Posts by jholland1964

Thanks. Let me go through all this and I will get back with you. As you can imagine, it will take a bit.

Ok, to be sure, do the following:
Instructions from Bleepingcomputer;
1. Download tdsskiller from the following link and save it to your desktop.

tdsskiller Download Link - http://support.kaspersky.com/viruses/solutions?qid=208280684

2. If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.

3. Once the tdsskiller.zip file in your desktop, we need to extract the files from the zip file. You can do this by right-clicking on the tdsskiller.zip file and then selecting the Extract All.
At the next screen, keep clicking the Next button until you see a screen which says Extraction Complete. Click the Finish Button.
4. A folder will now open containing two files, including the TDSSKiller.exe program. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com.

5. Once the file is renamed, you should double-click on it to launch it. When you run the …

Download and run Sysinternals Process Explorer and check it the next time you experience this error.

kristain;
You need to fully read all posts in a thread. The original poster, raya2, clearly states in the very first post that Sysinternals is all ready on the system and has been used. In fact a screenshot from Process Explore (from Sysinternals Suite) Is posted in the very first post in this thread.

kristain;
I suggest that you read this FULL Thread. All of these steps that you have just asked the poster to do have all ready been requested by Crunchie and completed by the poster.

It seems like you may have malware or a runaway add-on creating this issue.
I suggest installing/updating malware removal and protection software and performing a full scan.
I also suggest updating your anti-virus software and run a full scan.

kristain, our Read Me sticky http://www.daniweb.com/forums/thread134865.html
contains all the correct programs and instructions to assist in removal of the malware that IS showing in the posted log. We ask that all of those posting for help use these programs and post the logs in their threads.

Thanks. Let me go through all this and I will get back with you. As you can imagine, it will take a bit.

You have the TDSS rootkit need to do the following:
Note to others reading this thread, these instructions are for THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.

Unless you have access to another computer during the program run please print out these instructions for reference as you will not be able to refer to them while this program is running.

Please download ComboFix by sUBs from HERE
· You must download it to and run it from your Desktop
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Happy I could help!

Hi, other than the Malwarebytes' and HiJackThis logs I have no idea what those other logs you posted are from.
You have a huge number of running processes yet really no auto starting because you have disabled them using MSCONFIG. You have a large number of auto starting services.
You need to follow all the steps given in our Read Me Sticky
http://www.daniweb.com/forums/thread134865.html
and post back here with all of those requested logs.

Fantastic. Couple of things left for you to do;
You should remove HiJackThis, you don't need it any more. Also DDS and GMER can be removed.
You also should uninstall combofix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Then I would also recommend that you install SpywareBlaster by Javacool. A superb protection program, doesn't run in the background by protects the computer against unwanted ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox. Just download, install, update and enable all protection. Close the program, that's it. Manually check for updates once a week. It doesn't update often,maybe twice a month. When there is an update install and then enable all protection and close the program.

You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow …

How are things running?

Update MBA-M and run a new Full Scan with it. Have it remove everything found and then of course Reboot. Post back here with the new log.

Also, uninstall that Old version of HiJackThis and download the new one, 2.04 from
http://free.antivirus.com/hijackthis/
and give me a new system scan after the MBA-M scan.

Hi and welcome to daniweb,

I have adequate virus protection, adware software installed.

Obviously not, unless you are located in the Ukraine, and your profile indicates that you aren't but your log indicates connections to the Ukraine, you have at least one backdoor trojan on the along with multiple others as indicated by the HJT log, and this is just a "snapshot" of what may be going on there.
I would strongly advise that you do NO personal business on the computer until the cleanup is complete, no banking, shopping, anything like that, honestly even email should not be used for now. No social networking

While at the moment it appears that Firefox is working well and the problem only lies with IE if you don't get the computer cleaned up then all aspects of your computer will be affected.

First of all, Uninstall that AdAware program, it is just not what it used to be and can interfere with any fixes attempted. Also go ahead and uninstall that CA Anti-Spyware program too, it obviously is doing nothing.

Frankly am not crazy about the MSE program either but we can deal with that later, though you can see here it really isn't worth much. Keep it on there for the moment however, "little protection" is better than none.

You need to complete all the steps found in our Read Me sticky found here, including the removal to TEMP files as some of these infections are …

Will wait for the log. Please copy/paste the entire combofix log.

