jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you uninstall ALL software for the printer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Using a flash drive and another computer, do the following:
These are instructions given on the MBA-M General Help Forum
http://forums.malwarebytes.org/index.php?showtopic=10138
You need to DISCONNECT the affected computer from the internet.
You will need to download required files to the flash drive. Take it to the infected computer and run them.

MBA-M removal utility; http://www.malwarebytes.org/mbam-clean.exe

Download the randomized renamed mbam.exe version from http://malwarebytes.org/mbam-download-exe-random.php
In some cases, it will be needed to rename the random named mbam.exe to explorer.exe
Since you will have the computer offline, you also won't be able to do the regular update, so go here and download the manual update file:
http://malwarebytes.gt500.org/

After you have all those files on the flash drive then go to the infected computer and transfer those files and follow steps below.
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware that you brought on the flash drive and update it using the manual update files also from the flash drive.

Next run a Full Scan with MBA-M. Have it remove everything found. Reboot the computer and save the log to the flash drive and post …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since you cannot run any of the needed utilities you probably are going to have to do most of these using a flash drive to take them to the infected computer and then running the programs offline. Do you have a flash drive?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You forgot the GMER log. Please don't attach it, please copy/paste it. We don't like to open attachments from infected computers.

jholland1964 650 Posting Expert Team Colleague Featured Poster

All those RPS things listed indicate another security program too. Remove those also.
Once you have done all this then I will give you another tool to put on the flash drive and take to the infected computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

As I try to delete the file " index.dat", it won't let me. There is a warning/popup that keeps saying....
The action can't be completed because the file is open in another program
Close the file and try again.
I don't have anything else open. What should I do ?

Boot to Safe Mode and remove it.

Do a file search on the computer for Authentium AntiVirus SDK - 2 and if you find it remove it. If you don't find it then it is likely a leftover listing. Right Click the entry and delete it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Unplug the printer from the computer. Then Uninstall ALL the software that is on there for the printer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

AFTER you have done all of the above then we will begin again to clean up the computer. You had two anti virus programs on there, a big no-no. This is why I want all of them removed. Once things are clean then I will tell you how to reinstall Avast.
I stress again, LEAVE THE COMPUTER OFFLINE until we are finished and I tell you to plug the cord back in.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

desktop.ini. - This hidden file is placed in every folder to tell the operating system how to display and customize the viewing of that specific folder

Index.dat are files hidden on your computer that contain all of the Web sites that you have ever visited. Every URL, and every Web page is listed there.
Delete them both.
Run CCleaner and make sure it is configured as shown in my attachments. You will use the Windows Tab first, click Analyze and then click the Remove button once it lists everything.
Then do the same using the Applications tab.
Then close CCleaner.
Next I want you to Uninstall the following programs.
Authentium AntiVirus SDK - 2
avast! Free Antivirus
ESET Online Scanner v3
Eusing Free Registry Cleaner
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those are not really cookies. They are infected files that look like cookies. Empty EVERYTHING out of your cookie file.
Keep this computer OFFLINE until you are told to put it back online. You are going to have to do everything using a flash drive.
Do you have CCLEANER on that computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

If the computer is connected any of the ways I stated above then it IS online even if you have no programs that you can actually see, like browsers that use the internet open. If you have it set to check for automatic updates for anything then that program is open in the background.
Disconnect the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster
While typing this, I watched cookies just start showing up, even though I'm not on line.

Look, there is NO way you can get cookies on your machine unless the computer IS online with a browser open.
How are you connected to the internet? If you are connected via broadband, dsl, wireless and have the computer powered up even if you don't have a browser OPEN the computer IS online unless you remove the connection cord if you have broadband/dsl, and with wireless you must manually Disconnect the connection. You CAN get more infections on there without a browser open but you CANNOT get cookies without a browser open to a web page.
You can't be posting here UNLESS you are online. And WHERE are you watching cookies show up? Please tell me how to do this as it makes no sense.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No need for another log. Here are the instructions for UNINSTALLING Combofix, it must be Uninstalled NOT just deleted:

* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Are you still getting these Avast warnings and the additional cookies?

I would like to see an Uninstall list generated by HiJackThis. To get this do the following:
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have some anti-spy programs on there and running, Emsisoft Anti-Malware, Trojan Killer 2.0, SpywareTerminator, Spybot, SpywareBlaster and AdAware.
Spybot has TeaTimer enabled and running, turn it off as it interferes with fixes done and is not needed. Uninstall SpywareTerminator, it is not very good, uninstall Trojan Killer, Emsisoft Anti-Malware is ok I guess.

