Posts by jholland1964

What is the name of the folder again and where is it located?

1st of all, you don't need to save the log prior to cleaning. It will save the log automatically and it will be found in the Logs Tab.
However, the program itself may be damaged because of the multiple infections. Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
Then download a NEW copy of the program and install it from HERE
Save it on your desktop. You'll see it will have a random name but it will be MBA-M
Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.
In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
Then in NORMAL MODE perform a Full scan and let it remove what it found. Reboot afterwards (important).
After reboot, post the malwarebytes log which can be found in the program under the Log Tab.

Having to reset default browser again would be perfectly normal. The infection had full control over the computer and therefore changed the default browser in order to possibly be able to have access to your personal information and also to bring in new infection.
You need now to update MBA-M and run a Full Scan in NORMAL mode. Have it remove everything found and then REBOOT the computer, this is vitally important because much of the removals will take place early in the boot process.
Once the computer is rebooted then open MBA-M again and go to the Logs Tab and open the last log, copy/paste that log back here.

You also should go to Add/Remove and Uninstall the following, if they still remain:
BitTorrent
Dealio Toolbar v4.3

Whew! One thing that was on the system was an information stealing trojan so any and all of the personal info you may have on the computer has been at great risk, and may have been stolen. I would contact your bank and credit card companies and inform them of this very real possibility. Looks to me like it has been on there for quite awhile.
Now do the following:

· Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
· Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

c:\windows\system32\sbe.dll
c:\windows\system32\encdec.dll
c:\windows\system32\mstscax.dll
c:\windows\system32\mstsc.exe
C:\WINDOWS\rmopup.dll

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt

Post back with that log.

Did you reboot MBA-M after hitting Remove Selected? You must reboot in order to have items fixed.
Ok, try this:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..
• Then post back here with that log and a new scan log from HiJackThis.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF …

You didn't tell MBA-M to fix the items found. You DO have serious infection on the computer.
Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

So far, so good, lol... I switched from Avast to Nod32, I've read that it is the best out there. Hopefully this never happens again...

You do know that this is a PAID program I hope? Yes, it is a good one but it isn't Free if that is what you were looking for. Actually if you do want a paid program the top one is F-Secure.
The infection you had is not one that most anti-virus programs will stop, it was a Trojan, av programs protect against viruses.

That looks really good. Is everything running exactly as it is supposed to run?

Good, sounds like progress is being made.

I'd like for you to do another scan, this time do this online one:
Please Run the ESET Online Scanner

http://www.eset.com/us/online-scanner?i_agree=14

* You can use Internet Explorer or you may use Firefox to complete this scan and you will need to allow an Active X to be installed
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log.
Judy

Can you boot to normal mode? Can you access the internet? You need to update MBA-M and run it again. Current database is 6304.

You also need to Uninstall the iolo technologies' System Mechanic. It can certainly bring many more problems than it is worth.

Are you saying that your problems are now corrected? Can you use IE now?
You asked about why Kaspersky didn't stop this. I "think" you thought you were installing a P2P program, and that may be, however, read this info to see why your Kaspersky was not working after the install, it will explain what this does to virtually any security program, even one like Kaspersky.
http://www.prevx.com/filenames/X2508246232267282497-X1/BEARSHAREV9%5B1%5D.EXE.html
Anti-virus programs are not set up to look for things like this type. The first thing they do is disable the security programs then bring in more infection.
One problem also was the SpyBot TeaTimer. It very often blocks legitimate fixes attempted, this is why this should be left turned off. SpyBot is an excellent program for scanning and removals so do keep it, just keep TeaTimer off.

