jholland1964 650 Posting Expert Team Colleague Featured Poster

1) Fake anti-virus software alert (opens up fake Windows security alert bubble from icon taskbar in bottom right and internet pages to porn, viagra etc). Each time I try to open programs I get infection errors, do I want to continue etc. I assume these are ok to click OK and proceed.

NO, not ok. Each time you click ok you are telling the infection to "come on in".

You have run a version of Malwarebytes' Anti-Malware that is probably 2 years old so it is most definitely NOT going to find any infections that are prevalent today. Current version of Malwarebytes' is version 1.46 and database version is 4194 as I make this post.

You need to follow the instructions given on our Read Me sticky
http://www.daniweb.com/forums/thread134865.html
...to the letter, which includes the running of a current, up to date version of Malwarebytes' among other things. Once you have completed all the scans requested please post back here with those logs and we can go forward.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since this thread is two years old I would imagine it is very likely the problem has been solved.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The cable modem has no storage or processor. There's no way any virus can infect a modem. Viruses only reside on computers. The modem is controlled by your internet provider so I believe if there is infection it would be coming from your internet provider.
More likely there is an infection ON his computer which is "calling home" to bring in more infection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is NO AVG installed on your machine but it does show McAfee installed and running. If you want to install another anti-virus program you have to UNINSTALL McAfee first.
I would advise that AVG not be the one you choose. It isn't very highly ranked.
I would choose instead Avira Free. But you cannot have TWO anti-virus programs on the computer at once and if you have all this time and your computer IS infected, this would be why. Uninstall that McAfee.
You DO need to complete ALL the steps in the Read Me sticky and post the logs, not just the DDS scanner.
You also need to do this in a more rapid manner. If the computer IS infected then working every two or three days to clean it up won't work.

Also please note this from our Read Me Sticky:
Please endeavor to reply to your thread promptly and to follow all cleaning steps in a timely manner. The reason for this request is twofold:

• Our volunteers can only address a limited number of threads at a time. If you wait too long to reply, they may move on to helping others and no longer have the free time to devote to your issues.
• Malware tends to reconstitute itself if not addressed quickly and completely.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks so much. Even AFTER the removal of the Charter Firewall you couldn't get the combofix to run? This concerns me. Sounds like there is infection on there stopping it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now, delete that first copy of Combofix, download a new one and see if you can run it this time. If it still won't run then try it in Safe Mode, but if it can be run in normal mode that certainly is the preferred way to do it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One OTHER thought, have you looked in Services for this firewall? Start, Control Panel, Administrative Tools, Services.
Scroll through the list there and look for any listings related to this Firewall. If you see any, double click to open the properties, Stop any files "allegedly" running and then change start up type to Disabled. Do this with all you may find. Then Reboot the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Malwarebytes' Anti-Malware also has a tool within its program called File Assassin which can be used to delete any type of locked files that are on your computer. It is under the Tools Tab on the MBA-M program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

When you tried to remove the files in Safe Mode did you actually try to delete all those actual files you found...not do an uninstall of the program but remove each individual file?
These are the ones I am talking about:
Program Files named Charter Security Suite. There are several folders, most of them empty. There are six files not in folders: fsdeph.dll; fsisu.dll; fsisuNT.dll; fsld32.dll; fsuinst.ENG; and install

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you tried turning it off via the Security Center?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I think I just forgot to update first. It updated just fine now. I'll run it again & post here when done. Thanks!

I "hoped" that was the case and after all we did here last night it isn't a surprise if you did forget to update it. If the log is clean then that is really all we need to know, you won't have to post it.
If the log is clean and the computer is running well then I would say "you are good to go" and you can mark this solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I did a system restore to get back the files I deleted earlier. The program once again deleted them, this time in Safe Mode. While all efforts to locate any Charter files of any kind comes up blank, it is still riding high and ever vigilant in Security Center. Thanks for the "one more try".

If you have used System Restore like this then this is the reason you cannot remove it all. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it. System Restore will NOT uninstall a program. In fact if you have installed a program and find you don't want it and you use System Restore to try to remove it then it may leave you with much of the program on the system taking up space but it just won't be listed in Add/Remove, making it much harder to uninstall. System Restore does not keep old copies of your files or settings. If you're looking for an "old version" of a file or program that you used to have on your machine, System Restore isn't going to have it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you try it in Safe Mode? This I think, is the only thing we haven't tried here. The firewall shouldn't operate in Safe Mode so the files wouldn't be in use.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I wish I could have been more help. If you feel comfortable with a reformat then this may very well be your best option. That way you will know the "illusive" firewall will be gone and it no longer will be able to interfere with the normal usage of the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I guess you're right. I'll have to do that when I get around to it.

Anyone care to hazard a guess as to how this infection managed to get in undetected? I'm always careful about my downloads and use ForceField at all times. I think it may have been a temp file in a cache that was automatically dragged into a restore file before I deleted it in the system proper, as I stated above. Does that make sense? Can viruses run out of restore files? I don't remember if it was a scheduled scan or the virus trying something that caused it to get picked up.

Thanks.

Peace out and God bless.

No, viruses generally don't run out of restore files UNLESS those particular files are restored.
You don't seem very concerned here... >>>I'll have to do that when I get around to it.
Setting a new Restore point takes maybe 30 seconds max..."when you get around to it."

Next time when you have a problem how would you feel if we say I will help you when I get around to it?
As stated in our Read Me Sticky:
• Our volunteers can only address a limited number of threads at a time. If you wait too long to reply, they may move on to helping others and no longer have the free time to devote to your issues.

I am marking this one solved.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you tried contacting the Charter People? I know you no longer have the program but you DID; maybe they can tell you how to get rid of it by calling their help line.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We would prefer that the logs be copy/pasted rather than attached. To do a copy/paste in notepad, where you read the log, go up to Edit, and click Select All. All of the text will then be highlighted. Go back up to Edit and this time click Copy. Then open a new reply here, put your cursor into the reply area and right click with your mouse and choose Paste. The text will be automatically copied into your reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good EXCEPT...you didn't update MBA-M before the scan. You show database 4052 and current database is 4170 so you really should update it again and at least run a Quick Scan. Now if you DID update it is possible the program was corrupted by the infection. If that is the case you will need to remove the program and download a new copy. But before you do that let me know if you did just forget to update. If not, I will give you a specific removal step to take with it before you download a new copy.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Will check tomorrow morning for the results. I'm eastern time zone so you KNOW it's late here!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to follow all the steps given in our Read Me sticky and then post back here with all the requested logs and somebody will be happy to help you.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Fantastic! Ok here are your next steps:
You can get rid of GMER, DDS, HostExpert, you won't need them anymore.
You should remove HiJackThis, you don't need it any more.
You also should uninstall combofix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Keep the ATF-Cleaner and use it at least weekly. After using ATF-Cleaner then use MBA-M, run a weekly scan at least, Quick Scan should be sufficient. ALWAYS update it BEFORE each scan. If Quick Scan finds something, have it remove whatever is found, reboot, update again and do a Full Scan with it. Have it Remove Everything found and always reboot after the scan is complete.
Keep SpyBot if you wish but DON'T use the TeaTimer portion and only use SpyBot for scanning, update first of course.

The last program you need is SpywareBlaster. It also is FREE. A superb protection program, I wouldn't run my computer without it.

From Javacool Software :

"SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other …

jholland1964 650 Posting Expert Team Colleague Featured Poster

>>>> Kinda made me wonder what I had already paid for!
No kidding!
Once you get that installed then you have a few more steps and I have at least one other program I want you to install to help with protection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here are the printscreens for correct configuration of Avira.
Go through each as you go through the program, they are pretty self explanatory
The last one you will see is a "nag screen" you will get when the program updates each day. It is just wanting you to purchase the program. Just "X" out of it. Some people get annoyed when they see this, but my feeling is it is a way to know the program updated plus if you can use this free program and have this pop up once a day...what the heck. When you hit the "X" in the corner it's gone until the next update.
Install the program, set it up and then I will have a couple more things you will need to do.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I'm no genius, that is for sure. Just stuff like this drives me nuts and I keep researching until we hit the right answer.
Now for a virus program I really recommend that you NOT reinstall McAfee. It obviously didn't work for you. I would recommend that you install Avira Free. I have used it for years, provides great protection, it is not intrusive but does its job. Here is the link. It is easily configured. You can set it to update daily automatically, and also scan weekly automatically. I will post attachments for you to follow to do this.
http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914

Download and install it and then I will post the attachments for configuring it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I uninstalled McAfee Security so that shouldn't be a problem. Microsoft Security has a red circle with a white "x" on it, but did have "on" checked. I just clicked "off" for it. Refreshed Firefox, and voila! Internet is working! Fabulous! You are a genius! Now what do I need to do to keep from getting any more nasty virus/malware issues?

So the problem was the Windows Firewall? Is it turned off now? Or when you say Refreshed do you mean you turned it back on?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have a firewall installed? Turn it off.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I will reset the router. If I take the router out of the mix, I will not have internet on this laptop. I will be offline briefly while resetting router.

Oh, that is right, sorry.
Try this:
Go into the Properties for the Local Area Connection and uncheck TCP/IP, click Okay. Reboot and then go back and check TCP/IP again. Reboot.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you reset the router?
Is it not possible to take the router out of the mix?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try to connect directly using the internet cable without the router.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you directly connected or do you use a router?

jholland1964 650 Posting Expert Team Colleague Featured Poster

1. Click on the Start button.
2. Click on the Settings menu option.
3. Click on the Control Panel option.
4. When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
5. You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
6. Click on the Repair menu option.

Alternatively, if your network icon also appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, that's good. Those were questionable files and we needed to check to be certain there were no infections in them. Let me do some checking on this inability to go online however and will get back with you shortly.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, see if this will work for removal:
Revo Uninstaller
http://www.revouninstaller.com/revo_uninstaller_free_download.html

You can download this and try to remove those files which will not remove. This is a free 30 day trial of this program. Hopefully it will work.
Select the application in the list of installed applications and press the "Uninstall" button in the toolbar, or right-click the application and click the "Uninstall" command in the displayed menu. Revo Uninstaller will show an uninstall wizard, which will give you 4 options to choose from:

* Built-in uninstall mode - run only the application's uninstaller without any additional scanning
* Safe uninstall mode - includes the Built-in mode and performs additional scans in the Registry and on the hard drive to find leftover items that are safe to delete. This is the fastest mode.
* Moderate uninstall mode - includes the Safe mode and performs an extended scan to find all of the application's leftover information in the most common places of the Registry and on the hard drive
* Advanced uninstall mode - includes the Moderate mode and performs a deep and thorough scan to find all of the application's leftover information in the Registry and on the hard drive. This is the slowest mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You say the install file is there? See if that works.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, then you need to do the following using the flash drive on the affected computer:
On the infected computer go to the following locations, look for the following files noted in red and upload them to the flash drive:
c:\windows\system32\drivers\oycmitiy.sys
c:\windows\system32\drivers\yeddef.sys
c:\documents and settings\Kendra\Local Settings\Application Data\ijomrexeq
Then take the flash drive to the working computer. Go to http://virusscan.jotti.org/en
Upload each one of those files there for scanning by the 20 scanners there. Report back here with the findings.

jholland1964 650 Posting Expert Team Colleague Featured Poster

In Firefox,
Where you would type in a url, type about:config. Next click the button "I promise to be careful". Next right click anywhere in the preference name field and choose new>boolean. Next, type in network.dns.disablePrefetch and click ok. Then finally choose true
See if you can go online then.

jholland1964 650 Posting Expert Team Colleague Featured Poster

In Firefox go to Tools, Options, Advanced, Network. Be sure there is a tick in No Proxy.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you done a file search for Charter Security?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Check both browsers by going to File and make sure that Work Offline is not checked. Also go to Control Panel, Internet Options, Connections, LAN Settings, make sure there are NO check marks in any of the three boxes you find there. Then try to go online again, normal mode, both browsers.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you try to go online now with the affected computer...normal mode please.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok hopefully this will work. Go with another brand new download of combofix when you try again. Don't use one from the other computer or from the flash drive. Delete both and download it again.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you absolutely certain that your anti-virus program and any other security programs you have on there are turned off?
I have seen some instances where McAfee absolutely will not allow combofix to run and this blue screen is the result. Can you uninstall it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Note to others reading this thread, these instructions are for THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.
Please download ComboFix by sUBs from HERE
· You must download it to and run it from your Desktop

· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Run Combofix ONCE only!!

· When finished, it will produce a log. Please save that log to post in your next reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't bother with the Recovery Console just go ahead and run the program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Delete combofix and download it again and try it again.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I will be happy to read all the logs when they are posted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

That isn't the whole log. You have posted only the top portion.
Your computer is GROSSLY out of date. That Security Check log shows that. It shows no anti virus program, no firewall, AVG Rootkit Free which is NO LONGER available as a stand alone product so it is way out of date, out of date Firefox, way out of date Java way out of date.
Even though it "shows" that Security Suite 6.15 is on, it doesn't show anywhere in the logs you have posted, and it WOULD show.
Your computer is so out of date it is likely there is infection/malware on there, the original HJT log you posted showed that for certain.
You need to follow the steps in our Read Me Sticky
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

That is probably a three year old version of HiJackThis. Where did you get it? That isn't the one from the link I gave you above.
It won't give a good reading at all. You need to delete or uninstall that one and download the newest version and run another System Scan
Get HiJackThis Version 2.0.4 from http://free.antivirus.com/hijackthis/

But even looking at this log it shows NO firewall and NO anti-virus program running on the computer.
Download the newest version and run another scan.

You really need to run the programs in our Read Me sticky. You have quite a few nasty items on there, even looking at this very old HJT version, that is obvious. The computer is out of date for sure, java is way out of date.

Download this program, run it and post back with the small log it will provide.

But FIRST:
Download Security Check by screen317 from here: http://screen317.spywareinfoforum.org/SecurityCheck.exe or here: http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How about doing a System Scan with HiJackThis and posting the log here. We very likely then can give you the names and locations of the files you need to stop from running.
Get HiJackThis Version 2.0.4 from http://free.antivirus.com/hijackthis/
Open the program and Run a System Scan and save the log.
Copy/Paste the log back here and we can take a look.

jholland1964 650 Posting Expert Team Colleague Featured Poster

From what I could find this thing can be a real @#%@! to remove.
Have you looked for its program file? Maybe there is an uninstaller in there.
Have you tried in Safe Mode?