jholland1964 650 Posting Expert Team Colleague Featured Poster

Malwarebytes' Anti-Malware is updated via the program itself, not by going to their website. Open the program, go to the update tab, click the Check for Updates button. If there are updates they will be downloaded and installed; if there are no updates you will receive a message that you have the latest version.

Nowhere in this thread did you previously post anything about constantly receiving this message:
"Windows Registry Recovery. One of the files containing system Registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

Do you have an operating system reinstall disk? There is a good chance that by incorrectly doing the registry edit you have damaged key files and this is why you are receiving this message.

jholland1964 650 Posting Expert Team Colleague Featured Poster

As long as you have the license code you should be able to download and reinstall it again. Do you have the license code?
If you don't want to use it that is fine, there are some very good free anti-virus programs out there to use. But in order to uninstall it you can try downloading and reinstalling and then go through Add/Remove and try uninstalling again. You can also use the free version of Revo Uninstaller to remove it and all of its remaining files, it is really up to you.
http://www.revouninstaller.com/revo_uninstaller_free_download.html

Is the computer working as it should be now? Is the taskbar its normal color and has the sound returned?

jholland1964 650 Posting Expert Team Colleague Featured Poster

BitDefender is an ok program, it's a PAID anti-virus program, not free. Did you pay for it?
Not sure what you mean by "some anti spyware programs are suspect". BitDefender is not an anti-spyware program, though its security suite contains an anti-spyware program. If you got it for free then you didn't get the true BitDefender program and then of course it would be very suspect.

Here is its web page with purchase info

http://www.bitdefender.com/

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, do another Malwarebytes' scan. For the moment don't worry about the Bit Defender, we'll get rid of all that shortly.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How did you uninstall BitDefender? If it was uninstalled incorrectly then it would not all have been removed. Also, you failed to update Malwarebytes' before the scan, you have an old database, 6594. Current database is 6612. Malwarebytes' issues updates multiple times a day, that is why you always must check for updates before each and every scan, even when you run more than one scan a day.

jholland1964 650 Posting Expert Team Colleague Featured Poster

After running MBA-M and posting the log, do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Rik,

Here's the Mbam full scan results. It did find a trojan in the restore area and with action taken said it was removed.

Again thank you for all the help.

Log:

Again I quote from the Read Me First Sticky
When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested)
You also have NOT posted the TDSSKiller log; this is a MUST.

You also did not update MBA-M prior to this latest scan. It still shows the same database that was showing in your first post of the log, Database version: 6585. Current database is 6612. You must always update MBA-M prior to each and every scan, even those run on the same day. They release updates multiple times daily.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Me[kk]A, please ignore comments by Portgas D. Ace, he obviously has NO "magic bullet" either as insults can never be mistaken for intelligence.

Now back to the business at hand, have you attempted to run DDS in Safe Mode?

I would like you to run this tool. Follow the directions exactly:

Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer
Run the TDSSKiller.exe file;
Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.

The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.

If the utility detects an infection with the MBR bootkit, it will report that it has detected an infected object type “Physical drive” and prompt for action:

Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
Skip.
Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.

After reboot then please copy/paste the log back here.

Me[kk]A commented: Helpful, polite. Pay it forward! +1
Portgas D. Ace commented: When I am being Insultatious you will know. The was being Modest about my own ability nobody else's. -1

jholland1964 650 Posting Expert Team Colleague Featured Poster

Malwarebytes' is just ONE of the necessary steps we require. There is NO magic bullet to remove these infections, most require many steps for removal.
The choice is yours, if you truly want assistance then you should follow the steps, if you don't feel that you want to follow all the requested steps then please say so that valuable time is not wasted.

I am going to post again exactly what we require ALL posters to do in order to receive assistance:
You must follow all of the steps given in the Read Me Sticky.

In order for the few volunteers who offer a bit of their free time and expertise in this forum to assist you in a timely manner, please adhere to our rules and complete the following steps before posting a request for help:

When you post your request for assistance, please be sure to submit (Copy & Paste, not as an attachment unless requested) these requested scanlogs:

• MalwareBytes’ Anti-Malware log
• GMER One.log and GMER Two.log
• BOTH DDS ScanLogs (DDS.txt & Attach.txt)

