jholland1964 650 Posting Expert Team Colleague Featured Poster

Update MBA-M and do another Full Scan with it. Have it Remove everything found.
Reboot the computer and then do another HJT system scan.
Post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sounds as if an infection has changed your LAN settings. Go to Internet Settings, Connections, LAN button and make sure there are NO check marks in there. Ok your way out and attempt to connect. If you can then follow all the steps in our Read Me sticky and post back here with all the logs.

http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

So you are continuing with the clean up or do you want to close the thread?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No it certainly ISN'T time to close the thread. You haven't completed cleaning the computer yet.
Of course the choice is yours, but the computer has not yet been deemed 100% clean. If you don't want to clean it up it is your choice but then I would advise that you stop using this computer entirely. I know I wouldn't use it until all infection was cleaned off and I knew that for certain.
The computer can be cleaned. If you don't want to then we can close the thread. Basically you have three choices; continue with the clean up, or stop using the computer completely and get another to use online, or completely reformat and reload.

jholland1964 650 Posting Expert Team Colleague Featured Poster

CimmerianX, I realize you wish to assist but please look at the logs and the MBA-M run. The first log is likely a portion of the ESET scanner log, however without the entire log we cannot be certain the scan was done correctly.
The 2nd MBA-M log, while it looks clean, was NOT updated and not a Full Scan both of which should have been done. So to say "That's looks pretty good." is not correct. If it had been a full scan with an updated program, "maybe" you could say it looks pretty good but since steps have not been followed correctly, no it doesn't look pretty good. It looks incomplete and inaccurate.

Tania, please complete the steps given ok?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since we have no idea what tools you have used or anything about the computer then there is no way we can give you any information. We need to know what you found and HOW.
You need to begin by following the steps given in our Read Me sticky
http://www.daniweb.com/forums/thread134865.html

Then come back here and copy/paste all requested logs along with ALL information requested. Then, and only then, can we offer additional steps or tools to use.

jholland1964 650 Posting Expert Team Colleague Featured Poster

tania, that is not the full ESET log, we need to see the entire log from top to bottom, not just what was found/removed. Your computer appears to still be grossly infected.

Also, you did NOT update MBA-M as crunchie requested. Your database still shows 4784, which is the very same one you used on the last scan. MBA-M has multiple updates DAILY which is why updating must be run each and every time you scan, even for multiple scans done on the same day. The current database version, as of 5 minutes ago is Database version: 4840. Plus you only ran a Quick Scan. When infection is found using a Quick Scan, as your original scan showed, then the program should immediately be updated again and a Full Scan should then be run. The Quick Scan does not scan all files. If some of those files are found to be infected then it is vitally important that the Full Scan be run immediately.
Please follow these instructions and post back with the entire ESET log and also a log from a Fully Updated FULL scan with MBA-M.
Judy
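An added example, not part of the original post and not Malwarebytes' own tooling: one way to check a pasted MBA-M log for the problems described above (database not updated since the last scan, Quick Scan instead of Full Scan, incomplete log, items left with no action taken). The field layout is assumed from MBA-M 1.x text logs, and the sample logs are constructed, reusing the database versions and infection counts quoted on this page.

```python
import re

# Field patterns assumed from the plain-text log layout of MBA-M 1.x.
DB_RE = re.compile(r"^Database version:[ \t]*(\d+)", re.M)
SCAN_RE = re.compile(r"^Scan type:[ \t]*(.+)$", re.M)
COUNT_RE = re.compile(r"^(.+?) Infected:[ \t]*(\d+)[ \t]*$", re.M)
NO_ACTION_RE = re.compile(r"->[ \t]*No action taken", re.I)


def parse_mbam_log(text):
    """Pull out the fields a helper reads first in a pasted MBA-M log."""
    text = text.replace("\r\n", "\n")  # logs are written on Windows
    db = DB_RE.search(text)
    scan = SCAN_RE.search(text)
    counts = {name: int(n) for name, n in COUNT_RE.findall(text)}
    return {
        "database": int(db.group(1)) if db else None,
        "scan_type": scan.group(1).strip() if scan else None,
        "counts": counts,
        "detections": sum(counts.values()),
        "no_action": len(NO_ACTION_RE.findall(text)),
    }


def review_log(text, previous_text=None):
    """Return the reasons a log cannot be accepted as evidence of a clean machine."""
    cur = parse_mbam_log(text)
    if cur["database"] is None or cur["scan_type"] is None or not cur["counts"]:
        # Only the found/removed portion was pasted; nothing else can be judged.
        return ["incomplete log: header or summary lines are missing"]
    problems = []
    if not cur["scan_type"].lower().startswith("full"):
        problems.append("scan type is %r, not a Full scan" % cur["scan_type"])
    if cur["no_action"]:
        problems.append("%d item(s) found but no action taken" % cur["no_action"])
    if previous_text is not None:
        prev = parse_mbam_log(previous_text)
        if prev["database"] is not None and cur["database"] <= prev["database"]:
            problems.append("database %d was not updated since the previous scan (%d)"
                            % (cur["database"], prev["database"]))
    return problems


def _sample(db, scan_type, counts, items=()):
    """Build a constructed sample log; this is not output captured from a real machine."""
    names = ["Memory Processes", "Memory Modules", "Registry Keys",
             "Registry Values", "Registry Data Items", "Folders", "Files"]
    lines = ["Malwarebytes' Anti-Malware", "",
             "Database version: %d" % db, "",
             "Scan type: %s" % scan_type, ""]
    lines += ["%s Infected: %d" % (n, c) for n, c in zip(names, counts)]
    lines += [""] + list(items)
    return "\r\n".join(lines)


# Constructed samples: a first Quick scan that found infections, a repeat scan
# with the same stale database, an updated Full scan, and a log with the top cut off.
FIRST_SCAN = _sample(4784, "Quick scan", (1, 2, 8, 6, 0, 0, 16),
                     [r"C:\example\sample.dll (Trojan.Example) -> No action taken."])
SECOND_SCAN = _sample(4784, "Quick scan", (0,) * 7)
GOOD_SCAN = _sample(4840, "Full scan (C:\\|)", (0,) * 7)
TRUNCATED = "\n".join(FIRST_SCAN.splitlines()[6:])

if __name__ == "__main__":
    for label, log, prev in [("first", FIRST_SCAN, None),
                             ("second", SECOND_SCAN, FIRST_SCAN),
                             ("updated full", GOOD_SCAN, SECOND_SCAN),
                             ("truncated", TRUNCATED, None)]:
        issues = review_log(log, prev)
        print(label, "->", issues if issues else "acceptable")
```

A log with zero detections still fails this review when the database number matches the previous scan or the scan type is not Full, which is the situation the post describes.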

jholland1964 650 Posting Expert Team Colleague Featured Poster

Understand the time a 6 month old baby takes, hope though that you are not using the computer for anything else other than cleanup either. You obviously had/have some very serious infections on there. If you are using the computer for anything else than cleaning it up then all these steps will be for nothing.
Please now do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.

When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Continue with the rest of the instructions and post the logs. We cannot assist without these logs AND full information about the computer and the problems you are experiencing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hope you now see WHY we insist on all P2P programs be uninstalled. Look at those infected files you got from using P2P. This is one of the easiest ways to get some really bad infections.
Here is information about the infection removed by ESET which adds proof to this from ESET
WMA/TrojanDownloader.GetCodec has ranked fifth on ESET’s threat list
Win32/GetCodec.A is a type of malware that modifies media files. This Trojan converts all media files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to a new codec, claiming that the codec has to be downloaded so that the media files can be read. WMA/TrojanDownloader.GetCodec.Gen is a downloader closely related to Wimad.N which facilitates infection by GetCodec variants like Win32/GetCodec.A

Note that it says it converts ALL media files on the computer. You cannot now assume that ANY of your media files on the computer are not carrying this Trojan but possibly have not yet been activated. Each time one of these files is accessed then the trigger will be pulled and this will then bring in more and more, that is what it was designed to do.

I note in your HiJackThis log that you obviously have an iPod. Yes, iPods also can become infected and then infect any computer they may be plugged into.
This is exactly WHY P2P sharing is so very dangerous. These infected …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like to see an Uninstall List generated by using HiJackThis. To do this do the following:
Open HiJackThis
Click on Msc. Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply

After that do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Please Reboot the computer.
Post back with the log from the ESET Scanner.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Oh, I meant to say RegCure, not RegEdit.
Doesn't matter, using a registry cleaner regardless is always a bad idea. Too much damage can be done. There is never a good reason to use a registry cleaner, optimizer, whatever.
Good tools like MBA-M will automatically clean out infected registry entries; there really is hardly ever a good reason to "play" with the registry. Uninstall RegCure and continue with steps given.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Oh I don't think we need to worry, I believe questionmy's computer is still working well enough to post this identical question at three more forums several days after posting here along with his "imaginary friends" identical response and they also remain at seven other forums too. All but two have removed the "imaginary" or "extended" unapproved links given in the response as we have done here. So we don't need to be concerned.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Ed, welcome to daniweb.

RegEdit is certainly NOT a tool to run to remove infections, you need to know what registry entries ARE infected before attempting this.
Your MBA-M shows you only ran a Quick Scan and No Action Taken. Did you reboot after running MBA-M? This is one of the things you must always do when using MBA-M to remove infection.

Update MBA-M and run a Full Scan. Have it Remove everything found REBOOT and then go into MBA-M and copy/paste the last log in the Log tab back here.

I would like to see a system scan log done with HiJackThis

http://free.antivirus.com/hijackthis/

jholland1964 650 Posting Expert Team Colleague Featured Poster

504mb of RAM, there is part of your problem. That is barely enough to even run XP, let alone any other programs. You should really see about increasing that. Go to http://www.crucial.com/ and run their scan, it will tell you exactly what type of RAM you need, how much you can add and how much it will cost. If you are in the U.S. it is likely the cheapest place you can get it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Obviously you ARE infected. Please follow the steps given in our Read Me First sticky and post back here with all requested logs.

http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to post the MBA-M log here. Other steps may be required, especially with the number of Trojans found. These may just be the "tip of the iceberg". There very well could be a rootkit on there which will just bring in more infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How much hard drive space remains and how much RAM is installed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

The steps given above are the least of your worries. NONE of those steps will remove this infection and that is the very first order of business that must be undertaken. File recovery at this point is useless, removal is #1.
To begin this process follow the instructions in our Read Me First sticky and post back here with all the requested logs.

http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

The log is incomplete, we need to see the full log, including the top portion that reads like this;
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:36 AM, on 10/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

What programs did you use to remove this infection? We need to see logs from those programs also.
We also need information about the computer, operating system especially. What symptoms were shown that convinced you that you had this infection. Until we have all this information we cannot make any judgments or offer advice of other steps needed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to follow the steps given in our Read Me sticky and post back here with all requested logs.

http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Get your money back. The program is worthless

jholland1964 650 Posting Expert Team Colleague Featured Poster

Reboot to safe mode with networking and try to uninstall that way. Then also do these steps still in Safe Mode.
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003, 7 & Vista ONLY)
RUN ATF-Cleaner.exe.

• Click on ATF-Cleaner to run it
• Where it says Select Files To Delete, Check the Select All Option
• Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware …

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all you are using TWO antivirus programs on the computer,
Avast and Microsoft Security Essentials. The absolute rule is ONE antivirus program should run on a computer. Any more than one then, yes the computer can become extremely slow but, and more important, you actually can lessen your protection because the two programs will constantly battle each other rather than offer good protection.
Uninstall Microsoft Security Essentials, Avast is the much better choice.
Secondly, you are using IE 8, not the world's fastest browser.

You also cannot even compare a phone to a computer, makes no sense whatsoever. They are not the same thing at all. The phone may be considered a "mini computer" in the sense it can do some of the same things but that is like comparing apples to oranges, they are both fruit, period, that's it. Otherwise no comparison.

Is this the only slow down you see, the browser or is it everything on the computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, I apologize I didn't realize that, combofix doesn't work on 64bit systems.
I am going to refer this to another helper and see what he would advise.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Is this a 64bit operating system?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Works perfectly fine with Vista. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download ComboFix by sUBs from

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

· You must download it to and run it from your Desktop
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log using the latest version which is version 2.0.4
http://free.antivirus.com/hijackthis/

· Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am very sorry for the delay. We are short handed. The first thing I see is you have two anti-virus programs installed on the computer, Windows Live OneCare which according to the DDS log is very outdated. You also have Avira AntiVir Personal - Free Antivirus installed. Please UNINSTALL the Windows Live OneCare. The absolute rule is ONE anti-virus program to a computer.
It appears the computer itself is out of date, your Java is way, way out of date.

Try this rootkit program,
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb, We need more information, your operating system for instance. You should do the scans found in our Read Me sticky
http://www.daniweb.com/forums/thread134865.html

Copy/paste the logs back here and we will be happy to offer further assistance.

One thing to check is go to your Control Panel and open Internet Options.
Go to the Connections Tab and click on the LAN button at the bottom. Be sure there are NO check marks in any boxes on that page. If there are, remove them.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just be VERY aware that because you are running an out of date computer and browser and must use it without the security updates installed that you are most definitely at a much GREATER RISK for problems like these as the time passes and at an extremely great risk of having a fatal crash and losing everything you have on there. Not really sure why you cannot update the software without a new computer, can you explain that better? Is it due to hard drive size or what?

jholland1964 650 Posting Expert Team Colleague Featured Poster

by normal I mean everything working correctly, surfing is normal, computer boots ok, no freezes, errors, etc. all programs work as they should.
Have you downloaded and installed a new copy of Avast and done a full scan with it? That would be the next thing to do.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Was the MBA-M run in normal mode?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Gronz, this thread is over one year old. Please create your own thread AFTER completing steps given in our Read Me Sticky and then post the logs along with a detailed description of your problems.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT after running MBA-M!

Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download and run this program:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
you actually have to register to use it but the program is free, be sure to NOT put a check mark in the box which says I am interested in a home version of this product.
* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean …

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need a LOT more info than what you have given us. We need to know all about your computer, operating system, what type of email program are you talking about, an actual program or webmail?
You say Norton picked up nothing but McAfee trial picked up?
You can't run two anti-virus programs on the same computer, they will fight against each other and do virtually nothing.
What other scans have you run? Have you followed the steps in our Read Me sticky? If not, do so and post back with all the requested logs.
But I have to say first, if this is webmail then the problem likely is not ON your computer. You need to contact the provider of the webmail service.
Other than that we cannot offer suggestions until we have much more information.

jholland1964 650 Posting Expert Team Colleague Featured Poster

There would be no reason to use Sophos at all unless you suspect a rootkit, that is what that tool does, look for rootkits. It is in no way related to anything that AdAware would look for. AdAware basically scans for spyware, not trojans and certainly not rootkits. It, at best, is a very minor removal program, much of which can be taken care of by proper cookie setting and security settings. If you want a better scanner then use SpyBot Search and Destroy.

Frankly am not sure what you mean about MBA-M not finding anything: It clearly found and removed
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16
So how can you say it didn't find and remove anything?
The KEY way these multiple infections work is to disable malware scanners. They LOOK like they are working but in reality they are not. This has been a KNOWN occurrence since the appearance of this family of infections more than a year ago. It isn't new or rare.
When you removed those deterrents manually and then re-scanned, MBA-M did remove them. What you did was remove the processes that masked the true infected files so that MBA-M could find them.

There is an automatic tool which will do exactly the same thing so that MBA-M and others CAN run, they …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I still have to say, AdAware just isn't one of those programs chosen today as a "top of the line" as it once was, no matter how large a drive needed scanning and it also is NOT one of those mentioned as being able to clean out these especially difficult infections that are out there today. Are you still having the problems you noted?

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is absolutely NO way that an AdAware scan should take 10+ hours! which is what you seem to be saying. Turn it off and Uninstall it. That is 100% wrong. I wouldn't trust anything it supposedly is finding.

You should NEVER run two scans of any kind at the same time! Neither one will do a proper job that way.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'm sorry you had to wait so long for assistance. We are very short handed at the moment.

Please download ComboFix by sUBs

· You must download it to and run it from your Desktop

· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix

· Double click combofix.exe & follow the prompts.

· Now when you click on the Combofix icon to run it you may get a security warning because Combofix does not have a digital signature. It will ask if you want to run the program, click Yes.

Combofix will back up the registry and then ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you don't have it then it will ask if you want it installed. This isn't really necessary so just say no and have it go on and do its scan.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Post back with that Combofix log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not that crazy about AdAware frankly. I know it is compatible with Windows 7 but can find no info that it is compatible with Windows 7 64bit.

This is also where you are at a bit of a disadvantage as many of the security programs are not compatible with a 64bit system.
You can try the Sophos Rootkit program, it is compatible with 7.
You will have to fill out an information form in order to download it but be sure you don't say you want info or newsletters.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Part of your problem is you are using programs which are not compatible with Windows 7 and/or also not compatible with a 64bit system.
GMER runs only on Windows NT/W2K/XP/VISTA

Malwarebytes' IS compatible with Windows 7 and 64bit systems however, where is the log? We can make no determinations of what is going on if we don't see all the logs and Malwarebytes' is a KEY log we must see, not a Printscreen of Quarantine. We have to see the actual log created when the removals were done. Since you have run this twice it likely would be the second log from the bottom in the Logs Tab of the program. I must see this log.

Please do not attach logs, copy/paste them. This protects others here from the possibility of downloading an infected file to their own computer.
Copy/Paste that Malwarebytes' log here please.

You receive the message when starting about the two items noted below because both are serious Trojans and were removed by Malwarebytes'

C:\Users\Xuyuan\AppData\Local\imanivago.dll
C:\Users\Xuyuan\AppData\Local\kSLexi.dll

You are receiving the message because they obviously were set to run at start up but since they were removed, as they should have been, they therefore cannot be found. And you most definitely DON'T want them back.

The version of HiJackThis you have used is literally years out of date. Please download the newest version which is 2.0.4 from this link http://free.antivirus.com/hijackthis/

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, thanks for posting back.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you try booting to Safe Mode with Networking and downloading the scanners and then run the scans and posting the logs that way.

Follow the instructions given on this link for correct booting to safe mode
for your operating system
http://www.bleepingcomputer.com/tutorials/tutorial61.html

After that Follow the steps given in our Read Me sticky
http://www.daniweb.com/forums/thread134865.html
performing all requested scans exactly as given. Be sure if given the option to Remove do so.
Once you have followed all those instructions then post back here with the requested logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all Uninstall that Perfect Optimizer, it's junk. Could even be how you got infected in the first place. There is no earthly reason to use a Registry Cleaner. If there are infected points in the registry then good tools like Malwarebytes' Anti-Malware will remove them.

First of all try this:
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

Then do the following:

If your OS is Windows 2000/2003, XP , Vista or Windows 7, please run the Microsoft® Windows® Malicious Software Removal Tool
*Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When MBA-M finishes, Notepad will open with the log. Please save it where you can …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You should really consider updating Internet Explorer. Version 6 is pretty outdated and insecure and is probably one of the main reasons for your malware issues.

OldTime, you have been warned once by Crunchie. I realize that you want to help but at this time attempting to install updates on an infected computer is a bad idea. The #1 rule for updating any part of the operating system, and IE IS part of the operating system, is that the system be clean and free of infection.
When the computer is clean THEN I will advise the poster what updates need to be done, and there are many more in addition to Internet Explorer.
PLUS the poster had not yet posted all the requested logs. We cannot advise anything else until all of those programs have been run and the logs posted. THEN we will advise on other clean up steps to complete BEFORE any updates recommending will be done.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have some malware loading:

C:\DOCUME~1\phil\LOCALS~1\Temp\Tj1.exe

You are correct OldTime. We saw that, this is why the poster must follow all the steps in the Read Me Sticky. The longer he waits the more infected the computer will become.

jholland1964 650 Posting Expert Team Colleague Featured Poster

jmainzer, this thread is one year old. You need to create your own thread rather than hijacking another person's thread. You need to follow the steps given in our Read Me First sticky and then create your own thread, stating all your problems and posting the requested logs from that Read Me sticky. Then somebody will gladly assist you in cleaning up the computer.

http://www.daniweb.com/forums/thread134865.html

Let me give you some advice though, your log shows at least parts of three different anti virus programs on there, AVG, McAfee and Norton. The absolute rule is ONE anti virus program should be running on a computer, no more. The HiJackThis version you are using is out of date. The latest version is 2.0.4 and can be found here http://free.antivirus.com/hijackthis/

jholland1964 650 Posting Expert Team Colleague Featured Poster

I can't tell you a thing until I see the Malwarebytes' log. But why did you say;
:Microsoft security essentials detected threats ?