jholland1964 650 Posting Expert Team Colleague Featured Poster

Now do the following:
Download Malwarebytes' Anti-Malware and save it to your desktop.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Once downloaded, close all programs and Windows on your computer, including this one.

Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.

On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Personal Shield Pro related files.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the attached image below with infected files found noted in Red.
Scroll through the list and be sure there ARE check marks next to each item noted in Red. Once you are certain the check marks are there then click the Remove Selected button and then Reboot the computer.

Go to MBA-M and open the program. Go to …

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is no reason to remove these programs you noted, they are NOT P2P programs. They are normal programs found on most Windows 7 operating systems and likely cannot be removed. Just CLOSE them.

Ok, you are exactly where you should be right now, Safe Mode with Networking. Very good!
These instructions are the standard, always used instructions and they were created by Bleepingcomputer website and are used on most good, legitimate sites for these removals.
I have posted attachment pictures so you can see what is needed to do.
Here is what you need to do:
In Internet Explorer go up to Tools, Internet Options. Connections Tab. Click the LAN Button.
When LAN Settings opens if there is a checkmark in use Proxy Server, REMOVE that check mark and click OK. Then OK your way out of Internet Options.

Then do this:
Download rkill and save it to the desktop.

http://www.bleepingcomputer.com/download/anti-virus/rkill

When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

If you are unable to connect to the site to download RKill, please go back and do steps again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Apology accepted. Now if you do want assistance with the removal of this infection I will be happy to give you the steps needed one at a time. You complete step one and report back with the needed log and then I will give you step two and so on. But you have to be willing to do the steps as given.
If you don't feel that you can follow the steps this way then your only option is to take it to a shop.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are assuming a LOT and very wrongly. The Sticky, while dated, 2008, is kept up to date on a regular basis.
If your "handle" appendage, 1964, is a hint of your experience, you come from a generation of IT people that were notoriously abusive to "non-techs."

Again another wrong assumption. I am not a "tech" as you assume, I have never been and never have claimed to be. I am simply an ordinary computer user who has taken up assistance in malware removal as a hobby. The 1964 "appendage" was used in order to not have to go through "umpteen" other numbers to be able to use the name I wanted to use or take on a suggested user name that I didn't want to use.

The Sticky is user friendly if a person will use it as described and if you read other threads here you will see that it is used by all when posting here.

Honestly I don't know what it is that you are expecting or what it is that you want us to do. There is no magic bullet or button to push to remove infections like this one. They all require multiple steps and tools and there is no other way to remove them. We can't give you different steps if they are not available and they are not available. There is no ONE step to remove this infection.

If you don't feel you can follow the steps …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have about no chance of following PhilliePhan's sticky without my head blowing off. As a longtime PR person I would go back and carefully read that sticky and decide whether it is conducive to "follow exactly as given," and determine whether or not the attitudes in communications project arrogance and disdain, or truly assist your mission of "helping."

Sgt Taylor, USMC and still frustrd

Then your chances of getting the computer clean are very slight. I am very sorry. There are multiple tools required to rid the computer of this infection and if you are not willing to run these simple tools then as stated the chances of getting the computer clean are very small. We have helped posters remove this infection many times with great success. There are accepted tools used to clean this and then fix damaged files but they must all be run correctly otherwise further damage will result until it is possible the computer will not be usable.
Hopefully you will be willing to run the tools. We only want to assist.

jholland1964 650 Posting Expert Team Colleague Featured Poster

svilla, while we always welcome help here, we also have a sticky for those wishing to offer assistance. You need to follow those rules if you wish to assist. You will find it at the top of the page and I ask that you read it.

Forum Rules and Policy for First Responders
-- Please refer initial posters for assistance to our Read Me First Sticky Post
We would like everyone to start with these steps so that a "baseline" for further assistance can be established.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you really want to clean the computer?

Then follow the steps given by PhilliePhan which INCLUDES, along with other steps, Malwarebytes' Anti-Malware.

Do you really want it clean or not?

The steps you read from Spyware-Experts cannot be trusted, the website itself has a poor reputation.

