jholland1964 650 Posting Expert Team Colleague Featured Poster

You have posted the DDS log twice. It produces two logs, so you need to also copy/paste the second one, labeled Attach.txt. We also need the GMER log and the MBA-M log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Could very well be an infection. Follow the steps given in our Read Me Sticky and post back with the logs.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, like I told you I don't use Chrome so somebody who does will have to answer that. Have you tried renaming it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sabre2th, you need to begin your own thread and not post in somebody else's thread. Please do not run combofix without first being asked to do so. Follow the steps given in our Read Me First sticky and then create your own thread with the requested logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

That's great Jim. Take as long as you want to be sure things are fixed. That's what we are wanting, things to be fixed and you are the only one who can judge that. Keep us posted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not sure what to tell you Jim, perhaps another will have a fix for you. By the way, you asked about automatic updates with MBA-M; auto update is only available with the PAID version, not with the Free version.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try running this to correct the problem with the .exe's
http://www.winhelponline.com/exefix_xp.com

Run that and reboot. Report back with the results.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);

Run the TDSSKiller.exe file;

Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.
Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Jim, your MBA-M program is several years out of date, which is why it didn't find anything. It can't, because it's too old and that database does not contain the proper files to look for today's infections.

You need to update that and run it again. Current version number is 1.51.1200 and current database, as I write this, is 6963, though by the time you read this there likely will have been another one since they release updates multiple times a day.
Since you can't get to Normal mode, instead boot to Safe mode with Networking, this will allow you at least to go online and update that program.
Then run a Full Scan with it, have it Remove Everything found and then Reboot to normal if possible and see if you can use the computer. Post back here with that new MBA-M log.

Also please remove that attached file and copy/paste its contents here. We don't open attached files here due to the risk of possible infection from those files.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Jen, please read the responses I gave to Tex Tech. His advice was WRONG, no matter what the infection happens to be. So ignore what he said.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Nothing in System Restore would stop MBA-M from running because nothing works "out of or from" System Restore. System Restore is locked up until you open it and use it.
Infection processes that were actually running are what caused the inability to run MBA-M. You were able to run MBA-M in Safe Mode because the infection processes were obviously set to run as soon as the computer booted up in Normal mode but not set to run if the computer was booted to Safe Mode. System Restore had nothing to do with it.
In cases like that, infection processes must be stopped prior to the run of MBA-M, either via Task Manager, if you can tell what these processes might be, or using rkill to stop the running process. Then MBA-M should have been able to run, even in Normal mode. Since you could run MBA-M in Safe Mode, the preferred thing to have done at that time would have been Safe Mode with Networking, which would boot to Safe Mode but also allow you an internet connection, and you could have updated MBA-M in Safe Mode and run it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A note for others with a similar problem: Turn off System Restore and delete restore points. Download and install a current version of MalwareBytes. BOOT INTO SAFE MODE and run the malwarebytes. These types of malware will hide in the restore point and reinstall themselves. Once the system is clean, restart System Restore and create a good restore point.

Have to disagree about turning off System Restore. System Restore cannot reinfect a computer unless it is used. System Restore should be left alone prior to cleaning. Should something happen during clean up which would require its usage it is better to have even an infected restore point than NO restore point. Once the computer is clean then System Restore should be reset which will clean out all old points and begin with a new clean one.
Malwarebytes' WILL clean out infected restore points during its run if any exist.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just be careful is all I can tell you. Save your money and get a new computer with LEGAL software on it and get the paper work to prove it!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly you would be better off taking the computer back to the guy who "fixed" it for you, HE caused all this.
I really have no more steps I can give you.
Print out all the logs to show him what HE caused. Ask for your $35 back too!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just follow the other instructions and try to keep safe until you can get a new computer with a REAL Windows operating system and not a pirated version.
That really is the only advice I can give you.

jholland1964 650 Posting Expert Team Colleague Featured Poster

But, most guys here, and all of my friends included, get a pirated Windows for FREE from the person they hire to assemble their machines. Compared to that, 35 dollars seemed a better option at that time. Zero experience has its toll... and I'm feeling it now!! :( :(

Look, I have no idea how the laws work in your country, but the majority of countries do have laws against piracy of software, especially operating systems. Piracy is piracy whether you get it for free or pay $35 for it. Your particular "pirate" was just "more clever" than the others you mentioned; he figured out a way to make money doing it. But you still have a pirated operating system and there is no way it can be updated. You will just have to do your best to watch what you do and where you go, keep everything else updated, and that's all you can do.

jholland1964 650 Posting Expert Team Colleague Featured Poster

This just keeps getting worse.... I'm not going to jail am I?? This whole year, I've only gotten into more and more trouble with my computer!!! I just want some peace really....

