jholland1964 650 Posting Expert Team Colleague Featured Poster

Give us an HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You said you ran as Administrator, did you do this by FIRST starting IE as Administrator and then going to the ESET page? This is the way it has to be done.
Do you have Windows Defender? This should be turned off also.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just pull that key out manually, Judy.

PP:)

Can you explain to poster how this should be done? I am NEVER comfortable with registry fixes...as you well know!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Dang! Did it remove them?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, I meant ESET Online Scanner
If you had clicked on my link in my first post, which is the same as I have here, it would take you to the ESET Online Anti-virus scanner.
Then if the name of the program is in Blue then click on it, it will take you to whatever the poster wants you to use or do. Please go back up to my post #6 and follow those instructions. These are the programs which will make sure your computer is clean. The computer obviously has/had infections on it. We don't know yet if it is completely clean. This is why I requested multiple scans. Each scan looks for something a bit different, this is why you cannot rely on just one program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good. Now do the ESET Scan and post the log. Then do the new Full System HJT scan and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You Still have TeaTimer running which can interfere with any fixes attempted. Turn it off and leave it off.
If you have to do this in safe mode then please try that.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer


Please uninstall that old MBA-M program you have on there and download a new one.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware …

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, I enabled it in IE and it appeared in Task Scheduler so I disabled there and disabled in IE again.

Good job.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are using the two year old version of HiJackThis. Please delete that one and download the newest version.

Before you do a scan with the new version of HJT do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT the computer

Then do a Full Scan and save the log. Post back here with that new log and please give us an idea of what problems you are having with the computer and what steps you have taken so far. Then we can better offer some advice.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Wow! This is by far the most embarrassing post I have made. I right clicked and was able to disable the search bar. I sincerely apologise for any time wasted and thank everyone.

However still worried about my programs not closing properly such as Win media player, Firefox and realplayer.:$

Hey, no need for embarrassment, we have all done something like this on occasion and our time was not wasted. We all always learn something with these posts, sometimes it is just the obvious...LOL
For your slow closing programs, does this happen when you try to close them down individually OR is it when you decide to shut down the computer completely and they all are slow in closing.
What version of each slow closing program are you running?
The reason I ask is that you have a lot of unnecessary auto-starting programs, Windows Media Player being one of them. If these all auto-start and then run all the time while in the background while you use the computer then when you DO try to shut down the computer, without turning each one off one at a time, then they are sort of "in a crowd trying to get out the door". I can't say for sure that this is the problem but it very well could be. Each individual program running also uses multiple processes to run so each one of those processes connected to that particular program has to be turned off too.
I …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Alright, I disabled it. Thanks for the easy instructions. So do I still have to remove User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE}.job from the task scheduler ?

Yes, I would just to be safe. After that do the MBA-Scan AND also update your SAS and do another scan with it and maybe that was the culprit. If not then we'll keep looking.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I went to uninstall the program you mentioned, but I don't have it in my programs... is there any other way to find it?

For now just continue on with all the scans, remove all that is found. Reboot after MBA-M. Reboot after ESET. Run HJT and post all the logs. I will look at them in the morning.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have at least one Rogue Program installed on the computer, maybe more. One called AdwareAlert is definitely considered a Rogue Program. It will show a multitude of false positives as goad to purchase; uses out-of-date reference database w/ no update function.
This needs to be Uninstalled Immediately. You have also a multitude of unnecessary programs running at start up and therefore running all the time in the background. This can certainly cause the CPU problems you are talking about. We will discuss those once the cleaning steps are complete.

First thing, AFTER uninstalling that AdwareAlert program is do the following steps and do nothing else while running all of these steps.
Please Download ATF-Cleaner.exe by Atribune
you can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' …

jholland1964 650 Posting Expert Team Colleague Featured Poster

* Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb.
Very first thing I see is you are running two anti-virus programs, AVG8 and Avira. You MUST UNINSTALL one of them. The absolute rule is only ONE anti-virus program should run on a computer.
I am going to recommend that you TOTALLY Uninstall AVG 8. Avira is a much more reliable program, plus it just does not have all the extra bloat that AVG has.
Go to Add/Remove and Uninstall AVG 8. After that you should also run the AVG Uninstall Tool, just to be certain that all is removed.

If you are running Vista 32-bit system then click HERE to obtain the correct Uninstall tool.

If you are running Vista 64-bit system click HERE for the Uninstall tool. You likely will have to reboot the system during the uninstall process.

Be absolutely certain you download the correct tool.

Your Java program is WAY out of date. You are running version 6 update 7 and the newest version is 6 update 16. You absolutely must do this update also. Go HERE and download the Offline Install and save it to the desktop for easy access. Once you have done the download then close all browsers and go to Add/Remove and Uninstall ALL old versions of Java you find there. Once those Uninstalls are complete then go back to the new install file on the desktop and double click to install …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry PP, told I SAID I might have missed something...I did once before:D
It also looks like a Google Deskbar OR Dave's Quicksearch Deskbar which will launch searches from multiple search engines...just throwing out there all I have found since looking at that log this morning and seeing nothing that looked out of the ordinary:)

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know, going back through this thread, reading the logs, not finding anything...one thing I did notice is that nobody replying on this thread, unless I missed it, had you attempt one logical thing; Put your cursor on the taskbar, Right Click, choose Toolbars and see if that Search bar is in there and if it is, is there a check mark there? If there is then remove the check mark.

jholland1964 650 Posting Expert Team Colleague Featured Poster

FYI: msfeedssync.exe is the Microsoft Feeds Synchronization task found on PCs with Internet Explorer 7 and with automatic RSS Feeds synchronization turned ON. This task starts up at the intervals specified in Internet Explorer 7 & 8 and checks for updates to your RSS feeds. This is why I asked about this earlier. It is really User preference and since you have never subscribed to any RSS feeds you can get rid of this PLUS you can turn off the automatic updating of your RSS feeds in the Internet Explorer 7 & 8 options.

Here is how to disable that RSS Feed. It is also known to sometimes slow down IE.
Most people don't use this feature (if you don't know what it is, you aren't using it), and you can turn this off by going to:

Tools->Internet Options->Content->Feeds->Settings and then unchecking all boxes shown in my attachments:

jholland1964 650 Posting Expert Team Colleague Featured Poster

I don't know, can't find it.
Oh there it is User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE} (Description: Updates out-of-date system feeds.) C:\Windows\system32\msfeedssync.exe
One Time - At 8:53pm on 9/11/2009 - after triggered, repeat every 5min for a duration of 03:07:00.
Daily - At 12:04 AM every day - After triggered, repeat every 5min for a duration of 1 day.

That sounds odd to me, though honestly I can't say for sure. But it certainly sounds like whatever it is doing could be your culprit for your constant warnings from MBA-M
See if you can delete it. Reboot and THEN try updating MBA-M...there IS a new version by the way since yesterday, and do a full system scan, removing everything found.
There ARE a number of trojans out there that schedule tasks to constantly "call home" in order to bring in more infections. IF these are the "calls" that MBA-M is stopping then you have your culprit.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those usually are hidden files I believe
Control Panel->Folder Options->show hidden files and folders.

Start>>Search>>taskschd.msc

OR

Click Start
In the Start Search box, type task scheduler. Then, in the Programs list, click Task Scheduler.
On the View menu, click Show Hidden Tasks

If you find that one, delete it and see what happens.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, what does this do?

I don't know. I have seen several threads on several forums that this should be deleted. I wonder if this could be your problem? Honestly I don't know what it is, I could never find a definitive answer, though none said it was necessary, especially if you didn't add it yourself...check your Task Scheduler and see how often it runs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you add this to Task scheduler?

C:\Windows\tasks\User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE}.job

jholland1964 650 Posting Expert Team Colleague Featured Poster

What about MBMA, it keeps popping up that it's blocking infected IPs like every minute?

Then I would believe it. Sounds like a possible hijacker on the computer then. Are these websites you are actually trying to visit? If so, then it is easy, stop. If not then I would say your firewall isn't doing its job either. It should just be able to block them.
But are you running a Firewall? Are you using SpywareBlaster, which is an excellent FREE tool which will also stop this type of thing? But it does it in a way that is not intrusive because it doesn't run in the background.

By the way, I heard that smitfraud fix doesn't work on 64bit computers. Is that true?

I wondered that also and searched a long time before I had you run it. Note that I did NOT have you run in Safe Mode and do fixing. That is why. Many instructions have you skip the normal boot scan and go straight to the safe boot cleaning but I chose not to have you do that because of the conflicting answers I found concerning this.
Many sites say yes AND no, depending on which page you access. Other sites say it doesn't work on Vista at all, but then the very next thread says, download and run Smitfraudfix to your Vista computer. I just knew that the scan would not harm the computer and figured it was worth a try.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am using Windows Vista Ultimate 64bit and have been using SAS for around 6 months. Got it from their website. In the beginning of this week I updated to the latest version. The previous version also detected that infection.

If you will note I said that according to many posts on SAS website there have been many people with various types of difficulties with both of these versions.
Now according to recommendations found on their website it is recommended that a total uninstall of SAS be done, using their Uninstall tool
http://www.superantispyware.com/downloads/SASUNINST.EXE
After this is done then they recommend that a completely new copy of SAS be downloaded and installed from their website and then see if the problems happen again. If so, then really I would recommend that you contact SAS for assistance with this, especially since you have the paid version and you should be able to receive support from them.
I cannot say positively that you do not have this trojan on the system but since none of the other programs detect them then it could be that this is a false positive, especially since the tool designed specifically to detect a Smitfraud infection, Smitfraudfix, did not detect it on your system either.

You can also request help from SAS HERE

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your HiJackThis is way out of date so the log is likely not valid and I hesitate to give fixes based on this out of date program. What version of Windows are you using?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you running a Vista 32bit or 64bit system?

What Vista edition are you running?

Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Business
Windows Vista Ultimate

How long have you had this version of SAS on your system. When did you purchase the program? Did you download it directly from the SAS website?
From what I have found on their forum there have been many problems with actually the last two versions of SAS PRO

jholland1964 650 Posting Expert Team Colleague Featured Poster

The log is correct, but it doesn't show a smitfraud infection anywhere.
Have you tried running SAS in Safe Mode to see if it would remove the files that way?
I have checked throughout their website and have seen these same files noted, though never as Smitfraud. I found no fixes on there either.
Try running in Safe Mode and see what happens.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi welcome to Daniweb,
Please download SmitfraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One more thing. Bitspirit IS installed in my c: drive (actually I just uninstalled it, following your advice).

Yes, I see that now in the Uninstall list from HJT. I just missed it, I'm sorry about that one.

I would recommend that you scan both drives now, just to be safe since that Bitspirit was installed on "C", with your McAfee which probably won't find anything since it really isn't configured to find Trojans like the type you had, though you never know some of them it will. Then also Update MBA-M and do a Full System Scan with it on both drives too. Remove all that's found and save the log.

Also then do the following as an added precaution;
Run the ESET Online Scanner on BOTH drives and attach the ScanLog.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us along with the MBA-M log...even if none of them find anything.
Since you said your McAfee scans every night I would say this scan is happening AFTER the backup is done, it needs to be scheduled BEFORE …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you sure my backup drive is still infected?

I cannot say for sure, this is why I told you that you should do multiple scans of that drive only to be sure that it is not. I am not sure why you are reluctant to do this, especially since you said that all your backups are replaced with new ones each time you back up.
The choice is yours, I cannot offer a guarantee.
Yes, there were multiple infections present, three that I see, maybe four. They all came from the same source, BitSpirit, which is a BitTorrent program and was infected. This brought the others in.

WHEN did you install this program? It NEVER shows as being installed on the "C" drive, at least for the last three months according to the Combofix log. So it was actually installed onto the "F" drive. I believe if it had been INSTALLED on the "C" drive it would have shown, even if it had been Uninstalled at a later date. It never shows there.

There were two files with Trojan.Downloader's in them and another which was a Backdoor.Bot. Backdoor.Bot is a backdoor trojan that can give an attacker remote access to a compromised computer without the user's knowledge. Backdoor.Bot can also further infect computers by downloading additional threats from a remote server. The file removed by Combofix from the "F" drive was AUTORUN.INF, which is a USB worm. USB worms work by creating a …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well there has to be a better way backing up, that's for sure. You really need to maybe stop the automatic backups for one thing. Do it manually AFTER you are assured the computer is clean. Because really what you are doing is backing up infections.
I think one thing you MUST do right now is scan ONLY that backup drive with multiple programs and make sure it is clean.

The OTHER key thing here is obviously there is something you are doing to keep bringing in all these infections. Your security certainly has some holes in it.
Do you download a lot of things...music, pictures, games, etc? If so from WHERE? Legitimate web sites or is there a lot of P2P going on? That is absolutely the EASIEST way to get infected.
You know since I have seen this happen twice now in just a matter of days I really wonder if people are using these backups correctly. I will be honest, I have no way of doing this, I have no external drive. The only thing I actually back up are my personal files...pictures mainly and a few documents but I just save them to CD's . Probably not the way many would recommend but at this point it is what I am limited to doing. Having now seen two computers with backup external drives backing up infections, kind of makes me wonder.
I don't "believe" yours is as bad as the other …

jholland1964 650 Posting Expert Team Colleague Featured Poster

This search bar IS malware. There has to be a way to get rid of it.

pigwink commented: Tried hard +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Looking at ALL the logs again, ALL of the infections appear to be or have been in your "F" drive, none of them have been found on your "C" drive.
Is "F" your backup drive?
I have seen this recently, with a much more infected computer. The person was backing up everything to his external drive BEFORE running his security programs. So the computer would of course be cleaned if there was infection there but the backup drive contained the infections and so would reinfect the computer. Is this how you are doing things?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still honestly see NOTHING in that HJT log. Very strange. Did you try my other suggestions?

Look in Add/Remove and see if there is an unknown toolbar listed there, if so, remove it. Look for yeah and see if anything like that is listed.
Can you right click the taskbar, away from that search bar, and see if there is a notation there for toolbars. If so see if you can stop this.

Only thing I see as "risky" in the HJT log is this entry;
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Padraig\Program Files\DNA\btdna.exe"
Not really a wise idea to have this running automatically at start up, meaning then it is running all the time usually.
I'm not going to get into a big lecture on P2P here, forum policy on P2P is NO to that entirely and must say I agree. It can and often does lead to major infections, some of which the only way to recover is wiping the drive. But don't feel this is that type of case really...though cannot say for sure. Whatever and wherever this searchbar came from it obviously isn't a good place, we both found that when checking out their web page.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just used it for the first time, it went to yeah.com looks nasty, firefox warned me.

Yes it gets a very bad rating via WOT. You obviously have some malware on there.
Update MBA-M and run the Full System Scan again. Let it remove whatever is found. Do the same with Spybot.
Look in Add/Remove and see if there is an unknown toolbar listed there, if so, remove it. Look for yeah and see if anything like that is listed.
Can you right click the taskbar, away from that search bar, and see if there is a notation there for toolbars. If so see if you can stop this.
Update MBA-M again and run a Full System scan with it. Have it remove anything found and save the log.
Reboot. Do a new HJT scan and save the log
Post back here with the two logs

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry but something VERY strange is going on here. Your original MBA-M log, of the scan done on 9/06/2009 showed this info about the MBA-M program itself;
Malwarebytes' Anti-Malware 1.40
Database version: 2747

The most recent MBA-M scan, with the date 9/9/2009 so we KNOW absolutely was just completed says this;
Malwarebytes' Anti-Malware 1.36
Database version: 1945

What is going on here? What happened to the CURRENT version of MBA-M which was used for your first scan? The scan done here with this very old version wouldn't be accurate at all. The new one is 4 versions later and the latest database has 818 MORE items in it. I have no idea why you would possibly have TWO versions of MBA-M on the same computer. If versions are updated you either have to remove the old version first OR the install program will remove the older version. What happened here?

This would also make the last HJT log really useless too.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you save it as just a .jpg and then attach it?
There is a button down below this text box named Manage Attachments.
Click that.
Then when the Manage Attachments box opens click the Browse button to find the file on your computer.
Once you click on that and put what you want to upload into the little window then you click the Upload button. It will then attach whatever it is you wish to upload to your post.
Check my attachments and you will see what I mean.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Let's wait for PP to weigh in on that one, ok?

jholland1964 650 Posting Expert Team Colleague Featured Poster

jholland1964, I don't know what you want to prove. It is the only solution of the above problem and I am proud that I am the first to post it. Better than experts here.

Look I am not trying to prove anything. You didn't even preface your reply with "This is the solution I used to fix the problem", you just posted a registry edit (without explaining that is what it was) which many are uncomfortable doing first of all and secondly if done wrong can really damage a computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I really don't see anything in the log indicating an "unusual" Search bar.
Is there a way for you to get us a Print Screen of it? Maybe that would give more of a clue. If you can do the Print Screen and then Crop everything out except the area where the search bar is located, then upload it here. Maybe it will give us a better idea.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to Daniweb!
Uninstall HiJackThis if it is an old version and download a new one from here if needed. Do the full system scan and save the log and copy/paste it back here and I will be happy to take a look.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

mohitume,
I have no idea what it is that you have posted, an incomplete section of some sort of log obviously. This thread is three months old. You need to begin your OWN thread. State your problems. Give info on your computer, what symptoms you are having and what programs you have run to attempt to correct these problems. Somebody will then help you.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you try in Safe Mode? MBA-M doesn't fully work in Safe Mode but it may get some things if it is able to run.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry it has taken me so long to get back to you. I apologize. I was out of town for part of the weekend and then...just missed your post.
I see parts of Two anti-virus programs there on both the HJT log and the Combofix log. You said you are running McAfee, but there ARE files from Norton/Symantec showing there. You need to FULLY Uninstall this. Norton has a removal tool you should run.
There are also other programs which really need to go also.
They really are unnecessary.
Can you run HiJackThis again but this time get me an Uninstall List and I will tell you which ones need to go.
To get the Uninstall list do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, you are going to have to do the following:

First of all, look in Scheduled Tasks. See if there are any odd ones or ones you did not add yourself. These would be ones which say, run every minute or multiple times or continue...plus with odd names. If you find any Delete them.
Then do the following:
Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).
Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here

Again try renaming it if it does not install. Let me know what happens. One thing that really puts all this at a disadvantage is that you ran that combofix. We have absolutely NO idea what was done by that program because you never did post a log for it. So I am virtually "flying blind" here and I am going to be totally honest, I don't know that any of this will work. But I am trying to find a solution for you.

You never said, when you got the warning from the Windows Firewall DID you attempt to have the firewall BLOCK the program or not? You should.
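
The scheduled-task check asked for in this post, and the 5-minute User_Feed_Synchronization triggers quoted earlier on this page, as an added Python example that is not part of the original posts: it reads a task definition in Task Scheduler's XML format and lists the reasons a task deserves a closer look. Both XML samples are constructed; the 10-minute threshold, the path heuristic and all function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Namespace used by Task Scheduler 2.0 task definitions (Vista and later).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample built from the trigger description quoted on this page;
# the start dates and the Hidden setting are assumptions, not a real export.
FEED_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2009-09-11T20:53:00</StartBoundary>
      <Repetition><Interval>PT5M</Interval><Duration>PT3H7M</Duration></Repetition>
    </TimeTrigger>
    <CalendarTrigger>
      <StartBoundary>2009-09-12T00:04:00</StartBoundary>
      <Repetition><Interval>PT5M</Interval><Duration>P1D</Duration></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Windows\system32\msfeedssync.exe</Command></Exec></Actions>
</Task>"""

# Constructed contrast case: a task nobody added, launching a file from a temp folder.
ODD_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2009-09-11T00:00:00</StartBoundary>
      <Repetition><Interval>PT1M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\Users\Example\AppData\Local\Temp\a.exe</Command></Exec></Actions>
</Task>"""

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Convert an ISO 8601 duration such as PT5M or P1D to a timedelta.

    Month and year components are not handled and yield None.
    """
    match = _DURATION.match(text.strip()) if text else None
    if not match or not any(match.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def review_task(xml_text, max_interval=timedelta(minutes=10)):
    """Summarise one task definition and list the reasons it deserves a closer look."""
    root = ET.fromstring(xml_text)
    commands = [e.text.strip() for e in root.iterfind("t:Actions/t:Exec/t:Command", NS) if e.text]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    intervals = []
    for rep in root.iterfind("t:Triggers/*/t:Repetition", NS):
        interval = parse_duration(rep.findtext("t:Interval", default="", namespaces=NS))
        if interval is not None:
            intervals.append(interval)
    shortest = min(intervals) if intervals else None

    reasons = []
    if shortest is not None and shortest <= max_interval:
        reasons.append("repeats every %d min" % (shortest.total_seconds() // 60))
    if hidden:
        reasons.append("hidden task")
    for command in commands:
        # Triage hint only: a file under the Windows directory can still be malicious.
        lowered = command.lower().strip('"')
        if not lowered.startswith(("c:\\windows\\", "%windir%\\", "%systemroot%\\")):
            reasons.append("runs from outside the Windows directory: " + command)
    return {"commands": commands, "shortest_interval": shortest, "hidden": hidden, "reasons": reasons}


if __name__ == "__main__":
    for name, xml_text in (("feed sync", FEED_TASK_XML), ("odd task", ODD_TASK_XML)):
        print(name, review_task(xml_text))
```

A short repeat interval on its own matches the legitimate feed task as well, so the reasons are prompts for a manual look at the command and its origin, not a verdict.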

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good. You did update it I hope.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If it shows in Processes then it is running. Stop the process and then try renaming the install file on your desktop and try again.
You have two processes showing there....
a.exe and b.exe
Stop both of those; I believe they are infection files.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and then see if you can run it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Chim, you are welcome. Thanks for the kind words. Always appreciated.