PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, and btw svchost can be infected by viruses, but it is normal to have more than one running.

True dat!

Also, there are a number of malware that use files labeled svchost.exe. But they run from a directory other than system32 and are easy to spot. Equally easy to spot are those such as svchosts, scvhost and the like.....

PP :)
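The two checks in the reply above (a system process name running from the wrong directory, and look-alike spellings such as svchosts or scvhost) are easy to automate. The following Python is an added example, not code from the page or from any tool it mentions; the process snapshot is constructed, the system-process table and the edit-distance threshold of 2 are assumptions, and it expects a standard C:\WINDOWS layout.

```python
import ntpath

# Windows processes that malware commonly imitates, with the subdirectory of
# %SystemRoot% each one legitimately runs from ("" means %SystemRoot% itself).
# Assumed table for this example; extend it for your own baseline.
SYSTEM_PROCESSES = {
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "explorer.exe": "",
}

# Constructed process snapshot: (image name, full path). Several svchost.exe
# instances from system32 are normal; the last three are the kinds of entry
# the post says are easy to spot.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
    ("svchosts.exe", r"C:\Documents and Settings\User\svchosts.exe"),
]


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def expected_dir(name, system_root):
    """Directory a known system process should live in, case-folded."""
    sub = SYSTEM_PROCESSES[name]
    return ntpath.normcase(ntpath.join(system_root, sub) if sub else system_root)


def check_process(name, path, system_root=r"C:\WINDOWS"):
    """Return a reason string if the process looks like an impersonation, else None.

    Rule 1: a real system name running from anywhere but its expected directory.
    Rule 2: an unknown name within edit distance 2 of a system name (scvhost,
            svchosts, lsas ...). Threshold 2 is an assumption; a real baseline
            would also carry an allow-list for legitimate near-miss names.
    """
    lname = name.lower()
    actual_dir = ntpath.normcase(ntpath.dirname(path))
    if lname in SYSTEM_PROCESSES:
        exp = expected_dir(lname, system_root)
        if actual_dir != exp:
            return f"{name} running from {actual_dir}, expected {exp}"
        return None
    for sysname in SYSTEM_PROCESSES:
        dist = edit_distance(lname, sysname)
        if dist <= 2:
            return f"{name} resembles {sysname} (edit distance {dist})"
    return None


def audit_processes(processes, system_root=r"C:\WINDOWS"):
    """Run check_process over a snapshot and return (name, path, reason) for hits."""
    hits = []
    for name, path in processes:
        reason = check_process(name, path, system_root)
        if reason:
            hits.append((name, path, reason))
    return hits


if __name__ == "__main__":
    for name, path, reason in audit_processes(SAMPLE_PROCESSES):
        print(f"SUSPECT {path}: {reason}")
```

ntpath is used instead of os.path so the Windows paths in the snapshot are handled the same way on any platform the script is run from.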

PhilliePhan 171 Central Scrutinizer Team Colleague

The Kaspersky scan is attached here (quite long)

That's quite a healthy list! Those have been rendered harmless by your resident AV program. We can delete them manually - I do not know why your AV did not remove them. It just changed their extensions to disable them....

--- I'll need the AVG Anti-spy and Fresh HJT Logs before I can post the first removal steps for you.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I posted a request for help and got a reply telling me to check "Remember Me"...I did - several times - with no success. The other download (ShowNow) worked just fine. It makes me think it's not me!

I do not know what to tell you - GetRunKey is a tool that is proprietary to majorgeeks and to my knowledge is not used in other forums.
You'd be better off asking Chas about any issues with the downloads.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Greenhouse,

At quick glance, your logs look OK. Will take a closer look tonight when I have more time.

-- You should rename HijackThis.exe to analyzer.exe.
I am not sure hijackthis.exe.exe (as you have it) will escape detection by Vundo and other malware.

Are you sure about the spelling of lsas? Where was it running from? Do you know the path?
C:\WINDOWS\system32\lsass.exe --> this is the legitimate (and properly spelled) lsass.exe that is showing in your HJT log......

-- You can fix this entry with HJT ---> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I am not sure what it is - might be benign or could be a sign of a deeper infection. Based on the logs, I am leaning toward it being benign.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

GetRunKey is a tool created by my friend Chaslang at Majorgeeks.
If you are following the "Read and Run Me First" that he wrote, I suggest going ahead and posting a thread for help in his Forum and let him know you had difficulty downloading GetRunKey.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks, it's actually my family computer, not my own, so my brothers mess it up pretty good. I'll try out the steps and get back to you. Thanks.

Well . . . They sure messed it up pretty good this time! :)

There are more bad than good items in the HJT log!
-- You will be able to uninstall some via Add/Remove programs, while others will require some specifically designed tools.

It will be a lot of work, but not particularly difficult. Just time-consuming due to the number of tools and scanners you'll need to run.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sounds like a worm or two.....

--- Didn't you have another thread recently where you ended up Re-Formatting?
--- Six instances of svchost.exe running is not unreasonable.


Anyhoo, I'd be happy to have a look ( time permitting )


Follow the steps that I have written here.
Please obtain the three logs listed below as directed in my steps and post them here.
-- Be sure to locate HijackThis in a safe folder and RENAME HijackThis.exe as directed in the steps!

1- Kaspersky Online Scan Log
2- AVG Anti-Spy Log
3- Fresh HJT Log

Let me know if you have any questions . . .

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I recently had a virus problem and virus protection took care of it. . . .

Wow - I have not seen this many different infections on a machine in quite some time!
You have collected quite a diverse boatload of malware!


It may be easier to simply reformat your machine. However, if you'd like to have a go at cleaning it, please do the following:

Follow the steps that I have written here.
Please obtain the three logs listed below as directed in my steps and post them here.
-- Be sure to EXTRACT HijackThis to a safe folder and RENAME HijackThis.exe as directed in the steps!

1- Kaspersky Online Scan Log
2- AVG Anti-Spy Log
3- Fresh HJT Log

Those ought to provide a decent starting point.
Let me know if you have any questions . . .

Best Luck
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\WINNT\system32\xcttgs.dll -> Backdoor.Haxdoor.ky : Cleaned with backup (quarantined).
[1640] C:\WINNT\System32\xcttgs.dll -> Backdoor.Haxdoor.ky : Cleaned with backup (quarantined).
[408] C:\WINNT\system32\xcttgs.dll -> Backdoor.Haxdoor.ky : Cleaned with backup (quarantined).

It appears that AVG was able to clean that particular baddie.

Are you still having any problems? If so, we can try a few additional scans.....


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey guys,
I have run across something similar to this a few times. Hard to tell from just a HJT Log, but.....

You may likely have a baddie in the Nuwar or Peacomm family.
Some components may be protected by a rootkit.
Also - you may have been initially infected via P2P download.... Food for thought.

O4 - Global Startup: MSconfig.exe --> may be an SDBot

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zinblog.com/ --> not sure how this fits into the puzzle, may be re-infecting you...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You have a fairly serious baddie that is protected by a rootkit. If nobody else is here able to help you clean your compy, I will try - I do not have a lot of Forum time these days....

C:\WINNT\system32\xcttgs.dll -> Backdoor.Haxdoor.ky : Error during cleaning.
[408] C:\WINNT\system32\xcttgs.dll -> Backdoor.Haxdoor.ky : Error during cleaning.

There will probably be a rootkit driver labeled xcttgs.sys in addition to the above.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It is brilliant, but I did want to ask ... it doesn't seem to be running in the toolbar or anything. Is this something that runs in the background?

That's the great thing about it..... It does not "run," per se. It just places entries in your registry that block known baddies from perpetrating unwanted ActiveX installs. It also blocks other malware threats as well as tracking cookies in this manner. You don't even know it is there..... 'course, you still have to remember to Update the DB! (or set it to auto)
I have a desktop Icon for it - I sometimes use its database to reference baddies.

I think these files are something to do with a Windows update that's gone a bit wrong.
I've tried to update it about 6 or 7 times and it says it's done, but when I restart it's right back there again saying it needs to update!
I even went to the update site and tried to do it through there, but it's still not working.

That's what I figured.... Are you updating via IE or Firefox?
These errors are a pain to troubleshoot. Is it just this particular update? Are you able to install other "critical updates?"

I'm not getting the pop-ups or redirect on my laptop now ... does this mean it's safe to start using things like my online banking again?

I think so - I did not see any backdoors or …

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry to hear that! I did not think it was that bad.

But, at least you'll be certain your machine is clean. . . .

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It might be related to AIM, since I downloaded it a few hours after I booted up my PC for the first time.

The linky I gave you in the other thread
http://www.daniweb.com/techtalkforums/thread69791.html
should explain why you cannot find this AIM-related file after you do not allow it to run.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's my Hijack log, can you help?
Thanks,
Ray

Hi Ray,

That's a baddie and you should be able to remove it. You just need to stop it from running via Task Manager, fix any related entry(s) with HJT and then DELETE the file using Windows Explorer.

I can talk you through it, but will be away from the compy for a while....

Also, I cannot remember exactly which baddie this is. Could you please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINNT\system32\NOD32KERNELS.EXE and Upload it for analysis. Please Copy&Paste the results along with the fresh HJT Log when you post back.

I may not be able to check back until tomorrow evening (EST)

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, I just got my new laptop yesterday, which came with Vista Premium.

EXEC.EXE has been used by both legitimate apps and baddies. You would really need to look at it more closely to make the distinction. (check properties or upload to an online scanner such as Jotti...)

However, I think this may answer your question ---> Did Windows Vista's most irritating feature save my butt?

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The thread your link directs to is amazingly helpful ... thanks!
I've downloaded a few of the applications and already Zone Alarm has blocked things trying to access my PC that Norton didn't see ... silly that a free programme works better than the £50 one *rolls eyes*

Happy to help!

I still need to rework my recommendations page and update it a bit, but the basics are still valid.
It is good to have a software firewall (even if you are behind a hardware firewall) such as ZA because, unlike the built-in Windows Firewall, it monitors both incoming and OUTGOING traffic. So, if a baddie somehow makes it onto your machine and then decides to try to "phone home," ZA will pop up and ask if you want to allow it.....
Of course, it will take a few days until ZA "learns" what you want to allow and what you want to block.
I imagine you found their flash tutorial helpful?

Spyware Blaster is my favorite anti-malware tool - it is wicked in its simplicity. It uses zero system resources - just adds what it calls a "kill bit" to the registry for all the bad CLSIDs in its database, thus blocking those nasty ActiveX downloads. Excellent! Just remember to Online Update its DataBase every 10 days or so...

Anyhoo, the logs look OK, except for the following. I do not know what they are:

2007-02-12 01:17 <DIR> d-------- C:\c58930f38af91c528bd17fd98596

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi somethingelse,

I have replied to your thread on this topic at Spywarewarrior.com.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you want, post the Kaspersky and AVG logs and we'll have a look.

If a HJT scan is called for, then we'll do that & maybe a few others, if needed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Running HJT is not going to do anything in and of itself. It may show some malware.

Personally, if malware is suspected or you want to start to rule it out, I suggest starting with Kaspersky Online Virus Scan and AVG Anti-Spyware Scan as I have outlined in these steps.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

anime

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey,

I see a lot of people have HijackThis logs in here. Should I have HijackThis? If so, why?? I used to have it on my computer before I formatted it. I never put it back on because I thought it was some type of spyware.... obviously it was not.

Thanks

HijackThis is strictly an analysis tool for people who know how to analyze the data provided. It is not preventative in nature.

If you think you have a malware issue, then it is usually among the tools a Forum volunteer will ask you to run.

So, no, you should not have it on your compy - too many people bork their machines by messing around with HJT. . . ..

If you want to safeguard your compy, see my linky below!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hang in there for Crunchie to post back - Your combofix log showed a number of additional baddies not related to Vundo.

-- Vundo is tricky in that it has all sorts of backups and protections that reinstall it. Vundo has been around for a long time and there are many different versions/variations on it.
Unscrupulous affiliates use it to extort people into buying their crappy Anti-spy apps.
One popular one was WinFixer. Often, you'll hear of Vundo referred to as WinFixer because of this....


Anyhoo, as I mentioned, there are still a few baddies yet to be dealt with.
I am going to step out and let Crunchie continue here. Doesn't seem right to have two volunteers working one thread when so many more go unanswered.....


-- In addition, I do not see reference of these being removed:
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\tsrqr.bak1
+ a few others (I listed them below)

I have seen a ton of Vundo over the last few years and these follow the pattern (ini & bak extensions)
This is why I was not sure if Atribune's removal tool would get it all.

Anyhoo, I'm sure crunchie will get you sorted out!

Cheers :)
PP

Here - I'll list all the ones that jump out at me - Some are definitely Vundo or other Malware and a few are "iffy," meaning that I do not know …

PhilliePhan 171 Central Scrutinizer Team Colleague

The IP address in those items you told me to remove from HJT was the same one that was saved on my PC before I changed the DNS back to automatic ... is this what is causing part of the problem?

That is part of it - along with the hidden Trojan that Fixwareout removed.

Do I need to contact my ISP to change the IP?

That is not necessary. Just take proper precautions to prevent reinfection. See my linky below!
If your Norton doesn't come with a Firewall, I suggest you install ZoneAlarm. Also, Spyware Blaster (in the linky).
Better yet, when your subscription to Norton runs out, I suggest an upgrade....
You might have a look at Kaspersky Internet Security 6.0
Easily the best Security Suite option for the money....

Found another Trojan on the AVG scan ... any reason this wouldn't have been in the AVG scan I did yesterday?

That is probably the same one - Trojan.DNSChanger.hk
Only this one is in System Restore. Usually, after a battle with malware, it is advisable to flush your System Restore points because some malware can be preserved along with the legitimate stuff. In this case, it looks like AVG was able to clean the baddies....

Thanks, Sarah :)

You're welcome! Happy to help :)


-- I would still like to see a Fresh Combofix log. If I remember correctly, there were some "iffy" items …

PhilliePhan 171 Central Scrutinizer Team Colleague

No problem with butting in PhilliePhan :). Feel free. For some reason, that combofix log looks like crap. Can you read that ok?

I think it is a formatting issue with the default text editor. When I choose to "reply with quote" (or perhaps even just reply and scroll down), logs are formatted properly in the quotebox and elsewhere in the thread and I just copy them to notepad and look at them that way.....

--- I did not see any of the files typically replaced by AWF but here is the top part of the combofix log. Besides the Vundo, there are a few oddities that bear further scrutiny:

"John" - 07-02-09 19:12:42 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\packages\VerminTools"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\Sm9obg
C:\Program Files\Common Files\{3C6AE~1
C:\Program Files\Common Files\{5C6AE~2
C:\Program Files\Common Files\{5C6AE~1
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\outlook

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 22:39 118,804 --a------ C:\WINDOWS\SYSTEM32\uoeoeloc.dll
2007-02-08 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-02-08 12:02 <DIR> d-------- C:\Program Files\Security Task Manager2
2007-02-08 12:01 <DIR> d-------- C:\Program …

PhilliePhan 171 Central Scrutinizer Team Colleague

And please don't butt out... I'm an old OS internals guy and one thing I learned early on is that no one person has every gem at his fingertips. The more people I ping the smarter I get. I've resisted delving into NT/XP internals, but I probably won't let this go until I understand how a file can be kept from being deleted during a boot cycle. (Btw, while I may be a Reds fan, I have still enjoyed watching the Phillies play at old Crosley Field, Riverfront, Wrigley, St. Louis, San Diego, Dodger Stadium, and Candlestick.)

I've seen plenty of Reds games in my time - was fortunate enough to see the Big Red Machine in the mid-70s.

I have listened to Marty and Joe since Marty signed on about '74ish..... Sad to see the way they kinda forced old Joe out.


-- Anyhoo, I really don't want to hijack Crunchie's action here. Too many cooks spoil the broth, and all that....

The combofix log shows a number of baddies including, as I suspected, VUNDO. I'm not sure if Atribune's removal tool will get this one - manual removal may be in order - but I would suggest doing the following first:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive …

PhilliePhan 171 Central Scrutinizer Team Colleague

I actually apologize. I jumped the gun with the last post. I hadn't clicked okay after the "system restore complete" screen popped up.
I hit okay, and my taskbar and desktop icons are back.
However, I am still worried about there being a problem somewhere that needs to be fixed.

I figured that would do the trick :cool:

-- You are probably correct in assuming that there are some baddies on your compy....

Please run through these steps I have written.
Please obtain the three logs as directed and post them here.
-- Be sure to RENAME HijackThis.exe as directed in the steps!

1- Kaspersky
2- AVG Anti-Spy
3- Fresh HJT Log

Let me know if you have any questions . . . I'm heading out the door shortly (hey, it IS the weekend), but will be here on and off over the weekend.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

What happens when you RightClick on the Desktop?

PhilliePhan 171 Central Scrutinizer Team Colleague

And. . . . You do have a baddie showing in your HJT log. May have been partially cleaned, but more scans will probably be needed.

No worries!

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you get into Safe Mode? Boot to Safe Mode with Command Prompt and then type:

%systemroot%\system32\restore\rstrui.exe

Hit Enter and you should be able to use System Restore to go back to last point....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I do not want to get in Crunchie's way here, but try this:

1. Download this file :
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. DoubleClick combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Please submit that for us.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall...


-- Rename HijackThis.exe to something else such as HJTscan.exe. Certain baddies such as VUNDO hide from HijackThis.exe. Your symptoms sound like VUNDO - though I doubt the BHO is VUNDO-related because it is showing in the log.
A Combofix log will tell a bit more... . .


And, you've got this piece of adware:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Probably partially cleaned by one of your antispy apps. I don't see a resident AV. . .. - that would probably have gotten it as well.
You might want to double-check this . . . And certainly delete C:\WINDOWS\Sm9obg

I will butt out now - hate to step on a moderator's toes! :cool:


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Probably the easiest thing to do would be a System Restore to the last Restore Point saved before you had problems.

Then, we can have a look and see if there was a malware cause.

Are you able to access System Restore?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I posted some steps for you - pretty much the same as before, as you probably figured...;)

I guess we won't worry about that file we deleted. If it was legit and down the road you find you need it, should be no problem to get another copy....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Sarah,

There are a few "iffy" items in the combofix log - we'll figure them out later.

First, these steps need to be run - pretty much same as before ;)

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C3338E8-986F-4033-B0EC-2309FE31F0FF}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{5737BCEC-DDD7-4816-A4F5-EE3812D97D77}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C419E89-D305-4BBD-8803-5F2BF0356C4A}: NameServer = 85.255.114.90,85.255.112.92

PhilliePhan 171 Central Scrutinizer Team Colleague

I deleted that folder last night because it was empty ... but I'm sure that is the same thing I had to delete from Windows when I rebooted in Safe Mode.

Hi Sarah,

I should have time to look at the new thread.

--- What I was wondering is whether you knew what that Program Files/ProxyLicense folder was.... I imagine it was indeed related to the file you deleted --> C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe

I just want to make sure it was not something legit (certainly did not look legit) and needed. Do you/did you need a Proxy?


No worries, I guess. We'll deal with that if we need to.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Combofix log looks OK.

Can you tell me what this is?
2007-02-04 16:23 <DIR> d-------- C:\Program Files\ProxyLicense

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I do all of these scans and stuff on my laptop now as well? :confused:
Sarah

If you like . . . . But start a new thread for the laptop so we don't get confused.

I still have yet to take a thorough look at the combofix log for this thread. :cool:

For the laptop - a HJT Log, a combofix log and AVG Anti-spy log ought to be enough to get us started.
If you want to have a pass with VundoFix, that's up to you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Whilst I am not the most knowledgeable in computers, I have discovered that my browser has been hijacked. If someone could please look at the copy of my log below and let me know what I need to do to get rid of it, it would be very much appreciated. If there is any further info that you require, please let me know.

Hi Natkia,

Please do the following:

FIRST:
Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
If you are unable to move it on your own, please let me know.

THEN:
Download RemAdvertisemen by Atribune to your Desktop.
-- DoubleClick remadvertisemen.exe to run it.
-- Click the Start Removal button and allow it to run until you see Done Removal! Please reboot your computer now message.
-- Click OK and then reboot your computer.

NEXT:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions!
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

THEN:
Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Sarah,

Will have a more thorough look this evening, but a quick glance shows VUNDO.

This hides from HJT unless you rename hijackthis.exe to something such as HJTScanner.exe.

Please run Atribune's VundoFix.exe
as per the instructions in the linky and post the log.

Back in a bit!
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

The DNS thing wasn't quoted in the bit I posted; it was just that quite a few people in that thread had said that changing the DNS back to automatic had worked for them.

That's just part of the solution to this problem - one should do that after the steps we just did, if it is needed.


I assume this is your ISP?

inetnum: 212.139.0.0 - 212.139.255.255
org: ORG-TUL3-RIPE
netname: UK-TELINCO-990326
descr: Tiscali UK Ltd
country: GB
admin-c: TU935-RIPE
tech-c: TU935-RIPE
status: ALLOCATED PA
notify: **********@uk.tiscali.com
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TU935-RIPE-MNT
mnt-routes: TU935-RIPE-MNT
changed: **********@ripe.net 19990326
changed: **********@ripe.net 20040121
changed: **********@ripe.net 20051104
source: RIPE

organisation: ORG-TUL3-RIPE
org-name: Tiscali UK Limited
org-type: LIR
address: 20 Broadwick Street
address: W1F 8HT
address: London
address: United Kingdom



I'd like to see a fresh HJT log and a ComboFix log.

1. Download this file :
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. DoubleClick combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Please submit that for me.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall...

Since i turned on the computer today the pop ups and redirects seem to have gotten worse, …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Zeon,

I’ve got to run, so we’ll operate under the premise that C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe is a baddie.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [inside 64] C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE30C0AC-01F2-4E05-977D-9DA7EAFCF049}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
Be sure All Browser Windows are Closed …
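The O17 NameServer entries listed in this post and in the earlier FixWareout post are the fingerprint of the DNS changer being cleaned, and HJT writes the server list with either a comma or a space as separator (both forms appear above). The following Python is an added example, not code from the page, FixWareout or HijackThis: it pulls O17 entries out of an HJT log and flags any resolver outside the trusted networks; the only trusted network assumed is the ISP allocation 212.139.0.0/16 from the RIPE excerpt above, the sample log lines are constructed, and 212.139.132.10/.11 are made-up in-range resolvers.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format: the first three O17 lines carry the
# rogue resolvers from the thread, the fourth a made-up resolver inside the ISP's
# own allocation, and the last line is not an O17 entry at all.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{76B4F42D-817E-4CDE-A535-D3BE1975A3EA}: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE30C0AC-01F2-4E05-977D-9DA7EAFCF049}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C3338E8-986F-4033-B0EC-2309FE31F0FF}: NameServer = 212.139.132.10,212.139.132.11
O4 - HKCU\..\Run: [inside 64] C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe
"""

# HJT names the control set (CCS = CurrentControlSet, CS1/CS2 = the other stored
# sets) and then either an adapter GUID or the global Parameters key.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<sub>[^:]+): "
    r"NameServer = (?P<servers>.+)$"
)


def parse_o17(line):
    """Return (control_set, subkey, [server, ...]) for an O17 line, else None.
    Splits on comma or whitespace because HJT shows both separators."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("cs"), m.group("sub"), servers


def is_trusted(server, trusted_nets):
    """A resolver is trusted if it is a private address (home router) or sits in
    one of the caller's trusted networks, normally the ISP's own allocation."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspect
    if ip.is_private:
        return True
    return any(ip in net for net in trusted_nets)


def audit_nameservers(log_text, trusted_nets):
    """Report every O17 entry that points at a resolver outside trusted_nets.
    Entries in CS1/CS2 are reported too: the fix above lists them because a
    changer left in a stored control set can be copied back into CurrentControlSet."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        cs, sub, servers = parsed
        rogue = [s for s in servers if not is_trusted(s, trusted_nets)]
        if rogue:
            findings.append({"control_set": cs, "subkey": sub, "rogue": rogue})
    return findings


if __name__ == "__main__":
    # Trusted network taken from the RIPE excerpt on this page (assumed to be the ISP).
    isp = [ipaddress.ip_network("212.139.0.0/16")]
    for f in audit_nameservers(SAMPLE_HJT_LOG, isp):
        print(f"{f['control_set']:<4} {f['subkey']:<45} -> {', '.join(f['rogue'])}")
```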

PhilliePhan 171 Central Scrutinizer Team Colleague

Can anyone tell me if this IS actually causing the problem and, if so, what else can I do besides changing the DNS back to automatic?

I did not read that quote, but I can tell you that you have what is referred to as a Wareout infection.

Give me a few minutes and I'll post some steps for you.


Do you know what this is:
C:\DOCUME~1\SARAH~1.SAR\APPLIC~1\PROXYL~1\atom okay.exe ??
Let me know so I can add it to the fix.....

It looks a bit like LOP....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

In addition to my previous post, you should really do the following:

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_70_302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

-- Otherwise, the new logs look OK (we'll still need to flush System Restore after we finish).
You should delete this baddie that was still found by Kaspersky:
C:\Documents and Settings\Carrie_2\inetd.exe -- Infected: Backdoor.Win32.IRCBot.gen
Or, is this something you recognize?


-- About the Trusted Zone:
Are your IE Security Settings set so high that you need to put these known sites into the Trusted Zone? Did you change those settings?

Let me know.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey P! Managed to get through these instructions without incident. Thanks for making them so clear. I did remove the trusted sites, but have a problem (i.e. links don't open) with moving around within a site if the site is not listed in Trusted. Drop-downs for file selection, such as to upload an attachment, take eons to open. Not sure if related, but the CD writer software doesn't recognize that a CD is inserted. Trying to think what else... Here are the new logs. Again, many thanks. Your help is greatly appreciated.

Happy to help!

Those problems do not make any sense with the steps we ran.
Sites should not have to be listed in the Trusted Zone for them to work properly
What is really weird is that I am helping somebody in a different forum with a similar problem with uploading attachments in a few forums they visit..... Sounds like a javascript issue.....

Do This:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! (jre1.5.0_04 and any others)
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

Then, run ATF Cleaner again to flush the Java Cache.

-- You could try reinstalling the CD Writer software, but I do not think anything we did affected that....

I will double-check the logs when I get home …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi there, thanks so much for replying. I have installed AVG AV before AVG Antispy (did it after log). Norton is not fully updated, hence me downloading AVG AV. Shall I still delete AVG AV? Many thanks x

Pick one to keep and Uninstall the other.

Multiple resident AV programs often interfere with each other, and - in addition to slowing performance - can actually lower your AV protection.
Definitely not a good idea!

-- Your Norton tends to be a bit bloated and a system resource hog - but it can be extremely difficult to uninstall.....

-- When you run AVG Anti-spy, please do it according to the instructions in my steps. Set it to "quarantine" and allow it to clean what it finds before saving the log!


I will check back as time permits :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I downloaded HJ, and here is my log. I also have just downloaded AVG Anti-Spyware.

I see a few problems in your HJT Log. But first, it looks like you installed AVG Anti Virus instead of Anti-Spyware - that is not good, because it will interfere with your Norton AV....
UNINSTALL AVG. Do that now.

NEXT:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions!
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.


THEN:
Please look at these steps I have written and obtain the three logs as directed and post them here.

1- Kaspersky
2- AVG Anti-Spy
3- Fresh HJT Log

Let me know if you have any questions - I'm happy to talk you through the cleanup process. Don't let it intimidate you!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry about the crappy log, but I don't know how to put it in without it messing up, and the attachment button isn't working. I'm guessing it's because of my lame screwed-up computer. Thanks for any help.


Just make sure "word wrap" is turned OFF when you save the HJT Log.

You've got a few issues. Here are some steps to get you started:

Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
O17 - HKLM\System\CCS\Services\Tcpip\..\{42634319-BAFE-4CA8-879B-BF31D9BCDE71}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{5961A949-B2C3-4241-9205-A898558247A1}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150
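The three O17 entries above are the tell-tale of a DNS hijack: every lookup the machine makes is being answered by resolvers the owner never configured. As an added example (not part of this post and not a HijackThis feature), the script below parses O17 lines in the shape shown here, extracts every NameServer address, and reports any that is neither an RFC 1918 address (a home router handing out DNS) nor on an allowlist of resolvers you trust. The allowlist value `203.0.113.53` and the benign `192.168.1.1` line are constructed for the demonstration; the two 85.255.x.x addresses are the ones quoted in the log above.

```python
import re
from ipaddress import ip_address

# Constructed sample log lines. The first two reproduce the O17 entries quoted in
# the post above; the third is a constructed benign entry (home router); the O4
# line is there to show that non-O17 lines are ignored.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{42634319-BAFE-4CA8-879B-BF31D9BCDE71}: NameServer = 85.255.116.150,85.255.112.70",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# Constructed allowlist: the resolver(s) your ISP or organisation actually assigns.
ISP_RESOLVERS = {"203.0.113.53"}

# O17 line shape: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17\s*-\s*(?P<key>.+?):\s*NameServer\s*=\s*(?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [nameserver, ...]) for an O17 line, or None otherwise."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key").strip(), servers


def nameserver_is_expected(server, allowlist):
    """A private (RFC 1918) address or an allowlisted resolver is expected.
    Anything else, including a value that is not a valid IP, is reported."""
    try:
        ip = ip_address(server)
    except ValueError:
        return False
    return ip.is_private or str(ip) in allowlist


def flag_rogue_nameservers(lines, allowlist):
    """Scan HijackThis log lines and return [(registry_key, server)] for every
    NameServer value that is not expected."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            if not nameserver_is_expected(server, allowlist):
                findings.append((key, server))
    return findings


if __name__ == "__main__":
    for key, server in flag_rogue_nameservers(SAMPLE_HJT_LINES, ISP_RESOLVERS):
        print(f"unexpected NameServer {server} under {key}")
```

Each flagged pair names both the interface key and the resolver, which is what you need when deciding which O17 lines to fix and when checking, after the reboot, that the entries did not come back.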

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Greg,

This sounds like the work of a particular trojan to me.

Please look at these steps I have written and obtain the three logs as directed and post them here.
1- Kaspersky
2- AVG Anti-Spy
3- Fresh HJT Log

They should give us the necessary information needed to help you out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I rebooted my computer after a long time. Everything looks normal now. I didn't do anything to fix the network issue. Perhaps you're right that it has nothing to do with what we just did.

Anyway, thanks a lot for helping me get rid of that annoying desktop stuff. Really appreciate it. :-))

Happy to help! :)

-- I think I initially misinterpreted your connection problem. Looking at it again, it looks like some troubleshooting of your wireless network might be in order.
It could be related to any number of things: Firewall settings, Winsock, Network Card, Router, and so on.....

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

This happened immediately after I fixed the previous problem of the desktop background.

This would be completely unrelated to what we just did.

The registry keys we addressed have nothing to do with your wireless network.


You could try this:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

If that doesn't help, we can try a few other things....

PP :)