The file doesn't look like it's been attached
Sorry! There it is. :)
This forum has limits on the type of files you can attach and I keep trying to upload them as is . . . ugh.
Right, I've uploaded the log file.
Thanks for your help so far.
Happy to try to help!
Let's give this a whirl:
-- Please download the attached fixxshort.zip and extract it to your Desktop.
-- Open the folder and DoubleClick fixxshort.reg and allow it to merge into the registry.
-- You can then Delete it from your desktop.
REBOOT, and let me know if that had any effect.
Note: Anytime you hack the Registry or fiddle with it in some manner, bad things can happen.
You may want to first back up the registry before doing the above. I suggest a simple & Free tool such as ERUNT
I doubt you'll have any issues with the fix, but backing up the registry is prudent in any case.
Best Luck :)
PP
Get MS Windows Defender (free) - choose NOT to join SpyNet, and remember to do an MS update after install to get the definitions.
Run a FULL scan. This has helped me before.
That might be a bit of overkill in this case. ;) The HJT Log shows the following active anti-spy apps:
Spy Sweeper
Spyware Doctor
Winpatrol
These are solid apps. Plus, I'm not so sure we are dealing with a baddie as much as a nuisance program.
PP :)
As requested
Hi Norman,
I'm sorry! I am doing ten things at once and was a bit distracted . . ..
What I meant to ask for was the Uninstall List via HJT's Misc Tools.
-- Also, I have attached unstll.zip to this post
-- Please download unstll.zip and extract it to your Desktop.
-- A folder labeled unstll will appear on your Desktop.
-- Open the folder and DoubleClick unstll.bat and give it a couple seconds to run.
A very large log should pop up in Notepad. Please attach that (unstll.txt) for me.
BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!
Anyhoo, it is up to you if you want to trust me :)
-----------------------------------------
I did take a quick look at your Startuplist and saw a couple things. I doubt if they are still active. You've got plenty of anti-spy protection installed and I imagine they cleaned the threat, but I thought I'd point them out to you (these are the only ones that jumped out at me at quick glance):
aaudstum: \??\C:\DOCUME~1\Norman\LOCALS~1\Temp\aaudstum.sys (manual start) --> I don't know what this is. Doesn't look right to me.
mchInjDrv: \??\C:\WINDOWS\TEMP\mc22.tmp (disabled)---> this is related to a nasty backdoor trojan with keylogging capabilities. Probably no …
Hi Norman,
Let's have a look, shall we?
FIRST:
Download HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe
Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish
-- Run HJT > Click Do a system scan and save a logfile and submit that for me.
EDIT PP: Missed your last post - please do the below as well....
ALSO:
Let's get a StartupList.
Run HijackThis and open the Misc Tools section.
-- Check the boxes to List minor sections & List empty sections
-- Click Generate StartupList & Yes
-- Please submit that log for me as well.
Will check back as time permits. Lotta playoff football to watch this weekend! ;)
PP
Ok then . . .. Let's have a look at a few things.
-- Please download Peekaboo.zip attached below and extract peekaboo.bat to your Desktop.
-- A folder labeled peekaboo will appear on your Desktop.
-- Open the folder and DoubleClick peekaboo.bat and give it a couple seconds to run.
A log should pop up in Notepad. Please attach that (peek.txt) for me using the "manage attachments" button when you post back (scroll down).
BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!
Anyhoo, it is up to you if you want to trust me :)
PP :)
Hi jshtylr,
Your HJT Log looks OK as far as malware is concerned. Just some minor issues we can clean up, if you so desire. First, do this:
Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
If you are unable to move it on your own, please do the following:
FIRST: DELETE your current copy of HijackThis.
THEN: Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe
Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish and just leave it for now.
--------------------------------------------------------------------------
For the problem at hand:
-- What are the extensions for the shortcuts? Are they .exe or .lnk?
How about the actual programs themselves - .exe or .lnk?
-- How many different User Accounts are on this machine?
Will try to check back over the weekend if I get a chance.
PP :)
I really have a hard time reading that - Be sure to turn off "Word Wrap" in Notepad when you save the logs.
Account # 2 looks OK, but you should run the same procedure we did before on Acct.#1
-- It might even be best to redo Acct.# 2 as well. Get them one right after the other!
-- When you do the fix with HJT, fix ONLY these entries, if they exist --> O17 - HKLM\System\CCS\Services\Tcpip\..\{C55FDA9D-75CB-4F59-9101-F51BB8DD5DDA}: NameServer = 85.255.116.164 85.255.112.112
If anything else remains, we'll deal with it once I get a readable HJT log.
Hang in there - this procedure is 90% effective in removing this baddie...
Best Luck :)
PP
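The check described in the post above (fix only the O17 NameServer entries), as an added example that is not part of the original thread: it reads HijackThis log text, rejoins entries broken by word wrap, and marks each O17 NameServer address as expected or needing review. The function names, the `expected` allowlist, the choice to treat private addresses as expected, and every sample line other than the O17 entry quoted in the post are assumptions made for this example.

```python
import ipaddress
import re

# An entry starts with a HijackThis section code such as "R1 - " or "O17 - ".
ENTRY_START = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Constructed sample: the first O17 entry is the one quoted in the post,
# wrapped onto two lines on purpose; the other lines are made up.
SAMPLE_LOG = r"""O3 - Toolbar: Example Toolbar - {00000000-0000-0000-0000-000000000000} - C:\example.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C55FDA9D-75CB-4F59-9101-F51BB8DD5DDA}: NameServer = 85.255.116.164
85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

def unwrap(log_text):
    """Rejoin wrapped entries. Assumption: a line that does not start with a
    section code is the continuation of the entry before it."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def review_nameservers(log_text, expected=()):
    """Return (registry key, address, status) for every O17 NameServer value.
    Private addresses and anything inside `expected` networks count as
    expected (assumption); everything else is marked for review."""
    nets = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for entry in unwrap(log_text):
        m = O17_RE.match(entry)
        if not m:
            continue
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((m.group("key"), server, "unparseable"))
                continue
            known = addr.is_private or any(addr in n for n in nets)
            findings.append((m.group("key"), server, "expected" if known else "review"))
    return findings
```

Calling `review_nameservers(SAMPLE_LOG)` marks both addresses from the quoted entry for review and the router-style address as expected; pass the resolvers your ISP or network actually uses as `expected` to cut down on manual review.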
That looks better, but it is a bit hard to read. You must've had word wrap on or something similar. . .. . .
Anyhoo, how are things running now?
-- Looks like you have a couple different User Accounts on that machine. Please give me a Fresh HJT log for EACH account.
PP :)
My search engines have been giving me redirected results. Please take a look at my HJT log. Thank you.
Hi Googen,
These are essentially the same instructions I posted for another poster with the same problem. Be sure to follow them exactly!
Anyhoo, here we go:
Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
If you are unable to move it on your own, please do the following:
FIRST: DELETE your current copy of HijackThis.
THEN: Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe
Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish and just leave it for now.
NOW, on to the fix:
You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, …
Thanks for helping =)
You're welcome :)
Looks like you are OK and good to go!
If you desire, you can fix these entries with HijackThis:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) --> You might want to check this one to see if the file is indeed "missing."
** Don't forget to install an Anti-Virus app! Perhaps AVG Free in my Linky below. . . .
Cheers :)
PP
WOW, thanks a lot. Took 10 minutes or so to fix, and working perfectly. I didn't know that AVG acquired e-wido. Thank you so much for helping, and have a happy new year.
You're welcome :) Glad to hear things are looking better!
Yeah - Grisoft made a good choice in picking up EWIDO, IMO.
-- You should still submit those logs I asked for at the bottom of my post - There are likely relatives and remnants of the baddie on your machine......
Cheers :)
PP
If I go to www.adkjasdljsadjasj.com, it should pop up a page that says "Page can not be found", but now it's giving me this random page that has porn links all over it. I use E-wido and I love this anti-malware program, but it's not finding the virus. I'm still new to HijackThis; I had to use it getting rid of spy-axe a year ago. So, if you could help me out on this it would be much appreciated.
Hi Zev,
Your EWIDO has been bought by AVG and updated. Please uninstall it. You will be downloading the new version after the fix.
These are essentially the same instructions I posted for another member with the same problem. Be sure to follow them exactly (right down to installing a resident AV app!! )
Anyhoo, here we go:
FIRST: DELETE your current copy of HijackThis.
THEN: Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe
Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish and just leave it for now.
NEXT:
You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it …
As I'm writing this I've noticed my new homepage is MSN and I cannot change it in Internet Options; it simply resets itself. But I wasn't redirected to another site when I typed in daniweb in the search bar. What was that question you were asking about something school related? Sorry, I didn't quite get that. Thanks for all your help.
Happy to try to help :)
OK - Let's try a few more things. Some is just minor cleanup with HJT and the other stuff is quite important. Let me know if you have trouble with any of it....
-- R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.46:6 What I wanted to know is whether this is the correct setting . . . Are you using a proxy for school or the like? If not, you can fix this with HJT along with the others below.
-- The MSN thing sometimes accompanies this infection. For the life of me, I can't remember how to fix it. So we'll try a few different things.
Please do ALL of these steps:
1-
Please Scan with HJT, and check the boxes for the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.46:6 --> …
Looks like you've got a baddie!
If you still need assistance, please post a fresh HJT Log for me.
PP :)
At first there were also infected restore files, but I was able to get rid of those by disabling System Restore. According to AVG there are still two infected files in the virtual memory.
Hi Ozzman,
This is typical of a Wareout infection. Please do the following:
FIRST: DELETE your current copy of HijackThis.
THEN: Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe
Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you.
Follow all the prompts, click Finish and just leave it for now.
NEXT: You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).
Please Scan with HJT, and check the boxes for the following items:
O17 - HKLM\System\CCS\Services\Tcpip\..\{84AE79C6-2FC7-49E7-B2F7-E336F0FC4AE1}: NameServer = …