PhilliePhan 171 Central Scrutinizer Team Colleague

....... which a friend is going to do for me as I do not have the Windows XP program plus the other programs that I had installed on there.

That is not a good idea because, in essence, you will be pirating Windows and if you and your friend are sharing the same product key, you'll not be able to get the critical patches from M$ and you'll likely get re-infested quickly.
Windows updates are the first line of defense against malware and you won't be able to get them.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I did try to do a system restore when this issue came up and it wouldn't let me. The computer wouldn't let me do a lot of things so I just figured it was related to the sickness that the terminal had.

That could be the case because you had viable points set up to the 3rd of December.
Can you do a System Restore now? (to the point that was created when you turned it off and back on)

Judy has found a couple links that point to this as being related to Norton's "tamper protection."
http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=9633

http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013

Maybe disabling the Tamper Protection will head off the System Restore errors, but I wonder what that will do to Norton's effectiveness?

I guess that's something you'll need to weigh.... It might be better just to turn off System Restore and use ERUNT instead, as I suggested before. At least for as long as you stick with Norton.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Can I delete all the files and folders I put on my desktop or are we going to need these some more?

Yes - you can delete them.
Did you run Combofix /uninstall?

-- I should add that you should update Adobe and Java (and anything else that needs it) on all your other computers. Keeping up to date is the first line of defense.

I would like to turn off system restore and turn it back on and see about that error. Where would I find that error?

Well . .. In some cases, when you try to turn it back on, an error message will pop up saying that it is unable to monitor the drive.
If that doesn't happen, you'll need to check the event log.
http://support.microsoft.com/kb/308427

Your logs show Restore Points being set up until 12-3. Then comes the Norton message (haven't had time to check that out yet. Sorry - time is hard to come by).
I am not sure if this is due to the malware or solely a Norton thing. What bothers me is that you probably wouldn't know it had happened until you tried to use System Restore...

Frankly, I do not care much for Norton - It does the job, but is bloated and a resource hog. Should your subscription lapse, I'd suggest Kaspersky Internet Security 2010 as a better alternative. But that's just my opinion ;)

Thanks for your …

PhilliePhan 171 Central Scrutinizer Team Colleague

Viewpoint Manager (Remove Only)
I am not sure why you worded that one differently. Just like the others on the list I should remove all those, right?

That's just the way it is listed in Add / Remove programs.
That one is not a big deal - not really malware. Rather, it is considered "foistware." Put there without your consent....

The other two definitely need to be replaced with updated versions.
With the Java, you especially need to remove older versions because Vundo can still exploit them even if you have the new version installed as well....

Also,
12/6/2009 7:34:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
Where do I find this when I call Norton? I have been on the phone with them daily with other issues I am having on my server. I would like to show them I am also having problems on my client computers as well as my server.

I would imagine if you read them that error message they could reference it.
The fact that the file name starts with Sr could indicate something that deals with System Restore monitoring, but that is merely a guess.
That error also occurred in one of Judy's threads here as well, so we are going to look into it. I hope to have some time this …
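The "remove every older Java" advice above is easy to get wrong by hand because the installed-program names change style between releases ("J2SE Runtime Environment 5.0 Update 3" versus "Java(TM) 6 Update 15"). The helper below is an added example written for this page, not a tool from the thread: it normalises those display names (and the older "Java 2 Runtime Environment, SE v1.4.2_03" style, which is a constructed sample, not from this log) into one comparable key and lists every runtime older than the newest one installed. The program list is constructed and embedded; on a real machine you would feed it the names from Add / Remove Programs or the DDS Attach.txt listing.

```python
import re

# Constructed sample: the two Java entries from this thread, a made-up older-style
# entry, and two non-Java programs so the filter has something to skip.
SAMPLE_PROGRAMS = [
    "Adobe Reader 7.1.0",
    "J2SE Runtime Environment 5.0 Update 3",
    "Java(TM) 6 Update 15",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "iTunes",
]

JAVA_NAME = re.compile(r"^(?:J2SE|Java)\b", re.IGNORECASE)
DOTTED = re.compile(r"(\d+(?:\.\d+)+)(?:_(\d+))?")   # 5.0, 1.4.2_03, 1.5.0_06
UPDATE = re.compile(r"\bUpdate\s+(\d+)", re.IGNORECASE)
FAMILY = re.compile(r"\b(\d+)\b")                   # "Java(TM) 6 Update 15"


def java_key(program_name):
    """Map a JRE display name to a comparable (family, update) tuple, or None if not a JRE."""
    if not JAVA_NAME.match(program_name):
        return None
    m = DOTTED.search(program_name)
    if m:
        parts = [int(p) for p in m.group(1).split(".")]
        # Old "1.x" numbering: 1.4.2 is the Java 4 family, 1.5.0 is Java 5.
        family = parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]
        update = int(m.group(2)) if m.group(2) else 0
    else:
        m = FAMILY.search(program_name)
        if not m:
            return None
        family, update = int(m.group(1)), 0
    u = UPDATE.search(program_name)
    if u:
        update = int(u.group(1))
    return (family, update)


def stale_java_runtimes(program_names):
    """Every installed JRE older than the newest one present (each still carries its old bugs)."""
    keyed = [(java_key(n), n) for n in program_names]
    keyed = [(k, n) for k, n in keyed if k is not None]
    if not keyed:
        return []
    newest = max(k for k, _ in keyed)
    return [n for k, n in keyed if k < newest]


if __name__ == "__main__":
    for name in stale_java_runtimes(SAMPLE_PROGRAMS):
        print("remove:", name)
```

Run it on the sample and it names the 5.0 Update 3 and 1.4.2_03 runtimes while leaving 6 Update 15 alone; that is the same list JavaRa's "Remove Older Versions" would act on, but you can see and check it first.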

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Scott - Everything looks pretty good. Just a couple things left to do.

You should go into Add / Remove Programs and Uninstall these:

Adobe Reader 7.1.0
J2SE Runtime Environment 5.0 Update 3
Viewpoint Manager (Remove Only)
Viewpoint Media Player

Then, download and install the updated and more secure Adobe Reader 9

Also, please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

Keeping your Java up to date will lessen your chances of getting hit by more Vundo....


Also, this bothers me a bit:
12/6/2009 7:34:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

It looks like Norton is interfering with System Restore monitoring ability. I think you should address that - I'm not all that familiar with Norton (much too bloated IMO). That might be something you'd need to take up with them. You definitely …
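One detail worth pulling out of that event before calling Norton: '0xC0000043' is an NTSTATUS value, and that particular value is STATUS_SHARING_VIOLATION, meaning another process had 'SrtETmp' open without sharing when the System Restore filter tried to work on it. That fits the tamper-protection theory discussed in this thread, but it does not by itself say which process held the file (a handle viewer such as Sysinternals Process Explorer would). The script below is an added example for this page, not a tool from the thread: it parses event lines in the format the log above uses, picks out the 'sr' filter errors, and decodes the NTSTATUS severity bits. The sample is constructed from the thread's own error line plus one made-up informational event.

```python
import re
from datetime import datetime

# Constructed sample: the sr error quoted in this thread plus a made-up
# informational event so the filter has something to ignore.
SAMPLE_EVENTS = """\
12/6/2009 7:30:11 PM, information: Service Control Manager [7036] - The Example service entered the running state.
12/6/2009 7:34:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
"""

# "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
SR_RE = re.compile(
    r"unexpected error '(?P<code>0x[0-9A-Fa-f]{8})' while processing the file "
    r"'(?P<file>[^']+)' on the volume '(?P<volume>[^']+)'"
)

# NTSTATUS layout: bits 31-30 severity, bit 29 customer, bits 27-16 facility, bits 15-0 code.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
# The only value this example names; it is the standard STATUS_SHARING_VIOLATION.
NTSTATUS_NAMES = {0xC0000043: "STATUS_SHARING_VIOLATION"}


def decode_ntstatus(value):
    return {
        "code": value,
        "severity": SEVERITY[value >> 30],
        "customer": bool((value >> 29) & 1),
        "facility": (value >> 16) & 0x0FFF,
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events


def system_restore_failures(text):
    """Each 'sr' event that reports a filter error, with the NTSTATUS decoded."""
    out = []
    for ev in parse_events(text):
        if ev["source"] != "sr":
            continue
        m = SR_RE.search(ev["msg"])
        if not m:
            continue
        out.append({
            "when": ev["ts"],
            "file": m.group("file"),
            "volume": m.group("volume"),
            "stopped_monitoring": "stopped monitoring" in ev["msg"],
            **decode_ntstatus(int(m.group("code"), 16)),
        })
    return out


if __name__ == "__main__":
    for f in system_restore_failures(SAMPLE_EVENTS):
        print(f"{f['when']:%Y-%m-%d %H:%M}: {f['name']} ({f['code']:#010x}) on {f['volume']} "
              f"while touching {f['file']}; monitoring stopped: {f['stopped_monitoring']}")
```

The "stopped monitoring" flag is the part that matters for recovery: from that timestamp on, no new restore points are created on that volume, which is why you would not notice until you went to use System Restore.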

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Scott - that looks better.

Do you know what this is?
C:\ELEVATOR
What's in the folder?


Let's go ahead and remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

I'd also like to look to see if there are other minor cleanup items - things we need to update (Adobe / Java etc...) that otherwise would pose security risks. The Vundo on your machine may well have been a result of outdated Java, for instance.

So, please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into …

PhilliePhan 171 Central Scrutinizer Team Colleague

It appears everything is back to normal.

Not Quite! Still some baddies remaining - please do the following:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

-- Then, update your MBAM and run the Full scan in Normal Windows Boot and post the log for me.

Is there anyway to find out how I got this worm/virus? I would like to find a way to avoid this in the future. It was on one of my employees computers that this happened.

You had/have a healthy infestation of malware. Probably not from one source.
I imagine some was from "drive by" download of a rogue scanner.
The rootkit components are worrisome.

Honestly, in cases such as this, I usually recommend a reformat and reinstall of Windows. Especially on business computers with potentially sensitive data.
Even if all of the scanlogs show clean, you can never really be certain......

'Course, that isn't always a practical option. But, it is the only 100% effective option.

Please post the new scanlogs from combofix and MBAM for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I just got the correct service pack of xp pro on my desktop. I drag and drop on the iexplorer.exe icon and nothing happens. According to the instructions it should start to scan.
Am I missing something?

I'm not sure what you are referring to - You don't want to install a service pack. We need the appropriate Recovery Console download for your machine.

Most likely this one :
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en

Once the Recovery Console has been installed, you need to start combofix with this command:
"%userprofile%\desktop\combofix.exe" /KillAll

I got everything to run and I have a .txt log. should I post it?

YES! :)
I definitely need to see that!

Now I have a bigger problem. My good computer that is on the same network cannot get on the internet anymore and only my infected computer can access the internet. What could I have done to my good terminal?

Shut down the good computer for the time being - in a lot of cases, it is easily possible to infect one compy while trying to clean a second one. Just shut it down for the time being.

If that is not an option, please start a new thread for the second computer and we'll work both at once. We'll need separate threads to avoid confusion.

-- Can you run MBAM on second compy?
-- What OS is second compy?
-- Do you have Windows CD / DVD …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Scott,

-- So the Recovery Console installed with no trouble?

Open a command prompt and type:

"%userprofile%\desktop\combofix.exe" /KillAll

Note ---> ix.exe"<space> /Kil

Hit Enter and that should start combofix. If it still has trouble, try in Safe Mode ( assuming you can now get there).

Let me know how that shakes out.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I ran it until it finished but there is nothing really in the log. It just says finished.

Actually, that's good - no need to see it.

Are you able to move the renamed combofix to the desktop?
If so, please follow the steps in this linky to manually install the Recovery Console.

If combofix prompts you to start the scan, go ahead and say yes and follow the instructions in the linky from the top.
You'll need to disable any AV / AntiSpy tools on the compy prior to running combofix. If you are unable to update it, no worries - run it anyway.

Let me know how you fare. I'll need to see the combofix log, if it is able to complete successfully.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So I uninstalled MBAM and reinstalled it and I still get the same error. Is there any other way to get MBAM to install and run?

Let's try something different first:
Please Download Win32kDiag from a linky below and place it on the Desktop of the ill compy.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
Be sure to let it run until it says "Finished" before posting the log!

Also:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to iexplore.exe and then download it and see if you can place it on the Desktop of the ill machine.

Do not run it yet - just place it on the Desktop.

Let me know how you fare with these steps.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

FYI - baby is healthy baby girl!

That's great! Congrats :)

I can't run the file. I get a window that pops up that says my computer is infected and it can't run the file. Any other ideas?

-- Are you still able to transfer programs to the ill computer?
-- Are you able to get a command prompt on the ill computer?

Can you do this:
Download all four of these and place them on ill compy:
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe

First, run RKILL. You only need to run it once. If it runs successfully, a black screen will appear and then disappear.
If one doesn't run (you get error message) , try the next and so on until one runs.

Once RKILL runs, immediately start MBAM and do the quick scan. Remove what it finds and post the log.

Also, try this:
Please download and try to run http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please copy/paste that log in your next reply if possible.

Let me know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hopefully though there won't be a next time!

^^^What she said!!

Actually, though, in your case I think a reformat was the right way to go - I was just a bit leery of the homemade XP CD.

Glad it all worked out OK :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes, it is.

Do you have a utility on the compy to burn recovery media from this partition? It would probably be START > All Programs > Tools or Accessories, if not obvious....

That would be best, if you are unable to do a system recovery from that partition.

PhilliePhan 171 Central Scrutinizer Team Colleague

I will try to run this tomorrow night at some point........I think.

Thanks

Great - No rush.
I imagine you'll be pretty busy :)

I, or one of the other volunteers, will be happy to help once you are ready.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

D is a partition. Do I set it up the same as the C partition? I just need to know this last thing, then it's go time.

Do you need a second partition?

Is d:\ your original recovery partition?

PhilliePhan 171 Central Scrutinizer Team Colleague

They are inducing labor on my wife tomorrow so I might not get to reply for a couple days but at least you guys can give me some ideas for when I get the terminal in my hands again.

Congratulations :)

See if you are able to download the attached FindWPP.zip and Extract the FindWpp Folder from the ZIP to your Desktop.
In the FindWPP folder, you'll see RunThis.bat.
Run it, if you are able.
A log should pop up after a bit. Please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, I have my product key. Let's say I try my disk and something goes wrong; could I still buy a CD, or could the damage be so bad that my PC is ruined for good?

You're not going to ruin anything. Worst comes to worst, you can buy a legit OS CD and use that.
All you are doing is wiping the hard drive - no worries. If you run into problems with your current CD, wipe the HD again and use the new Windows CD.

Could you recommend a good free anti-virus program? Also, I noticed the site had nothing to say about my D drive. Couldn't malware hide in there? What am I supposed to do about that?

Try Comodo AV + Firewall

Is D:\ a separate drive or partition? If partition, wipe it. If separate drive, scan to be sure it is not infected.

The Boot and Nuke site said I should use Eraser for Windows. Is this necessary to remove the second copy of Windows?

Where does it say that?
If you run DBAN, it will wipe the drive and everything on it - doesn't matter how many copies of Windows are on it......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

To answer your question, yeah, I can burn an ISO on this computer, of course not the ill one.

I'd rather try a bootable recovery console, than the homemade XP CD, to be honest. Very leery of that.
With the recovery console, we could repair MBR and Boot.ini.
Unfortunately, my time is very limited these days.

Still, a reformat is the right way to go here, but, without a true Windows CD, the potential for error(s) is great.

-- Do you have a copy of your Windows Product Key? You'll need that.

And as for Safe Mode, last week or a little later I tried to go into Safe Mode and my computer restarted itself. I tried a few more times with the same result, so that's a no go.

I would've liked to know that a few days ago ;)
If combofix had run successfully, it'd have told us if the safeboot key was borked....

When all this started I figured I might have to reformat my drive, and I saved some stuff: movies, MP3s, a bunch of pictures (some packed in RAR and CBR format), and some programs. Can viruses, malware, whatever, hide in those files? I already know they can hide in the programs; I'm not going to use any of those, but what about the other stuff?

Your movies / mp3s / pictures are probably OK. You have to be careful copying executables and such.

Given that you copied i386 …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hang on for a bit and let me go over the thread and try to answer those questions :)

Will post them shortly.

PhilliePhan 171 Central Scrutinizer Team Colleague

Seems so, I won't know what to do with myself now, lol ... it is kinda sad :(

HA! I know - same here!
Hey - at least I learned some things along the way about Vista and Laptop touchpad sensitivity....... I'm sure they will come in handy down the road for people with similar issues!

Email (here or look on my blog info) me about the Christmas card and thank you again for all your time and patience. You have been very gracious. :)

I sent you a PM with my info.

You're quite welcome - I enjoyed the challenge!

Merry Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

O23 - Service: EAOVVXVITMQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\EAOVVXVITMQ.exe
O23 - Service: IHJRGEKFK - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\IHJRGEKFK.exe
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

These are Rootkit Revealer remnants - not baddies, but you'd think it'd clean up after itself a bit....

I'm really limited on time at the moment - what issues are remaining?

PP:)
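Those O23 entries are a good illustration of why the vendor column alone should never clear a service: six randomly named services all living in a user's Temp folder is exactly what a dropper looks like too, and here the only thing separating them from "baddies" is knowing that RootkitRevealer leaves such copies behind. The script below is an added example for this page, not something from the thread: it parses HijackThis O23 lines, flags any service whose binary sits under a Temp directory or whose random-looking name is mirrored in its own file name, and then groups the suspects by vendor string so the pattern (all from the same tool) is visible. The sample is the six lines above plus one constructed, ordinary-looking service as a negative case.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the six O23 entries from this thread plus a made-up,
# ordinary-looking service so the filter has a negative case.
SAMPLE_O23 = r"""
O23 - Service: EAOVVXVITMQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\EAOVVXVITMQ.exe
O23 - Service: IHJRGEKFK - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\IHJRGEKFK.exe
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe
O23 - Service: Example Updater (exupd) - Example Corp. - C:\Program Files\Example\exupd.exe
"""

# "O23 - Service: <name> - <vendor> - <image path>". The vendor field may itself
# contain " - ", so the path is recognised by its leading drive letter instead.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*?)\s*$"
)
TEMP_DIRS = {"temp", "tmp", "temporary internet files"}
RANDOM_NAME = re.compile(r"[A-Z]{3,}")   # all-caps letter soup, as in the entries above


def is_temp_path(path):
    """True if any directory component of the image path is a Temp-style folder."""
    return any(part.lower() in TEMP_DIRS for part in PureWindowsPath(path).parts)


def parse_o23(log_text):
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, vendor, path = m.group("name"), m.group("vendor"), m.group("path")
        flags = []
        if is_temp_path(path):
            flags.append("image in Temp")
        if RANDOM_NAME.fullmatch(name) and PureWindowsPath(path).stem.upper() == name:
            flags.append("random-looking name mirrored in binary")
        services.append({"name": name, "vendor": vendor, "path": path, "flags": flags})
    return services


def suspects(log_text):
    """Services that tripped at least one heuristic; the vendor string is deliberately ignored."""
    return [s for s in parse_o23(log_text) if s["flags"]]


def by_vendor(services):
    """Group service names by the vendor string so a common origin stands out."""
    grouped = {}
    for s in services:
        grouped.setdefault(s["vendor"], []).append(s["name"])
    return grouped


if __name__ == "__main__":
    for vendor, names in by_vendor(suspects(SAMPLE_O23)).items():
        print(f"{vendor}: {', '.join(names)}")
```

On the sample it reports all six Temp-resident services under the one Sysinternals vendor string and nothing else; whether that group is a tool's leftovers or a dropper is the analyst's call, which is the point of surfacing them together.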

PhilliePhan 171 Central Scrutinizer Team Colleague

I feel kinda dumb. ;) Thank you!

Well . . . . I didn't think of it either . . . .

Happy to have been of service :)

I feel a tinge of regret in saying this, but it appears the Ulysses of Daniweb threads has come to a close. (unless an unaddressed issue remains)

What do you think? Should we mark this one as "solved?"

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

What anti-virus software are you using? Also what operating system?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:46, on 29/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe. . . . . .

C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe


:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Just recently I lost the ability to go into Safe Mode.

-- What do you mean by that - what happens when you try?
(tap F8 on restart)

-- Don't panic just yet :)
While a reformat is generally best in these cases, I suspect you may run into problems without the proper Windows CD.

-- Are you able to burn an ISO for a bootable CD?

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You have been extremely helpful and very House M.D.-like, and I thank you. It is working much better than it was :)

You're welcome :)

-- I was talking to a friend and she mentioned she had a similar problem with her laptop cursor jumping around and it was due to her touchpad.
In your control panel / mouse settings, do you have the option to disable the touchpad when typing?
Or, maybe try TouchFreeze
See if that makes any difference.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It was at 17 hours. Is this normal?

Yes - That is normal. No worries. Just let it run and delete the baddies it is unable to neutralize.

-- Can you attach that Zip from AVPTool for me please.

Since combofix can't run and MBAM can't remove the baddies, I thought AVPTool would be the next best option.
If it doesn't get them, we'll have to manually remove them with an ARK tool.

-- When Judy had you run combofix the first time, did you install the recovery console?
-- Did you look in the Qoobox folder for combofix.txt?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I got the log, but before I get to that I've got a few questions. I've been looking around the net, and a few people with problems similar to mine have been told to disable System Restore because it could save infected files.

That is not the proper procedure. We like to operate under the assumption that "an infected restore point is better than none at all" in the event that the repair process goes awry and we need to take a step back.
We flush System Restore AFTER the repair process is complete.
-- Also, many of the cleaning tools we use will set restore points before they run for this very reason.

And also, I noticed more than a few files camp out in my Temporary Internet Files folder. Couldn't I just delete everything in the folder to make sure everything is gone?

Sure - or use a tool such as CCleaner or ATF-Cleaner....

I've spotted some suspicious stuff in the root of my C:\ drive, like a folder called qoobox, another one called pkbtemp with a 16 MB text file called syskeys, a file named w2ksect.bin and a hidden file named iph.ph w2ksect.bin. Now to the log; this was before I removed the infections.

Qoobox is a component of Combofix.
PKBTemp and Syskeys are components of FindWPP - they should have been deleted when you closed the logfile. You can safely delete those now.
w2ksect.bin is probably a component of …

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I did what you said and my computer still freezes when I connect to the internet, and I still can't run combofix. Here's the avenger log.

Did you reboot and try combofix?



If that doesn't work, let's try another powerful tool:

Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- AVP Tool will open.
-- Click the Manual Cure Tab
-- Click the Gathering system information Button and let it run
-- When it finishes, click the link “Open folder” to access the folder where the report is saved.

Please save the log and post it for me.


THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily.

Please post that for me.

Also, let me know if …

PhilliePhan 171 Central Scrutinizer Team Colleague

It has gone crazy, plugging my son's keyboard in and it worked initially, then did the same thing.
C:\Windows\Users\Auberey\AppData\Local\temp\Setup.exe
yesterday some of the tabs in my website program stopped working and it made me use keyboard shortcuts, then it quit letting me type at all so I restarted it and it was working ok, but it did the same thing this morning.

What's the setup.exe from?

At this point, I am not sure what to tell you - there are so many different areas to investigate that it would not really be feasible to do that in a forum setting.
The first thing I would look at would be the driver(s). Update/reinstall them.
Also, if it only occurs within a browser, I'd reinstall that as well.

Sorry I can't be more helpful - does House M.D. diagnose computers?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - Let's have a whack at this AVG:

Please download the attached RemAVG.zip and extract RemAVG.reg from the Zip to your desktop.
-- DoubleClick on RemAVG.reg and allow the contents to merge into the registry.

That ought to take care of that.

-- Any progress with the keyboard?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I stopped svchust and entered the command. Here's the log.

Great!

Now, do the Avenger step from post #57 and see if combofix will run.

Let me know how you fare.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am going to be away from the computer for a while, so I'll assume you were able to copy atapi.sys to C:\atapi.sys as in post #56.


If it is not still on the ill machine, please download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:



Files to delete:
C:\WINDOWS\svchust.exe

Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

** If you have to type the commands, please note the spaces.

If Avenger runs successfully, please give combofix another go. See if you are able to download a new copy via the ill computer now.

If you ARE able to download a fresh copy, do this:

If you already have Combofix on the ill machine, DELETE it.

Then follow the instructions …

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't tried this, but I know where my i386 is. Couldn't I just overwrite the bad atapi.sys file from there myself?

It may not allow you to do so. No worries - we'll do it a different way.

-- Open task manager and see if you can stop svchust.exe from running. Note the spelling.
Let me know.

-- Also, try this at command prompt:
EXPAND C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys

if that doesn't work, try:
COPY C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I've got to run, so I'll assume you can get a command prompt.

Let's do this:

Open a command prompt and type the following exactly as I have posted it. Copy and paste would be better so you don't miss any spaces. (If C&P is not an option on ill machine, you might want to copy and paste to notepad on your working machine so you can see the spaces better before typing them)
Obviously you want to hit ENTER after each line and, if prompted to delete or allow over-write, say yes. Let me know of any errors that come up:

TSKILL "svchust" /A

DEL /F C:\WINDOWS\svchust.exe

COPY C:\WINDOWS\I386\atapi.sy_ C:\WINDOWS\system32\drivers\atapi.sys

Now, see if Combofix will run. If not, try MBAM. If either runs, please post the log. Be sure to update MBAM before running, if possible.

If neither runs, REBOOT the ill machine and then try to run them again.

Let me know how you fare - I'll check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the log.

Well . . . I need to update that a bit LOL!

Anyhoo, I think it shows enough to get started.


Are you able to get a command prompt on the ill computer?
START > RUN > Type cmd OK

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It will be this weekend before I can get to it as I had to go out of town for work.

No worries! I'll be around.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Did it again and that was it...

Great - I'll post some removal steps late tonight or Monday to remove the AVG stuff from registry.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I do the Grisoft thing again?

Please do.

It will make removing it easier ( yeah - I know I'll probably regret saying that.....)

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan to the rescue!!!!

LOL!
I was trying to reply the other day, but I couldn't access the thread - got some sort of phpbb error (I think) . . .

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

[HKEY_USERS\S-1-5-21-4215972033-1050644244-1932678965-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Users\\Auberey\\Documents\\regedit for Grisoft.txt"

Is that the whole thing?

I figured there'd be more - no worries if not.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow! Very impressive.

Well . . . Unfortunately it is not very lucrative at the moment :)

which is why I was so happy to find Daniweb and that you and Crunchie were/are so willing to help.

Luckily for you, we are not nearly as overwhelmed as some other forums.
I have a friend who runs a popular forum and they are currently running 3-4 days between replies. At that pace, this thread would take a year to complete :)

Let's do this for the old Java:

Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you explain how a program can just block me from the internet and how to unblock it? I think I would have a better chance of success if I could run more than potentially outdated malware and spyware.

There are a number of different ways malware accomplishes this. Lately, modifications to legit files along with some rootkitted components seems to be the method of choice.

In your case, atapi.sys has been modified. We will need to address that as well as some other changes in order to allow combofix and MBAM to run.

I do not have a lot of time, but I'll try to get you guys back on track - these issues can sometimes be a bear. Sometimes they do not end well - If you are able, I suggest backing up important data (pictures / music / work product) if you have not done so already.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Nope, nothing is better. It just won't go away, and when I connect to the internet my computer slows wayyyyyy down or freezes. I hate this.

Are you able to download the attached FindWPP.zip and Extract the FindWPP Folder from the ZIP and place it on your ill computer?

If so, do that and then open the FindWPP Folder and run RunThis.bat (DoubleClick it).

Let it run for as long as it needs. A log will pop up - please post it for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I had tried this but it doesn't show up in my programs list, neither version does, sorry I should have said this before.

It shows in your DDS Attach log:
iTunes
Java(TM) 6 Update 15
Junk Mail filter update

Any trouble installing the updated version?

It is in the programs file....

No worries - we can deal with that. Did you try to delete it in Safe Mode?
We can just remove the associated reg keys and then pull it out - hopefully with no problems...

It's very long, so I am attaching it; if you'd prefer that I paste it, let me know.
It gave me an error when I ran the second one for Grisoft.

Attaching is fine - actually preferable in this case.
Please try again for "Grisoft" - Let me know if any trouble.

I haven't used word lately and have only been typing online, but yes, in Firefox too now . . . . Maybe it is a keyboard issue? I can live with it, it's just frustrating and I wanted to make sure it wasn't related to anything we've been working to resolve.

Honestly, these types of problems are rarely (directly) due to malware. Sometimes they are a resulting annoyance due to system instability after a malware infestation - but that is rare.

Usually it is a keyboard/mouse or driver issue.
Are you able to try a different keyboard?

If you want to use …

PhilliePhan 171 Central Scrutinizer Team Colleague

Things seem to be running fine. Did the restore delete? Anything else I need to do?

Yes - I think the machine is clean, but we should now make sure all the security measures are up to date.

The Kaspersky Internet Security Suite on the machine is usually solid. It should be updated. If she allowed the license to lapse and does not want to renew, we'll have to replace it with a free option.

Please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.

That will give me the info I need to make any recommendations.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am afraid I do not know how to "boot to safe mode"

Hi Richard,

-- What is the OS?
-- Are you posting from a clean computer?
-- Do you have a USB thumb drive?
-- Are you able to get a command prompt on ill machine?
(START > RUN > Type cmd > OK)
or
(START > RUN > Type command.com > OK)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Crunchie I am having the same problem with my internet browser google searches where they show the little green planet icon and then redirect me. . . . .

Hi anotherhour,

I split your post off into a new thread - please reply in this one.

Please provide the scanlogs requested in the linky below:
http://www.daniweb.com/forums/thread134865.html

Also, if you can attach any previous scanlogs from the scans you noted, that would be helpful.

Happy Holidays :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

what is the best way to delete the older versions of Java?

Just go into Add / Remove Programs and remove the old one - I think I saw only one old version.

It still came up and said that AVG was running, not sure what to do about that, I still have a file but it doesn't come up if I try to uninstall it.

What file?

Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type AVG and Click OK.
-- Then, run it again and search for Grisoft.

-- You’ll need to save the logs that pop up in Wordpad and then submit them for me.

Everything seems to be running pretty smoothly except that I still have the typing issue when typing on-line.

So, it's just online?
Does the problem occur in both Firefox and IE now?

Just in case we are done or about done, this is me http://puddleofcrumbs.blogspot.com/ in case you change your mind about a Christmas card or graphic.

I think we are about done - I'd like to take a whack at that AVG remnant and see if we can deduce the typing issue, though.

-- Wow, those look great! I especially like the penguin.
What sort of …
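The RegSrch step above, as an added example and not Bill James' tool: this PowerShell script does the same kind of read-only search for "AVG" and "Grisoft" across key names, value names and string data, and writes the hits to a log. The hive list and the log file name are my assumptions; it changes nothing in the registry.

```powershell
# Added example, not Bill James' RegSrch: a read-only search for key names,
# value names and string data containing any of the given terms, logged to a
# file on the Desktop. Run it from an administrator prompt; it changes nothing.
param([string[]]$Terms = @('AVG', 'Grisoft'))

# Hives where a leftover AV install usually lives (assumption; add more if needed)
$hives = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\Software'

$hits = foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_   # a Microsoft.Win32.RegistryKey
        foreach ($term in $Terms) {
            if ($key.PSChildName -like "*$term*") {
                New-Object PSObject -Property @{ Term = $term; Key = $key.Name; Value = ''; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$term*" -or $data -like "*$term*") {
                    New-Object PSObject -Property @{ Term = $term; Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

$log = Join-Path ([Environment]::GetFolderPath('Desktop')) 'regsearch.txt'
$hits | Format-List Term, Key, Value, Data | Out-File -FilePath $log -Width 300
"{0} matches written to {1}" -f @($hits).Count, $log
```

Review the log before removing anything: the Uninstall entries under HKLM\SOFTWARE are what Add / Remove Programs reads, and an orphaned one there is the usual reason a product still "shows" after its files are gone.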

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you, and Happy Thanksgiving to you as well.
Start > Run Combofix /u could not be found. I think I removed all the Combofix files though.
Files are backed up with Erunt.
I checked the system/driver files listed and found nothing.
Registry keys listed: I found the first folder system/UACd but none of the separate folders listed. The system/uacd folder could not be deleted but only contained (Default) REG_SZ (value not set), which also could not be deleted.

No worries!
These particular keys can be a real pain to remove, even when orphaned.
It won't hurt anything to leave them there - there are likely (many) hundreds of orphaned keys accumulated in the registry. I am leery about trying to rip them out forcibly again given what occurred the last time...

If you didn't see HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules key or any "imagepath" values, it would seem that those have been cleaned previously.

-- How are things running now?

If OK, let's Flush System Restore. Just turn it off and back on as noted in the linky.
If you prefer, you can leave it off and use ERUNT - 'Course you have to remember to do it or set ERUNT to run automatically.

PP:)