PhilliePhan 171 Central Scrutinizer Team Colleague

Semantics.

No. Not at all.
But, if that's your interpretation, so be it.

PhilliePhan 171 Central Scrutinizer Team Colleague

It can be used to enable/disable programs to start automatically.

Yeah. That's called diagnostic startup for a reason. :)

Meh. It's not worth arguing about.
My friend chaslang sums it up pretty well here Dealing with Startup Processes.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Msconfig is a diagnostic tool and not a "startup manager."

You should try something such as CodeStuff's Starter to manage your unwanted startups.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I now have a usable keyboard. I used to have to hook up another keyboard to be able to type. Now I won't have to - thank you!!! ** :-) **

Thanks for the feedback, Karen.
Glad you finally got it sorted out! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Welcome and congratulations to all! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow, THANK you. That actually worked (I followed the steps in the link you included). I just wondered, do I have to go through those same steps each time I update to a new version of FF (I assume it constitutes wiping the slate clean in order for the new FF)? And I suppose there's a way of importing those renamed profile settings (of the old FF) into the new version?
Thanks again!

You're welcome. Happy to help :)

Now that you have done a clean re-install of Firefox, you may not have the same issues when trying to update in the future.
Because Firefox is a fluid and ever-changing animal, I really don't know how dealing with and importing profiles is going to ultimately shake out.
You are probably going to have to redo all your extensions and plugins manually rather than trying to import the old ones. I'd recommend starting fresh simply because there obviously are some issues with the existing profile.....

Have a look at this page:
http://kb.mozillazine.org/Profile_manager
There are some interesting links at the bottom of that page as well.

It is possible to use multiple profiles to help diagnose problems, if you want to take the time to do that, but again, you may not have these issues again with the clean install.

If you do end up having further problems, post back here and we'll see if we can sort it out.

PhilliePhan 171 Central Scrutinizer Team Colleague

How can one successfully get past the "Checking Your Add-ons" stage of the update process?

It sounds to me as though you need to "completely remove" Firefox before trying to reinstall it. This goes beyond simply uninstalling it - you need to remove all your profile data/settings/add-ons.
-- You may be given the option to "Remove my Firefox personal data and customizations" at uninstall (I can't remember) and this should work. Or, you may simply be able to create a fresh user profile.

Personally, I suggest the full removal procedure linked below:
http://kb.mozillazine.org/Uninstalling_firefox#Removing_user_profile_data

Then, you ought to be able to re-install with no problems.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Anyway, I guess my real question is, how legal is all of this movie torrent stuff? Maybe I shouldn't even be trying to download (upload?) movies.

It is not legal and in violation of our forum rules to discuss/aid/abet copyright infringement and piracy. Sorry :)

I would suggest staying away from torrents for the simple reason that it is one of the easiest and most effective ways to get your computer infected with malware. Think about how torrents work and to what you are exposing your computer.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

It doesn't seem to affect anything but what should I do to get rid of this?

You could try uninstalling/reinstalling your printer and its driver/associated software.
Did you mess with your printer setup lately to cause this error?

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you so much for replying, here are the logs...

Happy to help - sorry for the late reply.

You still have some malware showing in the logs. Probably due to P2P - gotta be careful there.

Let's do this:
Please follow the steps in the link below to run combofix. Be sure to run it exactly as the steps in the link instruct you to.
Once combofix finishes, please post the resulting log and we'll go from there:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Let me know if you have any trouble - I'll try to check back tonight, EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I would greatly appreciate it if anyone could help me fix this?

Please follow the steps in the linky below and post the results so that one of our volunteers can take a look at what is going on with your machine:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I brought an older system tower home from work so that I could wipe the drive and reinstall Windows XP. I have reformatted the drive and when Windows goes to log in for its first use, it comes up with "This copy of Windows must be activated with Microsoft before you can log in". I can't get beyond that, because I need to install drivers to make the network card work, so I'm stuck in a loop. I am using an OEM copy that was originally used and I am using the same license key as well. I've tried reformatting the drive by using debug and fdisk. I even managed to boot to safe mode and used sysprep to try and reset the activation. It won't let me do that either. I am at a loss on this one. I think that there might be some firmware on the motherboard that has a "memory".
Anyone have any ideas???
Thanks.

