Author Topic: Can't "Fix"  (Read 42892 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #15 on: April 14, 2011, 09:30:29 PM »
That's a for sure - if safe mode with networking works we will be able to do a faster fix.  MBAM will not get the proxy changes or the malware folder - but it should get the running processes ;D

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2610
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #16 on: April 14, 2011, 09:31:43 PM »
I'll watch this closely, so I will not always need to call you this soon.  ;D
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline rlakritz

  • Jr. Member
  • **
  • Posts: 72
Re: Can't "Fix"
« Reply #17 on: April 14, 2011, 09:35:52 PM »
Thanks guys.  I'm actually in the Middle East so British time is only 2 hours behind.  I'm too tired now to concentrate on essexboy's suggestions, but I will give it a try first thing in the morning and let you know how it works out.  Thanks again for all your help.  I really appreciate it!

Offline essexboy

Re: Can't "Fix"
« Reply #18 on: April 14, 2011, 09:51:13 PM »
For sure I will not be online until about 1900 GMT

Offline Zyndstoff (aka Steven Gail)

Re: Can't "Fix"
« Reply #19 on: April 15, 2011, 08:22:18 AM »
Can you think of some way around this before I take it in to my computer guy? 

BTW: don't take it to a "computer guy" if by any means this is a dealer you are talking about. He is most probably not a malware expert, he won't invest any time (and that is surely needed), he'll tell you it can't be fixed and he is going to sell you some unneeded hardware like a new HDD and tell you to reinstall Windows...  ;D

essexboy will get this straight with your co-operation.

Offline rlakritz

Re: Can't "Fix"
« Reply #20 on: April 15, 2011, 01:23:24 PM »
I was able to run MBAM on my desktop and here's the log.  I'll have to post it in a few sections since its entirety exceeds the 10000 limit.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6367

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

15/04/2011 14:03:31
mbam-log-2011-04-15 (14-03-31).txt

Scan type: Quick scan
Objects scanned: 164601
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 760
Registry Values Infected: 32
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe (Security.Hijack) -> Quarantined and deleted successfully.

Offline rlakritz

Re: Can't "Fix"
« Reply #21 on: April 15, 2011, 01:25:46 PM »
On second thought, there were 806 infected items (I think) and the log was 53 pages long in Word.  If you really want to see it all I will post it, but otherwise I'm not sure it's worth the time and effort.
Thanks!

Offline Zyndstoff (aka Steven Gail)

Re: Can't "Fix"
« Reply #22 on: April 15, 2011, 02:03:01 PM »
Wooo Hoooo !

What a list.  8)

I see you had MBAM delete everything. Okay. Save the log to disk in case essex wants it to take a look.

Did you run MBAM in Safe Mode or in Normal Mode?
If you can run it in Normal Mode, please run it again - and again post the log, please. Should be somewhat shorter now.

Offline rlakritz

Re: Can't "Fix"
« Reply #23 on: April 15, 2011, 05:38:08 PM »
I restarted the computer normally and ran the program again.  It didn't find anything.  Here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/04/2011 18:12:50
mbam-log-2011-04-15 (18-12-50).txt

Scan type: Quick scan
Objects scanned: 167075
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

However, I still can't run Firefox.  I keep getting that same pesky message.

Offline Zyndstoff (aka Steven Gail)

Re: Can't "Fix"
« Reply #24 on: April 15, 2011, 05:39:57 PM »
Well, the log is one point for us.  ;D

What is the message?

About the proxy?

Check FF settings, make sure they look like the screenshot.

However, even if we manage to get you online again: still follow essexboy's instructions and come back here! I'm no expert on malware, and it is vital to close this thread with essexboy!
(Many users just vanish too early and we'll see them back here in a week or two and start all over...)
« Last Edit: April 15, 2011, 05:53:22 PM by Zyndstoff, aka Tex »

Offline essexboy

Re: Can't "Fix"
« Reply #25 on: April 15, 2011, 08:31:29 PM »
Doing well  ;D  The IFEOs were a major part of the problem with programmes not running properly

I should imagine there are still some miscreant folders hiding in the user folders
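The three hijack points this thread turns up are the Image File Execution Options "Debugger" redirections that MBAM removed (the Security.Hijack keys in the log above), the WinINet proxy pointed at 127.0.0.1 and the Explorer DisallowRun policy that RogueKiller reports further down. The script below is an added, read-only audit of those three locations; it is not code from the thread, from Malwarebytes or from RogueKiller. It assumes the standard registry paths for those settings and a PowerShell prompt run as administrator on Windows 7 or later (the function name Get-HijackFindings and the loopback heuristic are this example's own choices).

```powershell
# Added example, not code from the thread or from any tool named in it.
# Read-only audit of the three hijack points the thread found:
#   1. IFEO "Debugger" redirections (the Security.Hijack keys MBAM removed)
#   2. a WinINet proxy pointing at 127.0.0.1 (what RogueKiller flagged)
#   3. the Explorer DisallowRun policy
# Assumptions: standard key paths, elevated PowerShell, Windows 7 or later.
# Nothing here deletes anything; hits are listed for review.

function Get-HijackFindings {
    $findings = @()

    # 1. Any IFEO subkey carrying a "Debugger" value makes Windows start that
    #    value instead of the named executable. Malware uses this to stop
    #    security tools from launching; a few legitimate tools use it too,
    #    so each hit is reviewed rather than removed automatically.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Where = $key.PSChildName; Value = $dbg }
        }
    }

    # 2. WinINet proxy. IE uses it directly; Firefox honours it when set to
    #    "Use system proxy settings". A proxy on the loopback address with no
    #    local proxy software installed is the pattern seen in this thread.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        $label = 'Proxy enabled'
        if ($p.ProxyServer -match '127\.0\.0\.1|localhost') { $label = 'Proxy enabled (loopback, suspicious)' }
        $findings += [pscustomobject]@{ Check = $label; Where = 'ProxyServer'; Value = $p.ProxyServer }
    }

    # 3. DisallowRun = 1 plus a DisallowRun subkey listing executable names
    #    prevents those programs from being started through Explorer.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $e = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ($e -and $e.DisallowRun -eq 1) {
        $blocked = @()
        $sub = Get-Item -Path "$pol\DisallowRun" -ErrorAction SilentlyContinue
        if ($sub) { $blocked = $sub.GetValueNames() | ForEach-Object { $sub.GetValue($_) } }
        $findings += [pscustomobject]@{ Check = 'DisallowRun policy'; Where = $pol; Value = ($blocked -join ', ') }
    }

    # The leading comma keeps the result an array even when there is one hit.
    return ,$findings
}

$result = Get-HijackFindings
if ($result.Count -eq 0) {
    'No IFEO debugger, loopback proxy or DisallowRun findings.'
} else {
    $result | Format-Table -AutoSize
}
```

On the machine in this thread the second and third checks would report exactly what RogueKiller's [PROXY IE] and [HJPOL] lines show, and the first would have listed the a.exe, AAWTray.exe and similar entries before MBAM cleaned them. That matches essexboy's point in Reply #15: a scanner that removes the IFEO keys and running processes still leaves the proxy setting behind, which is why Firefox kept failing after a clean MBAM log. The findings are for the helper to act on with the tools the thread prescribes; the script only reports.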

Offline Zyndstoff (aka Steven Gail)

Re: Can't "Fix"
« Reply #26 on: April 15, 2011, 09:04:35 PM »

Offline rlakritz

Re: Can't "Fix"
« Reply #27 on: April 15, 2011, 09:16:49 PM »
YEAH!!! That did it. We can now get on the Internet using Firefox!  As you suggested, I'll run the other 2 programs essexboy suggested.  Thanks again!

Offline essexboy

Re: Can't "Fix"
« Reply #28 on: April 15, 2011, 09:18:08 PM »
Team effort Boyo  ;D

Offline rlakritz

Re: Can't "Fix"
« Reply #29 on: April 15, 2011, 09:22:53 PM »
OK, essexboy, here is the log from Roguekiller:
RogueKiller V4.3.8 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Judith&Yuda [Admin rights]
Mode: Scan -- Date : 04/15/2011 22:21:09

Bad processes: 0

Registry Entries: 3
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:25384) -> FOUND
[HJPOL] HKCU\[...]\Explorer : DisallowRun (1) -> FOUND

HOSTS File:
127.0.0.1       localhost