15 steps

  #21  
Old 03-05-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
Here are the new HJT and ComboFix logs.
It looks like the 08 entries were deleted successfully but the 023 Netcom3 entry still appears.
However, my Google searches are now directing me to the correct websites.
Attached Files
File Type: log hijackthis.log (11.2 KB, 2 views)
File Type: txt ComboFix Log.txt (13.7 KB, 1 views)

Last edited by jjdb5; 03-05-2008 at 08:44 AM..
  #22  
Old 03-05-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
Is it possible that the NetCom3 entry could cause problems if it can't be removed?

Last edited by jjdb5; 03-05-2008 at 03:42 PM..
  #23  
Old 03-05-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,048 posts
Ok, first let's install the recovery console, then we will continue to remove

Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Windows XP SP2

Download the file and save it under its original name to your desktop

Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.


Last edited by Blind Dragon; 03-05-2008 at 04:00 PM..
  #24  
Old 03-05-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
Here is the CF-RC log.
Attached Files
File Type: txt CF-RC.txt (327 Bytes, 2 views)
  #25  
Old 03-05-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,048 posts
Start -> all programs -> Accessories -> command prompt
type services.msc at the command prompt and press enter

Stop the netcom3 or PSCMonitor.exe service from running by right-clicking it and choosing Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.

Reboot into safe mode

Launch Hijackthis -> System Scan only -> check the following
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


Select Fix checked
--------------------------------------------------------------------------------------------------------
Reboot into normal mode
--------------------------------------------------------------------------------------------------------
Run a fresh scan with Hijackthis and attach the log here

Last edited by Blind Dragon; 03-05-2008 at 11:28 PM..
  #26  
Old 03-06-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
After I followed the directions at the command prompt and ran HJT in safe mode those three entries were already not listed.

However, when I rebooted in normal mode, the 017 entries appeared but the 023 remained missing.

I checked off and fixed the two 017 entries and here is the latest and greatest HJT log.
Attached Files
File Type: log hijackthis.log (10.8 KB, 2 views)
  #27  
Old 03-06-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,048 posts
The log looks fine to me now, as long as those 017 entries don't come back. I am going to ask for a 2nd opinion just to be sure. While we wait, a new Java update just came out yesterday and you can update this one through the console. Also, I may see one more thing in there: what brand of computer are you running, HP or DELL?

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

Last edited by Blind Dragon; 03-06-2008 at 09:34 AM..
  #28  
Old 03-06-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
I installed the new version of Java - thanks.
Also I have a Dell system and an HP printer.

I ran another HJT and those 017 entries do keep reappearing. It lets me delete them but they come right back. The log is attached
Attached Files
File Type: log hijackthis.log (11.0 KB, 2 views)
  #29  
Old 03-06-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,048 posts
Now that we have system restore off, let's try this again

FixWareOut
run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries

* HijackThis should launch automatically
* Click on the Scan button
* Put a check beside all of the items listed below (if present):

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21



* Close all open windows and browsers/email, etc...
* Click on the "Fix Checked" button
* When completed, close the application.
-----------------------------------------------------------------------------------------------------
Go to start -> all programs -> accessories -> command prompt
At the command prompt type => ipconfig /flushdns
Close the command prompt
--------------------------------------------------------------------------------------------------------
Run Ccleaner again
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option, this should be unticked)
  • Click the run cleaner button. Do this several times
  • Click the registry Icon on the left hand side -> scan for problems
  • Have it fix whatever it finds
------------------------------------------------------------------------------------------------------------

Restart your computer, run a fresh scan with HijackThis and let's see if they are still there. If they are, I must be missing something and will ask for a fresh look at the logs from somebody else.
  #30  
Old 03-07-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
I received an error message at the command prompt when I tried to enter that command:
"Could not flush the DNS Resolver Cache: Function failed during execution."

I did run FixWareout again and CCleaner and it looked like the two entries were gone after the reboot. However, right before I went to reply I checked just to make sure and the entries were back. It must have been 3-4 minutes after the reboot.

Here are the logs.
Attached Files
File Type: log hijackthis.log (11.0 KB, 0 views)
File Type: txt FixWareout.txt (2.8 KB, 2 views)
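
Added example, not part of the original thread: a Python sketch that parses the O17 lines of successive HijackThis logs and reports NameServer values that were removed in one scan and are present again in a later one, which is the pattern reported in the posts above. The 192.0.2.53 resolver, its GUID and the three-scan sequence are constructed for illustration; the known-good resolver list is an assumption the owner would supply.

```python
import ipaddress
import re

# One O17 line: control set, interface GUID, then the NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Return a set of (control_set, interface_guid, nameserver) tuples."""
    found = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an IP literal, ignore
            found.add((m["cset"], m["guid"].upper(), str(ip)))
    return found

def unexpected(entries, expected_resolvers):
    """Entries whose resolver is not in the owner's known-good list (assumed)."""
    allowed = {str(ipaddress.ip_address(r)) for r in expected_resolvers}
    return {e for e in entries if e[2] not in allowed}

def reappeared(scans):
    """Entries missing from one scan but present in a later one."""
    seen, gone, back = set(), set(), set()
    for log_text in scans:
        current = parse_o17(log_text)
        back |= current & gone
        gone = (gone | (seen - current)) - current
        seen |= current
    return back

# Constructed sample scans. The two BAD lines are the ones quoted in the
# thread; the 192.0.2.53 line and its GUID are made up for the example.
GOOD = r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53"
BAD = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21"""
SCANS = [GOOD + "\n" + BAD, GOOD, GOOD + "\n" + BAD]  # before fix, after fix, after reboot

if __name__ == "__main__":
    for entry in sorted(unexpected(reappeared(SCANS), ["192.0.2.53"])):
        print("re-added after removal:", entry)
```

An entry that comes back after being fixed means something on the machine or the network is still writing the value, so the logs alone do not say which.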
  #31  
Old 03-07-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,048 posts
I have requested help on this one
  #32  
Old 03-08-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Do you use the services of ukrtelegroup (please see HERE)? If you do, those 017 entries are legitimate.
  #33  
Old 03-08-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
Thanks Blind Dragon!

Momok - I've never seen ukrtelegroup before.
  #34  
Old 03-16-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Quote:
I received an error message at the command prompt when I tried to enter that command:
"Could not flush the DNS Resolver Cache: Function failed during execution."

I did run FixWareout again and CCleaner and it looked like the two entries were gone after the reboot. However, right before I went to reply I checked just to make sure and the entries were back. It must have been 3-4 minutes after the reboot.
Did this occur just as you went online? Could I have a HijackThis log and Combofix log just to be sure too, since two weeks have lapsed?

from ukrtelegroup:
Quote:
We are dedicated to providing the highest quality domain hosting service and support to our clients
Just to be doubly sure, you/anyone in the family/workgroup/office do not use such web hosting services?

Last edited by momok; 03-16-2008 at 03:26 AM..
  #35  
Old 03-16-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
This occurred when I followed these instructions:

Go to start -> all programs -> accessories -> command prompt
At the command prompt type => ipconfig /flushdns
Close the command prompt

My version of Combofix had expired and I wasn't sure how to get the new one.

As far as ukrtelegroup goes, I am the only person using this computer and I've never used it or any other domain hosting service for that matter.
My latest HJT is attached.
Attached Files
File Type: log hijackthis.log (11.0 KB, 1 views)
  #36  
Old 03-17-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Please download Deckard's System Scanner from HERE.

You may wish to copy and paste these instructions on notepad for easier reference later.
  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE
  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21

    Close HJT.
  4. Run Deckard's System Scanner

  5. Reboot into normal mode and rehide your protected OS files.
Please post the resultant logs in your next reply.


Regards,
momok =)

This thread is for the use of jjdb5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  #37  
Old 03-18-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
Thanks Momok.
Here is the DSS log
Attached Files
File Type: txt main.txt (19.4 KB, 1 views)
  #38  
Old 03-18-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.
  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Spykiller < Generally not recommended as it has had a history of having dubious repute. There are plenty of better options out there anyway.

  4. Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\sysupd.exe
    C:\Program Files\SpyKiller
  5. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post a fresh log as attachment into this thread.


Regards,
momok =)


Last edited by momok; 03-18-2008 at 06:56 AM..
  #39  
Old 03-18-2008
Newcomer, in training
 
Member since: Mar 2008, 23 posts
I followed these instructions but Spykiller was not listed in my Programs and the files in bold were not anywhere to be found either.

I've posted a new HJT and it looks like those 017 entries have re-appeared.
Attached Files
File Type: log hijackthis.log (11.1 KB, 2 views)
  #40  
Old 03-19-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Sorry I need a fresh DSS log too. I'm not sure how and why the O17 entries are coming back. Perhaps I'll have to direct you to some other sites where several experts specialise in dealing with these issues.