jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, I was away for much of yesterday. Does the computer seem to be running better? Or are you still having problems?

One thing I AM questioning, you said you are using Panda Cloud Antivirus but there are a number of Symantec files on the computer...and running. Is this an OLD anti-virus program that you failed to totally uninstall?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, when you asked me if I'm using a firewall I didn't think of windows firewall.... yes my windows firewall was and is always on.
So I still don't understand why those IPs keep trying to connect to me?? You are saying if I format my windows hard drive, I will still be getting this?? What firewall would you recommend? How's ZoneAlarm?

Who said anything about formatting your computer? But yes, chances are I think you still would be getting these. You can try it if you wish, that is your choice.
No, I wouldn't recommend Zone Alarm, the one I would recommend would probably be Outpost as it also works on a 64bit system. Many don't but this one does. You will have to disable the Windows Firewall when you install another one.

One thing you have to check is the settings in the browsers you use, make sure only 1st party cookies are allowed, 3rd party are blocked.

I believe you mentioned that your router has a firewall but you are not using it? Use it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Look, this has really gotten somewhat ridiculous. We've told you multiple times WHY this is happening, you are supposed to get these notifications with MBA-M Protection Module, it is doing the job it was created to do. But it won't replace a firewall. You are running Vista. It HAS a built in two way firewall, turn it on. No, it isn't the very best but it is certainly better than nothing and with the exception of MBA-M that is all you have. These pages are "calling in" what on your computer is "calling out"? You don't know. Turn on the Windows Firewall and get some additional protection at least. All you have to do is turn it on. Period. You can continue to question these websites forever, it won't stop them, you are running a non-secure computer and as long as you allow this to continue you WILL get another infection that is a guarantee.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It doesn't matter if my browsers are open or not, it still keeps notifying me even when I just turn my computer on and leave it without running anything.

Because you don't have a firewall on there. I say again, MBA-M is not a firewall, you KNOW MBA-M is blocking these. It is blocking them because, as they state in their information

it provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges.

These are ones which are listed within the MBA-M database so it doesn't block ALL.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A question, I don't see Windows Defender anywhere on there, is it on the computer and have you had it turned off? It is fine if you do have it turned off they just need to know if you do have it on the machine.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you do the ESET Online Scanner?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can I ask, are you on dial-up?

jholland1964 650 Posting Expert Team Colleague Featured Poster

here are a few more IPs 89.248.168.63 | 95.211.96.37 | 212.117.164.26

None nice. Why don't you put a firewall on there?
Exactly WHAT webpage are you on when these occur?
Copy paste it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The last MBA-M scan didn't find anything.

And, I haven't downloaded anything except what you guys have told me to and a few powerpoint slides from some of my teachers.

I was on all innocent sites all weekend...or so I thought...

I think I was on Yahoo News when it originally popped up.....?

I'm not going to post your last entire MBA-M log where the infection showed, but take a close look at some of the files it found.....

C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Not that I know that these could have been the images you downloaded, but there were 25 of these.
Did you scan each and every slide you downloaded?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Having similar problems with this...

On boot to normal mode, WPP pops up and does its thing.

On boot to safe mode w/ networking, I just get a black screen.

Any ideas?

darkrecess, this thread is closed. You need to begin your own with all necessary information concerning the computer, the problems you are experiencing and steps you have taken thus far to attempt to fix it.

R1pperZ commented: Great advice, having suffered from this very virus I know how frustrating it can be. +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks! This is an odd happening lately with MBA-M so I have a question going on it over at MBA-M so I will give them this info.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

And what have you selected? Continue or Cancel?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Believe this is an HP computer, correct? Did it come with Vongo? Did you recently install it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

ok, cool. FYI... after every reboot there is a pop up from mba-m about running the program, and I need to continue or cancel

Vitally important that you give me the exact wording of this pop up. MBA-M people will need to know this.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, but Zone Alarm Security Suite doesn't show on your log, only the Zone Alarm Firewall. Maybe you installed the wrong program by mistake.

The Norton file, which is the installer for Norton 360 Security Suite, is showing as a Running Process on your log
C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.3.0.44\InstStub.exe
and showing as an auto starting program,

O4 - HKLM\..\Run: [NSS] "C:\Program Files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.3.0.44\InstStub.exe" /RELAUNCH /RUNONCE /PRODID NSS

So you are going to have to go into the Task Manager and End the process. Highlight it and then Click End Process.

Also see if you can locate the Norton program on the computer. This shows that it probably is located in C:\Program Files and would show as NortonInstaller...
If you find it see if you can delete it.

Then see if you can do the following:
Please download Malwarebytes' Anti-Malware to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start …
jholland1964 650 Posting Expert Team Colleague Featured Poster

You may be using Zone Alarm Firewall and your log shows that it is there and running but no Zone Alarm anti-virus shows in your logs, anywhere. It only shows Zone Alarm Firewall.
If, as you say, you have Zone Alarm anti-virus then why are you trying to install Norton Anti-virus?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Zone Alarm is a firewall not an anti-virus program. What was the program you said you already ran?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have ran spyware and it has not fixed the problem

There is no program called spyware. What program did you run?
You don't show an active anti-virus program on there. All you show is the installer for Norton. But the program is not installed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No... I've been always careful without a firewall and haven't gotten infected for a while already. It's just when I got MBA-M I started getting suspicious why the infected IPs are constantly trying to connect to me. So I thought my computer is infected or something... I have a firewall in my router, maybe one day I'll configure it. This computer is mainly for work so I don't download any stuff on it that might be infected or so...

You have to remember that downloading is absolutely not the only way to get infected. Some of these infections, TROJANS I am talking about, don't necessarily come from downloads that the user initiates; they come from actual web sites themselves.
Here are the common ways that a Trojan will come onto your system as noted on Wikipedia

* Software downloads (e.g. A Trojan horse included as part of a software application downloaded from File sharing networks)
* Websites containing executable content (e.g. A Trojan horse in the form of an ActiveX control)
* Email attachments
* Application exploits (Flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse)
* Social Engineering (e.g. A hacker tricking a user into installing a Trojan horse by communicating with them directly)

So as you can see, the user, personally, DOES NOT have to download anything. Many, many of the trojans we are commonly seeing today …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'm not using a firewall.

Then this would explain at least partially your infections. MBA-M is doing the job it is supposed to be doing but if you had a firewall running on there, ESPECIALLY since you obviously have been using the uTorrent program we several times have recommended removing.
So in essence...MBA-M is the ONLY protection you are running against Online attacks. The anti-virus program steps up pretty much once something has already gotten on to the computer.
Do what you wish, I cannot be a keeper here, but you can thank your lucky stars for these MBA-M alerts because I now firmly believe you would be a lot more infected than you have been if not for these warnings.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I suggest that you read this information about the IP protection provided by MBA-M since version 1.40.
http://www.malwarebytes.org/forums/index.php?showtopic=21076

You CAN disable these notifications but as you will see, it is not recommended. But the choice is yours. Please note what types of programs can trigger these notifications and also that they DON'T mean you have infection on the computer, just that MBA-M has blocked a website.
Also please note that this DOES NOT take the place of a Firewall...what is your firewall?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Go to the Start menu and click Run... Type in "regedit" without the quote marks, and hit enter. Navigate to HKEY_Local_Machine -> Software -> Microsoft -> Windows -> Current Version -> Run or RunOnce. Should look something like this in the path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

Right click on the key (Run or RunOnce -- depending on where the value shows up) and export it to your desktop. Go to your desktop, right click on the registry file and click "Edit". Copy and paste the full entry in your next post.

merlot6767

For the moment, you can hold off on this instruction. MBA-M is taking a look at this. I will get back with you ASAP.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

What is the EXACT, FULL wording of the MBA-M prompts?
Since I don't use the MBA-M paid version I don't have this option but I will check it out for you if I can get the full wording.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Go to the Start menu and click Run... Type in "regedit" without the quote marks, and hit enter. Navigate to HKEY_Local_Machine -> Software -> Microsoft -> Windows -> Current Version -> Run or RunOnce. Should look something like this in the path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

Right click on the key (Run or RunOnce -- depending on where the value shows up) and export it to your desktop. Go to your desktop, right click on the registry file and click "Edit". Copy and paste the full entry in your next post.
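As an added example (not part of this thread or of any tool mentioned in it), the same HKLM Run/RunOnce values that the two regedit-export instructions above ask for can be listed from PowerShell, printed in the HJT-style "O4" form used elsewhere in the thread, and flagged when the executable they point at no longer exists (the orphaned-entry case). The Wow6432Node keys are included because 64-bit systems come up repeatedly here; the function name Get-AutostartTarget is my own.

```powershell
# Added example, not from the thread: enumerate HKLM autostart values and
# flag entries whose target executable is missing from disk.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit entries on a 64-bit Windows live under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartTarget {
    param([string]$Command)
    # The executable is either the quoted first token or everything
    # up to the first whitespace (arguments such as /runcleanupscript follow).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }   # key absent on this system
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # GetValue expands REG_EXPAND_SZ entries such as %ProgramFiles%
        $cmd = [string]$item.GetValue($name)
        $exe = Get-AutostartTarget $cmd
        # Unqualified names (e.g. a bare rundll32.exe) resolve through PATH,
        # so check both the literal path and command lookup.
        $found = $exe -and ((Test-Path -LiteralPath $exe) -or
                            (Get-Command $exe -ErrorAction SilentlyContinue))
        $state = if ($found) { 'target present' } else { 'MISSING target' }
        # Shorten the hive path to the HKLM\..\Run form HijackThis prints
        $short = $key -replace '^HKLM:\\SOFTWARE\\.*\\CurrentVersion\\', 'HKLM\..\'
        "O4 - $short`: [$name] $cmd   <- $state"
    }
}
```

Run it from an elevated PowerShell prompt; a RunOnce value that survives a reboot, or a Run value whose target is reported missing, is the kind of entry worth posting for review rather than deleting blind.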

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks for this log. I have submitted it to the MBA-M people in hopes we can clear up this problem with that entry which should not be there.
For the moment we need to wait on removing anything else to be certain that there is not a difficulty with the program.
Once they determine that then we can go through and stop some unnecessary startups which may be causing your excessive CPU usage.
So I hope you can be patient and know I will get back with you as soon as I hear from the MBA-M people. They are normally VERY rapid in their response when dealing with questionable issues such as this one.
Hang in there, know I haven't forgotten you.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like you to do one more scan, the reason for this is trying to find the reason that this entry keeps appearing in your HJT logs, even though you have rebooted after the MBA-M scans, because it should not be there;

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

So I would like you to generate a Startup List. To do this do the following:
Open HJT. Then click the MSC Tools button, it is the 4th button down.
When that opens click on Generate a Start Up log. This will take about a second for the log to pop open in Notepad.
Copy paste that entire log back here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

fabianslo,
Can you update MBA-M again and rescan just like you did before? Post that log.
If these are found again I may have you do another type of MBA-M scan so it can be submitted to their crew over there for further study.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would really like to see a new HJT scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Combofix from Here or Here

You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desk top. DO NOT RUN it YET
You must take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using …

jholland1964 650 Posting Expert Team Colleague Featured Poster

That MBA-M wasn't updated before it was run. There was a new version released on the 10th, if it had been updated then you would have received it. New version is 1.41 and your database is of course out of date, current version is 2798. Update it again and run the new version.
Frankly I would DUMP as fast as possible Norton unless you are required to use it and go with Avira FREE. I have used it for over two years and have had no problems whatsoever.

You also say you Reinstalled the Norton program....where did you get this program? Was it a NEW download or did you restore from a previously SAVED install file? THAT could be your culprit...odd that the computer was clean and then you put the Norton back on and you have the same infection + some others which weren't there before.

A majority of the infected files were image files...where did you get these?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I wonder if SAS has those keys set for removal on reboot?
Plus, I don't see the HKCR key that it flagged on the scan....
Odd.
Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.

PP:)

Still have found nothing on this at the SAS forum. But I'm like PP, I don't think it is a big deal really. Of course you've tried to remove it and it won't go, but nothing else is picking this thing up and I have seen nothing about it anywhere else as being bad, heck I have found some threads other places where this has been totally ignored when regedits have been suggested. Maybe I am not searching correctly but have found nothing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

g3nX, for the moment leave system restore alone, thus far the affected files have not been located in System Restore. Have you emptied SAS Quarantine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you reboot the system after running MBA-M? I need to see a log showing the items are no longer present. You must have saved the log too soon since it says No Action Taken.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You're welcome. Happy to help!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi there, I too have been infected with the Police Pro Virus. I don't have much time (or patience) to really fix this problem, so I'm just going to reformat my entire computer (it's about time anyways). My question is this, is it safe to copy some of my files and folders onto an external, even though this virus is on my computer? I can't go into safe mode, every time I try to do this I get the blue screen of death. So is it still okay to transfer files/folder to an external, or would that risk the chance of the virus somehow coming onto the external and then back onto the computer after I reformat?

Thanks so much!

Well, I wouldn't do it, but the choice is yours. If you do, each and every file MUST be scanned for this infection BEFORE you attempt to put it back onto the newly reformatted computer or before you use it elsewhere. I cannot say for certain the infection wouldn't go from the computer to the external drive, but judging by a couple threads we've had here already, it can. Recently we had one computer which was totally cleaned of the infection...BUT when scans were done infection was found ONLY on the external drive because the user was transferring files BEFORE doing a clean up. So the infection was then on the external drive which then reinfected the computer each time connection was made between the two. The user would …

jholland1964 650 Posting Expert Team Colleague Featured Poster

It would help us if you had the logs, at least the MBA-M and ESET logs. Is there a way you can get them? Can you get MBA-M to open at all? If you can, go to the Logs tab and copy it and bring it to the computer you are using now and post it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What anti-virus program are you running? Did your school provide this for you or something, is this why you would have to call them? I know you had Norton on there didn't you? If the school GAVE it to you, why not remove it and install a very good FREE one...Avira is excellent as is Avast.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, you need to do one more NEW scan with HJT and post the log. Then there could be just a fix with HJT to do but need to see the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to post much more info. I know you copied your post from a closed thread but remember, nobody knows exactly what symptoms YOUR computer is showing. We also need to know more about your computer. Operating system, antivirus program...etc.
How long have you been having whatever problem it is that you are having? In addition to MBA-M what else have you tried?

Now, MBA-M....your version is out of date. A new version was released last week. The KEY rule with MBA-M is ALWAYS update before each scan. MBA-M has updates, daily, at the very least, sometimes more than once a day. Yours obviously had not been updated in quite a while because the database alone is several weeks old, at least.
You need to open the program, go to the Update Tab and have it update. It will give you the new version and the latest database.
Then run a new Full Scan with it and please follow the instructions we give to all for running MBA-M;
Be sure that everything is checked, and click Remove Selected.
You didn't do that in your initial scan.

Then REBOOT the computer....this is vital.

Then download HiJackThis and run a full system scan with it and save the log.
Post back here with ALL the Information I requested and both of those logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Rocky, you need to begin your own thread on this. This one has been marked solved and therefore you won't receive help in it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

With all due respect, Judy, that sticky post needs to be removed or edited. Stickies are there to be read and followed.

Ok, I agree all of them are out of date and many of the links in them no longer work.

Frustration I guess on my part for three weeks of wasted effort on my part.
I will now bow out.

jholland1964 650 Posting Expert Team Colleague Featured Poster

hi,

i got the method from "Read Me: PC Cleaning Procedures & Detection Tools"....

Have to note something here. There is a WHOLE lot more going on here than you trying to force a Safe Boot using msconfig. I am referring back to your Original Thread concerning these problems which was begun about 21 days ago. Discounting the fact that it was "semi-hijacked" by some ridiculous suggestions by another poster, you yourself didn't follow through in a timely manner, which I noted 6 days ago

Honestly, trying to work on this problem with a week in between each request is virtually impossible...UNLESS...you have NOT been using the infected computer in between. Have you been using it since my last request one week ago?
Just using the computer for normal activities while it still has unresolved problems can certainly compromise everything already done, especially if those problems are the result of an infection.
Are you using this infected computer daily or are you using a different computer for your daily computing?


to which you didn't respond until your post #21 in that thread yesterday. And you DIDN'T answer my question either...was the computer being used all this time?...which is approximately 3 weeks now since the original thread was begun.

PP=I suggest that you ask whoever told you to boot to safe mode via msconfig to help you fix the mess they got you into....

Going back to that original thread,

Salem commented: For saying what needs to be said! :) +36
jholland1964 650 Posting Expert Team Colleague Featured Poster

What I meant, did you do this:
Do the following:
1. Close all open Web browsers
2. From the "Start" menu in Windows, select "Control Panel"
3. Under the "Programs" icon, select "Uninstall a program"
4. Select the program with the Ask logo and the text "Ask Toolbar"
5. Click "Uninstall" and then "Continue" to remove the Toolbar

I have no way of knowing if you did unless you give me the information that it was uninstalled, that you couldn't find it...etc.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks to me like you never rebooted your computer after running MBA-M which is in the instructions that you must do.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you follow all the instructions I gave in addition to the new hjt scan?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have PM'd PP on this one again. Problem is partially your 64bit system. So many tools DON'T work on 64bit. We'll get back with you, probably tomorrow.
Did you ever contact SAS and see if they would respond concerning this?
I HAVE searched their forum and thus far have found nothing about this. Still wonder if it maybe could be a false positive.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Close ALL browsers.
You need to go to the Control Panel and go to Add/Remove and look for Fast Browser Search and Uninstall it IF it is listed there, or for Softomate. These programs are considered malware or spyware.
If you don't find them there then go to C:\Program Files\
and look for the Fast Browser Search folder and also Softomate folder if you find them DELETE them
Once you have done that then reboot the computer. Run a new HJT scan and post back with that new log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do the following:
1. Close all open Web browsers
2. From the "Start" menu in Windows, select "Control Panel"
3. Under the "Programs" icon, select "Uninstall a program"
4. Select the program with the Ask logo and the text "Ask Toolbar"
5. Click "Uninstall" and then "Continue" to remove the Toolbar
Reboot the system.
Run HiJackThis again, save the log and post that new log back here and I will give you additional steps.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please do the full system scan with HJT, not the startups scan.
Don't worry about the ESET scan for now. I may have you try another scan, will wait for the MBA-M scan

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where can I find the HJT download? and is it secure to download and send to the site?
Benny

It is in BLUE on my first post here, just click on the Blue print and it will take you to the download site.
We NEVER, EVER would recommend anything here on this site which was NOT secure to download. Once you download it, save it to your desktop for easy access. (See HJT Install Icon Attachment)
Then click on the Install Icon to Install it. When the Install is done, which takes just a moment, you will then see a similar icon but it will not say Install on it, it will just say HiJackThis.

Once you click that Full system Scan and Save log button then you will next see the scanner working. Once it is finished then a log will open in Notepad. Go to the Edit button, choose Select All. The text will then be highlighted in blue. Then in the Edit button click Copy.
THEN come back here, open a new post, place your cursor within the post and Right Click your mouse and choose Paste.
Then click Submit. Your log will be pasted into the thread.

Please look at my attachments.