Now a word about P2P, I do hope that you read the portion of the Read Me sticky concerning these types of programs, they ARE dangerous. You truly don't know who you are sharing these files with and if they are clean. Many infections are spread by using P2P, that is why many people share these files, not because they are generous but because they truly want to "share" what they find on others computers, private info, bank account numbers, credit card numbers,email addresses, the contact names contained in others personal email accounts. P2P file sharing can open doors to the world. You actually were very lucky to have …

Hi welcome back,
You have found one of the major dangers of P2P, these programs can attempt to and very often do take over your computer. Even though you have uninstalled this program, "crumbs" of it still remain and show in the log. You can try first to get rid of these entries by running HJT again but then you DO need to follow the steps given in our Read Me sticky because I guarantee the items showing in the log are not the only remainders.
The first thing you should do is Turn Off the SpyBot TeaTimer as it interferes with any fixes attempted. To do this do the following:
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

After the computer has fully restarted then run HiJackThis again and put check marks next to these listings;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/

O2 - BHO: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll

O3 - Toolbar: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\bsdtxmltbpi.dll

O20 - AppInit_DLLs: C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll C:\PROGRA~1\KASPER~1\KASPER~2\MZVKBD3.DLL,C:\PROGRA~1\KASPER~1\KASPER~2\KLOEHK.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

After you have placed the check marks then click the Fix Checked …

Try using Rkill to kill the virus process prior to doing anything else.
Using the directions from bleepingcomputer on it's usage. It may take multiple tries to get the processes stopped. Try all 7 copies if need be, all are the same file, just with different names. Hopefully one of them will work.

http://www.bleepingcomputer.com/forums/topic308364.html

Then DON'T reboot but try to follow the steps in our Read Me Sticky.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Copy/paste the logs requested right here.

Just remember, when the UAC prompt comes up it says "Unknown Program" etc amd names the program, if you are doing something and KNOW the program like the Adobe program click Yes to allow it. It is called an Unknown because it isn't a Microsoft program, not because it is necessarily bad. Obviously if you aren't doing anything with some other program you need to find out what the program is that is suddenly triggering this warning or permission prompt, if you know what it is and know whatever it is doing is 100% safe, then allow it.

I was keeping it turned off because it messes with Adobe and would not let me save my own files or rename files in Adobe. Otherwise it really doesn't bother me.

That in itself is rather odd. I have Adobe and can save files without difficulty and the UAC is on. It just asks if I want to allow, I say yes and files are saved.

Something else I would recommend, for the time being anyway, until you get everything on there exactly as it should be, is to leave that UAC that comes turned on by Default with Vista, leave it turned on. Let the computer act and work just as it was originally set up to do the day you took it out of the box. Get all your programs on there, all the updates on there, everything you need and as you would like to use it. When the UAC asks, "do you?" just click yes and go forward. AFTER you know that everything works 100% the way you know it should work, then, "maybe" you can try to turn that off. It can be a pain, I know, I am now using a Windows 7 computer after 7 years with XP, and it also has those UAC prompts that I found a royal pain to begin with and I almost "toyed" with turning it off but since it is brand new I didn't want to attempt a lot of "tweaking" so I have thus far left it alone. Now it has become 2nd nature, it asks and I say yes. I barely notice it now I am so used to it.

After. You are going to have to have the computer set up normally. When Java is installed or updates in normal circumstances the security programs do NOT have to be turned off. About the only time security programs MIGHT have to be turned off is for an operating system update, that is rare but occasionally that should be done, like a Service Pack. When that is necessary then that would be in the install instructions.

For the moment at least, I would install whatever anti-virus program you choose and use the built in Windows Firewall. After you get "whatever else" you want or need on there THEN you can change Firewalls. One thing you had on there, was Office, that should probably go on also before the security programs.

Happy I could help.
Judy

Well then let it run until it is finished. Don't stop it or anything. Wait until it tells you that it is done.
Of course IF the drivers aren't there or aren't current you certainly can use another computer to download them to a disk and put them on that way so that really shouldn't be a problem. Keeping my fingers crossed.

Hopefully all will go well. Once it is finished and you can get online you need to do the following in this order:
1. Update the operating system.
2 AFTER the system is fully updated to today then would be when you add your antivirus program and other security programs. NOT before updating the system. That way you can be 100% certain that nothing is going to interfere with the System Update.

You have all ready downloaded all your drivers...right? You WILL need those in order to even to be able to get online with the computer, plus have the display look right and to hear audio.

Did you continue to tap F10?

