Status
Not open for further replies.
After I followed the directions at the command prompt and ran HJT in safe mode those three entries were already not listed.

However, when I rebooted in normal mode, the O17 entries appeared but the O23 remained missing.

I checked off and fixed the two O17 entries and here is the latest and greatest HJT log.
 
The log looks fine to me now as long as those O17 entries don't come back. I am going to ask for a 2nd opinion just to be sure. While we wait, a new Java update just came out yesterday and you can update this one through the console. Also, I may see one more thing in there: what brand of computer are you running, HP or DELL?

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
 
I installed the new version of Java - thanks.
Also I have a Dell system and an HP printer.

I ran another HJT and those O17 entries do keep reappearing. It lets me delete them but they come right back. The log is attached.
 
Now that we have system restore off, let's try this again.

FixWareOut
Run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries

* HijackThis should launch automatically
* Click on the Scan button
* Put a check beside all of the items listed below (if present):

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21



* Close all open windows and browsers/email, etc...
* Click on the "Fix Checked" button
* When completed, close the application.
-----------------------------------------------------------------------------------------------------
Go to start -> all programs -> accessories -> command prompt
At the command prompt type => ipconfig /flushdns
Close the command prompt
--------------------------------------------------------------------------------------------------------
Run Ccleaner again
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option; this should be unticked)
  • Click the run cleaner button. Do this several times
  • Click the registry icon on the left-hand side -> scan for problems
  • Have it fix whatever it finds
------------------------------------------------------------------------------------------------------------

Restart your computer, run a fresh scan with HijackThis, and let's see if they are still there. If they are, I must be missing something and will ask for a fresh look at the logs from somebody else.
 
I received an error message at the command prompt when I tried to enter that command:
"Could not flush the DNS Resolver Cache: Function failed during execution."

I did run FixWareout again and CCleaner and it looked like the two entries were gone after the reboot. However, right before I went to reply I checked just to make sure and the entries were back. It must have been 3-4 minutes after the reboot.

Here are the logs.
 
Hi,

Do you use the services of ukrtelegroup (please see HERE)? If you do, those O17 entries are legitimate.
 
Hi,

I received an error message at the command prompt when I tried to enter that command:
"Could not flush the DNS Resolver Cache: Function failed during execution."

I did run FixWareout again and CCleaner and it looked like the two entries were gone after the reboot. However, right before I went to reply I checked just to make sure and the entries were back. It must have been 3-4 minutes after the reboot.

Did this occur just as you went online? Could I have a HijackThis log and Combofix log just to be sure too, since two weeks have lapsed?

From ukrtelegroup:
"We are dedicated to providing the highest quality domain hosting service and support to our clients"

Just to be doubly sure, you/anyone in the family/workgroup/office do not use such web hosting services?
 
This occurred when I followed these instructions:

Go to start -> all programs -> accessories -> command prompt
At the command prompt type => ipconfig /flushdns
Close the command prompt

My version of Combofix had expired and I wasn't sure how to get the new one.

As far as ukrtelegroup goes, I am the only person using this computer and I've never used it or any other domain hosting service for that matter.
My latest HJT is attached.
 
Hi,

Please download Deckard's System Scanner from HERE.

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE
  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21

    Close HJT.
  4. Run Deckard's System Scanner

  5. Reboot into normal mode and rehide your protected OS files.
Please post the resultant logs in your next reply.


Regards,
momok =)

This thread is for the use of jjdb5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
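
A log-review check for the O17 lines discussed in this thread, added here as an example (not code posted by any participant and not part of HijackThis): it parses the per-interface NameServer entries and reports resolvers outside the networks you expect, along with the control sets (CCS, CS1) that carry them. The expected-network list and the third sample line are assumptions.

```python
import ipaddress
import re

# Matches the per-interface O17 form quoted in the thread.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)

# Assumption: a home network whose resolver is the local router, so only
# private (RFC 1918) addresses are expected. Add your ISP's resolvers here.
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_o17(log_text):
    """Yield (control_set, interface_guid, [server, ...]) per O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[ ,]+", m["servers"].strip()) if s]
            yield m["cset"], m["guid"], servers

def unexpected_nameservers(log_text, expected=EXPECTED_NETWORKS):
    """Return {interface_guid: {ip: [control sets]}} for resolvers outside `expected`."""
    findings = {}
    for cset, guid, servers in parse_o17(log_text):
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                continue  # skip values that are not IP literals
            if not any(addr in net for net in expected):
                findings.setdefault(guid, {}).setdefault(s, set()).add(cset)
    return {g: {ip: sorted(cs) for ip, cs in ips.items()}
            for g, ips in findings.items()}

# The first two lines are the entries quoted in the thread; the third is constructed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for guid, ips in unexpected_nameservers(SAMPLE_LOG).items():
        for ip, csets in ips.items():
            print(f"{guid}: {ip} set in {', '.join(csets)}")
```

Running the same check on logs taken before and after each reboot shows whether a fixed value has been rewritten and in which control set.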
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Spykiller < Generally not recommended as it has had a history of having dubious repute. There are plenty of better options out there anyway.

  4. Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\sysupd.exe
    C:\Program Files\SpyKiller
  5. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post a fresh log as attachment into this thread.


Regards,
momok =)

This thread is for the use of jjdb5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I followed these instructions but Spykiller was not listed in my Programs and the files in bold were not anywhere to be found either.

I've posted a new HJT and it looks like those O17 entries have re-appeared.
 
Hi,

Sorry I need a fresh DSS log too. I'm not sure how and why the O17 entries are coming back. Perhaps I'll have to direct you to some other sites where several experts specialise in dealing with these issues.
 
Here is the fresh DSS. I'm not too worried about those entries; my original problem has been fixed and my system seems to be working better.
 