jholland1964 650 Posting Expert Team Colleague Featured Poster

You still have infection on there. Let me get one of the other Mods to take a look and one of us will get back with you.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

They BOTH need to go ASAP. Even though that NamiRobot was supposedly removed it is still listed in your HJT logs, so there are some remnants. The other one is most definitely malware and also must go.
Uninstall both, do a file search for any remaining parts and then update MBA-M again and do another Full Scan with it. Have it remove everything it finds.
Also clear all your temp files, cookies, etc. before you do the scan. Reboot following that MBA-M scan and do another HJT scan and post both logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Lordy, glad you caught that...it just totally slipped my mind! Glad you were paying attention!
Let's back up here...do you know what these two programs are?
Baidu Hi
NamiRobot

Most of the infected files were located in Baidu Hi and can find no info on the NamiRobot

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks, it wasn't that I didn't believe you; I needed to know exactly what was happening.
I would like you to follow the following instructions exactly as given. Read them all very carefully before you proceed:

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts. Sometimes if you are using Windows Vista you may receive a UAC prompt asking if you would like to continue running the program; you should press the Continue button.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Once it is complete run a new HJT scan and save the log. Post back here first with the Combofix log and then …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, the program did find the infections and remove them and I used Internet Explorer as instructed. But when I try to go into C:\Program Files\ it wasn't there.

Also I said my notepad, workpad and microsoft are all not working because they seem to be removed by the infection.

Ok, sometimes it doesn't save the log. If the above items were removed then how did you post the logs? In other words, how were they displayed to you as they are displayed in Notepad.

Which Microsoft program do you mean was removed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did it find infections and remove them? Were you actually able to find the file by going into C:\Program Files\ ?

I don't understand when you say that my notepad, workpad and microsoft are all not working because you have been able to post all the other logs and they all would have first been in Notepad.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Why can't you access the ESET log? It should be located at
C:\Program Files\EsetOnlineScanner\log.txt

jholland1964 650 Posting Expert Team Colleague Featured Poster

Be sure to check the Windows Security Center and be sure it is working. Definitely get a new AV program the one you have could have been damaged by the infection.
Also add SpywareBlaster for additional protection. It is free. Download, install, update and Enable ALL protection and close the program. Check manually for updates every couple of weeks. It doesn't update often but be sure you keep checking.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How are things running? Couple of things here, that AVG8 is out of date, there is a new version. I would recommend uninstalling it and going with a higher ranked free av program like Avira or Avast.

Check also in your Add/Remove to see what version of Java you have on there. Current version is 6 update 18. If you are not running that one you need to first download the Offline Install file for the newest version from HERE and save it to the desk top. Then close all browsers and go to Add/Remove and Uninstall ALL old versions you find there. Once those are uninstalled then go to the Install file on the desktop and double click to install the new version. Watch the install progress as they very often include tool bars that you don't want, if you see one of those listed please remove the check mark next to it so you won't get one of those. Once the program is installed then go back to the download page and click Verify Now on the right side to go to the verification page to assure the install was complete.

I would also like to see the original MBA-M log. Open the programs and go to the Logs tab and open the first log that had the removals in it, copy/paste it here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have a flash drive with some backup data plugged in. Could that be the reason?

Yes, most definitely the backup data may very well be infected. I hate to tell you but you really should clean out that flash drive completely, even though you will lose backup data, there is no way of knowing exactly what is infected on there but it should go to be safe.
The second thing, if I am reading this correctly, these 4 computers are networked together. You need to remove that networking for now and work on only ONE computer and get it clean. Install all new copies of the software you use, don't use backups if at all possible.

After that one computer is clean then, don't network it to others but pick another and get that one also clean, and so on. After all computers are clean is when you can then network them together.
Looking at the DDS scans there are unknown files running on both of those logs, are these from two different computers or did you just post the log twice?
The files showing as running when the scans were done and which are unknown for sure are:
C:\Documents and Settings\XPUser\My Documents\Downloads\qby679ys.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\78tr28.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\k6mdsXP.exe

The MBA-M scan is obviously not correct because it shows a full scan was run but the number of Objects scanned: 114758 but it only took 12 minutes to run. This cannot be correct. A full scan …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your log shows signs of definite infections. You need to do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the Computer

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would recommend that you follow the steps given here
http://www.daniweb.com/forums/thread134865.html

Post back here with all the logs generated by running those programs. Be sure you follow all the instructions exactly as given.

jholland1964 650 Posting Expert Team Colleague Featured Poster

many viruses and malicious present on my computer

Begin your own thread. This one is two years old and you won't receive help within somebody else's thread. We need full information, operating system, anti-virus program, firewall and how do you know you are infected.
Follow the steps given here and then begin your own thread with all requested information and required logs and you will receive help, until you do that you cannot be offered assistance.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You mean you cannot open your regular home page or the home pages of those two accounts? Neither browser will go to those pages?
Try clearing the internet temp files and cache on both browsers.

What firewall are you using? If it is both browsers sounds as if those pages were blocked by a third party application...firewall, spybot, spywareblaster, browser restrictions.
Doesn't really sound like an infection to me.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The HiJackThis version you used is at least two years out of date. Uninstall it immediately.
Please follow these instructions as given on bleepingcomputer. This is the accepted way to remove this infection followed on many, many forums:

They have worked very well and hopefully they will work for you. These work best when done using a USB flash drive to carry these programs to the infected computer. If you don't have one I recommend that you get one, they are not expensive.
From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files to a USB flash drive.

Malwarebytes' Anti-Malware Download Link

FixExe.reg

Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them

On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.

Now open the drive that corresponds to the removable media that contain the removal programs. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.

Now …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Obviously either all of the infection was not removed the last time, or your McAfee program was damaged by the first infection or you have unwittingly visited some dangerous websites. I think it may be all of the above.
Let's start by trying to remove this xp security tool 2010. These are the instructions which are pretty standard and are given on bleepingcomputer and other sites as well. They have worked very well and hopefully they will work for you. These work best when done using a USB flash drive to carry these programs to the infected computer. If you don't have one I recommend that you get one, they are not expensive.
From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files to a USB flash drive.

Malwarebytes' Anti-Malware Download Link

FixExe.reg

Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them

On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.

Now open the drive that corresponds to the flash drive that contains the removal programs. Once open, double-click …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry you are having problems again. I have to admit, I probably jumped too soon saying the thread was solved. One thing I didn't have you do was Uninstall Combofix and this definitely should have been done. So please do that now by following these instructions:
* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Now with that done, I need to ask you why you felt you had to reinstall MBA-M? It should have still been on the system. It is a program you should have kept and continued to use. When did you uninstall it?

You most definitely have trojans on there and they did not show in your last logs.
Please look for the MBA-M program in Add/Remove and see if it is still there.
If it is please Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).
Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to)
Download a randomized renamed mbam.exe version from here.
Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder on the infected PC and launch the renamed file.
Then malwarebytes should run. Update it and then do a Full System Scan with it. Have it Remove Everything …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You show Malwarebytes' Anti-Malware already ON the computer. Did you run any scans with it? HJT isn't a cleaner program, it essentially gives a picture of what is running on the computer and basically what programs are set to run at start up.

Turn off the following programs and leave them turned off.
Spybot - Search & Destroy TeaTimer
Registry Mechanic
TheStubware
Then update Malwarebytes' Anti-Malware and do a full system scan with it. Have it remove all it finds, reboot and post back here with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know you have posted this question, word for word including

Sorry, I accidentally posted this before in the Windows NT-2000-XP forum. This is where it belongs.

on multiple forums.
Don't you think this is a bit much?
I will give you the same answer you have received on many of those forums, which is the correct answer, virtually any anti-malware program will run from a flash drive.

jholland1964 650 Posting Expert Team Colleague Featured Poster

bullet89, this thread is 9 months old. You need to begin your own thread, with your log and clearly state all the problems you personally are having, not just

ive got the same problem with firefox,

that tells us nothing. Create your own thread and somebody will be happy to provide assistance.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

How are things running?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have to see that Malwarebytes' log in order to know exactly what was removed. I also need to see a HiJackThis log to start with also. If you have access to a flash drive you can move these from the infected computer to the one you are using and post them here that way.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You obviously have another computer since you are posting here. Please get that log from the infected computer and post it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Saying same problem as somebody else doesn't tell us anything. We need full information about your own computer and problems. Operating system, what programs did you run to fix your problems and we need to see all the logs produced by these programs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need full information here...operating system, av program, when does this error occur, how long have you been receiving this message, what have you done to correct it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I copied this into notepad and saved it as a .reg. When I double click on it I get an error that says "....the file is not registry script. You can only import binary registry files within the registry editor"

What am I doing wrong here?

I honestly think I gave you the wrong answer. Sorry. Try this:
Go to Tools and select Manage Add-ons.

Then select Search providers.

You'll see Microsoft Live Search and whichever options you chose during install. If that was Live Search, that's all you'll see.

Now click Find more search providers.

You'll get a list of various options. Press "Add to Internet Explorer" to add the providers you want. Each time you'll get the option to make it a default search provider, and include terms in the suggested search terms. If you don't see your favorite, scroll to the bottom and click "Create your own search provider."

Now open a new tab, and enter the URL of the search engine you want to include. Search for the word TEST in all capital letters. Copy the URL of the search results page by highlighting it and pressing the "Windows" and "C" keys at the same time.

Now click back to the tab that says "create your own search provider." Use the "Windows" and "V" keys to paste the URL you copied earlier into the box marked URL. Then give the search engine a name. And press Install Search Provider. …

jholland1964 650 Posting Expert Team Colleague Featured Poster

try to download and run this:
http://www.indowebster.com/FixExezip__1.html

this is not needed poster has removed infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yahoo is NOT my default search engine, google is. How do I fix that?
Thanks Judy.

Open notepad and copy the below code in it :

Code:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"

Now save this file as a registry file where you can easily find it, desktop is good. Give it any name and keep its extension as .reg. When saved, quit notepad and double click on this file, click on yes to add the registry entry. Reboot your machine
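
An added example, not part of the original posts: a text .reg file has to begin with a header line (`Windows Registry Editor Version 5.00`, or `REGEDIT4` for the older format), and regedit rejects a file without one; the block quoted above has none. This Python check looks for that header and lists every key and value a .reg file would change before it is double-clicked. The function names are hypothetical and the sample is the block above, embedded inline.

```python
import re

# Header lines regedit accepts as the first line of a text .reg file.
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# Sample input: the registry block from the post above, copied as posted.
PAGE_SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"
'''


def audit_reg(text):
    """Return the header found, each change the file would make, and problems."""
    report = {"header": None, "changes": [], "problems": []}
    # Join continuation lines (long hex values end with a backslash).
    joined = re.sub(r'\\\r?\n\s*', '', text.lstrip('\ufeff'))
    lines = [ln.strip() for ln in joined.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(';')]

    # The first non-blank, non-comment line must be a valid header.
    if lines and lines[0] in VALID_HEADERS:
        report["header"] = lines.pop(0)
    else:
        report["problems"].append(
            "missing header line; regedit will refuse the import")

    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # "[-HKEY_...]" deletes the whole key
                report["changes"].append(("delete-key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            report["problems"].append("unparsed line: " + line)
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        action = "delete-value" if data == "-" else "set-value"  # "name"=- deletes
        report["changes"].append((action, key, name, data))
    return report


def machine_wide(report):
    """Changes that affect every user of the machine, not just the current one."""
    hives = ("HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT")
    return [c for c in report["changes"] if c[1].split("\\")[0] in hives]


if __name__ == "__main__":
    result = audit_reg(PAGE_SAMPLE)
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    for action, key, name, data in result["changes"]:
        print(action, key, repr(name), data)
    print("machine-wide changes:", len(machine_wide(result)))
```

The same listing is worth reading for any downloaded .reg file before importing it, since the import applies every entry at once.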

jholland1964 650 Posting Expert Team Colleague Featured Poster

I only asked if your default search engine is Yahoo. That is showing in the HJT log. No biggy, just was going to have you fix it if it wasn't.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes I assume to the network name, you didn't answer the Yahoo search question.
You asked how this computer got this...I don't know, probably a drive by but cannot say for certain. What it was exactly was Trojan.Zbot here is some info on it:
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

One thing I would recommend is that you install, since you have been having continuing problems over the past few months SpywareBlaster on all your computers. It will at least keep out some of the nasties and also has a good restricted sites portion that keeps the user from even going to sites on the list. It's a great program, FREE, doesn't run in the background and does offer superb protection against spyware, adware, browser hijackers, and dialers. Simply download, install, update and then Enable All Protection and then close the program. Do this on all of your network computers. Manually check for updates weekly and when they have updates download, install and enable.
Also I would recommend that you update and run the AV program on all machines in the network and the same goes for MBA-M. Just to be sure all are clean.
Otherwise, looks good to me. If you feel all is fixed you can mark this one solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Is your local network of computers on a network named kafka?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, there is no log generated. What it does is remove those bad host entries and puts it back to the MS default host. No log generated there. Just wanted to be sure you ran it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What about HostXpert? You do show two bad sites in the hosts file in the DDS log. Known hijacker.
Are you using Yahoo search as your search engine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download HostXpert and run it. When it opens, click on the Restore MS Hosts button and then exit HostsXpert.
You have some out of date programs on there, Java is one. Current version is 6 update 18. You need to download a new copy from HERE, choose offline install and save it to the desk top.
Then close all browsers, go to Add/Remove and uninstall the two old versions showing there. Once they are uninstalled then double click that install file on the desk top to install the new version, watch the install, very often it will give you extra toolbars, like yahoo. There is a check box on there with the check mark already in it for anything extra, remove those check marks. Proceed with the install and when it is complete go back to the download page and click Verify Now to go to the verification page to be certain the install was successful.

Download and run a Full System Scan with HiJackThis. Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A simple google search is going to give you all of these answers if you are willing to do it.

you CAN run 2 scanner-only antispyware apps at once.

You can run any number of scanner only antispyware apps on the same computer. Common sense will tell anyone they cannot be actually scanning at the same time. But they are only running during scans so there would be no conflict with each other.

But should you not run 2 real-time-protection antispyware apps at once?

You can try it. Some do conflict with each other. I have never found good reason to run any.

why can you run one antivirus app at the same time as a real-time-protection antispyware app?

because they are not looking for the same things or looking in the same places essentially.

Do all antispyware that offer real-time protection constantly run in the background

yes, again common sense tells you this. Sort of a silly question.

Do they all also offer manual and/or scheduled system scans?

No, another silly question really. Have not found a program which offers scheduled scans that doesn't offer manual scans. Generally also those with options to schedule scans are paid programs. Free ones most often do not.

Again, learn to do some searching on your own here, "google is your friend". You have asked these same questions using different words but essentially the same questions, multiple times, here and on multiple other websites and generally have gotten the same answers each …

jholland1964 650 Posting Expert Team Colleague Featured Poster

The MBAM was run with a fresh update so that log was with current updates. I will run another in the morning and post log again. I will also post and attach the other logs once run. Thanks for your help Judy!!

PP, this is one of the terminals that had some trouble in the past. Has been fine since.

I really appreciate all the help everyone offers on their own time here. You guys are a savior for sure!

Scott

No Scott it wasn't updated. It shows:

Database version: 3510

That is the install database. The current database from today is 3838. Remember, I told you not to reboot if MBA-M asked you to, so you didn't. That was the correct thing, not reboot but just run the scan. But you need now to update MBA-M and run another Full System scan just like before, have it remove what it finds and then reboot and do the DDS scan. Post back with both logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey PP! You're right, I should have shot this past you. I guess I got too excited.
So is it safe to assume that I am good to go or should I produce more logs?
Any clue how this might have been downloaded?
Thanks
Scott

Lordy no Scott, no way are you done. The MBA-M program is way out of date. You need to update it and run another full scan with it. Have it remove all found and reboot. Post back with that new log.

Then you also need to do the DDS by sUBs scan by following the instructions below.
Be sure to follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

• Copy&Paste the DDS.txt into your post.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good! Can you now get online with the affected machine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Fantastic. Will wait for the log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

New rule DON'T click anything! There are some of these nasty items now that only need the click to install, even if it is clicking to close. So no clicking.
Download the rkill to a flash drive. Take them to the infected computer and put them on there that way. This requires no internet access so that shouldn't figure into this. Plus, it may be if you can stop the processes using rkill then internet access would be restored. If it isn't just try to run MBA-M without the update. If this doesn't work, let me know.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, since you are pretty much "frozen" out of everything it cannot hurt to try this:
It is a tiny little program called rkill which maybe can stop whatever process is stopping You from doing anything. It sure can't hurt things any worse than they are right now.

You very likely will have to do this by downloading these files, putting them on a flash drive and then taking them to the infected computer and putting them on the computer from there.

Here are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan:
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.pif
BE AWARE that some AV apps will give you an alert when you try to download RKILL.PIF. It may warn you that the PIF file was an executable (normally PIF files are not). Just ignore the warning.

I would recommend downloading them all and try each one until one of them loads.
Double-click on the rkill.com in order to automatically attempt to stop any processes associated with whatever this may be. Please be patient while the program looks for various programs and closes them. When it has finished, the black window will automatically close. Do not reboot your computer at this point, or the programs will start again.
Then try to open MBA-M, update it and then run a Full …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you know if he clicked on it, or did it ask him to click to clean or whatever? Just trying to narrow down what this might be.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly without knowing what that pop up was we don't know. Does sound like a drive by of some kind but would help to know what the pop up said. Did it look like an anti-virus pop up?

jholland1964 650 Posting Expert Team Colleague Featured Poster

The user? This is not your computer? It would help to know what the pop up said and what the user was doing at the time.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need a lot more information. What operating system are you using? When did this begin? Have you downloaded any new programs lately? Updated any hardware or added new hardware? Does this also happen in Safe Mode? If you don't know, try it and see.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi welcome to daniweb,
Try this:
Now this really works better if you can do this using another clean computer and a flash drive. The file should be downloaded to the flash drive and taken to the infected computer. I am not certain this will work downloading directly to the infected computer as the infection may try to stop it but you can try.
Download FixExe.reg

Double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.
Then you should be able to update MBA-M and run a full system scan with it. Have it remove all that is found.
Reboot if it says it must. Post back here with that MBA-M log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You didn't uninstall any of the My Web Search items, they are still showing in the Uninstall list and also in the HiJackThis log. MyWebSearch is KNOWN malware.

How many programs showing in that Uninstall list were downloaded via P2P? Any that were also have to be suspect programs and should be removed. Also any music, videos, games obtained via P2P should also be deleted. Not saved someplace else, but actually and fully deleted. Any one of those items could contain an infection, especially judging by how outdated various programs are on the computer, allowing for a greater chance of infection.
Firefox is out of date, java is out of date, Adobe Reader is out of date, your Norton program is 2006. Do you think it may be out of date since this is 2010 and they don't offer updates for 2006 anymore? XP itself is out of date
Please remove any and all of the above, and AFTER all of those removals do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Spyware Guard 2008 and Spyware Guard 2009 ARE infections and have no relationship with the actual product SpywareGuard from Javacool. As they say on their own page about this product

If you are worried about potential compatibility issues with SpywareGuard, we recommend that you download SpywareBlaster instead - our no-nonsense, polished anti-spyware solution.

There's your answer, straight from the developer. Stick with SpywareBlaster.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have two anti-virus programs on the computer, Norton/Symantec and AVG. This is a no-no. The absolute rule is only one anti-virus program to a computer. You need to uninstall one of these.
You have a tremendous number of suspicious unwanted programs installed on this computer, many no doubt due to P2P file sharing which is evident also.
You need to uninstall all of the following programs, if needed do so in safe mode and please UNINSTALL via Add/Remove don't just delete them, this will not uninstall them.
Either Norton or AVG 8.
MyWebSearch and any other programs associated with FunWebProducts
Zango
Ares
uTorrent
and any other P2P program you may have on the computer, Limewire, etc.
either Norton or AVG 8.

These must all be uninstalled or we cannot go forward.

After you have uninstalled all of these programs please post back with a new HiJackThis scan log and also an Uninstall List generated using HiJackThis. To do this do the following:
On HiJackThis click the Misc Tools button.
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply