jholland1964 650 Posting Expert Team Colleague Featured Poster

Run another DDS scan and post the logs, it obviously isn't gone.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I downloaded Avira from their website; however, when I try to install it, it says I should manually uninstall Norton Internet Security, but it's not in my uninstall programs list.

Should I just continue with the installation?

No, most definitely not.
Go here and get the Norton Uninstall Tool for your product and run it first.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

After you run that and it's removed then do the Avira install. Be absolutely positive you use the Custom install so you don't take that Askbar and Webguard. You don't need either of those.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have two anti-virus programs on there:
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated*
AV: Microsoft Security Essentials *Disabled/Updated*

Your log shows TDSSKiller was run; do you have a log?

We need a log from MBA-M: fully updated, Full Scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please now run this program. Follow the directions to the letter. That is extremely important.

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have the TDSS Rootkit on there. Download and run this program http://www.bleepingcomputer.com/download/anti-virus/tdsskiller

To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection. If it does not say Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

After you do that then do this:

MBA-M was only a Quick Scan. Instructions are very clear, Full Scan must be done.
Please run it again, FULL scan please, have it remove everything found, then Reboot. Post back here with the logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The MBA application that I found in the link on the "Read Me before posting requests" post, after an analysis. I can't see a tab for the log.

Maybe I have the wrong program as it's the Reimage application? I could not see a download button for any other application. So, I'm assuming this is the MBA Program.

A screen shot of the application after analysis is attached.

You obviously downloaded the wrong program.

The program name you state is Reimage...it doesn't say Malwarebytes' Anti-Malware anyplace on it.

Download for MBA-M is plainly visible at the very top of the link from the sticky and it says that. Reimage is NOT at the top of the page. The Reimage is an AD for the Reimage program and IT is looked upon as a rogue program itself and their own website has a poor reputation. Get rid of that program ASAP!

Go back to the link in the sticky and read the page very carefully, it clearly shows right at the top of the page as Malwarebytes Anti-Malware 1.60.0.1800 Official Download For Malwarebytes Anti-Malware and immediately below those words you will see Download with two Majorgeeks download listings and one Internode for persons in Australia.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need to see the MBA-M log. That is essentially the easiest log to obtain from a program. Open the program, click on the Logs Tab and they are sorted by date. Find the one you ran, double click to open it and then go to the top, click Edit, Select All, Copy and come back here and copy/paste that log into a reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this one, same instructions.
http://www.winhelponline.com/exefix_xp.com

jholland1964 650 Posting Expert Team Colleague Featured Poster

Avira is absolutely MY choice. Without a doubt! It consistently scores in the top 3 on most independent unpaid testing. I recommend it highly.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download this file and save it to the desktop. If you can't download with the infected machine then use another clean computer, save the file on a flash drive and take it to the infected one and install from there.
http://download.bleepingcomputer.com/reg/FixNCR.reg

Double click on the file to fix the registry and after that you should be able to run programs normally. If it doesn't work, let me know.

jholland1964 650 Posting Expert Team Colleague Featured Poster

PP isn't here right now. Your log is clean. Thankfully.

To remove Norton go here and choose the correct Uninstall tool.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

Once you have done that come back and I can walk you through the install and configuration of Avira 2012 Free. It's an excellent av program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The Read Me First sticky is what we require. The date refers to when it was first posted; it IS kept up to date. No, there is no express version, all steps must be done, in order. If you have a problem with one, move on to the next. We need ALL the logs to be copy/pasted, NOT attached, we will not open attached files. After we see all the logs then we can advise the next steps needed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It keeps saying error when I try to attach the logs you have requested.

What keeps saying error? We don't want the logs attached, we want them to be copy/pasted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am seeing the same problem. While I don't yet know how to remove the damn thing, I have at least temporarily removed the 100% CPU part of the problem by executing "del c:\windows\system32\ping.exe & copy c:\windows\system32\mshearts.exe c:\windows\system32\ping.exe" from a cmd shell.

You have to do this in a script (I used a cygwin bash shell but a DOS .bat file should work too) as the virus program watches to see if ping.exe is deleted and creates a new copy fairly quickly - faster than I was able to match just with the file explorer.

Anyways, the result for now is that the virus program now starts mshearts (hearts) rather than ping which doesn't swamp my CPU and allows faster running of other stuff. BTW, running GMER right now which has detected a hidden/no-name module which I hope will be a big step towards getting rid of this problem.

You need to create your own thread. Help is not given to more than one person per thread.
You must begin by following our Read Me First sticky and post back in your own thread with those logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Easiest thing to do is erase your computer, back up what is important to you, then find somebody who can take care of the situation (I can).

This truly is not helpful. If you read the information posted by PhilliePhan this situation can very possibly be remedied by the steps he is outlining.

While it is possible that you could help the poster after he has erased his computer, I could also, but neither of us is likely in his location, so that isn't going to do the poster much good.

We rarely recommend a reformat of the computer if at all possible and it is recommended only as a last resort. By reading PhilliePhan's post alone one can tell that point has certainly not been reached in this case.

weeds2323, I strongly recommend that you ignore the advice given by skilly and do follow the instructions given to you by PP. He will lead you the rest of the way.

jholland1964 650 Posting Expert Team Colleague Featured Poster

But are all of these problems now gone?????

jholland1964 650 Posting Expert Team Colleague Featured Poster

"Do the symptoms I described, right-click disabled, etc sound like it was the trojans that were causing problems?"
If you no longer have any of those problems then yes, probably they were the cause. For the right-click problem, maybe, depends on what it was that you were right clicking. If it was only on web pages and not everything on the computer, some web pages are written to disable this ability on purpose to protect it from unauthorized copying of the page or items on the page. If it only happened on a web page then it was the page itself.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How do you normally connect to the internet, dial up, broadband, wireless? Do you know the names of the infections removed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You can try to save your files to a CD/DVD if you wish, an external hard drive, or a flash drive. But before they are put onto a new, clean and legal system each file must be scanned with an AV program and MBA-M to be sure they are not infected.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It does not terminate legitimate processes. It terminates malware running that stops legitimate programs from running properly. If there were none then it would have terminated nothing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just found out, my software isn't original. It is a copy my uncle had at work he used because the originals weren't there.

Well then I am sorry, but I cannot continue to assist. You need to get a legal, activated operating system installed for us to continue. The problem with having a "copy" of the operating system and one that is not legal is you will not be able to obtain needed critical and security updates for the system. Running a copy of the system from someplace else means that your system does not have its own product key, which it needs to have.

This may be, though I cannot say for sure, but may be the reason for your infections, the system is out of date. You need to get this system its own product code from Microsoft for it to be legal. If it is not the reason it will likely be the reason in the future.

Eventually other programs may also not be able to either be installed or updated because they require an up to date legal operating system and do check this before installs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you have concerns, then of course do not run Combofix and you need to actually find out IF the system is legal. If it is not legal then you are going to continue having problems until it IS legal.

I suggest that you go to and read all the necessary information on these pages.

http://windows.microsoft.com/en-US/windows7/How-can-I-tell-if-Windows-7-is-activated


http://windows.microsoft.com/en-US/windows7/Activating-Windows-7-frequently-asked-questions

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run combofix as instructed earlier.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download and run this program TDSSKiller

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

When the program opens, click the Start scan button. The scan time is very short (less than a minute). If the scan completes with nothing found, click Close to exit. If malicious objects are found, the default action will be Cure. Click on Continue. If suspicious objects are found, the default action will be Skip. Click on Continue. It may ask you to reboot the computer to complete the disinfection. If so, please do so. Normal mode if possible.

Post back here with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is working in Safe mode because whatever that missing file is probably isn't needed in safe mode.
Can you use Safe Mode with networking? Meaning you can be online in Safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well portions of all of those programs are running or at least were running when you did the DDS scan.

Let's try something else: do the following in normal mode:

go to this link and download ALL copies available of rkill, there are 7 of them, same file just different names to fool the infection processes if needed

http://www.bleepingcomputer.com/download/anti-virus/rkill

Save all to the DESKTOP

double click on the first rkill file and see if it will run.
When RKill is run it will display a console screen, a small black screen in other words; it will keep running until rkill has finished. When it is finished it will close and then should show you a log telling you what processes were ended.

After that do NOT Reboot but Update MBA-M and run another full scan with it; if it finds something, have it remove it of course, and then reboot the computer.
Post back with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One reason I asked if this was a legal copy of Windows 7. One of the files noted by MBA-M could indicate a pirated system.
Try to boot to Safe Mode and let me know.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes reboot. You have two anti-virus programs on there, parts of both running or attempting to run, Avast and MSE. The absolute rule is ONE anti-virus program should run or even attempt to run on a computer.
You also have PC Tools Spyware Doctor running and it too has multiple files running.
Pick ONE of those three and Uninstall the other two, I would recommend keeping Avast and removing the others.
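The rule in this post (exactly one anti-virus product enabled) and the DDS header lines quoted earlier in the thread (`AV: Microsoft Security Essentials *Disabled/Updated*`) can be checked mechanically. The following is an added example, not code from the thread or from DDS: it parses the `AV:`/`SP:`/`FW:` lines of a DDS log and flags the conditions the helper keeps raising, namely two enabled AVs, no AV at all, an AV with outdated signatures, and a disabled firewall. The sample header below is constructed for the example; product names, states and the DDS line format are assumed from what the thread shows.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the DDS header format quoted in the thread, e.g.
#   AV: Microsoft Security Essentials *Disabled/Updated*
# The "/Updated" or "/Outdated" part is optional (firewalls usually lack it).
LINE_RE = re.compile(
    r"^(?P<kind>AV|SP|FW):\s+(?P<name>.+?)\s+"
    r"\*(?P<state>Enabled|Disabled)(?:/(?P<sig>Updated|Outdated))?\*"
)

# Constructed sample (not a real log): two AVs enabled at once, as in this post.
SAMPLE_DDS_HEADER = """\
============== Pseudo HJT Report ===============
.
AV: avast! Antivirus *Enabled/Updated*
AV: Microsoft Security Essentials *Enabled/Outdated*
SP: PC Tools Spyware Doctor *Enabled/Updated*
FW: Windows Firewall *Disabled*
"""


@dataclass
class SecurityProduct:
    kind: str       # AV = anti-virus, SP = anti-spyware, FW = firewall
    name: str
    enabled: bool
    updated: bool   # False when DDS says Outdated or gives no signature state


def parse_security_products(log_text: str) -> List[SecurityProduct]:
    """Pull the AV/SP/FW product lines out of a DDS log."""
    products = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        products.append(SecurityProduct(
            kind=m.group("kind"),
            name=m.group("name"),
            enabled=m.group("state") == "Enabled",
            updated=m.group("sig") == "Updated",
        ))
    return products


def review_security_products(products: List[SecurityProduct]) -> List[str]:
    """Apply the thread's rules: exactly one AV enabled, signatures current, firewall on."""
    findings = []
    av = [p for p in products if p.kind == "AV"]
    enabled_av = [p for p in av if p.enabled]
    if not av:
        findings.append("NO-AV: no anti-virus product reported; one is required")
    elif not enabled_av:
        names = ", ".join(p.name for p in av)
        findings.append(f"AV-DISABLED: anti-virus present but none enabled: {names}")
    elif len(enabled_av) > 1:
        names = ", ".join(p.name for p in enabled_av)
        findings.append(f"AV-CONFLICT: more than one anti-virus enabled, keep only one: {names}")
    for p in av:
        if p.enabled and not p.updated:
            findings.append(f"AV-OUTDATED: {p.name} signatures not up to date")
    for p in products:
        if p.kind == "FW" and not p.enabled:
            findings.append(f"FW-DISABLED: {p.name}")
    return findings


if __name__ == "__main__":
    for finding in review_security_products(parse_security_products(SAMPLE_DDS_HEADER)):
        print(finding)
```

Run it on a pasted DDS log and the AV-CONFLICT line is the cue for the "pick ONE and uninstall the other two" advice; a log with no `AV:` line at all maps to the later post where only Windows Defender shows.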

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is no way any tool should take all night and only be at 37%. A piece of advice, never leave an online scanner running all night when you cannot be there to watch it scan. Stop that scan and run this tool.
Post back with the log:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Save the tool to the desktop. Shut down all other programs and then run that tool.
When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
After clicking Next, the utility applies selected actions and outputs the result.

A reboot might be required after disinfection.
Come back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Post that log also and I will check tomorrow.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need a lot more information, logs of removal programs used, names of the infections, locations of the infections, operating system, anti-virus program, firewall. Without all of that information we will not be able to suggest a solution.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We request that all logs be copy/pasted, not attached. Please copy/paste those logs and also the MBA-M log and we will be happy to assist.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still finding infections. Do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run ESET first.
Avast does not show as installed; it would have to be installed first. But wait until we see if any more is found before installing other programs, even an anti-virus program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, just checking. You don't appear to be running any anti-virus program but your log shows entries of file creations for both Avira and Avast.
An anti-virus program is a MUST, along with a firewall. The only security program showing is Windows Defender, which really isn't worth much and is not an anti-virus program.

Please run this online scan, have it remove everything found and post back here with the log it produces:

ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

jholland1964 650 Posting Expert Team Colleague Featured Poster

May I ask, are you running legal copies of Windows 7 and Microsoft Office?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks ok to me:cool:

jholland1964 650 Posting Expert Team Colleague Featured Poster

matthewh, When doing a search for your problem the first two links shown on the results page led to threads made by you for this same problem, word for word, at two other forums.

Since you have identical threads on this problem running at bleepingcomputer and malwarebytes.com I suggest that you continue at ONE of those. At MBA-M you have given more information than you have given here or at bleepingcomputer and without full information given helpers cannot offer proper assistance.

It is never advisable to post the same problem at multiple forums. Unless helpers "stumble" on this fact like I did you may receive conflicting advice and double or triple your problems if you follow all advice from all of the forums.

I am closing this thread here and I suggest that you continue at one of the others.

jholland1964 650 Posting Expert Team Colleague Featured Poster

This thread is 2 years old and now closed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We cannot assist unless we see some logs. Please follow the steps given in our Read Me First Sticky, those are the logs we need.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

In order to receive assistance we request that all posters read and follow the instructions given in our Read Me Sticky and post back here with all of the logs.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

It also said that I didn't have an active System Restore program running,

It isn't System Restore, it is the Recovery Console. Don't worry about it.
Plus, you are going to have to clean out System Restore once this is clean anyway.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, you need to follow the steps given in our Read Me First sticky and then post back with all the requested logs. Then we will be able to offer assistance.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

You will have to get her password from her as it is her program asking for a password.

For now skip that part and do the other steps that PhilliePhan has given you.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You should not have run Combofix without first being instructed to do so.
You cannot run the program again. Their information is very clear about this:

http://www.bleepingcomputer.com/forums/topic273628.html/page__hl__combofix

ComboFix is an Anti-Malware tool used by advanced malware technicians
specifically trained in its use.

Please DO NOT USE ComboFix on your own without supervision!!!

Run Combofix ONCE only!!

There are only TWO legal sites to obtain this tool and be guaranteed that it is an up to date version.

Where did you get your copy?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You failed to update MBA-M before the scan; that is a must. Since MBA-M releases updates multiple times daily, the absolute rule is to update before each and every scan, even multiple scans run the same day. An update may have been released while you were scanning. Your log shows Database version: 7622 and the current Database version is 8325. You need to update it and do the full scan again.
If you cannot get online using wifi, try plugging the internet cable directly into the computer and see if you can go online.

DO NOT use System Restore, this will not remove an infection and possibly make it that much harder to remove because system restore could possibly remove visible traces of the infection, but not the infection itself.
Leave System Restore alone.

A screen shot of items removed by Avira and MBA-M are not what we need to see, what we need to see are the logs created by both programs at the time of removal. Both are readily available within each program. Please look for those logs and post them both.

I do have to stress, since MBA-M found something with an out of date database there very likely is much more there, that program must be updated and run again.
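The two things the helper checks in every MBA-M log, the `Database version:` line against the current database number and whether the scan was a Quick or Full scan, are easy to automate. This is an added example, not code from the thread or from Malwarebytes: it reads the header of a Malwarebytes' Anti-Malware 1.x style log and reports a stale database or a non-Full scan. The sample log is constructed for the example; only the program version and the database numbers 7622 and 8325 come from the thread, and the exact header layout is assumed.

```python
import re
from typing import Dict, List, Union

# Constructed sample in the style of an MBA-M 1.x log header (not a real log).
# The version and database numbers are the ones quoted in the thread.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: 7622
Windows 6.1.7601 Service Pack 1

Scan type: Quick scan
Scanned objects: 182345
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Detected: 0
Files Detected: 2
"""

# Header fields worth pulling out; each regex captures one value.
HEADER_FIELDS = {
    "database_version": re.compile(r"^Database version:\s*(\d+)", re.M),
    "scan_type": re.compile(r"^Scan type:\s*(.+?)\s*$", re.M),
    "files_detected": re.compile(r"^Files Detected:\s*(\d+)", re.M),
}


def parse_mbam_header(log_text: str) -> Dict[str, Union[int, str]]:
    """Extract the header fields; numeric values are converted to int."""
    header: Dict[str, Union[int, str]] = {}
    for key, rx in HEADER_FIELDS.items():
        m = rx.search(log_text)
        if m:
            value = m.group(1)
            header[key] = int(value) if value.isdigit() else value
    return header


def check_mbam_log(log_text: str, current_db_version: int) -> List[str]:
    """Apply the thread's two rules: database must be current, scan must be Full."""
    header = parse_mbam_header(log_text)
    findings = []
    db = header.get("database_version")
    if db is None:
        findings.append("DB-UNKNOWN: no 'Database version' line, is this an MBA-M log?")
    elif db < current_db_version:
        findings.append(f"DB-STALE: log database {db} < current {current_db_version}; update and rescan")
    scan = header.get("scan_type")
    if scan is None:
        findings.append("SCAN-UNKNOWN: no 'Scan type' line")
    elif str(scan).lower() != "full scan":
        findings.append(f"SCAN-TYPE: {scan} logged, a Full scan is required")
    # Detections with an out-of-date database are the case the helper stresses:
    # the scan very likely missed more, so a rescan is needed regardless of cleanup.
    if header.get("files_detected", 0) and db is not None and db < current_db_version:
        findings.append("RESCAN: detections found with a stale database usually mean more is present")
    return findings


if __name__ == "__main__":
    for finding in check_mbam_log(SAMPLE_MBAM_LOG, current_db_version=8325):
        print(finding)
```

The current database number has to be supplied by the caller (the helper read it off the Malwarebytes site); the script only compares, it does not fetch.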

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you do get a response please post here with their recommendations.

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is no way to tell where DDS is hanging, nothing shows during the scan. Do you have your Norton, SpyBot and all security programs 100% turned off when running this scan?
Did you try it in Safe Mode? NOT safe mode with networking but Safe Mode, you never said. It will still do a full scan in safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Glad all is working well!

jholland1964 650 Posting Expert Team Colleague Featured Poster

http://www.bleepingcomputer.com/download/anti-virus/dds

Not a single file I see there that is a problem; a few may not need to auto start but there is nothing wrong with any of them that I can see. What one did Spybot say was bad?
Some are there because you have a Toshiba computer, occasionally programs like Spybot will not recognize those.

TOSHIBA Zooming Utility - allows "automatic" zoom feature in some applications, like IE, MS-Office, WMPlayer, Adobe-Reader and also desktop icons. Perfectly fine. Doesn't need to auto start but it is not a bad program.

DLA - C:\WINDOWS\System32\DLA\DLACTRLW.EXE >>Related to Sonic CD/DVD burning applications.

IntelZeroConfig >>>Related to Intel Corp. Zero Config MFC Application, part of Intel's ProSET utilities and installed by the drivers for many of Intel wireless network cards - essential to the proper functioning of many of the Intel ProSET utilities (but not all) and these System Tray ProSET utilities are a must if you are using your wireless connection, if only so you know when the signal is fading or dropping. **

NDSTray.exe>>> Related to ConfigFree Tray on a Toshiba laptop. Tray utility for their network switching application which permits switching network devices and settings with a click on the tray icon. While it is not required, for people who span multiple networks and want an easy way to go from wired to wireless and change addresses and other network settings, it's a must have **

NvCplDaemon>>>System Tray icon used to change display settings, change …