User Name on internet connection Changed.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Vivian01, Nov 8, 2004.

  1. Vivian01

    Vivian01 Private E-2

    :rolleyes: I have msn dial up connection.
    When I go to sign in on the net my User Name has been changed to "aqw".
    I have to change it back to what it was originally, then I'm on the net but not signed in. This has been for approx. 2 weeks.

    My Giant AntiSpyware says from time to time that it detects Possible Hijack.
    I would delete this as recommended. I notice this happens when my IE is changed from majorgeeks.com to microsoftwindowsupdatecom, usually when I first get on the net in the morning, I'll get these alerts. I don't use the IE.
    In the bottom right hand on this window over the task bar is "Not signed in. Retrying..."
    Does anyone know what this is?

    I have done the READ ME FIRST spyware removal, I do this about once a week.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have performed all the steps in < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you are still having a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  3. Vivian01

    Vivian01 Private E-2

    How do you post HJT log as a .txt file attachment?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can now post them as a .log file too. (A recent change to uploading file attachments.)

    Just click Go Advanced and scroll down until you see Manage Attachments and click it.
    Now browse to locate your log file and upload it.
     
  5. Vivian01

    Vivian01 Private E-2

    I don't know what I'm doing, so if I'm doing it wrong, please forgive.
    I hope here is my log
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    Please put HijackThis in its own safe folder - C:\Program Files\HijackThis - Let us know if you have trouble doing this.

    You have a lot of stuff running in your log, though it looks fairly clean.

    I do see evidence of the WORM_SDBOT.UO - It will need to be dealt with. Please run a fresh scan once HJT is in its own folder and attach a new log.

    Best :)
    PP
     
  7. Vivian01

    Vivian01 Private E-2

    I guess I'm going to need some help with this on how to move it.
    I thought I had it in its own folder but evidently not.
    I have no idea how to turn anything off.
     
  8. Vivian01

    Vivian01 Private E-2

    I hope it's right this time.
    Here goes.
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    To create a new folder:

    Click START > My Computer > Local Disc C: > Program Files

    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there and attach that log.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made, the mistakenly deleted entry can be restored.

    Hang in there :)

    PP
     
  10. Vivian01

    Vivian01 Private E-2

    I hope this works, this is my third try to attach.
     
  11. Vivian01

    Vivian01 Private E-2

    Trying again
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell us the exact steps you are using to do this. It really is not that difficult.

    Are you finding Manage Attachments okay?
    Are you using the Browse button to locate your file and select it?
    Did you remember to click Upload?
     
  13. Vivian01

    Vivian01 Private E-2

    It's the manage attachment.
    I click- Go Advanced -manage attachment
    then a window opens- I click Browse button
    a window opens to where I've saved the log.
    I double click the HijackThis log- I see writing by browse
    I click upload, then I wait, then it says "invalid hijackthis log"
    then I post a reply- then I click Submit Reply.
    Then I don't see an attachment.
    Then I start all over again.

    Maybe HijackThis is still in the wrong place, I just don't know.

    So new to computers,
    I won't let this defeat me.
     
  14. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    Try this - Change the log name to HijackThis Log Two and then attach it with the above procedure.

    If that doesn't work, then go ahead and copy and paste it into your post - Kodo or Chas can attach it for you. This isn't a big deal.
    It is much more important that you have HJT in its own safe folder.

    Hang in there - I'll check back in a bit :)
    PP
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP is most likely correct Vivian. You already uploaded a file named hijackthis.log in message #5. So it will not allow you to upload it again. Each time you upload, a new file name must be used. I typically tell people to use a simple method like hjt1.log then hjt2.log then hjt3.log etc. It is not necessary to use such long names as hijackthis.log.

    So try again and if you cannot attach it, put it in line as PP said and we will change it to an attachment for you.
     
  16. Vivian01

    Vivian01 Private E-2

    I think I got it this time. Hope it's in the
    right place.
     

    Attached Files:

  17. Kodo

    Kodo SNATCHSQUATCH

    Last edited: Nov 10, 2004
  18. PhilliePhan

    PhilliePhan Guest

    Looks safe to me! Your log shows a couple of worms - Let us know if you have any problems with these instructions :)

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them:
    winclean.exe
    uzpdate2.exe


    Now scan with HijackThis and check the boxes for the following:
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [Windows Registry Cleaner] winclean.exe

    O4 - HKLM\..\Run: [zerzvpack2] uzpdate2.exe

    O4 - HKLM\..\RunServices: [Windows Registry Cleaner] winclean.exe

    O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe

    O4 - HKCU\..\Run: [Windows Registry Cleaner] winclean.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab

    O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab

    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/604485.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE:
    C:\Windows\System32\uzpdate2.exe
    C:\Windows\System32\winclean.exe

    Reboot to Normal Windows and Scan with HijackThis and attach that log (name it HJT Three). Let us know of any problems you may have encountered with the above instructions and how your computer is running now.

    Best luck :)
    PP
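
The kinds of entries singled out in the fix list above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread and not HijackThis's or the helpers' own logic: the three heuristics (orphaned entries, autostarts given without a full path, ActiveX codebases on a bare IP or pointing at a raw .exe) and the names `triage_line` and `triage` are assumptions made for illustration, and a hit is a prompt for review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: six entries copied from the fix list in the post above,
# plus one made-up benign line (ExampleAV) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [Windows Registry Cleaner] winclean.exe
O4 - HKLM\..\RunServices: [zerzvpack2] uzpdate2.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/604485.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                    # "O4 - ..."
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")   # O4 body

def triage_line(line):
    """Return (section, [reasons]) for one log line, or None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    # Heuristic 1 (assumed): the registry entry points at a file that is gone.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: target file is absent")
    # Heuristic 2 (assumed): Run/RunServices value is a bare file name.
    if section == "O4":
        run = AUTORUN.match(body)
        if run and "\\" not in run.group(4):
            reasons.append("autostart without a full path: " + run.group(4))
    # Heuristic 3 (assumed): ActiveX download source looks unusual.
    if section == "O16":
        parsed = urlparse(body.rsplit(" - ", 1)[-1])
        host = parsed.hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ActiveX codebase on a bare IP: " + host)
        if parsed.path.lower().endswith(".exe"):
            reasons.append("ActiveX codebase is a raw .exe")
    return section, reasons

def triage(log_text):
    """Return (line, reasons) for every line that triggered a heuristic."""
    results = ((l.strip(), triage_line(l)) for l in log_text.splitlines())
    return [(l, r[1]) for l, r in results if r and r[1]]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry, "->", "; ".join(why))
```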
     
  19. Vivian01

    Vivian01 Private E-2

    Okay, I think I've moved HijackThis to the right place.
    Downloaded a2 squared.
    I ran a2-squared I think it's called, in safe mode,
    booted to normal and ran HJT again.
    I pray here it is.
     

    Attached Files:

  20. Vivian01

    Vivian01 Private E-2

    Oh, see you have more instructions.
    Before I perform them, I need to know do I have
    HijackThis in the right place now, so I can do as
    you instruct.
     
  21. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    Sorry about making you move HJT all over the place - We just want to make sure that the backups it makes will be safe in case you or we make a mistake! HJT is safe now.

    Please run through the instructions in my last post. Let us know if you have any problems. I'll check back later this evening.

    Best luck :)

    PP
     
  22. Vivian01

    Vivian01 Private E-2

    I moved HJT when Kodo told me in #17, did I move it to the right place?
     
  23. PhilliePhan

    PhilliePhan Guest

    YES you did :) You may proceed with the cleanup instructions I left a few posts ago.

    PP
     
  24. Vivian01

    Vivian01 Private E-2

    Couldn't find winclean.exe or uzpdate2.exe in Task manager.
    Performed HJT scan and fix per instructions.
    Booted to safe mode, did a search in C:\Windows\System32 for:
    uzpdate2.exe - winclean.exe - I did not find it.
    I did find an empty folder of SexDownloader in C:\Windows\System32.
    I deleted it there and in the recycle bin.
    I also did a search for other things that HJT fixed - Found nothing.
    Booted to Normal mode.
    Did HJT scan & save log.
    Here it is.
     

    Attached Files:

  25. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    Your Hjt log looks OK. How are things running?

    Did you try using Windows Explorer to search for uzpdate2.exe & winclean.exe? The two worms that you had usually copy themselves into the System32 folder, but they might be elsewhere.
    You should also note that they are spread via KAZAA and mIRC Chat.

    I should also note that you have A LOT of stuff running. I'd ask you to check out Chaslang's Malware Prevention advice, but you are up-to-date with Windows and you already have a surplus of anti-spyware apps running ;)
    You might want to weed some things out - just a thought.

    Anyhoo, let us know how things are working. I'll try to check back this evening.

    Best :)
    PP
     
  26. Vivian01

    Vivian01 Private E-2

    :) Thanks You Guys
    PC seems to be running great!
    Did a windows search everywhere for uzpdate.exe & winclean.exe
    forward and spelled backward with no results.
    Do you still see these worms on my PC? :)
    Neither my son nor I use Kazaa or mirc chat.

    When you say a lot of things running, do you mean anti-spyware or what?
    What anti-spyware tool would you get rid of?
    I've used every one of them to clean this used-to-be dirty PC.
    Thanks again, you taught me some new tricks.
     
  27. PhilliePhan

    PhilliePhan Guest

    Hi Vivian,

    I didn't see any trace of those worms in your last log.

    If running so many Anti-spyware Tools makes you feel more comfortable, then I guess there's nothing wrong with a little overkill ;) As long as it doesn't cause any problems with the efficient working of your machine.

    Regards,
    PP
     
