11-30-2006, 05:51 PM   #2
amateur
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Hello and welcome to TSF.

First you'll need to place HijackThis.exe in a folder of its own for it to function properly. Click on an empty space on the desktop, then go to New>Folder to create a folder. Name the folder HijackThis. Drag and drop the HijackThis.exe into the new folder.

You have a kind of infection in which the infected files change and take a different name every time you reboot your computer. So, it's best if you don't reboot until we make sure the infection is removed. I also would like to find out if you have any malware disabled with selective start-up.


Copy/paste the following text into a new Notepad (not WordPad) document. Make sure that Word Wrap is unchecked (via Format).

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt


Go to the menu at the top of Notepad and choose Save As. Name the file msconfiglook.bat and set Save as type to All Files (not as a text document, or it won't work).
Select the Desktop icon on the left to save it on the desktop.

Locate msconfiglook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the cmd window will close automatically and the text file will be deleted.

================================================

We'll also need to disable Spyware Doctor so that it will not interfere with the fixes

To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and exit Spyware Doctor.
Once your log is clean you can re-enable Spyware Doctor.

================================================

Please save or print these instructions before beginning.

================================================

Open HijackThis. Please close all browsers, windows, applications, email, etc., except HijackThis. Then scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11


Make sure that all browsers, etc. are closed and click on "fix checked". Exit HijackThis.
================================================

Please download FixWareout by LonnyRJones from one of these sites and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
  • Run Fixwareout.
  • Click Next, then Install, make sure Run fixit is checked, and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.

Once back in Windows, close all web browsers.
  • Go into Control Panel > Network Connections.
  • Right-click on your connection and click Properties.
  • On the Properties page, highlight Internet Protocol (TCP/IP).
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the OK button. The page will close.
  • Press OK on the page in front of you.
  • Go to Start > Run, type in cmd and click OK. This will open a command prompt.
  • Type or copy and paste the following line in the command window, then hit Enter:
    ipconfig /flushdns
  • Exit the command window.
  • Restart the computer.
  • Start the Internet and IE.
  • Open this file c:\fixwareout\report.txt and post the contents of it, along with the msconfiglook.bat output, and a new HijackThis log please.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
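Added example, not part of amateur's post or of HijackThis itself: a small Python check that parses the O17 NameServer lines of a HijackThis log (sample lines constructed from the excerpt above) and flags any DNS server that is not one the user expects, which is the question the DNS caution in the post asks the user to settle before changing settings. The list of expected servers is an assumption the user supplies (their ISP's or router's DNS).

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the HijackThis excerpt in the post above.
# An O17 line records the DNS servers a Tcpip interface key is hard-wired to.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O15 - Trusted Zone: *.p0rt2.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Key path, then "NameServer = <one or more addresses>" (space, comma or semicolon separated).
O17_RE = re.compile(r"^O17 - (?P<key>\S+):\s*NameServer\s*=\s*(?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Return a list of (registry_key, [server, ...]) for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[ ,;]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def suspicious_nameservers(log_text, expected):
    """Flag O17 entries whose servers are not in the expected set (assumption:
    the user knows which DNS servers their ISP or router should hand out).
    Tokens that are not valid IP addresses are flagged as well."""
    expected_ips = {ip_address(e) for e in expected}
    findings = []
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                if ip_address(s) not in expected_ips:
                    bad.append(s)
            except ValueError:
                bad.append(s)
        if bad:
            findings.append((key, bad))
    return findings


if __name__ == "__main__":
    for key, bad in suspicious_nameservers(SAMPLE_LOG, ["192.168.1.1"]):
        print("unexpected DNS servers on", key, "->", " ".join(bad))
```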