Another suggestion I found said Alt + F10 to get factory default set up menu

with or without the recovery disk in?

With the Recovery Disk in.

Hang on, try it first WITHOUT the disk and see what happens. F10 is needed regardless though I believe.

What you DO want though, however you do it, is RESTORE COMPLETE SYSTEM.

F10 should take you to the Recovery Partition, like I said above.

IF you have the recovery partiton, then when you hit F10 it should take you to a hidden partion on the C: drive that has two restore options. Restore to last working configuration and secondly the option to format entire hard drive to "out of box" config.

The press F10 I found here:
http://www.kb.sony.com/selfservice/viewContent.do?externalId=C295487&sliceId=1&mdl=

Are you certain, I can't recall if you said so before, are you certain there isn't a recovery partition on the computer?

There doesn't appear to be a Driver disk so you would have to download those first and save them to a disk.
found this on the Sony web site:
>>>>Before performing a recovery, go to the Sony® eSupport Web site at http://esupport.sony.com and check your model-specific support page. Look for software and driver updates
You also have to unplug everything attached to the computer except the power cord.. no internet cord, no printer, scanner, external drives, nothing should be attached to the computer

I would guess you want to restore the complete system. Put the disk in the drive, close it. Turn off the computer. Wait a few moments, turn it on and press F10 as it reboots.
Is this how you did it?

How many disks and what is the name of each? It should give information of what is on each disk. Did instructions come with it?

ok, I feel super dumb, it is not letting me do a restore of the C drive. This is what the Sony site instructions said to choose but it is coming up with an error. It says that the recovery drive letter is the same as the system drive letter. I thought this was why I had purchased the recover disks. Nothing can be easy on this computer and I feel really dumb. There is a Restore complete system option, should I choose this?

Yes, you do want to restore the complete system.

What are the names of these disks?

You can wait if you want and see if anything comes up during or after the reinstall.
We tried and guess that's all we can say.

That is Comodo, don't know for sure if that is what gerbil wanted but the guard32.dll is Comodo

I must check that it it is not his sptd, judy. They rename every time... sp--.sys. It possibly is that.

Ok, you're losing me here...

And your DNS lookup is via Comodo, not your ISP. Gee, they are taking over your internet.

That's like a virus all it's own if that is the case. All of this is really odd, no other word for it!!!
PhilliePhan isn't going to believe all this when he comes back to look around. He left thinking java was working and all was well. He will be stunned to find nothing is working as it should.

Model specific help:
http://esupport.sony.com/US/perl/select-system.pl?DIRECTOR=TUT&PRODTYPE=24

Here is a link for Drivers for the Sony Vaio

http://esupport.sony.com/perl/select-system.pl?DIRECTOR=DRIVER&PRODTYPE=24&template_id=1&region_id=1

Also online help for the Sony Vaio including info for download which likely will help with reformat/reinstall

http://www.kb.sony.com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=reformat%20sony%20vaio&product=&sonytemplate=&sonymodel=

I think you have really fought this long enough, each day it is going to get worse and worse. A reformat/reinstall will really take a few hours IF you have the disks to reinstall everything.
Looking at the DDS log I see these programs that likely need install disks:

Of course your reinstall/rescue disks that you got from Sony.
These should have the drivers on them too. Most of those would likely need updating AFTER everything is on there that brings the computer back to factory.
What you would do is reformat, which would wipe the drive and then reinstall the operating system.

Then reinstall the drivers.You have to do that before the windows updates because for one thing your display will look very odd and also you don't want the Windows Updates offering you generic drivers and it will when it scans for updates and doesn't see them on there.

THEN you would go to Windows Updates and install All the updates that have been released since the computer was manufactured.

THEN update the drivers.

THEN reinstall these programs from their disks:
Microsoft Office Home and Student 2007
Adobe Photoshop CS2
Corel Painter 11
and any others you have disks for, those are just the ones I noticed, especially the Office program. You likely would have to "re-register" that one with Microsoft which is very easy to do online.
Then you would update the Office program.

