Posts by jholland1964

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.
Please disable your antivirus program and firewall while running combofix.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not touch the computer while combofix is running. That may cause it to stall

the program doesn't crash immediately now it is only crashing when I try to load certain presets for sounds that came with the version that was the source of the problem (I reinstalled an earlier version recently)

Ok, a bit of clarification; It was a NEWER version that did the immediate crashing? So you re-installed an earlier version and that works but the presets which came with the later version are now what does the crashing?
If I understood this correctly then my question is this, did you Uninstall that newer version BEFORE installing that older version? If this is the case then I feel the newer version was not totally uninstalled, if it had been the presets of the new version shouldn't still be there. Then it seems to me that the reason for this is these presets of the newer version probably crash because the older version does not contain the needed files to run those presets of the newer version, so it crashes.
Now since I am completely in the dark as far as "music creating" programs go let me just use a different program as an example, and hopefully I won't sound like an idiot:)
I am going to use as an example the Microsoft Office program because I assume that no matter what type of computer program you are using the basic rules are the same and I had a somewhat similar situation recently.
I have Microsoft Office 2000, fully updated …

First of all you are running Spybot TeaTimer. This can interfere with fixes done. Spybot itself is a great program but the TeaTimer portion of the program really is more trouble than it is worth. Turn that off.
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)

• You can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view …

Sorry I am so late in responding. I was off site much of the day.
Run HJT again and place check marks next to the following entries;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {18EBFA65-F1B4-45DB-8CE1-0CBFF34D7950} - (no file)
O2 - BHO: (no name) - {25D12426-BA9F-44EB-8CB2-642DEEC2A951} - (no file)
O2 - BHO: (no name) - {CB84B07A-40B4-42D4-8796-4FAAACD61965} - (no file)
O20 - Winlogon Notify: jkkihhi - jkkihhi.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)

Once you have placed the check marks click the Fix Checked button.
Exit HJT.
Reboot the system and run a new Full System scan with HJT.
Save that log and post it here.
Judy

mheidi, you should have put this reply in your original thread. The original poster never returned here.
http://www.daniweb.com/forums/thread164039-2.html

Your MBA-M program is WAY, WAY out of date. Current version is version 1.32 and the current database is 1649. You ALWAYS must update the program BEFORE each scan. MBA-M has daily updates, sometimes even more often. Do the update and then run the new Full System Scan and REBOOT after the scan. You must do this because you may have a lot more on the computer than was found in those first scans.
Then run HJT as requested by crunchie and post both of those logs here.
Judy

Does it freeze in Safe Mode with Networking? Or even just safe mode?
If it does not then the problem probably would NOT be the hard drive. You absolutely need more RAM for sure. That is NOT expensive and is easy to add.

The steps we recommend here will remove this threat. We are well aware here what this infection does. Since the original poster has not returned we have no idea what she has decided to do.
We need to wait for her return before offering other steps.
Judy

Thanks for the info. Don't worry about that Deckard Scanner, meant to tell you to ignore that one anyway, it hasn't been available for a long time. If you note in the list of instructions it will tell you to ignore that part of the instructions.
I notice you have several of the Native Instruments programs on the computer is the one you noted the only one which causes the computer to crash? Forgive me for asking what may sound like silly questions but I am not familiar with the program...is this a stand alone program, the Native Instruments Massive, or must it have the others to run properly? The reason I ask is maybe there is a problem with the entire "package" of Native Instruments programs that just the removal and reinstall of the one isn't enough. Do the other ones work ok? Were these installed via downloads or do you have an install disk for the programs?
Can you give me a new HJT scan run since the ESET and MBA-M scans were run? ESET didn't find anything but MBA-M certainly did.
Judy