Also Uninstall MediaBar, it is used with Bearshare, a P2P program and it is considered malware.
Run HiJackThis again and put check marks next to the following entries;
O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll
O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\BEARSH~1\MediaBar\DataMngr\datamngr.dll
O20 - Winlogon Notify: ACNotify - Invalid registry found

After you have placed the check marks then click the Fix Checked button and Exit HJT.
Reboot the computer and run another HJT scan and post the log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to update MBA-M and run a full scan with it. It IS the tool of choice for trojan removal today. Have it remove everything found and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Combofix was run back on 9/8/2009. If I remember correctly, it was this site that I worked with when I ran it.

Don't believe so. I went back through all of your previous threads here. The only one with Combofix in 2009 was this one;
http://www.daniweb.com/forums/post781415.html#post781415

and you had run it before your opening post. Crunchie told you at that time, Combofix should not be on your computer unless someone has advised you to use it. He then told you to uninstall it and gave the specific instructions that must be used to do so. If these instructions had been followed then the Combofix would have been removed along with its quarantine files. It obviously was either not removed, removed incorrectly at that time or it has been used since then because the files found and removed by the ESET scan, with the exception of two, were all Combofix quarantine files.
You also did not post the entire ESET scan log. We need to see the entire log, from top to bottom not just the infected files removed.

jholland1964 650 Posting Expert Team Colleague Featured Poster
Verizon Security pops up

What happened to McAfee? Are you telling me that you have TWO security programs running? That is an absolute No-No
and why in the world are you trying to install a printer when you are in the middle of a clean up?

sorry, I should mention that 'Artemis!117A7F38669A' comes up

I have no idea what you are talking about.

I requested a new scan with MBA-M but instead you are attempting to install a printer. Not sure I can continue with this since you evidently feel installing a printer is more important than completing the clean up. You failed to follow the instructions to disable the McAfee during the Combofix run and now you are installing a printer instead of continuing with the instructions given to get this computer clean.
The only other thing I can suggest since you don't want to continue cleaning is to reformat.
But when you do be sure to only install ONE security suite, not two. Running more than one and having them fight each other makes it that much easier for severe infections to invade a computer. Add to that the use of P2P and you are pretty much guaranteed of major infections which you obviously have on there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Oh I am happy to help. Can I ask you when you ran Combofix and who told you to do so?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Much, much better. Now update MBA-M and do another full scan with it. Of course have it remove everything found and of course post the log.
Progress is absolutely being made now and it won't be long until we're finished.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

this computer did some strange things while this was going on..it even downloaded something from microsoft for a restore point
That is normal, that is what it is supposed to do.


AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

You failed to follow this part of the instructions;

• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Turn off McAfee and then be sure to check the Task Manager for any of these you see, if you see any of them after turning off McAfee then end the process
2.0.181\SSScheduler.exe
McSvcHost\McSvHost.exe
mfevtps.exe
mcshield.exe
mfefire.exe
mcagent.exe

Now that said, it appears that it did its work.
I would like to see a new DDS scan log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

My cookies are set like this.....(MEDIUM)
Blocks 3rd party cookies that do not have a compact privacy policy
Blocks 3rd party cookies that save info that can be used to contact you without your explicit consent
Restricts 1st-party cookies that save info that can be used to contact you without your implicit consent.

Where do you have these settings? I have never seen any that are that explicit.
Is it this link below?
http://25yearsofprogramming.com/blog/2008/20080624.htm
You need to read everything on that page and I don't believe that you have.
First Party cookies:
If (and only if) the website already knows your name, email address, or any other information that personally identifies you, they might choose to store that information in their cookie (they usually don't), but since only they can read the cookie anyway, it doesn't matter. Furthermore, they only have that information if you gave it to them (such as by registering on their site), so you probably wanted them to have it.

I was speaking about IE: note my attachment which is the Advanced Setting spoken of on that link. All 1st party cookies are allowed. All 3rd party cookies are blocked.
Period. Session cookies allowed because those are the ones used for that specific browsing session which allows you to go page to page on various sites without losing your sign in or whatever is needed. Once you leave the website session cookies are deleted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Some odd things about your log, you only have 3 auto starting programs for one thing. When did you turn off all the others and what were they?
I also note the AT&T Internet Security Suite Service listed in Services. When did you uninstall this and how? It contains an av program and a firewall.
This URL blocking, are you certain this is coming from Avast? Avast is an anti-virus program not a firewall which would normally be what would be blocking URLs.

Do you have your cookies set this way:
Accept 1st party cookies, Block 3rd Party cookies, Accept Session cookies.

