Posts by jholland1964

Really can't give advice on Chrome since I don't use it. One thing you need to do is update your Java program.

Go here to download the latest version:
http://java.com/en/download/manual.jsp

Choose the Offline install and save it to the desktop.

After you have downloaded then close all your browsers, email programs etc. and go to Add/Remove and Uninstall ALL Java that you see there
Java Auto Updater
Java(TM) 6 Update 24

Once you have uninstalled those then double click the install file on your desktop to install the new version. WATCH the install VERY CAREFULLY because it might contain a toolbar or other item you don't want. If you see one of these "extras" that the check mark OUT of the boxes you will see there so you won't get the extra item offered, like an Asktool bar or Yahoo toolbar, something like that...you don't need them

Allow the install to coninue to completion. Once it finished then open the browser and go back to the download page and on the right side look for Verify Now, click that to go to the verification page to be sure the install went as it was supposed to.

Then try your Chrome and see if it works ok.

Is this only in Google Chrome browser? Try a different browser and see if the same thing happens.

Thanks. Can I ask you, your logs show open ports, are these open intentionally to allow you to connect to games?
How is the computer running? Are you still getting the redirects?

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

We already did, I believe you can mark this thread solved.

Since you are not the original poster that is not up to you to decide or request.

Yes definitely needed that log. As you can see it is very large. Let me go through it and I'll get back to you if anything else needs doing with that.
In the meantime, update MBA-M and do another Full Scan with it. Have it remove everything it finds and Reboot the computer.
Post back with that new log.

I received the netbook from my cousin with windows 7 already on here. I went to link directed and apparently its not a validated copy

http://i790.photobucket.com/albums/yy182/Xjmas/hmm2.jpg

In the same breath i went to properties and it says its genuine so i'm at a lost for words. If you still will not be able to help me that's alright thank you for your time ill just send in the notebook to be repaired.

http://i790.photobucket.com/albums/yy182/Xjmas/hmm.jpg

I really doubt that your copy of Windows 7 is valid.

Here is why we suspected this as soon as we saw the logs:
RiskWare.Tool.CK>>>this is a pirated activator for Windows 7,
HackTool.Wpakill>>>remove windows activation technologies>>>This it so the system can continue to be used without activation.
windows 7 ultimate keygen 1.0.exe>>>this is the product key generator for a pirated system.
These along with at least one error showing in your Event Viewer Messages From Past Week which indicates that your operating system was installed with an invalid (non-genuine) product key.

We cannot continue to offer assistance on a pirated system, that is illegal.

By the way, is your copy of Windows 7 a legal and licensed copy? I am asking this because of questionable listings in your logs.
If the Windows 7 is NOT legal we can no longer offer assistance.

Everything in the Windows.old isn't affecting my computer if you insist though ill remove them too.

Those ARE infected files. Please remove them by running MBA-M again as requested. Post back with that new log.

Xjmaslord4, your MBA-M log shows that the infected files found were NOT selected for removal as shown in the log by this notation next to all of them
-> Not selected for removal.
Please UPDATE the program as they often have multiple updates daily and there has been an update since you ran your scan. Run a Full Scan and have it Remove Everything Found.
Reboot the computer>>this is Very important because some of the removals may have to be completed early in the boot process.
Post back here with that new log.

Give this a try - http://siri.geekstogo.com/SmitfraudFix.php

SmitFraudFix has not been updated in quite some time and is for use only on Windows 2K / XP / Vista
The poster stated he is running Windows 7.

Xjmaslord4, I am going to ask that you follow all the instructions given in our Read Me sticky and correctly linked by steven woodman earlier.
Those instructions are very clear;
When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested) these requested scanlogs:

• MalwareBytes’ Anti-Malware log
• GMER One.log and GMER Two.log
• BOTH DDS ScanLogs (DDS.txt & Attach.txt)
We request copy/paste for a very specific reason, and that is to avoid the possible danger to others having to download an attached file to their own computer in order to view it. This puts other people's computer at risk. This is a standard request made at virtually all reputable malware removal forums and is requested here also.
I have removed your zipped gmer log and ask that you please copy paste all logs from the tools you ran in that Read Me first sticky.

Those tools requested in the Read Me Sticky are the only tools you should be using at this time until we can actually view all of the previously requested logs.
Judy

That's fine for now, we will leave it and see what happens.
Now do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can …

Very sorry for the delay in getting back to you. Please do the following:
Download the TDSSKiller utility. This is a .zip file so extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
Run the TDSSKiller.exe file;
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed.
The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.
If the utility detects an infection with the MBR bootkit, it will report the it has detected an infected object type “Physical drive” and prompt for action:

Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
Skip.
Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.
A reboot might require after the disinfection has been completed.

