jholland1964 650 Posting Expert Team Colleague Featured Poster

Much, much better. Now update MBA-M and do another full scan with it. Of course have it remove everything found and of course post the log.
Progress is absolutely being made now and it won't be long until we're finished.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

this computer did some strange things while this was going on..it even downloaded something from microsoft for a restore point
That is normal, that is what it is supposed to do.


AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

You failed to follow this part of the instructions:

• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Turn off McAfee and then be sure to check the Task Manager for any of these; if you see any of them after turning off McAfee, end the process:
2.0.181\SSScheduler.exe
McSvcHost\McSvHost.exe
mfevtps.exe
mcshield.exe
mfefire.exe
mcagent.exe

Now that said, it appears that it did its work.
I would like to see a new DDS scan log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

My cookies are set like this.....(MEDIUM)
Blocks 3rd party cookies that do not have a compact privacy policy
Blocks 3rd party cookies that save info that can be used to contact you without your explicit consent
Restricts 1st-party cookies that save info that can be used to contact you without your implicit consent.

Where do you have these settings? I have never seen any that are that explicit.
Is it this link below?
http://25yearsofprogramming.com/blog/2008/20080624.htm
You need to read everything on that page and I don't believe that you have.
First Party cookies:
If (and only if) the website already knows your name, email address, or any other information that personally identifies you, they might choose to store that information in their cookie (they usually don't), but since only they can read the cookie anyway, it doesn't matter. Furthermore, they only have that information if you gave it to them (such as by registering on their site), so you probably wanted them to have it.

I was speaking about IE: note my attachment, which is the Advanced Setting spoken of on that link. All 1st party cookies are allowed. All 3rd party cookies are blocked.
Period. Session cookies allowed because those are the ones used for that specific browsing session which allows you to go page to page on various sites without losing your sign in or whatever is needed. Once you leave the website session cookies are deleted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Some odd things about your log, you only have 3 auto starting programs for one thing. When did you turn off all the others and what were they?
I also note the AT&T Internet Security Suite Service listed in Services. When did you uninstall this and how? It contains an av program and a firewall.
This URL blocking, are you certain this is coming from Avast? Avast is an anti-virus program not a firewall which would normally be what would be blocking URLs.

Do you have your cookies set this way:
Accept 1st party cookies, Block 3rd Party cookies, Accept Session cookies.

I would like you to do the ESET Online Scanner.

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I hate to say it because I rarely do, but yes, a reformat is likely the way to go if you are prepared to do so. It probably would be much faster than attempting to run all the tools, or find the proper tools which will run.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Post a HiJackThis system scan log for us.
http://free.antivirus.com/hijackthis/

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would advise you totally Uninstall AVG and install a truly good anti-virus program, either Avira Free or Avast Free. Both are much better programs and rated much higher.

http://www.free-av.com/ AVIRA Antivirus

or http://www.avast.com/free-antivirus-download AVAST AV

You have at least one P2P program on there, BitComet, the easiest way to get an infection.
Our policy here is very clearly stated in our Read Me First sticky: Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I’m just going to say this:

P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt.
Our regular volunteers' time is valuable and most are not willing to waste it on a machine that is almost certain to be reinfected in short order.
So, please remove or disable all P2P software for the duration of the cleaning process. Failure to do so may result in your thread being ignored.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I need to see the log done when MBA-M found the infections so I know what was found. I don't see an anti-virus program on the computer just several old anti-spy programs which would not be enough protection and really are out of date. You have some P2P programs or remnants of programs on there, they need to go. You have a very old copy of HijackThis on there version 1.99, this should be uninstalled then download and run the newest version, which is version 2.0.4. Run a system scan, save the log and also post it back here.
http://free.antivirus.com/hijackthis/

So post back here with the MBA-M log showing infections found and the new HiJackThis log and I can better tell you what you need to do. Your computer IS very much at risk.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you post the MBA-M logs when it found the infections? I need to see what all was found.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I tell you, the AOL stuff, most of it we can get rid of because it applies to dial-up connections and she still will be able to use AOL without difficulty but we will do that later.
I want you to do this:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Turn off McAfee and then be sure to check the Task Manager for any of these; if you see any of them after turning off McAfee, end the process:
2.0.181\SSScheduler.exe
McSvcHost\McSvHost.exe
mfevtps.exe
mcshield.exe
mfefire.exe
mcagent.exe
After that continue with the instructions below:
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh DDS log
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine …

jholland1964 650 Posting Expert Team Colleague Featured Poster

We prefer that the logs be copy/pasted not attached. How exactly are you connecting to the internet? You are showing AOL dial up and a broadband connection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since MBA-M found three more items you probably should run the ESET again just to be safe.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Turn that off for ALL of this. Try again

jholland1964 650 Posting Expert Team Colleague Featured Poster

You don't have anything set to go to sleep or hibernate do you, or screensavers, etc.?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No need to re-scan with the ESET online scanner; that would all be current if run today. Post the log. For HiJackThis we need to see a copy/paste of the actual log, not a snapshot of what you see.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, not so good. You didn't update MBA-M prior to this scan. You are still showing the database used with the first scan done 7 days ago. Current database is 5169. This is a key to using MBA-M, you absolutely must update the program prior to each scan, even if scans are done on the same day. The MBA-M people are constantly updating the database, they often have multiple updates in one day. Please update it and run the full scan again. Make this part of your routine when using the program, update first before you scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all you need to follow the instructions given in our Read Me sticky, yes you have posted the DDS log, but you have posted no other logs. MBA-M in particular.
You also have not done as instructed in 1A of the instructions:
1A – Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I’m just going to say this:

P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt.
Our regular volunteers' time is valuable and most are not willing to waste it on a machine that is almost certain to be reinfected in short order.
So, please remove or disable all P2P software for the duration of the cleaning process. Failure to do so may result in your thread being ignored.

Your log and uninstall list show the following P2P programs on the computer:
BitTorrent
LimeWire 5.4.8
Please uninstall these programs if you want assistance. They are very likely the reason you are infected.
You have grossly out of date Java installed along with the old version of HiJackThis.
The java we will worry about later.
You definitely have at least one serious infection on there, maybe more.
You need to remove the programs I noted. You need to update Malwarebytes' Anti-Malware and run a Full Scan with it. Have …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good enough Gary. Post the logs and I will take a look. Hopefully it's all gone but have to be certain.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know you are never going to get this computer clean. You last posted here six days ago. The scan log for the full scan was not updated prior to running and was done six days ago like the other one.
MBA-M is the first tool of choice for removing these types of infections, but never the only one used. Unless this computer has been fully powered off and not used and not connected to the internet for the past six days there is no reason to believe that additional infected files have not remained on the computer.
If you want to clean the computer then you will stick with this, without six days between posts. Because it has been so long I am going to ask you to update MBA-M and do another Full Scan with it. Have it remove everything found.
Next do the following:
Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back here with both of those logs along with a system scan log from HijackThis version 2.0.4 http://free.antivirus.com/hijackthis/

If you don't return within a reasonable time this thread will be considered …

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, I will pass on Greek. Learning the Greek alphabet was enough!

jholland1964 650 Posting Expert Team Colleague Featured Poster

That is good to know the translation is accurate. I, like most others in the USA, am pretty much "flying blind" when it comes to other languages as we don't learn them here as is done in other countries in the world. I know most others also learn English as well as their own native language. That is one thing very lacking in our educations.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It ISN'T probable if you use safe surfing rules, top of the line security programs, don't use P2P like uTorrent or any other programs like it, which is truly the easiest way to get a serious infection and do regular scans.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One more piece of advice, if something like this happens again and you need to run tools for scans and post them here or another forum where the basic language is English then either use the English version of the tool or run the logs through a translator. There are many available online for free. Here is one I have used in the past:

http://www.stars21.com/translator/
Here is one translated from English to Greek
Malwarebytes 'Anti-Malware 1,46
www.malwarebytes.org

Βάση δεδομένων Έκδοση: 5142

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/11/2010 4:01:07 μμ
MBAM-log-2010-11-18 (16-01-07). txt

Τύπος σάρωσης: Πλήρης σάρωση (C: \ |)
Αντικείμενα σάρωση: 272471
Χρόνος: 47 λεπτά (ες), 12 δευτερόλεπτα (ες)

Μολυσμένες διεργασίες στη μνήμη: 0
Στοιχεία μνήμης Μολυσμένα: 0
Μολυσμένα κλειδιά μητρώου: 3
Μητρώο Μολυσμένες τιμές: 2
Μητρώο στοιχεία δεδομένων Μολυσμένα: 0
Φάκελοι Μολυσμένα: 0
Αρχεία Μολυσμένα: 4

Μολυσμένες διεργασίες στη μνήμη:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Στοιχεία μνήμης Infected:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένα κλειδιά μητρώου:
HKEY_CLASSES_ROOT \ setup.player (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CLASSES_ROOT \ setup.player.2k2 (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CLASSES_ROOT \ CLSID \ {35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.

Μητρώο Μολυσμένες τιμές:
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ curre ntVersion \ RunOnce \ 36064180 (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CURRENT_USER \ …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry that you had to resort to a reformat but as you said it was probably the best solution.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you follow this caution?
Do not mouse-click combofix's window while it is running. That may cause it to stall

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where are the logs from the other programs you ran, especially the MBA-M log? The HJT log will tell us nothing unless we can see the other logs. We don't even know the names of infections found or the locations or the action taken for sure. Please post all additional logs you have.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, Welcome to daniweb,
First we prefer that people begin with the steps found on our Read Me First sticky
http://www.daniweb.com/forums/thread134865.html
You HAVE completed one of these steps and that is running MBA-M however you only posted a portion of the MBA-M log. We need to see the Entire log from top to bottom, not just the infection notations. Please post back with that entire log.
We also would like you to do this portion of the Read Me sticky, which is the running of
the Microsoft® Windows® Malicious Software Removal Tool
*Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.
Skip the ATF cleaner and instead use the built in Disk Cleaner on the computer. To access this go to Start, All Programs, Accessories, System Tools, Disk cleaner. Have it clean out ALL temp files there.
Since DDS is not compatible with Windows 7 you can use HiJackThis but the version of HijackThis you used is an old one. Please uninstall that one and download the newest version, which is version 2.0.4
http://free.antivirus.com/hijackthis/

Post back with the full MBA-M file and the new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since you have a flash drive download the manual update file for MBA-M to the flash drive and use it to update the MBA-M on the affected computer. It is slightly behind the daily update database but will certainly be more up to date than the one you used.
Then run the Full Scan again, have it remove everything found and post back here with the log.
http://data.mbamupdates.com/tools/mbam-rules.exe

Also run HiJackThis on the affected computer and post that log back here also.

http://www.trendmicro.com/ftp/products/hijackthis/HijackThis.exe

jholland1964 650 Posting Expert Team Colleague Featured Poster

"I think it was something called Pipex."
No, I don't mean the name of it but how, wireless, or directly via the ethernet cord?

Have you tried to boot to Safe Mode with Networking with the computer?
Shut down the computer. Plug the ethernet cord directly into the computer. Then reboot the computer to Safe Mode with Networking and see if you can go online.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How is this computer normally connected to the internet? When it isn't on your network?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have a flash drive? Or a CD burner? On YOUR computer I mean. Does the laptop in question have a cd drive?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well obviously since you can't get online the database for MBA-M is out of date. I just needed to see where it stands.
Very ironic, for me anyway, what was found on the machine. I just completed a thread at another forum with another person infected with Spyware.Marketscore. It really puts personal info at great risk. Here is the info I found about it and recommendations when it is found.
When Spyware.Marketscore is installed on a computer, it starts a proxy service. Once this service runs, all the Internet connections will be routed through the Marketscore's proxy (OSSProxy).

The publisher claims to improve the speed of the Internet connection by using OSSProxy. However, because all of your Internet connections will go through the Marketscore's proxy, and your Internet usage information may be logged and submitted to Marketscore's customer companies, this could create security risks.
MarketScore (also called NetSetter) is a spyware-like application that compromises the security of all data sent or received by your web browser, even on "secure" encrypted web sites. All external browser communications are re-routed through MarketScore's proxy servers, so they have access to any "secure" traffic/passwords/accounts that otherwise would be encrypted.

If you have MarketScore installed on your computer and have used your browser for any services that require WebLogin, your password should be considered compromised. After you have removed MarketScore from your computer, we strongly recommend that you change your passwords. This advice applies to any secure web sites you …

jholland1964 650 Posting Expert Team Colleague Featured Poster

What operating system is on the computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

That isn't the full log. The top portion was not included. This section is very important; it gives this information:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5142

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/11/2010 4:01:07 PM
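
The header Judy is asking for carries the two things she checks first in every thread: the database version (so she can tell whether MBA-M was updated before the scan) and the totals block (so she can tell whether the whole log was pasted). The following Python script is an added example, not part of Judy's post and not anything Malwarebytes ships. It parses a log in this layout, flags a database older than a given current one, and reports any section whose listed items fall short of the totals, which is exactly what a partial paste looks like. The sample log is constructed here: its header and detection lines follow what was quoted in this thread, and it is deliberately cut off after the first registry value, as the posted one was. The names `parse_mbam_log`, `MbamReport` and `Detection` are chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.46 log.
# Header and detection lines follow what was quoted in the thread; the paste
# is deliberately truncated after the first registry value, as the posted one was.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5142

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/11/2010 4:01:07 PM
mbam-log-2010-11-18 (16-01-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 272471
Time elapsed: 47 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\36064180 (Trojan.SCTool.Gen) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    location: str   # registry path or file path
    threat: str     # MBAM family name, e.g. Spyware.MarketScore
    action: str     # what MBAM did with the item


@dataclass
class MbamReport:
    version: str = ""
    database: int = 0
    scan_type: str = ""
    summary: dict = field(default_factory=dict)     # section -> count from the totals block
    detections: dict = field(default_factory=dict)  # section -> [Detection, ...]

    def is_stale(self, current_database: int) -> bool:
        """True if the scan ran with an older database than the one currently published."""
        return self.database < current_database

    def incomplete_sections(self) -> dict:
        """Sections whose listed items do not match the totals block (a partial paste)."""
        problems = {}
        for name, count in self.summary.items():
            listed = len(self.detections.get(name, []))
            if listed != count:
                problems[name] = (count, listed)
        return problems

    def threats(self) -> set:
        """Distinct threat families named anywhere in the detail sections."""
        return {d.threat for items in self.detections.values() for d in items}


def _parse_item(line: str) -> Detection:
    # "<location> (<threat>) -> <action>."  The location itself may contain
    # parentheses, so split off the action first and the threat from the right.
    left, _, action = line.partition(" -> ")
    location, _, threat = left.rpartition(" (")
    return Detection(location, threat.rstrip(")"), action.rstrip("."))


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := re.match(r"^Malwarebytes' Anti-Malware (\S+)$", line):
            report.version = m.group(1)
        elif m := re.match(r"^Database version: (\d+)$", line):
            report.database = int(m.group(1))
        elif m := re.match(r"^Scan type: (.+)$", line):
            report.scan_type = m.group(1)
        elif m := re.match(r"^([A-Za-z ]+ Infected): (\d+)$", line):
            report.summary[m.group(1)] = int(m.group(2))   # totals block
        elif m := re.match(r"^([A-Za-z ]+ Infected):$", line):
            section = m.group(1)                            # a detail block starts
            report.detections[section] = []
        elif section and " -> " in line:
            report.detections[section].append(_parse_item(line))
        elif not line:
            section = None                                  # blank line ends a detail block
    return report


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep.database, "- stale against 5169:", rep.is_stale(5169))
    print("threats:", sorted(rep.threats()))
    print("sections short of their totals:", rep.incomplete_sections())
```

Run against the sample it reports database 5142 as stale against 5169, the two families Spyware.MarketScore and Trojan.SCTool.Gen, and that the Registry Values and Files sections list fewer items than the totals block promises; that last finding is the machine-readable version of "that isn't the full log".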

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since you didn't post the MBA-M log we don't know what was removed. We need to see that log. rkill should have been used BEFORE that first run of MBA-M and since you were able to run MBA-M before using rkill it is likely you didn't need to use it at all. It is used when the program is being blocked by malware and stopped from running. Since you could run the program rkill was unnecessary. The only thing it does is stop malware processes that are running and stopping security programs from starting.
Check this setting on Internet Options.
Go to the Connection Tab and click the LAN settings button at the bottom. Make sure there is NO check mark in Use a Proxy Server. If one is there, remove it. Then check your connection ability. Post back with that MBA-M log.
Judy
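
The "Use a proxy server" check in this post and the traffic re-routing that Spyware.MarketScore performs (described a few posts up) come down to the same place: the LAN settings that Internet Options stores under the Internet Settings key in the registry. The following Python script is an added example, not part of Judy's post and not from any of the tools she names. It parses a `.reg` export of that key and reports a ticked proxy checkbox pointing at an unexpected host, or an automatic configuration script, either of which silently routes browser traffic through a third party. The two exports are constructed for the example; `ossproxy.invalid` is a placeholder host, and `parse_reg_export` and `proxy_findings` are names chosen here. The value names `ProxyEnable`, `ProxyServer`, `ProxyOverride` and `AutoConfigURL` are the ones Windows really uses under that key.

```python
import re

# Where Internet Options > Connections > LAN settings is stored for the current user.
INET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed .reg exports (regedit "Export" format), not taken from a real machine.
# The first mimics a proxy-redirecting infection; the host is a placeholder.
REDIRECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="ossproxy.invalid:8080"
"ProxyOverride"="<local>"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyOverride"="<local>"
"""


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}.

    dword and string values are decoded, which is all the proxy settings use;
    multi-line hex(...) values are kept as raw text and their continuation lines skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.groups()
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            # undo the backslash escaping regedit applies to quotes and backslashes
            keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
        else:
            keys[current][name] = value
    return keys


def proxy_findings(reg: dict, expected_proxies: tuple = ()) -> list:
    """Report proxy settings a home machine should not have.

    expected_proxies lists ProxyServer values that are legitimate (a corporate proxy, say);
    any other server with 'Use a proxy server' ticked is reported, as is any auto-config script.
    """
    s = reg.get(INET_SETTINGS, {})
    findings = []
    if s.get("ProxyEnable", 0) == 1:
        server = s.get("ProxyServer", "<unset>")
        if server not in expected_proxies:
            findings.append(f"'Use a proxy server' is ticked; browser traffic goes via {server}")
    if s.get("AutoConfigURL"):
        findings.append(f"automatic configuration script is set: {s['AutoConfigURL']}")
    return findings


if __name__ == "__main__":
    for label, export in (("redirected", REDIRECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, "->", proxy_findings(parse_reg_export(export)) or "no proxy findings")
```

On a live machine the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" inet.reg`; regedit writes that file as UTF-16, so open it with `encoding="utf-16"` before handing the text to `parse_reg_export`. A finding here is the same condition Judy has the poster clear by hand in the LAN settings dialog, and it is worth re-checking after a reboot, since a proxy-installing infection that survived cleaning will put the tick back.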

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is interesting to note that as I return to this forum that I get a new browser window opening in the background. Do you have a removal tool for that?

All the correct tools are found, as you have been told previously on this link;
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

And you have been told several times that I am looking for manual remove instructions. I have used Google and have also tried search on 2 real search engines, but all I can find is recommendations to install exe files that more than likely will NOT remove the problem.

If you have no personal experience with this problem, why are you posting at all?

And YOU have been told 4 times the rules here. We use TOOLS here to remove infections; we do NOT do manual removals. You can say it until your computer crashes and we will tell you the same thing:
In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please adhere to our rules and complete the following steps before posting a request for help:
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

rather than install unknown executables. You are kidding aren't you? These are all well known, well respected, top of the line tools we use here. You will find the very same tools requested on virtually every reliable, respected malware removal forum on the web.
I have no idea on how to give manual instructions on the removal of this malware; there would be multiple registry edits and renaming of files required doing it manually. The use of automated tools would guarantee the removal of these; manual removal isn't going to be 100% effective.
Since you don't want to use "unknown executables" then I am afraid you need to ask elsewhere for the list of manual registry edits. I don't have them all.

jholland1964 650 Posting Expert Team Colleague Featured Poster

:$ Didn't notice the "hijacked thread" until after I posted here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Follow steps given here and post back with all logs. Please copy/paste all logs we do not open attachments.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

This thread is closed cabbagehead and over 4 years old. You need to begin your own new thread in order to obtain assistance.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Either one is an excellent choice. Be sure you choose only ONE, that of course is the absolute rule, only ONE anti-virus program should be on a computer.

Here are links for both, choose either one and download the install file to your computer. Then totally Uninstall AVG. Once the uninstall is complete, install the new one you have chosen.

Avira - http://www.avira.com/en/avira-free-antivirus

Avast - http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button

No matter which one you choose you will have excellent protection. One other program I always recommend, also free, is SpywareBlaster by Javacool. It silently blocks malware, prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs.
Install it. Update it, enable protection for latest updates, close it out. MUST HAVE PROGRAM
It does NOT run in the background so there are no conflicts with any other programs you may have.
http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Why not post your question in the Spyware Doctor forum?
http://www.pctools.com/forum/forumdisplay.php?f=54

jholland1964 650 Posting Expert Team Colleague Featured Poster

You absolutely must run MBA-M, just removing that one file would not remove the infection. It's very likely it is still there someplace. Right now it just can't run, but you must run an updated Full Scan with MBA-M and be sure to have it remove everything found and Reboot the system. That is vitally important.
Post back here with the log and we can give you other recommended steps if needed.
MSE would not have stopped this. This is a trojan, most av programs will not stop a trojan. One program that helps prevent them from getting onto the system is SpywareBlaster. Once the computer is assured to be clean then you need to install this, it is FREE and I would never run a computer without it. Doesn't run in the background and conflicts with nothing. Excellent program

jholland1964 650 Posting Expert Team Colleague Featured Poster

Held off as long as I could:)

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run this scan it will give you a report of everything on the computer. The main portion you want is the upper portion which tells you all the hardware installed on the computer.
http://www.belarc.com/free_download.html

It sounds as if something was installed or updated which has installed an AMI driver of some kind.
Did you look at that AMI page?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Take a look at this page about the things that this company manufactures: http://www.ami.com/products/

You aren't going to see these listed in Programs. Check your Device Manager and see if there are any drivers from AMI.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Kim Barbie, you need to begin your own thread after following all steps given in our Read Me sticky

http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

AVG just doesn't do the job that others do. Avira and Avast both rank higher and are less bloated. While these rankings shown in my attachment note Avira Premium which is a paid program the Avira Free and Avast Free are both excellent. I have used Avira Free for several years and am extremely pleased with it. I had used AVG in the past but after several problems with missed infections and the slow down it caused on my machine I went with Avira Free and have been most satisfied. Plus it is very unusual to have requests for cleaning help from people using Avira.