You could call M$ and activate by phone?
http://support.microsoft.com/kb/307890

What about downloading the necessary drivers to flash drive and transferring them to other computer and installing them?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

My computer tells me there is no such file C:\ComboFix.txt. Should I run combofix again?

Yes - please do that if you have the time. This time, use the command I posted previously.

It sounds like you are good to go for a reinstall, but let's see what the combofix says.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Where do I find this log?

You should find the log at C:\ComboFix.txt.
Just post that for me and we'll see where we stand.

-- Do you have a recovery partition on your machine? Or, did it come with a Windows CD?

-- Do you have a valid Windows product key? Usually it is a sticker attached to your computer - you'll know it when you see it.

-- What is the make and model of the ill computer?


Here's the argument:
1) I'd like to see how our cleaning efforts pan out before we reformat.
However:
2) If you don't have the time, reinstalling Windows will be a lot quicker.
And:
3) You should be as certain as possible that the machine is clean before installing SP3 - and a reinstall will provide the most certainty.
And you gotta have SP3 or you leave the machine open to a lot of nasties...

If you have a valid recovery partition, then the fix will amount to the push of a button to revert your computer back to its "right out of the box" state.
You will lose any programs you have installed since and you'll need to do immediate updating of service packs and patches as well as Antivirus and firewall programs.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

so I think I will play it safe.

Thank you very much for your help! I'll probably close the thread following a successful reinstall.

You're welcome :)

It's always a good idea to play it safe - especially with backdoors and rootkits. You can't take the lack of further symptoms or issues to mean you have nothing to worry about.
Even cleaning these malware will not return your machine to a 100% trustworthy state - though, some people can live with that if they don't use the machine for sensitive issues such as work or financial transactions.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't run combofix until I turn off "malware protection center". I can't find any way to do this. Everything I found online about this program says it's actually a trojan, so I don't know if I should just go ahead with combofix anyway.

Go ahead with combofix if you are able. Download it and place it on the Desktop as the page says to do.

Then Click START > RUN > in the box type or copy and paste everything in red below and hit ENTER

"%userprofile%\desktop\combofix.exe" /killall

This should run combofix - allow it to finish. It may reboot your machine - let it do so.
Once combofix finishes, please post the log for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

You can backup to another computer on your network. See --> http://windows.microsoft.com/en-US/windows-vista/Copy-files-to-another-computer
I don't recommend this with an ill machine. I much prefer an external drive for backups.

-- Wiping the hard drive and reinstalling Windows is fairly easy, providing that you have a valid license key and a Windows disk.
-- Your machine may have only a "recovery partition" with which to work. That actually makes things much easier, but, with some of the rootkits today, I wonder if it is 100% safe and effective. 'Course, for a lot of people these days, that's all they have....

If we try to clean this, you'll likely temporarily lose the internet connection - we ought to be able to deal with that.

-- What was the effect of the AVG run? Usually, it will pinpoint the infected driver but fail to remove it because of its critical nature. AVG should tell you that.
No worries - we'll find it soon enough.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

"Firefox can't establish a connection to the server at [insert antivirus site here]." IE won't connect to them.

Hi hodgeemory,

If you need assistance with this problem, please start a new thread and a volunteer should be able to help you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't had a chance to back up any of my pictures yet. Hoping to have this done tomorrow. Do you know if I send all the photo files in a zip folder to my e-mail, will I be able to recover those pictures once my computer is running correctly again? I just don't want to run the combofix and risk losing all my documents.

Your best bet would be to use an external hard drive. Or, burn them to DVD or CD.

Frankly, investing in a good, large external hard drive is a good idea. That is the easiest and best way to keep all your important data safe. It is especially easy if you use a drive such as Seagate FreeAgent GoFlex - Though you might want a larger capacity drive.

It is always a good idea to have backups in the event disaster strikes.

-- Running combofix is not going to damage your pictures, etc...
Even on the tiny tiny tiny verrrry remote chance it wrecks your operating system, I should still be able to help you recover your data. So, don't worry about that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

How much would I need to spend on a computer (desktop) that would be capable of playing BF3 at all the max settings?