I would like you to do the ESET Online Scanner.

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Post a HiJackThis system scan log for us.
http://free.antivirus.com/hijackthis/

jholland1964 650 Posting Expert Team Colleague Featured Poster

I need to see the log done when MBA-M found the infections so I know what was found. I don't see an anti-virus program on the computer just several old anti-spy programs which would not be enough protection and really are out of date. You have some P2P programs or remnants of programs on there, they need to go. You have a very old copy of HijackThis on there version 1.99, this should be uninstalled then download and run the newest version, which is version 2.0.4. Run a system scan, save the log and also post it back here.
http://free.antivirus.com/hijackthis/

So post back here with the MBA-M log showing infections found and the new HiJackThis log and I can better tell you what you need to do. Your computer IS very much at risk.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you post the MBA-M logs when it found the infections? I need to see what all was found.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I tell you, the AOL stuff, most of it we can get rid of because it applies to dial-up connections and she still will be able to use AOL without difficulty but we will do that later.
I want you to do this:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Turn off McAfee and then be sure to check the Task Manager for any of these you see, if you see any of them after turning off McAfee then end the process
2.0.181\SSScheduler.exe
McSvcHost\McSvHost.exe
mfevtps.exe
mcshield.exe
mfefire.exe
mcagent.exe
After that continue with the instructions below:
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh DDS log
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine …

jholland1964 650 Posting Expert Team Colleague Featured Poster

We prefer that the logs be copy/pasted not attached. How exactly are you connecting to the internet? You are showing AOL dial up and a broadband connection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since MBA-M found three more items you probably should run the ESET again just to be safe.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No need to re-scan with the ESET online scanner that would all be current if run today, post the log. HiJackThis we need to see a copy/paste of the actual log, not a snapshot of what you see.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, not so good. You didn't update MBA-M prior to this scan. You are still showing the database used with the first scan done 7 days ago. Current database is 5169. This is a key to using MBA-M, you absolutely must update the program prior to each scan, even if scans are done on the same day. The MBA-M people are constantly updating the database, they often have multiple updates in one day. Please update it and run the full scan again. Make this part of your routine when using the program, update first before you scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all you need to follow the instructions given in our Read Me sticky, yes you have posted the DDS log, but you have posted no other logs. MBA-M in particular.
You also have not done as instructed in 1A of the instructions:
1A – Please Uninstall or Disable any P2P (peer-to-peer) programs on the infected computer before posting in this forum. Rather than write a long piece on the dangers of P2P, I’m just going to say this:

P2P software circumvents common-sense security measures and opens a user’s computer to a world of hurt.
Our regular volunteers' time is valuable and most are not willing to waste it on a machine that is almost certain to be reinfected in short order.
So, please remove or disable all P2P software for the duration of the cleaning process. Failure to do so may result in your thread being ignored.

Your log and uninstall list show the following P2P programs on the computer:
BitTorrent
LimeWire 5.4.8
Please uninstall these programs if you want assistance. They are very likely the reason you are infected.
You have grossly out of date Java installed along with the old version of HiJackThis.
The java we will worry about later.
You definitely have at least one serious infection on there, maybe more.
You need to remove the programs I noted. You need to update Malwarebytes' Anti-Malware and run a Full Scan with it. Have …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good enough Gary. Post the logs and I will take a look. Hopefully it's all gone but have to be certain.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know you are never going to get this computer clean. You last posted here six days ago. The scan log for the full scan was not updated prior to running and was done six days ago like the other one.
MBA-M is the first tool of choice for removing these types of infections, but never the only one used. Unless this computer has been fully powered off and not used and not connected to the internet for the past six days there is no reason to believe that additional infected files have not remained on the computer.
If you want to clean the computer then you will stick with this, without six days between posts. Because it has been so long I am going to ask you to update MBA-M and do another Full Scan with it. Have it remove everything found.
Next do the following:
Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back here with both of those logs along with a system scan log from HijackThis version 2.0.4 http://free.antivirus.com/hijackthis/

If you don't return within a reasonable time this thread will be considered …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, Welcome to daniweb,
First we prefer that people begin with the steps found on our Read Me First sticky
http://www.daniweb.com/forums/thread134865.html
You HAVE completed one of these steps and that is running MBA-M however you only posted a portion of the MBA-M log. We need to see the Entire log from top to bottom, not just the infection notations. Please post back with that entire log.
We also would like you to do this portion of the Read Me sticky which is the running of
the Microsoft® Windows® Malicious Software Removal Tool
*Due to the increasing prevalence of Rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Updates.
Skip the ATF cleaner and instead use the built in Disk Cleaner on the computer. To access this go to Start, All Programs, Accessories, System Tools, Disk cleaner. Have it clean out ALL temp files there.
Since DDS is not compatible with Windows 7 you can use HiJackThis but the version of HijackThis you used is an old one. Please uninstall that one and download the newest version, which is version 2.0.4
http://free.antivirus.com/hijackthis/

Post back with the full MBA-M file and the new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is interesting to note that as I return to this forum that I get a new browser window opening in the background. Do you have a removal tool for that?

