pskelley

Hi Charles, This last log was posted before the last Ewido scan . I would like to look at a HJT log that was run after that last Ewido scan. The last HJT log you posted, Selective Startup is running in MSCONFIG: O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto , please do this: Start > Run > type "msconfig" without the quotes then OK. Choose "Normal Startup" then Apply and OK your way out. Scan with HJT and post a new HJT log. You may return to Selective Startup without a reboot if you wish. I will not need any log but the HJT log. I see no problems in the last log you posted, just want to be sure nothing is hiding from me. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.net-integration.net/index.php?showtopic=3051 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html Let me know how the computer is running now. If all is well, then you should follow the instructions to establish a clean System Restore point. Thanks...Phil

Hello Emanc2k, Yep you have a nasty and I am fairly sure it is this one: http://www.bleepingcomputer.com/startups/W...exe-f10486.html The first link was acting up so I am editing in another: http://castlecops.com/s5642-Winupdates_exe.html See this information: http://www.sophos.com/virusinfo/analyses/w32rbotmm.html Make sure you read the information under all of the tabs, this worm has made changes you might have to fix. Here is what I would like you to do: 1) This is probably where this junk came from: C:\Program Files\LimeWire\LimeWire.exe please see this: http://castlecops.com/startuplist-5068.html and this: http://www3.ca.com/securityadvisor/pest/pe...px?id=453088059 Open Add Remove programs, highlite then choose uninstall to rid yourself of this junk. Here is information and suggestions for some safe programs: http://www.spywareinfo.com/articles/p2p/ While you are in there look for C:\Program Files\winupdates\winupdates.exe and uninstall it if it is there, this is your trojan!! 2) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing. 3) Ewido trojan scanner: http://www.ewido.net/en/download/ Please download, install, update and scan your system with the free version of Ewido trojan scanner: [*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". [*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment. [*]From the main ewido screen, click on update in the left menu, then click the Start update button. [*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack.... [*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. [*]When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread. 4) Open Task Manager then the Processes tab. Locate and end process on these if there: C:\Program Files\winupdates\winupdates.exe C:\Program Files\LimeWire\LimeWire.exe 5) I see you have called your HJT folder "Maintainance" I have no problem with that, just store only HJT related items in the folder. Thanks. 6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) Close all programs but HJT and all browser windows, then click on "Fix Checked" 7) SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system. You may wish to reverse this process if you have any concern about anyone getting into these hidden system files. http://www.xtra.co.nz/help/0,,4155-1916458,00.html RIGHT Click on Start then click on Explore. Locate and delete these items: C:\Program Files\LimeWire\ >>> folder C:\Program Files\winupdates\ >>> folder 8) Run CCleaner then restart the computer and post a new HJT log along with the results of the Ewido scan in this same thread along with any feedback you have. Let us know how you are running. Thanks...pskelley Trusted HJT Advisor PCPitStop forum PURGE SYSTEM RESTORE When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

That is the list our your ISP's domain numbers. When I search the 017 line in your log I get this information:http://www.samspade.org/t/lookat?a=139.134.2.190 You can click to look at it, it indicates the range for your ISP which should be Telstra Internet is 139.134.0.0 - 139.134.255.255 if I am correct. The range in the 017 entry in your log is: 203.49.70.20 139.134.2.190. While I may not be right but often when I see ranges exceeded like that it is because of a hijacker. The only one who can reset this for you is your ISP, and they can tell you also if you have a problem. Please see this information about this area of your HJT log. http://www.bleepingcomputer.com/forums/ind...rial=42#O17Diag Can't help you with that one, I can only say there is some really bad infections out here now and you need to insist they practice safe surfing habits. I am surprised, why did you remove AVG? For a free program it is a very good one. Let me say this, when the computer comes home the programs on it are installed for their compatibility with each other. Once we start changing the configuration by adding new program, we can expect that they are not all going to work well with the others. With Xp many older programs will not work, best to check to make sure something is compatible with your system prior to downloading. Cherokee friends named me PhilFox about 1960, so here we are, a Bear and a Fox. I can say that your HJT log is clean of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.net-integration.net/index.php?showtopic=3051 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html Good luck and safe surfing Cheers...pskelley Trusted HJT Advisor PCPitStop forum

G'day Mate, I apologize if I confused you, I picked the name up from here: C:\Documents and Settings\Bear\Desktop\HijackThis.exe Not meaning to imply that wormfarmer is not a fine name A quick look at this log showed no malware and you supplied little information other than the fact that it was a "Log" and the fact that you Since I could see that Selective Startup was enabled I can't tell what I am not seeing. Folks seem to think that turning something causing a problem off will make it go away, and of course this is not the case. I am also concerned by the large span of numbers here: 203.49.70.20 139.134.2.190. If you will verify with your ISP that those numbers are correct and show me everything under the Startup Tab in your System Configuration Utility, I can quickly let you know if you have any issues being shown by HJT. Once again, sorry for using the wrong name. Cheers...Pskelley

Hello Bear, I need some information from you, but first: 1) We may not use it but your HJT needs a folder so it can store HJT.exe, logs and backups for safety. See these links if you need help: http://www.bleepingcomputer.com/forums/tutorial94.html Note: This video tutorial requires Macromedia Flash to play. http://www.spywareaid.com/index.php?file=svideo&id=1 2) You are running Selective Startup in MSCONFIG. I need to see a log with "Enable All". You can Enable, then scan for the log then return to Selective Startup without a reboot if you wish. Thanks. 3) I am not sure about this: O17 - HKLM\System\CCS\Services\Tcpip\..\{CACC1131-EE84-4B84-8DEB-CFEBFDC3633B}: NameServer = 203.49.70.20 139.134.2.190 If you are not sure there is no problem please check with your ISP and give them that information for validation and instructions. 4) Post a new log in this same thread, along with the information I asked for, Thanks. Thanks...pskelley Trusted HJT Advisor PCPitStop forum

