John McKenna (Members; 4 posts)

Everything posted by John McKenna

  1. And there lies the problem with automated HJT readers. It hasn't flagged the malicious 023 service entry connected to the original infection and suggests removing a legitimate entry from the winsock layer as safe. By simply posting the list, it's tantamount to suggesting their removal. Most novice users IMHO would remove all of those entries listed thinking they weren't necessary when in reality most of them are. As I've tried explaining, HJT is a tool for removing malware. If you're going to use it, it needs supporting instructions of what to delete file wise, not just a list of entries which may or may not be safe to remove. You're treating HJT as if it were CCleaner. It's not as easy as marking the entries and hitting Fix Checked and expecting the infection to be removed.
  2. Tarun, I don't wish to start a flame war on this forum but I feel I must respond to your comments. I don't for one minute claim to be an expert, but I have studied malware removal on a virtually full-time basis for some eighteen months now. Apart from being a Moderator in the Security forums of Webuser, I'm also an authorised malware remover at some of the top anti-spyware forums the internet has to offer. I consider myself more than competent when it comes to removing malware. If that puts me in the "know-it-all" bracket in your eyes then so be it.

     I haven't bashed the product at all. I've gone to great lengths to explain the reasons behind the original posting over 2 months ago and I have certainly not come here to insult the members of this forum. I can see how you may view a few of my comments towards yourself as insulting, but my intention was never to do that. I apologise for causing such offence, but I believe my comments were justified regarding the HJT advice.

     Ewido is the recognised remover of this infection along with Nailfix. Both must be run in Safe Mode and the temp files must be cleaned. The reason for the temp files? Nail.exe has been morphing of late to Nail1.exe and planting itself in the user's temp folder when an attempt to remove it has been made. I posted the recognised 'full' fix so that the user doesn't mess about running scans with Ad-Aware and Spybot when those programs are not effective on this infection. If all the logs you advise on consist of simply removing the entries with HJT, I'm afraid your success rate won't be anything like 99%. When the victim reboots, the entries will all be back again unless you delete the infected files.....

     True, but this line WAS still present, which should have alerted you to the fact the infection was still present....

     O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

     And with regard to the malware scan in Safe Mode, as I've already mentioned, Ad-Aware and Spybot are useless against this infection at present.

     For what it's worth (not much in your eyes I'm sure), I've cast my eyes over your recommendations again and make the following comments:

     On the basis that HijackThis is a program for the removal of malware and the victim came to you wishing to rid themselves of an infection, why are you suggesting they disable System Restore immediately? What happens if anything goes wrong with your fix and the victim needs to roll back to an earlier restore point? An infected restore point is better than no restore points IMHO. I would leave that until the end. The infected restore points are of no harm to the user while you're fixing their log, so leave that until they're clean.

     All perfectly legitimate entries. Why are you recommending their removal? The user's start page on IE. Why remove that? It's there for a reason. Xfire messenger....a perfectly legitimate program. Certainly not malware by any stretch of the imagination.

     HijackThis is for removing malware. Many of the entries in the log are not 'needed' for the running of the machine but are nonetheless there for a reason and improve functionality for the user. If the victim had complained of a slow system then by all means recommend the removal of items not required from the startup list. To suggest they should remove virtually everything just because you've researched the item on one of the many online startup lists and noted the 'not required' comment at the end of the explanation is just bad practice at the very least. Remember, this isn't your machine and you have no business removing legitimate items from a HJT log just because it's what you would do to your own machine. Best sticking to just removing malware unless specifically asked otherwise.

     New.Net must be removed via Add/Remove Programs. Failure to do so may not only crash the machine in question but also damage the winsock layer. Granted you've asked them to use LSP-Fix, but there really isn't any need if the program is removed correctly. Xfire messenger will not function properly at all now either if the user has used LSP-Fix. Like I said above, it's a perfectly legit entry. Just because HJT flags it as 'unknown' does NOT mean it's bad.

     Without sounding condescending, Tarun (and I hope you take this the right way), I recommend you undertake a course in malware removal at one of the following forums. They provide free training in malware removal in a hidden closed environment which will not only teach you good practice but also keep you in touch with all the latest infections and recognised removal procedures. Enrol at any of the following sites if you wish to go down the classroom route: Bleeping Computer, Tom Coyote, Malware Removal.com. You'll learn more in 2 days from these sites than you will from 2 months' worth of your own research. Hell, you might even go as far as thanking me through gritted teeth one day if you decide to take my advice.

     Regards, HJM

     DjLizard, thank you for your reply.
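The O23 line quoted in the post is the kind of entry the writer says should have been noticed before the log was declared clean. As an added example (mine, not code from the post, from HijackThis, or from the CCleaner project), here is a small Python parser that pulls the O23 service entries out of a HijackThis log and flags the ones a reviewer should research before fixing anything. The SvcProc line is the one from the post; the other log lines, the "Example" product names and paths, and the two heuristics (no publisher recorded, binary sitting directly in the Windows directory) are constructed assumptions for illustration. The script only reports: it does not decide for you, and, as the post says, fixing an entry in HJT does not delete the file on disk.

```python
import re
from dataclasses import dataclass

# Added example (not HijackThis code): parse the O23 service lines of a HijackThis
# log and pick out the ones a reviewer should research before touching anything.
# The SvcProc line is the one quoted in the post; every other log line below is
# constructed for this example and does not describe any real product.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Example Updater Service (ExampleUpd) - Example Corp - C:\Program Files\Example\updsvc.exe
O23 - Service: Example Helper (ExHelp) - Unknown owner - C:\Program Files\Example\helper.exe
"""

# O23 layout as it appears in the post: display name (short name) - owner - image path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str


def parse_o23(lines):
    """Return the O23 entries in a log; other line types (O4, R0, ...) are ignored."""
    entries = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def reasons_to_research(entry):
    """Heuristic prompts, not a verdict (assumed criteria, not HijackThis rules):
    'Unknown owner' means HJT found no publisher for the service, and a service
    binary sitting directly in %WinDir% rather than under system32 or Program
    Files is unusual for a legitimate product. Either is a reason to look the
    file up before deciding what to do, never a reason to delete on its own."""
    reasons = []
    if entry.owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded")
    path = entry.path.strip().lower().replace("/", "\\")
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", path):
        reasons.append("binary directly in the Windows directory")
    return reasons


def review_services(log_text):
    """Map service short name -> list of reasons, for every O23 entry worth a closer look."""
    return {
        e.name: reasons_to_research(e)
        for e in parse_o23(log_text.splitlines())
        if reasons_to_research(e)
    }


if __name__ == "__main__":
    for name, reasons in review_services(HJT_LOG).items():
        print(f"{name}: research before fixing ({'; '.join(reasons)})")
```

On the constructed log this reports SvcProc (both reasons) and ExHelp (no publisher), and says nothing about ExampleUpd. A real review would then look the flagged file up and, if it is malicious, plan the removal of the file itself, not just the log entry.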
  3. Hello CCleaner people. I'm the author (or should I say 'retard'?) of the Webuser thread. First of all I'd like to point out that despite my apparent 'ignorance' of the program in question, I've been using CCleaner myself for nearly a year and I'm a firm favourite of its use. However, the warning to the Webuser readers (bearing in mind the site's members are generally novice users) was on the back of a discussion in a hidden Security Experts forum at Bleeping Computer (one of the net's foremost computer help sites). The issue was raised by several experts who know far more about computers than I ever will and whose opinion I take note of.

     My own background is strictly one of Security and malware removal, just to get that straight from the off. I'm not concerned with stripping computers down so they run at optimum performance like many of the forum mainstays here 'seem' to be, but merely the safe removal of viruses and spyware. When the issue of CCleaner was originally raised, I was as surprised as most but preferred to err on the side of caution. The Security Experts on both Webuser and Bleeping had been advocating CCleaner's use for a long time, but issues were being raised about certain aspects of the program (sorry, I cannot provide links). I trust the authors of the information I was reading and I don't believe they had an interest in any competitor's software.

     As I revealed at the start, my background is one of Security (not programming), so when acting as a Moderator of Security forums I believe I acted with my own readers' interests in mind. Registry cleaning tools should be treated with caution at all times regardless of the software title. Due to the issues I'd seen raised, I preferred to warn our novices until I was happy the issues were either ironed out and/or proved unfounded. As someone who has a direct impact on the well-being of malware victims' machines, I don't consider I posted without thought. I did after all request "regulars (ie computer literate) take extra care with which default options they retain".

     If the appropriate forum had been here I may well have done that, but from what I remember, the relevant soapbox was not present at the time (note the date of my original post please). A quick search on the CCleaner forum reveals only a few threads prior to my own warning. The first, in the Bug Reporting forum, was: Problem with registry (5/5/05), which received no replies. The other one I found was in the CCleaner Discussion forum: error with registry issues (27/4/05) <-- Unfortunately you won't be able to view this topic as it's been deleted.....

     Are Spybot and Ad-Aware backup logs useless? What happens when one of these programs makes a booboo and removes something it shouldn't have? Both are excellent, but accidents do happen. I don't believe CCleaner has any business deleting these log files (especially without specific instructions/reasons for doing so). I can't find any explanation about these on your forums....

     So my warning has some legitimacy in your own words, and in a perfect world users (even novices) would check every registry issue found (and understand it), but in reality that's not the case. If you think otherwise you're just kidding yourself. It's only when people run into problems that folk start to question the integrity of applications they know and trust. Hopefully my comments so far will go some way to helping you understand how this comment is a little unfounded. As I said previously, I'm not concerned with performance issues, just Security. Your comment here goes a long way to explaining our different angles in reading this issue. Granted some of the issues I raised may have nothing to do with CCleaner at the end of the day, but once again I point out that the relevant support forum wasn't available at the time of my original post.

     Nor has it on my own machine, but I felt I had a duty to others, as I suggested before, who may not have the contacts I do and wouldn't think to look at a program they know and trust as a 'possible' cause of system malfunctions. I apologise wholeheartedly for any offence 'finally' caused, but hope you understand my reasoning for the warning a few months ago even if it appears ill-founded to yourselves. When I unpinned the topic 6 weeks ago, I hoped it would disappear from the Google ranks, so I hope this thread doesn't resurrect the issue.

     =============================================

     Regarding the HJT logs posted on this site (and with all due respect to Tarun because he's had a go), don't be surprised if this user doesn't post back again due to his internet connection being destroyed after following your instructions..... And in this thread. If you want my help to clean the malware I will do so as a goodwill gesture. If you want to clean HJT logs I suggest you do so properly. Simply removing the entries with HJT does NOT fix the problem. Nail.exe requires a specific fix, not just Nailfix. I suggest you leave the HJT logs to the experts (or should that be 'retards'?).

     Peace.... HJM