That is difficult to say. Your cheapest option would probably be to build it yourself or have it custom built for you.
That way, you control the costs and components and can optimize the machine for a specific use while perhaps skimping on the stuff you don't really need....

'Course, it would involve a good bit of research on your end.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow - this machine has collected a ton of malware.
Not as much as the MBAM log might indicate because a lot of those changes were made by one baddie.
But, still, there were a lot of baddies - many should have been cleaned via regular preventive maintenance....

--- Anyhoo, don't do anything else except run combofix as I mentioned in my last post. We need to see if it will remove the worst offender.
So, run combofix as the linky directs and post the resulting log for me.

I don't think it'll come to a reinstall of OS unless you choose to go that way. But, once the machine has been cleaned as best we can do, it'll need to be updated to SP3. But, you need to WAIT until the machine is clean before doing that.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Ossray2000,

You have contracted a popular and nasty malware. It is usually accompanied by a backdoor trojan that harvests passwords and other sensitive data. If you use this machine for financial transactions or other important business you should change your passwords via an uninfected machine.

-- Generally, in cases such as this, I recommend wiping the hard drive and reinstalling Windows.

If that is not a feasible option for you, we can try to clean it.

-- You will need a flash drive to transfer programs and scanlogs from the ill computer to one that you can use to post with.

-- Is the internet still disabled? If not, it will be during the cleaning process due to some registry changes and an infected driver tied to DHCP.

Anyhoo, let me know how you want to proceed. At any rate, I suggest you back up any important data, music, pix, documents etc...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If there is anything else I can do please let me know. I appreciate your willingness to help out!

You are doing fine so far - the malware is making life a bit difficult. The main thing I wanted to see was the GMER log and it shows me what I need to see.

--- In all honesty, since you have a rootkit onboard and are running XP with SP2, you may be best served backing up your important data and then wiping the hard drive and reinstalling Windows and then updating it to SP3.

If you'd prefer to try to clean this machine, we can try - but I still recommend backing up any important data beforehand - pictures, music, documents etc...

If you want to go ahead with the cleaning process, please follow the steps in the link below to run combofix. Be sure to install the Recovery Console.
Once combofix finishes, please post the resulting log and we'll go from there:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Let me know if you have any trouble - I'll try to check back tonight, EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know how to attach the other file that is supposed to be a ZIP file.

Just copy and paste it - we prefer all logs to be pasted into your replies.

What about the other tools I mentioned?
You have some baddies showing that we need to try to pin down. We need to see those logs, if possible.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi AnnieJo,

Are you able to run the MBAM and the GMER scan as directed in the Read Me First post?
If so, please post the results.

Likewise, see if you are able to access, download and run http://public.avast.com/~gmerek/aswMBR.htm as directed by the linked page.

Let us know how you fare.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Would the Trojan be able to retrieve passwords from before the virus infected the system? I assume not, but maybe it is possible to access history to do this?

Never assume with these malware - Here's a quick overview of this type of malware:
http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan

These trojans can/may give a bad guy Full Control over your computer.
-- I am operating on the "better safe than sorry" principle here. There is no way to really know what data has been compromised (if any - there may be none) until it is too late. Then, you find out the hard way.
It is possible to pin down whether the backdoor is active or merely waiting/listening for further instructions - but, again, I prefer the BSTS principle :)

Read This---> When Should I Re-Format?

Is it possible to transfer data to an external hard drive or could this infect the external drive and data on it?

There is always risk of reinfection - you need to be careful what you back up. Documents, photos and the like are usually OK. I prefer to use an empty external drive and then scan the crap out of it before transferring the data back to a compy.

I would prefer not to re-install as I don't have a copy of Vista to begin the re-installation.....

That is typically the biggest issue - it'd be a whole lot easier if OEMs still included OS disks with …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, and Thank You for taking the time to read this!
ps : AVG seems unable to remove, delete or do anything to this Trojan, if I empty the virus vault I assume this does nothing and allows it back into the system?
I look forward to hearing from any one kind enough to offer advice or help!!
Thanks in advance!

