Posts by jholland1964

Do you have a way to do a HiJackThis scan on the machine and transfer the log to the machine you are using and post it here? Have you tried Safe Mode with Networking? There may be some infected files still lurking there stopping your access.

You're welcome. Are all problems fixed? If so then you can mark it solved.

UNINSTALL Norton absolutely!!!! This is also one reason for your infections...two anti-virus programs running at the same time will not increase protection because they fight each other. Uninstall Norton and then try a couple of those online anti-virus scans again. I cannot say the infections are gone because the only scan run was MBA-M and SAS. We really need to see an anti-virus scan or two because MBA-M and SAS don't look for the same things as an anti-virus scan. Some things do over lap on searches but each security scan looks for something slightly different.
Go via Add/Remove to Uninstall ALL Norton AND Symantec files. Then run the Norton Uninstall Tool to be sure everything is gone.
THEN try the online scans again and see what happens. THEN post the logs and do a NEW HJT scan.
Rebooting for all of these steps may be necessary, if so please do so.
When all is complete then run a new HJT scan and save the log. Post back with all new logs.

You can not count on being prompted to install anything. You have to have Automatic Updates fully enabled for sure. But with a reformat you cannot count on that, and obviously these ARE NOT on the computer or you wouldn't have gotten those notices from the Trend Housecall scan. It's a pretty thorough scan, if they had been there then they would have been detected.

Just a quick "look through" on this log and I see immediately that you are running TWO anti-virus programs. Symantec/Norton and AVG8. A BIG No-No. Both ARE showing as running in the Running Processes.
One of these MUST be Uninstalled Immediately. Not deleted but UNINSTALLED. The choice is yours. If you PAID for Norton and it is current then Keep it. If you did NOT pay for Norton but either got it for free via your school or whatever then choose...AVG or Norton. BUT NOT BOTH.
Same goes for firewalls, if you have two running, Uninstall one of them.

Another thing showing in the Top portion of the log is this computer is NOT fully updated. You are running XP SP2....SP3 has been available for a year and a half almost. You are still using IE6, IE7 was released TWO years ago. Heck, IE8 (which I don't recommend) was released for general use in March of this year.

I asked you if you did the critical updates of the system because the Detected vulnerabilities from the Trend Housecall scan that you posted ALL refer to Critical Updates which SHOULD be on the system and ARE NOT. A reformat erases all files, necessitating the install of the operating system to the point it was when purchased, period. THEN in order to bring the system up to the CURRENT security level available ALL Critical Updates MUST be installed BEFORE adding anything else...new hard ware, software, printers, scanners and yes EXTERNAL drives. One very simple means of infecting a computer is Not having these Critical updates. They don't call them Critical for no reason...Critical means absolutely needed, not "might be needed" but absolutely needed. The Critical updates ALWAYS refer to security issues and most definitely should be done. You said it was likely you didn't do these before adding the external drive, this Trend Housecall scan shows they were NOT installed and have not been installed yet. So your ENTIRE system is WAY OUT OF DATE.

You said you want to install Windows 7 when it comes out, you do know this won't be FREE don't you?

Your HiJackThis log is incomplete. The ENTIRE log must be posted.

#1.Yours does not show any running processes except for HiJackThis, these are KEY items that we must see and there is no way this could have been the only thing running.

#2. It does not show the …

You didn't answer my question either.

You know this thread is 19 days old. You have NOT submitted the logs from the steps I gave you, 19 days ago. The information just posted doesn't tell me WHEN this happened only that it DID happen. While the files found COULD be a sign of infection they also Could have been legitimate files because there ARE legitimate files which have the same name. Just deleting them without knowing for sure could have caused damage to the computer, rather than delete them you should have submitted them. But I have know idea WHEN this happened...21 or more days ago, this morning, last night? I have no idea.
Have you done ANY of the steps I requested? We request these for a very good reason, to help us help you AND to clean the computer.
I can not offer any advice because I have nothing new to look at except a HiJackThis log which now is 21 days old and was 2 days old when you submitted it here.
The slowness of the computer cannot be too much of a problem since you failed to return and failed to do the steps given to you 19 days ago.

Edit: Looking back through 7 threads you have begun in the last 2 years this seems to be very common for you, post a question and NEVER return. If you want problems solved then you MUST stick with it. Nothing can be done otherwise.

Yes, please restore them all prior to the scan.

You said in your title that hotmail is not displaying in IE6 and 7. Did you HAVE IE7 on the computer and roll back to IE6?

Have you tried this page for sign in?
http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1253510713&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US

thank you very much Sir, I will try to understand and go step by step.

You're very welcome.
I will wait to see your logs. If you have any questions don't hesitate to ask. Take each step one at a time. Both are very easy to do, they both DO take some time however to complete, so be patient. Begin with the MBA-M scan. When it is complete then Reboot. Then do the ESET Scan and reboot and post both logs here.

