jholland1964 650 Posting Expert Team Colleague Featured Poster

So in the 24 hours or so since I first got the program, and updated it, it has updated the database 7 more times?

Essentially yes, that doesn't necessarily mean all the updates were offered one at a time.
I find it very unusual that the scan would take 8 hours, there must be something slowing it down. How large is your hard drive?
A full scan for me takes about 1 hour. I have seen them take a couple but honestly not 8 hours. Can you tell me, is it actually scanning all the time or does it seem to freeze? They are currently examining a possible issue with freezes during scans which might be caused by Zone Alarm firewall, they are not certain at this point but it is a possibility. The scan should never take 8 hours.
I wasn't meaning to be critical when asking if you had rebooted, it is just that many people don't understand they must reboot if the log says -> Delete on reboot. They will run the program and then immediately run HijackThis without rebooting. We have to ask to be absolutely certain.

jholland1964 650 Posting Expert Team Colleague Featured Poster

yes it is.

No, it is out of date. MBA-M updates sometimes more than once a day. Your database version is 1497. Newest database version is 1504. You must run the Update prior to each and every scan.
Are you shutting down and rebooting after running MBA-M?
Note what it says in the log on many of the items found....-> Delete on reboot.

meaning that file cannot be removed until the computer is rebooted because it must delete it BEFORE it begins to run.
Please update your MBA-M do another scan, REBOOT and then run a new HJT scan and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need to see an HJT log done AFTER the MBA-M program was run.

jholland1964 650 Posting Expert Team Colleague Featured Poster

MBA-M has a tool called File Assassin which may be able to remove this. Open MBA-M, More Tools. There you will see the File Assassin button. Click Run Tool. Then you will have to navigate to that file we want to remove.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We MUST see the logs. Please run MBA-M again and post the log. We cannot help without the logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here is the problem:
O20 - AppInit_DLLs: C:\WINDOWS\System32\ds16gt32.dll
O20 - Winlogon Notify: f063d96d511 - C:\WINDOWS\System32\ds16gt32.dll
This is the file you had to upload for checking which came back with the Trojan identifications from multiple scanners.
Can you boot to safe mode and do a search for this file?

C:\WINDOWS\System32\ds16gt32.dll

If you find it, delete it, just the file in RED BOLD not the entire folder.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your HJT log looks ok, you have a LOT of things running in the background and a lot running unnecessarily at startup, this could give you the high usage of svchost processes, as crunchie noted in his attachment. Each one handles multiple processes, and you have a LOT running.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, there is still infection showing in the HJT log and it was NOT caught by MBA-M this time, though copy 1 was caught the first time.
C:\Documents and Settings\mfutch\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> Delete on reboot.

Prior to that it did NOT show in the HJT log, now it does, note the 2:
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\mfutch\Application Data\Google\fhexj6825097.exe" 2

Try this again:
Download Combofix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Infection still showing in your HJT log. Update MBA-M and run another Full System scan. Allow it to remove everything found.
Reboot.
Run a new HJT scan and post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'm guessing this file isn't supposed to be there?

No it is not.
Do the following:
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text and right click and choose copy

File::
c:\windows\system32\ds16gt32.dll

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Drag the file you just created CFScript.txt and drop it on the main ComboFix.exe icon
Please wait for ComboFix to finish running

Post back here with that new combofix log

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks better, are things running better? You need to update your java it is woefully out of date. Go HERE and download the newest version which is version 6 update 11. Choose the Offline Install and save it to the desktop.
Once you have that downloaded then go to Add/Remove and Uninstall ALL old versions of Java showing there.
Once you have uninstalled all those then double click that install file on the desktop and install the new version, read through carefully, watch in case there is a Yahoo toolbar offered there...there will be a check mark already in the install, take that check mark OUT.
Continue with the install. When it is complete go back to the download page and on the right side you will see Verify Now. Click that to go to the verification page where you can check to be certain the install was complete.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would also recommend that you Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us too.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HJT again and place a check mark next to the following entries:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Once you have placed the check marks then click the Fix Checked button. Exit HJT.
All of the above are known to download Rogue programs.
Once you have done that run a new full system scan with HJT and post that new log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

By the way, acrord32.exe is usually Acrobat Reader. Also, don't do anything else while running a scan like MBA-M, you want it to find everything it can and if interrupted it can miss something.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok Michael, try this:
Please try the following routine given in the MBA-M forum to see if you can get Malwarebytes to run.

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Full System and allow MBAM to fix anything found.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, hope we don't hear from you....LOL...don't take it personally.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like you to go to virusscan-jotti which is a site where you can upload suspicious files from your computer and have them scanned by multiple anti-virus engines. They will do a quick scan and give you the results.
At the top of the page you will see: File to upload & scan next to a window. copy/paste this into that window

c:\windows\system32\ds16gt32.dll

Click the Browse button and it will scan your computer for that file. When it is found click Submit.
It will quickly scan the file and give you a report.
Please come back here and post that full report.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good. Let's keep our fingers crossed.
Now you need to do the following
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"
You also need to set a new Restore point. To do this Right Click My Computer, Choose Properties. When System Properties opens choose the System Restore Tab. Place a check mark in Turn Off System Restore, Apply. You may receive a warning that it will be turned off. Click ok. Wait a few moments then go back in there and Remove that check mark. Click Apply, and ok.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Norton is up to date totally, 98 days remaining.
I'm not sure what you're asking of me though...
I'm a bit illiterate at all of this, do you want me to copy the whole log here? That's a lot of repeated spammage.

I really do appreciate the help though, ^_^

No it would have helped to have a couple of the errors so we would have maybe an idea.
Do this....
Please Download ATF-Cleaner.exe by Atribune(Windows XP, 2K, 2003 & Vista ONLY)

• You can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster


This time it appears like everything is gone for good. I'll run MBA-M again in a few days and check back.

Thanks again for all of your help in figuring this out!

Don't hold your breath...
This entry is still showing in the HJT log.
O20 - AppInit_DLLs: oxugxj.dll

Not supposed to be there, unknown, only things that come up on a search for info is this thread!
Run HJT again and put a check mark next to that entry.
Click the Fix Checked button.
Exit HJT.
Reboot.
Run HJT again and KEEP YOUR FINGERS CROSSED...save the log and post back here with that new one.
Judy
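As an added example (not part of the original posts, and not code from HijackThis or Malwarebytes), the following Python script pulls out the kinds of HijackThis entries flagged in the posts above: O20 AppInit_DLLs and Winlogon Notify values, O15 Trusted Zone domains, and O4 autostarts that run from a user profile directory. The rule set, the `USER_WRITABLE` list and the function names are assumptions made for illustration; the sample lines are copied from the logs quoted on this page.

```python
import re
from dataclasses import dataclass

# Entry lines copied from the HijackThis logs quoted in the posts on this page.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\DNA\btdna.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\mfutch\Application Data\Google\fhexj6825097.exe" 2
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\System32\ds16gt32.dll
O20 - Winlogon Notify: f063d96d511 - C:\WINDOWS\System32\ds16gt32.dll
O20 - AppInit_DLLs: oxugxj.dll
"""

# "<section> - <kind>: <value>", e.g. "O20 - AppInit_DLLs: C:\...\x.dll"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# Assumption: directories treated as user-writable on Windows XP.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    kind: str      # entry type, e.g. "AppInit_DLLs"
    value: str     # file path or domain to look at
    reason: str    # why the entry deserves a manual review


def _o4_path(value):
    """Return the executable path of an O4 autostart value."""
    quoted = re.search(r'"([^"]+)"', value)
    if quoted:
        return quoted.group(1)
    # Unquoted form: drop the leading [name] label and keep the rest.
    return re.sub(r"^\[[^\]]*\]\s*", "", value)


def triage(log_text):
    """Return the entries of a HijackThis log that deserve manual review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, kind, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if section == "O20" and kind == "AppInit_DLLs" and value:
            findings.append(Finding(section, kind, value,
                                    "DLL loaded into every process that loads user32.dll"))
        elif section == "O20" and kind == "Winlogon Notify":
            path = value.split(" - ", 1)[-1]  # "name - path" -> path
            findings.append(Finding(section, kind, path,
                                    "DLL registered for Winlogon event notification"))
        elif section == "O15" and kind == "Trusted Zone":
            # No suffix is assumed to mean the current user's hive.
            hive = "HKLM" if value.endswith("(HKLM)") else "HKCU"
            domain = re.sub(r"\s*\(HKLM\)$", "", value)
            findings.append(Finding(section, kind, domain,
                                    "domain in the IE Trusted Zone (" + hive + ")"))
        elif section == "O4":
            path = _o4_path(value)
            if any(frag in path.lower() for frag in USER_WRITABLE):
                findings.append(Finding(section, kind, path,
                                        "autostart from a user-writable directory"))
    return findings


def files_to_review(findings):
    """Map each flagged file (lower-cased) to the entry kinds that reference it."""
    files = {}
    for f in findings:
        if f.section in ("O4", "O20"):
            files.setdefault(f.value.lower(), []).append(f.kind)
    return files


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.kind, f.value, "->", f.reason)
```

A file that appears under more than one persistence entry, as ds16gt32.dll does here, is the first candidate to upload to a multi-engine scanner.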

jholland1964 650 Posting Expert Team Colleague Featured Poster

Actually would have preferred to see an actual error report rather than just comments on various errors...anyway
ccsvchst is your Norton Anti-virus
Automatic LiveUpdate...assume this is your Norton program, though it could also be Windows Updates.
The thing is many of these items you mention have to do with various auto updates to some programs, Norton...which SHOULD auto update, Bonjour service which shouldn't be needed, LightScribeService is a labeling service for CD's shouldn't be running at all, gusvc is the Google updater.
Turn off ALL of those auto updaters with the exception of the Norton program...is it current and up to date by the way or is it due for renewal.

jholland1964 650 Posting Expert Team Colleague Featured Poster

in gigs?

Realize yes it is gigs, but if that much is gone...what is on there? Amount of RAM is way too low also which would certainly keep the machine slow. 47 processes running when the HJT scan was run, huge number of unnecessary items auto starting.
Know it is gigs but the idea that only 1/4 of the drive is left shows there is a lot installed, probably a lot that is either unused or uses a lot of resources when run. That was my point.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not much space left on that hard drive, less than 1/4 left.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Think you better begin some clean ups....
Do the following:
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)

• You can put ATF-Cleaner on your Desktop for easy access.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I do have the BitTorrent program on my computer but there are not any files shared through it and it has not been running or in use recently (or at all since the problems began), strange.

It IS running on the computer, or at least has been during each HJT scan. It is listed in auto-start so it starts up each time you start up the computer.
I also just noticed too, my error that I didn't see it before, but your McAfee program was running during the Combofix scan and the instructions clearly say to

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.


But, it looks as though ESET got rid of those questionable entries.
Update MBA-M and run a Full System Scan with it, REMOVE all that is found.
Reboot the computer and then run another Full Scan with HJT.
Post back here with both logs. Maybe this "bugger" is finally gone...hopefully.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

there are several pop ups open with internet explorer

What types of pop ups?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Look in Event Viewer and see noted errors. This could give information on what is causing these crashes.
Start, Control Panel, Administrative Tools, Event Viewer. Check Applications and also System logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Very possible the server was busy at the time. If too many users are on at once the server could reach its limits. Does this happen often? What were you doing at the time? How are you connected to the internet?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here is a suggestion from the Malwarebyte's to try to get the MBA-M program for download if that has not been possible.
Please try the following routine to see if you can get Malwarebytes to run.

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
Then follow the rest of Cohen's instructions for the running of Malwarebytes'

jholland1964 650 Posting Expert Team Colleague Featured Poster

Btod9, you need to begin your own thread. The instructions from Cohen were for the thread starter, Needhelp21

jholland1964 650 Posting Expert Team Colleague Featured Poster

Also, it appears as though the log posted from HJT was one collected while putting it through some sort of analyzer. Just run the scan, click save the log and then post it. It should come through without "editorial" comments as shown in the post:

/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*

jholland1964 650 Posting Expert Team Colleague Featured Poster

What are some of the pages you get instead of Hotmail?
We are going to get this thing fixed but we need to see more scans and logs.
Update MBA-M and run another scan with it. Be sure to have it remove everything found and then REBOOT the computer.
Then run a new HJT scan and save that log. Post back here with both.
By the way, when you reply to a post, hit the yellow Reply to Thread button not the gray reply w/quote button. Ok?

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download Combofix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you tried to download MBA-M from HERE

Also the programs you noted in your earlier post are all fine. Many you wouldn't remember installing because they probably came pre-installed on the computer when you purchased it or came in as the result of an automatic update,
ati control panel-has to do with your graphics card
ati display driver-exactly what it says it is, your display driver
ati hydravision-ATI's HydraVision desktop management software, allowing for multi-monitor support, as included in ATI HydraVision versions 2.5 and earlier.
bonjour-installed with iTunes software. You can uninstall it.
fire gl control panel-also has to do with your graphics
highmat extension-extension for the Windows CD writing software
retrospect 7.5-backup software program essentially.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly this is "a puzzlement" to me. Several things just don't add up here:

jholland1964= Are you sharing files via P2P? This is a very good way to get these types of infections.

atarischad = No, I am not.

HJT log
Running processes:
C:\Program Files\DNA\btdna.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

BitTorrent DNA™ is a content delivery service that uses a secure, private, managed peer network

No matter how you think of it....
Could you turn off this program until this fix is totally complete.

Now I would like you to do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us

jholland1964 650 Posting Expert Team Colleague Featured Poster

Give me a new HJT scan please, ok? Can you tell me, when you ran your last MBA-M did you reboot the computer BEFORE running the HiJackThis scan that you posted along with it?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well, rats! Do this. First remove combofix like this:
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

After you have done that then download it again using same instructions from Post#5 http://www.daniweb.com/forums/thread161311.html
Do all you did before, let it scan, remove, finish and post back here with the new log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will now start scanning your computer for known infections. This …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you sharing files via P2P? This is a very good way to get these types of infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You're welcome. Remember, any programs you disable from start up can always be re-enabled if you feel you want them to do so.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi zbizzy, will be waiting for your logs. Be sure to allow MBA-M to remove items found.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi dragz and welcome to daniweb.
We certainly need to see more than a combofix log. We need to see logs from

some of the steps I saw outlined in previous threads.

We cannot advise until we do. We need to see an MBA-M log, if you did any online scans and they produced a log we would need to see those. We also need to know what other steps you did in addition to other scans. When did this problem begin? Had you installed any new software or hardware, done any recent system updates or updates for other programs?
It is truly never advisable to use combofix unless First instructed to do so by somebody helping you on a forum. This is generally only used when certain clean up steps are not successful or seem to be successful but the problem returns. It is a VERY POWERFUL program which can, when used either improperly or at the wrong time can damage key files on a computer.
Please post back with all the requested logs and maybe we can figure out what the problem may be.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all, since you have Diskeeper light on the computer then I would not install Auslogics Disk Defrag. Diskeeper is a good program and like Auslogic's program runs faster than the built in Windows Defrag.

Now for the unnecessary starts ups:
Using CodeStuff Starter begin with the Start ups Tab and remove the checkmarks from these listed below. Be sure to read what each controls. Some absolutely are not needed for the program to run in order to run the program manually and listing as auto starts only really just speeds the start up of that particular program by a few seconds, but can slow the computer if running all the time in the back ground, others will be your choice on whether you want them to start automatically or not. But none of these are required to auto start for the running of the computer.

SigmatelSysTrayApp----System tray program for the Sigmatel Audio sound card. Often found on Dell computers. This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.
ATIPTA---Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start ->Settings -> Control Panel -> Display. Some users may need it if they have optimised their settings. Choice is yours.
MBMon-CTMBHA.DLL----?Related to Creative_Audigy line of sound cards. Sounds like …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello Judy,

Yes, those nasty Internet Explorer popups seem to have vanished. Other than the computer running slow, it seems to be back to normal. Thank you so very, very much for your help! I appreciate it very much.

Lorraine

There are steps you can take to speed the computer, one is stopping unnecessary start ups and services, I can give you a list of those if you wish and CodeStuff Starter is a good free program to help control these, a general clean up, meaning getting rid of unneeded temp files and the like. A disk defrag can help speed it up, you can use the built in defrag or there is another one, Auslogic Disk Defrag you can download that works well and faster.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

The fact that you still have some re-directs and several entries in the HJT log tells me that this infection still isn't gone all the way.
I first want you to try this:
Download SDFix
Save it to the desktop.
Double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.

Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as the same user as you usually do.

When your computer has started in safe mode, and you see the desktop, close all open Windows.

Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat

Then press the OK button.
The SDFix window will open containing some brief info and a disclaimer on the use of the tool
please press …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good. Do things seem to be running well?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still not clean. Do the following:

Download Combofix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually …

jholland1964 650 Posting Expert Team Colleague Featured Poster

File is still there....hmmmm
First run HJT again and place a check mark next to these two entries:
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O20 - AppInit_DLLs: hhcefv.dll
after you place the check marks click the Fix Checked button.
Exit HJT.

Next update MBA-M. Then boot to safe mode and run a full system scan with it, remove items found and save the log.
Boot back to normal mode, run a new HJT scan and save the log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You doing file sharing? Also what is your location?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Look in C:\SDFix and see if the log is there.