Lord no, you aren't going to jail. HE cheated YOU. HE could go to jail if reported I am fairly certain but you are just an innocent buyer. You didn't ASK for a stolen operating system did you? Did you KNOW it was a pirated system when he put it on there?

Did this person actually build the computer for you?

jholland1964 650 Posting Expert Team Colleague Featured Poster

That's what I paid for, 35 dollars for a copy of the original, that "works just like the original" as I was told...
This is something you need to remember...$35 for something that is normally around $200 and it works just like the original...sounds too good to be true..

If it Sounds too good to be true then, 99.999% of the time, it IS too good to be true.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The only way to check if it is a legal copy of Windows XP is to go here and validate it

http://windows.microsoft.com/en-US/windows/help/genuine/what-is-validation?os=winxp

If it is NOT a legal, valid copy of Windows XP then you will not be able to get any system updates. Sorry but that is just the way it works.

If that validation page finds that it is legal then the ONLY place to get those LEGAL updates is directly from the Microsoft Update pages, no place else. Anywhere else will likely infect the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I was referring to this copy that you mentioned in one of the earlier posts.
Do you mean the original copy from which this guy made other copies? Yes, that was legitimate. You just said so in your previous post that he has one or two original copies, from which he sold to us.

I mean the actual Windows XP that is presently installed on your computer. Is THIS legitimate? I am not talking about that one on the F drive. I mean Windows XP that is presently installed on your "C" Drive.

Where did that come from? Did it come with the computer or did this "pirate" install it on there?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you saying the entire system is pirated? I thought it was just some copy he gave you but the original was legitimate.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Of course you can buy a "hand built" computer. Just make sure that the copy of Windows IS a licensed product AND you get the actual disks for it. OR better yet, purchase your own and take it with you when you hire somebody to build you a computer. OR, you can purchase excellent, high quality computers directly from manufacturers, and these DO contain legitimate copies of the operating systems and you get the PAPER proof that they are in fact legitimate.
You can order a computer directly from any legitimate well known manufacturer and they WILL build it to your specifications. I have always done that and have always had very good luck with them. I also always purchased an extended warranty and they have truly been worth it for me with each and every computer I have owned.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you don't want to format that F:\ drive then you need to fully scan that drive only, with multiple scanners, MBA-M, Kaspersky, ESET online scanner to be 100% certain there are no remaining infection "crumbs" on there.

You DO need to update Windows XP to SP3 and you do need to update the Java to version 6 update 26. Otherwise your system IS at risk.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I deleted that copy of Win XP that I had, which showed the infections, and ran a scan again, and MBAM showed no infections.
Not sure what you actually mean by that. You can't "delete" an operating system without a reformat of that drive. Meaning the drive is wiped clean. You have not had the time to reformat that drive since your last post. If you didn't format that "F" disk, then you do need to do that because the infection can still be contained in any other files on there.

I would get a genuine COPY of Windows for $35 dollars
Copy can mean just the general term like a "copy" of a book. Nobody, except the author and the printing company, has the original of a book so each printed book is a LEGAL copy of the original. Your legitimately purchased Kaspersky program is a COPY of the original but it was packaged by the Kaspersky company so it is a legitimate genuine copy of the original. What HE did was copy the one HE purchased and sold THAT copy to you and likely others. If he paid $200 for it FROM Microsoft and then made copies and sold those to 6 people he got his money back and "ripped off" everyone he sold that to, plus also stole from Microsoft because THEY own the legal licensing rights to it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The guy who assembled my computer gave me the XP that I have. He even took what would be equivalent to 35 dollars for that..

I hate to tell you but in US dollars $35 is not even close to the cost of a legitimate, legal copy of Windows XP. The cost of a new, legal copy of XP generally averages around $200 in US Dollars. Price depends on the version you purchase and also the store where it is purchased. Some will be higher than $200 and some will be a little lower than $200, but certainly never only $35.

So I would say, as we say in the US, the guy "ripped you off". He has likely sold you a stolen operating system, also called a "pirated" copy of XP.
This is shown by the files found and removed by MBA-M, notice what they say they were:
xp keygen\keygen.exe
xp keygen\update_xp_cd_key.exe
xp keygen\windowsxp product key viewer.exe

A keygen is a computer program that generates a false product licensing key, serial number, or some other registration information needed to activate a software application. In most countries, the use of keygens to activate software without purchasing a license is fraudulent. When you purchase the software, IN THE BOX, as you said you did with Kaspersky, you are purchasing that license. Each and every copy of the Windows Operating System, no matter what version you have, is issued its own registration or license number, …

Salem commented: Bravo - well said!!!! +17
jholland1964 650 Posting Expert Team Colleague Featured Poster

Your Windows is not up to date, you show only SP2 on there. Your Java is not up to date. Those two things alone will keep your computer at risk.