I really hate to say this but honestly think your only option is reformat/reinstall. There are either major infections on there that are stopping anything from seeing them or major damage to very necessary system files probably going back to 2009.
Obviously things are now falling like dominoes and if you look back over the last, I am not sure how long, maybe going clear back to your original thread, which would the a year, things have not really worked correctly probably since then.
You obviously had the TDSS rootkit back then. Thought it was gone, though now I wonder. You installed Avira and Comodo. Then Avira quit, though that honestly could be Comodo doing that. You installed Comodo Av but you have said Windows updates didn't work right and for sure the ones done on March 7th didn't work, that error shows in one of the logs you did for PP. You have had java on, java off, totally uninstalled multiple times, installed multiple times. You said you had Comodo on and off at least one other times. Now since last week Word has become corrupted, or at least some of it's created documents. When opening Word you are getting an error saying Windows live sign in isn't working, that doesn't even have anything to do with Word so even if it isn't working that shouldn't make a difference with Word. You don't even have to have internet connections installed on a computer to use Microsoft Office …

So, I updated to the newest version of firefox today and java is now updated and working. So weird right? Why wouldn't it work in any other browser if it was a firefox issue? I always update firefox when it tells me to... Wow, :o maybe it won't stop again! fingers crossed

Here's another "oddity". You posted the above yesterday, note you say, Java is working and UPDATED but in the most recent DDS scan that you just did it says;
J2SE Runtime Environment 5.0 Update 22
No way that it updated if that is what is on the machine. Current version IF it updated should be version 6 Update 24

This is like being in "The Twilight Zone"!!!

The release date for that version in October 29, 2007!

I think the combofix was last time.

Yes, it was in 2009. Never run here at all. This one has centered on Java install problem. PP never asked for it and I didn't. I only asked for TDSSKiller because of the old logs in the other thread, since it was found then and that was before TDSSKiller was available. Didn't think it would find anything but you never know. Heck with THIS computer we evidently know nothing!
Now the new "stuff" with the Word program. Boy! I just don't know!
The only thing I do know at the moment I wouldn't do ANY work using this computer that you aren't willing to lose, the Word problem shows that.

We did the TDSSKiller, nothing. GMER was run of course to begin and posted in the first post. PP was working here then with her. Combofix wasn't run in this one..was it? I don't think so. That was run in her previous thread in 2009.

Ouch. a hard lesson for one so young. Yes, People do need to be aware that on the net is forever. Comes down to misplaced trust.. for your young friend, in a stranger [and that is so often fraught], and a lack of regard for other people {I wish that was not a growing thing, but I fear it is; it's possible to understand why]. We take so much pleasure in someone else's misfortune... that is, after all, a solid basis for humour [did you never burst out laughing when a friend fell in a puddle?], as well as some other disturbing feeling... them, not us.
But anyway...

Oh you are so right. Yes, of course I have laughed when a friend has fallen into a puddle or something similar, because of course it's funny, and as you said, "them not us". But, unless the person knocks out a tooth, it isn't permanent it is temporary but the net is forever. Even the now 15 year old I spoke of still hasn't quite "gotten it". Just a couple weeks ago she made a sort of "snarky" remark about somebody on her Facebook wall, but this time her grandmother, my friend, saw it almost immediately and posted the comment to the remark, "Your grandmother is reading this"...her granddaughter immediately removed it.
There are just so many "creeps" out there today, are there more? I don't know,maybe not, maybe they are just more visible today with the net. They certainly …

You ran the wrong program, you were supposed to run the DDS Scanner, from the Read me sticky, not the TDSSKILLER, that can be removed you don't need that program anymore.

and did I mention that my microsoft word files from last week are corrupt?

That makes no sense, if Word files are corrupt then there are major problems with the computer that has a lot more to do with the system itself than Comodo.
How do you know they are corrupt? Nothing was requested here by PP or myself that would have corrupted Word files. Is it only those Word files or All Word files? Have you looked at others to be sure? What date were those files created?

Yes, I've wanted to chuck this one across the room and give it a swift kick many times. I'm going to uninstall comodo and will get back to you. Thank you!

