jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello, I am very concerned here by several things you said.

First: "Microsoft security essentials detected threats" and then you said "first thing I did was run avira scan".
Are you saying that you have BOTH of these programs running on your computer? If so that is a BIG No-No. Both are anti-virus programs and the absolute rule is ONE anti-virus program should be running on a computer, never two. Uninstall one of these immediately.

Second thing you say I find concerning: "so I ran malwarebytes and that said it found 2 and when I hit remove it said one couldn't and needed a restart", but you did NOT restart but instead tried to open a browser. Instructions for Malwarebytes' are very clear: REBOOT after running MBA-M! The reason for this request by Malwarebytes is that the program cannot fully remove many infections except during the reboot process, when the infected file is not yet in use. It is obvious from the fact that you booted to Safe Mode instead of doing the normal reboot that the Malwarebytes' removal was not complete, because you said the process showed in the HJT log. Was it running, or in start ups, or where? I need to see that HJT log.
I need especially to see the log from that very first malwarebytes' scan, which can be found by opening the program, going to the Logs tab and it is likely it will be the bottom log on the list. Post that log immediately.

jholland1964

House Call does remove infections found without charge, as far as I know. But obviously another tool needs to be tried.

Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found below:

http://www.bleepingcomputer.com/tutorials/tutorial61.html

Once booted to Safe Mode with Networking do this:

Download the following file to your desktop:
rkill
Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with the possible infection. A small black window will likely appear while the program looks for and stops the processes associated with the infection. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning.

Do not reboot your computer after running rkill as the malware programs will start again. Proceed to the next step.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be …

jholland1964

How do you get them to stop? By posting the requested logs. We can't help until we see something more than "How do i get them to stop it i meant to say?????????????????"
If you are not willing to follow our requested steps then we cannot offer help. We have no idea what infection you have until we see the logs. Plus we have no idea what tools you have used and if those tools were the correct tools and up to date.

jholland1964

To Kristain, you have been warned before. Crunchie has given the correct instructions in this thread. If you have nothing constructive to add then don't post.

jholland1964

Without information we cannot advise anything. Do the steps in our Read Me sticky and post back here with all the requested logs.
http://www.daniweb.com/forums/thread134865.html

jholland1964

Hi welcome to daniweb.
First of all, DON'T use System Restore under any circumstances. It WON'T remove an infection. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not back up your data. If you delete or damage a file, System Restore will not recover it. System Restore will NOT uninstall a program. In fact, if you have installed a program and find you don't want it, using System Restore may leave you with much of the program, but it just won't be listed in Add/Remove, making it much harder to uninstall. System Restore does not keep old copies of your files or settings. If you're looking for an "old version" of a file or program that you used to have on your machine, System Restore isn't going to have it. System Restore does not fix your system. So if your computer crashes and needs to be repaired, System Restore will not repair it.
"I had downloaded a program whose site and program were approved by McAfee SiteAdvisor."
Please give me the name of the program AND the site where you got it.

Now I need to see the log from Malwarebytes'. Please post that here. Were any items found using any of the tools that you used? If so did you tell the tool to remove or quarantine whatever was found?
Post that log here for me and then we …

jholland1964

I also see two programs installed that must be removed as per our Read Me sticky:
Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I’m just going to say this:

P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt.
Our regular volunteers' time is valuable and most are not willing to waste it on a machine that is almost certain to be reinfected in short order.
So, please remove or disable all P2P software for the duration of the cleaning process. Failure to do so may result in your thread being ignored.

Both Frostwire and uTorrent are installed on the computer. A likely reason for any infection. They must be removed for this thread to continue.

jholland1964

And the other two requested logs?

jholland1964

Sounds likely that her email account may have been hacked or she has an email worm sending mails. You need to have her follow the instructions given on our Read Me sticky and post back here with all the requested logs.
http://www.daniweb.com/forums/thread134865.html

jholland1964

Yes, but that is only a partial DDS log. The log is much longer than that. Also, we especially need the Malwarebytes' Full scan log.
Please read and follow all of the instructions exactly as given on the Read Me sticky.
That is set up that way for a very good reason, so we can get as much information as possible. Partial logs or just one of the requested logs really give us nothing.

jholland1964

Hi Alex. We need you to do some scans and post the logs. Can't help with what we can't see.
Follow the instructions on our Read Me Sticky and post ALL the logs back here.
http://www.daniweb.com/forums/thread134865.html

jholland1964

You are contradicting yourself here... "I removed a pretty big malware program with malwarebytes." and then you say... "I have tried everything known to the net, not one of which were able to detect or remove anything."
Several of the programs you ran are for one specific infection, and if you don't HAVE that infection then there is nothing for it to remove... i.e. smitfraud and sdfix.
You ran Combofix without being asked to run it, which is against ALL instructions for it. http://www.bleepingcomputer.com/forums/index.php?showtopic=273628&hl=combofix

ComboFix is an Anti-Malware tool used by advanced malware technicians
specifically trained in its use.

Please DO NOT USE COMBOFIX on your own without supervision!!!

We can't offer any assistance until we see some logs. You obviously must have some and we need to see them ALL beginning with the MBA-M log.

jholland1964

This thread is over one year old. Original poster never returned.

jholland1964

Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).

Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
Turn OFF your Norton program completely. If you have to, stop all the processes running from it via Task Manager.
Download the latest version of MBA-M and save it to the desktop.

Be absolutely certain you download a NEW copy; don't try to reinstall the other.
Then follow the instructions given before.

jholland1964

Did you attempt to Turn Off Norton Security Suite prior to doing the update attempt?

jholland1964

Can you boot to Safe Mode with Networking? If so, then try the MBA-M update then. If it does update then reboot to Normal Mode and run the new scan.
Also, when you posted the DDS log you actually posted the same log twice.
Please instead download the new version of HiJackThis, do the system scan and post THAT log here.

jholland1964

12007 error usually means that the download is being blocked - by your anti-virus program or your firewall.

Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs:

For Windows XP:

* C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
* C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
* C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
* C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
* C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
* C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
* C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
* C:\Windows\System32\drivers\mbam.sys
* C:\Windows\System32\drivers\mbamswissarmy.sys

jholland1964

Your version of Malwarebytes is nearly 2 years old. The current version is 1.46 and current database, as of this morning, stands at 4469.

*The most important instruction for use of MBA-M is ALWAYS update before each and every scan.*

MBA-M issues updates daily, sometimes multiple updates in a day. This is why it is most important to ALWAYS check for updates before each and every scan, even those run one after another.

Please Uninstall this old version via Add/Remove, and follow these instructions exactly:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.

REBOOT the Computer-VERY IMPORTANT
When the computer reboots The MBA-M log can then be found by opening the program and clicking the Logs tab. Double click that log and copy/paste it back here.

Your version of HiJackThis is also out of date, also please Uninstall that one and download the newest version 2.0.4 from HERE

jholland1964

Can you give us more info? Operating system especially. Are you saying you have no safe boot either?

jholland1964

I am not going to get into an argument over legal issues. These are our policies here and we will stick with them.

jholland1964

We need to know the exact wording of the error message.
You need to do the following scan:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.

Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us after you reboot the computer.
Also please run a System Scan and save the log with HiJackThis 2.0.4. Post that log along with the ESET log.

jholland1964

The hesitancy in offering a reply is the result of the findings in your MBA-M scan, which show "\Microsoft Office 2007 Enterprise\keygen.exe".
This shows that this is a pirated version of Microsoft Office.
This again is a violation of our stated Member Rules.
"Keep It Legal
Keep it clean and do not post pornographic material or link to it. In addition, do not post anything warez related or related to other illegal acts. This includes tech support troubleshooting pirated software or P2P programs (i.e. Gnutella, Kazaa) used to obtain pirated software. Exceptions are helping to remove spyware or browser hijacks (that may or may not be related to illegal material) from a computer."
The infected files WERE from Pirated Software. Uninstall ALL programs which you have pirated.

jholland1964

Ok, Delete that Combofix that you downloaded and download it to your desktop again.
Follow the scan instructions again and see what develops. If it runs all the way through then post back here with the log.

jholland1964

You didn't follow the instructions given for the using of MBA-M which clearly state:
Be sure that everything is checked, and click Remove Selected.
You need to Update the program again and run another Full Scan with it and be sure that you DO remove infected items found.
Reboot The Computer>>VERY IMPORTANT and post back here with the log.

jholland1964

I would advise that you uninstall both of those programs before trying again. Is this a 32bit or 64bit system?

jholland1964

You're the boss, it's your computer. Let us know. Though that boot time is extremely long.

jholland1964

As I said, the Bearshare registry items can be removed using Revo.
I honestly don't see anything else you need to turn off at boot up. How long does the actual boot process take?
Are you only connected via wireless connection? Just curiosity.

jholland1964

If those were Bearshare left overs then they can be removed. Any others leave alone. So be sure to check each listing to be sure it IS a Bearshare entry.

jholland1964

As I said, MyWay is now part of the Dell distribution with new computers, so I would imagine it is going to stay because it IS installed with the Dell software. Just don't worry about it. It isn't spyware. MBA-M DID NOT flag it as spyware, so if AVG does it again tell it to ignore it.

jholland1964

"Ran the above program but it ends with a scan for leftover registry items. They look like they're in HKEY_CLASSES_ROOT and AppID. Is it ok to check them and delete?"

You were only removing Bearshare. Leave all else alone. Not sure exactly what you meant in your next post:
"Bottled it, didn't delete anything although bearshare is not there no. Just all the registry keys i'm sure."
Are you saying that Revo didn't see Bearshare so it couldn't remove it, but you DO see it in the registry?
You can use Revo to only search for Bearshare by typing its name in the search box.

jholland1964

You cannot just delete a program, you do have to Uninstall it. So it IS listed in Add/Remove but it did not uninstall when you chose that in Add/Remove?

Try this, Revo Uninstaller Free
Install this program and then run it. You can choose to Uninstall this Bearshare with it.

jholland1964

It is possible that Bearshare is no longer on the computer and just the listing remains in Add/Remove.
Do a file search for it and see if it can be found.
Is the computer still running slow and hanging?

jholland1964

I just noticed in your log that you have a Dell computer. I am sorry, I should have noticed that before.
MyWay is now part of the Dell distribution with new computers. It is not spyware, though it can still be flagged by various scanners as such. Just tell your AVG to ignore it, especially since you can't remove it.
But, I also notice that you only did the Quick Scan with MBA-M. Our instructions clearly say,
Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan,

Update that program and then do a full scan with it. See if it still shows clean.

jholland1964

Double click on Add/Remove Programs

Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

Reboot your Computer and run HijackThis and post back with the log.

jholland1964

Good for you. I recommend Avira Free. Excellent program, FREE as stated and not intrusive either. Wait though until we see what combofix finds this time.

jholland1964

They must have run it since you never did because you have to run the program to produce the log. Very odd that only the log remains though.
Post that one you found right now, and then run the combofix that YOU personally downloaded and post that log.

jholland1964

The computer shouldn't be slower after this update. Couple things running there that need to be stopped for sure...
BitTorrent DNA. Absolutely... this is a HUGE cause of infection. Please see section 1a of our Read Me sticky:
1A: Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I'm just going to say this:

P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt.
Our regular volunteers' time is valuable and most are not willing to waste it on a machine that is almost certain to be reinfected in short order.
So, please remove or disable all P2P software for the duration of the cleaning process. Failure to do so may result in your thread being ignored.

You also have BearShare installed which tells me that P2P is a common activity on the computer. This too is unsafe.
At the time of this last scan there was an update to Google chrome being installed, updates likely are going to slow the computer somewhat.
You also have AdAware Service and Search & Destroy TeaTimer running all the time. Both are unnecessary and CAN both stop or interfere with any fixes attempted. Both of these need to be turned off.
To turn off TeaTimer do the following:
* Run Spybot-S&D in Advanced Mode
* If it is not …

jholland1964

Please do the following:
Please download ComboFix by sUBs from HERE

· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

· When finished, it will produce a log. Please save that log to post in your next reply.


Run Combofix ONCE only!!

jholland1964

Well the GMER scan shows possible rootkit on there. I have requested that crunchie take a look at this and advise the next step.
Judy

jholland1964

Forget GMER. Please post that MBA-M log for us, even if it showed nothing we need to see it.

jholland1964

Hello kilegoty, Please do the following:
Before you can begin cleaning you must first end the processes that belong to Security Tool so that it does not interfere with the cleaning procedure. To do this, download the following file to your Desktop.

These instructions are from bleepingcomputer.
There are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan. If the first doesn't work then try the next until one of them works. This is what you will need to do:
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/eXplorer.exe - - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
http://download.bleepingcomputer.com/grinler/iExplore.exe

When RKill is run it will display a black console screen.
That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill while it was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected.
These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to …

jholland1964

"Hi there, I don't want to appear impatient or ungrateful but I haven't had an update for about six days now
Regards,"

I am very sorry for the delay. I have been away and we are very short handed here.
Can I ask your actual location? I realize you have a wireless set up on there but the locations showing are extremely varied and not likely to be correct.

Your Java is way out of date, you need to go here
http://www.java.com/en/download/manual.jsp

Download the Offline Install package and save it to the desktop.
Then close all browsers and go to Add/Remove and Uninstall
J2SE Runtime Environment 5.0

After that double click the install file on the desktop to install the newest version. Watch the install very closely, it will only take a few moments, because very often unneeded toolbars are included. If you see any of those noted just remove the check mark next to the toolbar and then it will NOT be installed.
After you have installed the new version go back to the download page and on the right side click Verify Now. This will take you to the verification page to assure the new version installed correctly.
After that run a new HJT system scan and post back here with the log and also the info on your exact location.
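Several posts in this thread tell the user to look in Add/Remove Programs for P2P clients (Frostwire, uTorrent, Bearshare, BitTorrent), for the FunWebProducts/MyWay toolbar entries, and for the outdated "J2SE Runtime Environment 5.0". The following PowerShell script is an added example, not code from the thread or from DaniWeb, that reads the same registry keys Add/Remove Programs uses and reports any entry whose name matches those programs. It is read-only: it lists what is installed and the uninstall command each entry registers, and leaves the actual removal to Add/Remove or Revo as the posts instruct. The name patterns are constructed from the program names mentioned in the thread and can be edited.

```powershell
# Added example (not from the thread): list installed-program entries whose
# DisplayName matches P2P clients, FunWebProducts/MyWay toolbars and Java
# runtimes named in the posts above. Read-only: it reports, it does not uninstall.

# Constructed from program names mentioned in the thread; edit as needed.
$Patterns = @(
    'BearShare', 'FrostWire', 'uTorrent', 'BitTorrent',       # P2P clients
    'My Web Search', 'My Way', 'MyWay', 'Search Assistant',   # FunWebProducts / MyWay
    'J2SE Runtime Environment', 'Java'                        # Java runtimes (old ones stay listed side by side)
)

# Add/Remove Programs is built from these keys. The Wow6432Node key holds
# 32-bit entries on 64-bit Windows and does not exist on 32-bit systems;
# -ErrorAction SilentlyContinue skips paths that are missing.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SuspectInstalledPrograms {
    param([string[]]$NamePatterns = $Patterns)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # skip entries with no visible name
        ForEach-Object {
            $entry = $_
            # First pattern (in list order) that appears anywhere in the display name
            $hit = $NamePatterns |
                Where-Object { $entry.DisplayName -like "*$_*" } |
                Select-Object -First 1
            if ($hit) {
                [PSCustomObject]@{
                    Matched     = $hit
                    DisplayName = $entry.DisplayName
                    Version     = $entry.DisplayVersion
                    Publisher   = $entry.Publisher
                    Uninstall   = $entry.UninstallString   # the command Add/Remove runs
                    Key         = $entry.PSPath            # registry key, for checking leftovers
                }
            }
        } |
        Sort-Object Matched, DisplayName
}

Get-SuspectInstalledPrograms | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. An entry that appears here after the program's files are gone is the "listing remains in Add/Remove" case described earlier in the thread; the Key column tells you which registry key the leftover lives under, so it can be compared against what a tool like Revo shows before anything is removed.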

jholland1964

"That is probably why. Microsoft no longer supports windows Vista and as far as I'm aware Microsoft never did support Windows Vista. So upgrade to Windows 7 or at the very least download linux from your local internet hub. WindowsVista==WindowsME.
For all we know Internet Explorer might not be compatible with Windows Vista."

Have no idea WHERE you saw this but Vista always WAS and STILL is supported until April 2012 by Microsoft as long as SP 2 is installed. Same goes for XP, as long as SP3 is installed it also has support until April 2014.

You are also wrong about Internet Explorer. It is FULLY COMPATIBLE with Vista. It is part of the operating system.
You need to check your facts before posting 100% inaccurate information.

jholland1964

You are correct. Disable during the GMER run but re-enable after it is complete.

jholland1964

I am guessing it may be your Verizon security program scanning.

jholland1964

Uninstall NOTHING. Post the requested logs from the Read Me sticky right here.

jholland1964

scruff74, this post has absolutely nothing to do with this thread. You need to begin your own thread with your own title. You will not receive help by hijacking another person's thread.

jholland1964

This is for fred sheehan and the advice to use System Restore:
This is dangerous advice. First, things can and do go wrong when attempting to remove malware. It doesn't remove the infection and can make removal that much harder.
System Restore is meant to restore from very RECENT changes, like just a day or two, not weeks. System Restore does not back up your data. If you delete or damage a file, System Restore will not recover it. System Restore will NOT uninstall a program. In fact, if you have installed a program and find you don't want it, using System Restore may leave you with much of the program, but it just won't be listed in Add/Remove, making it much harder to uninstall. So please stop recommending this.
Now for irincka; Please do not reinstall SpywareDoctor. That is not one of our recommendations. What you need to do is follow all instructions and do all the scans recommended in our Read Me...sticky.
http://www.daniweb.com/forums/thread134865.html

Post back here with all the requested logs and then you will be given any other needed instructions to remove this infection from your computer and get it working properly again.
Judy

jholland1964

Can you give us a print screen of what you are seeing? I have never seen "scanning" listed in my Task Manager, even when my av is scanning. It just shows that it is using resources and how much.