There would be absolutely no reason a newly formatted computer should have infections, unless either the reformat was done incorrectly in the first place, or backed up infected files have been placed back onto the reformatted computer, which of course is a possibility, or you are continuing to use the computer unsafely and using illegal files on it.

It appears that your copy of Windows may not be legal, judging by the infected files found by MBA-M.

If I recall correctly the original problem causing the reformat was related to the use of P2P file sharing. It appears that you still are not following safe, legal practices when using the computer. Until you do the computer will continue to become infected.

Did you pay for the Kaspersky program?

Please go here and then post back with the results.

http://www.microsoft.com/genuine/validate/DownloadValidationSupport.aspx?displaylang=en

jholland1964 650 Posting Expert Team Colleague Featured Poster

somjit, you certainly can post the logs here so we can be sure all is clean.
Your new Kaspersky 2011 Internet Security suite is an excellent program and it contains an antivirus program and a two-way firewall, so you certainly don't need another firewall. The absolute rule is ONE firewall should be running on a system.
You need to make sure the operating system is fully updated, including all service packs and the most recently offered updates.
Your Java should be fully up to date. Current version is update 6 version 26.
You need to be sure you have correct settings in your browser. I am not certain yet which one you are using, but for Internet Explorer go to Tools, Internet Options.
On the General Tab click the Browsing History Settings Tab. Be sure there is a dot in Every time I visit the web page. Set the disk space to use to around 250 MB. Choose the number of days you wish to keep in History. The number of days is of course your choice. I have mine set to 7.
Hit Ok on that and then go to the Privacy Tab.
Hit the Advanced Button. Make sure there is a dot in Accept 1st Party Cookies, BLOCK 3rd Party cookies and a check mark in Accept Session Cookies.
Hit Ok. and then close out Internet Options.

I strongly recommend that you download, install, update, enable all protection in

jholland1964 650 Posting Expert Team Colleague Featured Poster

Isn't this new "Google paradigm" sweet? You are now actually able to clock up some sleep, Jude.

What what??:D

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are still showing tracking cookies being found. You need to change your browser settings on all of your browsers to block all 3rd party cookies which include tracking cookies.

Now you said the chrome browser had been renamed. That isn't showing in the logs.
Look at my attachments. Do you mean that where Google normally shows, as in my first attachment, it now shows "what what", similar to my second attachment? I don't have the Chrome browser so I just had to create these from web pictures, so they may not be what you are talking about. If you can, could you post a print screen to make it clearer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the new SAS scan with the updated program?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your SAS program is out of date. One absolute rule when doing any scan: update the program before doing the scan. You posted two scans and the program had not been updated for either one. On the 22nd the database was 7304 and the Trace # was 5116.
Please update the program and do another Full Scan. Post back with the log.
Your cookie setting is incorrect for Google Chrome because these are all 3rd party tracking cookies. I don't use Chrome so I am not sure where you would find that setting in the program, but it should be changed to block 3rd party cookies and accept only 1st party cookies.

LimeWire 5.4.6 must absolutely be removed. P2P is the easiest way to get an infection and to have your computer hijacked.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Open SAS, click the Preferences button. There you will see a lot of tabs. Click the Statistics/Logs tab. The log will be in there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hate to say this but since it has been 8 days since your last reply there is no way I can say what could have caused this.
Have you been using the computer in the last 8 days rather than completing the requested steps? SAS was the other request, it hasn't been completed.
Run DDS scanner again and post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

:D Sorry about that! Yes I did read that, then the "java thing" came up and I completely forgot.
Now a couple things you need to do. One is to remove the tools used here as they won't be needed anymore.
To do this follow these instructions:

Please download OTC by OldTimer: http://oldtimer.geekstogo.com/OTC.exe
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.


Next add this protection program:
SpywareBlaster by Javacool. I wouldn't run a computer without it.
Prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.
Simply download, install, update, enable all protection and close the program. It doesn't run in the background, so there is no interference with any other security programs. Manually check for updates every couple of weeks. When there are updates, simply download, install, enable all protection and close it out.

Keep MBA-M on there, update at least once a week and run a Quick Scan. If the Quick Scan finds something then remove of course, immediately update again and run a Full Scan just to be safe.