People may feel this is unnecessary, we would not make these requests if the logs weren't necessary for us to see. These logs will show us what infections were or are present. They help us make decisions about what additional steps will need to be taken to remove the infections.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You said you completed the steps in the Read Me sticky, there should be more logs to post, the MBA-M log, the two DDS logs and the GMER log #2. All should be copy/pasted.
You stated that you had AVG on the computer and then you installed Bit Defender, did you UNINSTALL AVG first? If not, you should have done so. The absolute rule is ONE anti-virus program should be run at a time on the computer. More than one can cause major problems.
AVG would NOT have removed the Fake Alert infections, it is not configured to do so. Those are trojans, most anti-virus programs are not set up to do so. They can remove other viruses brought in by these trojans but cannot remove the trojans themselves.
We need to see the MBA-M log that removed infections, also the AVG log if one is available. You also need to run the DDS Scanner and post both of the logs it will give you. You also need to post the second log produced by GMER.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If I may, The TDSSKiller log should always be posted, it has not, even if it said it was clean we need to see that. The HJT log is not necessarily a mess, it is just difficult to read because Word Wrap was on when the log was copied. Plus it is rarely used anyway today. If you read the Read Me First sticky you will not see references to using HiJackThis. The preferred scanner is DDS and both of the logs were also not posted, both logs produced by DDS should always be copy/pasted as noted in the sticky. We don't want any logs attached here, all should be copy/pasted.
We also don't recommend turning off System Restore due to the power of the various tools to be used. While all are excellent tools no tool is 100% safe and can occasionally remove something that is key and a good file. The very first thing that Combofix does is create a restore point so that IF an incorrect file is removed then the user will have that point to return to, they are all dated and time stamped so the user will know exactly which one to use if that should be necessary. Files in system restore are LOCKED up and cannot reinfect a computer unless that infected restore point is used.
Once the computer is deemed clean then and only then would System Restore be turned off to clear all restore points. Then it would …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Both the firewall and antivirus programs are sufficient as long as they are current versions and kept up to date. Norton is a paid program so you must always continue to pay for and renew it immediately each year when the renewal comes due, otherwise it will stop updating as it should and will not offer protection for the latest infections. Norton does NOT offer a free version.

If Comodo is the paid version then that same holds true for it. If it is the free version then of course payment would not be required.

Malwarebytes' and SpyBot are both excellent, and weekly scans, updating first of course, should be done.

I would recommend that you add one more program, SpywareBlaster from Javacool. I wouldn't run a computer without it.
You can get it from this link. http://www.majorgeeks.com/downloadget.php?id=2859&file=9&evp=61b0e8ad41924a03c37615f4682b4cef
This link will give you the setup file. Save it on your computer, double click to install it. Update the program and then enable all protection and close the program. Manually check for updates every couple weeks.
From Javacool Software:

SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.

You can remove all the programs necessary for …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now, you need to uninstall these two programs:
LimeWire PRO 4.18.8
uTorrent

P2P file sharing is one of the easiest ways to infect a computer. These are likely one of the causes of your infections, and as you see, there were many.

Have things improved with the running of the computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  ◦ If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected)

KillAll::

File::

c:\windows\system32\drivers\bgneofxh.sys
c:\windows\system32\drivers\tuhmadet.sys 

Driver::

bgneofxh
tuhmadet

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
Post back here with that new log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now run the ESET Online Scanner and have it remove anything it finds.
http://www.eset.com/us/online-scanner?i_agree=14

* You will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It will take me a while to go through this log. In the meantime, please Update Malwarebytes' Anti-Malware and run a Full Scan with it. Have it remove everything found. Reboot the computer, this is very important.
Post back here with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I hope that you rebooted after running the tool. If you did not, please do so before following the next instruction.
Next you need to do this:

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Taking offense has nothing to do with it. As I said, by posting and following steps at more than one forum, instructions given at one may interfere or cause problems with steps given at another and therefore cause greater difficulty than you were having originally. Forums such as this one and the other one where you have posted your problems are operated by volunteers, our time and their time is limited. We work as quickly as we can. You also have to take into consideration time zones. The internet is international, so while it may be day time where I am, it may very well be night time where you are, and vice versa. As long as you are willing to continue only here then we will.
Your logs show the presence of a rootkit, please do the following:

Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Since you have also posted this question and logs at another website I suggest that you continue there. It is never a good idea to have threads running at two different forums at the same time as instructions and tools may conflict.
Good luck.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all your log shows two Security Suites on the computer, COMODO Internet Security and Norton. If both of these contain a firewall and anti-virus program this is a big no-no. Rule is ONE of each on a computer.
Malwarebytes' Anti-Malware should NOT be booting up with the computer, real time protection with MBA-M is only available on the paid version. However the Free version is all you need for scanning and removals as long as you keep it updated before each scan. They offer multiple updates DAILY so updating prior to scanning is an absolute must.