No, I don't believe the computer is clean there are definitely some suspicious entries in your HJT log. But the first thing you need to do is UNINSTALL, via Add/Remove, one of the two anti-virus programs you are running.
I see both Avast4 and McAfee. The absolute rule is ONE anti-virus program on a computer. If McAfee is expired then uninstall ALL of it. If McAfee is current and NOT expired then uninstall Avast. But one of them MUST go.
A reboot will probably be necessary. Once that extra anti-virus program is uninstalled then UPDATE MBA-M and run a full system scan with it. Allow it to remove everything found. Save the log and Reboot the system. Then run a full system scan with ESET Online Scanner, you will have to use Internet Explorer to do this and temporarily disable the remaining anti-virus program to complete the scan. All it to remove everything found. Once the scan is complete then re-enable your anti-virus program.
Reboot.
Run and new HJT scan and save the log. Post back here with all three logs.

i have scanned my computer with kaspersky and eset wanted to install something so i opted not to use their scanner but kaspersky is always up to date and it found nothing
there is that weird thing at the bottom of the hijackthis log that wont go away when i try and get rid of it that has the "(file missing)" next to it
also
i recently noticed something popping up on my desktop after i run certain programs that is a .txt file called "memreport"
i have no idea what it does and it usually doesnt even have anything written in it??
very strange
thanks for your help too!
i hope something changes because i use my computer to make music with and its my life really
thanksssss
kilegoty

We ask that you run ESET Scanner because it does have the capability to fix whatever is found. It does require the use of and active X download. Kaspersky, while very good, no longer offers the option to fix.
the file you see appear on the desktop, while a lot of info is not found about it, does appear to be malware related.
I have repeatedly asked for the name of the program and it's version that you are having difficulties with but you have declined to be forthcoming on this.
We have certain steps we ask people to do, one of which is provide ALL information requested …

HELP a 37 yr old Lady who can't afford a guy to come in to fix this......

You don't need a "guy" to come in and fix this, believe me, you can do it yourself with the steps you'll get here.
Judy (not a guy):)

What program were you trying to install? Sounds like this may have caused something.

hmmm
where are these "steps" coming from that you're mentioning...?

:$ Sorry, forgot to give you the link;
http://www.daniweb.com/forums/thread134865.html

Now what is the exact name and version of the program you are having problems with?

What is the exact name and version of the program that you are having problems with?
I would suggest that you begin by following steps 2, 7, 8 and 9 (though in this step please allow the ESET scanner to remove whatever is found) Please REBOOT after both the MBA-M scan and then the ESET scan. Be sure to save both logs.
Once you have completed the scans and removed what they found then run a new HJT scan and post back with the logs.
Judy

Probably best to leave it and see . VundoFix *rarely* causes problems but there is still a risk i suppose. It is very good at finding infections though.

By the way WahooBoyd, i just want to congradulate you on being a great poster :) if every user provided as much information as you it would make everyones lives a lot easier.

And yeah, did you update the Java? Vundo commonly finds its way in through outdated JREs.

Post #7-Installed Java 6, version 11, and confirmed via Java web site that the installation succeeded and is operating correctly.

As far as running VundoFix that really is up to you WahooBoyd. If you feel you would like to check things out once more that is fine. I agree with jbennet concerning your thorough posting, it really makes a huge difference to receive full information.
Judy

Sorry we couldn't find a way to wipe out this sucker!

Yes you can clean out those quarantined items. Keep both programs updated and do regular scans with them. Judy

would it make sense at this point to use my system restore disc, restore my computer to factory settings and start from scratch? I have an external hard-drive to copy files that can't be replaced and it would just be a matter of re-installing and re-downloading other programs. It would be time consuming but if it would solve the problem it seems like that might be the best bet.

Since this has been going on 34 days, I think that is probably your best bet. Especially since you have a way to back up everything.
Judy

Probably the main reason it didn't find what others found is that it is WAY, WAY out of date. Current version is 1.32 and database version is 1643. So yours is, at the very least more than a month out of date. It has to be updated. MBA-M certainly is capable of fixing most problems. Depends on WHEN you ran it...if you ran it BEFORE the other two then it could have found more but of course it is out of date. If you ran it AFTER the other two ran then it would NOT find what the other two had all ready fixed.

