Computer Woes

[Corrine]

Ok, try it manually:

• Go to C:\WINDOWS\System 32\drivers etc
  
• Right click on the host file and select Open. 
  
• When prompted, choose the option to "select the program from a list" and Open with Notepad
  
• Remove ALLentries except the default entry for localhost:  127.0.0.1       localhost
  
• Close the Hosts file and save it when asked (Note: the file is saved without an extension.  It is "HOSTS" not hosts.txt)
  

[Lonestar]

Ok, try it manually:

• Go to C:\WINDOWS\System 32\drivers etc
  
• Right click on the host file and select Open. 
  
• When prompted, choose the option to "select the program from a list" and Open with Notepad
  
• Remove ALLentries except the default entry for localhost:  127.0.0.1       localhost
  
• Close the Hosts file and save it when asked (Note: the file is saved without an extension.  It is "HOSTS" not hosts.txt)
  

Corrine - Which file is the host file? Thanks

[winchester73]

XP Home edition ... the hosts file is located here:  c:\windows\system32\drivers\etc\hosts

[Corrine]

Thanks, Win73!

[Lonestar]

Thanks for the reply Win73 and Corrine!

following c:\windows\system32\drivers\etc\hosts - I do not see a hosts file.   I have LMHOSTS "SAM File"  - NETWORKS - PROTOCOL and SERVICES.   The LMHOSTS file opened in notepad seems to be just a sample file. Sorry to be such a pain :(

[winchester73]

Hmmm, you have 4 out of 5 files ...  :blink:

I wonder if the Microsoft FixIt will work?  http://support.microsoft.com/kb/972034

Corrine?

[Corrine]

Microsoft FixIt is worth trying.  Otherwise, it may be necessary to recreate a clean HOSTS file, as shown at https://www.microsoft.com/Security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FQhost.JC&ThreatID=-2147343825#recovery_link and modified for XP:

   1.      Click Start, and click Run.
   2.      Open the Hosts file, according to operating system:
     
            In the Open field, on Windows XP type: notepad C:\Windows\system32\drivers\etc\hosts

   3.      Copy/paste the following information from the code box below:

Code Select Expand

# The hosts file assigns the name of a web page/site on the Internet
# to an IP address. This bypasses the normal DNS system.
# Each entry should be on a single line. The IP address should
# start in the first column followed by one or more spaces
# followed by the web page/site name.
#
# Any line, such as this one, that starts with a number sign is a comment
# Comments can also appear on a line with a real entry as shown below
#
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


   4.  Save the file to the same location you opened it from.
   5.  Close Notepad.

[Lonestar]

Microsoft fixit didnt seem to create the file or fix. So I followed Corrines directions and create the notepad file. 
  - Ran HostsXpert and set the file to read only.
  - Deleted all suggested files
  - Ran ATF cleaner
  - Ran MBAM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2010 10:21:02 AM
mbam-log-2010-06-14 (10-21-02).txt

Scan type: Quick scan
Objects scanned: 134710
Time elapsed: 8 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Corrine]

Excellent!  That took care of the orphaned entries.  How is the computer working now?

[Lonestar]

Excellent!  That took care of the orphaned entries.  How is the computer working now?

As far as I can tell, great! :thumbsup:  THANKS!!!!

[Corrine]

Great.  You are very welcome.  Now let's finish things off.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


As you saw, and I hope passed along to your "better half", having a firewall, anti-virus and anti-malware software are not enough.  It is also necessary to keep not only those programs updated but also to stay current with security updates and third-party software.  If the computer isn't set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates

To check if the system is missing security updates or has any other insecure applications installed, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through the browser with no installation or download required and does the following:

• Detects insecure versions of applications installed
  
• Verifies that all Microsoft patches are applied
  
• Assists in updating your system and applications
  

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please let me know if you have any questions.

[Lonestar]

Just want to say thanks to everyone that helped Paddy, Clark76, winchester73 and Corrine.  I greatly appreciate your time and knowledge!!!  Will make sure we keep everything up to date.  Thanks again!!! :goodie:

[Corrine]

You are very welcome, Lonestar.