DMR 152 Wombat At Large Team Colleague

Good work :)

Your HijackThis log is clean, and your ewido log indicates that ewido not only cleaned the files we wanted to remove, but also caught a couple of other "nasties" as well.

Now that your system has been disinfected, you might want to have a read through this thread for suggestions on how you can keep your system protected from future infections.

DMR 152 Wombat At Large Team Colleague

Hi jaishankar,

We definitely do appreciate your desire to help. However, there are a few things to keep in mind when offering help in this forum:

1. You appear to have linked to an older version of XSoftSpy. As new infections and new variants of existing infections are discovered almost daily, it is very important that members are given the absolute latest version of the detection and removal programs we recommend and/or provide.

2. The download link you provided for XSoftSpy leads to a file-sharing site, and such sites cannot (for what I hope are obvious reasons) be considered "trusted" download locations. Given that, we do not recommend that members obtain their utilities from those sites, but rather from the software vendors themselves or from trusted software repositories such as majorgeeks.com. (XSoftSpy's site does have its own direct download for the current release of the free version of their product).

3. When participating in a thread where troubleshooting is already in progress, please do not suggest alternate "fixes" until the thread starter has posted the results of performing the procedures already given them by the person currently assisting them. Doing so can confuse or sidetrack the person we are trying to help, and malware removal is most effective when done in a methodical way.

Thanks.

DMR 152 Wombat At Large Team Colleague

Hi funnygirl, welcome to DaniWeb :)

You've got a handful of "unwanted guests" in your HijackThis log; please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/


- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Adaware, click on the "Check for updates now" link, and follow the prompts to get the latest updates. Close the program when it has finished installing the updates.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open Norton Antivirus and make sure that you have the most current update installed. As with the above programs, don't run a scan …

DMR 152 Wombat At Large Team Colleague

I'm glad you were able to delete the malicious files and their associated "Run" entries in the Registry, but I'd suggest that you now do a couple of full anti-virus/anti-spyware scans to clean out the rest of the components of the infections. These days, infections are rarely comprised of a single file and a single simple addition to the Registry.

DMR 152 Wombat At Large Team Colleague

Those files are components of malware (virus, spyware, adware) infections. :(

Please read the malware removal information in this thread and try the suggestions given there. If you have further questions about the infections or their removal, please start an entirely new thread in our Viruses, Spyware and other Nasties forum.

DMR 152 Wombat At Large Team Colleague

I see no obvious "suspects" in your HJT log.

Do you have any Internet access at all (email, Instant Messenger, etc.)? This could be more of a general connection problem; please give us more info/details if possible.

DMR 152 Wombat At Large Team Colleague

You're welcome, sauronflorik; glad we could help :)


Paddy,

You might know the reasoning behind Safe Mode scans already, but I'll post the basic info just for reference:

When Windows is running in its normal start-up mode, spyware and virus removal programs can have difficulty removing some malicious infections due to the fact that components of the infections have already loaded themselves at Windows start-up, and are active at the time the removal programs try to delete them. While the removal programs can terminate many of the active nasties, others present more of a problem.

One reason for this is that many infections install multiple files which act as guardians for one another; monitoring each other's "health". When one of the files gets shut down by a removal utility, another guardian file senses this, and restarts (and in some cases actually recreates) the file that was killed. Additionally, infections can use hidden .dll files which are activated at boot-up by obscure registry entries, and these dlls can be quite difficult to detect and deactivate.

In Safe Mode however, Windows loads only a bare minimum of services, drivers, and processes; it ignores most normal startup items, and it does not process the entire registry. This means that many of the "autostart" techniques used by infections are also ignored, making the infections essentially dormant in Safe Mode. The fact that the infections are inactive makes it much easier for removal programs to thoroughly remove them …

DMR 152 Wombat At Large Team Colleague

1. Friggin' good job; it looks like you got them. Your latest log is clean :)


2.

I did as you said "replace on reboot" but when I selected that option, nothing at all seemed to happen after I clicked the button.

That's normal. Nothing visible does happen; Killbox just silently whacks the files when you reboot the computer.


3. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suicidegirls.com/

Suicidegirls, eh? Erm, yeah... nooooooooo comment. :mrgreen:

DMR 152 Wombat At Large Team Colleague

You're welcome :)

By the way, would you give me some tips to make kazaa safe?

You probably knew this was coming, but...

Don't use it.

Seriously- filesharing/P2P networks as a whole are, unfortunately, great conduits for the delivery of malicious programs; by not using them, you avoid that risk altogether. If you do choose to use them, your only real recourse is to protect your system as much as possible. This thread has several useful suggestions on how you can accomplish that.

DMR 152 Wombat At Large Team Colleague

Good work- your latest log is clean :)

Does everything seem to be functioning correctly now?

DMR 152 Wombat At Large Team Colleague

Perfect; thanks!

Please do the following:

1. Download the Pocket Killbox utility into its own new folder. Don't run the program yet, though.


2. Run HijackThis again, put a check in the box to the left of the following entries, and then click the "Fix Checked" button. Close HJT after it completes the fixes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll


3. Run the Killbox.

- In the "Full Path of File to Delete" box, copy and paste the following
C:\WINDOWS\system32\sndmix.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click No at the request to actually reboot.

- Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\secure32.html
C:\WINDOWS\system32\paytime.exe
C:\winstall.exe

- In the Killbox, go to the File menu, and choose "Paste from Clipboard".

- Select the "Delete on …

DMR 152 Wombat At Large Team Colleague

Well I tried all that and it seemed to work

Unfortunately, it didn't work; your latest HJT log indicates that almost all of the "nasties" are still present. Are you sure you followed all of my suggestions properly?

:o Actually, if you really did follow everything I suggested, you would have deleted the HijackThis program, because I missed something in your first log that needs to be dealt with before anything else:

C:\DOCUME~1\LARRYC~1\LOCALS~1\Temp\Rar$EX00.766\hijackthis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder for HijackThis outside of any Temp/Temporary folders and move HJT there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders (which I did ask you to do in my last post). Given that, if HijackThis and/or other data that you care about is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

There is one file in your log that I'd like to get more information on if possible please; it looks suspect to me:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select …

DMR 152 Wombat At Large Team Colleague

I'd suggest installing the free SpywareBlaster utility; it blocks known "bad" addresses/domains, including abcsearch. A short tutorial on installing and updating SpywareBlaster can be found here.

Also- you should try running AdAware and SpyBot in Safe Mode if you haven't already; they might be able to find/fix more "nasties" that way:

- Before booting into Safe Mode, open SpyBot and AdAware and use each program's online update feature to make sure that you have the absolutely most current spyware definition databases installed. Do not run scans yet, just close each program when it finishes installing its updates.

- Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Run both utilities (the order doesn't matter) and have each program fix everything it finds.

- Reboot normally.

DMR 152 Wombat At Large Team Colleague

Wait for somebody to come along that can read HJT logs. Like DMR :)

Aww- I'm flattered... :o :mrgreen:


Hi presmmbb,

1. The IP address that your computer is accessing is within a block of IPs (216.143.70.0 - 216.143.71.255) associated with McAfee. Since you do have McAfee's Internet Security package installed, my bet would be that the TCP connection is being established by that software.


2. Can you explain IE's CPU usage in more detail please? IE definitely does hit the CPU pretty heavily when it first starts up (I get up to an 80% CPU usage spike), but there shouldn't be much of a sustained load on the CPU after IE settles down.


3. When you say "hijacked", are you just referring to the IP address issue mentioned above, or are you also experiencing true hijacks (being redirected to unwanted sites/pages)? The reason I ask is that I see no indications of malicious infections in your HJT log.


4. There are, however, a few irregular entries in the log, which you should fix unless you (or one of your legitimate programs) specifically made the modifications:

O15 - Trusted Zone: www.macromedia.com
O15 - Trusted Zone: www.slickdeals.net
O15 - Trusted Zone: http://www.windows.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol …

DMR 152 Wombat At Large Team Colleague

1. The following information in your HijackThis log's header indicates that you are very behind in your Windows and Internet Explorer updates:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Please use the Windows Update feature to download and install the most current updates for your system; many of the updates fix security holes and bugs through which spyware and viruses can infect your system. I wouldn't suggest upgrading to Service Pack 2 until your system is infection-free, but you should at least get Service Pack 1 and all of the most current related updates.

When properly updated, the information in your HJT log header should read as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


2. Please give us any and all specific information that Norton gives you concerning the names and locations of the infected files it is finding.

3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MicroSoft Media Tools" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


4. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - …

DMR 152 Wombat At Large Team Colleague

Hi Lartones, welcome to DaniWeb :)


Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans. Some of these scanners have "auto clean" scan options; make sure to choose that option if it exists.

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Run HijackThis and have it fix the following entries. Some of these may have been cleaned by the above scans; fix all that still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [Windows Spooler Services] spool.exe
O4 - HKLM\..\RunServices: [Windows Spooler Services] spool.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe


3. Download and install the following (free) detection and removal tools. Open each program and use its online update function …

DMR 152 Wombat At Large Team Colleague

1.

I'm probably wrong ..

Nope, you're right- loss of date/time is the classic sign of a dead CMOS battery. It should be replaced.


2. For rundll32.exe, try extracting a fresh backup copy of the file from your Win 98SE CD or from the hard drive:

If you have a folder on your hard drive named C:\Windows\Options\Cabs:

Go to Start->Run, type SFC and click ok to start the program. Select the "Extract one file from installation disk" option, type Rundll32.exe and click on Start. Select the C:\Windows\Options\Cabs folder as the source, and C:\Windows as the target (Save in).


If you do not have a folder on your hard drive named C:\Windows\Options\Cabs, but you have the Win 98SE install CD:

Go to Start->Run, type SFC and click ok to start the program. Select the "Extract one file from installation disk" option, type Rundll32.exe and click on Start. Select the Win98\Win98_46.cab folder on the installation CD as the source, and C:\Windows as the target (Save in).

DMR 152 Wombat At Large Team Colleague

Hi Sienna,

First of all- welcome to DaniWeb!

We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need. Given that, you should start your own thread and post your question there.

Before you start a new thread in this particular forum though, you should have a read through this thread in our Viruses, Spyware, and other Nasties forum and try some of the virus and spyware removal programs/procedures described there. The reason I suggest this is that on a Windows 2000 or XP system, the legit "svchost.exe" file lives in the C:\WINDOWS\System32 folder, not the C:\WINDOWS folder. The presence of a file named svchost.exe in your C:\WINDOWS folder is usually an indication that you have a malicious infection.

DMR 152 Wombat At Large Team Colleague

Your log is clean, and a general rundll32.exe problem like that isn't usually due to malicious infections anyway.

Can you give us a bit more background on the problem please (when it started occurring, whether or not you made any software changes just prior to the start of the problem, etc.)? Also- give us the full and exact text of the error you receive.

DMR 152 Wombat At Large Team Colleague

Accessing secure pages/sites in general is a relatively common problem. Many possible solutions can be found in these related threads from our archive:

http://www.daniweb.com/search/search.php?q=secure%20sites%20access

DMR 152 Wombat At Large Team Colleague

Thank you Hollystyles!

I'm confused about the printer as it's a Dell unless that company owns Dell?

Not quite, but close.
Dell doesn't make their own printers, so they partnered with the Lexmark company to have Lexmark manufacture printers for them. In other words, the printer you have may have the Dell brand name on the outside, but it's all Lexmark on the inside.

DMR 152 Wombat At Large Team Colleague

Hi MsNytOwl,

Your log indicates a few different infections; let's start with the following general cleaning:

<EDIT> Hmm... looks like just_a_nobody beat me to some of this already</EDIT>

1. Download and install these two utilities:


ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en


2. Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.


3. Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.


4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


5. Run ewido and MS Antispyware beta consecutively (the order doesn't matter), and have both programs fix whatever they find.


6. - Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious …

DMR 152 Wombat At Large Team Colleague

Your HJT log shows no signs of malicious infections or anything else which would account for the problem.


Before performing any other troubleshooting steps, disable your firewall software. To make sure that you've entirely disabled it, go into the program's options/preferences, turn off the option to automatically start the program when Windows starts, and reboot. Simply choosing to disable the firewall once it has started often does not shut it down completely.

If the firewall isn't the source of the problem, we'll need to try to determine at what level the problem is occurring:

1. Open an MS-DOS box, type the following command, and hit Enter:

ipconfig /all

Do you see correct entries for the computer's IP address, the gateway IP address, and DNS server address(es)?

2. Again at the DOS prompt, type the following two commands and tell us the results:

ping www.google.com
ping 66.102.7.147


3. See if you can reach a site in your browsers by its IP address as opposed to its URL. Using Google as an example, enter the following into IE and Firefox's address bar, and let us know the result:

http://66.102.7.147


4. Here's a software fix you can try:

WinsockXPFix


5. Cruft built up in your Temporary Internet Files folder and other locations can cause browsing problems. Do the following "housecleaning":

- …

DMR 152 Wombat At Large Team Colleague

You're welcome roz, glad we could help :)

Why not get AVG Free, it is a free anti-virus program that works great.

A good point. If you're just looking for an anti-virus program (as opposed to an entire "Internet Security" package), AVG is very effective, and doesn't bog down your system in the way that Norton or McAfee can.

It's also free for personal use, and free is always good :mrgreen:

You can download AVG here.

DMR 152 Wombat At Large Team Colleague

As long as your computer is not connected to the Internet and you do not use any floppy/CD-ROM discs in the time that you are "unprotected", you won't get infected.

1. Leave Norton installed and active until the moment you're ready to install McAfee.

2. Physically unplug the cable that connects your computer to the Internet.

3. Uninstall Norton; Install McAfee.

4. Reconnect your Internet/network cable.

5. Open McAfee and use its online update feature to make sure you have the most current virus definitions installed.

DMR 152 Wombat At Large Team Colleague

Good work- your log looks clean now. :)

Everything rebooted normally after following your instructions

Does that mean that all of your programs, shortcuts, etc. are working now? Please give us an update on that.

DMR 152 Wombat At Large Team Colleague

To eliminate the eAcceleration startup error, run HijackThis again and have it fix the following entry:

O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus

The eAcceleration software is not still on your computer, but a Registry entry which references the software is; fixing the above HJT entry will delete the "orphaned" Registry entry.

Also- please do not do a system restore or reinstall- neither is necessary at this point, and in doing either you might incur more problems than you already have.

DMR 152 Wombat At Large Team Colleague

Please do the following:

You will need to close all web browser programs before performing these procedures, so you should print out the following instructions or save them into a text file with Notepad.


1. Click on the "Run..." option under your Start menu, type the following in the resulting "Open:" box, and then hit Enter:

services.msc

In the resulting list of Windows Services, locate the following services and perform the procedure below for each:

NTBOOTMGR (NTBOOT)
NTLOAD
NTSVCMGR

- Double-click on the service.
- In the resulting window, click the Stop button if the service is reported to be currently running.
- Once the service is stopped, choose the "Disabled" option in the "Startup Type" drop-down menu, and then click OK.

Close the Services window after reconfiguring all three of the services.


2. Run HijackThis again and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe

3. Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. …

DMR 152 Wombat At Large Team Colleague

Hi battousai, welcome to TechTalk :)

You are running a very old version of HijackThis; you need to get the most current version (1.99.1) and post the log that that version generates. You can get the latest version of HijackThis here.

DMR 152 Wombat At Large Team Colleague

Cool; let us know if anything suspicious crops up.

Also- read this thread for some good suggestions on how to protect your computer against future infections.

DMR 152 Wombat At Large Team Colleague

Good- looks like that took care of lockx.exe. :)

Are you still seeing symptoms of possible infections, or does the system seem to be running correctly now?

DMR 152 Wombat At Large Team Colleague

1. Run another scan with HijackThis and have it fix the following three entries:

O4 - HKLM\..\Run: [stratas] LOCKX.EXE
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [stratas] LOCKX.EXE


2. Delete the following file:

C:\WINDOWS\SYSTEM\LOCKX.EXE


3. Empty your Recycle Bin.


4. Reboot, run HijackThis again, and post the new log.

DMR 152 Wombat At Large Team Colleague

The "lockx.exe" entries in your log are definitely indicative of the infection, but there are probably other hidden components of the infection as well. Please do the following so that we can see if that's true:

- Run Hijackthis.

- In HJT's main window, click on the Config button.

- Click the Misc. Tools button on the resulting page.

- In the StartupList section of the Misc Tools page, put a check mark in the boxes next to the "List also minor sections (full)" and "List empty sections (complete)" options.

- Click the "Generate StartupList log" button and then click "Yes" in the resulting confirmation box.

- When the scan is finished, the results will be displayed in a Windows Notepad file named "startuplist.txt". Paste the entire contents of that file into your next post here.

DMR 152 Wombat At Large Team Colleague

You're welcome folks. It's good to be back from vacation and in full swing here again! :)


chyenn,

Now that your system appears to be clean, please read the following thread for some suggestions on how to protect yourself from future infections:

http://www.daniweb.com/techtalkforums/thread27519.html

DMR 152 Wombat At Large Team Colleague

ok now we are getting somewhere.

Yes, we are; good troubleshooting. :)

The "Services and Controller" program is a component of Win 2K and XP which manages Windows operating system services. The actual program file is named services.exe; you will see it listed as a running process in your Task Manager. On a Win 2K system, services.exe should live in the C:\WINNT\system32\ folder; on an XP system it will live in the C:\Windows\system32\ folder. If you find a file named services.exe living in any other folder, there's a pretty good chance that that version of services.exe is part of an infection.

The next time Zone Alarm gives you the “Services and Controller app..." message, allow the connection, and also tell ZA to remember your choice (in other words, tell ZA not to prompt you in the future).
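As an added illustration (not DMR's or DaniWeb's code), here is a small triage script that applies the location rules from this thread to HijackThis log lines: the R0/R1 start-page entries and O4/O23 entries quoted in the Lartones and NTBOOTMGR posts above, plus the services.exe/svchost.exe "must live in System32" rule from this post. The sample log and the rule thresholds are constructed for the example; the reason strings are my own wording.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis entries quoted in the thread above, plus three
# made-up lines for contrast (a Google start page, a Temp-folder Run entry and
# a legitimate-looking ctfmon.exe entry in System32).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\RunServices: [Windows Spooler Services] spool.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [update] C:\DOCUME~1\USER~1\LOCALS~1\Temp\update.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Core OS processes that, per the thread, belong in System32 (WINNT on Win2K).
SYSTEM32_ONLY = {"services.exe", "svchost.exe"}
SYSTEM32_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

@dataclass
class Entry:
    section: str          # R0, R1, O4, O23 ...
    name: str             # registry value, [Run] name or service name
    target: str           # URL, command line or image path
    owner: str = ""       # O23 only
    raw: str = ""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def parse_line(line):
    """Parse one HJT log line into an Entry; None for unsupported sections."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # R0/R1 - <hive>\<key>,<value name> = <data>   (data may be empty)
        m2 = re.match(r"(.*?) =\s*(.*)$", body)
        return Entry(sec, m2.group(1), m2.group(2), raw=line) if m2 else None
    if sec == "O4":
        # O4 - <hive>\..\Run: [<name>] <command line>
        m2 = re.match(r".*?: \[(.*?)\] (.*)$", body)
        return Entry(sec, m2.group(1), m2.group(2), raw=line) if m2 else None
    if sec == "O23":
        # O23 - Service: <name> - <owner> - <image path>
        m2 = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
        return Entry(sec, m2.group(1), m2.group(3), m2.group(2), line) if m2 else None
    return None

def image_path(command):
    """First token of a Run command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def findings(entry):
    """Location-based reasons an entry deserves a second look (empty = none)."""
    out = []
    if entry.section in ("R0", "R1"):
        # A browser start/default page should be a URL, not a file on local disk.
        if re.match(r"^[a-z]:\\", entry.target, re.I):
            out.append("start/default page points at a local file")
        return out
    path = image_path(entry.target) if entry.section == "O4" else entry.target
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\" not in low:
        out.append("bare file name: location resolved by PATH search, cannot be verified")
    elif re.match(r"^[a-z]:\\[^\\]+$", low):
        out.append("executable sitting in the drive root")
    if "\\temp\\" in low:
        out.append("runs from a Temp folder")
    if base in SYSTEM32_ONLY and not low.startswith(SYSTEM32_DIRS):
        out.append(f"{base} outside System32")
    if entry.section == "O23" and entry.owner.lower() == "unknown owner":
        out.append("service with unknown owner")
    return out

def triage(log_text):
    """Return [(raw line, [reasons])] for each supported entry that raised a reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = findings(entry)
            if reasons:
                flagged.append((entry.raw, reasons))
    return flagged

if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Note that paytime.exe passes every location rule because it sits in System32, which is exactly why the thread leans on updated scanners and an experienced log reader rather than path rules alone.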

DMR 152 Wombat At Large Team Colleague

chyenn,

To narrow down a few things regarding the Internet connection problem:

1. What exact type of connection do you have (dial-up, cable, DSL)?

2. If it's cable or DSL, do you connect directly to the modem, or do you go through a router or switch first?

3. If you're running any firewall software, disable it completely.

4. Some tests:

1. Open your Internet Options control panel, click on the Connections tab, and then on the "LAN Settings" button. In the LAN settings window, make sure none of the proxy-related boxes are checked, and also try toggling the status of the "automatically detect settings" box.


2. Open Internet Explorer and see if you can reach Google and/or Yahoo by their IP addresses as opposed to their URL. In IE's address/location bar, type in the following locations one at a time and tell us what happens:

http://66.102.7.147
http://66.94.230.37


3. Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window.

- At the DOS prompt, type the following commands, hit Enter after each, and tell us the exact results:

ping 127.0.0.1
ping 66.102.7.147
ping www.google.com


- Again at the DOS prompt, type the following command, hit Enter, and post the …

DMR 152 Wombat At Large Team Colleague

Your log indicates signs of a couple of infections, and there may be more than that.

Please perform the following general cleaning procedures:

You will need to disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for …

DMR 152 Wombat At Large Team Colleague

Hi All!!!

To resolve this problem:

Svchost.exe Takes 99% of CPU memory Usage

go to my Home and read the article!


Regards,

aSeptik

justsched.exe is certainly one culprit, but unfortunately, there are many more causes for excessive resource usage than the one given on your page.

DMR 152 Wombat At Large Team Colleague

Congratulations- your latest HJT log is clean. :)

Also I had my windows set up to automatically download updates but when i went to update manually it told me my windows wasn't licensed. This comp was built for me and i think they used a pirated version of xp.

Quite possible.

So do i need to go buy one or what?

Yes.

Or should I complain to the guy who built the pc for me.

That won't do you much good; the guy probably knew what he was (wrongly) doing, so I doubt confronting him will get you very far.

I think he does it on the side for extra cash so I'm probably screwed. Just buy one I guess.

Yes, and yes.

DMR 152 Wombat At Large Team Colleague

Do you know of any useful links?

If you mean links for info on Firefox, I'd suggest checking out the resources on their site.

Can you run firefox and ie on the same comp?

Of course; you can install and run as many web browsing programs as you want. Actually, even if you do choose to use Firefox as your primary browser, you'll still need to use IE to get updates from Microsoft; MS (unfortunately) doesn't let you do that with browsers other than IE.


In terms of your latest HJT log- it looks much better, but there are still a few leftovers to clean up. Please do the following:


1. Run another HJT scan and have it fix these entries:

O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c3.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c..._ap1001_sp2.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll

2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".


* Locate and delete the following files:

C:\WINDOWS\system32\stb.exe
C:\WINDOWS\system32\qlink32.dll


* Empty your Recycle Bin.


3. Reboot …

DMR 152 Wombat At Large Team Colleague

Great; glad we could help. :)

Now that your computer is clean, you might want to have a look at this thread for some good suggestions on how you can protect yourself from future infections.

DMR 152 Wombat At Large Team Colleague

All looks good now. Are you still experiencing pop-ups or any other problems, or do things appear to be running properly now?

DMR 152 Wombat At Large Team Colleague

You've got a lot more than the Winfixer problem going on there. :(

Please perform the following general cleaning procedures:

You will need to disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

DMR 152 Wombat At Large Team Colleague

1. Uninstall the MyWebSearch program via your Add/Remove Programs control panel.


2. Close all open/running programs, run HJT again, put a check to the left of the following entry, and then click the "Fix Checked" button:

O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those …

DMR 152 Wombat At Large Team Colleague

Hi ouch,

You've posted the wrong information from HijackThis, and you're also using a very old version of HijackThis. Please do the following:

Download the latest version of HijackThis:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

1. Run HijackThis again, put a check in the boxes next to the following entries, and then click "Fix Checked": (Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT2\System32\System32.exe
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT2\System32\CtxPopup.dll
O2 - BHO: (no name) - {74229664-DE88-3CCE-2C24-260883A74E04} - C:\WINNT2\system32\CV6g61e0.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT2\system32\dcom_9.dll


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

C:\WINNT2\System32\System32.exe
C:\WINNT2\System32\CtxPopup.dll
C:\WINNT2\system32\CV6g61e0.dll
C:\WINNT2\system32\dcom_9.dll

(And why do you have a C:\WINNT2 folder? That is not normal.)

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along …
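The safe-mode temp cleanup described in this post (and spelled out in the earlier post that lists Cookies, Local Settings\Temp, Local Settings\History, Local Settings\Temporary Internet Files, plus C:\Windows\Temp and C:\Windows\Prefetch) is easy to get wrong by hand: you want the contents gone, the folders themselves kept, every profile covered, and a chance to review before anything is erased. The script below is an added example written for this page, not a tool from the thread or from any of the vendors mentioned. It takes the profiles root and Windows directory as parameters (the thread's C:\Documents and Settings and C:\Windows are that poster's paths), runs against a constructed stand-in tree so it can be tried offline, and supports a dry run that matches the "move anything you care about first" warning above. Symlinks and junctions are unlinked rather than descended into, so a planted link cannot redirect the cleanup into another tree.

```python
import shutil
import tempfile
from pathlib import Path

# Relative to each profile folder under the profiles root (C:\Documents and Settings in the thread).
PER_USER_FOLDERS = (
    "Cookies",
    "Local Settings/Temp",
    "Local Settings/History",
    "Local Settings/Temporary Internet Files",
)
# Relative to the Windows directory (C:\Windows in the thread).
WINDOWS_FOLDERS = ("Temp", "Prefetch")


def empty_folder(folder, dry_run=False):
    """Remove everything inside `folder` but keep `folder` itself; returns the paths touched.
    Missing folders are skipped. Links are unlinked, never followed, so rmtree only
    ever runs on real subdirectories of the folder being cleaned."""
    folder = Path(folder)
    removed = []
    if not folder.is_dir():
        return removed
    for child in folder.iterdir():
        removed.append(child)
        if dry_run:
            continue
        if child.is_dir() and not child.is_symlink():
            shutil.rmtree(child)
        else:
            child.unlink()
    return removed


def clean_profiles(profiles_root, windows_dir, dry_run=False):
    """Clean the per-user folders of every profile, then the Windows Temp and Prefetch folders."""
    removed = []
    for profile in sorted(p for p in Path(profiles_root).iterdir() if p.is_dir()):
        for rel in PER_USER_FOLDERS:
            removed += empty_folder(profile / rel, dry_run)
    for rel in WINDOWS_FOLDERS:
        removed += empty_folder(Path(windows_dir) / rel, dry_run)
    return removed


def build_sample_tree(root):
    """Constructed stand-in for the poster's Documents and Settings and Windows folders (test data only)."""
    profiles, windows = Path(root) / "Documents and Settings", Path(root) / "Windows"
    for user in ("Administrator", "Owner"):
        for rel in PER_USER_FOLDERS:
            (profiles / user / rel).mkdir(parents=True)
            (profiles / user / rel / "junk.tmp").write_text("x")
        (profiles / user / "My Documents").mkdir()
        (profiles / user / "My Documents" / "keep.txt").write_text("keep me")
    (windows / "Temp" / "nested").mkdir(parents=True)
    (windows / "Temp" / "nested" / "a.tmp").write_text("x")
    (windows / "Prefetch").mkdir()
    (windows / "Prefetch" / "NOTEPAD.EXE-12345678.pf").write_text("x")
    return profiles, windows


def demo():
    """Dry run first (review the list, move anything you need), then the real pass; returns a summary."""
    scratch = Path(tempfile.mkdtemp())
    try:
        profiles, windows = build_sample_tree(scratch)
        planned = clean_profiles(profiles, windows, dry_run=True)
        removed = clean_profiles(profiles, windows)
        return {
            "planned": len(planned),
            "removed": len(removed),
            "folders_kept": all((profiles / u / rel).is_dir()
                                for u in ("Administrator", "Owner") for rel in PER_USER_FOLDERS),
            "documents_kept": (profiles / "Owner" / "My Documents" / "keep.txt").is_file(),
            "temp_empty": not any((windows / "Temp").iterdir()),
            "prefetch_empty": not any((windows / "Prefetch").iterdir()),
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call `clean_profiles(r"C:\Documents and Settings", r"C:\Windows", dry_run=True)` from Safe Mode, read the returned list, and only then run it again without `dry_run`. Prompts about desktop.ini or index.dat do not arise here because the script deletes without asking, which is one more reason to look at the dry-run output first.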

DMR 152 Wombat At Large Team Colleague

All looks good; your latest log is clean. :)

DMR 152 Wombat At Large Team Colleague

Hi CooperS,


1. Download ewido Security Suite and install it, and then open the program. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido; do not actually have it scan your system yet.


2. Open Norton Anti-Virus and use the Live Update feature to make sure you have the absolutely most current virus definition databases installed. Close the program after that.


3. Run HijackThis again and have it fix the following:

O4 - HKLM\..\Run: [Wins Service Driver] winet.exe
O4 - HKLM\..\RunServices: [Wins Service Driver] winet.exe
O4 - HKCU\..\Run: [Wins Service Driver] winet.exe
O4 - HKCU\..\RunServices: [Wins Service Driver] winet.exe


4. Reboot into Safe Mode and:

* Run a full system scan with ewido; let it fix everything it finds.

* Run a full system scan with Norton.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Search for and delete all instances of winet.exe that you find.

* Empty your Recycle Bin.


5. Reboot normally, run a scan with HijackThis again, and post the new log. Also post the …

DMR 152 Wombat At Large Team Colleague

Good- the main "nasties" are no longer present in your latest log.

A couple of things, though:

1. MessengerPlus! 3 has a "Sponsored" installation mode, and if installed in this mode, the program will install adware on your system. If you are unsure of which installation mode you chose, you should uninstall the program and then reinstall it without the Sponsor option.


2. The following log entry is a loose end which should be taken care of:

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

To do this:

A) Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

B) Run HijackThis again, do another scan, and put a check in the box to the left of the O23 - Service: Remote Packet Capture Protocol v.0 entry, and then click "Fix Checked".

C) Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the …

hammy commented: thanks for helping me out with the YupSearch toolbar! +1
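Across the posts above the same pattern repeats: pick the O4 run-key, O2/O16/O18/O21 COM, F2 shell and O23 service lines out of a HijackThis log, have HJT "fix" them, then delete the files they point at in Safe Mode (and, for the O23 service here, stop and disable it first). The parser below is an added example written for this page; it is not HijackThis code and not from the thread. It reads the entry types quoted in these posts into one record each, flags the three things the helpers reacted to (HJT's own "(file missing)" note, a bare file name such as winet.exe that Windows resolves through the search path, and a Windows directory other than C:\WINDOWS or C:\WINNT, as with the C:\WINNT2 question), lists the local files that still need deleting after the fix, and prints the sc.exe commands equivalent to the Services-console steps for an O23 entry. The sample log is constructed from entries copied out of this thread; the flag names and the sc.exe equivalence are this example's assumptions, not anything HJT reports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the log entries quoted in the posts above, one per line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c3.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\qlink32.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT2\System32\System32.exe
O2 - BHO: CIEObject Object - {5D647E9C-6B37-4636-9A78-DADB1EB93BDF} - C:\WINNT2\System32\CtxPopup.dll
O2 - BHO: (no name) - {74229664-DE88-3CCE-2C24-260883A74E04} - C:\WINNT2\system32\CV6g61e0.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT2\system32\dcom_9.dll
O4 - HKLM\..\RunServices: [Wins Service Driver] winet.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

MISSING = "(file missing)"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
STD_WINDIR_RE = re.compile(r"^[A-Za-z]:\\(?:WINDOWS|WINNT)\\", re.I)
ANY_WINDIR_RE = re.compile(r"^[A-Za-z]:\\WIN[^\\]*\\", re.I)
BARE_FILE_RE = re.compile(r"^[\w.\-]+\.(?:exe|dll|com|scr|pif)$", re.I)


@dataclass
class Entry:
    kind: str                  # HJT section: F2, O2, O4, O16, O18, O21, O23
    name: str                  # value name, BHO name, filter type or service short name
    target: str                # file, URL or command line the entry points at
    clsid: str = ""
    flags: list = field(default_factory=list)
    raw: str = ""


def parse_line(line):
    """Turn one HJT log line into an Entry; returns None for lines this example does not model."""
    line = line.strip()
    head = re.match(r"^(?P<kind>F\d|O\d+) - (?P<body>.*)$", line)
    if not head:
        return None
    kind, body = head.group("kind"), head.group("body")
    entry = Entry(kind=kind, name="", target="", raw=line)
    if body.endswith(MISSING):              # HJT's own note that the referenced file is gone
        entry.flags.append("file missing")
        body = body[: -len(MISSING)].rstrip()
    if kind == "O4":                        # O4 - HKLM\..\Run: [value name] command line
        m = re.match(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
        entry.name, entry.target = m.group("name"), m.group("cmd")
    elif kind == "O23":                     # O23 - Service: Display name (short name) - owner - image
        m = re.match(r"^Service: .* \((?P<name>[^()]+)\) - .*? - (?P<image>.*)$", body)
        entry.name, entry.target = m.group("name"), m.group("image")
    elif kind == "F2":                      # F2 - REG:system.ini: Shell=Explorer.exe <extra program>
        value = body.split("=", 1)[1]
        parts = value.split(None, 1)
        entry.name = "Shell"
        if len(parts) == 2 and parts[0].lower() == "explorer.exe":
            entry.target = parts[1]         # a clean Shell= value is Explorer.exe alone
            entry.flags.append("extra program appended to Shell=")
        else:
            entry.target = value
    else:                                   # O2/O16/O18/O21: <name> - {CLSID} - <file or URL>
        c = CLSID_RE.search(body)
        if c:
            entry.clsid = c.group(0)
            entry.name = body[: c.start()].rstrip(" -:")
            entry.target = body[c.end():].lstrip(" -")
        else:
            entry.target = body
    return entry


def image_path(entry):
    """File part of the target: up to the first quote or whitespace. Fine for the 8.3 and
    %ProgramFiles% paths in these logs; a path containing spaces would need real tokenising."""
    return re.split(r'["\s]', entry.target.strip().lstrip('"'), maxsplit=1)[0]


def flag(entry):
    """Add the red flags the thread's helpers acted on (names are this example's own)."""
    path = image_path(entry)
    if BARE_FILE_RE.match(path):
        entry.flags.append("bare file name, located via the search path")
    if ANY_WINDIR_RE.match(path) and not STD_WINDIR_RE.match(path):
        entry.flags.append("nonstandard Windows directory")
    return entry


def triage(log_text):
    return [flag(e) for e in map(parse_line, log_text.splitlines()) if e]


def files_to_delete(entries):
    """Local files the entries point at. "Fix checked" removes the reference, not the file,
    hence the thread's separate Safe Mode delete step; "(file missing)" entries are kept in
    the list, as the thread's own delete list does."""
    return sorted({image_path(e) for e in entries if DRIVE_PATH_RE.match(image_path(e))})


def service_commands(entry):
    """sc.exe equivalent of the Services-console steps: stop, then Startup Type = Disabled.
    (sc.exe requires the space after 'start='.)"""
    return [f"sc stop {entry.name}", f"sc config {entry.name} start= disabled"]


ENTRIES = triage(SAMPLE_LOG)

if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{e.kind:<4}{e.name:<40}{image_path(e)}  {'; '.join(e.flags)}")
    print("delete in Safe Mode:", *files_to_delete(ENTRIES), sep="\n  ")
    for e in ENTRIES:
        if e.kind == "O23":
            print("service:", *service_commands(e), sep="\n  ")
```

Run it and the output is the same list the helper typed out by hand: six files under C:\WINDOWS and C:\WINNT2 to delete, winet.exe flagged as a bare name to search for rather than a path, and stop/disable commands for rpcapd. The parser deliberately makes no judgement about whether an entry is malicious; it only surfaces the properties the thread used to decide that.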
DMR 152 Wombat At Large Team Colleague

Hi grams79,

First of all- welcome to TechTalk!

We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.