If everything is ok and the computer is running well then you can mark this solved unless you have other questions or concerns.
Judy

Hey Judy - I'd suggest skipping ahead to a run of Combofix and making sure it addresses the infected atapi.sys.

Cheers :)
PP

Thanks PP will do!

kaylaface, here are the steps you need to do next.

Note to others reading this thread, these instructions are for THIS COMPUTER and THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.

Unless you have access to another computer during the program run please print out these instructions for reference as you will not be able to refer to them while this program is running.

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored …

Thanks, now I would like you to run the ESET Online Scanner

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot and post the log for us.

I'll get right on it. Norton expires in a few days.

Good enough. In case you have problems removing ALL of the Norton files, because it does tend to hang on, you also, AFTER doing the normal Uninstall via Add/Remove, then run this Norton Removal tool to get rid of any remainders, this way you know it's all gone.
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039

Just pick the one for your particular program.
Remember too, there are multiple entries in Add/Remove for the Norton programs and all have to be uninstalled. Some versions have two some have more. One that many people miss is Live Update.
Most of the Norton stuff is listed Norton and/or Symantec, so look for both in there.
Once you have done that then complete those steps in the Read Me sticky I linked to, post the logs and I will give you the next steps. Remember, don't wait too long because there IS malware listings in that log and you don't want more to come in.
Judy

No, I all ready told you before this is NORMAL for a Vista system. If it weren't they wouldn't have instructions given to bypass this. The original scans you ran were done in Safe Mode which would bypass all this "security" stuff that Vista has built. That DDS scan is used because of these Vista securities settings don't stop it because it has no repair capabilities, just a scanner snd because DDS cannot be used to do any fixes, like you have been able to do with the previous HJT scan. HJT must be run, but the warning is perfectly normal for Vista and I imagine maybe for the new Windows 7, though haven't had it mentioned by anyone yet.

The warning still shows up though. Is that bad?

What warning still shows up?

Hello, One thing for sure I can tell you that is definitely wrong is you are running TWO anti-virus programs, AVG9 and Norton 360. That is an absolute No-No. The rule is ONE anti-virus program on a computer. I have no idea which one is current or if the AVG 9 program is paid or Free. But I know the Norton is a paid program. If it is not expired then you must Uninstall the AVG program. If both are paid programs and are both current then you decide, but ONE of them must be 100% Uninstalled using Add/Remove. Your Defraggler program WAS running during the HJT scan, totally unnecessary. There is no reason to have a program such as this running all the time. You have a huge number of unnecessary programs running automatically at start up and therefore many of those run all the time in the background, slowing the computer considerably. But the two anti-virus programs running all the time, fighting each other, both also being resource hogs would certainly also slow the computer a lot and could very likely also lessen your protection rather than improve it.
You also most definitely have some malware on there which will need to be removed.
Take care of the extra anti-virus program removal first, then follow all the instructions given on our Read Me sticky.
http://www.daniweb.com/forums/thread134865.html
Post back with ALL of the requested logs and we can go from there and get the computer …

Before I can say all is good could you do one more system scan with HiJackThis and post it here?

Thanks for those logs. You left one log off which we also need to see. As our instructions say
"Copy&Paste both the DDS.txt and the DDS Attach.txt into your post for assistance."
We need both of those logs.

Yes, this is the scan log. You did just fine.
You now need to run HiJackThis again. When it completes the scan you need to put check marks into the box next to the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

After you put in the check marks click the Fix Checked button.
Exit HJT.

Earlier you said
"Don't know how the proxy server got checked off." It was the infection that did that. Also that R1 listing above shows the infection WAS on there also.

Now, you are not running an anti-virus program, this is and ABSOLUTE MUST.
I know your logs show that you have AVG 9 installed but it is not running, and very likely has been damaged by the infection. I am recommending that you go to Add/Remove and Uninstall it. Also use this tool to remove any remaining files after you have done the normal Uninstall.
http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

I recommend that you download, install, update an excellent FREE anti-virus program Avira Free. http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914

I have used it for several years and am extremely pleased with it and I believe you will be also. Download, install, update it and have it do a full scan. If it finds anything have it remove/quarantine them.

