Tech Support Forum - View Single Post

bry623 · 12-01-2005, 11:32 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download Hoster http://www.greyknight17.com/spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 82.195.155.5 c3310.z1301.winmx.com c3311.z1301.winmx.com c3312.z1301.winmx.com c3313.z1301.winmx.com c3314.z1301.winmx.com c3315.z1301.winmx.com c3316.z1301.winmx.com c3317.z1301.winmx.com c3318.z1301.winmx.com c3319.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1302.winmx.com c3311.z1302.winmx.com c3312.z1302.winmx.com c3313.z1302.winmx.com c3314.z1302.winmx.com c3315.z1302.winmx.com c3316.z1302.winmx.com c3317.z1302.winmx.com c3318.z1302.winmx.com c3319.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1303.winmx.com c3311.z1303.winmx.com c3312.z1303.winmx.com c3313.z1303.winmx.com c3314.z1303.winmx.com c3315.z1303.winmx.com c3316.z1303.winmx.com c3317.z1303.winmx.com c3318.z1303.winmx.com c3319.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1304.winmx.com c3311.z1304.winmx.com c3312.z1304.winmx.com c3313.z1304.winmx.com c3314.z1304.winmx.com c3315.z1304.winmx.com c3316.z1304.winmx.com c3317.z1304.winmx.comc3318.z1304.winmx.com c3319.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1305.winmx.com c3311.z1305.winmx.com c3312.z1305.winmx.com c3313.z1305.winmx.com c3314.z1305.winmx.com c3315.z1305.winmx.com c3316.z1305.winmx.com c3317.z1305.winmx.com c3318.z1305.winmx.com c3319.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1306.winmx.com c3311.z1306.winmx.com c3312.z1306.winmx.com c3313.z1306.winmx.com c3314.z1306.winmx.com c3315.z1306.winmx.com c3316.z1306.winmx.com c3317.z1306.winmx.comc3318.z1306.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1301.winmx.com c3521.z1301.winmx.com c3522.z1301.winmx.com c3523.z1301.winmx.com c3524.z1301.winmx.com c3525.z1301.winmx.com c3526.z1301.winmx.com c3527.z1301.winmx.com c3528.z1301.winmx.com c3529.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1302.winmx.com c3521.z1302.winmx.com c3522.z1302.winmx.com c3523.z1302.winmx.com c3524.z1302.winmx.com c3525.z1302.winmx.com c3526.z1302.winmx.com c3527.z1302.winmx.com 3528.z1302.winmx.com c3529.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1303.winmx.com c3521.z1303.winmx.com c3522.z1303.winmx.com c3523.z1303.winmx.com c3524.z1303.winmx.com c3525.z1303.winmx.com c3526.z1303.winmx.com c3527.z1303.winmx.com c3528.z1303.winmx.com c3529.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1304.winmx.com c3521.z1304.winmx.com c3522.z1304.winmx.com c3523.z1304.winmx.com c3524.z1304.winmx.com c3525.z1304.winmx.com c3526.z1304.winmx.com c3527.z1304.winmx.com c3528.z1304.winmx.com c3529.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1305.winmx.com c3521.z1305.winmx.com c3522.z1305.winmx.com c3523.z1305.winmx.com c3524.z1305.winmx.com c3525.z1305.winmx.com c3526.z1305.winmx.com c3527.z1305.winmx.com c3528.z1305.winmx.com c3529.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1306.winmx.com c3521.z1306.winmx.com c3522.z1306.winmx.com c3523.z1306.winmx.comc3524.z1306.winmx.com c3525.z1306.winmx.com c3526.z1306.winmx.com c3527.z1306.winmx.com c3528.z1306.winmx.comc3529.z1306.winmx.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present<<<<< unless you put it in yourself

Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart and run a new HijackThis scan. Save the log file and post it here.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
Click On 'Scan Now'
Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
If it finds any malware, it will offer you a report. Click on see report
Then click Save report
Post the contents of the report in your next reply along with a new HijackThis log.

