PhilliePhan 171 Central Scrutinizer Team Colleague

Everything seems to be normal once again. Thank You So Much for all your help in getting rid of this nasty booger. Here are the 3 logs you've requested and I hope you can come back here and give me the thumbs up!

Happy to help! There are still a couple steps left to do, but it is waaay late in my neck of the woods, so I may not be able to post them until tomorrow.

This is very similar to a thread I worked in another forum. I had thought somebody manually installed the spyware on her computer, but now that I see it again, it looks like this is being done remotely. As yet, I am not sure what to make of this - many of the downloaded malware files are the same, including these:
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\unsetup.exe
C:\WINNT\system32\acespy\systune.exe
C:\WINNT\system32\acespy\__acelog.ndx etc.......

These are commercial keyloggers/spyware. We can only assume that your computer was compromised. If you do online banking, shopping etc...., you might want to change passwords and notify your bank that your accounts may have been compromised. Do this from a clean computer or by phone.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062111-2932-99&tabid=2

At this point, I'm not certain what the damage is - better safe than sorry!

-- Also, please DELETE your copy of ComboFix. When I post back with further steps, we'll need to download a fresh copy and place it on the DESKTOP.

Anyhoo, I've got to get …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Vegasgal,

You have a few malware issues showing in the log. Let's start by running two tools:

Please download Malwarebytes' Anti-Malware (MBA-M) to your desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix …
PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, I did locate and remove C:\WINDOWS\system32\drmgs.sys and also uninstalled ComboFix. Things seem to be okay now.
Thanks for all your help & time, it's appreciated.
Rob.

You're Welcome :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You ought to be able to delete this folder manually: C:\programfiles\INSTARFINK
-- Then, run ATF Cleaner again.


I still see AVG7 and Norton present. You should select the one you want to keep and remove the other. Multiple AV apps often come into conflict with each other which can both slow performance and hinder their ability to protect you.
-- Also, please note that Norton can be extremely difficult to remove and if you choose to uninstall it you may need to visit the Norton site for special tools and instructions.


* I will be away from the computer over the weekend. Will check back on Monday!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Those logs show clean - how are things running now?

** Were you able to locate C:\WINDOWS\system32\drmgs.sys? Let me know.


Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

I strongly suggest you keep a close eye on things in the near future (actually you ought to always ;) ) - as I mentioned, I have seen this baddie accompanied by rootkit-type components and those are always worrisome.... Plus, your infection put up more of a fight than I expected it to which makes me wonder if there is more to it.

-- Do the ESET Online Scan weekly for at least a month.

-- Also, have a look at my "Protect Yourself" linky below and definitely install Spyware Blaster and keep it updated!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi; followed the instructions to remove Routing Service (Routing) but it reads 'the service routing is enabled and/or running. Disable it first'. I can't find it to disable it. Probably an easy solution, any ideas?

That shouldn't be running now - that is odd.

Click START > RUN > Type services.msc > ENTER
Find the EXACT Routing Service (Routing)
-- DoubleClick on it and make sure Path to executable reads: C:\WINDOWS\system32\routing.exe
-- Under Service status, if it says "Started", click the "Stop" button
-- Just above that, where it says "Startup type:", select Disabled and click OK

Then try to remove it with HJT as I posted before. If there are any similarly named "routing" services make sure you target the exact one above.

I do not know why this is being so stubborn. If this fails, let me know if you're up for running my little batch scan tool. No guarantees that it will remove it either and it is definitely a "run at your own risk" proposition (I've run it on my XP box a gazillion times with no problems - 'course I change it a bit each time ;) ).

PP
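The services.msc steps above, as an added PowerShell example (not code from the post): it looks up the service by its exact short name, shows the same "Path to executable" field, and only stops and disables it when that path matches. The name 'Routing' and the path C:\WINDOWS\system32\routing.exe are the values quoted in the post; anything else is a placeholder to change for a different remnant.

```powershell
# Added example, not code from the forum post: inspect a service by its exact
# short name, confirm its "Path to executable", then stop it and set it to
# Disabled. This mirrors the services.msc steps above. 'Routing' and
# C:\WINDOWS\system32\routing.exe are the values quoted in the post; change
# them for a different remnant. Run from an elevated PowerShell prompt.

param(
    [string]$ServiceName  = 'Routing',                          # short name, as in the post
    [string]$ExpectedPath = 'C:\WINDOWS\system32\routing.exe'   # path quoted in the post
)

# Win32_Service exposes PathName (the "Path to executable" field in services.msc),
# StartMode and State; Get-Service alone does not show the binary path.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"

if (-not $svc) {
    Write-Host "No service named exactly '$ServiceName' was found. Similarly named services:"
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.Name -like "*$ServiceName*" -or $_.DisplayName -like "*$ServiceName*" } |
        Select-Object Name, DisplayName, PathName, State, StartMode |
        Format-Table -AutoSize
    return
}

Write-Host "Name:        $($svc.Name)"
Write-Host "DisplayName: $($svc.DisplayName)"
Write-Host "Path:        $($svc.PathName)"
Write-Host "State:       $($svc.State)   StartMode: $($svc.StartMode)"

# Only act when the executable path is the one we expect; a legitimate service
# that merely shares the word "routing" in its name is left alone.
$actualPath = ([string]$svc.PathName).Trim('"')
if ($actualPath -ne $ExpectedPath) {
    Write-Host "Path differs from '$ExpectedPath' - leaving this service untouched."
    return
}

if ($svc.State -eq 'Running') {
    $rc = $svc.StopService().ReturnValue            # 0 = success; other codes are documented for Win32_Service
    Write-Host "StopService returned $rc"
}

$rc = $svc.ChangeStartMode('Disabled').ReturnValue  # 0 = success
Write-Host "ChangeStartMode('Disabled') returned $rc"

# Re-read so the result is confirmed before moving on to removing the service itself.
Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```

Once the re-read shows State Stopped and StartMode Disabled, the "Delete an NT service" step in HijackThis no longer hits the "enabled and/or running" error. If StopService returns a non-zero code, the service is probably protected by something still running, which is itself worth noting in the next log.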

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello PP, here are the new logs you needed:
HJT log. Thank you.

You're welcome :)

-- Things are looking better, but that Routing Service remains as a remnant in the registry. Let's do this to remove it:
Run HijackThis and open the Misc Tools section and select Delete an NT service and follow the instructions to enter and remove Routing Service (Routing)

-- Are you able to navigate to and DELETE C:\WINDOWS\system32\drmgs.sys?
It is important that we make sure this is gone.

I kinda miss the days when we ripped these baddies out manually - Tools such as ComboFix are a Godsend to over-worked and under-staffed forums, but I still prefer a more "hands on" approach. But I digress from the task at hand . . . LOL!

ALSO:
Please run http://www.eset.com/onlinescan/
-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.
I would also like to see a fresh HJT Log from after all of the above has been completed.


Hopefully that will do the trick. If not, we'll try something else. I have added this baddie to a batch …

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot for your help so far PhilliePhan. My computer now seems a lot quicker.

Happy to try to help :)

Programs such as Firefox and Windows Messenger are no longer able to access the internet.

I was worried about connectivity problems when removing msvrl.dll, hence the use of LSPFix. If you want, you can try running LSPFix again and just click the "Finish" button. But, I doubt this is the problem.
-- I do not even see Firefox installed on this machine. You probably need to re-install it properly.

I know this seems like a firewall problem but i have tried turning both my firewalls off and the problem has still persisted.

How many firewalls are you running? You should run only ONE software firewall. Running a software firewall along with a hardware firewall is OK.

-- I see that you have just installed AVG Anti-virus along with the existing Norton. This is a bad idea and could very well cause major conflict issues. You need to UNINSTALL one of them! It would be best to wait until we finish before adding any new software. Even Firefox as noted above.

Also on Internet Explorer I am unable to view secure sites. Neither of these were an issue before. Thanks again for your help.

IE7 is a PITA with regard to its Security Settings. The problem may lie there, though it is more likely to be with the 2 anti-virus apps....

-- Also, you need …

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks, guys!

I will try booting up in safe mode when I get home tonight and see what happens. I will also try Firefox

You're welcome!

Let us know how the above shakes out - Firefox can be put on a flash drive/disk and installed that way.
This part of the diagnostic process involves a bit of trial and error - much easier if one of us were sitting in front of the computer.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, it is a legit copy of Windows. When I try to run the validation process an error message comes up saying "script error". The article on the Microsoft website has been removed, which doesn't help much.

I am not sure I can help much with validation issues - that process is still fairly new. I doubt I could tell you any more than what is in the Microsoft Knowledge Base. If I am not mistaken, I do think there is a fix if you can provide them the key.

As far as cleaning the compy goes....

Let’s continue on by doing the following:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe

-- Let Combofix run as before and post me that log.

THEN:
Download ATF-Cleaner.exe by Atribune to your Desktop.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK > EXIT


NEXT:
Open Hijackthis.
Click the Open the Misc Tools section Button.
Click the Open Uninstall Manager Button.
Click the Save list... Button.
Save that list to your desktop and submit that for me.

LASTLY:
Run …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi digital11,

Let's try this one more time - I hate to say it, but I missed one. This particular infection often has some rootkit-type stealthing attributes that try to hide its components. I wish I could say I missed a hidden one, but that's not the case... LOL!

Anyhoo, I'd like to do one more CFScript. I changed it a bit and it should get the remaining baddies. In addition, I'd like to look for a couple associated baddies that have not shown themselves.


-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Please Download this updated CFScript to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.
-- I'd also like to see a fresh HijackThis Log from after this CFScript step.

With any luck, that ought to do the trick!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

@ PhilliePhan I suspect my toes will be fine, I have small feet :icon_lol:

Good to know! :)

Here is the log in its entirety:

Pinging www.1.google.com [64.233.167.99] with 32 bytes of data:
Reply from 64.233.167.99: bytes=32 time=16ms TTL=245
Ping statistics for 64.233.167.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Hi Rachel,

That looks OK.
We are leaning toward this being an issue with IE security settings/firewall setting or Norton.
-- Can you remember making any changes to the compy around the time the problem started? Like, say . . . Updating Norton AV?

-- Have you tried an alternate browser such as Firefox? You might want to try that and see if you have the same problem.

-- And, of course, see if you can connect in Safe Mode as per MoralTerror's post.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PP;
Here's the combofix log:
I appreciate the help.

Happy to try to help :)

-- You should uninstall Limewire


Then, let's give this a go, shall we?

-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.

And, I guess we'll go from there....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

'Fixed checked' in safe mode here's the log:
As you can see it's still showing up.

HijackThis is more a diagnostic tool than a "fixer" program.
It does not attempt to delete any actual malware files (except for those associated with O2 BHO entries). At its core, it is a powerful registry editor.
The "fixes" you are attempting are incomplete and probably being thwarted by SpyBotSD's Tea Timer feature.

FIRST:
Disable SpybotSD's Tea Timer. Do that now.

THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

Please post that log for us along with a fresh HJT. Let us know if you run into any difficulty.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot for the help. As you can probably tell I don't use this comp very much and the problems have just accumulated. The problem with Internet Explorer seems to be resolved, however I now have a message popping up before I log in saying that my version of Windows is not genuine. Any help would again be appreciated.

Do you have a valid product key for Windows? There are ways to deal with the nag screens, but I doubt forum policy would let me post them....

There remains some malware to be removed, but I'd like to hear from you that your Copy of Windows is legit or that you bought your computer with that assumption before continuing.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

EDIT PP: Looks like MoralTerror beat me to the punch. You guys can ignore this post if you like. I'll leave it up in the event you want to try my suggestion.

I downloaded the program you recommended, and unfortunately it did not restore my internet connection.
I greatly appreciate all the help I've been getting here at this website, but I'm starting to feel like I might just be wasting your time. If we keep trying different things and nothing works, I'll feel terrible about wasting all of your time and effort on this deadend project.

No worries there! I am happy to volunteer my free time to help you.
-- My main concern is that I don't step on MoralTerror's toes any more than I already have. Too many cooks spoil the broth, as they say....

I will say that your connectivity problems may not be due to malware and that there are a few more things we can try, if you are up to it. Obviously, it can be a hassle to work with no Internet available for the ill compy....
Here is a diagnostic step that might help isolate the problem:

-- Type the following bold text into Notepad exactly as it is written and save it to the Desktop as TEST.bat. Or, you could copy&paste into Notepad, save as directed, and then transfer Test.bat to the ill compy.

if exist %systemdrive%\look.txt del %systemdrive%\look.txt
ping www.google.com

PhilliePhan 171 Central Scrutinizer Team Colleague

No, I don't think it's vundo. I looked that up, and those aren't the symptoms.

Vundo has a very large extended family, LOL! :)
http://www.castlecops.com/tk42325-random_filename.html
No worries - ComboFix ought to remove it.
I'm not sure what that other one is ( C:\WINDOWS\system32\nod32se.exe ) or if it is related to the above - guess we'll find out. If you like, you can submit them both at www.virustotal.com for analysis...

Also, for anti-virus, I use Spyware doctor: with anti-virus, but I guess it just appears as spywaredoctor.exe in the log, but thanks.

My mistake - sorry! I should have taken a closer look.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

-- Try that and then wait for further steps.

I probably should have added for you to let us know if that restored your Internet connectivity or if we need to try something else... Did that do the trick?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Every time I open Internet Explorer the program crashes as it starts. The program shows as not responding and in Task Manager the program is running twice. I wonder if anyone could help me out. Thanks in advance.

Hi craiggale,

You have a boatload of malware showing there, much of which I have not seen on a regular basis for a few years. Let's go ahead and do this to get started:

FIRST -
Please Download this tool: http://www.cexx.org/lspfix.zip and extract the LSPFix folder to your Desktop.
--Please run LSPFix
- Check the Box labeled "I know what I'm doing" and then click on the msvrl.dll file (in the “Keep” section) to select it.
- Then, Select the >> button to move msvrl.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.
I'd like to do this first to try to avoid the connectivity problems that occur when we rip malware from the LSP stack....
Note that ComboFix will also address this issue as well, but I'd prefer to use LSPFix for this step.


NEXT, let's go ahead and do the following:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect …
PhilliePhan 171 Central Scrutinizer Team Colleague

When I typed "netsh winsock reset" in the window, this was the response I got:

The following helper DLL cannot be loaded: FWCFG.DLL

The following command was not found: winsock reset

This is because you do not have SP2 installed yet.

However, as MoralTerror mentioned, you MUST NOT install SP2 until you are given the "all clean..."

So, I would suggest that you Download and run the following:
http://www.spychecker.com/program/winsockxpfix.html

You can put it on Disc/Floppy/Flash Drive - whatever you have to get it to the ill computer....

-- Try that and then wait for further steps.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you are able to stop the machine from rebooting, you ought to be able to get more info on the nature of the problem.

RightClick My Computer > Properties > Advanced > Startup & Recovery and look under "System Failure" and UNCHECK the box to "Automatically Restart."
Be sure any other boxes pertaining to the writing of the reports are checked.

The next time the problem occurs you will get the BSOD - but there ought to be a message and an error code that you can research.

Best Luck :)
PP
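The Startup and Recovery change above, as an added PowerShell example (not code from the post): the "Automatically restart" checkbox is the AutoReboot value under the CrashControl registry key, and the dump and event-log settings beside it are what let you read the error code afterwards. Registry paths and value names are the standard Windows ones; the minidump folder default is an assumption only used when the value is missing.

```powershell
# Added example, not code from the forum post: the "Automatically restart"
# checkbox under Startup and Recovery is the AutoReboot value in the CrashControl
# key. Clearing it keeps the STOP screen on the display; the other values make
# sure a minidump and a System-log event are still written, so the error code
# can be looked up afterwards. Run from an elevated PowerShell prompt.

$CrashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashSettings {
    $p = Get-ItemProperty -Path $CrashKey
    New-Object PSObject -Property @{
        AutoReboot       = $p.AutoReboot        # 1 = reboot right after a STOP error, 0 = stay on the blue screen
        CrashDumpEnabled = $p.CrashDumpEnabled  # 0 none, 1 complete, 2 kernel, 3 small (minidump), 7 automatic
        LogEvent         = $p.LogEvent          # 1 = record the bugcheck in the System event log
        MinidumpDir      = $p.MinidumpDir       # where small dumps land, normally %SystemRoot%\Minidump
    }
}

function Disable-AutoRestartOnCrash {
    Set-ItemProperty -Path $CrashKey -Name AutoReboot -Value 0 -Type DWord
    Set-ItemProperty -Path $CrashKey -Name LogEvent   -Value 1 -Type DWord
    # Keep whatever dump type is configured unless dumps are switched off entirely
    if ((Get-ItemProperty -Path $CrashKey).CrashDumpEnabled -eq 0) {
        Set-ItemProperty -Path $CrashKey -Name CrashDumpEnabled -Value 3 -Type DWord
    }
    Get-CrashSettings
}

function Get-RecentMinidumps {
    # After the next crash, the newest .dmp here holds the bugcheck code and the faulting driver
    $raw = (Get-CrashSettings).MinidumpDir
    if (-not $raw) { $raw = '%SystemRoot%\Minidump' }   # assumed default when the value is absent
    $dir = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter *.dmp | Sort-Object LastWriteTime -Descending |
            Select-Object Name, LastWriteTime, Length
    }
}

'Before:'; Get-CrashSettings | Format-List AutoReboot, CrashDumpEnabled, LogEvent, MinidumpDir
'After:';  Disable-AutoRestartOnCrash | Format-List AutoReboot, CrashDumpEnabled, LogEvent, MinidumpDir
'Existing minidumps:'; Get-RecentMinidumps | Format-Table -AutoSize
```

The change takes effect at the next crash without a reboot. The STOP code shown on screen, the Event ID 1001 entry in the System log and the newest minidump all carry the same bugcheck code and, usually, the driver name, which is what you then research.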

PhilliePhan 171 Central Scrutinizer Team Colleague

if it is normal, then it means that there is a different sort of redirect at work.

Looks like Vundo.

O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\opnnoml.dll
O20 - Winlogon Notify: opnnoml - C:\WINDOWS\SYSTEM32\opnnoml.dll

C:\WINDOWS\system32\nod32se.exe looks like a baddie too.

-- Also, I do not see any Resident Anti-virus program running - bad idea. Have a look at my "Protect Yourself" linky below to remedy this!
- While you are there, note that your Java is a tad out of date - update it as per my linky. You MUST first go into Add/Remove programs and remove ALL older versions. That will help keep future Vundo infections at bay.
- While you are in ADD/Remove, uninstall C:\Program Files\Viewpoint. It's not a real baddie. Just Foistware. If you prefer to keep it, that's your call....


THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix has …
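The two HijackThis lines quoted above (an O2 BHO with "(no name)" and an O20 Winlogon Notify entry pointing at the same DLL) can be pulled straight from the registry. The following is an added PowerShell example, not code from the post or from HijackThis; it reads the standard BHO and Winlogon\Notify locations, resolves each DLL, and flags entries with no friendly name, a missing file, or no valid Authenticode signature. It modifies nothing.

```powershell
# Added example, not code from the forum post: read the two HijackThis categories
# quoted above - O2 Browser Helper Objects and O20 Winlogon Notify entries -
# directly from the registry and flag the ones worth a closer look. The registry
# paths and value names are the standard ones; nothing is modified. Flags raised:
# the CLSID has no friendly name (what HJT prints as "(no name)"), the DLL is
# missing on disk, or the DLL carries no valid Authenticode signature.

function Get-BhoEntries {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -Path $bhoKey)) { return }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName                                   # e.g. {23D44BCF-AA7A-41D6-8905-E808F16322EF}
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        New-Object PSObject -Property @{
            Type = 'O2 BHO'
            Name = $(if ($name) { $name } else { '(no name)' })
            Dll  = $dll
        }
    }
}

function Get-WinlogonNotifyEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -Path $key)) { return }                    # key is absent on Vista and later
    Get-ChildItem -Path $key | ForEach-Object {
        New-Object PSObject -Property @{
            Type = 'O20 Winlogon Notify'
            Name = $_.PSChildName
            Dll  = (Get-ItemProperty -Path $_.PSPath).DLLName    # bare name (loaded from system32) or a full path
        }
    }
}

function Add-SuspicionFlags {
    param($Entry)
    $reasons = @()
    if ($Entry.Name -eq '(no name)') { $reasons += 'no friendly name' }
    if (-not $Entry.Dll) {
        $reasons += 'no DLL path'
    } else {
        # A bare DLLName is loaded from system32, so resolve it the way Winlogon would
        $path = [Environment]::ExpandEnvironmentVariables(([string]$Entry.Dll).Trim('"'))
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:windir "system32\$path" }
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'DLL missing on disk'
        } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
            $reasons += 'no valid Authenticode signature'
        }
    }
    $Entry | Add-Member -MemberType NoteProperty -Name Flags -Value ($reasons -join '; ') -PassThru
}

@(Get-BhoEntries) + @(Get-WinlogonNotifyEntries) |
    ForEach-Object { Add-SuspicionFlags $_ } |
    Sort-Object Type, Name |
    Format-Table Type, Name, Dll, Flags -AutoSize
```

One caveat for reading the output: on XP and Windows 7 most Microsoft system DLLs are signed through catalog files only, so Get-AuthenticodeSignature reports NotSigned for the legitimate Notify entries (crypt32.dll, cscdll.dll and friends). Treat the signature flag as a prompt to check the file, for instance at VirusTotal as the post suggests, rather than as a verdict. The combination the two quoted lines show, a BHO with no name, a random-looking DLL in system32 and no signature, is what the table is meant to surface.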
PhilliePhan 171 Central Scrutinizer Team Colleague

EDIT PP:
Removed original post - Crunchie beat me to it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Booman here again, I also have a blinking red shield icon that blinks with a white "X" then a blue "?". It's some type of spyware remover. Can't seem to get rid of that either. Very annoying to say the least. Thanks.

Hello Booman,

Please have a look at my linky here--> PhilliePhan's Malware Cleaning Steps for instructions on how to run HijackThis. Note that I do link a slightly older version of HJT, but it does the job just fine. Be sure to RENAME hijackthis.exe as I describe in the post.

-- Please obtain the HJT Log (if you want to update to Trend Micro's version of HJT, that's cool) and also do the ESET Online Scan step and obtain that scanlog.

-- Please post those logs in this thread and I or one of the other volunteers would be happy to help you as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I still disagree, that article was written way back in 2005.

Microsoft, 2007: [ http://support.microsoft.com/kb/263455 ] F-Protect 2007: Turn Off System Restore.

You say this and then link to an article written for Windows ME....

I won't argue with you - on an open board such as this one, everybody is entitled to their opinion and I'll respect yours.

So if you clean your PC whilst infected, as soon as an infected system file is deleted, its restored, in its infected glory.

Only if you restore it. I DO advocate flushing the restore points after cleaning.

No matter what Anti-Virus program you use, it will not clean anything from the System Restore folder.

This is true, but if you look in the majority of Security Forums, you'll not see these tools in use. Rather, you'll see tools such as ComboFix and SDFix (which are more up-to-date and effective). And, most of these tools attempt to set a Restore Point BEFORE they clean to help avoid disaster...

The main thing here is to rid Susan's PC of an infection.

Susan's problem occurred 3 years ago ;)

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sounds like you got a lot more than just a Hijacked Desktop.

Please have a look at my linky here--> PhilliePhan's Malware Cleaning Steps

Please obtain the HJT Log (if you want to update to Trend Micro's version of HJT, that's cool) and also do the ESET online scan step.

Please post those logs in this thread and I'm sure somebody would be happy to help you.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

My advice for removing anything is to turn off System Restore first.

That used to be the prominent opinion three or four years ago. I admit I used to advise the same.... But now, with the influx of much more complex and difficult malware, the consensus in the anti-malware community is that "An infected System Restore Point is better than none at all!"

Of course, you are correct that System Restore needs to be flushed after a malware infestation. But, it should be done AFTER the machine has been cleaned.

Have a look ---> http://msmvps.com/blogs/spywaresucks/archive/2005/09/17/66724.aspx

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

download CCleaner from the link in my signature, that has a registry cleaner in it.

What is the point of this?
Are you inferring that posters should have it "Scan for issues?" Because, that is not good advice. Only people familiar with how the registry works should do this.
And, only after properly backing up the registry.

Gerbil is correct - with a massive infestation such as this, a tool such as ComboFix or SDFix needs to be run.

PhilliePhan 171 Central Scrutinizer Team Colleague

Glad you got it sorted out.

Be sure to update your Java and remove all older versions. Yours is only slightly out of date, but an update will help keep some baddies such as Vundo at bay.

See my "Protect Yourself" Linky below.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

When I open Firefox it keeps opening windows that say build Yahoo toolbar.

Not sure what you mean.... Did you install yahoo add-on?

Can you post a screencap or url of the page?

http://help.yahoo.com/l/us/yahoo/toolbar/troubleshootff/toolbar-55.html


-- At very quick glance, your HJT looks OK, but you should update your Java and remove all older versions.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey... I'm in need of some aid for my laptop...
Lately it's been really slow starting up and applications have been taking a while..
Anyone who knows how to analyze HijackThis! logs and could help me would be greatly appreciated.

Your HJT log looks OK.

But, that doesn't mean a lot these days . . . You should look at my "Malware Cleaning Steps" linky below and do the ESET Online Scan and post the results. (Step #7 in the linky)

Also, Norton AV - while a good and effective product - is a notorious resource hog and could be contributing to the slowdown....
Malware is not always the culprit:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Joletta,

I am pretty tied up with work, but since your original responder has not posted back yet, I thought I'd jump in and say that at quick glance I do not see any obvious malware in your ComboFix log.

-- With the reinstall of M$VB runtime, you ought to be able to run the latest version of HijackThis. I haven't seen v1.97.7 in about four years.....

-- It does sound like something is cattywampus with your machine - have you done any malware cleaning recently? Any new software added or any big changes to the machine recently?

Hopefully your original responder will post back with some ideas as well.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

In addition to running ComboFix as per willcomp's post, it sounds like you need to go to the linky below and re-install Microsoft Visual Basic run-time:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7B9BA261-7A9C-43E7-9117-F673077FFB3C&displaylang=en

-- Also, I would recommend installing the Recovery Console before running ComboFix.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Happy to help! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

here are my final logs thanks for the help.

You're Welcome! :)

Those logs look better - how are things running now?
(It looks like you were able to get AVG Anti-Spy updated?)

A few things left to do:
-- If you are no longer using AOL, you can fix these with HJT:
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

-- You should UNINSTALL SpywareBot as it is an anti-spy app of dubious repute. There are better ones in my linky below!

-- Please Flush your System Restore Points. Please follow the instructions in this link ---> Disable and Re-enable System Restore
First, turn OFF System Restore to flush any bad Restore Points.
Then, follow the instructions in the linked page to Re-enable the Restore Utility which will create a fresh ( and hopefully uncontaminated ;) ) Restore Point.

-- For some preventive measures, have a look at my Linky below.
I recommend that you install Spyware Blaster & that you use Firefox browser.

Keep the AVG Anti-Spyware. It is a solid product. Even after the trial period runs out, you will still be able to Internet Update its malware definitions and run scans.....


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, I'm new to the site and it appears others have had help from you. Attached is my HijackThis log, please help me. My Explorer directs me to different places other than my intended search and dumps me out of Explorer if I try to back out. Here is my log.

Looks like you definitely have a few baddies!

FIRST:
Look in Add /Remove Programs and UNINSTALL the following:
ArcadeRockstar
Viewpoint

NOW:
Please EXTRACT HijackThis from the ZIP to a safe location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
Then – RENAME HijackThis.exe to hjtscanner.exe
If you are unable to move or Rename HJT on your own, please do the following:
-- Delete your current copy of HJT.
-- Please download HijackThis Self-X to your Desktop.
-- DoubleClick on it to run it and follow the prompts.
-- A Shortcut for HJT will be created on your Desktop. Just leave it for now.

NOW, on to the fix:

-- Please make sure the Viewing of Hidden Files is Enabled.

You may want to print these instructions or save them locally, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click …

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow. A simple thanks doesn't seem like enough but thanks. No more redirecting and no more porn or free games sites, or whatever the heck it was, for the boy.

You're Welcome! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey PP,
I followed your directions and this is the results...

I only had time for a quick glance, but those logs look OK to me.

How are things running?

I suggest you have a look at my linky below for some preventative measures.
Definitely install Spyware Blaster and perhaps ZoneAlarm Firewall.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi,
Well I've completely hit the wall on this one. Short of formatting I've used all of the programs listed on your forum to try and exorcise this thing from the teenage boy's computer...

No need for such drastic measures! :cool:

Please EXTRACT HijackThis from the ZIP to a safe location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
Then – RENAME HijackThis.exe to hjtscanner.exe
If you are unable to move or Rename HJT on your own, please do the following:
-- Delete your current copy of HJT.
-- Please download HijackThis Self-X to your Desktop.
-- DoubleClick on it to run it and follow the prompts.
-- A Shortcut for HJT will be created on your Desktop. Just leave it for now.

ALSO:
-- Please open your AVG Anti-Spyware.
Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let me know.

NOW, on to the fix:

You may want to print these instructions or save them locally, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You …

PhilliePhan 171 Central Scrutinizer Team Colleague

In my opinion Symantec should pay its customers to install Norton on their machines :(.

HA! :cheesy:
I'll second that opinion!


Michael:
Crunchie is correct - I'd like to see those Logs....

Also, to address your question, the AVG Anti-spy is a good complement to any anti-virus program. But you DO need an AV app!

-- Also, if you are going to spend good money on an AV or Security Suite, you can do no better than Kaspersky Internet Security 6.0
Check it out!


See my linky below for more tips.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

There you have it. I am not very computer literate (when it comes to problems like these). I would appreciate any help you can offer. Thanks.

No Worries! The fix is pretty straightforward.
Let us know if you have any questions.


FIRST: Navigate to HijackThis.exe and RightClick on it and RENAME HijackThis.exe to hjtscanner.exe


NOW, on to the fix:

You may want to print these instructions or save them locally, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://mail.mixthis.com:8080/kxhcm10.ocx
O17 …
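As an added illustration (not part of the original post or of HijackThis itself), here is a small parser for HJT log lines of the kind listed above. It pulls out the section type, CLSID and file/URL, flags R3/O2/O3 entries that end in "(no file)" (a registered hook, BHO or toolbar with no backing file) and flags O16 ActiveX downloads from any host outside an assumed allowlist; the sample log and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HJT lines quoted in the post above plus one made-up
# clean BHO entry (placeholder CLSID) to show what does not get flagged.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://mail.mixthis.com:8080/kxhcm10.ocx
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

# Assumed allowlist of hosts from which an O16 ActiveX download is expected.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "update.microsoft.com"}


def parse_hjt_line(line):
    """Split one HijackThis entry into section type, kind, CLSID and file/URL."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line or free text, not an HJT entry
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    url = URL_RE.search(rest)
    return {
        "type": m.group("type"),
        "kind": m.group("kind"),
        "clsid": clsid.group(0) if clsid else None,
        "url": url.group(0) if url else None,
        "no_file": rest.endswith("(no file)"),
    }


def flag_entries(log_text):
    """Return (type, clsid, reason) for the entries a reviewer looks at first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is None:
            continue
        if e["type"] in ("R3", "O2", "O3") and e["no_file"]:
            findings.append((e["type"], e["clsid"],
                             "registered hook/BHO/toolbar with no backing file (orphan)"))
        elif e["type"] == "O16" and e["url"]:
            host = urlparse(e["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((e["type"], e["clsid"],
                                 f"ActiveX download from untrusted host {host}"))
    return findings
```

Run on the sample it flags the three "(no file)" entries and the O16 download, and passes the clean BHO.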

PhilliePhan 171 Central Scrutinizer Team Colleague

I told it to clean all the stuff but the program is a demo so I don't know if it will work...

If you follow crunchie's instructions on how to Run AVG Anti-spyware (with regard to Quarantine and Apply all Actions), it will try to clean those baddies.
If it is unable to clean the rootkit components, you may need more detailed assistance.
On the plus side, if AVG is detecting the rootkit, that is cause for optimism.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\ntio256.sys

These two are a malware downloader and the FOOP Rootkit driver that protects it.

I am interested in seeing if AVG Anti-spy can remove it. The Legacy Reg Keys are a pain to remove.

So please do have AVG try to clean all it finds!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

An up-to-date resident Anti-Virus program ought to be able to clean this.

If you need a "Stand-Alone" tool, use this one:
http://www.trendmicro.com/download/dcs.asp

Full instructions are available in the linked READ ME on that page.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi all
spybot found these SPYARSENAL
MICROSOFT WINDOWS SECURITY ANTIVIRUS DISABLE NOTIFY.
MICROSOFT WINDOWSECURITY FIREWALL DISABLE NOTIFY.
Would these have replicated and should I reinstall after these? :sad:

A reinstall would be a bit extreme. :cool:

You should investigate SPYARSENAL - Sounds like something you'll need to track down and remove.

As for the others, they are common and nothing to worry about. Posts 2 & 3 in the following link can explain it better than I:

http://forums.spybot.info/showthread.php?t=75


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, you are running a very old version of HijackThis on your unpatched system. You should install the latest version of HJT. (v1.99.1)
And, while you are at it, please RENAME HijackThis.exe to goodscan.exe so certain malware cannot hide from it.

-- Crunchie will tell you which Windows Updates to obtain. Installing SP2 right now may do more damage than good, so wait for those instructions.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm kinda getting the impression there's nothing wrong with my HJT log. If no one can spot anything, can they tell me that the HJT log is fine and I'll consider getting someone in to fix it. Thanks

Hi Josh,

At very quick glance, I do not see anything particularly evil. Of course, these days you really need to delve further to rule out malware.

I suggest you try my SelfCleaning steps linked below - Do the Kaspersky online scan and AVG Anti-spyware + Relocate & Rename HJT as directed.
-- When running the Kaspersky scan, if you have trouble with the Accept Button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. This is an IE7 issue....

-- I think your issue may be with IE7.
You might try a reinstall of IE6 or, better yet, install Firefox Browser and see if you still have problems.


Best luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It looks like Vista has retained sfc.exe.

Can you run sfc /SCANNOW

I am not familiar enough with Vista to be of much help.....

A linky for locating and interpreting results:
http://support.microsoft.com/kb/928228

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the spydawn thing.
except it isn't running on VISTA
Do you have any idea why AVG can't install?

Is it the Free or For Pay version of AVG?

To my knowledge, AVG Free does not support 64 bit OS. That could be it. Do you have x64?

I am not sure if the same holds true for S!Ri's SmitfraudFix, but SpyDawn is not difficult to remove manually.

Still, I think you have more going on there than meets the eye....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Honestly, Vik, if this computer is only two weeks old I suggest returning/exchanging it.

It sounds like there is more going on/wrong than just malware. Take it back and get an exchange. And, make them give you a Windows OS disc!
Or, have them burn one for you (using your machine and its legal copy, of course).

Too many retailers these days tell and expect you to make your own backup copy of Windows once you get your machine up and running.
This is absolute BS! Especially these days with the prevalence of rootkits increasing the need to reformat machines. Too many people get stuck without a legal copy of their OS.

If you are dealing with a legitimate retailer, you ought to be able to get satisfaction...


BTW - S!Ri has updated SmitfraudFix to remove SpyDawn.......


Best luck to you :)
PP