Can I ask you, when you reformatted the hard drive then did you do ALL of the Critical Updates for your Windows program? And If so, did you do all of these BEFORE attaching that external drive?

Not so fast. I need you to download and run a Full Scan with HijackThis and save the log. Post back here with the log and we'll see if anything else needs to be done.

THanks!

I am withdrawing my help on this thread because one of the "tools" downloaded was USBThief - This hacktool goes against everything we in the anti-malware community stand for.
It involves the user's active and "hands on" participation in stealing information from a victim's computer therefore we WILL NOT be involved in assisting what many consider illegal activity.

I need you to do something for me:
1. Click the Start Menu.
2. Click Run.
3. Type in "mbam.exe /developer", without the quotes.
4. Run the same type of scan you did before and save the logfile and post it.

No, you can't do more than one at once AND if THIS is the infected computer then you shouldn't be doing ANYTHING at all on it while the scans are running. That would most definitely slow them down. If fact you should only be using the browser for the scan, nothing else. You seriously need to contact your bank asap. I don't know where you are located but here my bank does have a telephone number in operation 24/7 and 365 days a year for these types of notifications. If I were you I would also contact PayPal and eBay. Not sure of what is required there, as I don't use either, but they should be notified also. Especially if you possibly had these on the system over two months.

Con'tyou do the Word Document attachment of the OLD log. Please Update MBA-M and do a new Developer scan with it and attach THAT new scan ok?

They believe they have it fixed but need to see a log from somebody who was receiving both of these findings. So Update MBA-M...the new database is 2832. So update to that and then do another developer log and attach it ok?
Here are instructions again for getting the developer log;
1. Click the Start Menu.
2. Click Run.
3. Type in "mbam.exe /developer", without the quotes.
4. Run the same type of scan you did before and save the logfile and post it.

Well I hate to alarm you BUT two of the Trojans found are extremely dangerous to your personal files, your passwords, your bank accounts, your credit cards, anything personal like that very likely have been compromised.

Trojan.Banker steals information such as bank accounts, usernames, passwords and credit card details from your computer and sends it to the attacker.

Trojan.Ambler is a Trojan designed to steal passwords from users who run Windows operating system on their computers.

You DO need to contact your bank and any credit card companies you deal with and inform them there has been a information stealing infection on your computer and there is a possibility that your account information was stolen. Do this IMMEDIATELY.

I also would advise that you change ALL passwords on the computer itself, email account passwords, PM passwords, etc.

At least one file was in a temp file so please download CCleaner and run the default scan with it to remove your temp files.
Since your couldn't get the ESET to work try these two;

http://housecall.trendmicro.com/ Scan with IE or Firefox for this one
http://www.bitdefender.com/scanner/online/free.htmlScan with IE only for this one

Also do this online malware scanner;
http://www.superantispyware.com/onlinescan.html IE or FF for this one

Report back with the logs.

You definitely have some malware showing in the log.
You need to look in Add/Remove for a program called shopperreports and if you find it Uninstall it.
You also need to do the following:
Download ATF-Cleaner.exe by Atribune
Save it to your desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

Run a NEW HiJackThis scan and post the log here along with the MBA-M log.

I am very surprised that Norton cannot remove this. It is a very old virus, first discovered over 10 years ago. What version of Norton are you running? Did you attempt to run Norton in Safe Mode in order to do this? Is your Norton program up to date?

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the Computer

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and …

Do me another favor. Can you save this log as a Word Document and attach it here? I cannot seem to get the full log to copy. Thanks!

Obviously when you

saved all my files onto an external hard drive and reformatted my hard drive and reinstalled windows...

you ALSO saved all those infections on that external drive. Then as you said after the reformat of the hard drive, which then should have been clean, and plugged in the external drive these infections began putting themselves back onto the hard drive.
First thing I would recommend, of course unplug this external drive first, then do the following info from BleepingComputer:

Use Flash_Disinfector, by sUBs. Clicking that link will download it to your computer. Save it to your Desktop for easy access.
Then do the following:

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

* Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.

* Wait until it has finished scanning and then exit the program.

* Reboot your computer when done.

Now what this will do is disable the autorun feature of the external drive. THAT is ALL it will do. You WILL still be able to access the drive and Windows WILL see it, it will just stop it from being able to automatically running when plugged in or when the computer boots.
To access …

This thread can be closed.

Thanks! Have sent this onto MBA-M and I will let you know what they come up with. Thanks for hanging in there with me on this!
Judy

Music files can definitely be infected if they were downloaded from the web via file sharing. Really anything can be infected, or pretty much anything.
You need to scan that memory stick too.
The MBA-M scan got rid of a LOT of that Police Pro infection but your MBA-M program is out of date. The current version is 1.41, yours is 1.40 and the current database is 2825 so yours is more than 100 behind. You need to update that program and run it again, Full Scan and Remove everything found. Save the log. Reboot. Then run HiJackThis and post the log here.
And please DON'T attach logs but copy/paste them into your post.

