jholland1964 650 Posting Expert Team Colleague Featured Poster

Believe this is an HP computer, correct? Did it come with Vongo? Did you recently install it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No... I've been always careful without a firewall and haven't gotten infected for a while already. It's just when I got MBA-M I started getting suspicious why the infected IPs are constantly trying to connect to me. So I thought my computer is infected or something... I have a firewall in my router, maybe one day I'll configure it. This computer is mainly for work so I don't download any stuff on it that might be infected or so...

You have to remember that downloading is absolutely not the only way to get infected. Some of these infections, TROJANS I am talking about, don't necessarily come from downloads that the user initiates; they come from actual web sites themselves.
Here are the common ways that a Trojan will come onto your system, as noted on Wikipedia:

* Software downloads (e.g. A Trojan horse included as part of a software application downloaded from File sharing networks)
* Websites containing executable content (e.g. A Trojan horse in the form of an ActiveX control)
* Email attachments
* Application exploits (Flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse)
* Social Engineering (e.g. A hacker tricking a user into installing a Trojan horse by communicating with them directly)

So as you can see, the user, personally, DOES NOT have to download anything. Many, many of the trojans we are commonly seeing today …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'm not using a firewall.

Then this would explain, at least partially, your infections. MBA-M is doing the job it is supposed to be doing but if you had a firewall running on there, ESPECIALLY since you obviously have been using the uTorrent program we several times have recommended removing.
So in essence...MBA-M is the ONLY protection you are running against Online attacks. The anti-virus program steps up pretty much once something has already gotten on to the computer.
Do what you wish, I cannot be a keeper here, but you can thank your lucky stars for these MBA-M alerts because I now firmly believe you would be a lot more infected than you have been if not for these warnings.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I suggest that you read this information about the IP protection provided by MBA-M since version 1.40.
http://www.malwarebytes.org/forums/index.php?showtopic=21076

You CAN disable these notifications but as you will see, it is not recommended. But the choice is yours. Please note what types of programs can trigger these notifications and also that they DON'T mean you have infection on the computer, just that MBA-M has blocked a website.
Also please note that this DOES NOT take the place of a Firewall...what is your firewall?

jholland1964 650 Posting Expert Team Colleague Featured Poster

What is the EXACT, FULL wording of the MBA-M prompts?
Since I don't use the MBA-M paid version I don't have this option but I will check it out for you if I can get the full wording.

jholland1964 650 Posting Expert Team Colleague Featured Poster

fabianslo,
Can you update MBA-M again and rescan just like you did before? Post that log.
If these are found again I may have you do another type of MBA-M scan so it can be submitted to their crew over there for further study.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Combofix from Here or Here

You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.
You must take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I wonder if SAS has those keys set for removal on reboot?
Plus, I don't see the HKCR key that it flagged on the scan....
Odd.
Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.

PP:)

Still have found nothing on this at the SAS forum. But I'm like PP, I don't think it is a big deal really. Of course you've tried to remove it and it won't go, but nothing else is picking this thing up and I have seen nothing about it anywhere else as being bad, heck I have found some threads other places where this has been totally ignored when regedits have been suggested. Maybe I am not searching correctly but have found nothing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

g3nX, for the moment leave system restore alone, thus far the affected files have not been located in System Restore. Have you emptied SAS Quarantine?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you reboot the system after running MBA-M? I need to see a log showing the items are no longer present. You must have saved the log too soon since it says No Action Taken.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to post much more info. I know you copied your post from a closed thread but remember, nobody knows exactly what symptoms YOUR computer is showing. We also need to know more about your computer. Operating system, antivirus program...etc.
How long have you been having whatever problem it is that you are having? In addition to MBA-M what else have you tried?

Now, MBA-M....your version is out of date. A new version was released last week. The KEY rule with MBA-M is ALWAYS update before each scan. MBA-M has updates, daily, at the very least, sometimes more than once a day. Yours obviously had not been updated in quite a while because the database alone is several weeks old, at least.
You need to open the program, go to the Update Tab and have it update. It will give you the new version and the latest database.
Then run a new Full Scan with it and please follow the instructions we give to all for running MBA-M;
Be sure that everything is checked, and click Remove Selected.
You didn't do that in your initial scan.

Then REBOOT the computer....this is vital.

Then download HiJackThis and run a full system scan with it and save the log.
Post back here with ALL the Information I requested and both of those logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have PM'd PP on this one again. Problem is partially your 64bit system. So many tools DON'T work on 64bit. We'll get back with you, probably tomorrow.
Did you ever contact SAS and see if they would respond concerning this?
I HAVE searched their forum and thus far have found nothing about this. Still wonder if it maybe could be a false positive.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just pull that key out manually, Judy.

PP:)

Can you explain to poster how this should be done? I am NEVER comfortable with registry fixes...as you well know!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Dang! Did it remove them?

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, I enabled it in IE and it appeared in Task Scheduler so I disabled there and disabled in IE again.

Good job.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Wow! This is by far the most embarrassing post I have made. I right clicked and was able to disable the search bar. I sincerely apologise for any time wasted and thank everyone.

However still worried about my programs not closing properly such as Win media player, Firefox and realplayer.:$

Hey, no need for embarrassment, we have all done something like this on occasion and our time was not wasted. We all always learn something with these posts, sometimes it is just the obvious...LOL
For your slow closing programs, does this happen when you try to close them down individually OR is it when you decide to shut down the computer completely and they all are slow in closing.
What version of each slow closing program are you running?
The reason I ask is that you have a lot of unnecessary auto-starting programs, Windows Media Player being one of them. If these all auto-start and then run all the time while in the background while you use the computer then when you DO try to shut down the computer, without turning each one off one at a time, then they are sort of "in a crowd trying to get out the door". I can't say for sure that this is the problem but it very well could be. Each individual program running also uses multiple processes to run so each one of those processes connected to that particular program has to be turned off too.
I …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Alright, I disabled it. Thanks for the easy instructions. So do I still have to remove User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE}.job from the task scheduler ?

Yes, I would just to be safe. After that do the MBA-Scan AND also update your SAS and do another scan with it and maybe that was the culprit. If not then we'll keep looking.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry PP, told I SAID I might have missed something...I did once before:D
It also looks like a Google Deskbar OR Dave's Quicksearch Deskbar which will launch searches from multiple search engines...just throwing out there all I have found since looking at that log this morning and seeing nothing that looked out of the ordinary:)

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know, going back through this thread, reading the logs, not finding anything...one thing I did notice is that nobody replying on this thread, unless I missed it, had you attempt one logical thing; Put your cursor on the taskbar, Right Click, choose Toolbars and see if that Search bar is in there and if it is, is there a check mark there? If there is then remove the check mark.

jholland1964 650 Posting Expert Team Colleague Featured Poster

FYI: msfeedssync.exe is the Microsoft Feeds Synchronization task found on PCs with Internet Explorer 7 and which have automatic RSS Feeds synchronization turned ON. This task starts up at the intervals specified in Internet Explorer 7 & 8 and checks for updates to your RSS feeds. This is why I asked about this earlier. It is really User preference and since you have never subscribed to any RSS feeds you can get rid of this PLUS you can turn off the automatic updating of your RSS feeds in the Internet Explorer 7 & 8 options.

Here is how to disable that RSS Feed. It is also known to sometimes slow down IE.
Most people don't use this feature (if you don't know what it is, you aren't using it), and you can turn this off by going to:

Tools->Internet Options->Content->Feeds->Settings and then unchecking all boxes shown in my attachments:

jholland1964 650 Posting Expert Team Colleague Featured Poster

I don't know, can't find it.
Oh there it is User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE} (Description: Updates out-of-date system feeds.) C:\Windows\system32\msfeedssync.exe
One Time - At 8:53pm on 9/11/2009 - after triggered, repeat every 5min for a duration of 03:07:00.
Daily - At 12:04 AM every day - After triggered, repeat every 5min for a duration of 1 day.

That sounds odd to me, though honestly I can't say for sure. But it certainly sounds like whatever it is doing could be your culprit for your constant warnings from MBA-M
See if you can delete it. Reboot and THEN try updating MBA-M...there IS a new version by the way since yesterday, and do a full system scan, removing everything found.
There ARE a number of trojans out there that schedule tasks to constantly "call home" in order to bring in more infections. IF these are the "calls" that MBA-M is stopping then you have your culprit.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those usually are hidden files I believe
Control Panel->Folder Options->show hidden files and folders.

Start>>Search>>taskschd.msc

OR

Click Start
In the Start Search box, type task scheduler. Then, in the Programs list, click Task Scheduler.
On the View menu, click Show Hidden Tasks

If you find that one, delete it and see what happens.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, what does this do?

I don't know. I have seen several threads on several forums that this should be deleted. I wonder if this could be your problem? Honestly I don't know what it is, I could never find a definitive answer, though none said it was necessary, especially if you didn't add it yourself...check your Task Scheduler and see how often it runs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you add this to Task scheduler?

C:\Windows\tasks\User_Feed_Synchronization-{AEFD2DFF-6E9E-4138-BF94-F4A09C6BA9FE}.job

jholland1964 650 Posting Expert Team Colleague Featured Poster

What about MBMA, it keeps popping up that its blocking infected IPs like every minute ?

Then I would believe it. Sounds like a possible hijacker on the computer then. Are these websites you are actually trying to visit? If so, then it is easy, stop. If not then I would say your firewall isn't doing its job either. It should just be able to block them.
But are you running a Firewall? Are you using SpywareBlaster, which is an excellent FREE tool which will also stop this type of thing? But does it in a way that is not intrusive because it doesn't run in the background.

By the way, I heard that smitfraud fix doesn't work on 64bit computers. Is that true?

I wondered that also and searched a long time before I had you run it. Note that I did NOT have you run in Safe Mode and do fixing. That is why. Many instructions have you skip the normal boot scan and go straight to the safe boot cleaning but I chose not to have you do that because of the conflicting answers I found concerning this.
Many sites say yes AND no, depending on which page you access. Other sites say it doesn't work on Vista at all, but then the very next thread says, download and run Smitfraudfix to your Vista computer. I just knew that the scan would not harm the computer and figured it was worth a try.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am using Windows Vista Ultimate 64bit and been using SAS for around 6 months. Got it from their website. In beginning of this week I updated to the latest version. The previous version also detected that infection.

If you will note I said that according to many posts on SAS website there have been many people with various types of difficulties with both of these versions.
Now according to recommendations found on their website it is recommended that a total uninstall of SAS be done, using their Uninstall tool
http://www.superantispyware.com/downloads/SASUNINST.EXE
After this is done then they recommend that a completely new copy of SAS be downloaded and installed from their website and then see if the problems happen again. If so, then really I would recommend that you contact SAS for assistance with this, especially since you have the paid version and you should be able to receive support from them.
I cannot say positively that you do not have this trojan on the system but since none of the other programs detect them then it could be that this is a false positive, especially since the tool designed specifically to detect a Smitfraud infection, Smitfraudfix, did not detect it on your system either.

You can also request help from SAS HERE

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you running a Vista 32bit or 64bit system?

What Vista edition are you running?

Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Business
Windows Vista Ultimate

How long have you had this version of SAS on your system? When did you purchase the program? Did you download it directly from the SAS website?
From what I have found on their forum there have been many problems with actually the last two versions of SAS PRO.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The log is correct, but it doesn't show a smitfraud infection anywhere.
Have you tried running SAS in Safe Mode to see if it would remove the files that way?
I have checked throughout their website and have seen these same files noted, though never as Smitfraud. I found no fixes on there either.
Try running in Safe Mode and see what happens.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi welcome to Daniweb,
Please download SmitfraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One more thing. Bitspirit IS installed in my c: drive (actually I just uninstalled it, following your advice).

Yes, I see that now in the Uninstall list from HJT. I just missed it, I'm sorry about that one.

I would recommend that you scan both drives now, just to be safe since that Bitspirit was installed on "C", with your McAfee which probably won't find anything since it really isn't configured to find Trojans like the type you had, though you never know some of them it will. Then also Update MBA-M and do a Full System Scan with it on both drives too. Remove all that's found and save the log.

Also then do the following as an added precaution;
Run the ESET Online Scanner on BOTH drives and attach the ScanLog.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us along with the MBA-M log...even if none of them find anything.
Since you said your McAfee scans every night I would say this scan is happening AFTER the backup is done, it needs to be scheduled BEFORE …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you sure my backup drive is still infected?

I cannot say for sure, this is why I told you that you should do multiple scans of that drive only to be sure that it is not. I am not sure why you are reluctant to do this, especially since you said that all your backups are replaced with new ones each time you back up.
The choice is yours, I cannot offer a guarantee.
Yes, there were multiple infections present, three that I see, maybe four. They all came from the same source BitSpirit which is a BitTorrent program and was infected. This brought the others in.

WHEN did you install this program? It NEVER shows as being installed on the "C" drive, at least for the last three months according to the Combofix log. So it was actually installed onto the "F" drive. I believe if it had been INSTALLED on the "C" drive it would have shown, even if it had been Uninstalled at a later date. It never shows there.

There were two files with Trojan.Downloader's in them and another which was a Backdoor.Bot. Backdoor.Bot is a backdoor trojan that can allow an attacker to gain remote access on a compromised computer without the user's knowledge. Backdoor.Bot can also further infect computers by downloading additional threats from a remote server. The file removed by Combofix from the "F" drive was AUTORUN.INF, which is a USB worm. USB worms work by creating a …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well there has to be a better way of backing up, that's for sure. You really need to maybe stop the automatic backups for one thing. Do it manually AFTER you are assured the computer is clean. Because really what you are doing is backing up infections.
I think one thing you MUST do right now is scan ONLY that backup drive with multiple programs and make sure it is clean.

The OTHER key thing here is obviously there is something you are doing to keep bringing in all these infections. Your security certainly has some holes in it.
Do you download a lot of things...music, pictures, games, etc? If so from WHERE? Legitimate web sites or is there a lot of P2P going on? That is absolutely the EASIEST way to get infected.
You know since I have seen this happen twice now in just a matter of days I really wonder if people are using these backups correctly. I will be honest, I have no way of doing this, I have no external drive. The only thing I actually back up are my personal files...pictures mainly and a few documents but I just save them to CD's . Probably not the way many would recommend but at this point it is what I am limited to doing. Having now seen two computers with backup external drives backing up infections, kind of makes me wonder.
I don't "believe" yours is as bad as the other …

jholland1964 650 Posting Expert Team Colleague Featured Poster

This search bar IS malware. There has to be a way to get rid of it.

pigwink commented: Tried hard +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Looking at ALL the logs again, ALL of the infections appear to be or have been in your "F" drive, none of them have been found on your "C" drive.
Is "F" your backup drive?
I have seen this recently, with a much more infected computer. The person was backing up everything to his external drive BEFORE running his security programs. So the computer would of course be cleaned if there was infection there but the backup drive contained the infections and so would reinfect the computer. Is this how you are doing things?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still honestly see NOTHING in that HJT log. Very strange. Did you try my other suggestions?

Look in Add/Remove and see if there is an unknown toolbar listed there, if so, remove it. Look for yeah and see if anything like that is listed.
Can you right click the taskbar, away from that search bar, and see if there is a notation there for toolbars. If so see if you can stop this.

Only thing I see as "risky" in the HJT log is this entry;
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Padraig\Program Files\DNA\btdna.exe"
Not really a wise idea to have this running automatically at start up, meaning then it is running all the time usually.
I'm not going to get into a big lecture on P2P here, forum policy on P2P is NO to that entirely and must say I agree. It can and often does lead to major infections, some of which the only way to recover is wiping the drive. But don't feel this is that type of case really...though cannot say for sure. Whatever and wherever this searchbar came from it obviously isn't a good place, we both found that when checking out their web page.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just used it for the first time, it went to yeah.com looks nasty, firefox warned me.

Yes it gets a very bad rating via WOT. You obviously have some malware on there.
Update MBA-M and run the Full System Scan again. Let it remove whatever is found. Do the same with Spybot.
Look in Add/Remove and see if there is an unknown toolbar listed there, if so, remove it. Look for yeah and see if anything like that is listed.
Can you right click the taskbar, away from that search bar, and see if there is a notation there for toolbars. If so see if you can stop this.
Update MBA-M again and run a Full System scan with it. Have it remove anything found and save the log.
Reboot. Do a new HJT scan and save the log
Post back here with the two logs

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry but something VERY strange is going on here. Your original MBA-M log, of the scan done on 9/06/2009 showed this info about the MBA-M program itself;
Malwarebytes' Anti-Malware 1.40
Database version: 2747

The most recent MBA-M scan, with the date 9/9/2009 so we KNOW absolutely was just completed says this;
Malwarebytes' Anti-Malware 1.36
Database version: 1945

What is going on here? What happened to the CURRENT version of MBA-M which was used for your first scan? The scan done here with this very old version wouldn't be accurate at all. The new one is 4 versions later and the latest database has 818 MORE items in it. I have no idea why you would possibly have TWO versions of MBA-M on the same computer. If versions are updated you either have to remove the old version first OR the install program will remove the older version. What happened here?

This would also make the last HJT log really useless too.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you save it as just a .jpg and then attach it?
There is a button down below this text box named Manage Attachments.
Click that.
Then when the Manage Attachments box opens click the Browse button to find the file on your computer.
Once you click on that and put what you want to upload into the little window then you click the Upload button. It will then attach whatever it is you wish to upload to your post.
Check my attachments and you will see what I mean.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I really don't see anything in the log indicating an "unusual" Search bar.
Is there a way for you to get us a Print Screen of it? Maybe that would give more of a clue. If you can do the Print Screen and then Crop everything out except the area where the search bar is located, then upload it here. Maybe it will give us a better idea.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to Daniweb!
Uninstall HiJackThis if it is an old version and download a new one from here if needed. Do the full system scan and save the log and copy/paste it back here and I will be happy to take a look.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry it has taken me so long to get back to you. I apologize. I was out of town for part of the weekend and then...just missed your post.
I see parts of Two anti-virus programs there on both the HJT log and the Combofix log. You said you are running McAfee, but there ARE files from Norton/Symantec showing there. You need to FULLY Uninstall this. Norton has a removal tool you should run.
There are also other programs which really need to go also.
They really are unnecessary.
Can you run HiJackThis again but this time get me an Uninstall List and I will tell you which ones need to go.
To get the Uninstall list do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again.
Place check marks next to the following entries if they remain:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hjmoi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rftrtap.exe,
9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553518000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.cric7.com/vjocx-en-black.cab
O22 - SharedTaskScheduler: Master Browseui - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - (no file)

Once you have placed the check marks then click the Fix Checked button. Exit HJT.
Reboot.

Your other logs show AVG8 on there, now it is gone and you show Avast, when did all this happen?

Update your Avast program and run a full system scan with it. Allow it to quarantine or remove anything found.
Then update MBA-M again and run a new scan with it. Remove anything found.
Reboot.
Run HJT again, save the log and post back here with those three new logs.
Judy
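
Added example (not part of the original post and not HijackThis code): a small Python triage that shows what sets apart some of the log lines listed above. The function names are hypothetical, the expected `Shell` and `UserInit` values are assumed Windows XP/Vista defaults, and the last sample line is constructed for contrast; it checks only three patterns, so a line with no finding is not cleared by it.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample input: entries quoted in the post above, plus one constructed
# default UserInit line (last) that should produce no finding.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hjmoi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rftrtap.exe,
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.cric7.com/vjocx-en-black.cab
O22 - SharedTaskScheduler: Master Browseui - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

# "<section> - <body>", e.g. "F2 - ..." or "O16 - ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
URL_RE = re.compile(r"https?://\S+")


def _is_ip_literal(host):
    """True when the URL host is a bare IP address instead of a DNS name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def _unexpected_programs(key, value):
    """Return the comma-separated programs that are not the assumed default."""
    items = [p.strip() for p in value.split(",") if p.strip()]
    if key.lower() == "shell":
        # Assumed default: Shell=Explorer.exe
        def expected(p):
            return p.lower() == "explorer.exe"
    else:
        # Assumed default: UserInit=<windir>\system32\userinit.exe,
        def expected(p):
            return p.lower().endswith("\\system32\\userinit.exe")
    return [p for p in items if not expected(p)]


def triage_line(line):
    """Return a list of reasons a single log line deserves a closer look."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # not a recognisable "<section> - ..." entry
    section, body = m["section"], m["body"]
    reasons = []

    if section == "F2":
        f2 = F2_RE.match(body)
        if f2:
            for extra in _unexpected_programs(f2["key"], f2["value"]):
                reasons.append(f"{f2['key']} also launches {extra}")
    elif section == "O16":
        url = URL_RE.search(body)
        if url:
            parsed = urlparse(url.group())
            if _is_ip_literal(parsed.hostname):
                reasons.append("ActiveX source is a bare IP address")
            if parsed.path.lower().endswith(".exe"):
                reasons.append("ActiveX source is an .exe rather than a .cab")

    if body.rstrip().endswith("(no file)"):
        reasons.append("entry points at a file that no longer exists")
    return reasons


def triage(log_text):
    """Return (line, reasons) for every line with at least one finding."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```
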

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb,
You have done a superb job. I would suggest now that you run the ESET online scanner.
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Reboot the computer. Run another HiJackThis scan and post back with the ESET log and the new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, I would like to see that Combofix log.
You also need to Turn Off that TeaTimer portion of SpyBot, it often will interfere with fixes done or attempted.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu, select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks, now I need to see a NEW HiJackThis log. From what I see on the MBA-M log there may be other programs you will need to run but I need to see the HJT log.
What OTHER programs did you run? I won't need those logs yet but need to know what they were.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I understand that I should not run into concluding the problem is solved, right? Do you guys think I should still re-run the tests and post the logs (unfortunately i did not keep the logs from my first run of tests)?

Fabian, we can't give you any answers because we have no idea the names of the programs you actually ran. If you ran the program from the link you gave then evidently it was combofix, which is most definitely a program that SHOULD NOT be run without first being told to run it. PP made that very clear in that thread. That is the only program noted in that thread. If this is the one you did run the log can be found at C:\ComboFix.txt.
You say you ran PROGRAMS...What programs? You, for some reason, are not being forthcoming here on what you have done. I have no idea why but we cannot offer ANY suggestions or conclusions until we know EXACTLY what was done. Just saying programs tells us absolutely nothing. There are good programs and bad programs out there, many of both, but we have no idea of even one that you ran. We will not offer advice until we see the logs or know the exact names of the programs you ran.
So NO I will not say your computer is clean.

jholland1964 650 Posting Expert Team Colleague Featured Poster

go to google download trojan remover www.simplysup.com/ it will give you 30 days to remove your trojans

johnzzz.57 realize you want to help but the poster has not posted logs from programs already run. We need to see THOSE logs before deciding on how to proceed further.
fabianslo, please do not run any other programs. We need to see the logs from the ones you have run already and need more information on your system itself before deciding how to go further.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry PP, didn't get back here. fabianslo, you need to post those logs for us Ok? Especially the MBA-M log, if you ran it, and HiJackThis.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, Welcome to Daniweb,
What programs have you used and where are the logs? We really can't advise anything until we get a bit more info, especially the logs of the programs you have run.