Virus, Posting for Help and Direction


nebgranny
07-23-2005, 09:01 AM
Well, my computer has been acting up for a while now. Thought the problem happened when I ordered more memory and Gateway sent the wrong chip..Imagine That!! At install it made my computer run and not stop.

However, now I find after all this time I have the Trojan Horse Dialer 17 E on here. I had no idea it was found, but looked in the Vault and there it was. :bawling:

I know this is a photo site, but I have come to trust :classic: the people here and believe I will be led in the right direction for help. If this is not an appropriate post for here, maybe someone can direct me for some help. I am a senior citizen and know a little about computers but this is just not something I know about to relieve the problem.

Also I have Microsoft 2003 and it will not work properly either!! The program does not respond, and when I try to end it the end task effort does nothing. Can someone kindly help me or send me in the right direction. I would be so pleased to have any help possible. Thanks Neb

Gary Richardson
07-23-2005, 09:19 AM
Hi Neb,

First of all, have you got AdAware and Spybot S&D, if not, then download them from here.
http://www.lavasoft.de/
http://spybot.safer-networking.de/en/download/index.html

Once you have downloaded and installed them, you MUST update them for the newest definitions.

Now run a FULL scan with both of them. When you finish a scan with one, REBOOT before running the scan with the other, THEN REBOOT AGAIN.

Often, some Malware can only be removed on Bootup.

Also Update your AntiVirus and run a Scan, again REBOOT after the scan.

If you're still having problems, post again, and I'll go through what you need to try next.

Best of luck,

Gary.

nebgranny
07-23-2005, 09:48 AM
Thanks Gary:
I have Ad Aware, ran a scan and nothing there. I also have Spy Doctor, and Spy Blaster. I run AVG antivirus and all clean there.

Now it was today when I was looking closer at AVG that I saw the Quarantine Vault and that is where the Trojan is and it says not healed or something like that.

I know I got SpyDoctor AFTER the date the Trojan was found. So maybe that is why I have this virus. I have been having problems with dialing into my provider, and now when I go to get my e-mail I get booted off totally??

So, will wait for you to post what you think I might need to do now. Thanks Neb

Gary Richardson
07-23-2005, 03:03 PM
Hi Neb, if the Virus is in the "Virus Vault", it has been Quarantined, and is therefore safe.

Sometimes it isn't possible to remove a virus without damaging your Operating System, in such cases the Anti Virus Program will encrypt the virus in such a way that it cannot operate.

Did your E-mail problem start when you installed AVG, and do you use Outlook Express as your E-mail client ?

If so, you will have to either turn off the E-mail scanner for AVG (easiest but least secure option) or manually configure the E-mail filter (complex, but I can guide you through it).

What kind of Internet connection do you have, and in what way does it fail to operate ?

As a quick test, to see if it is AVG causing your E-mail problems, do the following.

Open AVG, Click on "Control Centre", Click on "E-mail Scanner" then Click on the "Properties" tab at the bottom of the window.

Now another window will open, click on "Disable Plugin" then click "OK".

This has disabled your E-mail scanner, try your E-mail now, and let me know what happens.

Best of luck,

Gary.

greatguy
07-23-2005, 03:29 PM
Gary has good advice, you may also want to turn off your "system restore" (Control Panel - System - System Restore - turn off) to prevent Windows from reinstalling a file it can no longer find.

nebgranny
07-23-2005, 03:51 PM
OK. I already had the e-mail scanner disabled, Gary. Was having problems once before and so did it then and it began to work.
Did the system restore as well. Thanks to you both.

Now I just downloaded RegistryFix, have either of you heard of it? It found 505 problems. I am not sure, but it said free scan, so I bet I need to buy it and will not be able to. My friend said not to fool around with the registry, and that I may lose all my files, and I have not backed them up, as.. well.. hate to admit it but my old computer came with CD Creator and I loved it.. but this one has Nero and I do not know how to use it, and I tried and all that happened is that I got a bunch of Nero Icons on the CD. So have not tried it since. OH MY... Neb :scared:

Sanda
07-23-2005, 04:49 PM
If you are still having problems with your computer there is an excellent site which gives good advice. www.suggestafix.com I've used it many times for computer help.
Sanda

JustChecking
07-23-2005, 05:28 PM
No advice, but one recommendation here - try avast! antivirus ( http://www.avast.com/ ), it's among the best you can get [well, as well as AVG, it's a Czech program :D ], and it's a regular winner of the "100% Virus Bulletin award" (a prize awarded for detecting all ItW viruses (i.e. viruses known to be 'in the wild') in the test); the home edition is free, you just have to register...

nebgranny
07-23-2005, 05:39 PM
Thanks Sanda. :thumbsup:
I am pulling the site up now. Neb

PS: Looked at your site.. nice work and nice site!! :classic:

greatguy
07-23-2005, 06:18 PM
Just one more word of caution, since you had a dialer on your system and you are using a dialup connection - you are set up for a big disaster - especially if you are periodically losing your connection. You may still have the dialer (or another one) and it is dropping your connection to dial an overseas 900 number - some of these numbers charge several hundred dollars a minute. Believe me, I know first hand from an experience several years ago and got the shock of my life when I received my phone bill. I was only able to get the charges cut in half but not eliminated. Funny thing is you can get voice 900 calls blocked but not data 900 calls. You might want to check out your network folder and see if there are any connections that you did not create. Also, go to Start - Run and type "msconfig" then go to the Startup tab. Look down the list to see if there are any programs starting that you do not want to start (you can usually tell by the path what programs the entries control); if so uncheck them. Don't worry too much about unchecking these entries - if something doesn't work after you reboot just go back in and check the entry again. Anyway, hopefully your problem is not another dialer but I just wanted you to be aware of what could happen.

nebgranny
07-23-2005, 09:41 PM
OMGosh. :aghast: Well HELP please. Where is my network folder? How do I find it? Better look now. Thanks and please hang with me!!

greatguy
07-23-2005, 09:58 PM
Go to your Control Panel and choose Network Connections - if you are using dialup you should have an entry in there for that provider - you can open them up to see what phone number they are dialing and to make sure it is the one it is supposed to be.

nebgranny
07-23-2005, 10:02 PM
Found my network folder, there are two dialers there, both my ISP name and number.. this ok?? Neb :scared:

Gary Richardson
07-24-2005, 01:14 AM
Hi Neb,

If you have disabled your System Restore, RE-ENABLE IT AT ONCE. If you have a problem now, it will not be possible for you to recover from it.

As you have disabled it, it will have cleared out all your restore points, so if there was any malware it will now be gone. Re-enabling it means it will create a new Restore Point automatically. Even if this is infected, better to have an infected point you can restore to, than no point at all.

You can find instructions on how to enable and re-enable System Restore here: Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable System Restore with the instructions from the tutorial above.

It is not likely that running a Registry Fix will resolve your problems, also, your friend is right, it is not a good idea to change anything in your system registry without first doing a Registry Backup.

The easiest way to do this, is to create a System Restore Point. To do this, Click on Start/All Programs/Accessories/System Tools/System Restore then check Create a Restore Point click the Next button, Now type a Name into the box (it adds date automatically) and click the Create button.

Gary Richardson
07-24-2005, 01:42 AM
You may have malware that your scanners are not picking up.

First you need to download Hijack This from here: Download Link (http://www.merijn.org/files/hijackthis.zip)
to a location on your computer where you can find it. I recommend you create a New Folder C:\Hijack This

It is important you unzip it into this folder for the following reasons.

1. If you run it from its Zip File, the program cannot create backups, which may be needed if mistakes are made.
2. If you put it in a Temp File, HJT and the backups may get deleted if it's needed to clear out your Temp Files as part of the cure.

Once it is located, Navigate to the folder using Windows Explorer or My Computer, and double click on HijackThis.exe..

When it's opened for the first time you'll get a startup screen.
Click on Don’t show this frame again when I start Hijack This then
Click on None of the above just start the program.

Before your first scan, we need to check the configuration.
Click on the Config button in the bottom right hand corner.
Now confirm the following are checked.

Make backups before fixing items
Confirm fixing & ignoring of items (safe mode)
Include list of running processes in logfiles

The other items should be unchecked.

Click the Back button to return to the Scan page.


Click on the Scan button, and wait for the scan to finish (this may take some time depending on the number of items in your log).

When finished, the Scan button will turn into a Save Log button; click on this and save the log (by default to the same folder that HijackThis.exe is in).

To paste it into a Forum, do the following.

Navigate to your Hijack This folder, double click on the hijackthis.log file, a text document will now be open on your screen. Click on Edit/ Select All, then Edit/Copy, then open the Posting Screen on the Forum, right click in the screen, and click on Paste. The text should now be in the message. Press Submit.

If you post a HJT log here, I'll have a look at it, and I'll be able to tell you if you need to seek expert advice.

DO NOT ATTEMPT TO FIX ANYTHING WITH HJT, NO MATTER WHAT ADVICE YOU ARE GIVEN BY OTHERS, HJT CAN DO IRREPARABLE HARM TO YOUR COMPUTER IF NOT USED WITH EXPERT GUIDANCE.

nebgranny
07-24-2005, 02:20 PM
Hi Gary, greatguy, and others. Thank you so much for taking the time to post help suggestions.

This is just too much for a novice like me. I am just going to backup all my files and do a complete restoration. :bawling:

I do have Nero and do not know how to use it. I tried once and all I got was a bunch of Nero Icons with nothing in them???

If you have any suggestions or want to post a how to please feel free to ok?

Thanks for everything!! NEB :classic:

T Paul
07-24-2005, 03:18 PM
Not sure what version of Nero that you have, but these tutorials may help

Nero Tutorials (http://ww2.nero.com/enu/Tutorials_Express_6_Create_a_data_CD_DVD.html)

Ahead Nero Instructions for Burning a Data CD (http://helpdesk.alfred.edu/nero.htm)

How to use Nero Express to create a data CD to backup your files (http://asp2.wlv.ac.uk/its/website/selfhelp/help/nero/help_with_nero.asp)

Cameraken
11-16-2005, 02:59 PM
A friend rang me last Week and asked for help. His XP computer is infected with

Trojan Startup Nameshifter A

I am going over at weekend to try to help him.

I have read this thread and prepared a CD containing the latest versions of

Adaware
Spybot
Avast
Hijack This
WinsockFix
MultiAv
Stinger
Trend Sysclean Package and pattern
KaSx Kaspersky

I have used all these programs before.

The trouble is I can find no info on this Trojan. Is anybody familiar with this or have a removal tool or procedure. I have searched but can find no info.
I did find a little on Trojan Startup Nameshifter EW/wingu/EZ but I don’t know if this is similar.

Should I take any other programs? I don’t know if my friend has internet access.

Ken

twinkissed
11-16-2005, 03:54 PM
I just had my computer guy who is a long time trusted friend tell me that he is now using Spy Sweeper besides Adaware and Spybot and he thinks it's better because when he ran the other two they only found 4 things and spy sweeper found 116 and 3 of them were trojans. That's what he told me to get anyways.

Panpan
11-16-2005, 06:43 PM
Here (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094805) is some information on NameShifter.

Pierre

Cameraken
11-16-2005, 07:46 PM
Thanks Twinkissed

I found it here
http://www.webroot.com/consumer/products/spysweeper

There is a free online scanner.



Thanks Pierre.

I found info on Trojan.Startup.Nameshifter.XXX

Are they all the same?

Ken

rondon
11-16-2005, 09:50 PM
I quit running any virus protection other than "mailwasher" and I've taken steps to keep my address book from being hijacked.

I've been able to quit worrying about viruses by building a really current restore point and whenever I suspect a problem I just return to my restore point.

I keep very little on My C: partition to lose... favorites, addresses and e-mails can be saved on the other Partition or hard drive when needed.

Windows XP and I think Win/ME have RESTORE programs built in and are worth getting familiar with.. I use Win2000 Pro and a little program that came with my motherboard called RestoreIt.....

http://www.farstone.com/home/ensite/products/restoreit.shtml

requirements
CPU: Intel Pentium 133 or higher
RAM: 256MB or more
Hard Drive: 400MB free space for the program and partition
Operating Systems: Windows 2000 and XP platforms for desktops and laptops
RAID Support: RAID 0/1.... I have installed it on hard drives without RAID Support

-----------------------------------------

I've used the built in XP restore Program to build the same recovery protection on a couple of computers.

The key to making this an acceptable method is returning to the restore point before before making permanent changes and then creating another.

I usually make the new restore point a temporary one for a few days while I check for problems before making it permanent... windows XP allows more freedom there it seemed .

Not a plan for everyone for sure but once in place all problems go away with a mouse click.

Gary Richardson
11-17-2005, 04:12 AM
Webroot Spysweeper also has a free 14 day trial copy you can download, available from http://www.webroot.com/consumer/downloads/?WRSID=e78f336cee06e1c0259941ba8e8052f1

The trojan your friend has is often tied to the Vundo (Virtumundo Trojan), or Apropos infections.

You would be well advised to run a copy of HijackThis on his computer, then post a copy of his log to one of the following forums for analysis.

http://spywarewarrior.com/index.php
http://castlecops.com/forums.html
http://www.spywareinfo.com/tempforum/index.php?act=idx
http://forum.malwareremoval.com/profile.php?mode=register&sid=7b5761e87384ab38f6610a8387960061

These are serious infections, and can be very difficult to remove. Often auto tools do not do a very good job of totally cleaning a system, and re-infection can occur.

Apropos in particular comes with a rootkit, and this can only be removed using specialist tools. (Sometimes not even then).

HJT available from http://www.merijn.org/files/hijackthis.zip

Good luck,

Gary

chrishoggy
11-17-2005, 04:57 AM
I quit running any virus protection other than "mailwasher" and I've taken steps to keep my address book from being hijacked.
:scared: :scared: :scared:
That is a very poor method, and in reality gives no protection at all :scared:
If you have a dormant virus within your file system, you will be restoring the virus as well as the Windows :scared: There are also viruses/worms out there that can rewrite themselves into the system as you run the restore point procedure. By saving files to another drive or partition, it does not make them safe. In fact the viruses can spread to any drive or partition within the system, so they may be reinfecting your Windows.
Anti virus software is free and all over the net, so I would advise getting some protection back on your system.

rondon
11-17-2005, 05:37 AM
Not a plan for everyone for sure

A lot of people don't get it... but no.. there are no viruses built into the permanent restore points.

By always returning to the restore point before making changes (and creating a new restore point when finished) the system hasn't been exposed to the net.

Just think of formatting the HDD then sitting down and installing windows, all software, preferences and other tweaks all at one time without ever going online before making that restore point.. In effect that is what is accomplished by always returning to the restore point before making changes.

That said, I did go online once to download and install service pack#4 for win2000... but... after doing that I 1st made a new restore point then went to trend micro's "house call" ran their scan for viruses..... found none... and then returned to the restore point I made before running the scan.. which means all traces of going back online for the House call scan were also removed..

It's tricky! and you have to be dedicated to returning to the restore point before making changes but it does work..

Another advantage I find is that I have no fear of installing trial software.. things I may not want.. or full versions of software until I decide which portions are actually useful.

I've heard there are viruses that cross over partitions but I've never had one and I've been tweaking this restore point idea for nearly a year with no problem at all.. As a precaution I have made backup DVD's.

If anyone does try this I've found it interesting and learn little tricks to make it easier... like starting a list of all the little things to be added next time I make a major change... for instance one was to be signed in here.. another was to open all my photo files with the PhotoShop browser so that thumbnails were made.. I made a few stationeries to choose from in Outlook Express and so on.

I even have a shortcut to the "list" on my desktop.. the actual list is kept on the other partition so that when I use the restore point the shortcut brings up the current "list".. whoever that makes sense to will have little problem using this method.

Besides virus protection the speed enjoyed after restoring makes it worthwhile.. I have about 3 gigs of windows and software installed and defragged when I return and the machine runs quick... none of the debris.

chrishoggy
11-17-2005, 07:21 AM
Fair enough, but as a Microsoft Registered Partner and IT adviser, I wouldn't recommend it :wink: If you are happy with how it works for you, then thats OK for you. But as a general/possible alternative to Anti-virus protection, it wouldn't give the cover needed for people using the net on a day to day basis.
One worm/virus that is flying all over at the moment is Linux.Plupii. It is exploiting Linux based web servers all over the world, and has attempted to get to my Windows based server many times. I have security in place that not only told me of the attack, but also told me when and where it came from. If the host of this site was hit by it, the hacker would be able to change scripts within this site and infect members (without anti-virus protection) with any number of viruses/Trojans/worms etc.
I have just had to inform an IT college in Bathurst, Sydney (Au) that their system has been hit by it, and they are at risk of infecting users of their site and server. Not to mention the fact that until they patch their system and reinstall everything from scratch, it is constantly trying to search out other web servers to infect (mine being one of them). Neither their head of department nor IT manager were aware of the infection and they had no signs of it from their server logs or scans, but sure enough it was there.

PS: wasn't having a go at what you said, just didn't want to let people think they could drop anti-virus and use that method as a replacement :bow: :bigthmb:

rondon
11-17-2005, 07:52 AM
That's more of a rave about your skills...

I am on the net 15-20 hrs a day... On A phone line, I mention that as those virus protection programs have a more noticeable slowdown effect on those of us trying to keep up with the increasing demand for more speed on the WWW.

Before developing this technique for utilizing restore points I was accustomed to formatting and reinstalling everything on Partition C: ... to get rid of bugs and glitches. I had gotten good at it and kept most of the needed installs on another Partition to accelerate things but it was still drudgery.

This does all that but much more thoroughly.. No forgotten tweaks. and it all happens with a click of the mouse and a leisurely trip to the kitchen for a coffee refill.

It's not high tech.. I find it interesting and I simply offered it as an alternative... those who embrace the offerings of virus protection software won't have paid this advice any notice.. It's for the others..

chrishoggy
11-17-2005, 08:12 AM
Don't be such a Know it all
That's more of a rave about your skills...
Legend in your own mind?

There was no need for any of that :mad: ?????????????????
I've given people/you my advice/opinion, take it or leave it. The choice is theirs/yours to make.
I won't bother giving IT advice again on here, as it seems it is not appreciated :confused: :confused: :confused: :wavey:

rondon
11-17-2005, 08:21 AM
Have you forgotten your opening salvo?

That is a very poor method, and in reality gives no protection at all

I'm sure you are offering worthwhile advice .. but be careful of your critiques of other's ..

chrishoggy
11-17-2005, 08:41 AM
I stand by that statement 100%.
Did you forget this part.
PS: wasn't having a go at what you said, just didn't want to let people think they could drop anti-virus and use that method as a replacement

End of discussion

rondon
11-17-2005, 09:26 AM
I'm dismissed am I?

Some people can get rid of anti-virus protection. Some people would like to ride bareback through the Valley of evil.

I've been running partitions for more than 5 years without a problem... It's the use of restore points that is relatively new to me. There is more to it than first appearance.

I don't think I was alone when I was using the old formatting C: (only) technique.. even among those running protection, and I think I was a late comer on the system restoration scene.

Even after I started using the restore point there were always many forgotten utilities... for instance FTP .. I seldom used it, so it was seldom in place when I needed it. Making a simple transfer a bit more difficult.

From these minor annoyances grew the idea of a restore point with everything in place.

I'm sure the idea has crossed many minds... my notice here is for those whose hasn't.... and to confirm to that it works for those considering it.

chrishoggy
11-17-2005, 10:54 AM
These links may help some members.


http://support.microsoft.com/Default.aspx?kbid=831829

http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

http://www.microsoft.com/uk/businesscentral/issues/sgc/checklist/step1.mspx

http://www.microsoft.com/uk/businesscentral/themes/email/article2.mspx

And for those running Windows XP SP2 only, check your full system on the link below
http://safety.live.com/site/en-US/default.htm

Also see this item on system restore.
http://www.computing.net/windowsme/wwwboard/forum/45340.html

rondon
11-17-2005, 12:40 PM
Your link on restoration is for Win/ME only.. misleading to anyone trying to figure out what we are talking about...

RestoreIt (http://www.farstone.com/home/ensite/products/restoreit.shtml) simply copies everything on the hard drive... then when needed formats the hard drive and re-installs the system exactly as it was when the restore point was created..

This is a viable alternative to security.. or for that matter could be used with security.. although that might be more difficult given the numerous updates needed by virus protection.

Running around the Web exposed as I am, my computer has been hijacked.. more so recently but usually after I have downloaded something large. I'll notice that my modem is sending when it shouldn't be..

If the download was something I want to keep I move it to the other partition (no problem so far) and then use the restore point.
Occasional virus scans at Trend Micro show all partitions clear.

Gary Richardson
11-17-2005, 12:41 PM
In the case of an infection with a kernel mode rootkit, doing a system restore will not remove the Malware.

System Restore only applies to User Mode, and does not affect your kernel structure, which has been modified by the infection to make detection or removal of the infection very difficult (and often impossible).

So Rondon, your method may work well generally, but does not provide protection against some of the more recent infections which are currently doing the rounds, and which are becoming more and more common. (At least 3 worms currently active carry a rootkit).

rondon
11-17-2005, 12:55 PM
Well Gary.. maybe!.. I'm not enough of a techie to understand where the kernel structure dwells..
below is from the RestoreIt Page
-------------------------------
RestoreIT resides between the system BIOS of a PC and its operating system. During installation, the software creates a hidden partition where it saves complete (static) and partial (incremental) restore points. Unlike other data backup utilities, RestoreIT enables both file-level recovery, allowing you to undo changes to a personal file by returning it to an incremental backup point, and system recovery, which restores every file on a hard drive to a chosen static backup point.
-----------------------------------------
Is the kernel structure part of the BIOS?

chrishoggy
11-17-2005, 01:02 PM
System restore in any windows OS (ME, 2000 Pro or XP etc) only restores the files it monitors. If you have a virus located in My documents folder for example, system restore will NOT touch it as it is user data. The same goes for any other folders or data files classed by system restore as user data (created by the user). This can be downloads or any file type for that matter.
Viruses worked round the system restore program within days of Microsoft introducing it years ago when ME was released.
RestoreIT works the same way as the Packard Bell recovery system, by using a hidden partition on the drive. Both are still open to virus attack/corruption, and by saving files to another partition you are wiping out any work done by RestoreIT.

rondon
11-17-2005, 02:00 PM
System restore in any windows OS (ME, 2000 Pro or XP etc) only restores the files it monitors.
well this brings us to where our thoughts differ...

With Windows XP I thought I had made restore points as deep into the system as RestoreIt goes..
The computer isn't here or anything with windowsXP on it so I can't go take a look. but I do know this. I used the factory restore point on that computer... installed all the software wanted, set the preferences then made a new restore point...
It was my nieces computer which was riddled with viruses,worms , etc.
She took it home and got it setup for her cable connection and then made another restore point... as yet un-needed..
What you are saying is that chances are if the computer gets bogged down again that restore point may not save her? That wasn't the feeling I had.

After thinking about it I had checked out the system restore in Win2000 and also in Win/ME as I had run that for a few years. Actually I remember learning how to shut it off as it grew into a large chunk of my HDD.

BUT ..the recovery disks that came with it never failed to format the hard drive and reinstall WIN/ME ... I was never trying to recover the added software then. I can see where a partial restoration would be prone to all sort of problems... but that is pretty obvious. hence the Format.

But what I am into now does that very same format... but instead of installing just factory windows it installs all my software and preferences. none of it corrupted because of my faithful return each time to the restore point before performing whatever upgrades I had on my list.. then immediately creating another restore point.. This is the essence of my message here.. How to keep the restore point pristine..

This new restore point is not made permanent for a few days... not until I feel comfortable with it. Then I must return to it again before saving it as a static (permanent) point.

Also I'm learning that when making that temporary point (incremental) it is better to do it twice.. the newest file grows so I return to the 1st of the pair when ready to make it permanent.

chrishoggy
11-17-2005, 02:20 PM
Have a look at the answers to questions 1, 8, 9 and 12 on the link below
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx
I don't think it doesn't monitor user files, I know it doesn't, as it's there in black and white.
System restore only acts on the system files and program files within the system. It makes no changes to any user data files at all, thus rendering any attempt at virus removal useless. It may remove the changed windows/program files created by the virus, and give better performance to begin with. But it will not remove a virus from your system, unless it is contained within a monitored file type and NOT within a user data folder.

rondon
11-17-2005, 03:24 PM
I'm having trouble deciding if you are saying none of it works or just Microsofts built in restore.. ?

It's Farstone's RestoreIt (http://www.farstone.com/home/ensite/products/restoreit.shtml) that I defend... and thought worth mentioning here.

On Windows I might have been overly optimistic.. a shame if so. I did wonder about Win/Xp's ability to retreat to an earlier restoration point without deleting later ones.. with RestoreIt any newer restore points dissolve.. and set furthest back is the one Static (permanent) restore point.

That is misleading though as you can delete it and make a new permanent restore point.. as often as you wish... This is the Restore point I talk about.. The one safe guarded thru it's development until it offers every preference and tweak I desire. When I use this restore point all others disappear..

Software all in place with preferences set but never used... none of the debris I've come to believe is inherent with use.

all files and folders of mine are kept on a different partition .... the only thing I need to consider is whether I have any new favorites, emails or address book files to move..

This isn't for those who operate and keep all files on one partition.. At least my method isn't.

chrishoggy
11-17-2005, 04:11 PM
Using the RestoreIt would work, but by having/moving files to another partition or drive, you would be allowing the virus into that partition/drive just by having it there in the first place. The virus would then re-infect the restored Windows from the second partition/drive, although a scan would show your restored Windows as clean to begin with.
The windows system restore version doesn't work at all, it just restores clean versions of the corrupted files created by some viruses.

To do it with RestoreIt would still require some anti-virus cover. Not just to cover your system but to cover your hidden restore files. A virus can still corrupt your hidden RestoreIt files, rendering them totally useless and wiping out all you have backed up.
You will need only 1 partition that you back up once a day or what ever, and back up your other files created after the backup to CD or removable drive. Then when you restore to your good restoreIt point, you can scan the CD/drive for viruses before putting them back on the main drive. It needs to be done this way, as if they are on another fixed drive/partition, they can activate the virus before the restored anti-virus fires up.
What ever way you look at it, Anti-virus is needed in one form or another.

Just try AVG and see how it runs on your system. I'm willing to bet you will see little, if any difference in your net speed.

Free AVG anti-virus (http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5)

rondon
11-17-2005, 04:42 PM
Still don't get it?

I've mentioned an occasional visit to Trend Micro for their free online virus scan...
It may be possible for a virus to find my hidden restoration files but I think you are still talking of a lesser restore point.. this is a closed partition


when you start talking about "You will need only 1 partition that you back up once a day or what ever"
you are not on the same page.. A restore point like that is just a run of the mill one.. it will include all the unwanted glitches and debris my idea does away with...
Just take a moment and rethink just what I've written without assuming it has faults.. It works.. it's not for everybody.

chrishoggy
11-17-2005, 04:58 PM
I can't make it any clearer. No restore point systems/methods work safely without the backing of antivirus. Using an online virus scan of any kind doesn't fully scan the system, neither does it scan for malware, adware spyware, keyloggers etc. In fact some viruses have ways of running undetected by any scan (online or installed) unless it is run in safe mode. I'm not going to keep on about it, as the choice is yours to make.

rondon
11-17-2005, 05:27 PM
what you hit me with earlier in the day was " That is a very poor method, and in reality gives no protection at all " where do we stand now?
I say it offers lots of protection ... probably not perfect but I use it very often and when I do my system stays clean until I get reckless... and often that happens when my system speed could use the boost gained by returning to my restore point...

I say this is some protection in reality

also a delight...

so was that your last word for real?... I know it's getting late across the pond but what I really was looking for was more along the lines of "Yes I see what you mean now .. I misunderstood.. that is a very good plan for those who do understand it... I regret having portrayed it as irrelevant.. again it was because I didn't/couldn't understand... 1,000 pardons ole RonDon" ..

Gary Richardson
11-18-2005, 01:15 AM
Hi Rondon,

OK, first let me say that no system can offer complete protection, and the system you are suggesting certainly has merits.

RestoreIt, and the other "Sandbox" applications do not work in the same way as Windows inbuilt Restore function, (which as Chris says, do not restore User created files and folders, or many of the kernel functions), and are a viable method to secure your computer. They create a partition with a "virtual" system, which is ring fenced with encrypted security protocols to prevent cross partition infection. (Another such type with a good reputation is Deep Freeze), and as such are not prone to the possible "holes" that may be exploited by using Windows native Restore option.

However, it would still be useful to have an anti-virus scanner, if only to make it easier to know if you have been infected, and have to make a restore.

It's not necessary to have the resident scanner switched on, as this is the part of the programme that uses up resources. But if you use the On-Demand scanner whenever you wish to check your system, there should be no deterioration of performance. As with all such programmes, it is necessary to update regularly.

I don't think that either Chris or I are saying that your strategy of restore has no merit, just that it may not be as secure as you may wish.

I of course wish you every success with your method, and hope it continues to protect you.

Gary

chrishoggy
11-18-2005, 02:57 AM
I agree with Gary :nod: . I can confirm that although a virus will have great problems infecting the hidden (sandboxed) sector on the drive, it can be corrupted/damaged by it. Also installing some programs can damage the hidden partition, as found out by 100's of Packard Bell hidden recovery users (same system as RestoreIt). The main problem I have with your method is not the fact that you are open to infection, but that you are open to infect others. Being unprotected means that once you are infected, you can be spreading the infection to 1000's of others. This is how these things spread all over, an example being the Linux.Plupii worm. Every one system infected with it will infect 100's of others, and they in turn will infect 100's more. So the virus (or whatever) goes on and on and on.
I can tell you with a 100% guarantee that an XP SP1 system with no anti-virus/firewall, will be infected with a virus within 5-10 seconds of being put on the net. I've seen it 1000's of times when people have reinstalled windows, and gone on the net for updates. They then phone up saying my computer keeps shutting itself down, every time I try to go on the internet.


so was that your last word for real?... I know it's getting late across the pond but what I really was looking for was more along the lines of "Yes I see what you mean now .. I misunderstood.. that is a very good plan for those who do understand it... I regret having portrayed it as irrelevant.. again it was because I didn't/couldn't understand... 1,000 pardons ole RonDon" ..
I fully understand what you are doing.

rondon
11-18-2005, 07:21 AM
I do give others protection by following advice I read some time ago to change some options in outlook express. And an occasional visit to "housecall" keeps my other partition as clean as most virus protection and as I wrote of before I do that just before using the restore point (not every time). In this fashion even the visit to housecall isn't recorded on my FAST restore point.

Thank you Gary for this: RestoreIt, and the other "Sandbox" applications do not work in the same way as Windows inbuilt Restore function, and are a viable method to secure your computer. They create a partition with a "virtual" system, which is ring fenced with encrypted security protocols to prevent cross partition infection. That sounds very much the way it feels...

I do now understand windows/XP restore points better now and agree it does not offer the same protection... without having it around long enough to understand I assumed too much. One thing that may have thrown me off was they have the restore points and system restore all thrown together.... are you saying that windows XP instead of using recovery disks (like win/me) just stores that data on the HDD? That still is a factory restore point right?.. but can't be updated? It didn't help that RestoreIt by default names the static(permanent) restore point Factory settings you are allowed to change the name to anything you like though.. I usually use the date.

so My question to Chris is do you still stand by your original classification of my method That is a very poor method, and in reality gives no protection at all ..

I've been perfecting my restore point and thought I was sharing something wonderful... and I still do... but he shot it right out of the water without really understanding it.. some folks will have read no more about and that's really too bad... it really is a delight to use it... even just to know it's there.

using Restore it normally does give folks some protection but using it with my method gives them much more. If I've done it correctly all the changes and updates I've made over time appear on the hard drive as if I sat down and formatted the HDD and installed and tweaked it all at once. No debris. All defragged and very quick.

The most important thing for anyone interested is:

return to the restore point before making permanent changes
make 2 new temporary (incremental) after
use the temp points long enough to trust them
then restore the computer to the 1st of the 2 temporary
create a new Permanent (static) restore point.


then feel free to try programs make changes and all sorts of things that normally leave clutter and debris even after removal.


start a list then of the new changes that you wish to make permanent the next time you update the permanent restore point..


This is where the greatest worth is in the method. Virus protection is nice too...

chrishoggy
11-18-2005, 08:10 AM
rondon, I do stand by what I said. The reasons for this are that by having a clean restore point, you are not protecting yourself from virus attack. You are doing nothing other than creating a file that can be used to put a clean disc image back on to the system. To prove this point I will now give you a hypothetical situation.
You have just restored your system using your method and the system is as clean as a whistle. It's been scanned and double scanned, and there is nothing at all wrong. You connect to the net to do a bit of searching and find a nice little free trial program you want to try. You download this file, and feel safe doing so with your restore point safe and hidden away. You run the program and try it out. Unknown to you (because you have no anti-virus) this trial program has a Bios virus contained within the file system. By running the program you have also run the virus. This virus sends new data into the BIOS chip, overwriting BIOS EEROM. You get up the next morning to use your computer, and it makes a single beep noise and does nothing when powered up. You then think I know I've got my hidden file I can restore. So you fire the system up again, but nothing is working. You can't enter bios setup, get restoreIt to work or do anything other than make it beep once when powered up. So you call an IT person out or friend in the know, and ask them what is wrong. Your friend then tells you that because you didn't have anti-virus, you have just wiped the Bios chip on the motherboard. Your system is now totally dead, and because this virus has also overwritten the first few MB of data from each of your HDDs/partitions, you have lost your restore point and all your files on any fixed drive in your system. He now tells you that the only way to fix this is to replace the Bios chip or motherboard. Then reformat the drives and install everything from scratch. He could try to get the windows data back with recovery software, but that's gunna cost you even more.

Now what do you say when asked why you didn't have any FREE anti-virus protection? How do you justify spending all that money on repairs, when a free program would have stopped it!

Seen it happen many times, and read many sorry stories about this exact same situation.
I really am not having a go at what you are doing, but pointing out that it is NOT doing what you think it is. It doesn't give you any protection at all. An old phrase comes to mind: "prevention is better than the cure". You are running the risk of losing everything on your system, and damaging the hardware in the process.
Remember this was your statement
Restore as virus protection?

Gary Richardson
11-18-2005, 09:38 AM
The scenario that Chris gives you is valid, however, bios viruses are not very common, as they are difficult to write.

It is still possible to get infected with such a virus even if you have an up to date anti-virus on your m/c, provided the virus that hits you is a zero day infection (ie unknown new variant).

This does not mean that the advice he is giving is not sound, it's all a matter of reducing risk.

A workable system could surely be put together using the "plusses" of both systems. A well firewalled and anti-virus protected shell to make primary penetration difficult, with a ring fenced "Sandbox" to enable recovery in case of infection.

Provided your firewall monitors both incoming and outgoing connections, the chances of passing on an infection are reduced. Of course if you are connected in a Network, different considerations have to be taken, as internal network infection can happen once your outer defences are breached.

The "sandboxed" system is there for you to recover to, should your m/c be compromised.

One last thing to consider.

Intruders are a sneaky and devious lot, they have many different reasons for wanting to infect your box.

Just a couple of possible scenarios.

Not all intrusions are obvious, they do not all carry a payload that alerts you to their presence. Sometimes an intruder may just wish to use you as a springboard for attacks on others, hiding his trail from the m/c he really wants to attack. As long as their traffic use on your computer is small, you might have them on board for a long time without knowing it. However, your m/c is the one that will show up on the attacked m/c, and you are the one who will get woken up by the police at 3.00 am.

Similarly, they may have just installed a backdoor on your system, and can monitor your internet activity, noting down bank details, credit card numbers, passwords and private details etc. etc. With the added advantage that with a backdoor installed they can completely take over your m/c whenever they want.

Without the programmes needed to keep them out, and to monitor your system, you cannot know that this is not the case.

Gary

chrishoggy
11-18-2005, 10:29 AM
What I am about to show you is 100% safe and all files are 100% virus free
Like Gary said "bios viruses are not very common" , but this was a worst case scenario to show what I mean. The net is full of illegal activity and nasty people willing to blame you for what they have done. Using your computer as a middle man is a way of making it look as though you are the one doing illegal things. They can hide files to do this in many different forms.
An example of a file you would never suspect of having a virus is bitmap. Now I will show you what I mean by this.
Below is a link to a picture file (bitmap) that I used on another forum to show how a security program works.
http://www.chrishoggy.pwp.blueyonder.co.uk/test.bmp

This file could be a picture of anything that you like/want to download. Now the program I used was created to secure data, but it can also be used to hide any type of file within a bitmap image. It can be used to run a program when you open the image or run a virus. In the case of the link above, it has a text file in it asking how someone opened the file. It is totally safe to view as a normal bmp image and the file contains nothing nasty.
Save the image to your Hard drive
Now if you download this free 10 day trial program Here (http://www.amplusnet.com/products/fileprotection/download.htm) and open that bmp file in it, you can unlock the text file hidden within it.
Open the program and highlight the test.bmp file and click on the unlock tab.
Now enter canyoucrackthis (no spaces) as the password and the program will now extract the text file that was hidden within the image, so you can read it.
This system can be used to hide anything in an image, and just shows how it can be done. Systems like this can do lots more, but I would be foolish to post the details on a forum :eek: .
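An added example, not part of the thread and not the file-protection program's own code: one way a defender checks a bitmap for a hidden file is to compare what the BMP headers declare against what is actually on disk, since a file tacked on after the pixel data leaves the header sizes unchanged. The sample image and the appended text are constructed here; the check only catches appended data, not data woven into the pixel values themselves.

```python
"""Check a .bmp for data beyond what its headers account for.

Added example for this thread, not the file-protection tool's own code. A
file hidden by appending it after the pixel data leaves the BITMAPFILEHEADER
and BITMAPINFOHEADER untouched, so declared size and actual size disagree.
"""
import struct

FILE_HEADER = "<2sIHHI"    # magic, file size, reserved x2, pixel data offset
INFO_HEADER = "<IiiHHII"   # header size, width, height, planes, bpp, compression, image size


def make_bmp(width, height, rgb=(0, 0, 255)):
    """Build a minimal 24-bit BMP of one colour (constructed sample, not test.bmp)."""
    pad = (4 - (width * 3) % 4) % 4                    # rows are padded to 4 bytes
    row = bytes(reversed(rgb)) * width + b"\0" * pad   # BMP stores pixels as BGR
    pixels = row * height
    offset = 14 + 40                                   # file header + info header
    file_header = struct.pack(FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def inspect_bmp(data):
    """Return declared vs actual sizes and any bytes found after the pixel data."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, pixel_offset = struct.unpack_from(FILE_HEADER, data, 0)
    _, width, height, _, bpp, compression, image_size = struct.unpack_from(INFO_HEADER, data, 14)
    if image_size == 0 and compression == 0:          # uncompressed files may leave this 0
        image_size = ((width * bpp + 31) // 32) * 4 * abs(height)
    expected_end = pixel_offset + image_size
    trailing = data[expected_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "expected_end": expected_end,
        "trailing_bytes": len(trailing),
        "trailing_preview": trailing[:40],
    }


def has_appended_payload(data):
    """True when the file carries bytes the BMP headers do not account for."""
    info = inspect_bmp(data)
    return info["trailing_bytes"] > 0 or info["declared_size"] != info["actual_size"]


if __name__ == "__main__":
    clean = make_bmp(2, 2)
    # Constructed stand-in for a hidden text file, appended after the pixel data.
    tampered = clean + b"How did you open this file?"
    for label, blob in (("clean", clean), ("tampered", tampered)):
        print(label, inspect_bmp(blob), "payload:", has_appended_payload(blob))
```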

rondon
11-18-2005, 11:10 AM
If we rule out the rare, difficult to develop bios virus that could cripple even a well protected system I have yet to understand why my system doesn't trump many security features.
Nothing to stop folks from using it daily or even every start up.

So what if I never saw it.... it's gone.

I don't care to have somewhat invasive security draining resources and themselves often requiring maintenance.

I'm sure virus protection could be built into the restore point but there is the issue of updates to be dealt with. No problem if the security updates can be downloaded and installed offline in the process of creating a new permanent restore point, but if those updates must be done online then it will compromise what was intended to be a restore point that has never been online. But including security would really just be one of the interesting work arounds required.

What I really feel is going on here is Chris is acting in a way that I see a lot of myself in... although I'm trying to repent. He wants to give advice and be listened to without listening. My idea appeared to him as riddled with holes and he confidently slammed it.. All too human but if his ego blinds him to the explanations I offered he is no longer conversing but defending his stance.. sort of like a corrupt restore point... pardon the pun.

This thread is getting a fair amount of views .. deflecting his criticism has allowed folks a closer look so I thank him for that... It does appear as too shallow a plan to do any good.. it's not that shallow... it takes some dedication. And it's not for everyone.

chrishoggy
11-18-2005, 11:32 AM
OK, I am willing to hold my hands up and admit I was totally wrong, this will be done on one condition.
Assume someone has done your restore and cleaned their system fully. They have just gone on the net after buying something with their credit card via the net, sent an Email with their name and address in, copied their driving licence with a scanner to send off to the police via snail mail or something else along those lines where they have been dealing with personal details.

Now tell me what is stopping me from getting all that info and using it to buy electrical goods in their name and committing fraud. Or stopping me from selling that info on to the low-life ID criminals, who will use it to create Passports, driving licences and credit cards etc.

If you can tell me that something has stopped me from getting all their details, I apologise and your system works.

chrishoggy
11-18-2005, 11:44 AM
PS: I didn't dispute that your system is good for restoring to a good setup, or that it would recover a system after a minor attack. The only thing I dispute is that it offers protection against any form of virus etc.

Janet Petty
11-18-2005, 11:57 AM
Just remind me to never open anything that has Ron's name attached to it.

I certainly know what Gary and Chris are talking about, why they are talking about it, and what they are trying to help with, having been a victim of a nasty virus/trojan only once before.

I was TOTALLY BLESSED in that both my husband, who is a computer systems man and my son, who runs the IT department where he works, were home when it happened. I only lost a minimum of data because both of them knew what to do, how to do it, and caught it quickly.

I'm living proof that the RESTORE POINTS do not work the way you think they do Ron.

A six-eight hour rebuild while losing your data is absolutely awful.

Sign me: A CAREFUL computer user

Janet

rondon
11-18-2005, 12:21 PM
I don't think what Janet said is relevant but Chris opened a new can of worms.. when he mentioned using a credit card. I don't do online transactions and those would require another work around

The rest of this is nonsense
sent an Email with their name and address in, copied their driving licence with a scanner to send off to the police via snail mail

chrishoggy
11-18-2005, 12:35 PM
Ron,
OK, it's nonsense. I talk utter rubbish and I was wrong all along, your method works like a dream.
Happy surfing :tired:

Another thing to look at, and I'm not sure if this is covered by Dougs server protection is this
http://www.windowsitpro.com/Article/ArticleID/44039/44039.html


PS: Janet, nobody can say I haven't tried :wink: . Advice is there for members to read. I will let them decide on what is correct :spchless:

chrishoggy
11-18-2005, 01:08 PM
PPS: Apologies to Nebgranny for this discussion taking over her original post

rondon
11-18-2005, 01:33 PM
Twit this thread is about security quit trying to win people over by sukking up

NancyJ
11-18-2005, 02:18 PM
Twit this thread is about security quit trying to win people over by sukking up

You are rude, arrogant and ignorant! Chris and Gary are trying to help you by explaining the flaws in your system and how to get virus protection without slowing down your connection or draining system resources.

As for your above insults, just because you were never taught proper manners doesn't mean that everyone else here has to lower themselves to your level. What you call 'sukking up' is proper forum etiquette when 'hijacking' someone else's thread.

All I can say is I hope there's someone out there listening to this thread that will make you eat your words.... I'm tempted myself tbh.

Gary Richardson
11-18-2005, 02:21 PM
I don't think name calling exactly elevates this discussion, and I'm sure that members will make their decisions based on the arguments expressed, and not on any "sucking up", real or imagined.

I hope we're here to give information and advice that will help other members, that is certainly my intent, and perhaps that might best be achieved with a little less hostility.

rondon
11-18-2005, 02:25 PM
Probably ignorant too! but I think I've shown less arrogance.

chrishoggy
11-18-2005, 02:30 PM
No need to win Neb over. We've PM'd quite a few times, as well as chatted on another forum.

Twit
:lol: :lol: :lol:
Personal insults will not get a rise from me I'm afraid. Water off a duck's back n all that :spchless:

Cameraken
11-20-2005, 07:17 AM
Thanks Everyone.

Update.

I went to my friend's. In the meantime he had paid Norton for an update and run it.
He had also installed Microsoft AntiSpy

I started his PC in safe mode (System Restore Disabled) and ran Trend SysClean, Stinger and Adaware.
I cleared the things Adaware suggested but found No virus.

I restarted his PC in normal mode and ran WinsockFix and Hijack This. I repaired all the items marked in red at Hijack.De and uninstalled a toolbar he had installed.

A few of the nasties returned after restarting his PC. So I’m not sure whether he is virus free or not.(I think he is probably not)

I have attached his Hijack Log

Gary. I wondered if you could find time to take a quick look. The nasties regarding ydurw.dll were the ones that I deleted but returned after restarting the PC.
There are no comments on ydurw.dll at hijack this and a google search finds nothing.


Ken

chrishoggy
11-20-2005, 09:28 AM
Hi Ken,
That zip folder is showing as empty :depressed
Can you double check it at your end :pleased:

Cameraken
11-20-2005, 09:40 AM
Chris.

I just downloaded it and it works OK for me.

RetouchPro will not allow LOG files to be attached, so I attached it again as a .TXT file.

It is not zipped. Just rename it to a .LOG file.

Thanks.


Ken

Gary Richardson
11-21-2005, 01:26 AM
Hi Ken,

Got your HJT log. Will take a bit of time to check it out, get back to you later.

Not a good idea to use HijackThis.de, they just run it through an automatic process, which often gives a lot of false positives. I've seen quite a few cases where they've recommended removing essential windows processes.

From just a quick glance though, there's still a lot of junk on there.

Gary

Get back to you on this.

Gary Richardson
11-21-2005, 02:09 AM
Hi Ken, the HJT log shows a classic case of one of the Coolwebsearch variants, known as About Blank 02/04

First of all I need you to download some programs for use later.

Download this file (http://users.telenet.be/marcvn/regfiles/HSfix.zip) and unzip it to your desktop

Download About:Buster from here (http://downloads.malwareremoval.com/AboutBuster5.zip). Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder from here (http://www.intermute.com/spysubtract/cwshredder_download.html), install it, check for updates but again, don't use it yet.

Download and install Ewido Security Suite Trial from here (http://www.ewido.net/en/download/). Run and update the program but do not scan with it yet.

Make sure that you can see hidden files.
1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Click Yes to confirm.
7. Uncheck the Hide file extensions for known file types.
8. Click OK.

We need to stop a service...
- Click Start button then select Run
- Type services.msc then hit OK
- Scroll down and find the service called:

Remote Procedure Call (RPC) Helper Note the "Helper", as there is a legitimate Remote Procedure Call (RPC).

- Right-click on Service and choose Properties.
- On the General tab under Service Status click the Stop button to stop the service.
- Beside Startup Type in the dropdown menu select Disabled
- Click Apply then OK. Exit the Services utility
(Note: If the service isn't listed go ahead with the rest of the instructions)

Please print out these instructions, or save to a text file that you can view, as you are going to be offline for part of the cure, and will not have access to them.

Please disconnect from the Internet and unplug your modem for the duration of this fix

Shutdown your computer, and Boot Up into Safe Mode, by hitting the F8 key repeatedly as you power up.

This will bring up a menu, select Safe Mode and press enter. Log on as a user with administrator privileges. Continue for the rest of the fix in SAFE MODE

Double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Halt these Processes (if found), by pressing Ctrl+Alt+Del, this will bring up Windows Task Manager. Click on the Processes tab, scroll down to find the process, then click on the End Process button. Repeat till all processes are halted.
winms.exe
ntkw32.exe

Perform a scan using HJT, and check the following items (if found).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydurw.dll/sp.html#83556

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\WINDOWS\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\apiir32.dll (file missing)
O4 - HKLM\..\Run: [winms.exe] C:\WINDOWS\system32\winms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntkw32.exe

Close all windows except for the HJT window, and click the Fix Checked button.

Exit out of HijackThis.

Find and delete the following, if found.

These Files


C:\WINDOWS\system32\winms.exe
C:\WINDOWS\ntkw32.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\ydurw.dll

Next we need to delete your Temporary Files.

Use Start > Run and type in %temp% . Delete the entire contents of that temp folder (use Edit > Select All, press Delete, click Yes).

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use Control Panel > Internet Options > General tab and click the Delete File button. When prompted place a check in: Delete all offline content, then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to these folders, use Edit > Select All, press Delete, click Yes): Note: Do not Delete the Folder itself

* C:\Documents and Settings\Your Profile\Local Settings\Temp\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\Any other users Profile\Local Settings\Temp\

* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty.

Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a Scan Completed window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

Close all open Windows before starting scan. Do not use your Computer at all while Ewido is performing its scan.

Now reboot, and run hijackthis again and post a fresh log along with the about buster log and the Ewido log.

Important It is important that you disable Microsoft Anti-Spyware before starting the fix, as it will attempt to stop the removals you are making.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.
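As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage script that applies the rules behind Gary's reading of Ken's log to the R0/R1, O2, O4 and O23 lines quoted above: IE search settings pointing at a res:// DLL, BHOs with no name or a missing file, and services with no owner whose binary sits directly in C:\WINDOWS. The sample log lines are the page's own, with the service's garbled short name replaced by a constructed "ntkw32" and two ordinary entries added so the rules have something to leave alone.

```python
"""Triage a HijackThis (HJT) log for the About:Blank / CoolWebSearch pattern.

Added example for this thread; not HijackThis's own code. The rules mirror what
Gary picks out of Ken's log: IE search/start settings redirected to a res://
DLL, BHOs with no name or a missing file, and services with no owner whose
binary sits directly in the Windows directory. O4 autoruns are only listed
for manual review, since a name alone cannot decide them.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines quoted in the thread, with the service's
# garbled short name replaced by "ntkw32" and two ordinary entries added.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\ydurw.dll/sp.html#83556
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\ydurw.dll/sp.html#83556
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.retouchpro.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97853963-D003-7871-69E2-70710B4A6915} - C:\\WINDOWS\\addbo.dll
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\\WINDOWS\\apiir32.dll (file missing)
O4 - HKLM\\..\\Run: [winms.exe] C:\\WINDOWS\\system32\\winms.exe
O23 - Service: Remote Procedure Call (RPC) Helper (ntkw32) - Unknown owner - C:\\WINDOWS\\ntkw32.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\\WINDOWS\\system32\\svchost.exe -k rpcss
"""

R_LINE = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<value>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<entry>.+?)\] (?P<cmd>.+)$")
O23_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>[^-]+?) - (?P<path>[A-Za-z]:\\.+)$")
EXE_PREFIX = re.compile(r"(?i)^(.+?\.exe)")   # drop service arguments such as "-k rpcss"
UNNAMED_BHO = {"Class", "(no name)"}          # what HJT prints when a BHO has no name
MISSING = " (file missing)"


@dataclass
class Triage:
    hijacked_settings: list = field(default_factory=list)    # R0/R1 lines
    hijack_dlls: set = field(default_factory=set)            # DLLs behind res://
    suspicious_bhos: list = field(default_factory=list)      # O2 lines
    suspicious_services: list = field(default_factory=list)  # O23 lines
    autoruns: list = field(default_factory=list)             # O4 lines, manual review
    files_to_review: set = field(default_factory=set)        # paths to check on disk


def res_target(value):
    """DLL behind a res:// URL (res://C:\\X\\y.dll/sp.html -> C:\\X\\y.dll), else None."""
    if not value.lower().startswith("res://"):
        return None
    return value[len("res://"):].split("/", 1)[0]


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, not a subfolder."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] in ("windows", "winnt")


def triage(log_text):
    t = Triage()
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            dll = res_target(m["value"])
            if dll:
                t.hijacked_settings.append(line)
                t.hijack_dlls.add(dll)
                t.files_to_review.add(dll)
            elif m["value"] == "about:blank" and "Default_Page_URL" in m["key"]:
                t.hijacked_settings.append(line)   # the "About:Blank" half of the pattern
        elif m := O2_LINE.match(line):
            missing = m["path"].endswith(MISSING)
            path = m["path"][:-len(MISSING)] if missing else m["path"]
            if m["name"] in UNNAMED_BHO or missing or in_windows_root(path):
                t.suspicious_bhos.append(line)
                if not missing:
                    t.files_to_review.add(path)
        elif m := O4_LINE.match(line):
            t.autoruns.append(line)
        elif m := O23_LINE.match(line):
            exe_match = EXE_PREFIX.match(m["path"])
            exe = exe_match.group(1) if exe_match else m["path"]
            if m["owner"].strip().lower() == "unknown owner" and in_windows_root(exe):
                t.suspicious_services.append(line)
                t.files_to_review.add(exe)
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in ("hijacked_settings", "suspicious_bhos", "suspicious_services", "autoruns"):
        print(f"== {name} ==")
        for entry in getattr(result, name):
            print("  " + entry)
    print("== files_to_review ==")
    for path in sorted(result.files_to_review):
        print("  " + path)
```

The files_to_review set it produces is the same list Gary asks Ken to delete by hand; the O4 autorun (winms.exe) is deliberately left to a human, since a legitimate entry such as ctfmon.exe looks identical on that line.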

Cameraken
11-22-2005, 02:56 PM
Gary.

Thanks very much for taking the time to help.

I have downloaded the programs and printed out the instructions ready to take to my friends PC.

I am just doing a dummy run on my PC to make sure I am clear on the method.

Remote Procedure Call (RPC) Helper

I don’t have this on My PC
I have
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator

So I would skip this step on my PC – Right?

I knew there was something still wrong with his PC even though Trend Sysclean and Stinger both came back clear – It’s most concerning when a virus checker does not find this.

I have always relied on the info from HJT for my PC, but it sounds like this can be wrong as well.

Thanks again for your very clear instructions

I will post the logs next week

Ken

Gary Richardson
11-22-2005, 03:32 PM
Hi Ken,

You'll only have Remote Procedure Call (RPC) Helper on your computer if it's infected.

The other two are legitimate services, and should be there.

Automatic tools are excellent at getting rid of well defined infections, it's just a matter of getting the right tool for the right infection. Some work better on some infections than others, and vice versa.

Trouble is these beasties have a nasty habit of evolving, so it's always a case of playing catch up.

Good luck with your friend's computer, and keep me posted as to what happens.

Gary

Legacy~Art
11-22-2005, 04:20 PM
Did you actually help Neb, or scare her away with all this male testosterone?

Legacy~Art
11-22-2005, 04:33 PM
Just like to add I'm listening to some of the tips you added before Ron got a little high on his knowledge, and I am now scanning my PC!

So thank you!!!

Cameraken
11-22-2005, 07:20 PM
Elle.

Sorry. It’s probably my fault. I had a question that I thought was related so I posted it in Neb’s thread

Maybe I should have started a new thread.

Sorry Neb.


Gary.
I have just been banned from malwareremoval.com ‘cos I didn’t put the code in capitals. What do I do now?

Ken

Gary Richardson
11-23-2005, 01:28 AM
Don't really know, Ken. It's a while since I joined, so I don't really remember what I did to subscribe. I guess from your post that you had to enter a security code.

Send me a PM with details of what you tried to enter, and I'll PM one of the administrators at MRU, and ask how to get round this problem.

Alternatively, try subscribing with a different name and a hotmail address.

I know that many use disposable e-mail addresses, and it doesn't seem to prevent them from joining.

Hi Elle,

Firstly my apologies to Neb, for hijacking her thread. But Ken's friend has a real and present threat to his computer, and it's important that he deal with it as soon as possible, as this particular infection has a habit of inviting more friends to the party once it's got a foothold.

More than happy to move to a new post, if this is causing problems to anyone.

And Elle, it's important that you keep your defences updated, and that you scan regularly. I find once a week is quite adequate, and can usually be fitted in quite easily while you have a cuppa. It's a whole lot easier to keep it off, than it is to remove it once it gets a foothold.

Keep safe,

Gary

Cameraken
11-29-2005, 04:00 AM
Update.

Gary, I have now been back to my friend's PC. I ran the fixes as you suggested. When I had finished, Norton popped up asking:

Sysin.exe is attempting to connect to a DNS server
Msjz32.exe is attempting to connect to a DNS server

I blocked them both.

I still don’t think he is clean as the About Blank page is still a Search page.

I have attached all three logs.


Ken

Gary Richardson
11-29-2005, 09:14 AM
Hi Ken,

At first glance, a great deal of the major infection seems to have been removed.

Will take me a while to go through your logs, will get back to you on this, but things look better.

Gary

P.S. Just need to ask you. Did you disconnect from the Internet for the duration of the fix? It's essential that you totally disconnect from the Internet (remove telephone lead), and close Internet Explorer and Outlook Express, or the fix will fail.

Will get back to you with an update on what to do next.

Cameraken
11-29-2005, 01:12 PM
Gary.

His Internet comes via a LAN card. I disconnected the cable.

I think I did everything correctly, except I forgot to update Ewido.

Thanks for your help.

Ken

Gary Richardson
11-30-2005, 01:11 AM
Hi Ken,

OK, looks like we've pretty much got a total re-infection here. Probable reason is the time delay between posting the HJT log, and instigating the fix.

As I said earlier, this baby likes to update and morph itself, so the version I gave the fix for wasn't totally the version that was on the computer when the fix was applied.

There was obviously a "guard" file on there that we didn't remove, and that's what's re-installing the infection.

As long as your friend's computer is connected to the Internet, we're going to have this problem. He must disconnect from it, and keep disconnected until we get this removed.

The HJT log I've now got is not really of any use, as his machine has been connected since our removal attempts, and will almost certainly have morphed again.

I need him to disconnect his connection, then provide a new HJT log. If he's not connected it will not be able to update, and we should be able to get rid of it.

It would be helpful if you could post the next log at http://spywarewarrior.com/index.php

I am a helper there, online name Gary R, so if you post the log in the HJT forum, then PM me to let me know (include a link to the log), I'll be able to see to it.

There are a few reasons for this. One, the forum is set up to deal with large posts, and you can post the logs without having to post them as attachments, and two, the most important, I can refer it to some of the more experienced helpers, in case it continues to be difficult, or in case it's a new variety. Lastly, Retouch Pro is a retouching forum, and I feel kind of guilty using up Doug's bandwidth on a non-retouching topic.

Good luck, and look forward to seeing your post at SWW.

Gary


P.S. Sorry I'm a bit late coming back, got called out to see to my mother-in-law's plumbing last night. She got a burst pipe with the cold weather, and I had to replace it, and fit the lagging that they should have had in the first place.

Cameraken
12-01-2005, 12:19 PM
Gary.

I have told my friend that I cannot help him unless I bring his PC home. That way I’ll be able to keep his PC disconnected and still use mine to post the log files.
If he agrees I will PM you and post them at SpyWarrior.

I will delete the logs I have posted as they are of no use.

Thanks Again for all your help.

Ken

Gary Richardson
12-01-2005, 02:34 PM
Hi Ken,

You're welcome. Look forward to your post at SWW,

Gary