Do you honestly think that the steps given were posted just for the sake of posting something? We have steps we request because THOSE are the ones that work to begin cleaning a computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I need to know if SPYWARE DOCTOR (Spyware-Experts.com) and/or STOPzilla (iS3) are legit software to use to obliterate Personal Shield Pro, completely or as much as possible.
No they are not. If they were they would be in PhilliePhan's sticky.
Please use those programs listed in his sticky and post the logs here.
WE read the logs, you don't. You just need to follow the instructions exactly as given.

jholland1964 650 Posting Expert Team Colleague Featured Poster

These services are REQUIRED for your internet to work properly.
Please check to be sure that ALL of these services listed here are enabled and NOT disabled.
http://www.blackviper.com/wiki/WLAN_AutoConfig#Additional_Information

There are very FEW Windows Services that should be completely disabled. Please read the information found on this website concerning Services and their proper configuration and then please set yours to the recommended DEFAULT configuration and reboot the computer:
http://www.blackviper.com/2010/12/17/black-vipers-windows-7-service-pack-1-service-configurations/

Note:
Manual ~ Manual mode allows Windows to start a service when needed.

Disabled ~ This setting will stop a service from starting, even if needed. Errors in the Event Viewer will show up complaining of that fact. Some services, while Disabled, will constantly complain. However, this situation is taken care of if placed in Manual. You have a LOT of Event Errors showing and none of these Services should be Disabled but they obviously are disabled or something they are dependent on has been changed to disabled because they were unable to start.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have disabled services that run with start up only
Did you do this before or after the problem began?

MBA-M should ALWAYS be run in Normal mode unless it will not run at all. It was created to be run in NORMAL mode. It does not work like other scanners and therefore will NOT scan everything in Safe Mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you gone through and disabled any Windows Services? I am not saying you should, I am asking if you have and have you run any other security programs other than ESET?
Update MBA-M and run a Full Scan with it. Have it remove anything found. You will have to update via Safe Mode BUT, then go offline, reboot in normal mode and run the scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Exactly WHEN did this begin? Date I mean. The reason I ask is that it shows in your log on 7/7/2011 you removed the Linksys Wireless-G PCI Adapter.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now clarify something;
You said this:
When I use my computer without wireless it works perfect.
And then you said:
I have the same trouble when I connect with an ethernet cable

This is rather confusing, if you are NOT using wireless or ethernet cable then how can you connect???
I don't understand at all, I am sorry.
Do you mean that as long as you ARE NOT going on the internet the computer works well?
Has the computer ever worked correctly while online?

jholland1964 650 Posting Expert Team Colleague Featured Poster

At least give us a DDS Scan log so we can see what may be going on, right now this is like shooting in the dark. We have no idea what may be running that could be causing this. If it runs fine in safe mode then this leads me to think it has to be either a setting or program that runs in normal mode but of course doesn't run in safe mode.

Download DDS by sUBs and save it to your Desktop.

If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

Copy&Paste both the DDS.txt and the DDS Attach.txt into your post for assistance.

It can be run in safe mode if needed to do so.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You probably have virus in your computer... Download Malwarebytes Anti-Malware and run a scan to confirm it...
If it does find it, please proceed to instruction link posted by crunchie to completely remove them... He'll help you out till you're done

The link provided by Crunchie includes Malwarebytes' Anti-Malware as ONE of the steps. That link is where to begin.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One final question: If I do need to install some application that I don't fully trust, is it safe to use a virtual machine to do a test install? Will malware be able to breach through the VM onto the actual machine?

Once again, thank you greatly for your time and patience.

Quite honestly I don't know, though I would think that if there is a security vulnerability in VM software that is known to an attacker and it is unpatched, it certainly can be exploited like a vulnerability in any other type of software used for security. But like I said, I am not that familiar with VM software. But as devious as these malware writers are today one must assume that really nothing is 100% safe today. We just have to make the best attempt to keep our machines as safe as possible so the question I then would have for you is why would you NEED to or even consider running an application that you don't fully trust? To me that would be like hiring a convicted bank robber to be the guard in a bank just because he promises not to rob any more banks. Would you trust him completely? I doubt it, would you even hire him? I doubt it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still no sign of svchost playing up. Dare I say I'm cured?
It looks pretty good. I would say you are very lucky for several reasons, one probably due to the fact that you had just done the reinstall. Not a lot of the usual extras that can easily be infected and make the removals difficult, if not impossible. Probably also not a lot of personal information on there that then puts really a person's whole financial and personal life at risk. Another reason is the fact that you obviously DO or DID P2P sharing. Such a dangerous activity! As I said, probably the easiest way to get an infection. It never ceases to amaze me that persons are more than willing to risk the computer itself, personal and banking information, telephone numbers, email addresses and yes, their ability to be served by their internet provider all for the sake of illegally getting "for free" a 99 cent song or a $50 game or $100 program. I always ask persons who use P2P to illegally obtain these things if they would even seriously consider walking into a restaurant and eating the rest of a partially eaten sandwich left on a table by an unknown customer rather than purchasing their own, untainted and freshly prepared sandwich. The answer of course given by 99.9% of persons asked always say unless they actually were starving to death they would never even consider this. But yet this is what is being done using …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I meant avast. They have some good boasts on their site.