Also another …

bubbaman, Please ignore the recommendations given by another concerning the use of an automated registry cleaner, this is very bad advice. A tech I have long respected said once:
"Using an automated cleaner to try to fix a problem is akin to using a shotgun to remove an appendix . The best way to deal with (possibly) registry-related issues is is to throughly research the problem and then use regedit to make any necessary changes and/or deletions (having first set a restore point or created a backup)."...this is advice I have always adhered to and always advice others the same. Stay away from these types of programs, you are only asking for trouble. At this point "playing with" the registry is not the answer. So IGNORE the suggestion given.

Just noticed in your Add/Remove you also still have One Symantec file listed, which also is still running on your system and that is the
LiveUpdate 3.0 (Symantec Corporation). You also need to go into Add/Remove and Uninstall this one also. It is very easy to miss when doing the uninstalls.
If it will not uninstall then download and run this Norton Removal tool to be certain that all the Norton/Symantec files are removed from the computer.
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Do the above, and the other steps I have given you. I have referred this thread to one of the other mods here, crunchie, so he will be reviewing it all also. So you may have one …

Try right clicking HiJackThis and rename the file to analyse.exe and see if it will work

Try downloading HiJackThis again once more. See if you can run the scan

Sys restore used to keep about a month of restore points, I had one created when internet was ok. I used that as a quick fix. Suddenly my points went to 10 days. Not sure if related.

As I said, you don't want to use restore points older than a couple days at most. If you used it to go back to when internet was ok...I don't know when that was, then other points made AFTER that time would be gone. It just ISN'T a "good fixer".

Look in Add/Remove and see if HiJackThis is listed there, if it is Uninstall it.
As for the ESET Log, it should be located in that file, not certain why it is not.

. ESET is for Creative Technology.
.

ESET is the Anti-virus program installed on the computer.

See nothing there. You were totally unable to run HiJackThis or did you only receive this message? This is normal for a Vista system.
If you DON'T have run as Administrator option, is there a Continue option? If there is then just click Continue.

As far as Internet Explorer...do you USE a proxy server? If you do not:
Open Internet Explorer, go to Tools, Internet Options, Connections, LAN Settings. If there is a check mark in the box which says Use a Proxy Server, then take the check mark OUT of there and see if you can connect using Internet Explorer.

Do you want to see a copy of the file it told me to delete?

Yes

Is this new Nancee or was it a problem before you ran the scans? What happens when you try to use Internet Explorer? Do you get any kind of error message? In Internet Explorer Click File and be certain that Work Offline does NOT have a check mark next to it. If it does, click and this will remove that check mark.

Skip the ESET scanner for now, use Firefox to download the HiJackThis program and run the scan.

Ok good. First of all you have SpyBot TeaTimer running. It is known to interfere with any fixes attempted so you need to turn that off first thing.
To disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Next your Java is woefully out of date. You are running version 1.5 Current version is 6 update 20.
You should go to the sunjava website;
http://www.java.com/en/download/manual.jsp

Download the Offline Install file, 2nd one down, and save it to the desk top.
Then close all browsers and go to Add/Remove and Uninstall all instances of Java that you find there.
Once it is uninstalled then double click that Java install file on the desk top to install the newest version. Watch the install closely, often times there are extra tool bars included that you do not need. They will be noted at the bottom of one of the install pages, take the check mark OUT before continuing on. Once the install is complete then go back to the download page and on the right side click Verify Now to go to the verification page to …

Ok, I did everything on that post except the second GMER scan, it kept failing, but the problem still occurs, what do I do now?

Where are all the requested logs? We have to see the logs in order to know what, if any, next steps to take.

Looking good. Now do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer.
Next download HiJackThis version 2.4
Run a System Scan with it and save the log.
Post back here with both the ESET Scan log and the HiJackThis log.

Sorry for that unrelated babble....
Can you now try, in normal mode, to update Malwarebytes' Anti-Malware 1.46 and run another Full Scan in normal mode, having it fix whatever it finds. Reboot and then come back here and post that log.

ok granted, sometimes holding doesn't work.

but

I never said you have to go into BIOS. that's what I was correcting you on mate.

Well then what does this mean?

right after the Bois boot screen,

It should read right after Windows Splash Screen.

