PhilliePhan 171 Central Scrutinizer Team Colleague

Well, I don't have any more scan logs. I just scanned with programs like AVG and Spyware Doctor. Most of them were found in System32 files. I'm sorry, I don't really know much about computers.

Please run MBA-M and DSS as per the linky below and post those logs for us and we'll go from there.

Read me before posting a request for assistance

Seeing as it's the weekend, it may take a bit longer to get a reply.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

But this was at least a couple of years ago, and the problem started only about two weeks ago!

Hi Ron,

Glad you were able to get it sorted out!

I used to have a much better link that provided for a number of contingencies, but that site seems to have gone belly-up. I think the issue (at the time) was traced back to a couple files and I would imagine MS has since dealt with the problem, but I could be wrong.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ron,

This issue is more common than you think.

http://blog.codefront.net/2006/03/19/how-to-fix-ie-always-opening-firefox-instead/

Let me know if you still have problems or are uncomfortable hacking the registry.
Otherwise, I trust you can mark this thread as Solved.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You will definitely need to get some scanlogs for us. You can put DSS and MBA-M from the linky below onto a USB drive or burn them to disk and transfer them to the ill compy that way.
You might want to download Firefox browser as well as the above and install it in the event that IE remains problematic.

-- Are you able to access Safe Mode with Networking on the ill computer?

Read me before posting a request for assistance

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Petrena,

There could be all sorts of different reasons why your computer is acting the way it is. For us to try to help, we'll need to see some logs. We can try to rule out malware as a cause of the problem and then go from there.

Can you do this for me:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Please post this scanlog for us.

Let me know if you have any trouble with this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If it still does not seem to work after running the program jholland has suggested, try turning off restore point; sometimes this can interfere with the scanning process as well.

No! That is not a good idea!

We prefer to have System Restore enabled. We operate under the assumption that "an infected Restore Point is better than none at all."

We instruct people to Flush System Restore AFTER the malware cleaning process is completed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Sterlingmaxx,

Looks like they have a few issues there.

Please run the steps listed in the linky below and submit the requested scanlogs:
Read me before posting a request for assistance

  • Please post the DSS extra.txt as an attachment to your post using the “Manage Attachments” button (scroll down when composing your post).
  • Hold off on posting the Uninstall List. The DSS extra.txt ought to suffice.

I or one of the other volunteers will be happy to help as time permits. I'm a bit over-extended at the moment, but will try to reply in a timely manner if nobody else jumps in.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I keep having the same prob. I had to reinstall Windows completely due to a worm 32 and lost everything. Now, even after running Ad-Aware and virus scan, I keep getting pop-ups from Ad-Aware services and spyware programs. I'm in safe mode now, the only way I can use the internet. I can open my home page, Google, but can't get to email or anything. Please help.

You should start your own thread to ease confusion.

--- It might be easiest to do another fresh install. Bear in mind that it is best to have your patches, AV, Firewall, Anti-spy apps in place BEFORE connecting to the Internet. I realize that the patches can be a bit difficult if you don't slipstream - but they should definitely be top priority.

If you'd rather hold off on the clean install, please run the MBA-M and DSS steps listed in the linky below and submit the requested scanlogs in your new thread:
Read me before posting a request for assistance

  • Please post the DSS extra.txt as an attachment to your post using the “Manage Attachments” button (scroll down when composing your post).
  • Hold off on posting the Uninstall List. The DSS extra.txt ought to suffice.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the late reply. I've been busy with work and haven't been able to check up on things much.

No Worries! We all have "real life" to attend to and that always comes before everything else ;)

C:\WINDOWS\system32\vi
C:\WINDOWS\system32\gI5
I checked them both and they appear to be empty. I'm not really sure what they are for and I don't want to delete them and find out that it's something that my computer needs.

Whatever makes you comfortable - doubt there is anything to worry about there. I trust you had the viewing of hidden files enabled when you looked at these?

Will keep an eye out for the new logs.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It....
Worked!!! :icon_cheesygrin:
Thank you very much! It means a lot to me!

You're Welcome!

If there are no more problems, please mark this thread as Solved and have a look at my linky below:

PROTECT YOURSELF FROM MALWARE: Tools & Tips


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm sorry.. I'm a bit confused.
Do I just run the MBA-M Log, as you said? Or do I do everything your link said and I'd have to install DSS and ATF Cleaner too, and others?
Sorry for this hassle :confused:

No worries :)

-- I figured you'd be OK just running MBA-M. If you'd like for me to take a more thorough look at your machine, you could go ahead and run DSS scan after completing my steps below and post the logs.


-- I do think that you should now run ATF-Cleaner.exe as directed in the previous linky. At the very least, it'll flush the Java cache. Good thing to do (in addition to updating Java) after being hit by Vundo.


For the DeskTop:

--- Please download the attached FixDsktop.zip and EXTRACT FixDsktop.reg from the ZIP to your Desktop.
-- DoubleClick on FixDsktop.reg and follow the prompt to ALLOW it to merge into the registry.

Reboot for good measure and let me know if that helps.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ichinisan23,

A few steps for you:

-- It looks like you are running multiple AV programs (McAfee & Norton). You need to completely Uninstall one of them to avoid problems.

-- Go and Update your Java here ---> http://www.java.com/en
--> Please note that, before updating your Sun Java, you MUST remove ALL older versions that may be on your machine or you will still be vulnerable to some exploits/weaknesses such as VUNDO which may target and force execution on older runtime environments.
-- Do this by going into Add or Remove Programs and removing any versions that differ from the current version listed at the Java site. They may look similar to the following:
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2


-- Please run MBA-M as directed in the linky below and submit the scanlog for me:
Read me before posting a request for assistance

-- Download PeekDsktop.bat to your DeskTop.
- DoubleClick it to run it.
- A log should pop up in notepad. Please post that for me along with the MBA-M Log.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I have started getting a pop up saying IE critical update needed etc. This is my work laptop and I am leaving for vacation in 2 days. I really need help finding the problems so I can complete my work before I leave. Any help is greatly appreciated!

Hi Laura,

1) Please Update your Java here ---> http://www.java.com/en

2) Please run the steps listed in the linky below and submit the requested scanlogs:
Read me before posting a request for assistance

  • Please post the DSS extra.txt as an attachment to your post using the “Manage Attachments” button (scroll down when composing your post).
  • Hold off on posting the Uninstall List. The DSS extra.txt ought to suffice.

Chances are that the MBA-M scan and cleaning will do the trick, but I'd like to see the logs afterward just to be thorough.


Aloha! :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Gort,

Looks like you still have a mess there. Lotsa Vundo and other baddies.

If you could do the following for me, I'll help you get cleaned up:

1) Go and Update your Java here ---> http://www.java.com/en
--> Please note that, before updating your Sun Java, you MUST remove ALL older versions that may be on your machine or you will still be vulnerable to some exploits/weaknesses such as VUNDO which may target and force execution on older runtime environments.
-- Do this by going into Add or Remove Programs and removing any versions that differ from the current version listed at the Java site. They may look similar to the following:
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2

2) Please follow the steps in the linky below to run combofix and post that log for me:

How To Use ComboFix


I'll try to check back Tuesday evening as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I dont know what
C:\WINDOWS\system32\vi
C:\WINDOWS\system32\gI5
are, any guesses?

No idea.... Not sure if they are gaming-related. What's in the folders?

I gave the logs a quick glance and they look much better now - How are things running?

Let's do a couple more things:

1) I've prepared another CFScript and attached it. Please use it to run combofix one more time and post me the log. I made a mistake with last one (nothing major) and I want to rectify that and do a few other things.

2) Go and install the latest Java from here ---> http://www.java.com/en


Let me know how everything shakes out. We'll still have a couple final cleanup steps (removing combofix properly, etc...) yet to do once all is deemed well with your compy.

I have a hectic long weekend coming up and may be away until Monday. One of the other volunteers may jump in.
Try to keep an eye out for that/those infected pen drives!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi slntassassin87,

You guys definitely have an infected USB Drive floating around. Be careful! Also, if you can track it/them down, you might try:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

-- Can you tell me what these two folders are? Do you recognize them?

C:\WINDOWS\system32\vi
C:\WINDOWS\system32\gI5


Your compy has definitely been compromised by information stealing malware. Some of it is specific to online gaming and designed to harvest passwords, etc...
I still think a reformat and clean install is the way to go.

However, if you want to give cleaning a try, please do the following:

1) Please Download HostsXpert and Extract it from the ZIP to its own folder
-- Run HostsXpert and Select Restore MS Hosts File and then Click OK
-- Close HostsXpert.
You might want to keep this handy tool for use in the future.

2) Please delete your copy of ComboFix and download a fresh one to your Desktop.
-- Download the attached file CFScript.txt and save it to your Desktop as well.
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix.
-- Let Combofix run as before and post me that log

3) Please Run ATF-Cleaner.exe again as per the "Read Me" instructions.

4) Please run ESET Online Scan again.
-- You will need to temporarily disable your current Anti-virus program.
-- This time, make sure that the option …

PhilliePhan 171 Central Scrutinizer Team Colleague

So how do you fix it ???

This malware has been around in various incarnations for a while now.

Anybody wanting help in this Forum should follow the steps in the linky below and then start their own thread. We're just going to ask you to do that anyway ;)

Read me before posting a request for assistance


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

As asked by Phillie here is the new thread with the ComboFix logs. I hope it helps:

Thanks - much better.

-- It is going to take me a while to go through the log. I will post the next bit this evening after work.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks.

I think it may turn out to be an issue on my end having to do with Firefox browser. I just don't have time to track it down and it happens so rarely. I just needed to see that Combofix log in its entirety to work up the next step.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Recently I downloaded this file that infected my computer with a virus/spyware.
Is there any way I can remove this virus/spyware?

Please run the steps listed in the linky below and submit the requested scanlogs:
Read me before posting a request for assistance

  • Please post the DSS extra.txt as an attachment to your post using the “Manage Attachments” button (scroll down when composing your post).
  • Hold off on posting the Uninstall List. The DSS extra.txt ought to suffice.

I or one of the other volunteers will be happy to help as time permits. I'm a bit over-extended at the moment, but will try to reply in a timely manner if nobody else jumps in.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Do you think I would be better off re-formatting C:\ and re-installing Windows? Also, is Vista worth the hassle?

No and No. :)

I did swap out the DVD Writer with another computer I have. Same issue.

It doesn't work in another computer either? If that is the case, flash the firmware and if that doesn't help, buy a new drive at newegg for $25.00. I recommend LiteOn or BenQ as they are excellent and can be had for a reasonable price.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm sitting here working on a computer that has been shown some SmitFraud, SpyAxe, and Vundo love . . .

I think it was a pretty safe assumption that it belonged to the previous malware.

You might be well advised to run the MBA-M and ESET scans in the linky below. I suggest the DSS as well to make sure you got everything......

Read me before posting a request for assistance

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Since then My DVD Burner is not working. It will not read/write DVD.

Could be an unhappy coincidence - the drive conks out at about the same time as malware issues occur.

-- I'd look closer at the drive. Have you tried removing it and re-installing it in Device Manager? Does your compy recognize the drive? What about a driver issue?

At quick glance, HJT looks OK to me.

C:\DOCUME~1\Mike\LOCALS~1\Temp\RtkBtMnt.EXE ---> Not sure if this affects your situation. Probably not.

O4 - Startup: PowerReg Scheduler V3.exe --> This can be removed. Nothing major.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

maybe somebody else here knows what the heck it is.
Hope it's not something new and exciting for me to have to fix.

That's a funny one :D

I suggest you upload it for analysis at one or both of the below links:

http://www.virustotal.com/

http://virusscan.jotti.org/

Post the results - I'm sure we'd all like to see what, if anything, the scans find.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi slntassassin87,

There is still a bunch left to remove, but I am having trouble viewing this thread. Can you see all the posts OK?
I can only see them when I click the "reply" button and then some of the combofix log entries are cut off.

Could you please start a new thread and then run ComboFix again and post the log. I should be able to see that and give you the next steps ( a script for combofix to remove additional baddies).

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . That's a mess! You are probably right to suspect a bad pen drive, but that was probably only a small contributor.
Frankly, in cases such as this, a reformat and clean install is easier than trying to remove the mess since things might never get back to "normal." However, if you want to try, we can give it a go - just continue with the step below:

Please follow the steps in the linky below to run combofix and post that log for me:

How To Use ComboFix


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

What problems do you see....I am not very program or Windows savvy. I just know the basics...

You have a bit of a mess.

Follow the steps in the link below and post the requested logs. I - or one of the other volunteers - will be happy to assist you as time permits.

Read me before posting a request for assistance

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The best procedure would be to follow the steps in the linky below:

Read me before posting a request for assistance

If MBA-M doesn't get it and the ESET scan doesn't see it, then most users should rely on a knowledgeable volunteer to guide them through the usage of SDfix/Combofix/Smitfraudfix as needed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Lordy! Didn't even look at the original date!

Nice one, Judy! :D

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi stereotypical,

I do not see anything in your HJT log.

Lotsa causes for slow computer besides malware. Could be a heat issue. Could need a defrag. Any number of things.....

Help! My computer is slow!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Just wanted to pop in and have a quick look since I'll be gone for the rest of the weekend.

-- Nothing particularly evil jumps out at me there. Though I didn't ask for the log, I trust the ESET scan was uneventful?

-- Uninstall this older Java ---> Java(TM) 6 Update 6 and then run ATF Cleaner to flush the Java cache.

-- I think the AVG/McAfee running at same time contributes to symptoms.


Also, if you want to address the following:
-- Application Event Log -------------------------------------------------------
Event Record #/Type21280 / Warning
Event Submitted/Written: 07/19/2008 01:55:48 PM

then see this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I know there has to be a blaster virus because my internet sessions take a while to boot up after I got the 2wire notification.

I went to a basketball site and some window popped up and said I wasn't protected and needed to do some update. Like an idiot I clicked OK, not thinking it should have come from Microsoft; that's why I am trying to clean this out.

I haven't seen a case of blaster in years - I doubt you have it as you have SP3. You ought to be pretty well patched against this type of threat.

-- Your slowdown is more likely due to running both AVG and McAfee at the same time. You should remove one to avoid conflict.

I suggest you run the steps listed in the linky below:
Read me before posting a request for assistance

Please post only these two logs:
-- MBA-M
-- DSS

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks PP,
It worked very well (it didn't run first, so I entered the cmd and found it there).
I scanned with spyware doctor+avg and they both showed clean results.
Thank you very much
:)

You're welcome!
Glad things are back to normal.

-- Your Java is a tad out of date. It is a good idea to keep an eye on that - keep it updated and remove all older versions to prevent problems with malware such as Vundo that exploit older versions.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It's worked perfectly, thank you all for all your help.

You're Welcome! Happy to Help :)

Please mark this thread as Solved and have a look at my "Protect Yourself From Malware" linky below for additional safeguards and advice.

Cheers,
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Tsahima,

The easiest way to continue will be to do this:

-- Copy mbr.exe to your C:\Windows Folder

Then, Click START > RUN > type or copy&paste mbr.exe -f and hit ENTER
(note that there is a space between mbr.exe and -f)


That ought to do the trick. You should run your scans again (including mbr.exe as before) and let us know how things are looking.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I still post the logs?

Yes - That would be a good idea. There will very likely be remnants that we need to address.
Also, there are a few other issues such as getting your Java updated and removing the older versions, etc.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I've got this virus, and AVG cannot remove it.

You have a Password/Information stealer.

Can you run http://www2.gmer.net/mbr/mbr.exe and let us know the results?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

The link doesn't seem to work; it comes up with "page not found".
Is there any other way of getting it? I tried Google searching it and it came back with nothing.

That's odd - I bet the site was down. Sure wouldn't be the first time!

I will attach the fix to this post. It is something I put together specifically for your machine, though there are probably thousands of similar "fixes" floating around the web due to these malware . . .

Just EXTRACT FixDesktop.reg from the ZIP to your Desktop and then follow the instructions from my previous post - Let me know if it helps.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You have a few malware issues showing there.

I am a bit overextended both with work and with users who may or may not respond in other forums, so I may not be able to get back to you in a timely manner.

I suggest you run the steps I outline here ---> http://forum.networktechs.com/showthread.php?t=49 and post the requested logs.

Best luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for your help.

Happy to try to help!

Wow . . . doesn't that seem a bit much for a simple desktop? LOL!

Been a while since I looked at this type of problem and I don't remember so much "clutter."

Anyhoo, let's try this:

-- First, fire up System Restore and Create a New Restore Point

-- Then, please download FixDsktop.reg to your Desktop.
DoubleClick on it and follow the prompt to ALLOW it to merge into the registry.

Reboot for good measure and let me know if that helps.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any ideas / starting points?

He's got a bunch of malware showing. . . .

Have him run the steps in my linky here ---> PhilliePhan's Malware Cleaning Steps

Please post the FOUR requested logs and we'll go from there. I'll try to check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I own a vaio laptop, roughly five years old. Am I problem and virus free?

Looks OK to me. 'Course, a HJT log alone is insufficient to make a proper determination.

It does show a few minor cleanup issues. And your Java is a tad out of date.

I'd uninstall Viewpoint and fix the following with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- Update your Java as per my "Protect Yourself" linky below!

Cheers :)
PP
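A small triage script for HijackThis (HJT) logs like the one in the post above, written as an added example here (it is not the author's code nor part of any HJT tool). The sample log is constructed from the entries quoted in that post plus one O4 startup line; the "unwanted vendor" list is an assumption supplied by the caller, and the script only reports, it changes nothing on the machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the HJT entries quoted in the post above, plus an O4
# startup line. CLSIDs and paths are exactly as shown in that log.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O2 - BHO: ...", "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str            # "R0", "O2", "O3", "O8", "O23", "O4", ...
    body: str               # everything after "<section> - "
    clsid: Optional[str]    # normalised (upper-case) CLSID, if the entry has one

    @property
    def orphan(self) -> bool:
        """Registry entry whose target file is gone: HJT prints '(no file)'."""
        return self.body.rstrip().endswith("(no file)")

    @property
    def empty_value(self) -> bool:
        """R0/R1 browser settings left blank, e.g. 'Local Page ='."""
        return self.section.startswith("R") and self.body.rstrip().endswith("=")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the entry lines of an HJT log; headers and chatter are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        clsid = CLSID_RE.search(m.group("body"))
        entries.append(HjtEntry(m.group("section"), m.group("body"),
                                clsid.group(0).upper() if clsid else None))
    return entries


def triage(text: str, unwanted_vendors: Tuple[str, ...] = ()) -> List[Tuple[HjtEntry, str]]:
    """Return (entry, reason) pairs worth fixing: orphaned entries, blank
    browser settings, and anything mentioning a vendor the caller wants gone.
    Nothing else is flagged; a human still decides what to do with the list."""
    flagged: List[Tuple[HjtEntry, str]] = []
    for e in parse_hjt(text):
        if e.orphan:
            flagged.append((e, "orphan"))
        elif e.empty_value:
            flagged.append((e, "empty"))
        else:
            for vendor in unwanted_vendors:
                if vendor.lower() in e.body.lower():
                    flagged.append((e, f"vendor:{vendor}"))
                    break
    return flagged


if __name__ == "__main__":
    # Vendor list is an assumption for this example; adjust to the case at hand.
    for entry, reason in triage(SAMPLE_HJT_LOG, ("Viewpoint",)):
        print(f"[{reason:>16}] {entry.section} - {entry.body}")
```

Run on the sample, it lists nine entries to fix (five orphans, one blank Local Page, three Viewpoint items) and leaves the O4 line alone, which matches the fix list in the post.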

PhilliePhan 171 Central Scrutinizer Team Colleague

Doesn't Deckards call up hijackthis from your pc anyway?

Yes - it will install the latest version of HJT :)

My picture has now come back on the desktop but I am still unable to browse (shaded grey) or choose any of the existing wallpapers. . . . Any ideas?

Sounds like more registry keys were borked than what MBA-M found.
Let's have a look.

-- Please Download PeekDsktop.bat to your Desktop.
-- DoubleClick on it to run it.
-- Notepad should pop up with a log -- > peek.txt
-- Copy&Paste peek.txt into this thread for me please.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

What type of virus does this and how can I remove it?

Not necessarily a virus or even malware.... Though there is plenty of malware that do what you describe.
I suggest following the steps in my "Malware Cleaning" linky below. They should give you an idea what you are dealing with.

is there another way to get to the system restore function without using the conventional path?

Click START > RUN > type CMD and then type or copy&paste C:\windows\system32\restore\rstrui.exe and hit enter. If that doesn't work, chances are that something has altered your registry which is preventing this from running.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan, you need to update your hijackthis link :).

Thanks, Crunchie :)

I know - been meaning to do it for a long time. For some reason, I've not cared for the Trend version.... LOL!
It would probably be better to just go ahead and go with Deckard's System Scanner instead.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, thanks for offering to help. I really appreciate it. I would be grateful for any information on how to remove this virus.

Happy to help!

It looks like the actual malware is gone. I think you and AVG got it.
MBA-M has dealt with the altered registry key that was keeping you from changing your desktop.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Are you able to change the desktop now?



Everything else looks OK to me, save for a couple things:

1) Looks like you are running both AVG and Norton Anti-virus at the same time. Not a good idea as they can come into conflict and interfere with each other. This will both slow your machine and make you less safe! You should choose one and uninstall the other.

2) Then, go into Add/Remove Programs and Uninstall Java(TM) 6 Update 6. Then, run ATF-Cleaner again (from the malware cleaning steps) to flush the Java cache, among other things.
Then, go here ---> http://www.java.com/en/ and install the latest version of Java.
Your current version is barely out of date, but it is a good idea to keep on top of this because some baddies such as Vundo target and exploit weaknesses in Java and are able to force execution on older runtime environments. (That is why you must remove all older versions when installing …

PhilliePhan 171 Central Scrutinizer Team Colleague

Can anyone help??

I'd be happy to help as time permits :)

Please follow the steps in my linky below and post the 4 requested logs for me and we'll go from there.

PP's Malware Cleaning Steps

At the very least, I'll need to see the MBA-M and HJT logs.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

After 3 days going through this thing I was finally able to straighten out the mess completely. Thank you.

You're welcome!
Happy to hear all is well and you did not have to take more drastic measures (the satisfaction of the "sledgehammer method" notwithstanding).

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am very frustrated and feel like throwing my laptop at the wall and replacing it with a Mac.

The "sledgehammer option" can be very cathartic! ;)

-- Without sitting in front of the machine and having gone through all of the steps you have, it is difficult for me to advise you.... Frankly, at this point it might be easier to back up your important data and do a clean install.
Also, you might look at this: XP's No-Reformat, Nondestructive Total-Rebuild Option

-- Did you try "your uninstaller" to remove Firefox, etc...? What about making sure IE is set as your "default browser"?

These might help with the latest issues:
http://download.microsoft.com/download/e/9/d/e9d80355-7ab4-45b8-80e8-983a48d5e1bd/msicuu2.exe
http://support.microsoft.com/kb/328162
http://support.microsoft.com/kb/290301


Sorry I can't be of more assistance!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried to use a registry cleaner program and it removes it.

That will work too . . . . For the orphaned run keys of removed malware.

I still suggest running MBA-M just in case there is active malware remaining on your compy.

Best :)
PP