PhilliePhan 171 Central Scrutinizer Team Colleague

When I went to run this HijackThis check it said I could not enter some host files.

Off the top of my head, it sounds as though you are being blocked from accessing some sites by Hosts File entries.

Navigate to C:\Windows\System32\Drivers\etc\hosts and open the Hosts file with notepad and copy and paste it for us and we'll see if that is the problem.

PP :)
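An added example, not code from PhilliePhan's post or from HijackThis, that performs the hosts-file check described above automatically: it parses a hosts file and reports watched vendor domains pointed at loopback (silently blocked) and any hostname pointed at a non-local address (silently redirected). The sample hosts text and the list of watched domains are constructed for the example.

```python
"""Flag suspicious entries in a Windows hosts file.

Added example, not from the original thread. The sample hosts text and the
list of watched domains below are constructed for illustration.
"""
import ipaddress

# Domains a user would expect to reach; a hosts entry pointing any of these
# at loopback silently blocks the site (assumed list for this example).
WATCHED_DOMAINS = (
    "windowsupdate.com",
    "microsoft.com",
    "symantec.com",
    "mcafee.com",
    "malwarebytes.org",
    "java.com",
)

# Names that legitimately map to loopback and should never be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a default hosts file plus the kind of lines left by a
# hijack (vendor sites blocked, one site redirected to another address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.windowsupdate.com   # added by something
127.0.0.1  www.symantec.com liveupdate.symantec.com
0.0.0.0    www.java.com
192.168.1.5  www.mybank.example
127.0.0.1  myprinter.local
"""


def parse_hosts(text):
    """Return [(line_no, ip, hostname), ...] for every mapping in the text.

    Comments and blank lines are skipped; a single line may map several
    hostnames to one address, so each hostname becomes its own tuple.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def _is_local(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(text):
    """Return [(line_no, ip, hostname, reason), ...] worth a human look.

    Reported: a watched domain mapped to a local address (site blocked) and
    any hostname mapped to a routable address (site redirected elsewhere).
    Ordinary loopback entries for local names are ignored.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if _is_local(ip):
            if _is_watched(host):
                findings.append((line_no, ip, host, "watched site blocked"))
        else:
            findings.append((line_no, ip, host, "redirected to non-local address"))
    return findings


if __name__ == "__main__":
    for line_no, ip, host, reason in find_suspicious(SAMPLE_HOSTS):
        print("line %d: %-15s %-28s %s" % (line_no, ip, host, reason))
```

To check a real machine, read C:\Windows\System32\Drivers\etc\hosts into a string and pass it to find_suspicious.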

PhilliePhan 171 Central Scrutinizer Team Colleague

I think I will stick to XP for the time being....
I think we can call this thread solved. Thanks for the help, judging from what happened, it looks like I had to take the only possible resolution!

Happy to help!

-- I personally prefer XP, even with all its holes, to Vista at this time.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I think I will change my Automatic Updates settings to: ask me before downloading.

That is my preference. Definitely a good idea. That way, if you install a new update and something immediately goes wrong, you'll know where to start troubleshooting.

Do you have any further information on this problem?

No specifics - sorry. Just anecdotal stuff from problems I've seen while volunteering in various tech forums over the last five years.
Sometimes the updates bork your machine. Sometimes it is the update process itself. I remember a few instances in 04 or thereabouts when people would be posting about sluggish computer, etc... and it turned out that they were on dial-up and their machine was in the process of automatically downloading and installing SP2...... LOL!

More recently, M$ released an update that borked the Internet connection for anybody using ZoneAlarm Firewall.
http://www.daniweb.com/forums/thread133490.html

There are just too many possibilities. . . . . .

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

After all this, can someone suggest what might have happened? (Hopefully it won't ever happen again, but it never hurts to be prepared).

Hi Norman,

As you noted, all we can offer is mere conjecture at this point, so here goes:

-- Could be due to SP3. Many people have had issues with it. Many have not. I have had no major issues with SP3.

-- Could be a poorly written piece of software or a poorly written piece of malware. Most malware today is designed to make somebody money, either through extortion or outright theft of information and for that they need a working computer. It's been a while since I've seen a piece of ineptly designed malware do this, so I'd probably rule that out.

-- I have seen issues such as yours turn out to be related to Microsoft's Automatic Updating Service in Windows. There were patches for these issues and I would assume they were on your machine if you were running SP3.

The culprit(s) could be all sorts of things. Hard to pin a tail on it after the fact.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sounds like you have quite a mess there!

-- Are you able to run any tools in Safe Mode?

If you want, you could try this AT YOUR OWN RISK:
Run this early beta of a scanning tool I've been writing off and on for a while. It should be safe - many of the more risky components are not included in this early version.

Download PeekabooXP.zip and EXTRACT the PeekabooXP Folder to your C:\ Drive
It needs to be there to run properly.
-- You'll need to disable your AV temporarily before you run PeekabooXP. It might hang if you don't. Run it in Normal Windows Boot, not Safe Mode.
-- Open the PeekabooXP folder on the C:\ drive and DoubleClick Run This.bat and follow the prompts.
-- A log ought to pop up in notepad - post that for me.

I'll try to check back as time permits. I've got a busy weekend of home repairs ahead of me, so I may be tied up for a bit.

Best Luck :)
PP

grvs commented: he has a very good know of windows OS and is willing to help +1
PhilliePhan 171 Central Scrutinizer Team Colleague

securitycadets seemed much swifter at assistance with malware problems and bar none for malware problems...

Next time (and if you keep using cracks and warez, there will definitely be a next time) please have the courtesy to let us know you are receiving help elsewhere.
Most forums are staffed by VOLUNTEERS and are overwhelmed with requests for help and it wastes our time and resources working the same problem in multiple forums.

Thanks :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Judy,

If memory serves, Otto is OEM software for HP/Dell/others and I believe it is tied to WildTangent which also shows in log:
C:\Program Files\WildTangent\Apps

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ron,

This issue is more common than you think.

http://blog.codefront.net/2006/03/19/how-to-fix-ie-always-opening-firefox-instead/

Let me know if you still have problems or are uncomfortable hacking the registry.
Otherwise, I trust you can mark this thread as Solved.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It....
Worked!!! :icon_cheesygrin:
Thank you very much! It means a lot to me!

You're Welcome!

If there are no more problems, please mark this thread as Solved and have a look at my linky below:

PROTECT YOURSELF FROM MALWARE:Tools & Tips


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm sorry.. I'm a bit confused.
Do I just run the MBA-M Log, as you said? Or do I do everything your link said and I'd have to install DSS and ATF Cleaner too, and others?
Sorry for this hassle :confused:

No worries :)

-- I figured you'd be OK just running MBA-M. If you'd like for me to take a more thorough look at your machine, you could go ahead and run DSS scan after completing my steps below and post the logs.


-- I do think that you should now run ATF-Cleaner.exe as directed in the previous linky. At the very least, it'll flush the Java cache. Good thing to do (in addition to updating Java) after being hit by Vundo.


For the DeskTop:

--- Please download the attached FixDsktop.zip and EXTRACT FixDsktop.reg from the ZIP to your Desktop.
-- DoubleClick on FixDsktop.reg and follow the prompt to ALLOW it to merge into the registry.

Reboot for good measure and let me know if that helps.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ichinisan23,

A few steps for you:

-- It looks like you are running multiple AV programs (McAfee & Norton). You need to completely Uninstall one of them to avoid problems.

-- Go and Update your Java here ---> http://www.java.com/en
--> Please note that, before updating your Sun Java, you MUST remove ALL older versions that may be on your machine or you will still be vulnerable to some exploits/weaknesses such as VUNDO which may target and force execution on older runtime environments.
-- Do this by going into Add or Remove Programs and removing any versions that differ from the current version listed at the Java site. They may look similar to the following:
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2


-- Please run MBA-M as directed in the linky below and submit the scanlog for me:
Read me before posting a request for assistance

-- Download PeekDsktop.bat to your DeskTop.
- DoubleClick it to run it.
- A log should pop up in notepad. Please post that for me along with the MBA-M Log.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Lordy! Didn't even look at the original date!

Nice one, Judy! :D

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Tsahima,

The easiest way to continue will be to do this:

-- Copy mbr.exe to your C:\Windows Folder

Then, Click START > RUN > type or copy&paste mbr.exe -f and hit ENTER
(note that there is a space between mbr.exe and -f)


That ought to do the trick. You should run your scans again (including mbr.exe as before) and let us know how things are looking.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Ive got this virus , and avg cannot remove it.

You have a Password/Information stealer.

Can you run http://www2.gmer.net/mbr/mbr.exe and let us know the results?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am very frustrated and feel like throwing my laptop at the wall and replacing it with a mac.

The "sledgehammer option" can be very cathartic! ;)

-- Without sitting in front of the machine and having gone through all of the steps you have, it is difficult for me to advise you.... Frankly, at this point it might be easier to back up your important data and do a clean install.
Also, you might look at this: XP's No-Reformat, Nondestructive Total-Rebuild Option

-- Did you try "your uninstaller" to remove Firefox, etc...? What about making sure IE is set as your "default browser"?

These might help with the latest issues:
http://download.microsoft.com/download/e/9/d/e9d80355-7ab4-45b8-80e8-983a48d5e1bd/msicuu2.exe
http://support.microsoft.com/kb/328162
http://support.microsoft.com/kb/290301


Sorry I can't be of more assistance!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried to use a registry cleaner program and it removes it.

That will work too . . . . For the orphaned run keys of removed malware.

I still suggest running MBA-M just in case there is active malware remaining on your compy.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My error message reads:
Windows - No Disk
Exception Processing Message c0000013 Paremeters 75b6bf9c

Lots of possible causes for this error. The obvious being the recent addition and removal of software. Probably something you'll have to dope out through trial and error.
This link might help: http://www.consumingexperience.com/2007/11/windows-no-disk-exception-processing.html

Also, for help removing what you couldn't uninstall properly ---> http://www.ursoftware.com/
Can't remember if free trial or not. I think it is, just not the "full featured" version.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I posted this in hopes that someone might be able to help me decide my next course of action. My first decision was to check for malware, and that's why I posted my HijackThis log here. Any help, or a point in the right direction, would be much appreciated.

Nothing jumps out at me from your HJT Log other than an outdated Java. That could leave you vulnerable to a baddie such as Vundo.
You should uninstall ALL older versions of Java and install new version from here ----> http://www.java.com/en/

-- Probably not malware behind your problems.
-- If you can do a System Restore back to just before problems started, I'd try that. Essentially, take a few steps back and start again....
That will cause problems with some Added/Removed programs, but will probably be easier to deal with than where you are now.

-- Update the Java after restoring, rather than before, if you choose the System Restore route.


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm new here. Could someone kindly help me stop an error that loads every time I start my PC? It first occurred when my anti-virus detected it as a virus and deleted it... The error always shown on startup is "error loading:C:Windows:system32:bcxhgsbb.dll ->could not found"

What has likely happened is that your A/V or anti-malware tools have deleted a baddie, but left some remnants in the registry (a run key) that now call the non-existent malware on startup.

I would suggest that you run the steps here --> PP's Malware Cleaning Steps and post the logs for us.
At the very least, post the MBA-M and HJT logs as directed in the linky.

I am not here too often, but someone ought to be able to advise you upon seeing those scanlogs.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Guys,

The first HJT log shows the following baddie:
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe

This is probably responsible for the initial issues and may well be stealthed and still active....

Just a "heads up" in case you didn't look back that far.

-- Also, be advised that you have been exposed to an infected USB drive somewhere along the way. You may want to check your portable storage devices. If memory serves, sUBs has a "cleaner" for these....

PP :)
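An added example, not code from the thread or from HijackThis, that automates the two checks raised here and in the previous post about the "error loading ... could not be found" message: it parses HijackThis-style F2 Shell= and O4 Run lines, flags a Shell= value that loads anything besides Explorer.exe (and any Run entry that starts that extra program), and flags Run entries whose target file no longer exists, which is the orphaned key that makes Windows complain at startup. The log lines and the list of files treated as present are constructed; the file names reuse those quoted in the thread.

```python
"""Audit HijackThis-style startup lines (F2 Shell= and O4 Run entries).

Added example; not from the thread and not part of HijackThis. It flags a
Shell= value that loads anything besides Explorer.exe, a Run entry that
starts one of those extras, and Run entries whose file is gone (the stale
key behind "Error loading ... could not be found" at startup).
"""
import ntpath
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail line")

_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", re.I)
_O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed log excerpt in HJT's format; file names reuse the thread's.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKLM\..\Run: [vyaqfgmb] rundll32.exe C:\WINDOWS\System32\vyaqfgmb.dll,b
O4 - HKLM\..\Run: [ssxjwpvi] rundll32.exe "C:\WINDOWS\System32\ssxjwpvi.dll",s
"""

# Files assumed to still exist on the sample machine (constructed, lowercase).
_PRESENT = {
    r"c:\program files\java\jre1.6.0_05\bin\jusched.exe",
    r"c:\windows\system32\regsvr.exe",
}


def sample_exists(path):
    """Stand-in for os.path.exists that consults the constructed file list."""
    return path.lower() in _PRESENT


def target_of(cmd):
    """Return the file a Run command really loads.

    Quoted paths are honoured. For rundll32.exe the interesting file is the
    DLL argument (up to the first comma), not rundll32 itself. An unquoted
    path containing spaces is ambiguous and is cut at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        first, _, rest = cmd[1:].partition('"')
    else:
        first, _, rest = cmd.partition(" ")
    if ntpath.basename(first).lower() != "rundll32.exe":
        return first
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].partition('"')[0]
    return rest.split(",", 1)[0].split(" ", 1)[0]


def audit_startup(log_text, exists=os.path.exists):
    """Return a list of Finding for the suspicious lines in an HJT log.

    HJT prints F2 lines before O4 lines, so Shell= extras are known by the
    time Run entries are checked. `exists` is injectable so a log captured
    on another machine can be checked against that machine's file list.
    """
    findings, shell_extras = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        m = _SHELL_RE.match(line)
        if m:
            extras = [p for p in m.group("value").split()
                      if p.lower() != "explorer.exe"]
            if extras:
                shell_extras.update(p.lower() for p in extras)
                findings.append(Finding("shell-hijack",
                    "Shell= loads extra program(s): " + ", ".join(extras), line))
            continue
        m = _O4_RE.match(line)
        if not m:
            continue
        target = target_of(m.group("cmd"))
        if not target:
            continue
        name, base = m.group("name"), ntpath.basename(target).lower()
        if base in shell_extras:
            findings.append(Finding("shell-hijack",
                "Run entry [%s] starts the Shell= extra %s" % (name, base), line))
        if not exists(target):
            findings.append(Finding("orphaned-run",
                "Run entry [%s] points to missing file %s" % (name, target), line))
    return findings


def audit_sample():
    """Run the audit over the constructed log and file list."""
    return audit_startup(SAMPLE_LOG, exists=sample_exists)
```

On the machine that produced the log, call audit_startup with the log text and the default exists so the file checks hit the real disk.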

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Bobby,

I just remembered that I forgot to have you remove ComboFix.

No worries if you don't see this before you've returned the machine or if you've already removed ComboFix.

If you do see this in time, please do this:
• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run box. (be sure there is a space between the x and the / if you type it)
• Click OK


That ought to wrap things up!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Well, guess I took a bit longer to get this posted than I originally thought. Of the files you had me look for, I ran searches and only about 2 of them actually existed, though not in the folder you listed - both had been quarantined by the online scan. There was alvxqeif.dll.bac_a01172 in the folder C:\Documents and Settings\TiFF\.housecall6.6\Quarantine
The other file was
ssxjwpvi.dll.bac_a01172
In the same folder

You can delete that Quarantine folder if you so desire.

Likewise, these can be removed:
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Anyway here is the final combofix scan log. Also good news is I just noticed that the two error messages that I had been getting at bootup are gone:icon_cheesygrin:

Everything looks OK to me, Bobby. :)

-- The registry fix "took" this time. The machine is not trying to load those non-existent malware at startup any more.
-- You may want to look into some of the options for controlling unwanted Startups in the linky I posted earlier, but that is entirely up to you.

Have a look at my "Protect Yourself" linky below and definitely install Spyware Blaster as I recommend.


If everything is running as it should, please mark this thread Solved!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Where are you?:S
(Not trying to rush you or anything. I just have to return this thing by tomorrow morning. It's not a huge deal if we don't finish this tonight, and I know you're doing this voluntarily so it is still appreciated. I have to go for a few hours, but will be back on later tonight. Hopefully we are close?)

Hi Bobby,

Most days I really don't have much free time to devote to forums until after 7PM EST.

Looks like we are almost done, though my registry fixes didn't take via ComboFix. Probably blocked by one of the anti-spy tools. I should've used a switch to kill them. No worries, we'll try again "old school."
Most of the stuff left to deal with are the malware prevented from running via msconfig (and the Trend Micro and McAfee remnants). I would imagine all the actual malware files are gone, but in the interest of thoroughness I'd like to do the following:

-- Download BobbyFix.reg to your Desktop.
-- DoubleClick on BobbyFix.reg and follow the prompt to Allow it to merge into the registry

Then, you'll need to use Windows explorer to navigate to and DELETE any of the following, if they should remain:

C:\WINDOWS\system32\alvxqeif.dll
C:\WINDOWS\system32\bqdst.dll
C:\WINDOWS\system32\rrvfhlv.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2006
C:\Program Files\Common Files\?ystem\w?aclt.exe --> The ? can be any character. You should probably remove the C:\Program Files\Common Files\?ystem Folder.
C:\Program Files\Trend Micro

PhilliePhan 171 Central Scrutinizer Team Colleague

I am much obliged for your rapid responses and detailed instructions. I will resume your steps in about 14 hours when I am at my desk again.

You're welcome :)

No worries - and no rush. I should be around tomorrow evening

Such as? and how so?:idea:

The how so part is that it adds more stuff for us to sift through and deal with accordingly. Just a little extra work.

As for the "such as," my friend Chaslang has a good and thorough explanation here. Check it out:
Dealing with Startup Processes


Catch you tomorrow evening :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here are the log files in order as requested. I hope you have a search engine for whatever you're looking for!

LOL!

I have a pretty good idea of what I am looking for. Though, I should say that you ought not use Diagnostic Startup via msconfig as a "startup manager." There are better ways to deal with unwanted startups and malware. Plus, it adds to the workload of forum volunteers to have to deal with them.


Anyhoo, please do the following:

FIRST-
Look in Add/Remove Programs and UNINSTALL the following:

Adobe Reader 6.0.1 --> You'll need to update to the latest version.
Java 2 Runtime Environment, SE v1.4.2_03 --> This is probably the culprit that paved the way for Vundo. See instructions at end of fix steps to update Java.
McAfee VirusScan Enterprise --> Remove, since you are using AVAST! now.
Viewpoint Manager (Remove Only)
Viewpoint Media Player

THEN:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log


NEXT:
Please run http://www.eset.com/onlinescan/

-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan …

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I be in safe mode while performing these?

No - Normal Windows boot is preferable at this time.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

however I am getting two new error messages upon startup every time. They are both RUNDLL error messages saying "Error loading C:\WINDOWS\System32\vyaqfgmb.dll The specified module could not be found." And actually the second error message is identical except it's looking for the file ssxjwpvi.dll in the same folder. I googled both of those file names and got nothing at all.
They look to me like incorrect registry entries, or remnants of the recently removed infection.

Hi Bobby,

You are correct - those are registry remnants from the removed malware.

Looks like you did not get it all. Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

NEXT:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a …
PhilliePhan 171 Central Scrutinizer Team Colleague

I'm hoping there's a solution that can bypass using that program again -- just because I hate that screen. Thankfully, I rebooted and am using the same computer to make this post, so all is not lost. Yet.

Sorry to hear that!
It worked exceptionally well on the same malware here in this thread:
http://www.daniweb.com/forums/thread112066.html

That's why I suggested it when I saw you were having trouble. But, you are right to wonder why the steps you already took didn't work - they should have worked.

Hang in there for Crunchie - I don't want to get in his way any more than I already have done.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Adobe Acrobat 5.0 I couldn't find anywhere to check for updates, will I have to purchase the v8.0?

My fault there - Was doing 10 things at once. I confused myself. I must've been thinking of Adobe Reader
If you already removed Acrobat 5.0, you can get it here --> http://www.download.com/Adobe-Acrobat-5-0-5-Update/3000-6675_4-10069848.html

I looked 2 X in the C:\WINNT\system32 Folder for: 953BEBAFA6.sys - then looked 2 X in the C:\WINNT Folder and still couldn't find it.

My fault again - That is a hidden file and you need to enable the viewing of hidden files to see it: http://www.bleepingcomputer.com/tutorials/tutorial62.html
You might want to check again just to make sure it is/isn't there. Looks a bit iffy to me. It could very well be gone.

pc is running much better now Thank You:icon_smile:

You're welcome - Happy to help :)

Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

Everything else looks OK to me. If things are running well and you don't find 953BEBAFA6.sys for Jotti scan, then I think you can mark the thread as solved!

Have a look at my "Protect Yourself" linky below - Definitely install Spyware Blaster!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I doubt Crunchie will mind if you go ahead and do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post back with the MBA-M Scanlog and I'm sure Crunchie will weigh in with further advice.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This afternoon when I logged on Nortons found and fixed 3 trojans. I ran SpyWare Doctor and came clean. Here are the 3 reports you wanted and from what I can read we still have a nasty little booger around. I hope that we can remove it soon.

I don't see much there - I think Norton got three of the baddies I had targeted in the CFScript.

--You should use Add/Remove Programs to remove the following:

Adobe Acrobat 5.0 --> Remove and update to latest version. I think it's 8.
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
---> Remove all of these older Java versions. Help deter Vundo.
Do not remove this one --> Java(TM) 6 Update 5
Pando --> P2P stuff is a good way to get reinfested. A number of forums deny help to people until they remove or disable these.
URGE -->your choice
Viewpoint Media Player (Remove Only)

-- Can you tell me what is in this folder --> C:\WINNT\hvrqkcro
If you don't recognize it as something you need, DELETE it.

-- Also, please go here ---> and use the Browse Button at the top of the page to navigate to …
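An added example, not PhilliePhan's code, for the Java clean-up advised here and in the earlier post to Ichinisan23: given an Add/Remove Programs listing like the one above, it parses each Java runtime's display name into a comparable version and reports the single newest one to keep and the older ones to remove. The program list is constructed from the names quoted in the posts.

```python
"""Pick out outdated Java runtimes from an Add/Remove Programs listing.

Added example, not from the original thread. The list of display names
below is constructed from the entries quoted in the posts; the parser
covers the three naming styles that appear there ("SE v1.4.2_03",
"J2SE ... 5.0 Update N" and "Java(TM) 6 Update N").
"""
import re

_JAVA_NAME = re.compile(r"^(?:Java|J2SE)\b", re.I)
# "v1.4.2_03" or "1.4.2.06": major.minor.patch then _update or .update
_OLD_STYLE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)[._](\d+)\b")
# "5.0 Update 9" or "6 Update 2"
_UPDATE_STYLE = re.compile(r"\b(\d+)(?:\.(\d+))?\s+Update\s+(\d+)\b", re.I)

# Constructed Add/Remove list; it is alphabetical, which is why "Update 10"
# sorts before "Update 2" and a numeric comparison is needed.
SAMPLE_LIST = [
    "Adobe Acrobat 5.0",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Pando",
]


def parse_java_version(name):
    """Return a comparable (family, minor, update) tuple, or None.

    1.4.2_03 becomes (4, 2, 3); 5.0 Update 9 becomes (5, 0, 9); 6 Update 5
    becomes (6, 0, 5), so plain tuple ordering ranks them correctly.
    """
    if not _JAVA_NAME.match(name.strip()):
        return None
    m = _OLD_STYLE.search(name)
    if m:
        major, minor, patch, update = (int(g) for g in m.groups())
        family = minor if major == 1 else major   # "1.4" is Java 4
        return (family, patch, update)
    m = _UPDATE_STYLE.search(name)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3)))
    return None


def classify_java(installed):
    """Split a program list into (newest, to_remove, unrecognised).

    newest: the single runtime to keep; to_remove: every older runtime;
    unrecognised: Java-looking names whose version could not be parsed,
    which a person should look at by hand rather than delete blindly.
    """
    versioned, unrecognised = [], []
    for name in installed:
        version = parse_java_version(name)
        if version is not None:
            versioned.append((version, name))
        elif _JAVA_NAME.match(name.strip()):
            unrecognised.append(name)
    if not versioned:
        return None, [], unrecognised
    versioned.sort()
    newest = versioned[-1][1]
    to_remove = [name for _, name in versioned[:-1]]
    return newest, to_remove, unrecognised


if __name__ == "__main__":
    newest, to_remove, odd = classify_java(SAMPLE_LIST)
    print("keep:   ", newest)
    for name in to_remove:
        print("remove: ", name)
    for name in odd:
        print("check:  ", name)
```

The HijackThis Uninstall Manager's saved list (one program name per line) can be fed straight in as `installed`.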

PhilliePhan 171 Central Scrutinizer Team Colleague

AllRightyThen!

-- Are you able to Uninstall/Remove XPdefender in Add/Remove Programs?
See if you can do that first. If not, no worries - keep going with the rest of the steps.

-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Be sure you get it onto the Desktop this time, please ! If you still have trouble, let me know!
-- Download the attached file CFScript.txt to your Desktop as well.
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.

ALSO:
Please run http://www.eset.com/onlinescan/
-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.

One More Thing:

Run HijackThis and Open the Misc Tools section.
Open the Uninstall Manager and Click Save list
Save it to your desktop.

Please post the fresh ComboFix log, the ESET Log and the Uninstall List for me and we'll go from there. I will try to check back in a timely manner, but I'm a bit overextended at the moment...

Best Luck …

PhilliePhan 171 Central Scrutinizer Team Colleague

We do not bank online, but I do love shopping online. Yesterday I did purchase Spyware Doctor so I will keep an eye out on my credit card account.
Thanks Again

Hi Vegasgal,

I'll post the next steps in a few minutes (slow typist).

-- Regarding all the malware, I am still not sure if those are active baddies or if your computer has been "salted" by smitfraud so it can extort you to buy their Spyware Remover and it can "remove" all these "baddies" that it planted in the first place . . .. If that makes any sense LOL!

Those keyloggers, to my knowledge, must be installed manually. Also, I did not see the Run Keys, so perhaps they are not active and only there to provide extra motivation for the extortion.
-- But, I'd rather err on the side of caution and operate under the assumption that your machine may have been compromised.... Keep an eye on the credit cards, etc...


For the ComboFix download, in Firefox click Tools > Options > select the Main Tab and make sure to check the box under Downloads where it says Always ask me where to save files and click OK

Then, download Combofix to the Desktop.

Back in a few with the next steps :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Everything seems to be normal once again. Thank You So Much for all your help in getting rid of this nasty booger. Here are the 3 logs you've requested and I hope you can come back here and give me the thumbs up!

Happy to help! There are still a couple steps left to do, but it is waaay late in my neck of the woods, so I may not be able to post them until tomorrow.

This is very similar to a thread I worked in another forum. I had thought somebody manually installed the spyware on her computer, but now that I see it again, it looks like this is being done remotely. As yet, I am not sure what to make of this - many of the downloaded malware are the same including these:
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\unsetup.exe
C:\WINNT\system32\acespy\systune.exe
C:\WINNT\system32\acespy\__acelog.ndx etc.......

These are commercial keyloggers/spyware. We can only assume that your computer was compromised. If you do online banking, shopping etc...., you might want to change passwords and notify your bank that your accounts may have been compromised. Do this from a clean computer or by phone.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062111-2932-99&tabid=2

At this point, I'm not certain what the damage is - better safe than sorry!

-- Also, please DELETE your copy of ComboFix. When I post back with further steps, we'll need to download a fresh copy and place it on the DESKTOP.

Anyhoo, I've got to get …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Vegasgal,

You have a few malware issues showing in the log. Let's start by running two tools:

Please download Malwarebytes' Anti-Malware (MBA-M) to your desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix …
PhilliePhan 171 Central Scrutinizer Team Colleague

Actually, this is a Smitfraud infection.

There are a couple dedicated removal tools for this.


-- A note on HJT and Online Analyzers.
Both miss a lot. An online analyzer is only as good as its DB and there are a ton of baddies that do not show in a HJT Log in the first place.


-- Hazdude,
I'd be happy to help you clean this, time permitting (I am juggling a number of threads in a number of forums at the moment).
At this point, I am not sure what you have and haven't done to your machine. So, please do the following:
Please look at the steps I have written here and obtain the three logs as directed and post them here.
1- Kaspersky
2- AVG Anti-Spy
3- Fresh HJT Log

Often, there are multiple malware issues with this infection and it helps to get a good baseline from which to start. Those scans will do it and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here it is

Yup - It looks like it merged just fine :)

You can see the differences between the two peek.txt logs.

Also, if you take fixxshort.reg and change the extension to fixxshort.txt and open it, it will match the second log exactly.

PP :)

jshtylr commented: Helped me alot in fixing my problems +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Anyway, thanks for all the help you've given me

Happy to try to help :)

That's odd - that should just merge right in. Perhaps it did.
-- If you like, you can give me a fresh peekaboo log and we can see if it merged successfully.

At any rate, all's well that ends well . . ..

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The file doesn't look like it's been attached

Sorry! There it is. :)

This forum has limits on the type of files you can attach and I keep trying to upload them as is . . . ugh.

PhilliePhan 171 Central Scrutinizer Team Colleague

Right I've uploaded the log file,
Thanks for your help so far.

Happy to try to help!

Let's give this a whirl:

-- Please download the attached fixxshort.zip and extract it to your Desktop.
-- Open the folder and DoubleClick fixxshort.reg and allow it to merge into the registry.
-- You can then Delete it from your desktop.

REBOOT, and let me know if that had any effect.


Note: Anytime you hack the Registry or fiddle with it in some manner, bad things can happen.

You may want to first back up the registry before doing the above. I suggest a simple & Free tool such as ERUNT

I doubt you'll have any issues with the fix, but backing up the registry is prudent in any case.


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok then . . .. Let's have a look at a few things.

-- Please download Peekaboo.zip attached below and extract peekaboo.bat to your Desktop.
-- A folder labeled peekaboo will appear on your Desktop.
-- Open the folder and DoubleClick peekaboo.bat and give it a couple seconds to run.
A log should pop up in Notepad. Please attach that (peek.txt) for me using the "manage attachments" button when you post back (scroll down).

BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!

Anyhoo, it is up to you if you want to trust me :)


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi jshtylr,

Your HJT Log looks OK as far as malware is concerned. Just some minor issues we can clean up, if you so desire. First, do this:

Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
If you are unable to move it on your own, please do the following:

FIRST: DELETE your current copy of HijackThis.
THEN: Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish and just leave it for now.

--------------------------------------------------------------------------

For the problem at hand:

-- What are the extensions for the shortcuts? Are they .exe or .lnk?
How about the actual programs themselves - .exe or .lnk?

-- How many different User Accounts are on this machine?


Will try to check back over the weekend if I get a chance.

PP :)