command services?

pchelpman

Hello Mcnab

I'm not round here much these days but I've had a look at the log and it's OK except for a couple of minor issues.

First the HJT folder is in a temporary location. HJT makes automatic backups of anything it changes but these backups may be lost if HJT isn't in a permanent place. Please move the folder to the C: drive so you have C:\HJT.

Secondly, your java is well out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

Now to this message ...

Macnab wrote:

hkey-local-machine\system\currentcontrolset\enum\root\legacy-net...\000

This is the place in the registry where you may have something old stored. Perhaps an old driver for something you maybe don't use any more.

The "leg" at the end of the key is short for "legacy". However, this is also the place malware can hide.

We must see the FULL name of the registry key(s) to know exactly what's happening.

Do you see the complete key name in the message? If so please post the name(s) here.

If not we need to look in the registry itself.

WARNING ... DO NOT CHANGE ANYTHING IN THE REGISTRY. Be careful to take only the recommended action here .....

1. Click on Start and Click on Run
2. In the space provided, type regedit.exe and press OK
3. Scroll down to HKEY_LOCAL_MACHINE
4. Click on the + sign. A bunch of keys should appear.
5. Scroll down to SYSTEM key and click on the + sign
6. Scroll down to CurrentControlSet and click on the + sign
7. Scroll down to Enum and click on the + sign
8. Scroll down to Root and click on the + sign

Look down that list and see what key(s) start with the message you see. Make a note of the full key name(s) and post them here. Perhaps you could just take a screenprint and post it.

Hit the usual "X" in the corner to close regedit.

As I'm not here often I'll ask Alfonso to advise from here if he has the time. I don't want to abandon you but I am extremely busy with the "day job".

Macnab

heky_local_machine\system\currentcontrolset\enum\root\legacy_net...\0000

is the address in the pop up, followed your instructions and next to legacy were -netbios, -netbt,-netman, network_monitor. Do any of these ring a bell?

I've downloaded newer version of Java and removed old one, but couldn't double click on desktop.

Don't know how to move HJT folder from temp to c drive.
thank you so much for your help so far, much appreciated

Macnab

Sorry for being dense but where is the HJT folder?

Chippy_Minton

Macnab wrote:

Sorry for being dense but where is the HJT folder?

First uninstall it via add/remove programs in control panel, then create a folder (e.g. c:\hjt) and put HijackThis.exe there, or put it on your Desktop, and run it from there.

Alfonso_Skinarelli

If you've removed the malware on your machine, the Legacy keys in the registry are harmless.

Get a second opinion from a strong online scanner such as Kaspersky On-line Scanner

• Accept the Active X object and download the latest definitions.
• When the scanner is ready, click Scan Settings.
• Select the Extended anti-virus database.
• Select Scan Archives & Scan Mail Bases and then ok.
• Click My Computer to run a full system scan.
• When complete, choose Save as Text and save the log to your desktop.

Copy the results back here please.

Macnab

well I've done everything suggested but the damn pop up from pc guard still keeps on coming up every 5 mins saying not deleted its driving me mad but I still don't want to call their pound a minute call centre - rip off merchants pay enough for telewest broadband as it is

pchelpman

Please post the Kapersky scan results as Alfonso recommended.


PCH

Macnab

oh sorry will do

Macnab

Tried last night to post scan results, but they are v long and was unsuccessful.
it said i had 2 infections
any ideas on how to make it smaller?