jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again. Put check marks next to the following entries:
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe

Once you have placed those check marks then click the Fix Checked button. Exit HJT.
Reboot the computer.

Now, several things I need to ask or point out. AVG 9 is out of date really; the program is now up to AVG 2011. Is this the paid version? Have you paid for renewal lately? I am not certain why the program would still be AVG 9 as it should have gone to the newer version. AVG 9 was known for being quite bloated and resource consuming. It also wasn't or isn't very highly rated either. The newer versions have been somewhat better than 9 and previous versions but it still isn't as highly rated as others out there.
Are you running the paid version of Malwarebytes' Anti-Malware?

By the way, I am not a "Dude".

jholland1964 650 Posting Expert Team Colleague Featured Poster

HiJackThis is a scanner program which gives a "snapshot" of processes running, toolbars, BHOs, auto starting programs and services and other info. It will produce a log which should be posted here so that it can be read. It will not change your system or settings unless fixes are recommended using the program. It is considered for advanced users because the logs must be read and interpreted by a helper who will then tell the user what, if anything, needs removal or fixing.
It can be downloaded here, http://free.antivirus.com/hijackthis/
Download version 2.0.4, run the system scan, save the log and post it back here and we can take a look.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If these buttons are greyed out this means the addon is locked and you need to start Firefox in safe mode, not computer safe mode but Firefox safe mode. Close Firefox completely.
Go to Start, All Programs, Mozilla Firefox, Firefox (Safe Mode). This will start Firefox without any addons or extensions and you should be able to remove it or disable it.
For additional info check this Mozilla page;

http://kb.mozillazine.org/Uninstalling_add-ons

jholland1964 650 Posting Expert Team Colleague Featured Poster

So disable it. Am not certain what you mean when you say when you click enable it doesn't show up. Show up where?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have to be honest here. You have done multiple things, out of order, or without being told, like running ComboFix. You have installed av programs, run scans, removed av programs and then posted logs done before the av programs were removed. You were supposed to post the Sophos log but didn't.
I don't know that there is anything I can do to assist you. I am certain there is a rootkit on there but I cannot be certain since the programs have really been run in a strange order. You say "it" tells you to uninstall MBA-M, what tells you to uninstall MBA-M?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you tried selecting view>toolbars> uncheck it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you uninstall the old version of Panda?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have two anti virus programs running on the computer. This is an absolute no-no. Only ONE antivirus program should be installed and running on a computer. Choose one of those you have on there and completely uninstall the other one. This would be one reason for your infections as the two programs would fight each other rather than protect. Do that uninstall and follow the steps given you by Crunchie.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you now able to use your Panda program?

jholland1964 650 Posting Expert Team Colleague Featured Poster

uninstall the security updates or restore your pc to back date

A ridiculous suggestion. If you are going to post please be aware of exactly what you are suggesting.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well all I can say is I'm sorry. Wish the results had been better.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Clean out your temp files, fill out as much personal info as you feel necessary at this link and follow the directions here. You obviously have something very different on there.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
  o Running processes
  o Windows Registry
  o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  o Files tagged as Removable: No are not marked for removal and cannot be removed.
  o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't know what all you have disabled using msconfig but it is likely you have turned off some needed files. msconfig should only be used for troubleshooting, not as a way to stop auto starts permanently. You only have one auto start in programs and one in services. Go back into msconfig and choose Normal start up, re-enable all the services you have turned off and reboot. Then run a new HJT scan and post that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you see none in the Programs list then it is likely there are none installed. Go on with other instructions.

jholland1964 650 Posting Expert Team Colleague Featured Poster

This all is quite strange really. Check your Internet Options in the control panel. Go to the Connections Tab, click the LAN button and make sure there are NO check marks in there under Proxy Server and try ESET once more.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Uninstall this program, Advanced SystemCare 3 as it is absolute junk. Also remove the Wise Registry Cleaner 5.8.5. There is rarely any reason to "clean" the registry. If there are infected registry entries then programs like MBA-M will remove them.
Your MBA-M program is way out of date and was not updated prior to running. Please update it and run another Full Scan. Have it remove everything found, reboot and post back here with the log.
Panda or most other av programs do not remove Trojans, which is what you have. They also generally do not protect against Trojans. The reason is that they are configured totally differently from viruses.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Log should be located here; C:\ComboFix.txt.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, see if you can do this:
Note to others reading this thread, these instructions are for THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.

Unless you have access to another computer during the program run please print out these instructions for reference as you will not be able to refer to them while this program is running.

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop

• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Change that to No Proxy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have a proxy configured?

jholland1964 650 Posting Expert Team Colleague Featured Poster

"Turns out there were a quite a few viruses left unfound."

That's because your MBA-M program was so far out of date. Now please do the following:


Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You will need to allow an ActiveX control to be installed.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Be sure to REBOOT the computer after running the scan. Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your MBA-M program is way, way out of date. Current database version is 5060, yours is listed as 4052. Please update the program and run a new Full Scan. Have it remove all items found, Reboot the computer and then come back here and post that new log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Copy paste all logs if possible please.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really should never run Combofix without first being told to do so.
Since you have already done so then you should be able to follow the steps given in our Read Me First sticky. Please do so and post back with all the requested logs.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

You may have deleted "some" of the infection but you need to follow all the steps given in our Read Me sticky, especially running MBA-M. Follow the instructions exactly. Post the logs back here when all have been completed and we can decide what needs to be done next.
http://www.daniweb.com/forums/thread134865.html
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

And why did you run HJT? We need to know. I see an excessive amount of processes running during the scan. A lot of unneeded auto starts, an excessive number of auto starting services, and an extraordinary number of Trusted Sites, some of which are considered very dangerous. Are these work related? Remainders of an AVG antivirus program that appears to have been incorrectly removed. Otherwise, since you don't state what problems you were experiencing that caused you to run HJT, I cannot give any advice.
We ask that you follow the steps given in our Read Me First sticky and report back with copy/pastes of requested logs and full information on the problems you may be experiencing.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

The log looks ok to me. Stick with the Avira. AVG used to be good but consistently ranks now behind Avira and the other good free one, Avast. I use Avira, have for several years and am very pleased with it.

I would also suggest adding SpywareBlaster. It provides excellent additional protection against ActiveX-based spyware, adware, dialers and browser hijackers, blocks spyware/tracking cookies in IE, Mozilla Firefox and many other browsers, and restricts the actions of spyware/ad/tracking sites.
Just download, install, update, enable all and close the program. That's it. Check for new updates once a week; if there are any, download and install, enable all and close the program. I wouldn't run my computer without it. It IS FREE also.
http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

If all seems to be working well I would say this can be marked solved if you agree.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok then, that must be normal for the computer. The one thing I need to see is a system scan from HiJackThis.

http://free.antivirus.com/hijackthis/

Run the scan, copy the log and paste it back here...almost done.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this and see if you can connect. Go to the Control Panel, choose Internet Options. Open the Connections Tab. Then click LAN settings button at the bottom. See if there are any check marks in there, if there are Remove them and click Ok. Then Click Apply and close Internet Options. Reboot the computer and see if you can get online.
Was MBA-M already on the computer or did you install it via a flash drive?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please follow the steps given in our Read Me First sticky and post back with the requested logs and we will be most happy to offer assistance.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

We prefer the logs be copy/pasted rather than uploaded, so next time please do that. You failed to update MBA-M before running the scan. As of the writing of this post the current database is 4893. Please update MBA-M and run a new Full Scan with it. Have it Remove all items found, REBOOT the computer and come back here and copy/paste the log.
It would help us if you would clearly state the problems you are experiencing then we could better offer assistance.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, I noticed something unusual about your first Full MBA-M scan and now with this second one and that is the fact that the scans only took 35 minutes. A full scan with MBA-M normally takes at least one hour. It is possible that these infections have corrupted MBA-M so I would like you to remove it and install a new copy.
Follow these instructions from the MBA-M website:
Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).
Download and run this utility: http://www.malwarebytes.org/mbam-clean.exe
It will ask to restart your computer (please allow it to).
After the computer restarts, temporarily disable your Anti-Virus.
To disable your Avira right click the little red umbrella in your system tray and remove the check mark from Enable Guard.
Next install the latest version of Malwarebytes' Anti-Malware from
http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1
Once it has installed, Update it and then run another Full Scan with it as you have previously. Have it remove everything found.
Reboot the computer, be certain your Avira has restarted and post back here with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Reset your internet explorer settings.

This post is unnecessary. This same advice has been given twice already.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You could always stop the service for the iexplorer.exe process in task manager.

1. go into task manager and click on services or processes tab
2. click on services button down the bottom right of task manager window.
3. scroll through window in services (should direct you to services) and look for internet explorer or explorer.exe and stop.
4. right click on this service and switch to manual start and it should fix your problem.

Let me know how you get on
regards rangarecon

Crunchie has given correct information to this poster. If you wish to assist here you must follow proper procedures.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Go into Internet explorer ->click on tools ->click on internet options -> Advanced -> reset advanced settings. Hope this helps

rangarecon

Those steps are incorrect for this situation. If you are going to post instructions please be certain they are correct.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You can try either spyware doctor, Trend Micro Internet Security 2010 (I use this personally for my home computer). These all have advanced spyware removal features and can handle all spyware known currently. Avast! can also help, there is a free version to download, or avg free could also help. Give these a go and post an answer and I'll get back to you.

Thanks rangarecon

We have a standard procedure here that all posters must follow and that is to complete the steps given in our Read Me Sticky. These are the instructions I gave to Justin Hughes, the creator of this thread. Please do not suggest other tools.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tania, the computer obviously is still infected. Likely the KEY reason for the continuing infections is found in that MBA-M log...

C:\Documents and Settings\Luke\My Documents\LimeWire\Saved\Virtual Dj Full Version.exe (P2P.Dropper)

Limewire is a P2P file sharing program. Used mainly to ILLEGALLY obtain copyrighted material, music and games especially, without payment to the rightful owners of the software being downloaded. This obviously is the case with these two infected files for sure.
Virtual Dj is a program that must be paid for when purchased LEGALLY. The cost is approximately $329. But, because the copy on your computer was obtained illegally via P2P it was "supposedly" FREE. But along with the illegally gotten software you also now have a grossly infected computer. This is proven by the fact that each and every scan finds newly infected files.
The files found by Avira scan contained a Trojan. These were contained in the folder C:\Documents and Settings\Luke\My Documents\Downloads\PDFTablet_Installer.exe
and held the TR/Dldr.Delphi.Gen Trojan. A trojan is created in order to bring onto the computer other infected files.

It is the policy of daniweb and stated very clearly in our Read Me First sticky that anyone posting for assistance in removing infections must do the following:
Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I’m just going to say this:

P2P software circumvents common-sense security measures and …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I just tested my computer using IE 7. It also took 8 seconds to respond and nearly 30 seconds to fully load my home page which is http://abcnews.go.com/.
So I certainly think yours is within reason. That said, notice I have IE 7 not IE 8. That browser is primarily for Vista and Windows 7. Many people using XP have found that it does not work well for them with XP. Also, I rarely use IE at all, with the exception of websites that require IE and now that basically is Windows Updates, I use Firefox. This is consistently a much faster browser. Another much faster browser than IE is Opera. I use it also but am not as fond of the interface of Opera but it too is much faster than IE. Both are much more secure than IE also. So this would also be one suggestion I would make, consider using a faster browser.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You're welcome Ed. Any other problems or questions don't hesitate to start a new thread and ask. We are happy to offer as much help as we can.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, SpywareBlaster will protect Opera also. It doesn't show there, but it will because it uses the Internet Explorer engine. Any browser which uses the IE engine is protected and Opera does use the IE engine, along with all of these others:
AOL web browser
Avant Browser
Slim Browser
Maxthon (formerly MyIE2)
Crazy Browser
GreenBrowser
http://www.javacoolsoftware.com/spywareblaster.html#Browsers

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your Java is woefully out of date. Go to http://www.java.com/en/download/manual.jsp
Choose the Offline install and save it to the desktop.
Once you have done that, close all browsers. Go to Add/Remove and Uninstall all of these
Java(TM) 6 Update 11
Java(TM) 6 Update 4
Java(TM) 6 Update 6
Java(TM) 6 Update 7

Once all are removed then go to that Java install file on your desktop and install the newest version which is version 6 update 22. Watch the updating very closely as it automatically offers various toolbars. The check marks will already be there so REMOVE the check marks so that you don't get those unneeded toolbars. Once the install is complete go back to that download page and click Verify Now on the right side to go to the verification page to test that the install went as it should have.

Now some advice. I see you are running AVG 9 Free version. I would recommend that you change your anti-virus program to another. Avira Free is the one I use, I like it a lot and it ranks much higher in most tests than AVG.
Here is the link http://www.avira.com/en/avira-free-antivirus
Another good free one is Avast. It also ranks higher in most tests than AVG.
Here is the link for Avast Free http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button

I prefer Avira because it is quite easy to run, not intrusive and provides excellent …

jholland1964 650 Posting Expert Team Colleague Featured Poster

It was me taking IE out of the picture, wasn't it. I didn't think of that.
Yes it was. I need to see the new Uninstall list and I will give you a couple more steps but I need to see that first because I don't know now what was removed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The problem was, I told you I would get you the fixes and I spent all that time making a list for you to work with and then you did things manually that I had not requested. This is why we ask people to wait a moment. I worked as quickly as I could. Each line of that log had to be checked.
Ok, run HiJackThis again. This time though put check marks next to the following entries:
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

Once you have the check marks in place click the Fix Checked button and exit HJT.
Reboot.
Please give me a NEW Uninstall list like you did before. There are other items which must be removed but I need to see a new list.
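Reading an HJT log by hand, as in the fix list above and the AVG 9 fix list earlier on this page, means picking out of every entry its section code, CLSID, target file and any "(file missing)" marker. The following is an added Python example of mine, not HijackThis code and not from this thread; it parses such entry lines into fields and flags what a helper scans for (orphaned entries, services with no attributable owner, one CLSID registered under several sections, everything left under one product directory). SAMPLE_LOG is constructed from the entry lines quoted in both posts.

```python
# Added example for this thread: a parser for HijackThis (HJT) log entries.
# Not HijackThis code; SAMPLE_LOG is constructed from the lines quoted above.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O24
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path or download URL ending in a loadable object
TARGET_RE = re.compile(r'(?:[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|cab|sys)'
                       r'|https?://\S+?\.(?:cab|exe))', re.IGNORECASE)
FILE_RE = re.compile(r"[\w.\-]+\.(?:dll|exe|cab|sys)", re.IGNORECASE)
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
"""


@dataclass
class HjtEntry:
    kind: str                # section code, e.g. "O2", "O23"
    category: str            # "BHO", "Toolbar", "Service", "Winlogon Notify", ...
    name: str                # display name of the hooked object
    clsid: Optional[str]     # {GUID} when the entry carries one
    target: Optional[str]    # full path or URL of the loaded object, if present
    filename: Optional[str]  # basename, known even when the path is not
    file_missing: bool       # HJT's "(file missing)" marker: an orphaned entry
    raw: str


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return a structured entry, or None for headers, blanks and other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    # First " - " segment is "<category>: <name>"; later ones hold CLSID, owner, path
    category, _, name = rest.split(" - ", 1)[0].partition(": ")
    clsid = CLSID_RE.search(rest)
    target = TARGET_RE.search(rest)
    files = FILE_RE.findall(rest)
    return HjtEntry(
        kind=kind,
        category=category.strip(),
        name=name.strip() or category.strip(),
        clsid=clsid.group(0).upper() if clsid else None,
        target=target.group(0) if target else None,
        filename=files[-1] if files else None,
        file_missing="(file missing)" in rest,
        raw=line.strip(),
    )


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Flag orphaned entries, O23 services with no owner, and CLSIDs seen in several sections."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_clsid: Dict[str, List[HjtEntry]] = defaultdict(list)
    for e in entries:
        if e.file_missing:
            findings["orphaned"].append(e.raw)
        if e.kind == "O23" and "Unknown owner" in e.raw:
            findings["unknown_owner"].append(e.raw)
        if e.clsid:
            by_clsid[e.clsid].append(e)
    for clsid, group in by_clsid.items():
        if len(group) > 1:
            kinds = ", ".join(sorted({g.kind for g in group}))
            findings["shared_clsid"].append(f"{clsid}: {kinds}")
    return dict(findings)


def entries_under(entries: List[HjtEntry], directory: str) -> List[HjtEntry]:
    """Entries whose target lives under one product directory (case-insensitive)."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.target and e.target.lower().startswith(prefix)]
```

Running triage over SAMPLE_LOG reports the two "(file missing)" leftovers, the two services HJT could not attribute, and the AVG toolbar CLSID that is registered as both an R3 search hook and an O2 BHO; entries_under with the AVG9 directory lists every remaining piece of that product in one place.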

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please follow the instructions as I give them.
Since you jumped ahead we now have to go back. DON'T do the steps in my last post, as I had to delete it since the log shown has likely now been changed by your changes.

Please run a new scan with HJT and post the log. I am going to have to go through it again since you did steps not called for.

SweetIM is a program to send fancier smiley-faces and IM graphics to friends who are using MSN Messenger. BUT - they are only able to see these advanced smiley-faces if they also have SweetIM installed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just wanted to point that out to you. Good thing you don't use IE. We can fix it easily. That isn't a google page.
Do you only use IE for Windows Updates, correct? Give me a few moments and I will have some fixes for you to do using HJT.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know the page you have set as your homepage, sweetim.com, is not considered to be a very safe page.
Look at this information. Be sure to scroll all the way down to read the comments there.
http://www.mywot.com/en/scorecard/search.sweetim.com