I don't see anything suspicious in the log. Your java is out of date but other than that I see nothing. It would help to see the MBA-M log.

downloaded some files from rapidshare

Why are you downloading files when the computer is having problems? This won't help a thing.
Please give us some of these blocked pages.

I have a question, you had a thread going back in December and you never returned to it so we never knew if your problem was corrected at that time. Why didn't you return?
http://www.daniweb.com/forums/thread160954.html

So I ran Super Anti-Spyware, Malwarebytes, and Norton Malware.They found problems but not of them removed this problem.

Did you tell these programs to remove what they found? They won't just do it automatically, you have to tell them to do so and very often the computer must be rebooted in order to complete the removal process.
MBA-M most definitely should remove this. This is an email worm which has been around since 2004 as should the others. It is now spreading via file sharing too.

There is an enable protection button. I've pressed the button

That security center warning you are receiving is part of the worm itself so you should not be pushing any button. Just "X" out of it if possible.
We really have to see some logs or else we can't know completely what you are dealing with.

So in other words you cannot use IE 6 at all of all pages are blocked?

all active programs expext download process.

Not certain what you mean by the above. Sorry.

Standard buttons are changed

Not sure what you mean by this exactly.
One thing, disable that Spybot TeaTimer. It is more trouble than it is worth and can interfere with fixes you may do.
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

some internet pages was blocked

Blocked by Internet Explorer or by one of your security programs?
Give us an example of one or two of these pages and also exact wording you receive when the pages are blocked.

This thread can be marked solved.

Looks pretty good. Do you everything is working ok? If so you should set a new and now clean Restore Point. Right click My Computer, choose Properties. When System Properties opens click the System Restore Tab. When that opens put a check mark in Turn off System Restore. Click ok. You may get a message that System Restore will turn off, click ok or yes. Allow it to turn off. Wait a moment and then go back in and Remove the check mark to turn it back on. Then you should have a good, clean Restore Point.
If you feel all is resolved then you can mark this one solved.
Judy

Looks a lot better. Some fixes required with HJT too however.
Run HJT again and place check marks next to the following entries;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)

Once you have placed the check marks click the Fix Checked button.
Exit HJT.
Reboot the computer and run a new HJT scan and post that new log here.
Judy

I don't use the java auto updater either, seems like 9 out of 10 times I never got notification either. I just try to check every week or so.
You need to run HJT again and place check marks next to the following entries;
O2 - BHO: (no name) - {473F4E72-8EC0-4F84-982B-205C5FE7D7D3} - C:\WINDOWS\system32\hgGvspQK.dll (file missing)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (this is the java scheduler. If you want to keep it then don't fix this one)

O20 - Winlogon Notify: ddcCUnmK - ddcCUnmK.dll (file missing)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot and run one more HJT scan and post that new log.
Judy

You ABSOLUTELY have an infected computer.
Do steps 2, 7, 8, and 9 here. When doing step 9, the ESET Online Scanner please allow it to FIX or REMOVE whatever is found.
Be sure to REBOOT after using MBA-M and also the ESET Online Scanner.
Be sure to save both the log from MBA-M and ESET. Once you have completed those steps then run a new HJT scan and post back here with all three logs.
Judy

Run ESET Scanner again this time have it fix what it finds.
Your java program is WAY,WAY, WAY out of date. Current version is 6 update 11. Go HERE download the Offline Install to your desktop.
Then go into Add/Remove and uninstall ALL the java programs you find there.
Once you have done that then double click that install file to install the newest version. When the install is complete go back to the download page and click on Verify Now to check to be sure the installation was successful.
Reboot and run a new HJT scan, post back here with that new log and the new ESET scanner log.