Yeah...that is one danger of using a laptop, you CAN pick it up and throw it out a window, not as easy with a desktop...without throwing your back out too!:D

I know how totally annoying it is when something on a computer doesn't work the way it is supposed to, makes you want to throw it out the window!
As PP well knows...these things drive me totally nuts! I want them solved! And this isn't even my computer!:D

I am not talking a week or even a day. I am talking an hour or two, max. But I just don't think Comodo, any part of it should be on there ever. It does cause problems with some Vista systems and I honest to god think yours is one of them.
The way I would want it done is uninstall using Add/Remove, reboot, then use Revo Uninstaller to be sure everything is gone. Reboot again.
Then another run of DDS scanner to actually SEE if it is not mentioned anywhere at all.
Then go from there.To try the Java in a very specific way see if it works, if it does then add NEW security.
We are talking a very short time.

What it is that I was hoping to try was to do an offline install, after all of comodo was 100% gone.
If it worked then I was going to have you install Avira, which is currently the top Free Antivirus program, it ranks the same as the paid program from F-Secure which received top honors in independent testing in December for paid programs.
Also SpywareBlaster, which gives superb protection and is 100% compatible with all security programs and operating systems.

I had another question too, in the list of installed programs is NVIDIA Drivers.
That would be video drivers but if you don't have NVIDIA video card then these would be the wrong drivers. I wondered where those came from if you don't have one of their cards on the system.

No, I am just trying to help, I am not frustrated and I certainly wouldn't leave you without protection. I just really and truly feel a part of the problem is Comodo. I found posts on other forums from people running Vista with similar problems with Comodo. That was why I suggested removing it.
Thanks for the clarification on the Elluminate program because I sort of panicked when I didn't see anything noted for it on the installed programs list.

Did you ever get the reinstall disks mentioned in your other thread? Reformat/reinstall may then be your only option, that was what I was hoping to avoid.
As I said, I wouldn't have left you with nothing but since you would rather keep the Comodo then perhaps it would be better to wait until the end of the school year if you can and then do a reformat and reinstall. That may be your best bet anyway.

I also don't see that Elluminate program even listed in the installed programs, do you run that from a separate drive or something?

Sorry, I hope it DOES "make her paranoid". I am just hoping to avoid what happened to good friend's granddaughter, 12 years old when it began, right here in my county. She recorded a "sexy" message to a boy she didn't know, but thought was "cute" at another middle school here, got his email address and sent it to him, hoping he would reply. He didn't, instead he sent it to some of his friends and within a week it had been sent multiple times to different students at all the other middle and high schools (there are 9 middle schools and 7 high schools) in the county. Kids who knew her recognized her voice, she didn't give her name in the recording, but one of them played it for his mother, because he thought it was wrong to send something like that. His mother contacted her mother and all "h" broke lose. They got the name of the original receiver and contacted his parents, he confessed he had sent it to a "couple" others. It went around our area for about a month and stopped, for awhile. Then it began again only this time somebody had added pictures to illustrate what the recorded message said. It is still going around and not only here in our state because the original girl who sent it out has now received it back from people she knows out of state with a message that says, "this girl sounds like you." It should …

Ok, good enough. I am going to ask that you totally Uninstall the Comodo program, all of it, via Add/Remove. When given the options box on whether to Modify, Repair or Remove, choose Remove.

You can always download and install it later if you decide but just turning it off to attempt to either install Java or use that Elluminate program obviously doesn't do the job.

We have to really see if that is the culprit or not and just having it turned off just doesn't seem to do it. It has to be off the computer entirely to see. As long as you don't surf around or open other programs, other than those I tell you to then you're safe.

After you do that, reboot the computer and do another DDS scan, post back with the logs, both logs should be copy/pasted.

I was working on the other computer, so I wasn't watching it. It took several hours. Would there be a log that I could pull up?

Not sure if there is one but try this:
Go to Start, Control Panel,
Administrative Tools, Event Viewer, Windows Logs, Application. Scroll down
the Application Events looking for Wininit in the Source Column.

It's not a big deal really, I just wondered.