PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] Can not login to anything. Anybody have ideas on how to fix? Thanks!

#25 | 08-11-2005 | merlin (Trusted Security Analyst)
Re: Can not login to anything. Anybody have ideas on how to fix? Thanks!

OK now what I want you to do is

First:
Please download Ewido; it is a trial version of the program.

Install ewido security suite

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido; there should be an icon on your desktop, double-click it.

The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update

Then click on Start Update

Once the updates are installed do the following:

Click on scanner

Click on Complete System Scan and the scan will begin.

While the scan is in progress you will be prompted to clean files, click OK

When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report.

Save the report .txt file to your desktop.


Now close ewido security suite.

Reboot and post a new log please.


__________________
QuickTime Alternative..Hijackthis..SpeedFan..ATI Tool..Whats Running..Everest..Absolute Control..All Drivers
If you feel we saved you some money please help support this site by DONATING as this site is funded by great people like you

OUT FOR LUNCH


#26 | 08-11-2005 | merlin (Trusted Security Analyst)
Re: Can not login to anything. Anybody have ideas on how to fix? Thanks!

Did you do the fixes and download ewido yet and run it?




#27 | 08-11-2005 | ladygreenwitch (Elite Member)
Re: HiJack This! Logs

:-D Hey Merlin,

I just read your post at the other location and was writing to tell you it was here, I took a look at patti's HJT log, here's what I found with a couple of ?s for you

T,



C:\WINDOWS\system32\mfcnx.exe Trojan Loader Downloader Agent BF,? MS AVG can Fix

C:\WINDOWS\system32\winrw32.exe Worm
info at http://www.sophos.com/virusinfo/anal...2agobotrw.html
Can this be fixed w/ ewido?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
CWS extremely virulent (expected to see multiple RunOnce entries, perhaps cleaned in previous attempt)
O2 - BHO: Class - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll

O4 - HKLM\..\Run: [mfcnx.exe] C:\WINDOWS\system32\mfcnx.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Merlin, you know all about HPs, why are there HP systems on a Dell PC or vice versa?
O4 -Global Startup: hpoddt01.exe.lnk = ?

O23 - Service: Workstation NetLogon Service ( 11F?? #????`I) - Unknown owner - C:\WINDOWS\system32\winrw32.exe


#28 | 08-11-2005 | merlin (Trusted Security Analyst)
Re: HiJack This! Logs

Tj good job .... Yes Ewido will clean a lot, can't tell yet what it all cleans as it is new... I do know it won't clean up the worm... that's why I posted the fix... it's easier to go directly to the source in the registry to get rid of the worm, that way we can see what else it gets rid of and what it is not connected to? If you don't understand me don't worry, as I am not looking at the screen as I am typing :-D

As for the Dell thing, she can turn it off and save a lot of RAM :-D... But I ask at the end of a log if they want to mess with services.

Here is for your services (services.exe)
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.




#29 | 08-11-2005 | joe5 (Elite Member)
Re: Can not login to anything. Anybody have ideas on how to fix? Thanks!



I merged and cleaned up the 2 topics and also removed the services.exe comment from T's post. (Could be dangerous if Conversee would "fix" it before she saw Merlin's reply.)


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#30 | 08-11-2005 | joe5 (Elite Member)
Re: Can not login to anything. Anybody have ideas on how to fix? Thanks!

OK, let's see if we can get it all at once.

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download about:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.
(if you need instructions in setting up Ewido , look 5 posts up at Merlin's post)

Show hidden files and folders:


For XP:

1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
4. If you see a warning message, click Yes.
5. Click Apply.
6. Click OK.


Then disable system restore to prevent re-infection.
(if you have/use it.)
(you can turn it back on when your PC is clean).


How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Then go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 11F??#????`I. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Open HJT and click config > misc tools > "delete an NT service"
Copy and paste: 11F??#????`I
Click OK and close hjt.


Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager Ctrl-Alt-Del and end these processes if they are present

mfcnx.exe
winrw32.exe


Now find and delete these files, if you can't find one then don't worry.. just move on to the next one.

C:\WINDOWS\system32\fysti.dll
C:\WINDOWS\msue32.dll
C:\WINDOWS\system32\mfcnx.exe
C:\WINDOWS\system32\winrw32.exe
C:\WINDOWS\hpoddt01.exe


Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked' (if still present)

C:\WINDOWS\system32\mfcnx.exe
C:\WINDOWS\system32\winrw32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [mfcnx.exe] C:\WINDOWS\system32\mfcnx.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Workstation NetLogon Service ( 11F??#????`I) - Unknown owner - C:\WINDOWS\system32\winrw32.exe


The following step is important as you may have several malware files in your temp directories.

empty the C:\windows\prefetch folder,
empty the C:\windows\temp folder,
empty the C:\Documents and Settings\Administrator\Local Settings\Temp folder,
empty the C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files folder EXCEPT the content.ie5 folder (may be hidden).
(replace administrator with your user name) and (replace windows with winnt if needed)

And close all instances of IE and OE, then go to: Control Panel / Internet Options / General tab,
Click the "Delete Files" button.
When prompted place a check in: "Delete all offline content", click OK. This removes the junk files such as downloaded files,
zero byte files created by Outlook Express and many other hidden files that reside in your cache.

Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

Now reboot, and run hijackthis again and post a fresh log along with the about buster log and the Ewido log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
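
The by-eye log triage in posts #27 and #30, as an added example (not part of the original thread and not HijackThis code): a Python script that parses HijackThis entries by section code and flags three patterns seen in this log. The function names and the three rules are assumptions of this example, and the sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fysti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O23 - Service: Workstation NetLogon Service ( 11F??#????`I) - Unknown owner - C:\WINDOWS\system32\winrw32.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2})\s*-\s*(.*)$")  # e.g. "O23 - Service: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"*?<>|/]+?\.(?:exe|dll|htm)", re.I)

# Hypothetical heuristics (assumptions of this example, not HijackThis rules):
# (sections the rule applies to, lowercase substring to look for, reason shown)
RULES = [
    (("R0", "R1"), "res://", "IE page setting served from a local DLL resource"),
    (("O23",), "unknown owner", "service whose owner HijackThis could not identify"),
    (("O2", "O3", "O9"), "(no file)", "registry entry left pointing at a missing file"),
]

def triage(log_text):
    """Return (section, reason, paths) for every entry that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # log header, blank lines, analyst comments
        section, body = m.groups()
        for sections, needle, reason in RULES:
            if section in sections and needle in body.lower():
                findings.append((section, reason, PATH_RE.findall(body)))
                break
    return findings

def files_to_review(findings):
    """Unique, case-folded file paths named by the flagged entries."""
    return sorted({p.lower() for _, _, paths in findings for p in paths})

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, paths in found:
        print(f"{section:<4}{reason}: {', '.join(paths) or '-'}")
    print("Check these files:", files_to_review(found))
```

Entries such as the O2 BHO for msue32.dll and the O4 Run key for mfcnx.exe match none of these three rules; they still need the manual review shown in the posts above.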