You also should look into replacing the Power Supply as Rik noted earlier. …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Installed and updated. :)

All of the Windows Updates including SP3? How could you get all that downloaded and installed in this short of time? SP3 alone would take a very long time to download. It has only been 35 minutes since you got the Java installed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Very good! Now you DO need to update the system. Especially now when you know it is clean. That is a key requirement before doing major system updates and right now today you can be pretty certain that is the case.
An out of date system is a very easy way to end up with major infections. You of course have been running, even though you say you don't use it, IE6, current version is IE8 and I would also advise that you do take that also.
You need to use IE to go to Windows Updates.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Reason I asked is that the error you got can happen when old java remains.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A JavaRa log? Honestly have never seen one, sure post it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you Uninstall all the old Java first, using the tool that Crunchie gave you?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am sure things will go just fine.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Jen, you can go here to get your Java update. Much easier page. You evidently chose the 64bit version of the program and you are running a 32bit, that's why you got that message.
http://www.java.com/en/download/index.jsp

You DID do the right thing by updating IE. Even though you don't use it, you always need to keep it updated and there still ARE some websites that require that you use IE.
The KEY thing you need to update is the actual operating system. You do need SP3. Without SP3 your system is no longer supported and IS at great security risk. By updating to SP3 your system can receive critical updates until its lifecycle expires, which will be April of 2014. So it is to your advantage to do the update. Keeps you a WHOLE lot safer too!

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need a lot more information than you have provided. What operating system? What tools did you use to clean the computer with, and do they have logs? If so, we would need to see those logs. Without knowing what infection it was and exactly what steps were run and how, we are at a handicap here.
What file is it that you are trying to open? If the virus keeps reloading from the backup files made, then this means those are infected also and would have to be cleaned BEFORE placing them back onto the computer. Since you saved the infection itself, recovering those files may not be possible, as the infection may have corrupted them beyond recovering.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The file removed by MBA-M shows a "cracked" copy of Microsoft Office Enterprise 2007, which is very likely the way the infection came onto the system. The easiest way to infect a computer is file sharing.
Plus this is illegal. If your copy of office is illegal you need to remove it entirely.
We don't work to clean up computers with illegal file sharing files or programs.
If it is legal then you need to go to Microsoft and have the program validated as a real, legal copy.
If you can show us the validation we can continue.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to go to our Read Me Before Posting sticky and follow all of the instructions and run all the scans requested there.

Once you have completed all the requested scans then post back here with copy/pastes of all the logs produced. Then we can better help determine what the next steps will be.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thank you, too, for your help. I updated MBAM last night, but after two attempts to run a full scan, I think I might try downloading a version or two earlier. Both times, I left the program to run the scan on its own and didn't touch anything, and both times when I checked, MBAM has "encountered a problem and needs to close."

I'll be sure to post the log when I get it. :)

Jen, a version or two earlier will not remove anything because the database will not contain the proper definitions. With any scanner, no matter what program you must have a new version for removal.
Boot the computer to safe mode and run the scan with the newest version, have it remove everything found and post back with the logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Jen, Crunchie isn't here at the moment. The TDSSKiller DID remove a rootkit. It is highly likely that you do still have infection on the computer.
Your version of MBA-M is a year out of date. Current version is 1.51.0.1200 and current database is at least database version 6897. So your database is over 2800 updates behind.

You need to update your MBA-M program to the latest version and latest database and run another Full Scan with it. Have it Remove Everything found and then Reboot the computer>>>this is VERY important as some of the removals may not be completed until the computer is rebooting.
Once you have done this then post back here with that new log and we will give you additional steps.

jholland1964 650 Posting Expert Team Colleague Featured Poster

ClickPotato was removed by MBA-M so that is gone. I still see uTorrent running on the computer.
You have a HUGE number of processes running when the DDS scans have been done. Key thing about removing infections is that only NECESSARY programs should be running while doing this and many of those running here are not necessary for the running of the computer.
You need to change your Start Page from facemoods. Try going to a safe page, like the plain google home page and setting that as the start page and see if that makes a difference. Then you can certainly choose another but make sure it is a SAFE page and not something like facemoods. You also need to go into Addons in both browsers and disable and then delete if possible delete the facemoods tool bars.

Update MBA-M and run another Full Scan. Also download and install the FREE version of SUPERAntispyware and run a full scan with it also. Have it remove everything it finds. http://www.superantispyware.com/download.html
Post back with both of those logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your MBA-M program is nearly 18 months old. Current version is version 1.51.0.1200 and the latest database version is 6851 so your database is 3000 behind.

The absolute rule is to always update MBA-M before each and every scan. They issue updates multiple times daily so even if you run multiple scans in one day the program should always be updated before each scan.
You absolutely must update this program and do another Full Scan with it and have it Remove Everything found and then Reboot the computer, this is very important since some of the removals often are not complete until the computer has been rebooted.

You need to Uninstall these programs as they are likely part of the cause for your infections:
µTorrent
ClickPotato
StreamTorrent 1.0
facemoods


After you have run MBA-M and posted the new log then please do the following:

Please Run the ESET Online Scanner

http://www.eset.com/us/online-scanner?i_agree=14

* You can use Internet Explorer or you may use Firefox to complete this scan and you will need to allow an ActiveX control to be installed
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.

* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Reboot the computer …