By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder.
Logs have names like: UtilityName.Version_Date_Time_log.txt.
E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post back here with that log.

jholland

Read what the poster asked and I supplied him with what qqd.exe is.

Get you facts straight, enough said

Oh, If you wanna warn me of incorrectly posting, do it here, not in a PM

I followed the rules here by giving you a warning, which here at daniweb is given via PM. I am very aware of what the poster said, and I am telling you the original poster made an error in the attempts to remove this infection and the original infection is not removed. We would be doing disservice to this poster by not pointing out this fact, which, if you wish to post in this forum you will do also. If the original infection HAD been removed then this additional infection would not be on the system now because it too would have been removed.

Poster was looking for info, not help.

I'm sure if they get issue's if it not been cleaned right, they will be back askign for help this time.

If the poster was only looking for "info" not help then why didn't you just give information, that this file is a Trojan which can create, delete or modify files on the computer and bring in other infection processes and it likely was brought in by the original Trojan which has not been removed?
You also should have given the information that to remove this infection that all the steps given in our Read Me First Sticky should be followed and logs requested should be posted once those steps were complete? That is the information required here.

Using SAS is not going to remove the original infection which is in the Fake Alert Trojan family. This second one that you note is one that has been brought in by the original infection.
System Restore will NOT remove infections. System Restore works only on a very few files, namely registry entries. The only thing using System Restore had done is remove the "footprints" of the infection, not the infection itself. Using System Restore only will likely make it harder to find and remove.

In order to remove infections you must begin with the steps given in our Read Me First sticky.
Follow all directions carefully and exactly. Post back here with the requested logs.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

What did you do with the combofix log?

Doing a registry edit certainly didn't remove this infection and anti-virus programs are NOT going to remove this, it is a Trojan. They are not usually configured to do so.

What was the name of this "virus" found by Avast?

Try these steps, you will need a Clean computer in order to download this file, put it on either a flash drive or a CD and then take it to the infected computer.

http://download.bleepingcomputer.com/reg/FixNCR.reg

Once that file is downloaded and saved on the flash drive or the cd, insert that into the infected computer and open the folder the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.

After that do the following:
Download rkill to the desktop of the infected computer.
http://www.bleepingcomputer.com/download/anti-virus/rkill
When at the download page, scroll down and click on the click on the link labeled eXplorer.exe download link . When you are prompted where to save it, please save it on your desktop.
Double-click on the eXplorer.exe icon in order to automatically attempt to stop any processes associated with XP Anti-Virus 2011.
When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning …

where do i see the combofix log? should i run it again?
You see, here is the problem running a program like combofix without first being told to do so. You obviously didn't read the instructions for running it when you read whatever thread you found in on.
The combofix log will be found at C:\ComboFix.txt.

Absolutely DO NOT run it again unless I tell you to run it, leave it on the desktop and don't touch it unless I tell you to do so. That also is stated clearly in the instructions given to those we ASK to run combofix.

My problem was described exactly above. I cannot open programs or download programs to fix the problem. It always says: Choose the program you want to open this file. so I cannot run the fixes. HELP

This thread is over one year old and belongs to another person. You must create your own thread, stating all problems and including all requested logs from the tools you must run in advance which can be found in our Read Me First Sticky. Only after that can anyone provide you with assistance.
Follow the steps given here and create your own thread:
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I see no combofix log. You said you ran that. Where do you see info about a rootkit?

We can't offer assistance until we see ALL the logs. You shouldn't have run Combofix without first being PERSONALLY told to do so. It is not for use with all infections, only specific infections. We can't advise about what a log might have said without first seeing that log.
You seem to be using P2P programs, the easiest way to get a serious infection. BitTorrent shows in the HJT log. Uninstall it and all other P2P programs before going further.

Please post ALL logs.

Good enough. Thanks for posting back to let us know.

Yes, it very likely is, at least you must go on that supposition until proven otherwise. I wouldn't take the chance myself. Too much to lose. Personal info, email addresses, etc.
There really are NO simple viruses today. Especially when these redirects are one of the symptoms.

Anytime he is online then he is at risk. Outlook Express has to go online to get the mail. You don't need a browser to go online, you just need a connection. HiJackers don't use the browser, they use the connection itself.

And everytime he goes online with this computer it is very likely that "somebody" else is also using the computer. The longer he waits the more infected it will become.

Do as jholland says, but did you check the setting's I told you to check?

We need feedback to say yes or no sometimes.

What we really need is for all the steps in the Read Me sticky to be completed until those are done even a yes or a no is nothing.

A friend has suggested that the problem is 'google redirect'.
Is there a specific fix for this ?

No, there is not without running the tools noted on the Read Me sticky as previously indicated. This is a strong indication of infection on the computer and the longer you wait to begin cleaning the more infected it will become making it that much harder to clean.

