Author Topic: Can't "Fix"  (Read 51897 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #30 on: April 15, 2011, 09:27:29 PM »
OK you still have a bad proxy in IE - I will remove that using OTS 

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #31 on: April 15, 2011, 09:31:00 PM »
Team effort Boyo  ;D

Looks like we made one man happy.
I am very strongly tempted to change my nick to "Flash Gordon (Saviour of the Universe)"...  ;D
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #32 on: April 15, 2011, 09:36:35 PM »
Quote
I am very strongly tempted to change my nick to "Flash Gordon (Saviour of the Universe)"...
Noooo I have enough problems keeping track of you now   ;D

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #33 on: April 15, 2011, 09:40:51 PM »
Well, Judith and Yuda,
once we're through with this, I strongly recommend that you set up a second restricted user account for everyday work & fun.
Also pay a little more attention to where you surf and what you click on.
Don't follow any links that were sent to you by email by clicking on them, even if you know the person the mail is coming from. Be careful when you are sent any attachments via email (especially .pdf and of course .exe and .com and .bat), if you are not 100% sure about the origin of the attachment.

Keep Avast up to date at all times.

 ;)
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #34 on: April 15, 2011, 09:41:40 PM »
Quote
I am very strongly tempted to change my nick to "Flash Gordon (Saviour of the Universe)"...
Noooo I have enough problems keeping track of you now   ;D

...there is this "aka"-thing in the nick.  ;D You should be able to handle it.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

rlakritz

  • Guest
Re: Can't "Fix"
« Reply #35 on: April 15, 2011, 09:48:27 PM »
The OTS log is too long to post - over 9000 words.  Is there another way I could send it to you?

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #36 on: April 15, 2011, 09:51:53 PM »
Even better: attach as .txt file.
Click on "additional options" in the post editing screen to upload.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #37 on: April 15, 2011, 09:58:16 PM »
Yep attach it is much easier (for me )  ;D

rlakritz

  • Guest
Re: Can't "Fix"
« Reply #38 on: April 15, 2011, 10:10:12 PM »
This is Susan.  Someone who once worked on our computer set up the Judith & Yuda user names...
Steven, please be more specific about setting up a second, restricted user account.  How do I do this?  Should we ever access the Judith & Yuda account?  When?  Should we delete it?
Also, why are .pdf files so dangerous?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #39 on: April 15, 2011, 10:15:05 PM »
Hi Susan - if you do not use those accounts then they can just be deleted

We will discuss limited user accounts once we are sure you are clean  ;D

Could you attach the OTS log please - do you know how to do that ?

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #40 on: April 15, 2011, 10:15:21 PM »
Quote
This is Susan.  Someone who once worked on our computer set up the Judith & Yuda user names...
Steven, please be more specific about setting up a second, restricted user account.  How do I do this?  Should we ever access the Judith & Yuda account?  When?  Should we delete it?
Also, why are .pdf files so dangerous?

Hi Susan,

leave all accounts as they are for the moment, please.

We'll talk about that later on, okay?
Let's first get the baby clean, then do the other stuff.
Essexboy is still waiting for the log.  8)
« Last Edit: April 15, 2011, 10:16:52 PM by Steven Gail (aka Zyndstoff) »
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

rlakritz

  • Guest
Re: Can't "Fix"
« Reply #41 on: April 15, 2011, 10:17:04 PM »
I thought I had already posted the OTS log.  Here it is again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Can't "Fix"
« Reply #42 on: April 15, 2011, 10:26:01 PM »
Your hosts file was also hijacked - so let's remove these few bits and see what problems remain.  This fix may take a bit longer than normal as your temporary folders are a bit full.  When OTS runs you will lose your desktop and taskbar as it will kill all processes; this is normal  ;D

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: "ProxyEnable" -> 1
YN -> HKEY_CURRENT_USER\: "ProxyServer" -> http=127.0.0.1:25384
< HOSTS File > ([2011/04/14 14:41:49 | 000,002,130 | RHS- | M] - 247 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "AdobeUpdater" -> ["C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe" -> [C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe:*:Enabled:Best Malware Protection]
[Files/Folders - Created Within 30 Days]
NY ->  BMHQP -> C:\Documents and Settings\All Users\Application Data\BMHQP
NY ->  80888d -> C:\Documents and Settings\All Users\Application Data\80888d
[Files/Folders - Modified Within 30 Days]
NY ->  PC Health Advisor Defrag.job -> C:\WINDOWS\tasks\PC Health Advisor Defrag.job
[File - Lop Check]
NY ->  80888d -> C:\Documents and Settings\All Users\Application Data\80888d
NY ->  BMHQP -> C:\Documents and Settings\All Users\Application Data\BMHQP
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.
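Added example (not part of the thread, and not code from OTS or Avast): a Python check that looks for the three hijack indicators essexboy's fix above removes, namely an enabled IE proxy pointing at 127.0.0.1, hosts-file entries pinning domains to loopback, and a firewall exception for an executable living under Application Data. It runs over constructed sample data modelled on the OTS listing; the registry line format, the sample domain names and the second firewall entry are assumptions.

```python
import re

# Constructed sample input modelled on the OTS listing in the thread (values are
# illustrative): registry values as '<key>: "<name>" -> <data>' lines, plus a hosts excerpt.
SAMPLE_REGISTRY = [
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" -> 1',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" -> http=127.0.0.1:25384',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List: "C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe" -> C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe:*:Enabled:Best Malware Protection',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List: "C:\Program Files\Mozilla Firefox\firefox.exe" -> C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox',
]
SAMPLE_HOSTS = """# constructed hosts excerpt
127.0.0.1 localhost
127.0.0.1 www.avast.com   # security vendor pinned to loopback
127.0.0.1 malwarebytes.org
"""

# Folders a limited user can write to; legitimate programs are rarely installed there.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")

def check_proxy(reg_lines):
    """Return the proxy string if IE uses an enabled proxy on the local machine."""
    enabled = any('"ProxyEnable" -> 1' in line for line in reg_lines)
    for line in reg_lines:
        m = re.search(r'"ProxyServer" -> (\S+)', line)
        if m and enabled:
            # "http=127.0.0.1:25384" -> host part only
            host = m.group(1).split("=")[-1].split(":")[0]
            if host == "localhost" or host.startswith("127."):
                return m.group(1)
    return None

def check_hosts(text):
    """Return hostnames other than localhost that the hosts file pins to 127.0.0.1."""
    hijacked = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()   # drop comments, split on whitespace
        if len(fields) > 1 and fields[0].startswith("127."):
            hijacked += [h for h in fields[1:] if h != "localhost"]
    return hijacked

def check_firewall_exceptions(reg_lines):
    """Return (path, display name) of authorised firewall apps in user-writable folders."""
    hits = []
    for line in reg_lines:
        m = re.search(r'AuthorizedApplications\\List: .* -> (.+?):\*:Enabled:(.*)$', line)
        if m and any(p in m.group(1).lower() for p in USER_WRITABLE):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print("proxy:", check_proxy(SAMPLE_REGISTRY))
    print("hosts:", check_hosts(SAMPLE_HOSTS))
    print("firewall:", check_firewall_exceptions(SAMPLE_REGISTRY))
```

On a live machine the registry lines would come from an export of the Internet Settings and FirewallPolicy keys and the hosts text from C:\WINDOWS\system32\drivers\etc\hosts; any non-empty finding is worth a closer look rather than an automatic "infected" verdict.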

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Can't "Fix"
« Reply #43 on: April 15, 2011, 10:29:30 PM »
Okay, whilst essex is checking the log...:

A restricted account means that you do not have the same rights in performing operations on the PC. Malware attackers normally, most of the time, will have the same rights as the account that is used when the malware reaches the PC. So, when you catch a malware and are logged on to Windows with Administrator rights, the malware can do just about anything. Because it gets the same rights.

As an example, restricted users are not allowed to install software. Consequently the malware possibly attacking can't either - at least in most of the cases.

So you should have one account with administrative rights (just like the Judith & Yuda account) to install software.

And you should have a second one, a restricted one, to surf the web, use MS office, listen to music etc. You can work just normally, save documents etc...


PDF files are dangerous because the program used to read and handle them (Adobe Reader) is a rather poor program security-wise (or was a poor program, it is getting much better now). So malicious code can be placed easily in the pdfs and when you open them, the Reader will perform bad things, if it has the rights to - a good reason to be on a restricted account.  ;D
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

rlakritz

  • Guest
Re: Can't "Fix"
« Reply #44 on: April 15, 2011, 10:44:49 PM »
I ran the fix on OTS and then got a message to restart the computer.  It's taking a really long time to shut down and may be stuck.  Now what?