The computer itself is way out of date, you only have XP SP2 on there, SP3 has been available for install since 2008. Your computer is no longer supported by Microsoft because of this. If you had SP3 on there full support would be available until April 2014.

HiJackThis is generally considered a scanner program, not a fixer and really isn't used as much today because it definitely doesn't show everything that is needed to clean the computer.

Follow all the steps given in our Read Me First Sticky and post back here with all the resulting logs and we can go from there.

Here is the link for the Read Me First sticky which is actually found at the top of the list here on the forum.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

Normally all three of those files are legal files, avwsc.exe is from Avira Antivirus program, wscntfy.exe is the security notification file and rundll32.exe executable is a valid part of Windows, and normally shouldn’t be a threat.
That is not to say that any or all "could" be infection but they also may very well be legitimate files so don't necessarily assume they are infections.
Finish the scans and post the logs here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have a few suggestions (bear in mind these are only suggestions)

1. Avira antivirus and avast! antivirus should delete the virus.

2. Hold together Ctrl, Shift and Esc and stop the virus process.

3. Click start then run, type cmd and click OK. Then type dir /s then hit enter, after that type del TrojanDownloader:Win 32/Renos.JM and that might work.


Let me know if any of this helps.

Read the post above yours, this thread is solved and the infection was removed using the steps provided. I have removed your email address from your post, posting your email address in public is an excellent way to begin to receive spam, plus we don't offer personal help via email or pm here, this is a public forum and help is only offered publicly.

jholland1964 650 Posting Expert Team Colleague Featured Poster

and I get connected but with limited access...then you are NOT getting connected. You are only booting to safe mode. Getting connected means connected to the internet.

When you try using the flash drive are you MOVING the files from the flash drive to the hard drive or trying to run them from the flash drive? You need to move them, not run them.
Open the flash drive, Right click the file, choose copy and then paste it onto the desktop of the infected computer. It should move to the hard drive.

Can you get the computer to boot fully in normal mode?
Do you have install disks for this computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't know where you got mbam_rules.exe, that doesn't appear to be a current file. The manual update file can be found Here
http://malwarebytes.gt500.org/

But for the moment see if you can do the following without the manual update.
Also, for the moment, only try using either IE or Firefox since both are already on the computer.

Try booting the computer to Safe Mode with networking. Not sure what operating system is on there but try going this way.
Turn the computer on and tap the F8 key until you get the choice screen and choose Safe Mode with networking. This should get you online but in Safe Mode.
Then see if you can update MBA-M. If you can do a Full Scan in Safe mode, have it Remove everything found and Reboot. This is a must as some of the removals must be done early in the boot process.
Using IE see if you can get online. Don't install AdAware, it will do nothing.
Run another full scan with MBA-M and again have it remove everything it finds and reboot again.
Then try and see if you can Download DDS by sUBs and save it to your Desktop.
Be sure to follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Also check with your email provider. I know my ISP offers that if one wants to use it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

They want you to have a copy of the REGISTRY prior to changes made. But as I said, it backs up only a very FEW files. It doesn't back up your data, it doesn't back up programs, it backs up a very few registry files. It WILL never remove a program, including infections. It also is meant to be used to only go back a few DAYS never weeks. It only holds so much and as it fills up old points are automatically deleted. When working to remove infections leave it alone. Don't touch it at all until the system is clean. Then turn it off to wipe out all old entries. Then turn it back on so points are all clean. Leave it alone.
As I said earlier, before offering advice you really and truly need to know and understand the advice you are giving. Giving wrong advice can seriously damage a person's computer. So you need to know what you are saying is 100% correct, in other words if you aren't certain of that then don't post.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really need to know what you are posting before giving advice.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Firstly, Thanks for reply.

The steps that you told us are "Must need to be taken" steps. I would personally recommend to all users of XP (not just XP, but Vista, 7 and Linux users too) to back up their OS if they don't want to buy a new HDD, so instead of buying a new Hard Drive they can clone their existing OS on a CD or a DVD. Isn't it useful? And it will save their money and time both.

Secondly, these kind of viruses (like system.exe, New Folder.exe, My Music.exe, Pictures.exe, HomeVideo.avi.exe) spread through autorun. That's why disabling autorun will disable all these viruses. And I have also told to Use "Limited Accounts". These Viruses only activate and perform action in account with "Admin Privileges", they are disabled or deactivated in "Limited Account". Because of restrictions of "Limited Account" they can't change the system files. (The main cause of survival of these Viruses). So if you use "Limited Account" the sys-restore will be as powerful as you want.

