DMR 152 Wombat At Large Team Colleague

Hi titan5239, welcome to DaniWeb :)

Unfortunately, everything has not been cleaned, but before proceeding with the fixes, there is one thing you need to take care of first:

C:\DOCUME~1\Chris\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:
Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

-------------------------------------------------------------------------------------------------
Once you've taken care of the above:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - …

DMR 152 Wombat At Large Team Colleague

Wretched log you've got there.

DMR 152 Wombat At Large Team Colleague

I'm currently taking A+ classes with New Horizon...

My condolences; I hope your instructor there knows a heck of a lot more than mine did. :(

- Actually, the A+ course materials that New Horizons was using when I went were pretty well targeted to the test if I recall, although that was some years ago and they may be using different books now.

- I used to have bookmarks for tons of online testing resources, but those are long gone now. If you Google for combinations of the keywords CompTIA, exam, cram, test, online, study, etc., you'll find a good number of sites. Many of the sites require that you register before you can access the best sample exams and other resources, but if don't mind a little extra spam in your inbox (or if you use a "throw-away" email address), registering can be worth it.

DMR 152 Wombat At Large Team Colleague

Glad we could help, TheGu3st. Have a happy and virus-free New Year. :)

DMR 152 Wombat At Large Team Colleague

After ewido finished scanning, it popped up with this message:
The file "C:\Documents and Settings\Emmie\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll" cannot be removed because it is embedded in the archive "C:\Documents and Settings\Emmie\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat". Do you want to remove the whole archive?
I clicked on Yes, since I figured I could just uninstall Wildtangent and reinstall if needed. Was that a good choice?

Yes- the Wild Tangent programs contain adware/spyware components; it is recommended that you remove them. Ewido also picked up a piece of the WeatherBug program, which is ad-sponsored as well, so it should be uninstalled too.

Also, I searched my C: drive for "nvidGUIv" and was only able to find "NVIDGUIV.EXE-089AD208.pf" in C:\WINDOWS\Prefetch. Earlier, a friend told me to delete that file, but it seemed to have returned. I didn't delete it this time, just in case. Should I manually delete it again?

Yes, and as a matter of fact, you can delete all of the files in the C:\WINDOWS\Prefetch folder. Here's the story on that:
"To increase the startup time of your applications, Windows pre-loads portions of programs in a folder called Prefetch. Malware sometimes embeds itself in this folder and uses that as their ‘autostart’ mechanism each time you boot.
Since Windows will automatically repopulate the Prefetch folder with valid program entries, emptying the entire contents of the folder won’t do any harm. You can do this by going to C:\Windows\Prefetch; open the Prefetch folder, click on Edit, Select All, …

DMR 152 Wombat At Large Team Colleague

Hi emmie, welcome to DaniWeb :)

Before proceeding with the main fixes, uninstall the "Surf Accuracy" program via your Add/Remove Programs control panel; the program is spyware.

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "nvidGUIv" or "nvidGUIv2" and double-click on it.

- In the General tab of the Properties window …

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

Have a happy, spyware-free New Year!

DMR 152 Wombat At Large Team Colleague

Good job; your log is clean now :)

DMR 152 Wombat At Large Team Colleague

do I also have to delete the other registry?

The "other" registry? I don't understand what you're asking. If you made the hpdriver.reg file and merged it with the registry, it will have deleted the LEGACY_HPDRIVER registry key, which is the only registry entry you mentioned.

The confirmation prompt you received when you merged the .reg file I had you create does ask if you want to "add this information to the Registry", but in this case the .reg file actually performs a deletion, not an addition. Notice the hyphen at the beginning of the HKEY_LOCAL_MACHINE\... line in the .reg file; it is interpreted as a "minus" sign, telling the system to remove the key following it.

DMR 152 Wombat At Large Team Colleague

OK, looks good so far. Let's go for the loose ends:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\RunServices: …

DMR 152 Wombat At Large Team Colleague

The Temporary Internet Files folder is just that- temporary; you can delete everything in those folders:

* Open your Internet Options control panel.
* In the General tab, click on the "Delete files..." button.
* In the resulting window, put a check mark in the "Delete offline content" box and then hit OK.
* The deletion may take a while, so be patient.

If Defender is giving you problems, try uninstalling it entirely and reinstalling it.

DMR 152 Wombat At Large Team Colleague

VNC would do the trick. Here's a good (and free) VNC program:

http://www.tightvnc.com/

DMR 152 Wombat At Large Team Colleague

OK:

1. See this link for the "16 bit MS-DOS Subsystem..." error; you must resolve that error before we proceed.

2. From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. (If you get prompted for a password while running L2MFix, type: bye )

Copy the contents of the L2M log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

1. Did you try cleaning the infection by running Defender in Safe Mode as jaishankar suggested? Before going in to Safe Mode, use Defender's online update feature to make sure you have the absolutely most current virus detection database installed.


2.

I found the file it was believed to be in, and I deleted it, but when I ran another scan, it is still showing it being there.

Please tell us the exact name and location of the infected file.


3. Try at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/hou.../start_corp.asp
Make sure you tick Auto Clean.
When it completes, post back the full filename of any files that cannot be cleaned or deleted.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx


4. If the above suggestions don't solve the problem:

Download the (free) HijackThis utility.

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once …

DMR 152 Wombat At Large Team Colleague

OK- that looks right.
If you're comfortable editing the Registry you can just delete the LEGACY_HPDRIVER subkey yourself.

Otherwise:

* Open a new file in Windows Notepad
* Copy-n-paste the text in the Code box below into that document
* Save the file to your desktop as hpdriver.reg
* Double-click on the file to run it
* Click "Yes" when prompted to add the information to the Registry
* Reboot

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]
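As an added example (not from the thread), here is a small Python preview of what a .reg file will do when merged: it separates the hyphen-prefixed key deletion described in the post from key additions, value writes and value deletions, so the file can be checked before double-clicking it. The hpdriver.reg text is the one from the post; the second file is a constructed sample.

```python
"""Preview the actions a REGEDIT 5.00 .reg file performs when merged.

Added example; not code from the DaniWeb thread. It parses enough of the
.reg text format to tell [-KEY] (delete key and all subkeys) from [KEY]
(create/open key), and "name"=- (delete value) from "name"=... (write value).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER = "Windows Registry Editor Version 5.00"

# A value line is @ (the default value) or a quoted name, then '=' and data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass
class RegAction:
    key: str
    op: str                                  # "delete_key" or "add_key"
    values_set: list = field(default_factory=list)
    values_deleted: list = field(default_factory=list)


def parse_reg(text: str) -> list[RegAction]:
    """Return one RegAction per [section] in merge order."""
    lines = text.lstrip("\ufeff").splitlines()   # tolerate a BOM
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a REGEDIT 5.00 file: missing header line")
    actions: list[RegAction] = []
    current: RegAction | None = None
    continuing = False                           # inside a hex:..,\ continuation
    for raw in lines[1:]:
        line = raw.strip()
        if continuing:                           # swallow wrapped hex data
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith(";"):     # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):             # the "minus" the post describes
                current = RegAction(body[1:], "delete_key")
            else:
                current = RegAction(body, "add_key")
            actions.append(current)
            continue
        if current is None:
            raise ValueError(f"value line outside any key section: {line}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.strip() == "-":
            current.values_deleted.append(name)
        else:
            current.values_set.append(name)
        continuing = data.endswith("\\")
    return actions


def summarize(text: str) -> dict:
    """Compact summary suitable for a pre-merge sanity check."""
    actions = parse_reg(text)
    return {
        "keys_deleted": [a.key for a in actions if a.op == "delete_key"],
        "keys_added": [a.key for a in actions if a.op == "add_key"],
        "values_deleted": sum(len(a.values_deleted) for a in actions),
        "values_set": sum(len(a.values_set) for a in actions),
    }


# The hpdriver.reg file from the post: one key deletion, nothing added.
HPDRIVER_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDRIVER]
"""

# Constructed sample (hypothetical key) showing the other line types.
SAMPLE_ADD_REG = r"""Windows Registry Editor Version 5.00

; constructed example, not from the thread
[HKEY_CURRENT_USER\Software\ExampleApp]
"Start"=dword:00000004
"OldValue"=-
@="default text"
"Blob"=hex:00,01,\
  02,03
"""

if __name__ == "__main__":
    for label, reg in (("hpdriver.reg", HPDRIVER_REG), ("sample", SAMPLE_ADD_REG)):
        print(label, summarize(reg))
```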
DMR 152 Wombat At Large Team Colleague

The full registry entry for hpdriver-

HKEY_LOCAL_MACHINE/SYSTEM/ENUM/ROOT/LEGACY_HPDRIVER

:-( I just noticed that was a waste of time... you hit it right on target besides the "CurrentControlSet" part.

Can you check that path again, please? There is no (valid, at least) ENUM subkey directly under the HKLM\SYSTEM key; the ENUM subkeys should only appear under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x subkeys.

DMR 152 Wombat At Large Team Colleague

Hello jgrieco, welcome to DaniWeb :)

You have a version of the "Look2Me" infection; please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

That sounds right- hpdriver.sys does have two or three related Registry entries, but I'm pretty sure ntfsprotect.exe doesn't.

Please post the full and exact path of the Registry entries. For example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDRIVER

DMR 152 Wombat At Large Team Colleague

Please don't include the path (C:\windows) and the extensions (.exe, .sys) while searching the registry.

Right; if you search the Registry for "hpdriver" or "ntfsprotect", you may find a few leftover entries.
In terms of the actual files, if you searched for the filenames in the way I described in my last post but didn't find them, that means that your utilities found and deleted them.

DMR 152 Wombat At Large Team Colleague

I see no signs of infections in your log, nor do I see anything else which looks like it might be the source of the problems.

Open the Event Viewer utility in your Administrative Tools control panel and have a look through your System and Application logs for entries flagged with "Error" or "Warning". If you find such entries, double-clicking on them will open a window containing more details. If you find any entries which seem like they might related to your problems, post the full and exact contents of the details window(s).

DMR 152 Wombat At Large Team Colleague

Hi hateviruses123, welcome to DaniWeb.

A) C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


B)

I once had the virus that gave my desktop a blue screen and a black box in the center... after trying to right click desktop>properties>display tab, I am unable to change/click anything...

That's a side effect of the "Smitfraud" and "SpySheriff" infections. Please do the following:

- Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop.

- Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES.

- Reboot your computer; your display properties should …

DMR 152 Wombat At Large Team Colleague

Your HJT log is clean, but not all of the components of the particular infection that Norton is finding are reported in a HijackThis scan. Do a manual check to make sure the infected files have been deleted:

1. Reboot into Safe Mode again.

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

3. Delete the C:\WINDOWS\system32\hpdriver.sys file if it still exists.

4. Search for the following file; delete it if it exists: C:\WINDOWS\Ntfsprotect.exe

5. Empty your Recycle Bin and reboot normally.

6. Once rebooted, run another scan with Norton and see if it still detects the infection.

DMR 152 Wombat At Large Team Colleague

First of all, get rid of that Norton Antivirus.

You have Windows XP with SP2, then why do you need the Google toolbar?

:rolleyes:


madspook,

I see no signs of malicious infections or other problems in your log. Can you describe your connection issue(s) in more detail please? The more information we have concerning the problem, the faster we'll be able to help you get it solved.

DMR 152 Wombat At Large Team Colleague

You have a few different "unwanted guests" listed in your log. Please do the following:

- Open your Add/Remove Programs control panel and uninstall these programs if they appear in the list of installed programs:

My Way/My Search/My Bar
Wild Tangent
BrowserAid
BrowserPal
CashToolbar
Web Toolbar
iSearch
If you did not knowingly install the "CrazyTalk" program, remove that as well.

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Anti-virus and use its LiveUpdate feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, but don't run it yet.


4. …

DMR 152 Wombat At Large Team Colleague

Hi nooklogan,

First of all- welcome to TechTalk :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your HijackThis log in that thread. Once you start the new thread, we will assist you there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Hi TheGu3st, welcome to DaniWeb :)

Before we start to remove the infection, there is one thing you have to take care of first:

C:\DOCUME~1\SADHWA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process …

DMR 152 Wombat At Large Team Colleague

Error 39 is one of the error codes associated with the Registry issue I've mentioned, and the fact that you're getting the error for both drives simultaneously makes it less likely that the drivers are truly corrupt or missing.

Please read and follow the instructions in the Microsoft article I linked to carefully; if you find "upperfilters" and/or "lowerfilters" entries in your Registry, there's a very good chance that the described fix will work. Please ask questions before doing anything that you are unsure of though, as incorrectly editing the Registry can make matters worse.

DMR 152 Wombat At Large Team Colleague

Please post the exact errors from Device Manager, including the error codes (if they're given).
If you read the Microsoft article referenced in the post I linked to above, you'll see that certain CD/DVD driver errors in Device Manager are indicative of the Registry problem described in the article. The problem will not be fixed by reinstalling the drivers.

DMR 152 Wombat At Large Team Colleague

- Close Internet Explorer.
- Open your Internet Options control panel.
- Click on the Security tab.
- Select/highlight the "Internet" zone.
- Click the "Custom Level..." button to open the Security Settings window.
- Scroll down the list of Settings to the "ALLOW META REFRESH" option and make sure it is set to "Enabled".
- Click OK in the Security window and then click OK in the main Internet properties window.
- Open Internet Explorer again and see whether or not the problem still occurs.

DMR 152 Wombat At Large Team Colleague

Are the drives listed in Device Manager, and if so, are they reported to be working properly?

Also- there is a documented problem with "disappearing" CD/DVD devices in Windows. Please see this post for more info and a possible solution.

DMR 152 Wombat At Large Team Colleague

Your log is clean. As far as the toolbar change goes, does SpywareGuard tell you anything more specific than the fact that it relates to the Google toolbar?

DMR 152 Wombat At Large Team Colleague

Good work; it took a little doing, but your log is clean now :)

Does everything seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

Hi Smokey29, welcome to DaniWeb :)

1. Yes- many of the malicious infections do have the ability to "morph" the names of their files.

2. Unfortunately, the traditional anti-virus/SpyBot/Ad Aware trio is often not enough to rid your system of some of the more nasty infections that exist today. Microsoft Antispyware beta, ewido Security Suite, and Webroot Spy Sweeper are proving to be more effective against the newer spyware/adware threats, and infection-specific removal procedures are often necessary.

3. I haven't seen anything that definitively states that SpyAxe and the hacktool infections come hand-in-hand, but I've seen enough posts where both infections are present to start me thinking that there might be a connection. Even if that's not true, it definitely isn't uncommon for malicious infections as a whole to come as a "package deal"; if you've got one, chances are that you've got more than one.


4. In terms of what you should or shouldn't do, or in what order you should do things, that can depend on which specific infections or variants of infections you are dealing with. Sometimes a "shotgun" approach works, but in other cases one infectious component must be removed before others can be successfully deleted. If you want to post a HijackThis log for us to review, we can probably give you a better answer to this.

DMR 152 Wombat At Large Team Colleague

Better still; only three leftovers to go...

1. Run HJT again and have it fix:

O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)


2. Reboot into Safe Mode again.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Verify that the following files have truly been removed; if not, delete them now:

C:\WINDOWS\system32\netna.dll
C:\WINDOWS\system32\appon32.dll
C:\WINDOWS\d3lh.dll

- Empty your Recycle Bin.

- Perform one more scan/fix with ewido and save the new scan report log.


3. Reboot normally, run HijackThis again, and post the new (and hopefully final) log. Also post the log that ewido generated.

DMR 152 Wombat At Large Team Colleague

Many infections have been cleaned, but the main Home Search/about:Blank infection still appears to be present.

Please run the 4 about:blank-specific utilities (from #1 in my last post) again and post a new HJT log.

DMR 152 Wombat At Large Team Colleague

Looks good now; that's a clean log. :)

Does the system seem to be functioning properly now?

DMR 152 Wombat At Large Team Colleague

All looks good from here- Your HJT log is clean now, and ewido deleted a couple of other hidden "nasties" as well. :)


Does everything seem to be working properly now?

DMR 152 Wombat At Large Team Colleague

Other than the following two "loose ends", which you should have HJT fix, the log looks clean:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {301F1B2E-EBA7-430C-60B2-5DB343B2583B} - (no file)

DMR 152 Wombat At Large Team Colleague

The following entry is still present; try fixing it again:

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

Other than that though, the log looks clean.

DMR 152 Wombat At Large Team Colleague

Your latest log is much cleaner, but there are two entries which did not get fixed, and one new entry as well.

1. Run HijackThis again and have it fix:

F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files if they still exist:

C:\WINDOWS\system32\st3.dll
C:\WINDOWS\alt.exe


3. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also let us know if the "can't connect" message still appears or not.

DMR 152 Wombat At Large Team Colleague

That's a clean log, tayspen :)

For future protection, I'd recommend that you install Microsoft Anti-Spyware beta; it does a good job of removing "nasties" and also provides real-time protection.

DMR 152 Wombat At Large Team Colleague

Hi Adi, welcome to DaniWeb :)

Your log indicates quite a few "unwanted guests", and it also indicates that you have a couple of "bogus" anti-spyware programs installed.

A) SpyFighter and AdwareAlert are programs known to display false positives in an effort to coax/scare you into paying money for their products; you should uninstall both programs using your Add/Remove Programs control panel. Before downloading/installing/purchasing any adware or spyware utility, you should check this site to see if the program is reputable or not.


B) Please perform the following disinfection procedures:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these specific about:blank/Home Search/etc. removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open …

DMR 152 Wombat At Large Team Colleague

Hi HadYourPhil, welcome to DaniWeb :)

A) To remove the "crazywinnings" references:

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove.

- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not delete or modify anything else in the registry!!!


1. Download and install ewido Security Suite (trial version) - http://www.ewido.net/en/download/

2. Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- …

DMR 152 Wombat At Large Team Colleague

The "red circle with a white x" is the signature symptom of the Antivirus Gold/SpySheriff/Smitfraud group of infections. Your HJT log indicates a couple of other infections as well.

Your log also shows no signs of an anti-virus program running. If you really don't have an A-V program, download and install the free edition of AVG anti-virus now.

Next, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to …

DMR 152 Wombat At Large Team Colleague

Hi drajpatel, welcome to DaniWeb :)

I believe the problem may have started after installing and running the latest versions of "Ad-aware 6.0" and a few similar ones like that, then deleting the problem items that were found.

Good call- that's exactly right. "bridge.dll" is a spyware component, and while AdAware, etc. have removed the actual bridge.dll file, there is still a reference to the file in your Windows Registry.
You may also have other "loose ends" remaining on your system; please do the following so that we determine if that's true or not:

Download the free HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move HijackThis.exe to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there. We can also tell you how to …

DMR 152 Wombat At Large Team Colleague

1. You still have one HijackThis log entry left over from the infection. Run HJT again and have it fix:
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)


2. I can't tell you exactly what happened in terms of the lost space at this point, but I can tell you that it isn't a normal side effect of infections (or removing them). There could be a few different reasons for the problem, though; let's see if we can narrow it down:

A) Look for "bloated" files or folders:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Click on the Search button, and in the resulting "Search Companion" pane:

* Leave the "All or part of filename" and "word or phrase in file" boxes blank.

* Click on "When was it modified" and specify a date range that would most closely reflect the time during which the loss of disk space occurred.

* Click on "What size is it?" and select "Don't remember".

* Click on "More advanced options", select "all files and folders" for the type of file, and put a check mark next to the search options for system, hidden, and subfolders.

Let the search run, and when it completes, look for any items whose size looks abnormally large. Give us …
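Both items in this post can be checked from a PowerShell prompt. As an added example (not the poster's own procedure), the first function lists Browser Helper Objects whose registered DLL is missing, which is exactly what a HijackThis "O2 - BHO: ... - (no file)" line reports; the second is the Search Companion query above (date range, all files including hidden and system, sorted by size). The registry paths are the standard BHO and CLSID locations; the thresholds and date range are assumptions.

```powershell
# Added example, not from the thread. Run elevated so system folders are readable.

# 1. Orphaned BHOs: the CLSID is registered under Browser Helper Objects but the
#    DLL it points to (CLSID\{id}\InprocServer32 default value) no longer exists.
function Get-OrphanedBho {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($entry in Get-ChildItem -Path $bhoKey) {
        $clsid  = $entry.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll = $null
        if ($server) {
            # Expand %SystemRoot%-style paths and drop surrounding quotes.
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)').Trim('"')
        }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Status = 'no file' }
        }
    }
}

# 2. "Bloated" files: everything modified in the window when the space vanished,
#    hidden and system files included, largest first.
function Find-LargeRecentFiles {
    param(
        [string]$Root = 'C:\',
        [Parameter(Mandatory)][datetime]$After,
        [datetime]$Before = (Get-Date),
        [int]$MinMB = 100,     # assumed threshold; lower it for a finer look
        [int]$Top = 25
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $After -and $_.LastWriteTime -le $Before -and
                       $_.Length -ge ($MinMB * 1MB) } |
        Sort-Object Length -Descending |
        Select-Object -First $Top FullName, LastWriteTime,
            @{ Name = 'MB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
}

Get-OrphanedBho | Format-Table -AutoSize
# Assumed date range; replace with the period during which the space was lost.
Find-LargeRecentFiles -After (Get-Date).AddDays(-14) | Format-Table -AutoSize
```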

DMR 152 Wombat At Large Team Colleague

Seems that the CleanUp! utility somehow recognizes the winxp style as a temp file and deletes it!!

Oh, crud... you're right, d0rk. Buried in the release notes for the new version of Cleanup! is an obscure reference to fixing an issue with Temp files and XP themes.

One possible way to restore the "XP Themes" option:

Right click on the desktop and choose Properties. Choose the "Browse..." option in the Themes drop-down menu, browse to the C:\Windows\Resources\Themes\Luna.theme file, and double-click on it.

DMR 152 Wombat At Large Team Colleague

Good job d0rk, your logs look good :)

As far as losing the themes (and perhaps other graphical presentation elements of Windows) goes, there is a side-effect of the smitfraud infection which might be at the root of that problem.

To find out if this is the case, right-click anywhere on your desktop and choose "Properties" from the resulting pop-up menu. If you don't see all of the following tabs in the properties window, or cannot change the settings within the tabs, perform the fix given below:

Themes
Desktop
Screen Saver
Appearance
Settings


The fix:
- Download smitfraud.reg and save the file to your desktop.
- Once downloaded, double click on the file and when Windows asks you to merge the data, click Yes.
- Reboot your computer.

You should now be able to change your desktop settings to your liking. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

DMR 152 Wombat At Large Team Colleague

Nooooooo!!!!!

Don't even THINK about following the above suggestions!!!

Good lord- not only will deleting the user account not fix the infection, but it could easily cause you a huge pile of additional problems.

:eek: :eek: :eek:


dork,

The "big red and black box" and "red circle with a white x on the taskbar" you describe are the signature symptoms of the Antivirus Gold/SpySheriff/Smitfraud group of infections. Your HJT log indicates a couple of other infections as well.

To begin with, please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

DMR 152 Wombat At Large Team Colleague

Yes- In addition to violating the laws in many countries, providing, linking to, or even suggesting the use of "cracked" or otherwise illegal software directly violates our forum rules.