Avast is an excellent antivirus program. Highly recommended and has very high ratings on independent testing also. Wait until you are certain the system is clean however before changing your av program. You don't want to damage a new program. Once it's clean you can remove AVG, which DOESN'T rank very high and go with Avast.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Daemon Tools Lite is fine as far as I can see. Azureus - now called Vuze is a Bittorrent Client and is a P2P program. Absolutely the easiest way to get serious infections, without a doubt.
Anything you may have already downloaded with it would also be very suspect and should also be removed.
Also uninstall Auslogics Registry Cleaner. There is absolutely no reason whatsoever to ever use a registry cleaner.

Uninstall this and leave it off the computer, if you want to keep a clean computer.
You now need to Update MBA-M and run another Full Scan with it. Have it remove everything found and Reboot.
Post back here with the new log.

After that then do the following:
Please run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log also.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I ask that you please don't disable or re-enable standard operating files during the clean up. By doing so you could make the scanners not see what they need to see or see something they need not worry about. So Please leave your security center and that type of thing alone. Also, if files are running, let them run, please do not do any manual stopping or anything else like that unless it is requested, ok?

You ARE aware that the COMODO Internet Security program is a FULL security suite aren't you? It contains both an anti-virus program and a firewall. This means you are running TWO anti-virus programs, which is a no-no. Plus, AVG is certainly not one of my favorites, but that is neither here nor there right now. You do have two anti-virus programs installed there.

You also did not post the Attach.txt log from the DDS Scanner and we DO need to see this. Please copy/paste that here also. Also please just copy/paste the logs directly into the posts, no need to put them into text boxes.

There is a rootkit on the system, which is evident by the findings of the Windows Malicious Software Removal tool and the DDS scanner, both of which have the notation of TDL3/Alureon rootkit.

Now, let's get rid of that rootkit. Please do the following and post back with the log.
Please read carefully and follow these steps.

* Download TDSSKiller and …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I thought that MSE was good because studies have shown more windows users use them. Have no idea what "studies" you are reading but never have seen that anywhere. Just because some program has a lot of users doesn't make it a good program to use...P2P programs for instance, lots of people use them and all of them are putting their computers at risk. Does that make P2P programs good programs? Hardly.

One last question is there a need to install two antivirus products

The ABSOLUTE RULE is ONE anti-virus program and ONE firewall should be installed on a computer NEVER two of either at the same time, ever.
Having two installed at the same time will lessen your protection because they can fight each other and miss the infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I agree with caperjack. MSE rarely ranks "up there". Avast is excellent. Avira Free is quite good, however, due to Avira's recent partnering with Ask.com to add the Avira SearchFree tool bar and Trialpay to help cover the cost of providing the WebGuard extra, which is included in their paid version, many forums have removed it from their lists of recommended free programs. This WebGuard with its Ask.com provided SearchFree tool bar certainly is not required and this has resulted in many, many complaints posted on their forum.
IF you watch their installs closely you can opt out of these toolbars in Avira but of course many people neglect to watch these installs and end up with these toolbars. They certainly are NOT needed and often are flagged by anti-malware scanners.

Have never been a fan of AVG. On several other forums where I post there are a lot of infection removal threads where AVG was the av program installed so I personally would not recommend it. But "to each his own".

The Rising Antivirus Software Free Edition 2011 on caperjack's link was tested by a fellow at another forum and his results were not good. With scanner settings set at Medium/Default;
Quick Scan produced very high CPU usage which remained extremely high during the entire scan. Scan took 4 minutes to scan 1509 objects. Full scan test resulted in 9 false positives during the first half of the scan. This is …

jingda commented: Nice review +9
jholland1964 650 Posting Expert Team Colleague Featured Poster

You're welcome. Don't reinstall that P2P stuff when you do the reload. It will bring it all right back in.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Never said that uTorrent started up. The thing is p2p is p2p and connects you to people and places you don't know and many times have absolutely no control over whatsoever. It should be uninstalled. P2P puts a computer at great risk, especially to serious infection and, yes, computer hijacking.
Didn't request another MBA-M log but even though it shows nothing there obviously is something that is "running" IE and if you aren't then it is likely that "somebody else, somewhere else" is.
Knew what Tunngle beta was essentially but it certainly should never have been auto starting and it is considered a p2p program. Means you have no guarantee that whomever you are sharing with is on the "up and up". Easy way to take over machines. Plus the program was a beta version, meaning TEST version and all the possible "bugs" are not removed. That in itself can be dangerous. You don't know what these bugs may be.

jholland1964 650 Posting Expert Team Colleague Featured Poster

One thing I do want to mention, you have a program installed, Tunngle beta. Now I am not that familiar with this and I am not a gamer so possibly somebody else may be able to give more info, however, this program, according to your logs starts automatically when the computer boots up and then runs ALL the time in the background, whether you are actually using it or not. That shows in the logs. It does involve p2p most definitely. So there is something else that can be very questionable and if this program is running all the time this could also be the cause of your multiple instances of IE opening on its own.

You also have uTorrent installed which also is a p2p program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like you to do the following please:
You are going to use RevoUninstaller, which is the free version of the program, to Uninstall these two Programs which really are considered malware in many cases and can be causing your problems, or at least are contributing.

DAEMON Tools Lite
DAEMON Tools Toolbar

Download and install Revo Uninstaller

Double click the Revo Uninstaller icon on your desktop to start the program
Scroll through the listed programs and Right Click on the program you wish to uninstall
From the pop out menu choose Uninstall
Click Yes to the confirmation dialogue
In the next window select the Advanced mode
Click Next to start uninstalling the program
Answer Yes to confirm the uninstall
When the program has completed the four steps, click Next to allow the program to search for leftovers
Once complete, click Next, then Finish
Repeat the above steps for any other programs you wish to remove.

Once those are removed, then reboot and update and run a new MBA-M scan. Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We won't worry about that for now then. One thing you need to do is turn off the SpyBot TeaTimer and leave it off. It often interferes with any kind of fixes attempted. To turn it off do this:
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu, select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Then do the following:
Run the ESET Online Scanner

http://www.eset.com/us/online-scanner?i_agree=14

* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

GMER log?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the GMER log and the Attach.txt log from DDS Scanner, both of those also requested in our Read Me First sticky. Both of those must also be copy/pasted here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The RiskWare.Tool.CK is a "hack" tool used to get a pay for software program via pirating...have you done this?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Probably not the best idea
You are right there, System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. It also will NOT uninstall a program or an infection. System Restore does not remove infections, only what may be a very clear pathway or footprints needed to FIND that infection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello Twiggy159,
You forgot to update MBA-M before running the scan. You should remember you always should update before each scan.
Update it and run another Full Scan, have it remove everything found, reboot and then post back here with the new log.
You said that you had the "Windows Repair" virus earlier and got it removed. How did you do this? Do you have any of the scan logs from the programs you ran at that time? If so could you post those also? That will possibly give us some help right now to decide what other tools should be run.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well that may very well be that spyware removal would not be covered by warranty service. I had not thought of that. I too have had very good results dealing with their service techs. No, their techs would likely NOT be working on commission like that. Sales would be a different story possibly but not their service techs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If that's the case then it should be ok. Have no idea why the dell tech support would tell you that they would charge you. You should have at least a 1 year warranty on the computer if it is brand new. That comes with the computer. If I were you I honestly would call Dell back and ask them about it. I have had Dell computers for 8 years and never had this happen.
Hey, you can't "pull the age card on me"....LOL...I am 65! We are always ready to help here so never hesitate to come here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The SwagBucks Toolbar is a tracking toolbar. It is not recommended. The website appears to be ok but since I am not familiar with it I cannot say for sure, but the Toolbar is known tracking software.
The WinMaximizer was installed on July 1st. See if you can figure out what else you did that day. It may be located there. Try going to Start and type WinMaximizer into the search window there and see if it finds anything. DON'T delete anything you find just report back if something was found and exactly where.

jholland1964 650 Posting Expert Team Colleague Featured Poster

"I went in and deleted some things that did not look necessary to me and the clicking has stopped"
And how did you know 100% that these were not necessary? You never just delete programs. They must actually be uninstalled. When you just delete them it only removes their name, not the program. Where did you go to delete these items?
Where did the clicking sound come from, INSIDE the computer itself or on a webpage? Clicking sounds from INSIDE the computer would generally always be bad and would mean there is likely a bad component, usually the hard drive. Clicking from a webpage could just be sound effects from the page. Do you have your sound turned on all the time? Many very normal sounds will be heard with the sound turned on and clicking on various web pages.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to uninstall, using Add/Remove these programs;
Swag Bucks Toolbar
Coupon Printer for Windows

There is absolutely no need for a "special" coupon printer. Any page that has coupons on it can easily be printed using your printer software.
The Swag Bucks toolbar is known malware.