Hi Ender_CM, You have a nasty infection but thanks to Swandog, racooper and miekiemoes we have a fix for it. Please make sure you follow the instructions carefully. Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/ Install it, and update the definitions to the newest files. Do NOT run a scan yet. Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?dow...050515010747824 Unzip it to the desktop but please do NOT run it yet. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode. For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. Then please run Ewido, and run a full scan. Save the logfile from the scan. Next please run HijackThis, click Scan, and check: F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe Close all open windows except for HijackThis and click Fix Checked. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. Thanks...pskelley Trusted HJT Advisor PCPitStop forum

Hi Jeremy, You have a nasty infection but thanks to Swandog46 and miekiemoes we have a fix for it, just follow the directions carefully. Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/ Install it, and update the definitions to the newest files. Do NOT run a scan yet. Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?dow...050515010747824 Unzip it to the desktop but please do NOT run it yet. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode. For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. Then please run Ewido, and run a full scan. Save the logfile from the scan. Next please run HijackThis, click Scan, and check: F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe Close all open windows except for HijackThis and click Fix Checked. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. Thanks...pskelley Trusted HJT Advisor PCPitStop forum

Hi Maligogo, Is your Dad having a problem? Because I do not see any malware. Here is what I suggest you do. 1) First make sure you have permission to download programs for security. I would make your Dad aware of my suggestions to be sure he wishes these changes made. 2) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing. 3) I see Spybot S&D but does he have Ad-aware. I suggest you use the following link to make sure he has Ad-aware v1.06 and Spybot 1.04 (both new) and that they are configured and run according to the instructions: http://tomcoyote.org/aawsb.php After we are finished, I suggest you activate a feature in Spybot called TeaTimer. This will require a little time to configure but it will give him some good realtime spyware protection: http://www.voiceofthepublic.com/SSD/SI/teatimer.swf.html 4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: (I suggest you remove these and you can click the link or I will tell you what it is) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...l?noreloadredir see the links >> http://www.greatis.com/appdata/u/v/viewmgr.exe.htm http://www.bleepingcomputer.com/startups/V...r.exe-6093.html Close all programs but HJT and all browser windows, then click on "Fix Checked" 5) Run CCleaner then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running. Thanks...pskelley Trusted HJT Advisor PCPitStop forum

Hi Nocc, I need to apologize for the delay, the notification system that is supposed to email me when you posted did not do so I located your post during my routine check. I will check your post manually for the duration of this repair. Good job following those instruction, your log is clean. How's it running? Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.net-integration.net/index.php?showtopic=3051 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html Here is some information about SP2 if you need it. http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx Please follow these instruction to clean out your System Restore files in case a trojan got backed up in there and could get back on the computer if you used SR. http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam I'll leave the thread open for a couple of days...safe surfing Thanks...pskelley Trusted HJT Advisor PCPitStop forum

Hello Nocc, You do have some issues that need to be addressed. 1) You are running msconfig in Selective Startup. I need to see all programs, for the next post enable all, scan for the HJT log then you may go back to Selective Startup without a reboot. Thanks. 2) You are running HJT from H:\hijackthis\HijackThis.exe, I do not know if this is a floppy or CD, please move HJT.exe to your C:\HJT\HijackThis.exe. 3) D:\AssimIRC v2\mirc.exe = http://castlecops.com/startuplist-6767.html Open Task Manager then the Processes tab, highlite and end process on D:\AssimIRC v2\mirc.exe 4) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing. 5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (unless you know what the next item is, check it) O1 - Hosts: 80.39.232.127 L2testauthd.lineage2.com O4 - HKLM\..\Run: [AntiVirusScanv.1.] C:\WINDOWS\AntiVirusScanv.1.3.pif O4 - HKLM\..\RunServices: [AntiVirusScanv.1.] C:\WINDOWS\AntiVirusScanv.1.3.pif Close all programs but HJT and all browser windows, then click on "Fix Checked" SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system. You may wish to reverse this process if you have any concern about anyone getting into these hidden system files. http://www.xtra.co.nz/help/0,,4155-1916458,00.html RIGHT Click on Start then click on Explore. Locate and delete these items: D:\AssimIRC v2\ >>> folder C:\WINDOWS\AntiVirusScanv.1.3.pif >>> file if there Let's clean your Prefetch folder: Locate C:\Windows\Prefetch folder and open it. Delete the contents of the folder (NOT THE FOLDER) if there are many choose Edit then Select all then Delete. You may not be able to remove them all, don't be concerned unless any have the name of the items we need to remove. Here is some information about the Prefetch for you: http://techrepublic.com.com/5100-6270-5165773.html http://www.pcmag.com/article2/0,1759,1683520,00.asp You have one nasty trojan, let's check for trojans in case any are hiding, run this free online scan, scan the whole system. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it. http://www.windowsecurity.com/trojanscan/ Run CCleaner then restart the computer and post a new log with all programs enabled in MSCONFIG, in this same thread along with any feedback you have. Let us know how you are running. Thanks...pskelley