All the correct tools are found, as you have been told previously on this link;
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

And you have been told several times that I am looking for manual remove instructions. I have used Google and have also tried search on 2 real search engines, but all I can find is recommendations to install exe files that more than likely will NOT remove the problem.

If you have no personal experience with this problem, why are you posting at all?

And YOU have been told 4 times the rules here. We use TOOLS here to remove infections, we do NOT do manual removals. You can say it until your computer crashes and we will tell you the same thing;
In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please adhere to our rules and complete the following steps before posting a request for help:
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

rather than install unknown executables. You are kidding aren't you? These are all well known, well respected, top of the line tools we use here. You will find the very same tools requested on virtually every reliable, respected malware removal forum on the web.
I have no idea on how to give manual instructions on the removal of this malware there would be multiple registry edits and renaming of files required doing it manually. The use of automated tools would guarantee the removal of these, manual removal isn't going to be 100% effective.
Since you don't want to use "unknown executables" then I am afraid you need to ask elsewhere for the list of manual registry edits. I don't have them all.

jholland1964 650 Posting Expert Team Colleague Featured Poster

:$ Didn't notice the "hijacked thread" until after I posted here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Follow steps given here and post back with all logs. Please copy/paste all logs we do not open attachments.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Why not post your question in the Spyware Doctor forum?
http://www.pctools.com/forum/forumdisplay.php?f=54

jholland1964 650 Posting Expert Team Colleague Featured Poster

You absolutely must run MBA-M, just removing that one file would not remove the infection. It's very likely it is still there someplace. Right now it just can't run, but you must run an updated Full Scan with MBA-M and be sure to have it remove everything found and Reboot the system. That is vitally important.
Post back here with the log and we can give you other recommended steps if needed.
MSE would not have stopped this. This is a trojan, most av programs will not stop a trojan. One program that helps prevent them from getting onto the system is SpywareBlaster. Once the computer is assured to be clean then you need to install this, it is FREE and I would never run a computer without it. Doesn't run in the background and conflicts with nothing. Excellent program

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have to be honest here. You have done multiple things, out of order, or without being told, like running combofix. You have installed av programs, run scans, removed av programs and then posted logs done before the av programs were removed. You were supposed to post the sophos log but didn't.
I don't know that there is anything I can do to assist you. I am certain there is a rootkit on there but I cannot be certain since the programs have really been run in a strange order. You say "it" tells you to uninstall MBA-M, what tells you to uninstall MBA-M?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you uninstall the old version of Panda?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you now able to use your Panda program?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Clean out your temp files, fill out as much personal info as you feel necessary at this link and follow the directions here. You obviously have something very different on there.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
* Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
* If the scan did not start automatically, make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos …

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you see none in the Programs list then it is likely there are none installed. Go on with other instructions.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Uninstall this program, Advanced SystemCare 3 as it is absolute junk. Also remove the Wise Registry Cleaner 5.8.5. There is rarely any reason to "clean" the registry. If there are infected registry entries then programs like MBA-M will remove them.
Your MBA-M program is way out of date and was not updated prior to running. Please update it and run another Full Scan. Have it remove everything found, reboot and post back here with the log.
Panda or most other av programs do not remove Trojans, which is what you have. They also generally do not protect against Trojans. The reason being is that they are configured totally differently from viruses.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Copy paste all logs if possible please.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really should never run Combofix without first being told to do so.
Since you have already done so then you should be able to follow the steps given in our Read Me First sticky. Please do so and post back with all the requested logs.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

And why did you run HJT? We need to know. I see an excessive amount of processes running during the scan. A lot of unneeded auto starts, an excessive number of auto starting services, and an extraordinary number of Trusted Sites, some of which are considered very dangerous. Are these work related? Remainders of an AVG anti virus program that appears to have been incorrectly removed. Otherwise since you don't state what problems you were experiencing that caused you to run HJT I cannot give any advice.
We ask that you follow the steps given in our Read Me First sticky and report back with copy/pastes of requested logs and full information on the problems you may be experiencing.
http://www.daniweb.com/forums/thread134865.html