Does a new scan with HJT no longer list the WeatherBug entries? If so, please let us know so that one of us (the moderators) can mark this thread as "Solved".
Thanks.
Can you post the contents of the dump?
Something isn't right here. There have been indications of at least 4 or 5 separate infections in your logs, but nothing you've done so far has had much of an impact on them. :(
You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad:
1. Go into your Add/Remove Programs control panel and uninstall NaviSearch and Surf Sidelick if you see them listed.
2. Run at least three of the following online anti-virus/anti-spyware scanners and let them fix what they can (for some of these scans you need to specifically select the option to have them clean/delete the infections they find, otherwise they'll just do a scan):
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
3. If you don't already have the most current versions of Ad Aware and Spybot, please download them from the links in my sig below and install them. Also download and install CCleaner, but don't run it yet.
4. Open Ad Aware, Spybot, Microsoft Antispyware, and ewido one at a time and use each program's online update feature to make sure you have the absolutely most current spyware definition databases installed for each. DO NOT run scans with any of the programs yet; just close the programs …
Very good; I only see one thing left to fix in your log:
1. Go into your Add/Remove Programs control panel and uninstall WeatherBug if it is listed there.
2. Run HJT again and have it fix:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
3. Open Windows Explorer. Locate and delete the following folder entirely:
C:\Program Files\AWS
Will do. Thanks :)
You're welcome. I hope the reinstall holds up. :)
Glad we could help you get it sorted out, sldout1. :)
If your system really does appear to be "clean" now, can you please give us final confirmation on that so that we can call this one done and mark the thread as "Solved".
Thanks.
Hi crazyquilter,
Your latest HijackThis log is incomplete; it shows only your running processes, but nothing else.
Can you please run another scan with the program and post a full log?
I told him it probably boiled down to the memory possibly having gone bad. Somehow I get the impression he doesn't believe me 'cos he's taken the PC to work with him. He's a trainee PC technician.
He thinks it's got something to do with the graphics card or the motherboard again. Suppose anything's possible really in today's world of computing, though I have to agree with you about the 0x8E errors (read two or three books over the last few days about these).
I understand what you're saying. I've worked with a lot of techs who misdiagnose a problem simply because they don't keep an open mind and consider all of the options, or because in their training they were told that problem "X" is 99.9% of the time due to failure "Y", and they take that as "gospel".
However- he might very well be right. Microsoft really isn't very good at publishing the exact reasons for many of their STOP errors, but both RAM and video problems/conflicts are often listed as probable suspects for many of those errors. Part of the reason for that is that it's not uncommon for systems to dedicate/set aside a portion of general RAM for graphics use only; this obviously ties the two together in a way that can't be separated without further and more in-depth testing.
Regardless of the outcome, keep us posted. Any further information that you can post will obviously be helpful to our members as a whole.
I don't think that this is software related, more like hardware now.
Yeah- if it even bombs during a reformat, that does start to point toward hardware.
Check your RAM first; Microsoft lists that as the primary cause of 0x8E errors, especially if they happen during the setup/reinstall process.
- Download and run the free memtest86 RAM-testing utility. It runs from a bootable CD or floppy, and it will do a pretty thorough battery of "stress tests" of your RAM and give you the results of any errors it finds. Let the test cycle run for a few hours or more for the best results.
- If you've got more than one RAM module installed, run the computer with only one of the modules installed at a time. If you find that the system only crashes when one particular RAM module is being used, replace that module.
The update to the video drivers would definitely be a prime suspect. Go into the video card's Properties window in Device Manager, click on the Driver tab, and try the "Roll back driver" option.
If that doesn't work, you may be able to use System Restore to roll the entire system back to a date just prior to when you started getting the STOP errors.
That's better, but there's a bit more cleaning to be done.
1. Download the Killbox utility and save it to your desktop, but don't run it yet.
2. Run HJT again and have it fix:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D62594E2-75A1-6B2B-4FAE-446C6B595631} - C:\WINDOWS\system32\crys.dll
O2 - BHO: Class - {F197B1B9-0AAF-D47B-4EDC-FF4944D4BD3C} - C:\WINDOWS\nthr32.dll
O4 - HKLM\..\Run: [iecp.exe] C:\WINDOWS\system32\iecp.exe
3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
- Open the Killbox.
A) In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\iecp.exe
- Select the "Delete on reboot" option and then click on the button with the red circle with the X in the middle.
- Click Yes at the Delete confirmation prompt.
- Click NO at the next request to actually reboot.
B) In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\crys.dll
- Select the "Delete on reboot" option, but this time also select the "Unregister dll before deleting" option.
- Click on the button with the red circle with the X in the middle.
- Click Yes at the Delete confirmation prompt.
- Click NO at the next request to actually reboot.
C) Repeat step …
The version of rundll32 that you've found appears legit, and there's nothing amiss in your HJT log.
Are you getting any further indications of lingering problems, or do things seem to be working correctly now?
OK- the "about:blank" infection has revealed itself more fully now.
Run these specific "about:blank" removal tools and post a new HJT log once you've done that (before scanning/fixing with About:buster and CWShredder, use their online update features to make sure you have the most current updates installed):
CWShredder - http://www.intermute.com/spysubtract/cwshredder_download.html
About:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-Se.dll_Hijack_Fix_2000XP_d4617.html
1. If you can give us the exact "usb.sys" error that might be helpful. You might find more specific info for that, and perhaps the other problems, by doing the following:
Open the Event Viewer utility in your Administrative Tools control panel.
In the Event Viewer, look through the System and Application logs for entries flagged as "Warning" or "Error"; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to the hangs/crashes that you're having, post the full and exact contents given in the detail windows.
2. The sharing of IRQs isn't usually a problem anymore, although it definitely was back in the days before PCI, "Plug-N-Play", and ACPI technologies were invented.
Since you haven't indicated that any recent hardware changes have been made to the system, the PCI/IRQ resource allocations of your installed hardware shouldn't have changed, but if you want to eliminate that possibility:
A) You can sometimes force a given device to use a specific IRQ or memory address range via the Resources tab in the device's Properties in Device Manager, but for the most part this rarely works. The issue is that modern operating systems and BIOSes do PCI resource allocation automatically, as opposed to the old (and pretty much manual) way that allocation was done with ISA devices.
B) There's one procedure which can often force a reallocation of resources …
The ipconfig gave just the header line:
Windows IP Configuration
That is it, and nothing else.
If your network card were truly working properly (and enabled, of course), the ipconfig command should have given you information somewhat similar to the following:
Windows IP Configuration
Host Name . . . . . . . . . . . . : Stinky
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000
Physical Address. . . . . . . . . : 00-0C-F1-26-FE-3B
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 4.2.2.1
NetBIOS over Tcpip. . . . . . . . : Disabled
The fact that ipconfig listed no information whatsoever about your network card means that the device is either not configured correctly, or that it is configured correctly but has been disabled.
Look in your Network Connections control panel. Do you see the connection listed? If so, what information do you see there? Right-click on the connection and then click Status in the resulting pop-up menu. What information do you see there?
Hi ijagarce,
First of all- welcome to TechTalk!
RJL1265 is right about starting your own thread. We do ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
Hi Janine,
You can find info on the possible causes (and fixes) for that particular Stop Code error in the links returned by the following Google search:
http://www.google.com/search?hl=en&lr=&q=STOP+0x0000008E+win32k.sys+0xC0000005&btnG=Search
Give some of those a try and let us know the results.
Hi Chintz,
1. You're running a slightly older version of HJT (v 1.99.0); you should get the latest version (1.99.1), do a scan with it, and post the new log.
2. Your current log definitely has some "nasties" in it. Before posting a log from the new HJT version, please complete the following general removal procedures in order to (hopefully) get some of the infections cleaned up automatically:
You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.
1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).
After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:
ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
3. Reboot into safe mode …
Since the laptop can connect to the router and access the Net, it should only be the desktop machine that would need to be restarted if anything.
1. Right-click on the networking icon in the tray and click "Status". It should show that you are connected, and that packets are being both sent and received.
2. Disable any and all firewall software entirely. Even Windows' built-in firewall gets wonky sometimes and denies connections that it shouldn't.
3. Open an MS-DOS window and type the following command:
ping ip_address_of_the_router
If that works, you should get 4 positive responses from the router. If it doesn't work, give us the exact error that the ping command gives you.
4. If the above ping works, try to ping a website (Google in this case) by its IP address:
ping 66.102.7.147
5. If that works, try:
ping www.google.com
6. If none of the above work:
Type:
ipconfig /all >C:\ipconfig.txt
Open the resulting ipconfig.txt file in Notepad and post the contents of the file.
... or are they getting smarter?
Absolutely. :evil:
I'm glad that finally seems to have worked. :)
Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.
6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.
7. None of your utilities are of much good if you don't check for updates frequently; updates …
You said "can't get her desktop back"; can you give us specific information on just what you mean by that please?
These are all things I recommend to clients, and yet it still got through.
The Nasties have gotten nastier, so the rules have changed. The old recommendations of Ad Aware, SpyBot, and a good A-V program (which I used to recommend to my clients as well) just don't do the trick anymore in terms of keeping a system most protected. Ad Aware and SpyBot are still good tools to have though.
For the best protection against the most current threats, these are my general recommendations:
This should go without saying, but:
Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
In addition:
1. Detection and removal tools:
ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
Use each program's online update function before running them to make sure you have the most current updates installed, and run the programs consecutively (the order doesn't really matter). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find.
2. Online anti-virus/anti-spyware scanners (have your clients run at least three of …
it doesn't matter right?
It does matter. If an anti-virus or anti-spyware program detects an infected file on your computer, you should definitely delete it. Even if an infected file seems to be "dormant" at the moment, it could be triggered back into action at some point in the future. This is especially true of infections hiding in your System Volume Information folder, because that's where Windows stores the backup files that it uses for its System Restore feature. If you ever have to use System Restore to recover from a problem, any infected files in the Restore folders can get reinstalled along with the "good" Restore files.
Following the instructions given in the link that dlh6213 posted should have deleted the contents of the System Volume Information folder, but if not, you can try to manually delete the infected files by doing the following:
1. The System Volume Information folder is a hidden folder; make it visible by opening Windows Explorer and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
2. In Explorer, browse/search for the infected files and delete them by hand.
3. Make sure to empty your Recycle Bin after deleting the files.
what does this virus do?
We can't tell that from the information you've posted; the names that AVG is giving you are just the names of infected files, not …
Sorry, and Thanks, I will
And I see that you have now. Thanks. :)
You're welcome. glad we could help. :)
Good work on your part- your latest log is very clean. :)
Are you still seeing any symptoms of infections? If so, give us some specific info on that.
Good job- that's a totally clean log now. :)
If the fix really worked, you should now be able to set your IE Start Page to whatever you want (the "hsremove.com" entry is obviously just left over from running the HSRemove utility).
Let us know if you're still experiencing any problems or if things seem to be working correctly now.
Very good; you're welcome. :)
Can you please post one final HijackThis log so that we can make absolutely sure that all signs of infections are really gone?
Thanks.
Hi Maged,
First of all- welcome to TechTalk! :)
We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.
Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).
For a full description of our posting guidelines and general rules of conduct, please see this page:
http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules
Thanks for understanding.
Better, but not by much.
1. Please download this additional "Temp\se.dll" removal tool. Run the utility and click on the "start disinfection" button to initiate the removal procedure.
2. Run HJT again and have it fix the following entries if they still exist:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {BB19CEC2-134E-499A-BBC6-ABC7A0315BDC} - (no file)
3. Reboot, run HJT again, and post a new log.
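The HijackThis lines quoted in the posts on this page all follow a fixed "code - description" layout. As an added example (not part of any post here, and not HijackThis's own code), the Python below splits such lines into fields and marks the patterns the posts single out for fixing; the flag names and the sample log, assembled from lines quoted in different posts on this page, are assumptions made for illustration.

```python
import re

# Meaning of the HijackThis section codes that appear in the posts on this page.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object (BHO)",
    "O4": "Autorun entry (Run key or Startup folder)",
    "O9": "IE extra button or Tools menu item",
    "O18": "Extra protocol or filter",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .exe or .dll; tolerates spaces in folder names.
FILE_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample: a header, one running-process line and six entries, all
# copied from logs quoted in different posts on this page.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Class - {D62594E2-75A1-6B2B-4FAE-446C6B595631} - C:\WINDOWS\system32\crys.dll
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O18 - Filter: text/html - {BB19CEC2-134E-499A-BBC6-ABC7A0315BDC} - (no file)
"""


def parse_line(line):
    """Return a dict for one log entry, or None for headers and process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = FILE_RE.search(body)
    # Registry-value entries (R0/R1) carry their data after " = ".
    value = body.split(" = ", 1)[1].strip() if " = " in body else None

    # Illustrative flags (assumed names) for patterns the posts ask to be fixed.
    flags = []
    if "(file missing)" in body or "(no file)" in body:
        flags.append("dangling")          # entry points at a file that is gone
    if value is not None and value.lower() == "about:blank":
        flags.append("about-blank")       # search/home value set to about:blank
    if value and value.lower().startswith("res://") and "\\temp\\" in value.lower():
        flags.append("res-from-temp")     # page served out of a DLL in a Temp folder
    return {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        "value": value,
        "flags": flags,
    }


def parse_log(text):
    """Parse every entry line in a pasted log, skipping everything else."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def review_queue(text):
    """Entries that carry at least one flag, in log order."""
    return [e for e in parse_log(text) if e["flags"]]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        marks = ",".join(e["flags"]) or "-"
        print(f'{e["code"]:<4}{e["section"]:<44}{marks:<16}{e["path"] or e["value"] or ""}')
```

An entry without a flag is not thereby clean: the O2 and O4 lines in the sample carry no flag here, yet the posts still list them for fixing, which is why the full parsed list is printed rather than only the flagged entries.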
There is a less "manual" Aurora removal procedure than that described in the link above. Please do the following:
You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.
* Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
* Download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.
* Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named "System Startup Service" or "SvcProc" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.
* Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in …
Mainly i was just trying to clean useless stuff up, and get rid of annoying startup programs and the like.
OK- I just needed to check; that's the shortest log I've ever seen from an XP system.
That said, every single entry in the log except the last one indicates the "about:blank" infection. Please follow the removal instructions in my first post in this thread, and give us a new log after that.
No, the log is very clean.
What specific signs or messages did you get that make you think that you've been reinfected?
Very good. We'll call this one solved then. :)
Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.
6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.
7. None of your utilities are of much good if you don't check for updates frequently; updates …
hmmm, Sorry about the strange line breaks again, it looked alright in the preview.. :(
I edited the post to clean up the formatting a bit. :)
That log looks very short on content for a normal XP computer, and it's missing a lot of entries that appeared in the first log you posted. Did your latest log come from a scan done while booted into Safe Mode? If so, you need to do a scan while booted normally and post that log.
MSplg7.dll does still exist in the system32 folder. Is it dead or just dormant?
Sorry I didn't address that earlier. Can you give us the creation date, modification date, and size of the file please?
As for ewido, try running it in Safe Mode. There may be something else running in normal mode that's conflicting with it.
Great; good work. :)
Does everything seem to be working correctly now?
Here is what currently is enabled with msconfig in the startup section:
If you find no reference to Nail.exe in any of the msconfig tabs, then the entry is in the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini
Click on the "Run..." option in your Start menu, type the following in the resulting "Open:" dialog box, and then hit Enter:
regedit
In the left-hand pane of the Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini folder and click on it to display its contents in the right-hand pane.
In the right-hand pane, look for a "Shell" value (or any other value, for that matter) which refers to "Nail.exe". If you find such an entry, just write down exactly what's listed there, but DO NOT edit/change anything yet!
If you don't see a Nail.exe reference in the main "system.ini" key, also look in the "Boot" subkey.
The only one item that I don't recognize is the ctfmon. It keeps on getting enabled after I disable it...maybe that's what's causing the error message?
Here's the scoop on ctfmon.exe:
OK- your log is clean now. :)
In terms of the error message, did you see and/or disable a reference to Nail.exe in the System.ini tab of msconfig? What else (if anything) did you disable with msconfig?
Hi Fiendforeva, welcome to the site. :)
The log you posted definitely shows signs of infections, but there are a few things you need to take care of before we can begin to work on it:
1. Logfile of HijackThis v1.98.0
The log entry above indicates that you are using a very old version (1.98.0) of HijackThis. Please download the latest version (1.99.1) and post the log it generates.
http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe
Once downloaded, create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
2. C:\Program Files\Internet Explorer\iexplore.exe
The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis. Before actually fixing problems with HijackThis, you should close all other open programs, especially your web browser and Windows Explorer. HijackThis cannot fully perform its fixes while any instances of your web browser are open.
3. The log you did post has odd line breaks and the like in it, which makes it difficult to read. Make sure the new log you post doesn't come out "fractured" like that.
You're welcome; glad we could help. :)
And yes- we hope that your system stays clean for a looong time. Surf wisely, and it just might.
No problem swatkat.
We've only got a few really active responders here, so we try to pick up/follow up for each other so that members aren't left hanging.
Given that, feel free to jump in yourself if you see a thread-in-progress that needs a helping hand. :)
That looks clean now; I was afraid that the vljgst.exe entry would "respawn" after you deleted it, but it hasn't. :)
Now that the log is clean, you should delete your existing (possibly infected) System Restore points and create a new, clean Restore Point. An explanation of that, and instructions on how to do it, can be found here.
Also:
Here are a few things you can/should do to minimize your chances of future virus/malware infections (some of which you're obviously already doing):
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously-install a good …
Aww- now I'm going to have to find another conspiracy. Oh well, back to the fridge....
:mrgreen:
Only certain features of ewido expire after the trial (automatic updates, real-time protection, etc.), but you should still be able to do manual updates and run scans. More on this tomorrow; it's dinner time for me right now....
Before I got infected I was already running...
Yeah, what I posted is just a "canned answer" that I paste from a text file; most people are already doing at least some of it. :)
That's looking much better now. :)
I only see one malicious entry left in your log, although it could be indicative of further "nasties" hiding elsewhere in your system.
* Have HJT fix:
O4 - HKLM\..\Run: [ligqbrj] c:\windows\system32\vljgst.exe r
* Delete the c:\windows\system32\vljgst.exe file and empty the Recycle Bin.
* Reboot, run HJT again, and post another log.
Some people have removed the program that way, but I myself have trouble recommending that someone trust a removal tool offered by the same company that gave you the infection in the first place.
You can do one of two things:
A) Use their removal tool and see what happens. Paranoid bugger that I am, I would do full system scans with ewido, Norton, and probably a few other utilities right after I used the online removal tool.
B) Since we're seeing no other signs of Aurora other than the Add/Remove Programs entry, remove the entry from the A/R P control panel manually: