jholland1964 650 Posting Expert Team Colleague Featured Poster

many viruses and malicious present on my computer

Begin your own thread. This one is two years old and you won't receive help within somebody else's thread. We need full information, operating system, anti-virus program, firewall and how do you know you are infected.
Follow the steps given here and then begin your own thread with all requested information and required logs and you will receive help, until you do that you cannot be offered assistance.
http://www.daniweb.com/forums/thread134865.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

The HiJackThis version you used is at least two years out of date. Uninstall it immediately.
Please follow these instructions as given on bleepingcomputer. This is the accepted way to remove this infection followed on many, many forums:

They have worked very well and hopefully they will work for you. These work best when done using a USB flash drive to carry these programs to the infected computer. If you don't have one I recommend that you get one, they are not expensive.
From another computer, please download Malwarebytes' Anti-Malware, or MBAM, and the reg files to a USB flash drive.

Malwarebytes' Anti-Malware Download Link

FixExe.reg

Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them

On the infected computer make sure XP Internet Security 2010, Antivirus Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.

Now open the drive that corresponds to the removable media that contain the removal programs. Once open, double-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.

Now …

jholland1964 650 Posting Expert Team Colleague Featured Poster

bullet89, this thread is 9 months old. You need to begin your own thread, with your log and clearly state all the problems you personally are having, not just

ive got the same problem with firefox,

that tells us nothing. Create your own thread and somebody will be happy to provide assistance.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have to see that Malwarebytes' log in order to know exactly what was removed. I also need to see a HiJackThis log to start with also. If you have access to a flash drive you can move these from the infected computer to the one you are using and post them here that way.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You obviously have another computer since you are posting here. Please get that log from the infected computer and post it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Saying same problem as somebody else doesn't tell us anything. We need full information about your own computer and problems. Operating system, what programs did you run to fix your problems and we need to see all the logs produced by these programs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I copied this into notepad and saved it as a .reg. When I double click on it I get an error that says "....the file is not registry script. You can only import binary registry files within the registry editor"

What am I doing wrong here?

I honestly think I gave you the wrong answer. Sorry. Try this:
Go to Tools and select Manage Add-ons.

Then select Search providers.

You'll see Microsoft Live Search and whichever options you chose during install. If that was Live Search, that's all you'll see.

Now click Find more search providers.

You'll get a list of various options. Press "Add to Internet Explorer" to add the providers you want. Each time you'll get the option to make it a default search provider, and include terms in the suggested search terms. If you don't see your favorite, scroll to the bottom and click "Create your own search provider."

Now open a new tab, and enter the URL of the search engine you want to include. Search for the word TEST in all capital letters. Copy the URL of the search results page by highlighting it and pressing the "Windows" and "C" keys at the same time.

Now click back to the tab that says "Create your own search provider." Use the "Windows" and "V" keys to paste the URL you copied earlier into the box marked URL. Then give the search engine a name. And press Install Search Provider. …

jholland1964 650 Posting Expert Team Colleague Featured Poster

try to download and run this:
http://www.indowebster.com/FixExezip__1.html

this is not needed poster has removed infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yahoo is NOT my default search engine, google is. How do I fix that?
Thanks Judy.

Open notepad and copy the below code in it :

Code:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"

Now save this file as a registry file where you can easily find it, desktop is good. Give it any name and keep its extension as .reg. When saved, quit notepad and double click on this file, click on yes to add the registry entry. Reboot your machine
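A text .reg file has to begin with a header line, which the snippet as posted does not include. The following is an added example, not part of the original thread: a small Python checker that reports a missing header and lists every key and value a .reg file would write, so the file can be reviewed before it is double-clicked. The function name `inspect_reg` and the constant `POSTED_SNIPPET` are illustrative, and the check uses the first non-blank line as a simplification.

```python
import re

# First line regedit expects in a text .reg file (REGEDIT4 is the older form).
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

KEY_RE = re.compile(r'^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# The snippet as it appears in the post above (no header line).
POSTED_SNIPPET = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"
"""


def inspect_reg(text):
    """Return (problems, changes) for the text of a .reg file.

    problems: human-readable strings describing format errors
    changes:  (key, value_name, raw_data) tuples the file would apply
    """
    problems, changes = [], []
    lines = text.lstrip("\ufeff").splitlines()  # drop a UTF-8 BOM if present

    # Find the first non-blank line and check that it is a valid header.
    idx = 0
    while idx < len(lines) and not lines[idx].strip():
        idx += 1
    if idx == len(lines):
        return ["file is empty"], []
    if lines[idx].strip() in VALID_HEADERS:
        idx += 1
    else:
        problems.append(
            "missing header line, expected one of: " + " / ".join(VALID_HEADERS)
        )

    key = None
    continued = False  # True while inside a backslash-continued value
    for n, raw in enumerate(lines[idx:], start=idx + 1):
        line = raw.strip()
        if continued:
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # "[-HKEY_...]" removes the whole key
                changes.append((key, None, "<delete key>"))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # "@" is the .reg notation for a key's default value.
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            changes.append((key, name, m.group(2)))
            continued = line.endswith("\\")
        else:
            problems.append(f"line {n}: not a key or value: {line!r}")
    return problems, changes


if __name__ == "__main__":
    problems, changes = inspect_reg(POSTED_SNIPPET)
    for p in problems:
        print("PROBLEM:", p)
    for key, name, data in changes:
        print(f"{key}\n    {name!r} = {data}")
```

Entries under HKEY_LOCAL_MACHINE apply to every user of the machine, so those lines deserve the closest look in the output.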

jholland1964 650 Posting Expert Team Colleague Featured Poster

I only asked if your default search engine is Yahoo. That is showing in the HJT log. No biggy, just was going to have you fix it if it wasn't.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes I assume to the network name, you didn't answer the Yahoo search question.
You asked how this computer got this...I don't know, probably a drive by but cannot say for certain. What it was exactly was Trojan.Zbot here is some info on it:
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

One thing I would recommend is that you install, since you have been having continuing problems over the past few months SpywareBlaster on all your computers. It will at least keep out some of the nasties and also has a good restricted sites portion that keeps the user from even going to sites on the list. It's a great program, FREE, doesn't run in the background and does offer superb protection against spyware, adware, browser hijackers, and dialers. Simply download, install, update and then Enable All Protection and then close the program. Do this on all of your network computers. Manually check for updates weekly and when they have updates download, install and enable.
Also I would recommend that you update and run the AV program on all machines in the network and the same goes for MBA-M. Just to be sure all are clean.
Otherwise, looks good to me. If you feel all is fixed you can mark this one solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Is your local network of computers on a network named kafka?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, there is no log generated. What it does is remove those bad host entries and puts it back to the MS default host. No log generated there. Just wanted to be sure you ran it.
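Because the hosts-file restore described above produces no log, the result can be confirmed by reading the file directly. The following is an added example, not part of the original thread: a Python check that lists every hosts entry other than the default localhost mapping. The sample file content, the `.example` host names and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample: a default localhost entry plus tampered lines.
# On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    search.example www.search.example   # constructed redirect
127.0.0.1       update.av-vendor.example             # constructed block
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line_no, ip, hostname, kind) for every non-default entry.

    kind is "redirect" when a name is pointed at a routable address,
    "blocked" when a name other than localhost is pointed at a loopback
    or unspecified address, and "unparseable" when the first field is
    not an IP address.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(names), "unparseable"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if addr.is_loopback and name.lower() == "localhost":
                continue  # the default mapping
            findings.append((n, ip, name, "blocked" if local else "redirect"))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

An empty result means only the default localhost mapping (or nothing at all) is active in the file.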

jholland1964 650 Posting Expert Team Colleague Featured Poster

What about HostsXpert? You do show two bad sites in the hosts file in the DDS log. Known hijacker.
Are you using Yahoo search as your search engine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download HostsXpert and run it. When it opens, click on the Restore MS Hosts button and then exit HostsXpert.
You have some out of date programs on there, Java is one. Current version is 6 update 18. You need to download a new copy from HERE, choose offline install and save it to the desktop.
Then close all browsers go to Add/Remove and uninstall the two old versions showing there. Once they are uninstalled then double click that install file on the desktop to install the new version, watch the install, very often it will give you extra toolbars, like yahoo. There is a check box on there with the check mark already in it for anything extra, remove those check marks. Proceed with the install and when it is complete go back to the download page and click Verify Now to go to the verification page to be certain the install was successful.

Download and run a Full System Scan with HiJackThis. Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The MBAM was run with a fresh update so that log was with current updates. I will run another in the morning and post log again. I will also post and attach the other logs once run. Thanks for your help Judy!!

PP, this is one of the terminals that had some trouble in the past. Has been fine since.

I really appreciate all the help everyone offers on their own time here. You guys are a savior for sure!

Scott

No Scott it wasn't updated. It shows:

Database version: 3510

That is the install database. The current database from today is 3838. Remember, I told you not to reboot if MBA-M asked you to, so you didn't. That was the correct thing, not reboot but just run the scan. But you need now to update MBA-M and run another Full System scan just like before, have it remove what it finds and then reboot and do the DDS scan. Post back with both logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey PP! You're right I should have shot this past you. I guess I got too excited.
So is it safe to assume that I am good to go or should I produce more logs?
Any clue how this might have been downloaded?
Thanks
Scott

Lordy no Scott, no way are you done. The MBA-M program is way out of date. You need to update it and run another full scan with it. Have it remove all found and reboot. Post back with that new log.

Then you also need to do the DDS by sUBs scan by following the instructions below.
Be sure to follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

• Copy&Paste the DDS.txt into your post.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good! Can you now get online with the affected machine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Fantastic. Will wait for the log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

New rule DON'T click anything! There are some of these nasty items now that only need the click to install, even if it is clicking to close. So no clicking.
Download the rkill to a flash drive. Take them to the infected computer and put them on there that way. This requires no internet access so that shouldn't figure into this. Plus, it may be if you can stop the processes using rkill then internet access would be restored. If it isn't just try to run MBA-M without the update. If this doesn't work, let me know.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, since you are pretty much "frozen" out of everything it cannot hurt to try this:
It is a tiny little program called rkill which maybe can stop whatever process is stopping You from doing anything. It sure can't hurt things any worse than they are right now.

You very likely will have to do this by downloading these files, putting them on a flash drive and then taking them to the infected computer and putting them on the computer from there.

Here are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan:
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.pif
BE AWARE that some AV apps will give you an alert when you try to download RKILL.PIF. It may warn you that the PIF file was an executable (normally PIF files are not). Just ignore the warning.

I would recommend downloading them all and try each one until one of them loads.
Double-click on the rkill.com in order to automatically attempt to stop any processes associated with whatever this may be. Please be patient while the program looks for various programs and closes them. When it has finished, the black window will automatically close. Do not reboot your computer at this point, or the programs will start again.
Then try to open MBA-M, update it and then run a Full …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you know if he clicked on it, or did it ask him to click to clean or whatever? Just trying to narrow down what this might be.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly without knowing what that pop up was we don't know. Does sound like a drive by of some kind but would help to know what the pop up said. Did it look like an anti-virus pop up?

jholland1964 650 Posting Expert Team Colleague Featured Poster

The user? This is not your computer? It would help to know what the pop up said and what the user was doing at the time.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need a lot more information. What operating system are you using? When did this begin? Have you downloaded any new programs lately? Updated any hardware or added new hardware? Does this also happen in Safe Mode? If you don't know, try it and see.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, heading down the stretch here.....
There are still some Uninstalls I would recommend, your choice really but here goes:
Ad-Aware (why you have two copies I don't know but the program itself just isn't what it used to be). I would uninstall everything here with Ad-Aware on it.
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR - Unless your Dad is a web developer of some kind this isn't needed either, also don't know why two copies show but uninstall both
Adobe AIR
Bing Bar-does he use Bing? If not uninstall
Driver Detective - doesn't get very good reviews, uninstall
iDump (Freeware) Build:29 does your Dad use this? I had to search to find out what this was and frankly sounds like a stupid program,

The days of lame excuses are finally over. Download iDump and start faking excuses today!

...but if he likes it...leave it I guess.
Norton Security Scan - maybe a leftover listing or possibly from their online scanner, I don't know but uninstall.
Spooky Halloween - have no idea what this is...game, video? Uninstall.
iTunes is there, if he or somebody there has an iPod leave it, if he doesn't then iTunes can go also. But that's up to you.

Also the Java is out of date on this machine so a new copy should be downloaded from HERE choose the Offline Install and save it to the desktop. Then Uninstall that one old version showing in Add/Remove. Once it's uninstalled …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, give me a new HJT log and also do a new Uninstall list generated by HJT. Then I can give you what hopefully will be the final steps and get your Dad surfing safe and happy.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

My dad had mcafee, uninstalled it, cuz it sucks...norton has been on there, but i didn't think it was active...now he has avira...installed it yesterday i believe...it's just that the mcafee was uninstalled in the midst of the beginning of the malware problem...does that make sense?

Yes makes perfect sense. Just needed to clarify. Now...P2P? Gaming?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok looks clean, now can you answer my questions? I really need all this info before we can go farther and we really are not finished yet.

I am also confused here, earlier logs showed McAfee, Uninstall list shows NO McAfee but shows some form of Norton. Combofix doesn't show McAfee at all but does show Norton and the latest HJT log shows no anti-virus program whatsoever....??????
You say this is your Dad's computer? Is he really into P2P file sharing and gaming?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I see more has been found, that Koobface by the way came from the video in Facebook.
You say this is your Dad's computer? Is he really into P2P file sharing and gaming?
Another P2P program which should be removed is Vuze.
I also would recommend that any programs downloaded and installed using P2P be removed. P2P sharing is very dangerous and can lead to serious infections. I can say for sure the ONE infection Koobface came from the Facebook video, but cannot say what others may have been involved here. I would recommend uninstalling any programs NOT legally obtained, this includes music, videos, games which normally would be paid for but instead were gotten via P2P.

I am also confused here, earlier logs showed McAfee, Uninstall list shows NO McAfee but shows some form of Norton. Combofix doesn't show McAfee at all but does show Norton and the latest HJT log shows no anti-virus program whatsoever....??????
You need to run the online ESET Scanner.
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not done yet. I really need to go through the log, which, as you can imagine can take a bit. You say you could update and run the MBA-M program. Can I see that new log?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok now do the following and if you have to carry the program file from the clean computer to the infected one that's fine, but first try to do the downloading on the infected one.

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Run Combofix ONCE only!!
Again keeping my fingers crossed, though that didn't seem to help last time. But we must have confidence!

jholland1964 650 Posting Expert Team Colleague Featured Poster

These programs MUST be uninstalled:
LimeWire 5.4.8, Playsushi, Zynga Toolbar

jholland1964 650 Posting Expert Team Colleague Featured Poster

That can't be the entire list, it stops with the "G"s

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, we are likely going to have to run another very powerful tool but first of all I would like to see an Uninstall list generated by using HiJackThis.
To do this do the following;
Open the program, click on Misc Tools.
Click on the Open Uninstall Manager button. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply.

Very likely after seeing this list there are programs I am going to insist that you uninstall. Then the next step will be using the very powerful tool to try to remove whatever this is.
But let me see the Uninstall list first.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, try to load it from another computer. These are just executable files, the links are good, I just tried them, and when you click them you should get the option to save the files. Save them on the clean computer then just move them to a flash drive or cd and take them to the infected computer. I would advise that you do the same with the MBA-M files also.
Then follow the instructions. Remember, normal mode. If you still can't get them then let me know.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Obviously this nasty thing is running in the background and stopping the MBA-M program. Uninstall MBA-M again the same way as before and also using that mba-m removal file posted earlier at the end.

Then download this program which hopefully will stop the nasty thing from running long enough to get a new MBA-M on there and installed.
You need to do all of the instructions below in NORMAL MODE.
Download the following files to the infected computer's desktop
These are all actually the same program, rkill but with different names, hopefully one will work.
rkill.com
iExplore.exe
eXplorer.exe
These instructions below are from bleepingcomputer

Now try these one at a time beginning at the top. "Double click to run rkill. You should see a small black screen appear while the program runs. Please be patient while the program looks for various malware programs and ends them. When it has finished successfully, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the infection when it terminates programs that may potentially remove it. If you run into these infection warnings that close rkill, a trick is to leave the warning on the screen and then run rkill again using the next file. By not closing the warning, this typically will …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
Restart your computer (very important).
Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
Then see if it will work.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I also am concerned about the dates showing on the logs; today's logs show 3/30/2010 ???? The HiJackThis log shows 3/29/2010 so the date was put on the computer incorrectly when it was reformatted...at least that is what I am hoping happened. If that's the case you need to go in and change it to the correct date.
I am not sure of your location, I am in the US and the current date is 3/2/2010
You also just said, with this post;

I went back and brought the computer up in safe mode and rescanned just to get the logs.

MBA-M really should be run in NORMAL mode. Safe mode should only be used if the computer cannot be booted to normal or if the program won't run in normal mode.
Also the MBA-M program wasn't updated before any of the scans because the database showing is the one contained in the install file. Can you update it and run it again? The current database is 3817. Run a Full Scan in Normal mode this time as there is a good chance there could be more infection but it would not be found with the old database, it needs the new one to be able to scan for all infections which have developed since this version was released.
But I also do need to see the log that first removed whatever was on there.
If you open the MBA-M program and go to the Logs …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I had the same problem. Couldn't open mozilla and internet explorer 8. Tried lots of things but nothing helped just reinstalled windows and that was the best solution.
Btw when that virus strikes only best working exp. is "Google Chrome" it works perfect in that situation.

You know this thread is 14 months old. There is no guarantee the infection on this particular computer and yours are identical. Each computer is different and what works on one may not work on another, especially when discussing a problem posted 14 months ago and where the original poster neglected to return.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would recommend that you totally disconnect that infected computer from the internet. Then boot to safe mode and run MBA-M on it and have it remove what it finds. Reboot. Then try again to run it in normal mode. It won't be fully updated I know but it's possible that the run in safe mode, which is only recommended for instances like this one as it doesn't scan everything in safe mode, will have removed enough to allow a normal mode run.
Post back here with both the safe mode log and the normal mode log. But continue to keep it offline for the moment.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I cannot say for certain if the recovery disks would give you the option for a repair or not, though I would think they would.
As far as Windows Updates and notifications they are not good or to wait, those generally don't come from Windows but from websites like these. Also some of the PC online magazines will often have notifications that people are having problems with an update of some kind.
You do need to check on the Bitdefender because it doesn't show in the Uninstall list.
As for the System Restore you might give a read to this info from here as it gives a good explanation of what System Restore is and how and when it can be counted on and also when it cannot.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well, several things I note here, though you said in the original thread that you use BitDefender as your anti-virus program Norton, Bitdefender both have entries in your DDS log, however, there is no indication of either program RUNNING on the system and the only semblance of a security program showing as being disabled, meaning it's at least installed is Spybot.

Going through the Uninstall list there is NO anti-virus program listed on that at all not even BitDefender so obviously there is no anti-virus program installed.
I see MBA-M in there and Spybot but neither of those is a real time scanner and neither is an anti-virus program so you don't have one installed. I don't see a Firewall listed either so unless you are using the built in firewall you don't have a firewall either. So you literally have no protection on the computer.

You said in the original thread

I tried to do a system restore, but ALL of my restore points were GONE! I have made some manual restore points since, and a few (not all!) are still there, but I cannot restore them.

You are operating under a misconception really, System Restore only works for a few key system files. It isn't going to give you your computer back to perfection usually.
The Windows Update you mention has caused problems for BOTH XP and Vista users and it was advised not to install it. Also for the Nvidia Display GeForce 9200 …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, here's the program which is free and easy to use. Mike Lin's Start Up Control Panel Just download and install. Once installed it will be located in the computer Control Panel with a little computer icon labeled Start Up.
Open the program and you will see various tabs, some with programs listed, some with none so you will have to go through each tab to look for those listed below. Just take the check marks out of those listed, close the program and then reboot the computer.
Here is the list. Some are your choice as to whether you want them or not, others are absolutely not required and can be run manually when needed and I have listed them this way in the two lists with an explanation of what each is for the ones which are User's Choice:
Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it...............
LogitechVideoRepair-LogitechGalleryRepair/LogitechVideoRepair - part of Logitech Image Studio - installed with Logitech QuickCam cameras. Required from version 8.11 onwards if you use the software to take pictures and capture videos, not if you don't. Also not required for versions up to and including 7.30 and after version 8.30
SoundMAXPnP-SoundMax integrated sound. Required if you have custom settings for your sound, such as effects and environments
Kernel …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Give me a bit and I will give you a list and a little program to do it with.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Really looks ok. How are things running?
Lots of unnecessary auto starting programs there that can consume resources as they run all the time in the background, even if you are not using the program at the time.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks better for sure.
You need to go into Services, Start, Control Panel, Administrative Tools, Services. When this opens scroll through the list there, it's alphabetical order and look for the following:
Marvell Yukon Service
Messenger Sharing Folders USN Journal Reader service
Double click to open each and change the Startup type to Disabled.
Then Exit Services.
Reboot the computer.
Run HiJackThis again and place check marks next to the following entries if they remain:
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\shane\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\shane\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O16 - DPF: {81449547-EB5D-422E-8730-932DC5E412C8} (UVUPlayer Control) - http://www.howardstern.com/install/uvuplayer.cab
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
Once you have placed the check marks click the Fix Checked button.
Exit HiJackThis and reboot the computer. Run another …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Anything in the Hijack log that should be removed?

Have not seen the MBA-M log from normal mode yet.

I would also like for you to do the Online ESET Scan. You will have to use Internet Explorer to do this and also Disable Your Anti-virus program while it runs.
Once the program opens you will be shown items that you can choose to do or not. Please leave default checkmarks as they are and continue the scan. Please allow it to Remove/Quarantine all that is found.
Once the scan is complete then reboot the computer.
Please then run a New HiJackThis scan and save the log.
Post back here with the ESET Scan log which should be located at C:\Program Files\EsetOnlineScanner\log.txt, and the HiJackThis log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Is this part of the original antisoft problem or a new problem altogether?

I really have no way of knowing, except if all the scans previously were run in safe mode then it is likely the same infection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Why are you running these scans in safe mode? They should be run, if at all possible in Normal Mode.