Please also check this

http://www.daniweb.com/hardware-and-software/microsoft-windows/windows-vista-and-windows-7/threads/366094/1570095#post1570095

It will be you have Spyware/Malware but need to check that setting first.

Good catch and good advice. Malware will reset this setting so check that and then proceed with steps in the Read Me Sticky.

Don't delay, the longer you wait, the worse things will be.

Please follow all the instructions on our Read Me Sticky and post back with all the requested logs. We can't help without complete information.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

You are so right about Adobe, drives you nuts!! Another thing to install is WOT. It is Web Of Trust. It goes right on the browser and is available for both Firefox and IE. Not intrusive at all, gives a warning if you are on an unsafe site. Pretty self expanatory but any questions and I will be happy to answer.

http://www.mywot.com/

https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/

Microsoft has absolutely nothing to do with Sunjava or it's updater. It is Oracle's problem not Microsoft. Microsoft automatic updates program only applies to the Microsoft software, things like the operating system, Office, MSE, etc., anything that is from Microsoft. Sunjava isn't from Microsoft it is from Oracle.It's up to the developers of other 3rd party programs that run ON the Microsoft system to make sure their programs run correctly not the other way around.

Other company software updaters generally run fairly well, Adobe, I use Avira anti-virus it updates exactly when I have told the Avira program to udate, there are many, many others. The problem with the Sunjava updater lies right with Oracle.
For heavens sake, don't turn off your MS auto updates it appears to be working fine. Of course you CAN always do a manual check to be sure but your logs looked to me like they were working.

Yes, this is my personal opinion based on what I see when working on computers. I have seen many, many computers where some of these supposed automatic registry cleaners have been purchased and used by persons who have no clue what they are doing who have removed much needed registry entries because this supposed "expertly" created program has flagged something as bad or dead when it is not and a program they use all the time no longer works. I am talking hundreds of dollars spent here. There is no way an automated program can possibly be configured to know each and every available program for each and every computer in the world, yet people continue to rely on them to do so. We see false positives every day by top of the line av programs for this very reason, people take the time, generally to check these out and do find out the listing is false and then tell their av to ignore. The av creators DO rapidly adjust their programs and definitions to correct the problems, but so many of these automatic registry cleaners/boosters/defraggers, etc. don't.
You can see how rich the writers of these bogus progams are, they NEED to make the money and they do. All at the expense of unknowing average "Joes" who trust that they are buying something necessary and all they are getting are expensive headaches.

As I said, if we SEE the infections are related to P2P then no, we reserve the right to not assist. There are very few, if any, legal,"as needed" reasons to use P2P. But infections due to other reasons posters always be assisted with removals.
As for the Java updates, I have learned to NOT rely on that auto updater, frankly I have rarely seen it work correctly, as you have found too. I always check manually for the Java updates now and don't allow the auto updater to even run. Why have it run if it isn't going to work all the time?

One program you DO need to add if you do not all ready have it is this FREE program, SpywareBlaster from Javacool. It truly is a MUST have and I would never run a computer without it installed.
SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.
There is a paid version of the program if you wish but the free one works just fine. Download, install, update and then click Enable All Protection and close the program. It DOES NOT run in the back ground, so therefore there is no risk of conflicts with other …

I some how doubt people would compile software if there was no need for it.

Shade01; If you believe this then you obviously are very naive` The NEED is to line the pockets of the creators, not to fix a computer. Most of these useless and dangerous programs are PAID programs. They are not created to fix computers, they are created for the MONEY the creators receive from people who have no clue what they are doing when they purchase them. Most work exactly the same way, scan the computer for FREE but you must PURCHASE the program to do the alleged cleaning of the hundreds of files that will always be found with it. When the programs are purchased then much of the time the buyer gets a whole lot more than he paid for, tracking software, infections, malware/spyware or something that causes enough damage that another program must then be purchased in order to repair the damage. The excuse these junk program creators use when the computer is damaged? The user was an amateur and obviously used it incorrectly and they are not responsible if the user didn't use it correctly. They all carry this advanced warning, which 99.9% of those purchasing the program ignore..."We, the creators are NOT responsible if you damage your machine by using this program. Use at your own risk"

There are a number of people who do computer repairs professionally, that use reg-cleaners extensively.

The key word in …

IE cannot be removed because it is part of the operating system.

since this doesn't appear to be an infection problem I am moving this thread.

Logs? we can't advise anything until we see logs.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Reg cleaners are good as good computer use still leaves one with a cluttered registry.
I use Advanced System Care on Win 7 64 bit and it keeps my system running well. I used XP registry cleaner on XP and it keeps windows healthy. CCleaner is also quite good.