You know waiting 6 days between completing steps has done nothing but complicate things as you can see. This thread is now 28 days old. I have no idea what you have been doing for this 28 day period, except ADD new infections. If you want a computer clean you have to follow steps as fast as possible AND NOT use the computer or at least go online with it without doing the clean up steps first.
I didn't say you HAD to remove TeaTimer via Safe Mode, only if you couldn't do it another way. You don't say that's the reason so I have no idea why you attempted safe mode.
But that is past now.
In order to run MBA-M you need to do the following:
locate and rename mbam.exe to mbam.com

Click on the renamed file to run it and then perform a quickscan.Allow it to delete what it finds and then allow the computer to reboot.

This will allow MBAM to run and remove the rogue install + repair the hijack on the running of other exe files.
After this is complete then don't forget to rename mbam.com back to mbam.exe. Post the log here.

Update to the previous "Solved" thread on this issue.

I attempted to just add on to the same thread for the same problem but was told it was solved.

So here goes.

Does anybody know how to solve the SAME problem if one is only able to boot to Windows > Dos Prompt ?

Being that windows only boots to wallpaper (error in explorer) etc. and am unable to install, run programs etc. From the dos prompt I am able to scandisk the C drive, make my way around most if not all the dir's (I didn't waste time with evey dir). And all of the software recommended assume one has Windows booted and running semi-normally - I'm at a loss.

We need more information here. Asking how to solve the SAME problem doesn't tell us what the "SAME" is. We can assume you mean the infections noted in your title but other than that we know nothing except that you cannot boot the computer. We don't know your operating system, what steps you took to remove the infection or even how you know that these are what you have. Skipping steps as you say you did is not the way to run any operation, whether it is scandisk or a removal program. They are there for a reason and skipping them doesn't help and in fact many times can make matters worse.
Please post back with more information and somebody will be happy to try to help, at …

Well, if this also involves a flash drive then it is very possible IT is infected also and should also be scanned, or totally cleaned.

yes its a external with loads of shit on, it was not connected when i had the original problem but thought it best to scan anyway. i have no more avast warnings popping up at present.

Even though it was not connected when you first got the warning it obviously was/is grossly infected. Do you regularly move files back and forth between the computer and this external drive? Are there P2P sharing files on there? What is it primarily used for?

The bulk of the infections were found by the ESET scanner on "F" Drive. Is this an external drive?

Are you saying that nothing is working? I am a bit leery of that zip drive. How can you be certain there are not infected files saved on that?

Hi Daniweb Community. I've just started getting the error msg "Error loading c:\windows\system32\hedafatu" recently. Does any one out there have a solution for this?

You need to begin your own thread. This one is nearly a year old for one thing and the other thing is you should not post your problems in somebody else's thead. It's impossible to work with more than one poster on a thread.
Start your own, give all the info about your computer, exactly when you are getting this message, what programs you are running when the error message occurs, what steps you have taken to correct it, along with any logs from programs you have run. Then somebody will be happy to offer some suggestions.

They are all showing, Judy - look more closely :)

That rules out any sort of false-positive.
Frankly, MBA-M should remove this, so something is restoring it: either the drive is infected or you have an infected pen drive(s).

There are a number of different ways to attack this - I'm sure Judy or tiger86 can help you on that front.

Best Luck :)
PP

I have never seen a jotti log look like that. No scanner names, just a header Scanner then just dates. 11 lines.

The server is MOST DEFINITELY infected, 7 out of 11 say so. But jotti uses 22 scanners, why are there only 11 showing?

at first avira worked quite impressively but then as soon as my pc started..avira begins giving me warnings that a file may contain code of virus ..and keeps doin this almost infinitely...at first i thought i might be havin a virus..but it want so...hence..i decided to uninstall and get rid of it....

regarding ur link...thanks for it..i l check it and let u know...
thanks a ton

How did you determine that you did not have a virus? Avira gave the warning because of specific markers in that file which indicated a virus. When you get a warning like this that is the reason. Yes, it could have been a false postive and that could have been determined by updating the Avira program, doing a full scan. If the file was still flagged as an infection but you didn't believe it then it is always recommended to do some online scans to determine if this is correct or not. If it IS found to be a false positive then all you had to do was tell Avira to ignore the file and you would not be given the warning again. But users should do further searching before deciding on their own that the anti-virus program is wrong. All GOOD anti-virus programs a designed to work this way. No matter WHAT anti-virus program you install you very likely get warnings like this for questionable files. That is why you should use an anti-virus program.

Your MBA-M program was not updated prior to the scan. Your database shows as 2775 which is at least 4 days out of date. Current database version is 2818.