And sometimes holding doesn't work...not sometimes, it doesn't work. No where will you find instructions telling you to HOLD F8.

umm Jholland? please reread what I instructed.

hold F8 right after the Bois boot screen

And YOU please read what I posted.

You do not hold down the F8 key...you should gently tap the F8 key repeatedly

Also note these various websites instructions for using F8 to choose Safe Boot, note NONE of them say HOLD DOWN F8, they say either gently tap, repeatedly tap or press but NOT hold down:
http://support.microsoft.com/kb/315222
http://www.pchell.com/support/safemode.shtml
http://pcsupport.about.com/od/fixtheproblem/ss/safemodexp.htm
http://www.bleepingcomputer.com/tutorials/tutorial61.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true
http://bertk.mvps.org/html/safemode.html
I can give you more links if you wish, but none say hold down.

Let me go through things you have mentioned one by one:

I installed a fresh SPybot and teatimer and teatimer was blocking my internet for some unknown reason.

Here is the info from the SpyBot FAQ:

The Resident TeaTimer is a tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future....In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.
The TeaTimer is always running in the background.

Now you know that it WAS running all the time, it could have easily been blocking your internet unless you allowed it. Know you have uninstalled it so that problem should have been taken care of, but FYI, you can use SpyBot without TeaTimer enabled. Then it will not run in the background UNLESS you also use it's Immunize feature, then it will block certain websites listed in its Immunize section. This also can cause a problem. I recommend using SpyBot ONLY for scanning purposes.

System restore does not create checkpoints and looses the previous month data.

System Restore is only alloted so much space on the hard drive and when that amount of space is used then the oldest listings are discarded to make room for the newest listings. That said, …

I posted the info for you one week ago but you have done nothing for a week. If you wanted to fix the computer you would have stayed with this thread.

safe mode

Restart and hold F8 right after the Bois boot screen, where it asks you to press Del (or F2 in some cases) to enter Bois.

Then it will list boot options just press enter on Safe mode and you should be able to run the scanners there.

Those are not correct instructions for entering safe mode. You do not hold down the F8 key and enter BIOS. Going into the BIOS is not necessary for booting to Safe Mode

If the programs have downloaded correctly then do the following:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.

If the programs are not all ready downloaded then choose Safe Mode with Networking. This will allow you to go online while in Safe Mode in order to download the programs.
4. Then press enter on your keyboard to boot into Safe Mode or Safe Mode with Networking.
5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.
If you are running Vista the same instructions apply only you would be presented with Windows Vista Advanced Boot Options in …

This thread is one year old. As the original poster never returned I doubt that this suggestion will be used.

When you are viewing images on line via Firefox, exactly HOW are you doing this?
Are you clicking on the image using the scroll wheel or just the button? If you click with the scroll wheel then the image WILL open in a new Tab.

Be sure to follow the instructions in our read me sticky concerning P2P programs.

bubbaman, please just follow the instructions I gave you in my post and report back with the corrected HJT log and the other logs from our Read Me sticky as directed.

I just did another scan with Malwarebytes and it says no infections found...

That's good. As PhilliePhan said this is basically minor malware. I would recommend that you also install SpywareBlaster from Javacool. It is a great, free protection program.

SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs

Download, install, update and enable ALL protection. Close the program. Manually check for updates once a week. If it has an update, download, install and enable. Close the program.

Offers superb protection.

Are there any other questions of difficulties with the computer?

P.S. heres my registry:

C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBPIMSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Not certain what you mean by the above as this is not the registry.

The HiJackThis log you posted is incomplete. We need to see the entire log from top to bottom.

Please follow the steps given here http://www.daniweb.com/forums/thread134865.html and post back with all the requested logs.

You also are running Two Anti-virus programs or portions of two at least, Norton and AVG 8. AVG 8 would be likely out of date as there is a new version out now. I do not know what version of Norton you are running but one of these programs needs to be 100% removed ASAP. Running two anti-virus programs on one computer just adds to the possibility of infection.

What Add-ons do you have installed in Firefox?

Low level malware to be sure. But MBA-M isn't the only scanner that picks it up, SpyBot, SAS are just two others that also find it. Why leave it on a computer? Especially if the user didn't willingly install it?

http://www.google.com/search?hl=en&q=MBR+worm&sourceid=navclient-ff&rlz=1B3MOZA_enUS327US327&ie=UTF-8