PhilliePhan 171 Central Scrutinizer Team Colleague

I also wanted to add this:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FClickPotato

That's a fairly thorough enumeration of the changes this baddie makes to your machine (though they may vary for 64-bit OS). You might want to check and see if there is anything that you missed....

ClickPotato is not a particularly pernicious baddie - I probably wouldn't worry too much about it.

Best :)
PP

bolzebop commented: fast and friendly. +1
PhilliePhan 171 Central Scrutinizer Team Colleague

None of these problems above existed as of yesterday (1/25/2011), so between then and today, all of these issues surfaced.

I tried:

- Running Ad-Aware (LavaSoft) - Says system is clean
- Running Spybot - Search and Destroy - system clean
- Ran McAfee VirusScan 8.8.0i - nothing detected
- Tried Housecall 7.2 antivirus and get an error message: 1082108645:2
- Ran HijackThis for logs below:

I should add that some of the malware showing is stuff I have not seen for a few years. Can't imagine how your scanners would miss it....

Anyhoo, the steps in the linky I provided should get most of it and we'll deal with the remnants accordingly.
Let us know if you have any trouble with the steps in the linky.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope someone may be able to point me in the right direction. Thanks for your time and assistance.

At quick glance, there are some iffy entries in your HJT log.
Please follow the steps in the linky below and post the requested scanlogs:

http://www.daniweb.com/forums/thread134865.html

We are a bit short on help, but I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Makes me feel better to hear that it won't do that.
Thank you very much PP, I consider this solved :)

You're welcome - Happy to help :)

Over the years, the registry will collect tons of remnants from normal software and malware that has been uninstalled/removed.
Usually they are not a problem unless they consist of legitimate reg keys which have been altered such as security settings and the like.
Sometimes a malware "run key" will be left as a remnant and notifications will pop up on boot that say "suchandsuch.dll" could not be loaded. The actual malware has been removed, but it is still being called on startup. This is annoying, but not harmful - you just need to delete the reg key that is calling the previously removed malware component....


PP:)
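
The orphaned "run key" remnant described above can be spotted without a third-party tool. The PowerShell script below is an added example, not code from the thread or from any tool mentioned in it: it lists the Run/RunOnce autostart entries whose target executable (or, for rundll32 entries, the DLL) no longer exists on disk, and only reports them, leaving any deletion to the user.

```powershell
# Added example (not from the thread): report autostart Run/RunOnce entries whose
# target file is gone, i.e. the leftover "suchandsuch.dll could not be loaded" remnants.
# It only lists candidates; removing a value is left to the user after review.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry values are command lines; pull out the file that actually has to exist.
function Get-AutostartTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
    } else {
        $parts = $cmd -split '\s+', 2
        $exe = $parts[0]; $rest = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    # rundll32.exe <dll>,<Entry>: the DLL is what goes missing, not rundll32 itself
    if ([IO.Path]::GetFileName($exe) -ieq 'rundll32.exe' -and $rest) {
        if ($rest -match '^"([^"]+)"') { return $Matches[1] }
        return ($rest -split ',', 2)[0].Trim()
    }
    return $exe
}

# A bare file name (no directory) is resolved roughly as the loader would: System32, Windows, then PATH.
function Test-TargetExists {
    param([string]$Target)
    if ([IO.Path]::IsPathRooted($Target)) { return (Test-Path -LiteralPath $Target) }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        if (Test-Path -LiteralPath (Join-Path $d $Target)) { return $true }
    }
    return $false
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Read the raw value; expansion is done in Get-AutostartTarget
        $value = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if (-not $value) { continue }
        $target = Get-AutostartTarget $value
        [PSCustomObject]@{
            Key    = $key
            Name   = $name
            Target = $target
            OnDisk = Test-TargetExists $target
        }
    }
}

"All autostart entries:"
$report | Format-Table -AutoSize
"Orphaned entries (target not found on disk; review before removing):"
$report | Where-Object { -not $_.OnDisk } | Format-Table Key, Name, Target -AutoSize
```

Run it from a normal PowerShell prompt; HKLM keys can be read without elevation, and nothing is modified.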

PhilliePhan 171 Central Scrutinizer Team Colleague

I read that it can come back if it stays in your registry

No - that's not going to happen.

But, if it makes you feel better, you can still rip them out of there.
-- If you are going in manually, just rightclick those and delete them.

Or, download the attached Fix.txt to the desktop,
-- Rename it Fix.reg
-- Doubleclick it and allow it to merge into the registry

That ought to take care of it.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My hubby's friend took the PC and he's fixed it. If I have any more problems, which I hope I don't, I will let you know.

Glad to hear it!

Thanks for letting us know you got it sorted out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope you can help me out :)

How do you find the stuff in the registry? (does it show on a scanner or do you go in manually?)

Try this:
Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type Potato and Click OK.

You’ll need to save the log that pops up in Wordpad and then submit it for me. We can use that to pull out any remnants.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was able to download to CD and load everything onto my laptop. After 3+ hours of scanning there were over 150 infected files - all successfully removed! Thank you for the great help!!

Glad to hear it!
Happy to be able to point you in the right direction :)

I'd still recommend running the other tools in the linky below and posting the logs just in case there is anything remaining:

http://www.daniweb.com/forums/thread134865.html

'Course, that's up to you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 Reg: System.ini: UserInit=userinit.exe
That's not been there before. Fixed that and ran a boot time scan with avast, which found nothing. Ran HT again and there's a lot of services with (file missing), is this normal? Other than that the laptop seems fine.

HijackThis has issues with 64-bit Windows and that O23 (file missing) is one of them. That is usually not the case.

-- RE: F2 Reg: System.ini: UserInit=userinit.exe
No worries there - that's valid. The entry looks a bit different for 64bit as opposed to what we are used to seeing:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

For your malware scare, I'd suggest a run of MBAM as per the linky below:

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please can someone help with the above? Here is my HijackThis report:

Please follow the linky below and post the requested scanlogs:

http://www.daniweb.com/forums/thread134865.html

We're a bit shorthanded at the moment, but somebody will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I get the report log which I posted below. Will that help?

Yup - that's what we were looking for.

Looks OK to me. Better safe than sorry, I guess.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

is there a specific site you recommend?

Actually, there is:

HDD Doctor Removal

See if you are able to follow the detailed steps in the linky above.

-- Please post the MBAM Log for me and let me know if you have any trouble along the way.
Often, when a machine is infested with one piece of malware, there is more malware present - so there are a couple other scans I'd like to try after this initial removal.

Will try to check back later tonight.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

How can I rid my computer of this??

Hi Skygirl,

-- I'm assuming you've got another compy handy that you are posting from?

-- Do you have a USB Flash Drive that you can use to transfer a few cleanup tools to the ill machine? If no flash drive, burning them to CD will work.

Let me know and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

That's what is weird, I never said to delete anything while it was running GMER but hey, I'm not going to complain.

As crunchie alluded to in his earlier post, there is a process involved with removing items with GMER that calls for specific user action. You'd know it if you did it.

I still suggest a run of TDSSKiller.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Weird. Perhaps your AV/AM services decided to work. But usually they say they've killed something.
Those logs appear clean.

I think running one more tool is warranted here:

Please download TDSSKiller.exe to your Desktop.

-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Likewise, TDSSKiller may tell you a Reboot is necessary for the cure to take effect. Press “Y” or Enter when prompted to do so.

Once it finishes, please post the C:\LogIt.txt for us.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Those services could be removed manually and I bet that would expose other files to scans. You wanna do the work?

Maybe.
Maybe not..... I'd rather go with combofix first and see what remains and then have a whack at manual removal.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, I don't think this shell extension is approved, actually...

Indeed!

To be perfectly honest, I did not see any of those (other than the drivers) because I did not bother to look :)

The first thing I do any more - due to my time restraints - is look for suspicious drivers in the logs. If I see them, I request a run of Combofix and go from there.
If not, then I look at the rest of the logs....

-- Hey Gerbil: What do you think of running Avast! (or any other AV) with MSE? This isn't the first time I've seen this in a log....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm still getting an Internet Explorer message; when I open it, it states:
AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: unknown
ModVer: 0.0.0.0 Offset: 01582663

It looks like you've got some hidden baddies. Let's have a crack at them.

-- Also, it looks like you are using the tandem of Avast! and MSE. I have seen where that has been recommended - Normally I don't care for the idea of multiple AV apps, but I'm wondering how that works for you with regard to machine speed? (We already know it didn't catch this malware... ;) )

Anyhoo, please follow the instructions in the linky below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Try to refrain from using the infested machine until we can remove all this mess.
Will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Can someone give me guidance please.

Please run the tools in the linky below and post the requested scanlogs.
-- Post the MBAM log where it found baddies as well, please.

http://www.daniweb.com/forums/thread134865.html

We're a bit short on volunteers for a bit - I'll try to check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any ideas on this one.....?

S3 gel90xne;gel90xne;\??\c:\docume~1\roisin\locals~1\temp\gel90xne.sys --> c:\docume~1\roisin\locals~1\temp\gel90xne.sys [?]

2011-01-04 19:46:37 53248 ----a-w- c:\windows\system32\drivers\sst6BA.sys
2011-01-04 19:46:37 0 ----a-w- c:\windows\system32\drivers\sst6BA.tmp
2011-01-04 19:46:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\nJpCf06504

Do you know what these are?

At quick glance, these smell of Rootkit to me.

I imagine Judy will concur....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

What disk are you trying to boot from? Are you absolutely sure the disk is bootable?

^^^ What Rik said + did you check BIOS settings? Hit F12 at boot and make sure settings are right to boot from optical drive.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

any ideas are much appreciated as this is a last ditch effort before sending lappy off to Toshiba along with $100 U.S.

Get ahold of Phoenix and see if they can help you.... for free :)

Lappy can be tricky. The tried and true method used to be to remove the CMOS battery and let it sit until the residual charge has discharged. Much easier with a tower than a laptop.

http://www.youtube.com/watch?v=cg_wvp1YdSI

http://www.ehow.com/how_5268844_reset-phoenix-bios-password.html
http://www.computerhope.com/issues/ch000235.htm

Good luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My bad! I completely missed where you said that in the first place (doh!)

It's a shame you can't use a pen drive or something easy :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Rik,

I found this - I imagine if you work in a shop you'd have the needed ingredients:

- So I tried reinstalling with my desktop and it doesn't work. It will load the OS but it won't load into Windows.

- You can reinstall windows this way: If you have an external hard drive that accepts IDE drives.

What you'll need: External IDE hard drive and desktop DVD or CD-ROM.

How To:

1. Open up your external hard drive. Make sure it's an IDE connection.
2. Remove the IDE hard drive, power cable and IDE cable.
3. Remove your DVD or CD-ROM from your desktop.
4. Plug the power and IDE cable from your external to your DVD or CD-ROM.
5. Connect it to your tablet and boot from removable drives.


I just recently upgraded my hard drive to a 120GB 5400RPM and reinstalled with XP Pro. Works fine without any issues. I plan on ordering an XP Tablet Edition recovery soon.

Reinstall-Tablet-XP-OS-w-o-external-optical-drive

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

think that's a good idea?

Without looking at it, I really can't say.
I'm fairly certain the key is at fault here - I'd probably pop out the key pad and poke around ('course I'd probably do more harm than good ;) ).

You might want to try to disable the F1 hotkey first to confirm the diagnosis. I cannot remember how to do it off the top of my head, but I imagine a quick Google search could find the procedure.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any other ideas before I completely open up the laptop to clean the insides?

Sounds to me as though your F1 key is stuck/sticky.

You could mash it a bunch of times to see if that "un-sticks" it - or shows some improvement in the frequency of the help pages opening up - but I suspect you'll probably have to pull the keyboard and clean it thoroughly.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Trampaw,

Let's try something a bit easier:

Download the attached Look.zip.
RightClick it and extract Look.bat from the ZIP.

DoubleClick on Look.bat to run it. Let it run - shouldn't take more than a minute.

A text log will pop up - please copy and paste that here for us.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


Yes, Avira is also very good, but in comparison to AVG... it pales a tad.

Don't let Judy hear you say that! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh well, I did as much as I could as a friendly neighbor.

Thanks for your help!

Yeah - it's good of you to try :)

Hopefully the shop can get him sorted without losing important data.

I was going to say that, if you can boot the recovery disks, you should also be able to boot a Linux live CD and use that to copy all of his important info to an external drive.
It is VERY easy...... Providing you have an external drive. A shop might charge an arm and two legs to do that.

The CD is FREE and easy to create and I can talk you through it. Something to consider if you don't want to give up just yet or you want to take a stab at backing up the data before putting the compy in the shop.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I just found out that mdnsresponder.exe is residing in "windows prefetch" as "MDNSRESPONDER.EXE-02F30C6F.pf". I don't have enough knowledge to tamper with system files. What would you advise?

If you now do not have the actual program on your machine and you never plan to use it again, there is no reason to have (portions of) it in prefetch.

Delete it.

Or, leave it alone. Eventually Windows ought to remove it automatically due to lack of use.

PhilliePhan 171 Central Scrutinizer Team Colleague

Not sure if I can, but we can consider this thread closed.

Are you able to copy his important data to external drive?

In your first post, you said you could run the recovery CDs - If you can do that, there should be no reason to take it to the shop just yet.
That's why there was a bit of confusion on my end - figured you had a bit more functionality.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You can see from my answer below to Rik that I should have tried that. Thanks a lot.
By the way, the Gizmo application is not active anymore.

I've been posting in forums long enough not to assume anything not explicitly stated. I saw that you should have tried it - didn't know if you did. :)

Sorry.

BTW - That link is still good for TurnOffBonjour.

Also

Were you able to rename mdnsNSP.dll?

PhilliePhan 171 Central Scrutinizer Team Colleague

Were you able to rename mdnsNSP.dll?

Did you try this?

Gizmo Project has created a small tool TurnOffBonjour.exe that turns off and removes Bonjour service. However, it will not remove the Bonjour folder from Program Files. You will still need to manually delete the Bonjour folder after restart. The reason why you’re advised to delete the folder after restart is in case there’s a problem, the Bonjour files are still there for you to restore.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any other suggestions that might work?

You might also try this tool to ID the program responsible for the problem:

http://windowsxp.mvps.org/temp/GetOpenClipboardWindow.zip

Extract it from the ZIP and run it - let us know the results.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I will have to take a look at ERUNT! :)

ERUNT was recommended to me years ago as a replacement for System Restore - Great little tool. Many malware forums use it to back up registry before digging around.

-- I've kinda re-evaluated my position on registry cleaners. I think that as long as one knows what he is doing, there should be no problem. It's the average user I worry about who will run this and have it remove 1000 items without looking and then a few days later be all confused when Media Center or Office start misbehaving....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Perhaps backing it up might be an idea if you are unfamiliar with ccleaner tho!

Or any other registry cleaner for that matter.

Anybody who blindly clicks "fix" (on any tool) is asking for trouble :)

I trust that you know what you are doing, but I doubt you fire up each and every program on a compy after cleaning the registry.

I use CCleaner too - mostly after uninstalling software to catch the remnants - but I (and probably you as well) pay close attention to what it finds and I uncheck a couple of the default settings (missing shared .dlls springs to mind).

-- I generally recommend ERUNT to back up the registry - Free and easy to use.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Funny, I've used Norton for quite a few years and have never had a problem with it....

Like you say, you practice Safe Computing - That is a huge factor in keeping malware-free.

I am not rabidly anti-Norton. We've all got opinions and this is mine:

While the protection Norton offers is fairly solid, I do feel it is a bit bloated and a bit of a resource hog. It has been that way for as long as I remember.
And, I do not think it stacks up to the Kaspersky Suite - that is the cream of the crop IMO. Even the free Comodo suite matches up well.

'Course everybody is going to have their own experience and opinion. In the interest of full disclosure, I dumped Kaspersky a few years ago and went with the free Avira. I'm poor and malware doesn't scare me ;)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My question is, can anyone recommend a decent FREE antivirus program that will work with windows 7 64bit?

Hey Rik,

Did you try Avira? That would be my recommendation.

Comodo is probably good, too, but I know that they've had some problems with their firewall and Windows 7 64-bit. So, I'd avoid that and just try the AV.

Avira had some issues about a year ago - something to do with chkdsk I think, but they have since been addressed. As far as a free solution, that'd be my choice.

I prefer Avira to AVG and Avast! for all OS.....

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Downloading and running CCleaner should help too! Run the registry cleaner several times until it finds no issues!

If you do run a registry cleaner, make sure you back up the registry before doing so - or you might end up wishing you had.
CCleaner should still give you the option to back up before removing issues.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Title says it all..... help me clear what startup files I need and what I don't!! Thanks

Honestly, you could dump ALL of those, if you wanted. Only you know which of them you "need." You could run HijackThis and remove them all and try that for a bit and see if you miss any of the functionality. If you do miss some functionality, just restore the ones you want to keep.....

You may want to check out Black Viper's Site, as he is the guru when it comes to running only the bare necessities.

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I read that Norton antivirus+ other things was better than McAfee that costs more. After I do a Norton initial scan with quick or complete scan, I always get 4 threats detected and 4 resolved. I can never get 0 threats detected. Is this normal or what is wrong?

Like Judy said, that's not enough info to go on.
If you could say what those 4 items are or post the log, that'd be best.

Could well be a heuristic detection or an FP of legit software. Running the tools in the linky Judy posted is a good idea - Just to be on the safe side.

-- RE: Norton vs. McAfee..... I'd choose neither. If you are going to pay for AV, I recommend the Kaspersky Internet Security suite. Most bang for the buck!

Heck, there are free options I prefer to Norton / McAfee.

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Cheers PP, that's a big help. I was having thoughts it might have been a trojan or the like, as I have had recent viral trouble too.
Frimpage.

Great!

Though, if you've had some malware, you might want to run the linky below and post the results:

http://www.daniweb.com/forums/thread134865.html

A lot of the baddies today are well-hidden and "stealthed," so a second opinion might be warranted....

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Nevermind. Everything's good now. Thanks.

Outstanding!
Glad you got it sorted.

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

What do I do next after I do that?

Well, you have to boot it up and it will behave like the XP setup disk - you'll get a list of options, except that the only one that will work is "Press R" for recovery console.

From there, we are going to be limited to a command prompt and some DOS commands.
It's enough to get the job done, providing that everything on the ill computer is where it is supposed to be. Otherwise, we'll have to deal with error messages and that can be a pain.

Honestly, finding a way to get Ubuntu to boot properly would be waaaay easier - especially if we need to poke around for other problems.

Try downloading and burning an older version ---> http://releases.ubuntu.com/karmic/ubuntu-9.10-desktop-i386.iso


-- But, if you've got the RC.iso burned, boot it up and hit R when prompted to do so and see if you get the command prompt. If that works, we can try copying NTFS.sys and see if that works.
If it doesn't work, we'll need Ubuntu. There are some other options, but I am comfortable using the 'buntu live CD.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

While looking through my computer I discovered that Vista has doubled all my photos, and put them in a hidden folder for each picture.
Why is this happening and how do I stop it from happening again?

This is an issue with Vaios.

If your compy is a Vaio, check this out:
http://social.answers.microsoft.com/Forums/en-US/vistamedia/thread/89a50671-eca9-4fd5-9c63-1d68eff17e32

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . Nothing jumps out at me, though the DDS is missing a lot of info.

Let's try the easy way:

Click START > Control Panel > Administrative Tools > Services
Look for the Themes service and make sure the Status is Started and the Startup Type is Automatic.

Then, RightClick the Desktop and select Properties > Themes and make sure it is set to Windows XP.

If it is not there, choose Browse and navigate to C:\Windows\Resources\Themes\Luna.theme and set this as the theme.

Let me know how that shakes out. I'll be back Friday evening EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Go through each and every one of those downloads?

The MBAM and DDS steps ought to suffice at the moment - We'll see what they have to show us before going further.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Tried that. Never had anything restored before it happened, because I didn't know much about System Restore.

Try running the scans in the linky I posted and copy&paste the requested scanlogs for us and we'll have a look.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Do I have to go to the computer repair shop to see what's happening?

Probably not.

Try a System Restore back to a point before the problem started.

Even if that restores things to "normal," I'd suggest running MBAM as per the linky below:

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I could also tell how easy it was to use Ubuntu ...but I guess nothing goes easy for me these days...

I know how that goes.

With Ubuntu, we could copy and paste NTFS.sys from servicepackfiles to where it needed to go.

Anyhoo, see if you can burn RC.iso the same way you burned Ubuntu and hopefully we'll have better luck.

PP:)