BUT you must have a major problem there. Your log clearly shows the following;
Scan type: Full Scan (C:\|)
Objects scanned: 4812
Time elapsed: 9 second(s)

What in the world was scanned? No computer only has 4812 files! And NO MBA-M full scan would only take 9 seconds!

I would also like you to do the following, after that developer log.
Right click on your desktop and choose New Folder. A new folder will appear on the desktop.
Go to My Computer. Double click to open. Then double click "C" Drive to open that. Then go to Program Files. Double Click to open. Scroll down until you find the Microsoft Works folder. Double click to open that folder. Scroll through there until you find cpitv11.dll Right Click on it and choose Copy. Then go to the new folder on your desktop and open it. Place your cursor anywhere in there and Right Click and choose Paste. A copy of that file will be pasted into the folder.
Next do the same thing...locate another program folder, this one is going to be located in the MATLAB71 folder. Open that folder. You should see other folders in there this time open the toolbox folder. When that opens there will be more folders. Open the datafeed folder. When that opens you will again see other folders. In there again you should see another datafeed folder. Open that one. This time the file you need to Right Click and copy to that new folder on the desktop is bbdatafeed.mexw32

Close all that out. Hold that New Folder on your desktop until I request it. MBA-M first requested that these be put into a folder and zipped and then sent to them but now they want to wait until …

Can you do the following for me?

1. Click the Start Menu.
2. Click Run.
3. Type in "mbam.exe /developer", without the quotes.
4. Run the same type of scan you did before and save the logfile and post it.

Judy

There is only one on that last log. Just hang onto it for now. Don't remove it from Quarantine yet. I am submitting this info to MBA-M. You may need to restore that ONE. The only removals in question were those in that last scan that had items to remove. None of the other scans are in question. But don't clean out any of the quarantine files yet either. I will get back to you on this one as soon as I can.

Happy to help. If you feel all is well then you can mark this one solved.

WAIT! You are not finished yet. You need to do two more things....

First you need to Uninstall Combofix. This isn't needed anymore
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between the combofix and the /u, it must be there.
When shown the disclaimer, Select "2"

You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.

and yes the symantec was something which was uninstalled previously...

Well at least some of it remains. How did you uninstall it? Via Add/Remove? Which version was it, do you recall?
There is a Norton Removal tool that you can use but you have to use the step given specifically for the version you had on the computer.
It DOES need to come off there.

fabianslo,
You need to go back into MBA-M Quarantine Tab and restore ALL these files removed if possible;
:\Program Files\Microsoft Works\cpitv11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Works\pibase11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

Then go to http://virusscan.jotti.org/en
Upload each of those files for scanning. Report back on what is found for each one.

Did you update Avast and do a full scan, then have it remove or quarantine what it found? That would be the first step.
Then do this;
download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created …

Andrew, you need to begin YOUR OWN thread. State all the problems you are having, the steps you have taken to remedy them and provide any logs you may have from the scans you may have used.
Give us info on the computer...operating system, all security programs you have installed and use and when the problem began. Somebody will be happy to help you on your own thread. It is impossible to work on two different computers on the same thread.

Yes, is this the instructions you used? I don't have Vista so I don't have all these options on the Windows Firewall on XP.
Check out this thread and see if you are following the correct settings there.
http://www.support4vista.com/tutorial/windows-firewall.htm

also take a look at this one
http://articles.techrepublic.com.com/5100-10878_11-6098592.html

and here
http://www.vistax64.com/vista-networking-sharing/56740-configure-windows-firewall.html

Hopefully. But watch where you surf and WHAT you do. Re-read my post about HOW you get infected.

Ok, I am also going to recommend that you download SpywareBlaster, install update and then ENABLE ALL PROTECTION, including Restricted Sites section. It is a MUST HAVE as far as I am concerned, wouldn't run my computer without it. It works on all Windows systems from 98 forward. It is FREE. You must check it manually for updates unless you purchase it. I use the free version. It will do the following:

* Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
* Block spying / tracking via cookies.
* Restrict the actions of potentially unwanted or dangerous web sites.

and it does all this WITHOUT running in the background. It DOES work.

darkrecess, you didn't have MBA-M do any removal. Update MBA-M again and run another Full Scan. This time when it shows what it finds be sure to Select All and then Click Remove Selected. This will clean the infected files. Then reboot the computer and post the new log back here.

Can you tell me first, what the burden was you experienced with Avira, it is probably the least "burdensome" of most of the anti-virus programs today. You are the first one I have heard say it was a burden.
Now, as far as the Kaspersky program, check THIS LINK for info.

As far as your other problems with Task Manager, you are probably correct that this is the result of one of the infections you had or have on the computer. I cannot give steps to correct this because I don't know the infections or what programs you used to remove them