[Mike]

Hi there,

How is your internet connectivity? Do you think you'd be able to run an online scan?

First off,

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs, mainly these two:

Java™ 6 Update 3
Java™ 6 Update 5

Are you familiar with the program NOS? If not go to start, then control panel and then to add or remove programs and uninstall it.

Delete these two folders:

C:\Documents and Settings\All Users\Application Data\NOS
C:\Program Files\NOS

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O4 - HKLM\..\Run: [lphc5ucj0etel] C:\WINDOWS\system32\lphc5ucj0etel.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

Now please close all open windows except HJT and press "Fix checked".

Now,

http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

[Advertisements]

Also what happened to Avast! Did you uninstall it? If so you need to reinstall it please - without an antivirus you will just get reinfected.

[Mike]

Also what happened to Avast! Did you uninstall it? If so you need to reinstall it please - without an antivirus you will just get reinfected.

[jigsawbill]

Good Morning;
Yes I deleted Avast, and now cannot download it or any of these other programs. I am curious about whether it would be better to go ahead and format the hard drive, I have all my files backed up on exterior hard drive, but the computer will not boot to disc. Will that recovery console make it boot to the xp disc?

[Mike]

If you wish to do so you can, I wouldn't be able to resolve your boot issue with the CD but I'm sure the techs here at geekstogo can.

Let's get some more information, when you go on the internet - are you getting redirected? Popups? If so to where or what sort of popups?
Can you even connect to the internet still?

Let's do this first, download the attached ZIP file

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

In my next post I will have some other instructions, let's see if you can get that one to run as well (I have a upload limit)

Edited by Mike, 23 July 2008 - 02:26 PM.

[Mike]

Do this as well if you can.

Download the attached file OTScanIt.zip to your desktop. extract it and run the OTscanIt.exe.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• Under Additional Scans click the checkboxes in front of the following items to select them:
  • Reg - BotCheck
    File - Additional Folder Scans
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Edited by Mike, 23 July 2008 - 02:25 PM.

[jigsawbill]

Hi Mike;
I got the gmer, and ran it, and it didn't find anything. I'll try this other stuff now.

[jigsawbill]

Here is the report.

Sorry to edit your post, the log was stretching the page. - Mike

Edited by Mike, 23 July 2008 - 12:05 PM.
Removed log as it streched the page.

[Mike]

Hi there,

Don't copy and paste the log attach it please,

To attach a file, do the following:* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse for the attachment file you want to upload, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* Click on to insert the attachment into your post

[jigsawbill]

Sorry about that, Not paying attention like I should.

Attached Files

•  OTScanIt.Txt   173.23KB   124 downloads

[Mike]

Could I get the answers to these questions please?

Let's get some more information, when you go on the internet - are you getting redirected? Popups? If so to where or what sort of popups?
Can you even connect to the internet still?

Also answer if you have already run HostsXpert and tell me how are you accessing this site?

I still don't see anything that could be causing this.

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> lphc5ucj0etel -> %SystemRoot%\system32\lphc5ucj0etel.exe [C:\WINDOWS\system32\lphc5ucj0etel.exe]
YN -> services -> %SystemRoot%\services.exe [C:\WINDOWS\services.exe]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found.
YN -> 1 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found.
YN ->   .[msn] -> My Computer
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> blphc5ucj0etel.scr -> %SystemRoot%\System32\blphc5ucj0etel.scr
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> phc5ucj0etel.bmp -> %SystemRoot%\System32\phc5ucj0etel.bmp
NY -> 14 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\gmer.exe:Zone.Identifier
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> NOS -> %AllUsersProfile%\Application Data\NOS
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\dss.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\gmer.zip:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTScanIt.zip:Zone.Identifier
NY -> @Alternate Data Stream - 88 bytes -> %UserProfile%\Desktop\SD-FIX.exe:SummaryInformation
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\SD-FIX.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
NY -> NOS -> %ProgramFiles%\NOS
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here


I would like to give combofix a shot as it covers a wide range of Malware...

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

[jigsawbill]

Okay, here is answers, IE simply does not work, a blank scrren with IE title, then 2 or 3 more all blank then the computer locks up. The only way out is to log off, and start over. The same happens when I attempt to download, except for just now I tried the hostsexpert, and I got 3 IE windows, and 4 download windows, and finally one of them downloaded, and then I had to end each one and click them off back to desk top. kkI have gone into internet options and designated Google as home page and am getting out on it, but cannot click onto any links or my favorites, they all take me to the blank IE page.
the fix.Here is the report from the fix.

[jigsawbill]

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lphc5ucj0etel deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\services deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\blphc5ucj0etel.scr moved successfully.
C:\WINDOWS\System32\phc5ucj0etel.bmp moved successfully.
ADS C:\WINDOWS\gmer.exe:Zone.Identifier deleted successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads folder moved successfully.
C:\Documents and Settings\All Users\Application Data\NOS folder moved successfully.
ADS C:\Documents and Settings\ole bill\Desktop\dss.exe:Zone.Identifier deleted successfully.
ADS C:\Documents and Settings\ole bill\Desktop\gmer.zip:Zone.Identifier deleted successfully.
ADS C:\Documents and Settings\ole bill\Desktop\OTScanIt.zip:Zone.Identifier deleted successfully.
ADS C:\Documents and Settings\ole bill\Desktop\SD-FIX.exe:SummaryInformation deleted successfully.
ADS C:\Documents and Settings\ole bill\Desktop\SD-FIX.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} deleted successfully.
C:\Program Files\NOS folder moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\ole bill\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\ole bill\Local Settings\Temp\~DFDD97.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 07232008_193558

Files moved on Reboot...
C:\Documents and Settings\ole bill\Local Settings\Temp\hpodvd09.log moved successfully.
File C:\Documents and Settings\ole bill\Local Settings\Temp\~DFDD97.tmp not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

[jigsawbill]

Oh yes when I am trying to clear out the IE windows, I get an end program notice, and then a send report for each one.

[Mike]

Have you got ComboFix? Take a look at post #25

[jigsawbill]

Heres something that might help you. I went to control panel and into windows firewall, and tried to turn it back on, and there is a message there: "Your network administrater is using Group Policy to acontrol these settings."