Do steps 7, 8 and 9 given HERE, be sure to reboot after MBA-M and ESET Scanner.
Then do a new HJT scan and post all three logs here.

O13 - Gopher Prefix:
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing) (it won't delete this one for some reason. Every time i scan it is still there.)

Also there is a lot of java stuff on there is that normal.

First thing you need to do, or any fixes done won't work, is to get rid of Spybot TeaTimer. You don't need this part of the program and it does interfere with fixes which may be done by blocking some changes.
To stop this from running do the following:
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

The Gopher Prefix is nothing to worry about, it can be fixed if you wish but from what I have been able to find it is actually sort of a left over from when Gopher was a search protocol for the web before there was a web.
The Skytel entry is a program related to the Realtek Voice Manager used by some of their audio chipsets. This one is up to you, meaning …

Your java is out of date. You need to go HERE download the Offline Install program and save it to the desktop. Once the download is complete then go to Add/Remove and Uninstall ALL old versions of java that you find there.
Once you have completed that then double click that install file on the desktop to install the newest version. When the install is complete go back to the download page and click Verify Now to go to the verification page to check to be sure your install was successful.
Judy

I actually have two firewalls (Windows Defenders built in firewall and PeerGuardian2).

Windows Defender is the anti-spy program, you must mean you are using the built in Windows Firewall, that is fine then it just doesn't show on the HJT scans. If you have that one turned on then don't use another one. It can cause conflicts in programs, so I would remove that PeerGuardian.
There are several good, free anti-virus programs Antivir is the one I use, Avast is also good and many use AVG 8

Honestly have no clue what your thread title means. You need to spell out some symptoms so we can actually know what to look for in your log.
One thing I do see is you are running TWO antivirus programs. ESET NOD32, which is an excellent program, and Spyware Terminator (which is a so-so program). You may think Spyware Terminator is only an anti-spy program but it now includes anti-virus protection also, unless you have this portion of the program turned off.
Can you post back and give us more infor on what your problems are?
Also do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
When the computer has …

First thing I note is you are running NO anti-virus program and no firewall, unless you are using the built in Windows Firewall.
I see the following listings on the HJT log:
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb126\SearchSettings.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb126\SearchSettings.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
SearchSettings.exe is generally considered malware (Trojan) and should be removed. . It has been known to install during some shareware and freeware program installations.

O4 - HKCU\..\Run: [garypro] C:\Users\Gary\AppData\Roaming\gary.exe>>>What is This?
O4 - HKCU\..\Run: [garypro] C:\Users\Gary\AppData\Roaming\gary.exe>>>What is This?
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe>>>certainly NOT needed to run on startup, meaning it will run all the time....you are really taking a giant risk P2P anyway and then doing it without an anti-virus program is doubly dangerous.

You certainly could use more RAM. But one thing I see or actually More than one thing I see running are these programs:
Advanced WindowsCare V2 Personal
Advanced SystemCare Free v3
SmartRAM which is also part of the above programs.
Turn these off. All three of them.
Here is the advice I find concerning all three of these from HERE:

This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.

There is absolutely no reason why this program should run all the time. If constant changes are being made to the registry then, at least in my opinion, this could cause problems. Turn these three programs completely off and see if this make a difference.
Also, please remove the OLD version of HiJackThis from your computer and use the new version.

Looks pretty good. Do you feel all problems are corrected?

Your amount of RAM is somewhat low. You should consider adding more RAM, this would certainly speed the computer and additional RAM is not that expensive and generally easy to add.
To stop unnecessary starting programs and services which will certainly release necessary resources I recommend that you use this FREE program CodeStuff Starter
Download and install. It is very easy to use. When you open the program you will see three Tabs. Startups (these are the programs set to autostart and run all the time in the background when Windows Starts up.
Processes which is much like the Windows Task Manager which shows all the running processes. This is a bit more complete however, as it shows all files running with the particular process, and Services. These are the items which run as Services when Windows starts up.
Many of the Startups and Services can be stopped and run only as needed manually.
First click the Startups Tab and you can remove the check marks from those noted below. Unless noted as users's choice, all are not required to run at start up and can easily be run manually when needed. Those labeled User's choice can all also be run manually but there are some if you wish to leave running at start and all the time are ok. You will just have to make the choice. Nice thing about this program is IF you choose to stop something from running at …

Ok, give me a bit to make up the list and I will also link to a Free program to help control them too.

