to connect, I can't use Zero Config again. It tells me it's not set as the network connection manager or whatever - even though I just used it.

Yup- exactly the conflicts I've run across. What makes things more frustrating is that there isn't one "right" way to configure WiFi cards. The instructions for some wireless devices explicitly say not to let Wireless Zero configure the card, while others say that you should let WZ configure the card; some devices are supposed to be connected to the computer before installing the associated software, while other cards have it the other way around. Go figure...

Ah, ok. By default the Linksys config tool has "Use XP Zero Config" Enabled. I guess I should disable that and do my fiddling. If that doesn't work, I suppose for safe measure, I could leave it enabled, configure them both the same way, then disable the Zero Config option to try and cement it in the proper configuration.

Sounds like you've got the idea; those are the kinds of dances I've had to go through to resolve the problems when I've encountered them.

DMR 152 Wombat At Large Team Colleague

...So I configured it for wep and mac filtering,...The laptop couldn't connect, it was stuck in a cycle of "Acquiring Network address" ... I reset and cycled the router, left it on factory settings... Now the laptop has wireless working too.

That was probably due to enabling WEP; I've had the same thing happen with Linksys WiFi setups I've configured. Sometimes you have to "experiment" with the Wireless DHCP and WEP configuration settings (especially the order in which you enable/apply the settings) of the router/access point and the computers until they talk to each other properly. One particular "gotcha" I've encountered is that settings for a computer's wireless card in Windows' built-in network configuration can conflict with the settings in the configuration software that gets installed with the network card. Odd things happen, such as Windows thinking that it should be using a static IP address while the WiFi card software thinks it should be using DHCP.

DMR 152 Wombat At Large Team Colleague

1. I think you're right- the DCOM errors are most likely just a result of the Safe Mode bootups.

2. Concerning the router: I used to prefer Netgear equipment, but I've honestly had better experiences with Linksys gear in the last few years, especially when it comes to wireless devices. If it really is an issue related to the router, trying a Linksys might very well clear things up.

Good luck; let us know how it goes...

DMR 152 Wombat At Large Team Colleague

Well, I've restarted the system several times since my last post and as of yet haven't gotten any new errors. I think the errors I had from before are from when I was actually setting up the network.

That could certainly be the case, at least for the DHCP and TCP/IP errors. The W32 Time messages are just the Windows Time service telling you that it can't reach a network time server to synchronize your computer's clock to, which could be due to Windows attempting to reach a time server at a point when you aren't connected to the 'Net, or to the fact that you haven't specified the address of a valid time server. The DCOM errors could relate to a number of things; posting the details of a couple of those might not hurt.

...the battery is perma dead, so I was moving from one spot to another in the house and it died before I could plug it back in. When I restarted, twice IE didn't even open when I clicked it. I tried to run the Control panel and it didn't open either. So I shutdown and it had two "end task/wait" dialogs for iexplorer. I wonder if somehow IE got messed up with all the updates..?

IE might be damaged in some way, but considering that you said the computer had just crashed because of the dead battery, it might only have been a "one-time confusion" caused by the crash; it's hard for me …

DMR 152 Wombat At Large Team Colleague

OK- let us know if you have any questions or problems.

DMR 152 Wombat At Large Team Colleague

OK- we'll be here... :)

DMR 152 Wombat At Large Team Colleague

It's not XP it's 2000...

Doesn't matter; both 2000 and XP are fully backward compatible in that regard.

All you should need to do is install each drive as a slave drive in the new system, paying attention to the Master/Slave jumper settings on your IDE devices. The drives should then appear in Windows Explorer; from there you can copy your old data to the new drive. I'd suggest working with the drives one at a time to minimize the chance of conflicts, especially since you indicated that one of the old drives is unbootable.

In terms of the unbootable drive, hopefully the damage is minimal enough that the system can at least read the data on the drive and let you copy it off. If the damage is severe enough that you can't even do that, let us know; there are further options you can try.

DMR 152 Wombat At Large Team Colleague

I don't see any malicious entries in your log, but what you describe (slow program start, delayed page loads, going to odd sites, etc.) does sound fishy. A couple of things to try:

1. Download Firefox and see if it exhibits any of the same browsing problems.

2. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning" which might be related to the problems. Double-clicking on such an entry will open a properties window with more detailed information on the error; post that info here. To do so:

In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.

DMR 152 Wombat At Large Team Colleague

It all looks clean. :)

DMR 152 Wombat At Large Team Colleague

I've edited my previous post to include some further detection and cleaning steps that you should probably perform just to make sure that there's nothing still lurking about in your system.

Go through those steps and then post the requested log files; it never hurts to be cautious....

DMR 152 Wombat At Large Team Colleague

Although I'm not a web designer, judging from a look at the source code of that OneTel page, I believe that the text in/on the page is static. Furthermore, comments visible in the page's source code seem to indicate that certain dynamic functions/elements of the page, such as truly checking your IP address, haven't been added (yet?).

In other words, I think that anyone who goes directly to the page you linked to is going to see exactly the same information, regardless of how they are accessing the page. (For instance, the page tells me that my IP address is also 10.240.245.241.)


However, as the "itunesff.exe" file is known to be a component of a rogue dialer infection, we should probably dig a bit deeper:

1. Download and install the following (free) utilities, but don't run them yet:

CCleaner - www.ccleaner.com
Ad Aware SE Personal - www.lavasoftusa.com

* Open Ad Aware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

* Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.

* Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run …

DMR 152 Wombat At Large Team Colleague

Can you describe the problem(s) in more detail please? There are only a couple of possibly suspicious entries in your log, but HijackThis isn't as effective at pointing out infections on Win 98 systems as it is on Win 2000 or XP systems.

DMR 152 Wombat At Large Team Colleague

Malicious programs often add their own entries to the Registry or alter existing entries in order to modify the behaviour of your system to their benefit. There are a number of effects that can be achieved by these modifications; a few of the more common are:
* Denying access to system utilities such as msconfig, Task Manager, and the Registry Editor.
* Disabling/crippling anti-virus and anti-spyware programs.
* Ensuring that malicious components are auto-started when Windows boots.
* Hiding malicious files/folders from view in Explorer or Task Manager
* Lowering or disabling Windows security settings.
* Controlling network communications.

Custom/targeted .reg files can be constructed to undo the Registry modifications made by a given infection. In the particular .reg file I posted, the entries in the file:

#1: Re-enable the Windows Firewall.
#2: Re-enable DCOM (Distributed Component Object Model), which handles inter-process communication across networks.
#3: Re-enable Windows' Automatic Update feature.
#4: Restore the default access rights for anonymous logins.
#5: Delete an entry which runs the malicious "winPE.exe" program at Windows start-up.

DMR 152 Wombat At Large Team Colleague

I used this tool from Atribune: http://www.atribune.org/ccount/click.php?id=4
and it seems to be gone...

Weird- that's a link to the same VundoFix program that you said hadn't worked before. Well, whatever happened this time, the program appears to have done the job- your log is clean now. :)

DMR 152 Wombat At Large Team Colleague

At the very least, you are infected with a variant of the W32/Rbot worm.
Judging from the following information in your HijackThis log's header, you are also running very outdated versions of XP and Internet Explorer:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Before doing anything else, download and install XP Service Pack 1a; the Service Pack fixes many bugs and security loopholes that allow malicious programs to install and run on your system.


1. I don't see any signs of an active antivirus program in your HijackThis log. If you do have an AV program installed, the worm may have disabled it; we'll attempt to fix that shortly. If you don't have an AV program installed, please download and install the free AVG antivirus utility now.


2. Open Windows Notepad, cut-n-paste the entire contents of the Quote box below into the new Notepad document, and then click the "Save As..." option under the "File" menu. In the Save As window, name the file RbotFix.reg and save it to your desktop:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"ms ownage"=-

3. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware -
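Before merging a posted .reg file such as RbotFix.reg above, it is worth listing exactly which values it will set or delete. The following Python script is an added example, not the forum author's tool: it parses the "Windows Registry Editor Version 5.00" format and reports each entry, and the embedded sample is a constructed copy of the five entries quoted above (the ones the earlier post on this page explains item by item).

```python
"""Audit a Windows .reg file before importing it (added example, not from the forum post).

Lists every key/value the file touches and whether it sets or deletes it, so the
reviewer can confirm the file does only what the accompanying instructions claim.
"""
import re

# Constructed sample: a copy of the five entries from the RbotFix.reg quote box.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"ms ownage"=-
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [-Key] deletes the whole key
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data

# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<svc>.
SERVICE_START = {2: "Automatic", 3: "Manual", 4: "Disabled"}


def decode_data(rhs):
    """Decode the data encodings the format uses most: "string", dword:, hex:."""
    if rhs.startswith('"') and rhs.endswith('"') and len(rhs) >= 2:
        return ("REG_SZ", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[len("dword:"):], 16))
    if rhs.startswith("hex:"):
        return ("REG_BINARY", bytes.fromhex(rhs[len("hex:"):].replace(",", "")))
    raise ValueError(f"unsupported data encoding: {rhs!r}")


def parse_reg(text):
    """Return the file's entries in order as dicts: key, value, action, data."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor 5.00 file")
    entries, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":                 # [-Key] removes the key and everything under it
                entries.append({"key": key, "value": None, "action": "delete_key", "data": None})
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "(Default)" if m.group(2) else m.group(1)
        rhs = m.group(3)
        if rhs == "-":                            # "name"=- removes that single value
            entries.append({"key": key, "value": name, "action": "delete_value", "data": None})
        else:
            entries.append({"key": key, "value": name, "action": "set", "data": decode_data(rhs)})
    return entries


def describe(entry):
    """One human-readable audit line per entry, annotating service start types."""
    key, name, action = entry["key"], entry["value"], entry["action"]
    if action == "delete_key":
        return f"DELETE KEY   {key}"
    if action == "delete_value":
        return f"DELETE VALUE {key} -> {name!r}"
    kind, val = entry["data"]
    note = ""
    if "\\Services\\" in key and name.lower() == "start" and kind == "REG_DWORD":
        note = f"  (service start type: {SERVICE_START.get(val, 'unknown')})"
    return f"SET          {key} -> {name!r} = {kind} {val!r}{note}"


if __name__ == "__main__":
    for e in parse_reg(SAMPLE_REG):
        print(describe(e))
```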

DMR 152 Wombat At Large Team Colleague

1.

The device, \Device\Harddisk0\D, has a bad block.

That error usually indicates a physically damaged spot on the hard drive. This is obviously not a Good Thing in itself, and it can also be an early warning sign of a failing drive. I'd suggest:

A) Running Windows' ScanDisk utility:
* Double-click My Computer
* Highlight a local hard disk drive by clicking on it once.
* Right click the highlighted local drive
* Click properties
* Click the tools tab and click check now to check the drive for errors.

B) Visiting the drive manufacturer's support site and downloading their hard drive diagnostic utility; it will probably do a more comprehensive job of testing/repairing your drive than ScanDisk.


2.

Faulting application explorer.exe, version 6.0.2900.2180, faulting module wininet.dll, version 6.0.2900.2180, fault address 0x00037d96.

There can be a number of different causes for this error. Read/try some of the pertinent fixes in these Microsoft support articles on the issue.

DMR 152 Wombat At Large Team Colleague

I have put a selective startup and stopped lsass from running because a dos popup was occurring on startup system32/cmd.exe.

That sounds suspicious; please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

SpyBot's "Tea Timer" protection feature may be interfering with the fix/file kill attempts.

1. Open Spybot and:
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box if it is checked.
- In the File menu click "Exit" to exit Spybot Search & Destroy.


2. Run HJT and have it fix the two ljhij.dll entries again.


3. Reboot the computer into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

- Run Cleanup! again.

- Try the Killbox deletion again.


4. Reboot Windows normally, run HijackThis again, and post the new log.

DMR 152 Wombat At Large Team Colleague

Unfortunately, the two malicious entries in your first HJT log are still present in the new log you just posted. :(

Let's see if we can delete the malicious ljhij.dll file with a slightly more "brute-force" approach:

1.Download the Pocket Killbox utility and save it to your desktop or some other convenient folder. Don't run the program yet.

2. Close/quit all open programs (including your web browser), run hijackThis again, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ljhij.dll
O20 - Winlogon Notify: ljhij - C:\WINDOWS\system32\ljhij.dll

Close HJT when it completes the fixes.


3. Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\system32\ljhij.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click Yes at the subsequent request to actually reboot.


4. Once the computer reboots, run HijackThis again and post the new log.

DMR 152 Wombat At Large Team Colleague

Open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a properties window with more details. If you see any entries whose details look like they might relate to the problem(s) you're having, post the full and complete contents of the details window(s) here. Here's the easiest way to post those details:

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.
- Paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

DMR 152 Wombat At Large Team Colleague

1. "sass.exe" is a component of a trojan infection, but I see no signs of that particular trojan (or any other "nasties", for that matter) in your log.

2. C:\WINDOWS\system32\Lsass.exe is a valid Windows program/process; is that possibly what you saw?

3. Do your antivirus/antispyware programs flag anything malicious/suspicious?

4. What is the name of the suspicious folder on the desktop? What are the names of the files inside the folder?

DMR 152 Wombat At Large Team Colleague

Looks good. Your HJT log is clean now, and ewido appears to have done its job as well.

Does everything seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

Although my first hunch would be to check for a legit program which might be scheduled to perform automatic updates at that time, there is one nasty infection evident in your HJT log. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning. It should look like this: Quote:
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk . Press enter to continue....
  • At this point press enter one time.
  • Next you will see: Quote:
    Please Type in the filepath as instructed by the forum staffand then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ljhij.dll
  • Press Enter to continue with the fix.
  • Next you will see: Quote:
    Please type …
DMR 152 Wombat At Large Team Colleague

Looks good to me. Does everything seem to be back in order now?

DMR 152 Wombat At Large Team Colleague

A) C:\WINDOWS\System32\ctfmon.exe is normally a valid component of the MS Office suite. There are infections which use a malicious file named ctfmon.exe, although the malicious versions of the file are usually placed in a directory other than C:\WINDOWS\System32.
You can check the validity of the C:\WINDOWS\System32\ctfmon.exe file by locating it in Windows Explorer, right-clicking on it, and choosing "Properties" from the resulting pop-up menu. In the Version tab of the properties window you should see information indicating that it is indeed the Microsoft file.

B) Open your Add/Remove Programs control panel and see if the Secure Shield program is listed there. If so (and if you did not knowingly install the program), uninstall it now.


C) To clean up the leftovers of "jake.scr" and other possible infections, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install the following utilities:

CCleaner - www.ccleaner.com
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

DMR 152 Wombat At Large Team Colleague

As it stands now, your log is clean. However, items that have been disabled won't appear in the log, so please re-enable any startup items which were disabled in/with msconfig, run HijackThis again, and post a new log.

DMR 152 Wombat At Large Team Colleague

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. What can you tell us about this program that shows up in your list of running processes: E:\browser.exe ?


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start …

DMR 152 Wombat At Large Team Colleague

That's a clean log :)

Now that your system seems to be back in good order:

1. Flush out your old System Restore points and set a fresh new Restore Point. Explanation and instructions can be found here.

2. Have a read through these threads for further suggestions on protecting and disinfecting your system:

http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html

DMR 152 Wombat At Large Team Colleague

The computer is only 2 or 3 years old, I don't think the cd-rom would be faulty.

Perhaps not, but until you test the possibility, you can't rule it out. Here are a few tests which could confirm or rule out a hardware problem:

- Change the ribbon (data) cable between the drive and the motherboard.
- If the motherboard has two IDE channels, connect the drive to the other channel. Pay attention to Master/Slave jumper settings when moving the drive.
- Install a known-to-be-working drive in place of the problematic one.
- Install the problematic drive in another computer.


Your HJT log shows no signs of "unwanted guests", and the utilities you've already run do a pretty good job of cleaning, so I've no reason so far to believe that malicious infections are the cause. However, if you want to dig a bit deeper into that possibility, here are a few other detection and removal tools you can try:

ewido - http://www.ewido.net/en/download/
Microsoft Antispyware - http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
Rootkit Revealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html

DMR 152 Wombat At Large Team Colleague

Good work; just a little cleanup to do :)

1. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)


2. Locate and delete the C:\WINDOWS\blank.mht file and empty your Recycle Bin.


3. Reboot, run HJT this one (hopefully) final time, and post the new log.

DMR 152 Wombat At Large Team Colleague

Good work; that's a clean log :)
How does everything seem to be running now?

DMR 152 Wombat At Large Team Colleague

Your log shows signs of a few different infections. Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Use your Add/Remove Programs control panel to uninstall WeatherBug; it has spyware components.


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido anti-malware (14 day free trial) - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R0 - HKCU\Software\Microsoft\Internet …

DMR 152 Wombat At Large Team Colleague

You should do the other steps as well, because I see at least one component of a separate infection (not Smitfraud/SpyAxe/Spy Sheriff) in your log, and there are probably other malicious entities that HijackThis isn't reporting. Running ewido and Ad Aware will help clean out those "loose ends".

Run those utilities, and then do another scan with HijackThis. Post the new HJT log and the log that ewido generates so that we can be sure your system is entirely clean.

DMR 152 Wombat At Large Team Colleague

Your log is clean. Secure login problems aren't usually the result of malicious infections, but there are more than a couple of possible causes.

Try this fix first:

Register the following system files
Click Start > Run
Type "regsvr32 softpub.dll" (w/o quotes)
Press OK
Repeat the above steps for the following:
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

Reboot the system after doing the above.

If that doesn't work, search our Windows forums for combinations of the following keywords to find other possible fixes:

hotmail login secure password "page cannot be displayed" MSN

DMR 152 Wombat At Large Team Colleague

You have a variant of the Smitfraud/SpySheriff/AntiVirusGold/SpyAxe/etc. family of infections, which require a special procedure to remove:

You will want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as …
DMR 152 Wombat At Large Team Colleague

Good work- you've cleaned out a fair number of "unwanted guests".
There are still infections present though, so:

First: C:\DOCUME~1\OWNER~1.UPP\LOCALS~1\Temp\Rar$EX00.438\HijackThis.ex

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.
-------------------------------------------------------------------------------------
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Open the Services utility in your Administrative Tools control panel.

* In the list of services, locate the service named "NTBOOTMGR" and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.
* Once the service is stopped, choose Disabled in …

DMR 152 Wombat At Large Team Colleague

A HijackThis log?

No, but close- I was after a log generated by the "smitrem" utility, an infection-specific removal tool :)

DMR 152 Wombat At Large Team Colleague

the computer is obviously infected

Not at all; the problem could be caused by a number of things. Did SpyBot, Ad Aware, etc. turn up anything that makes you suspect a malicious infection?

Personally, I'd look for non-malicious causes first; it's been a loooong time since I've seen an "unwelcomed" program that mucks with CD drives in the way you describe.

DMR 152 Wombat At Large Team Colleague

The errors you're experiencing could be due to a few different things, so it might take some work to pinpoint/fix the exact cause. Can you help us narrow down the possibilities, please?

1. Was the spyware/virus cleaning done after the problem appeared, or before? Can you tell us the names (or even the symptoms) of any of the infections?

2. Run the System File Checker to see if it detects any missing/corrupt system files (instructions for/explanation of the SFC utility are here). If problems are found, it may prompt you for the XP install CD in order to retrieve good copies of the files it needs to refresh/replace.

3. Did anything else occur just prior to the errors occurring which might have contributed to them (new programs installed, old ones uninstalled, other changes to the system)? Without making him feel like he's done something wrong, ask your son if he can shed some light in this regard.

4. How does the computer work when booted into Safe Mode as opposed to when booted normally?

5. Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a properties window with more detailed information on the error; post that info here. To do so:

In the Properties window of a given entry, click on the button with the graphic of …

DMR 152 Wombat At Large Team Colleague

Good work; your log is clean now. :)

Does everything seem to be working correctly now?

DMR 152 Wombat At Large Team Colleague

That's better, thanks. Your log doesn't look too bad, but there are enough leftovers from Look2Me and other infections that a bit more general cleaning is probably in order.
There's one thing to take care of before we continue, though:

C:\DOCUME~1\Carla\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move/unzip the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open …

DMR 152 Wombat At Large Team Colleague

There's only one leftover that I see in your log; run HJT again and have it fix:
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)

There are a few variants of the "hacktool.root" infection, and not all of them install components that are detected in a HJT scan. Given that, do scans with Norton and your other utilities come up clean now? If not, please give us the exact details (file names, file locations, etc.) of the detected infections.
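The two checks DMR makes by eye in this thread (HijackThis.exe being run from inside a Temp folder, and an O20 Winlogon Notify entry whose DLL is marked "(file missing)") can be automated over a saved hijackthis.log. The script below is an added example and not code from the thread or from the HijackThis project; the log lines it parses are constructed to mimic HJT's format, and the function names and the Temp-folder heuristic are my own.

```python
"""Triage a HijackThis-style log for two leftovers discussed in this thread:
HijackThis launched from a Temp/Temporary folder, and O20 Winlogon Notify
entries whose DLL is reported as "(file missing)".
Added example; the sample log below is constructed, not a real log."""
import re
from pathlib import PureWindowsPath

# Constructed sample lines in HijackThis log format (hypothetical paths/names).
SAMPLE_LOG_LINES = [
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\DOCUME~1\USER~1\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe",
    r"",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    r"O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

# O20 lines look like: "O20 - Winlogon Notify: <name> - <dll path> (file missing)"
O20_MISSING = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?) \(file missing\)$")


def is_in_temp_folder(path: str) -> bool:
    """True if any *folder* component of a Windows path is a Temp/Temporary
    directory (e.g. ...\Temp\..., ...\tmp\..., 'Temporary Directory N for x.zip')."""
    folders = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(f in ("temp", "tmp") or f.startswith("temporary directory")
               for f in folders)


def find_hjt_in_temp(log_text: str) -> list:
    """Return every HijackThis.exe path in the 'Running processes' section
    that lives inside a Temp folder (the case this thread tells users to fix)."""
    hits = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                      # blank line ends the section
            in_processes = False
            continue
        if in_processes:
            name = PureWindowsPath(line).name.lower()
            if name == "hijackthis.exe" and is_in_temp_folder(line):
                hits.append(line)
    return hits


def find_missing_o20(log_text: str) -> list:
    """Return the names of O20 Winlogon Notify entries whose DLL is missing;
    these are orphaned registry references that HJT can remove."""
    names = []
    for line in log_text.splitlines():
        m = O20_MISSING.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def triage(log_text: str) -> dict:
    """Summarise both checks for a log."""
    return {
        "hjt_in_temp": find_hjt_in_temp(log_text),
        "o20_missing": find_missing_o20(log_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["hjt_in_temp"]:
        print("Move HijackThis out of a Temp folder:", path)
    for name in result["o20_missing"]:
        print("O20 Winlogon Notify entry with missing file (fix with HJT):", name)
```

To use it on a real log, read the saved hijackthis.log into a string and pass it to triage(); the "Running processes" section is only recognised when it is followed by a blank line, as in HJT's output.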

DMR 152 Wombat At Large Team Colleague

Hi rclksr,

Please paste your hijackthis log directly into your post instead of attaching it as a Word doc:

Run HijackThis again. Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

DMR 152 Wombat At Large Team Colleague

Looks good- there are no signs of infections in your latest HJT log. :)

Does everything seem to be working properly now?

DMR 152 Wombat At Large Team Colleague

Which classes you take pretty much depends on your goal- are you taking the classes just for personal knowledge, or are you taking them for career/employment-related reasons? Also- have you subscribed to one of New Horizon's 6 or 12-month "package" deals, or are you taking classes on an individual basis?