jholland1964 650 Posting Expert Team Colleague Featured Poster

I am sorry we couldn't do it with just cleaning procedures but I do believe you will be much happier doing it this way...essentially you should end up with a new computer!

And, in the long run, it will be much faster than trying to find every little bit of infection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those types of files should be ok, but be sure to scan them first before putting them onto the newly formatted computer.

As I said, totally reformat the drives, wipe them clean. Then install Vista and all of your drivers. Of course if you have a router and modem those will have to be hooked up also so you can get online. Do that after the system reinstall. Then go online and thoroughly update the system with all Windows updates. Then you can go forward with the upgrade. Once that is done and fully updated then begin just as you would with a brand new computer installing everything else. Begin with the security programs, including the built in Windows 7 firewall. It is excellent.

If you have any further questions about all this just post right back here and I will try to find the answers for you if I don't know them.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We KNOW that McAfee is not working so scanning with that is pointless. MBA-M was working but there is no guarantee that it truly still is working well.
Before putting them back onto a clean computer they most definitely should be scanned again with a brand new, fully updated copy of MBA-M and a brand new updated anti-virus program but honestly I cannot guarantee that they won't include infections. If any of these saved files are videos, music or games I would NOT back them up, I would get rid of them.
Neither of those programs should be kept for the new install. You will need to install brand new copies of each. They shouldn't be carried over to the new install.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I truly don't believe so. The original infected files are on that OLD install, new ones have appeared on the new install, telling me the entire computer is very infected. So essentially you have TWO operating system files on there with infections in each.
The GMER running for days is some indication of that. Several hours is what is listed as the longest time, not DAYS and that depends on the computer. Not the 50 hours & 20 hours as both of the runs you have done show...and you had to stop both of them in order to continue. That is nearly 3 days trying to scan with just one program and the scans never could complete, you had to physically stop them.
If you want to try I can give you other tools to use but as I said, the computer files are most likely damaged and running other tools could cause further damage.
As long as you have the Vista operating system disks a reformat/reload would take just a few hours. With all updates applied you could have the computer up and running Vista well by tonight, not several days from now.
You have been working on this well over three days here, that doesn't count the time spent before you came here and posted your question.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, just wanted to be sure. Take a look at where most of those files found by ESET were located,

C:\Windows.old\Program Files\

This says that the upgrade from Vista to Windows 7 was done without first making absolutely certain that the computer was 100% clean and free of infection and it obviously was not clean. It also is very likely that the Vista operating system itself was not fully up to date before doing the upgrade to Windows 7, that is a must also. Those are the first two steps that must always be done when doing anything major on the computer, whether installing new Windows updates and service packs or upgrading the computer to a new operating system.

Some of these infections are very old infections, discovered back at least in 2008 or 2009 and all had removal and prevention steps almost immediately released at that time, but those obviously were not used before the upgrade was done because if they had been then there would have been no infected files in that Windows.old folder. Most anti-virus and security programs today either prevent them entirely or at least scan for these and remove them. Most are rarely seen today, except in instances like this. There are also many system and program security updates that have been released in the last three years that would even protect against these getting onto the computer in the first place. This tells me that the computer itself was definitely not …

jholland1964 650 Posting Expert Team Colleague Featured Poster

GMER should not be taking that long. Stop it. Are you actually posting from the infected computer or are you using a different computer? When doing any type of scan nothing else should be done. Are you using the computer for other things while attempting to clean?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I will take your word for this, however be aware, that if you have not been forthcoming with this and there are other cracked programs on there it is possible, even likely that any further fix steps will not work.

Do the following:
Go to the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Anything else? Those trial versions are only temporary and good for a short time I believe, not illegal unless you illegally upgrade to the paid versions without paying for them.
How many other programs are on there that are not paid for but should have been?
Nearly every infected file found by MBA-M was on there because of the use of a keygen, possibly all of them since that is one of the easiest ways to get an infection, illegal use of what are supposed to be paid programs. Obviously those two are not the only ones on the system. There are four different PAID programs listed with infected files from the MBA-M log, with keygen related infections. All serious trojans.

sony vegas 10
vegas 9
adobe photoshop cs4 v11.0
propellerhead reason 4
Approximate value of all of the above in the U.S. is around $1000.00

I am possibly also questioning the legality of your system based on these notations in the log

c:\Windows.old\

Do you have another Windows operating system installed someplace?

At least one of the items found by MBA-M was the Boaxxe Trojan. It installs other malicious programs on your computer that disable key security features and then attempt to steal any passwords you use, such as for your banking website. Another of the real "benefits" of trying to steal paid programs...the people who write these illegal cracks get your money anyway. It just goes to them …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You may have uninstalled the keygens but you did not uninstall the program, it still shows in the log
Vegas Pro 10.0

This is one program you attempted to install illegally, how many others do you have on there?

jholland1964 650 Posting Expert Team Colleague Featured Poster

If I click the DDS link in the post posted earlier in this thread, I just get a blank page and nothing happens; the URL in the URL bar shows this: about:blank

I think the MBA-M log is the second one (Malwarebytes' Anti-Malware).

And for the GMER, I should scan my C:\ drive (Windows installed on this one) and everything except sections and IAT/EAT, right?

Just stop the GMER scan.

You must have a pop up blocker enabled on the browser. The DDS link given is a direct link for the executable which should pop up on your computer and ask you where to save it.

Here is a link to the download page itself. Turn off any pop up blockers

http://www.bleepingcomputer.com/download/anti-virus/dds

jholland1964 650 Posting Expert Team Colleague Featured Poster

Stop the GMER scan; it should never take 50 hours.

If you refuse to remove these two items found by MBA-M then we cannot go forward.

c:\Users\Cas\Desktop\unused\keygen\sony vegas 10 keygen + patch\Keygen.exe (RiskWare.Tool.CK) -> Not selected for removal.
c:\Users\Cas\Desktop\unused\keygen\vegas 9 free\Keygen2.exe (Trojan.Agent.CK) -> Not selected for removal.
Besides being listed as extremely dangerous, these are illegal password and/or license key generators, meaning to me anyway that you are running pirated copies of various paid programs, at least Sony Vegas 9 and 10. Both of these are paid programs and using a keygen to generate the license key shows you are using them illegally.

This is the number one rule listed here which includes the lines listed below:

Keep It Legal
Do not ask about obtaining pirated software, nor link to it
Do not ask for help to pursue any illegal activity including, but not limited to, hacking and spamming
Do not pursue any illegal activity within forum posts

This includes requesting assistance in the removal of infections contained in or likely brought in by the use of illegally obtained programs.

If you do want assistance you will Uninstall each and every illegally obtained program on the computer and the keygens used to generate any and all of them. Otherwise this thread will not go further.

jholland1964 650 Posting Expert Team Colleague Featured Poster

In order for us to know and see what may be going on with the computer please follow all of the instructions given in our Read Me First Sticky

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Post back here with Copy/pastes of all requested logs then we can tell you what you need to do next.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The laptop has been restarted with nothing running at all.
That isn't possible, except in Safe Mode. Otherwise each and every one of the unnecessary programs listed below auto starts with the computer and runs in the background, even if you are not using them at the time. Look at the huge number of running processes showing when you ran this and the previous DDS scan.

Turn all of these off, they do not need to auto start. All can easily be run manually when needed.
Pando Media Booster
msnmsgr
Google Update
WMPNSCFG
Steam
ManyCam
Windows Defender>>> disable this entirely and leave it disabled. It is useless and can interfere with any other security programs running on the computer.
HP Software Update
Google EULA Launcher
Google Desktop Search
DivX Download Manager>>>can often be considered very questionable.
Camera Assistant Software
Adobe Reader Speed Launcher
Malwarebytes' Anti-Malware (reboot)
QuickTime Task
iTunesHelper
ApnUpdater
SunJavaUpdateSched
DivXUpdate
OSA9.EXE

Have you cleaned all the dust and air vents on the computer recently? This almost sounds to me like an overheating problem. Too much running all the time for sure.

jholland1964 650 Posting Expert Team Colleague Featured Poster

µTorrent is still on there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, sorry have looked at the logs. Did you uninstall all the items I noted earlier?
If so please run a new DDS Scan and post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have a lot more than missing drivers, there are key system files missing or damaged.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, followed the sticky cleaning process and it fixed it. It was some trojan and rootkit. Thanks for the help!

How can you be 100% certain that everything is gone? Those are preliminary steps only. There likely would be other steps required to complete the cleanup. If everything isn't gone then further work will be much more difficult.

This is a help forum, it would have also provided help to others experiencing the same problems if you had been willing to share all the information with others and also the helpers here.

Sorry you have chosen not to go forward with other steps. Hope all works well for you.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hate to say this but think you have gone as far as possible in attempting to clean the machine. There are obviously key system files damaged and your best option now is to reformat the machine back to factory and reload the operating system. Attempting to do any further clean ups will be virtually impossible.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Task manager is where you look for running processes, not Device manager. That shows hardware installed, not if it is running.

Did you go to Administrative Tools, Services? That is where you start services.

Select the Plug and Play service and click Start.

To prevent the error from occurring in the future, do the following:

Services.
Select the Plug and Play service and click Startup.
Click to select the Automatic option in the Startup Type section.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Start, Control Panel, opening Administrative Tools and then clicking on Services.
Scroll down and find the Plug and Play service. Double-click on it and make sure the Start up type is set to Automatic and click Start if the service is not running.
Check to see if your Device Manager is still blank or not. If it is, then you can also try to enable more Windows Services by going to Start, Run and typing in MSCONFIG. Click on the Services tab and choose Enable All.
Also make sure the checkbox is NOT selected in "hide all MS services" at the bottom of the dialog box.
Restart the computer.

Why were you in Device Manager?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you get online?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey, happy to try to help.

Ignore that warning and run the program. It's not a requirement. Many people don't have recovery partitions.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Follow all the instructions given in our Read Me First sticky and post back with Copy/Pastes of all requested logs. Until you post those logs no advice can be offered.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

The MBA-M program could not have updated unless it was online. You said you ran it from the usb drive, that was not online.

The program itself is the current version but the database is way out of date. The one shown on your log is Database version: 7622 and as of yesterday the database version was Database version: 8104 and as of right now the latest one is Database version: 8119 so you see the one you used was way out of date.

I see by the log you have used, at some time, msconfig to stop autostarting programs. Go back in there and re-enable everything that you have stopped. It may be that something you stopped would be a required file.

Your log shows at least one trojan on there, maybe more.

jholland1964 650 Posting Expert Team Colleague Featured Poster

HOW CAN YOU TELL IF IT'S A blue screen of death CONCERN
- error msgs
- HD FAILED
- immediate blue screen
- ntldr missing or corrupt
- just plain blank screen

-------------------------------------------------------------
Booting is loading of software, the process that will load all your data in the hard drive
hard drive errors are NO BOOT concern
*hard disk failed
*bsod
*ntldr missing or corrupted
*blank screen

TROUBLE SHOOTING
1. Ask them to restart the computer
make sure all non essential peripheral are not connected to the system
and run diagnostic tool

Run diagnostics F12

IF PASSED
*but ask to back up files on your computer; if can't back up, transfer call to solution station with SR
or OSRI(Operating System Reinstallation) pc restore.

IF FAILED,
*know the error code and if ever replace or reseat hard drive

If you encounter error 0141 or 0150, check BIOS to check if the HDD is detected
See if the HDD is properly seated
Recheck BIOS if HDD is detected, if yes rerun diagnostics and test
If it still won't load Windows, it's an OS issue and there's a need for OSRI

Check for HDD error codes:
Check BIOS
Reseat connectors/data cable
PSA (Fn + Power button) for laptops
F12 Hard Drive Diagnostics
For error code = STOP :Xnnnnnn ask the cx the first code
The Last Known Good Configuration (F8)

HDD Troubleshooting:

Check for HDD error …

jholland1964 650 Posting Expert Team Colleague Featured Poster

hey man, having video issues. monitor not showing anything. give me step by step TS. c'',)

Please create your own thread instead of hijacking another person's thread.

jholland1964 650 Posting Expert Team Colleague Featured Poster

With the exception of the MBA-M program this computer has absolutely no security programs installed.
The database for MBA-M is out of date. You need to go to this link and download to the usb device from there and update the program and run it again.

http://malwarebytes.gt500.org/

jholland1964 650 Posting Expert Team Colleague Featured Poster

First problem is your cousin is running TWO full Security suites, McAfee and total pieces of junk
IObit Security 360
IObit Toolbar v4.1
This IObit Security 360 program gets terrible reviews, its own website is rated as unsatisfactory and possibly unsafe to even visit.
Having this alone is a real problem but running two different av programs and firewalls is the number one No-No. It does not increase protection but lessens it because they fight each other and the "bad guys" come right on in.
Also on there from this same company and another lousy program is

Advanced SystemCare 3, also very dangerous because it contains a registry cleaner among other things and "allegedly" will speed the computer and keep it running at "top notch" level, it doesn't and a registry cleaner is never needed and can do more damage than good.

I am not crazy about McAfee but at least it is from a reputable company and certainly not considered terrible as all that junk from iObit is considered to be.

Just do a search for reviews of iObit products and you will find the majority are "less than glowing".

Also on there is Norton Security Scan

Second no-no is your cousin is running P2P programs, virtually the easiest way to infect a computer.

These also run all the time, and at start up.
µTorrent
uTorrentBar Toolbar

Is your cousin's version of MBA-M …

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, if you notice I said it runs fine in Safe mode if required. Post that Attach.txt log Copy/Paste it.
I already see several key problems but need to see that one too.

There are 47 program files that run automatically at start up, most not required and several that MUST BE Uninstalled for sure. That's part of the slow down for sure.

I have not gone through the Services yet.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Windows Vista. - yes I have tried booting in safe mode and so far so good. He is complaining of the fact that if he is running a couple of programmes then it has a tendency to crash and restart automatically or go to blue screen.

It takes 15 mins to load on initial start up due to the number of programmes that he has open upon booting. Therefore I do have a feeling that this could be just to pure overload.

Of course it could be malware too so that can't be ruled out yet. But since you say it takes 15 minutes to just boot the computer, which NO computer should require, it sounds to me like you have likely narrowed down the problem.

Run the DDS Scanner FIRST and post those two logs here, copy/paste BOTH logs.
It runs fine in Safe Mode. After you have done that then continue with the malware scanners to rule that out too. But give us the DDS logs. We may find the problem right there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this with the Infected computer to see if maybe you can get it online.
Shut down, and then attempt to boot to Safe Mode with networking. You may be able to get online with it that way because that may bypass the autostarting infection processes. If you can you can then do the steps that way.

If not then another thing to try is download the removal tools to a flash drive from the good computer and then run them from the flash drive on the infected computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have posted this problem at multiple forums. You should choose one and stay, doing steps from multiple places is never a good idea.
If you wish assistance here then complete the steps given in the link caperjack gave you and post back with all of the requested logs.
If you decide to stick with the other forum then please post that here so we can close this thread.

jholland1964 650 Posting Expert Team Colleague Featured Poster

HiJackThis is rarely used today. Please follow all of the instructions given on our Read Me First sticky and post back with Copy/Pastes of ALL requested logs and we will be happy to assist you.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

You should remove DDS scanner, you don't need it any more.
You also should uninstall combofix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

Uninstall Combofix:
Go Start and in the Search Box
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am having the same problem with IE and the host process starting two weeks ago when IE updated itself in spite of my telling it to not install updates without my specific approval. I will wade through the above solution and hope it helps. Thanks for all the info.

First of all this thread is marked SOLVED and should only be used by the original poster.

You need to begin your very own thread. We cannot and do not offer assistance to more than one person in a thread. Though it seems that your problem is identical, it may very well not be caused by the same type of infection and therefore the steps given to jrobbins93 may not work on your machine or even be able to attempt.

Follow all of the instructions given in our Read Me First sticky

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Then create your very own thread, with a title that gives a brief synopsis of the problem. Be very specific in your first post about the symptoms and Copy/Paste ALL requested logs from the tools on the Read Me First sticky and we will be most happy to offer assistance.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, Avira is EXCELLENT. Keep it. You just should have told me because the log of course showed that Norton was no longer there and Avira Free was there. That is the same program I have used for probably three years and have been very pleased with it.
Are you still having problems?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to explain some things, the Combofix log clearly shows it is turned on, it also shows that for some reason now you are running Avira Anti-Virus
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

but your DDS log showed you were running Norton Internet Security Suite, which also includes the Norton Firewall.
That log also shows that at the time of running DDS Windows Defender was turned off. It no longer is turned off.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

When did you Uninstall Norton and install Avira and why? It does NOT show anywhere in the DDS log and it does not show that it was installed anytime in the last 3 months in the Combofix log.
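The comparison made in the post above can be done mechanically. The following is an added example, not part of the original post and not code from DDS or ComboFix: it parses the AV/SP/FW lines quoted above from both logs and reports which products disappeared, appeared or changed state. The function names are hypothetical.

```python
import re
from typing import Dict, NamedTuple, Tuple

# One Security Center entry as it appears in the two logs quoted above:
#   KIND: Product name *State[/Definitions]* {GUID}
ENTRY_RE = re.compile(
    r"^(AV|SP|FW):\s+(.+?)\s+\*([^*]+)\*\s+\{([0-9A-Fa-f-]{36})\}$"
)


class Entry(NamedTuple):
    kind: str   # AV = antivirus, SP = antispyware, FW = firewall
    name: str
    state: str  # e.g. "Enabled/Updated", "Disabled/Updated", "Enabled"
    guid: str

    @property
    def enabled(self) -> bool:
        return self.state.split("/")[0] == "Enabled"

    @property
    def label(self) -> str:
        return f"{self.kind}: {self.name}"


Key = Tuple[str, str]


def parse_entries(log_text: str) -> Dict[Key, Entry]:
    """Collect AV/SP/FW lines, keyed by (kind, GUID); other lines are ignored."""
    entries: Dict[Key, Entry] = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            # GUID case differs between tools, so normalise before keying.
            e = Entry(m.group(1), m.group(2), m.group(3), m.group(4).upper())
            entries[(e.kind, e.guid)] = e
    return entries


def diff_entries(before: Dict[Key, Entry], after: Dict[Key, Entry]) -> dict:
    """Report products removed, added, or whose state changed between logs."""
    removed = sorted(e.label for k, e in before.items() if k not in after)
    added = sorted(e.label for k, e in after.items() if k not in before)
    changed = sorted(
        (after[k].label, before[k].state, after[k].state)
        for k in before.keys() & after.keys()
        if before[k].state != after[k].state
    )
    return {"removed": removed, "added": added, "changed": changed}


def enabled_products(entries: Dict[Key, Entry], kind: str) -> list:
    """Names of products of one kind that the log reports as enabled."""
    return sorted(e.name for e in entries.values() if e.kind == kind and e.enabled)


# Lines copied from the post above (DDS log first, then ComboFix log).
DDS_LOG = """\
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
"""
COMBOFIX_LOG = """\
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

if __name__ == "__main__":
    result = diff_entries(parse_entries(DDS_LOG), parse_entries(COMBOFIX_LOG))
    for section, items in result.items():
        print(section)
        for item in items:
            print("   ", item)
    print("enabled AV in ComboFix log:",
          enabled_products(parse_entries(COMBOFIX_LOG), "AV"))
```
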

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please turn off Windows Defender and leave it turned off. As you can see it is virtually worthless and it can interfere with fixes attempted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy to help. Safe Surfing!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes that is the log and as you will see there the files removed were LeagueOfLegends files the others were trojans.
Update MBA-M once more and run another full scan with it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good. Now you absolutely, positively must get some good security programs on that computer, otherwise the next time you won't be so lucky. Without real time security programs on there you are guaranteed there WILL be a next time.

Keep MBA-M. It does NOT have real time protection but it is top of the line in removals. Use it at least once a week to do a Quick Scan. UPDATE first before each scan. If the Quick Scan finds something then have it remove whatever is found, reboot, update again and do a Full Scan immediately and of course have it remove anything found and reboot. If the Quick Scan finds nothing then you are done.

You can delete DDS Scanner and the TDSSKiller, you don't need them anymore. Uninstall that AVG Security Toolbar via Add/Remove, it is worthless.

Next here are the security programs I use all are FREE and offer superb protection. You can use these or make your own choice but you are putting your computer at great risk without real time protection, as you have seen.

For an antivirus program I use Avira 2012 Free. Easily configured and it does a great job.

Follow these instructions for install and configuration:

Download the install package from here:

http://download.cnet.com/Avira-Free-Antivirus-2012/3000-2239_4-10322935.html?part=dl-&subj=dl&tag=button

Click the GREEN Download Now Button to get the executable install package, save it wherever you can easily find it, I chose My Desktop.

Before you begin the …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, good. Are you still getting the IE pages opening?

jholland1964 650 Posting Expert Team Colleague Featured Poster

That is not the log from Combofix; it is the Quarantine file containing what was removed by the running of Combofix.

It shows the only program removed was League Of Legends.
The Combofix log is located here:

C:\ComboFix.txt.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run this tool next and post back with the log.
Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly, I have no idea what it is that you are asking. Your attachment shows only a tiny icon that says PetrolPump which means nothing to me.
If you believe your computer is infected then you need to follow all the steps given in our Read Me First sticky and post back here with Copy/Pastes of all the logs produced. Do Not Attach any logs, Copy/Paste them please.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

After you post all the requested logs then we can better tell what else needs to be done.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I see some very glaring problems in the logs.
1. This is obviously essentially a brand new computer but you don't even have the very basic security programs installed on the computer. No anti-virus program, no firewall at all. With the exception of a minor listing for an AVG Security Toolbar, which is essentially worthless, your computer is totally unprotected.

2. Your Malwarebytes' Anti-Malware program, MBA-M, is grossly out of date and therefore it was definitely not updated prior to the scan, so when the program scanned it did not scan for any infections discovered in the last 18 months. Your log shows version 1.46, which was released in April 2010, so you are 18 months and 4 program versions behind. The most current version, 1.51.2, was released September 12, 2011. The definition database shown in your log is 7430 and the most recent database is 8050. MBA-M releases definition updates multiple times a day and this is why the instructions for its use include the instruction
"Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version."

This should be done before each and every scan done with MBA-M, even those run one right after the other.

3. The very first instruction given in our Read Me First Sticky is this one:
"1A – Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have never seen this result using combofix, "All folders inside /c/programs files(x86)...Folder marked for deletion"
I presume then you have no combofix log either.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please follow all the steps given in our Read Me First sticky and post back here with all of the requested logs.

Please Copy/Paste ALL of the logs. Do Not Attach them as we will not open attached logs.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!