If registry cleaning *really* able to improve performance, the developers of these utilities would support their marketing claims with some form of factual and independent testing evidence (performance prior to cleaning -vs- performance post cleaning).Do they ever provide this? No, and that's because registry cleaning does *not* improve performance. Many programs put 1000's of entries into the registry without causing any performance hit. Similarly, the fact that registries tend to hold significantly more information than in years gone by (bigger hard disks = more programs installed/data stored = more registry entries) has not resulted in systems slowing to a crawl.

Using an automated registry cleaner is like using a table saw to remove a hang nail. The best way to deal with (possibly) registry-related issues is is to thoroughly research the problem and then use regedit to make any necessary changes and/or deletions (having first set a restore point or created a backup).

I am not upset. I am only trying to make it clear to others who read this thread that we will not help remove malware from computers when persons refuse to Uninstall P2P programs. We know from experience that infections will happen again so we make it very plain that we might not assist those who refuse to remove it. We know without a doubt they will be back. If that person returns with another infection assistance will absolutely not be offered.

Hey I call it as I see it. The infection found by MSE was the result of the out of date Java.
Anything installed on the computer from previously used P2P can result in infections being brought into the computer if it is opened at a much later date.This is how many of these are set up to work.
Believe me or not, as the read me sticky states, "P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt", since you doubt this then I guess this is complete.

One thing I see is uTorrent. This is a P2P program, probably the easiest way to get a severe infection such as the one that you had on this system. Keep doing this and you WILL infect the system again. Notice I say WILL, not maybe, not possibly but WILL. This does not even address the illegality of doing this. I don't know your location but at least in the U.S. downloading programs which are supposed to be paid for but getting them via P2P IS Illegal, and they CAN be traced to your machine if those holding the copyright choose to do so and you CAN be prosecuted and lose your right to go online. Your ISP does have that right to cancel the service if this type of activity is traced back to their company and then on to your machine.

Your Java is way out of date and needs to be updated, this also puts your machine at risk.
You need to Uninstall all old versions of Java listed in Add/Remove and download the latest version from here:
http://www.java.com/en/download/index.jsp

Please follow the instructions given in our Read Me Sticky concerning the posting of logs:
When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested) these requested scanlogs:

• MalwareBytes’ Anti-Malware log
• GMER One.log and GMER Two.log
• BOTH DDS ScanLogs (DDS.txt & Attach.txt)
We want NO logs attached. All must be Copy/Pasted. We will not open attached logs so if you want us to read them then you will Copy/Paste ALL logs.

Well I hate to tell you this but because so much time was taken between steps it is very possible that the computer has been reinfected. If the computer was truly clean both the MSE scan and the MBA-M scan should have come back 100% clean and clearly they did not.
I would like you to Start Over again with the steps given in our Read Me First Sticky.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

you absolutely, positively must stick with this in a timely manner because as of today this thread is 23 days old and over 4 pages long. If you had stayed with this from the beginning the computer would be clean by now.

Before you begin the steps given in the Read Me Sticky you need to remove combofix from your machine using these steps;

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

Also remove the TDSSKiller application and then proceed with the Read Me Sticky steps and please post back with all the requested logs.

Did you remove it?

Hi All!

I'm new to the List but I was wondering what would be the best Dell Lap Top computer to buy? I would apprecate any recommendations.

GreenHornet2002;
This is not the place to post this question. We are working on a computer clean up here. I suggest that you post this in the PC Hardware forum

We actually know nothing here since no logs have been posted, other than the fact that the computer is probably 7 years out of date based on the service pack and You are running a 10 year old copy of Internet Explorer. IE7 was released nearly 5 years ago and IE 8 was released 2 years ago.

Cleaning the registry would certainly NOT be one of the recommended steps, expecially 300 entries. IF there were infected registry entries then Avast and MBA-M would have found those and removed them. Any other items would simply be dead entries and need not be worried about, they take up very little room and certainly shouldn't slow the computer.

Is the Avast program fully up to date? Is CCleaner fully up to date, is MBA-M fully up to date?

None of your scans will be done correctly or fully if those programs are as out of date as the system.

One of the easiest ways to end up with severe infections is to run a computer that is so many years of date. Security patches are released all the time to plug various holes in system security and you are missing probably too of them to even count or list by not having your system up to date. Regular programs also often have security updates added so you probably are missing those also again adding risk to the computer.

Please follow all the steps given in our Read Me …

Download and install this program, CodeStuff Starter
http://www.snapfiles.com/get/starter.html

Once installed then open the program and click the Startups Tab
Go in and Remove the check marks from these listings:
igfxtray
igfxhkcmd
igfxpers
Microsoft Default Manager
ISUSPM
AlcoholAutomount
Google Update

close the program and reboot.