· Turn off the real time scanner of any existing antivirus program while performing the online scan

12-01-2005, 11:32 AM	#5 (permalink)
bry623 Manager, The Conversation Pit/Analyst, Security Team Join Date: Apr 2002 Location: NW Territory circa 1787 Posts: 11,692 OS: winxp pro sp2	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm Download Hoster http://www.greyknight17.com/spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Don't run it yet. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O1 - Hosts: 82.195.155.5 c3310.z1301.winmx.com c3311.z1301.winmx.com c3312.z1301.winmx.com c3313.z1301.winmx.com c3314.z1301.winmx.com c3315.z1301.winmx.com c3316.z1301.winmx.com c3317.z1301.winmx.com c3318.z1301.winmx.com c3319.z1301.winmx.com O1 - Hosts: 82.195.155.5 c3310.z1302.winmx.com c3311.z1302.winmx.com c3312.z1302.winmx.com c3313.z1302.winmx.com c3314.z1302.winmx.com c3315.z1302.winmx.com c3316.z1302.winmx.com c3317.z1302.winmx.com c3318.z1302.winmx.com c3319.z1302.winmx.com O1 - Hosts: 82.195.155.5 c3310.z1303.winmx.com c3311.z1303.winmx.com c3312.z1303.winmx.com c3313.z1303.winmx.com c3314.z1303.winmx.com c3315.z1303.winmx.com c3316.z1303.winmx.com c3317.z1303.winmx.com c3318.z1303.winmx.com c3319.z1303.winmx.com O1 - Hosts: 82.195.155.5 c3310.z1304.winmx.com c3311.z1304.winmx.com c3312.z1304.winmx.com c3313.z1304.winmx.com c3314.z1304.winmx.com c3315.z1304.winmx.com c3316.z1304.winmx.com c3317.z1304.winmx.comc3318.z1304.winmx.com c3319.z1304.winmx.com O1 - Hosts: 82.195.155.5 c3310.z1305.winmx.com c3311.z1305.winmx.com c3312.z1305.winmx.com c3313.z1305.winmx.com c3314.z1305.winmx.com c3315.z1305.winmx.com c3316.z1305.winmx.com c3317.z1305.winmx.com c3318.z1305.winmx.com c3319.z1305.winmx.com O1 - Hosts: 82.195.155.5 c3310.z1306.winmx.com c3311.z1306.winmx.com c3312.z1306.winmx.com c3313.z1306.winmx.com c3314.z1306.winmx.com c3315.z1306.winmx.com c3316.z1306.winmx.com c3317.z1306.winmx.comc3318.z1306.winmx.com c3319.z1306.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1301.winmx.com c3521.z1301.winmx.com c3522.z1301.winmx.com c3523.z1301.winmx.com c3524.z1301.winmx.com c3525.z1301.winmx.com c3526.z1301.winmx.com c3527.z1301.winmx.com c3528.z1301.winmx.com c3529.z1301.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1302.winmx.com c3521.z1302.winmx.com c3522.z1302.winmx.com c3523.z1302.winmx.com c3524.z1302.winmx.com c3525.z1302.winmx.com c3526.z1302.winmx.com c3527.z1302.winmx.com 3528.z1302.winmx.com c3529.z1302.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1303.winmx.com c3521.z1303.winmx.com c3522.z1303.winmx.com c3523.z1303.winmx.com c3524.z1303.winmx.com c3525.z1303.winmx.com c3526.z1303.winmx.com c3527.z1303.winmx.com c3528.z1303.winmx.com c3529.z1303.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1304.winmx.com c3521.z1304.winmx.com c3522.z1304.winmx.com c3523.z1304.winmx.com c3524.z1304.winmx.com c3525.z1304.winmx.com c3526.z1304.winmx.com c3527.z1304.winmx.com c3528.z1304.winmx.com c3529.z1304.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1305.winmx.com c3521.z1305.winmx.com c3522.z1305.winmx.com c3523.z1305.winmx.com c3524.z1305.winmx.com c3525.z1305.winmx.com c3526.z1305.winmx.com c3527.z1305.winmx.com c3528.z1305.winmx.com c3529.z1305.winmx.com O1 - Hosts: 82.195.155.5 c3520.z1306.winmx.com c3521.z1306.winmx.com c3522.z1306.winmx.com c3523.z1306.winmx.comc3524.z1306.winmx.com c3525.z1306.winmx.com c3526.z1306.winmx.com c3527.z1306.winmx.com c3528.z1306.winmx.comc3529.z1306.winmx.com O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present<<<<< unless you put it in yourself Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff. Restart and run a new HijackThis scan. Save the log file and post it here. Please run an online scan at http://www.pandasoftware.com/products/activescan.htm Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it Click On 'Scan Now' Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB Begin the scan by selecting My Computer * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. If it finds any malware, it will offer you a report. Click on see report Then click Save report Post the contents of the report in your next reply along with a new HijackThis log. · Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ "If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"