Judy, Thanks for your help so far! I was not able to use the ESET online scanner, well it scanned but would not remove because I needed to purchase the program, so I used Panda Active Scan.

It is ok that you used Panda BUT ESET online scanner does not require you to pay for removal.
Let me look through all this and will get back with you.
Judy

The files unable to be cleaned by ESET were part of the infection all ready deleted is why they couldn't be cleaned.
Run HJT again and put check marks next to the following entries
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {43CEC76F-CEA0-4C13-9C9B-15FEB741B74C} - C:\WINDOWS\system32\yaywtRiH.dll (file missing)
O4 - HKLM\..\Run: [GIZMO2] C:\Program Files\GIZMO2\GIZMO.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
Once the check marks are in place click the Fix Checked button.
Exit HJT

Now your java program is way out of date, one of the reasons I believe for the infection. You need to download the newest version from HERE. Download the Offline Install and save it to the desktop. Then go to Add/Remove and Uninstall ALL old versions of Java you find there. Once you have completed the uninstalls then double click that install file on the desktop and install the new version. When the install is complete go back to the download page and click Verify Now on the right side of the page. That will take you to the verification page where you can test to be sure the install was complete.
Reboot the system and run a new HJT scan and post the log.

Well there is a lot more running than the Norton Firewall. Are you absolutely certain your ISP is only providing the firewall?
If the answer is yes then I would run the Norton Uninstall Tool Uninstall it all and then get the firewall again from your ISP. All those items I noted are running at least partly on the computer, which is a lot more than the firewall and really compromises the AVG8. If the firewall keeps flagging it there must be some way to tell the firewall to ignore it.

How did you uninstall the Norton program? It absolutely IS running on the machine. Yes the firewall is there but also all of the others are showing as running, meaning they are not uninstalled.

Right-click on My Computer, click Properties, click the Advanced tab. Under “Startup & Recovery,” click Settings. Under “System Failure,” uncheck the box in front of “Automatically restart.”
Maybe this way you will be able to read the Blue Screen Message.

It certainly cannot get onto the CD.

I may be wrong but it certainly looks to me as if you are running TWO anti-virus programs. I cannot find any information for a stand alone Norton firewall. This appears to be contained within various Norton Security programs, all of which also contain Norton Anti-virus.
Your HiJackThis log shows numerous Norton files, a firewall certainly wouldn't have all of these files.
I see files which are connected to the following Norton products;
Norton 2003
Norton 2004
Norton AntiVirus 2006
Norton 360 security software
Norton Internet Security
Norton Personal Firewall
Symantec Internet Security Suite.
Symantec Licensing Detect Internet Connection", part of Norton antivirus
Symantec Shared Security Console
Symantec AntiVirus scanner
Norton Internet Security 2006
Only one of these files references the Norton Firewall, all the rest are either anti-virus programs or security suites which contain both anti-virus and firewall.
From what I have found, the file you noted IS part of AVG8 though whether it needs internet access seems up to debate and it often is "flagged" by various firewalls.
I think part of the problem is that you are running the two anti-virus programs. Your MBA-M log does show a Vundo infection which was removed, or at least some of it was removed.
You are also using Spybot TeaTimer which definitely will interfere with fixes done, it is more trouble than it is worth and should be disabled from within the Spybot …

Doesn't the ESET Scanner cost money to remove the files found?

No, not the online scan. http://www.eset.com/onlinescan/