Can't "Fix"

[Zyndstoff (aka Steven Gail)]

So, as one thing I see is a modified hosts file as well - which does not come to me as a complete surprise.  

On the laptop use this MS-tool to fix the Hosts-file: TOOL

Download the file to disk and then run it.

Then please start hostsXpert and copy the text on the right side of the window and post it here, pls. There is a "copy to clipboard" command in hostsXpert somewhere, maybe in the "tools" or "editing" sections.
In case you need to download hostsXpert, here is the link: hostsXpert

Thx

[rlakritz]

Steven, I ran the Tools fix and downloaded HostsXpert.  When I opened the program I got this message:  "Hosts file does not exist. Press OK to create Hosts file. Cancel to Quit." What to do?

[Zyndstoff (aka Steven Gail)]

Create it, then copy and post. 

[rlakritz]

# Copyright © 1993-1999 Microsoft Corp.
# 
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# 
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
# 
# For example:
# 
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# 
127.0.0.1 localhost

[Zyndstoff (aka Steven Gail)]

Wonderful.  

This one is sorted out.

Since essexboy will be online in the evening only you will have to wait for a detailed analysis of your log, but I think it is looking quite okay so far.

I would suggest in the meantime:

• Do a quickscan mit Malwarebytes Antimalware (update it via it's GUI first!) and post the log here (just another quick look for me), but do not delete anything, just post the log.
• Go ahead and check / update your Avast (on the Maintenance tab click on "Update program")

I'm away for a meeting now, but I'll look at the MBAM log in an hour or so.  

[rlakritz]

See attached log.

[Zyndstoff (aka Steven Gail)]

That is clean so far, very good.

This entry
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action takenin the log refers to a PUM = potentially unwanted modification. This may have been done deliberately by the user or by some software and need not be bad.
This particular entry hides the search in the Windows start-menu.
You can delete it with MBAM if you wish or you can leave it this way, it is a harmless entry.  
If you haven't missed that start-menu entry until now - just leave it.



For further advice please wait for essexboy to look at your OTS-log.

Cheers
Zyndstoff

[rlakritz]

Will do. Thanks.  We'll see what essexboy has to say later on.

[essexboy]

Here I be  you also have a proxy setting and best malware hiding on your laptop - wave bye bye to them

There are also a few temporary files to go so it may take a little longerr than normal to complete the fix

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: "ProxyEnable" -> 1
YN -> HKEY_CURRENT_USER\: "ProxyServer" -> http=127.0.0.1:25384
< HOSTS File > ([2011/04/14 14:41:49 | 000,002,130 | RHS- | M] - 247 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe" -> [C:\Documents and Settings\All Users\Application Data\80888d\BM808_2112.exe:*:Enabled:Best Malware Protection]
[Files/Folders - Created Within 30 Days]
NY ->  BMHQP -> C:\Documents and Settings\All Users\Application Data\BMHQP
NY ->  80888d -> C:\Documents and Settings\All Users\Application Data\80888d
[File - Lop Check]
NY ->  80888d -> C:\Documents and Settings\All Users\Application Data\80888d
NY ->  BMHQP -> C:\Documents and Settings\All Users\Application Data\BMHQP
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

[rlakritz]

Hi there, essexboy. I'm in the middle of running the OTS fix and keep getting a notice that a certain file has been deleted or moved and asking if I want to create it.  I said yes to a couple but now see that there are about 150 more.  What should I do? Thanks.

[essexboy]

What is the name of the files ? A few examples will do

[rlakritz]

I can only see one at a time as they pop up. The next one up is 00EE9D56d01

[essexboy]

What is instigating the notice that the file is being moved ?   Is this while it is trying to remove the best malware folder BMHQP

[rlakritz]

I don't know what stage of the fix we're at.  The Paste Fix Here window now has 3 things listed:
[Empty Temp Folder]
[EmptyFlash]
[createRestorePoint]

The pop-up window says:

Copy Folder
The C:\Users\Susan\AppData\Local\Mozilla\Firefox\Profiles\chb...\00EE9D56d01 folder does not exist. The file may have been moved or deleted. Do you want to create it?

[essexboy]

Ah OK answer no to them all - as the main parts have run - it is just clearing the temps from the list it had in memory