I am about 99% sure that you have used an account with Admin Privileges (When this virus is activated) and that's why System Restore and Automatic-Updates couldn't help to remove these viruses.

striker_1 you are 100% wrong about System Restore. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it.
System Restore …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Feb20, first of all you say you are running TWO anti-virus programs, so your protection is cut way down. The absolute rule is ONE anti-virus program and ONE firewall should be run on a computer, never more.
Sounds like you have one of the Fake Alert infections, which anti-virus programs won't find or remove anyway.
You need to begin by following all of the steps given on our Read Me First sticky and post back with all the requested logs. This is the only way we know exactly what assistance you need.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to really watch what you are downloading and from where. I would also advise you add SpywareBlaster. Superb protection, it doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.
Download, install, update, enable all protection and close the program. Manually check for updates every couple weeks. If there are updates follow above procedure. I wouldn't run a computer without it.
http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

By the way, your Java is way out of date which also is a security risk in many ways. Current version is update 6 version 24 and you need to install this.

http://www.java.com/en/download/index.jsp

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yeah, I've checked. When I looked at Recent Documents, the shortcuts to the files were there but windows couldn't find the actual files they linked to. I think they somehow have gotten deleted. Is that why the folders came back after I did a system restore but not the files themselves?

Yes. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you looked in the Desktop Folder in Windows Explorer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

What program did you use to view the pictures and videos? You have the VLC player on the computer, have you looked in the VLC folder?
You have to use "something" to view pictures they just don't open on their own, open that program and see if they can be found that way.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to uninstall Combofix before leaving:
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Then you will have to download them again. You need to be very careful what you download and thoroughly scan each and every download BEFORE opening.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Like I said, the only way is to do a search on the computer by title and see if something turns up. There should be a folder where these were stored, generally things aren't stored on the desktop.

jholland1964 650 Posting Expert Team Colleague Featured Poster

As long as you have the purchase receipts you should be able to get them again by contacting the websites where the purchases were made. Usually if you explain the situation either infection or a reformat that caused you to lose whatever you purchased then you probably will be able to get them again.
Pictures, I am not sure about. If you purchased these pictures and have receipts you should be able to get them again as long as you have receipts to show for the purchases.

Anything that you got via P2P I would advise against, solely because this is likely one of the ways your computer was infected in the first place. Use P2P again and you will shortly be right back in the same situation.
Copyrighted material must be paid for so if any of these were downloaded without paying for them then, no you likely will not be able to get them again.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Personal pictures and videos or ones that you downloaded?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Which missing files are those? If you are referring to those missing from the desktop, have you done a search on the computer for them? The files or icons on the desktop are normally shortcuts to the programs themselves which are located elsewhere on the computer so it would be very easy to create new shortcuts on the desktop for them. What kinds of files are they?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok. All I can tell you now is you will have to wait and see what crunchie says. I have asked him to take a look here, not sure when that will be but we need to be certain this computer is clean. You will get a message when he has taken a look. Ok?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Right click each and scan with MBA-M just to be safe. Then delete them.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do they actually say "0"?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I want it over too. That's why I want another opinion, cover all bases. Don't download any programs, videos, games, etc., ok? We don't want anything new on this computer until we can be absolutely certain everything else bad is gone.
What are these files, do you know? All installed on March 19 at 11:23 pm.
c:\docume~1\owner\locals~1\applic~1\Identities
c:\docume~1\owner\applic~1\Hivuhe
c:\docume~1\owner\applic~1\Gyiz

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like somebody else to take a look at all of this if you don't mind. Don't like the idea of infection still being found.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you give me another DDS scan? Just don't like it that more infected files are showing up.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It definitely creates a log; it will be located at C:\Program Files\EsetOnlineScanner\log.txt.
I really need to see the log, especially since it found infected files.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Funny, I have never seen three options on there, this is in the ESET scanner? You only want to quarantine, to be sure there is no good file mistakenly removed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What quarantined files?

jholland1964 650 Posting Expert Team Colleague Featured Poster

So two different Microsoft folders, correct? It is a Microsoft Operating system so obviously there would be a lot of Microsoft files. 2 hours for a full scan is not unusual. Depends on how much you have on the drive too.
Run this online Scan:
Run the ESET Online Scanner

http://www.eset.com/us/online-scanner?i_agree=14
* You can use Internet Explorer or you may use Firefox to complete this scan and you will need to allow an Active X to be installed
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.