A friend asked me to look at his computer (WIN XP Prof). SP2 is not
installed. A message appears saying that a process wishes to use his Default
IP connection and connect to one of the following:
morfline.Iwas2.net
www.wincustomize.com
irc.dal.net
www.w3.org
www.google.com
www.warez.com
www.msn.com
When connected to the net his computer appears to be sending large amounts
of data but I can't work out which program is sending. It is not possible to
use msconfig and avg cannot be opened. Both avg and msconfig appear briefly
on the screen and then the window disappears.
Any help appreciated.

Peter

Sounds like malware, perform the following and find out...

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt255.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinXP, create a new Restore point

* * * Please report back your results * * *

Dave




"Peter" <(E-Mail Removed)> wrote in message news:cnlspm$ni8$(E-Mail Removed)...
| A friend asked me to look at his computer (WIN XP Prof). SP2 is not
| installed. A message appears saying that a process wishes to use his Default
| IP connection and connect to one of the following:
| morfline.Iwas2.net
| www.wincustomize.com
| irc.dal.net
| www.w3.org
| www.google.com
| www.warez.com
| www.msn.com
| When connected to the net his computer appears to be sending large amounts
| of data but I can't work out which program is sending. It is not possible to
| use msconfig and avg cannot be opened. Both avg and msconfig appear briefly
| on the screen and then the window disappears.
| Any help appreciated.
|
| Peter
|
|

Peter wrote:

> When connected to the net his computer appears to be sending large
> amounts of data but I can't work out which program is sending.

Sounds to me like he is a zombie, sending spam via a trojanized SMTP
engine. In addition to the other recommendations, try:

A-Squared anti-trojan program: http://www.emsisoft.com/en/

--
-bts
-This space intentionally left blank.

David,
Thanks for the info. tried it out but, although some spyware removed, as
soon as the computer is connected to the net it starts sending. This
restricts bandwidth (dialup modem) and makes it impossible to download Zone
Alarm etc. Still unable to open AVG or run MSCONFIG. I tried to install SP2
but this does not appear to have installed properly. I have suggested he
returns his system to supplier and get XP reinstalled etc.

Many thanks for your help.

Peter