Since you did not purchase McAfee there is absolutely no reason to keep it.
Uninstall it and install one of these very good, highly rated FREE anti-virus programs. Either Avast Free from here;
http://www.avast.com/download-thank-you.php?src=http://files.avast.com/iavs5x/setup_av_free.exe&product=FA&page=free-antivirus-download&locale=en-ww&avast=0


or Avira Free from here:
http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914

jholland1964 650 Posting Expert Team Colleague Featured Poster

You can't just delete a program, it has to be Uninstalled using Add/Remove. That is where you have to look for it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello the.avon.lady1, You did not post all the requested logs. It is important that you post the DDS Attach.txt log. So please copy/paste that log here.

flagstar is incorrect, tracking cookies ARE most definitely spyware, hence their name TRACKING cookies. You do NOT want these on the computer. If SAS keeps finding them this means that your browser is NOT configured correctly to block them.
Open Internet Explorer, Click Tools, Internet Options. On the General Tab, Browsing History section in the middle click the Settings button. When that opens put a dot in Everytime I visit the web page. Reduce the space saved to use to about 250. Click Ok.
Click the Privacy Tab, then click the Advanced button. When that opens put a check mark in Override automatic cookie handling. Then put a dot in Accept 1st party cookies and a dot in Block 3rd party cookies (those are the tracking cookies).
Also put a check mark in Accept session cookies. Click OK. Then close out Internet Options.

From your one DDS log it appears you have a program installed called WinMaximizer. Uninstall this program. It is unnecessary and a junk program. I certainly hope you did not pay for this program, it is a paid program, and is totally unnecessary. These types of programs are never necessary.

SpywareBlaster is an EXCELLENT program and works perfectly well with ALL other security programs, I have used it for years and would never run a computer without it …

jholland1964 650 Posting Expert Team Colleague Featured Poster

the.avon.lady1, this is another person's thread and you shouldn't post your problems in another's. Too confusing for one thing and also unfair to the original thread creator.

Go to the top of the front page and click Start a new thread, as shown in my attachment. Then name and create your own thread. State all of your problems and somebody will be most happy to assist.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, like I told you I don't use Chrome so somebody who does will have to answer that. Have you tried renaming it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

That's great Jim. Take as long as you want to be sure things are fixed. That's what we are wanting, things to be fixed and you are the only one who can judge that. Keep us posted.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not sure what to tell you Jim, perhaps another will have a fix for you. By the way, you asked about automatic updates with MBA-M, auto updates is only available with the PAID version, not with the Free version.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try running this to correct the problem with the .exe's
http://www.winhelponline.com/exefix_xp.com

run that and reboot. Report back with the results.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);

Run the TDSSKiller.exe file;

Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.
Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Jim, your MBA-M program is several years out of date, which is why it didn't find anything, because it can't, it's too old and that database does not contain the proper files to look for today's infections.

You need to update that and run it again. Current version number is 1.51.1200 and current database, as I write this, is 6963, though by the time you read this there likely will have been another one since they release updates multiple times a day.
Since you can't get to Normal mode, instead boot to Safe mode with Networking, this will allow you at least to go online and update that program.
Then run a Full Scan with it, have it Remove Everything found and then Reboot to normal if possible and see if you can use the computer. Post back here with that new MBA-M log.

Also please remove that attached file and copy/paste its contents here. We don't open attached files here due to risk of possible infection from those files.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just be careful is all I can tell you. Save your money and get a new computer with LEGAL software on it and get the paper work to prove it!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly you would be better off taking the computer back to the guy who "fixed" it for you, HE caused all this.
I really have no more steps I can give you.
Print out all the logs to show him what HE caused. Ask for your $35 back too!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just follow the other instructions and try to keep safe until you can get a new computer with a REAL Windows operating system and not a pirated version.
That really is the only advice I can give you.