Hi Treadiculous,

You have contracted a particularly nasty malware. It is usually accompanied by a backdoor trojan that harvests passwords and other sensitive data. If you use this machine for financial transactions you should change your passwords via an uninfected machine.

-- Generally, in cases such as this, I recommend wiping the hard drive and reinstalling Windows.

If that is not a feasible option for you, we can try to clean it. One of the reasons it is difficult to clean is that you will likely lose your internet connection during the cleaning process due to the removal of the infected driver (afd.sys, that you noted) and an altered registry.

-- You will need a flash drive to transfer programs and scanlogs from the ill computer to one that you can use to post with.

-- Let me know how you'd like to proceed. This infection can be cleaned, but you'll never be able to trust the machine 100% due to the specific nature of the infection (rootkit).

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It looks like you are on the right track.

I'd like to see the other logs I requested because, if the rootkitted malware is still active, it'll just reinfect another driver and you'll be back at square one.

This malware infects a random driver (from a small predetermined pool) and cleaning attempts bork the internet connection because they do not replace the infected driver, nor do they address the registry damage.

-- Did you back up the registry before hacking it? If not, I suggest you do so with a tool such as ERUNT.

Anyhoo, please post the logs and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope that I can find a solution through this community.

We can try :)

-- Do you have any logs from the malware removal process? If so, please post them.

-- Please download and run Farbar Service Scanner
Check all the boxes and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please follow the steps in the linky below to obtain the GMER scanlogs and the DDS Logs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I or another volunteer will try to check back as time permits.

-- 'Course, if you have issues connecting the ill machine, you'll need a flash drive to transfer the tools and scanlogs....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PhilliePhan,
Thanks. Let me try

You're welcome.
Let me know how it turns out.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PhilliePhan,
Thanks. I am also using the same software which my friend is trying to install. So what if I export that particular registry key and send it to him? Is he able to add that key to his registry?
-vinod

You could probably do that.
You might run into problems if the AppDataDir value is different for his setup, but a reinstall should work because the key will now exist and the value can be written anew.

It is easier just to have him open a command prompt and create the reg key.
At command prompt, type:

REG ADD "HKEY_LOCAL_MACHINE\Software\ESET\ESET Security\CurrentVersion\Info" and hit ENTER (the path contains a space, so it must be quoted)
Note it is REG<space>ADD<space>HKEY

Then, you'll need to reinstall as before and it should work this time.

If that fails, you'll need to completely remove ESET from the system (All files and reg keys) and start from scratch.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Then he searched the registry to find that particular key but he can't find that.

Hi Vinod,

That sounds like the problem - you may need to add that registry key. Do you know how to do that?

If not, I can help you. Let me know.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yay! I turned Windows Defender off and ran the Norton removal tool.....

Great! One less thing to worry about tomorrow :)


I'll defer to Judy on the AV/Firewall side of things.


The Comodo/Avira conflict was resolved a couple years ago.

I really like Avira - It just seems to have all sorts of imaginary issues with various firewalls and other security products these days. Especially with the latest versions.

Avira has had issues with SpywareBlaster (that Judy recommended, BTW :) ) and has even called for the removal of MBAM.

See below:
http://www.pcreview.co.uk/forums/re-avira-wants-uninstall-everything-t4042965.html


As long as you have configured your firewall properly to allow Avira's components to operate unhindered, there should be no problems.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

error: the system was unable to find the specified registry key or value.

OK - let's add it, then.

Download the attached ZIP and Extract FIXWinDef.reg from the zip to the Desktop.
DoubleClick FIXWinDef.reg and Allow it to merge into the registry.

REBOOT and see if that helps.

I'll be back tomorrow - Judy may have additional steps to try should this fail....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

While I'm away, please try this command in elevated command prompt:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windefend /s >> C:\Peek.txt

Please post me the C:\Peek.txt

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I used an administrator command prompt and did the verifyrepository and salvagerepository. Both commands returned with "wmi is consistent". After I rebooted, I went to services but Windows Defender is still not there.

OK - I will grab my Win7 compy and look at a few reg keys.

I probably won't be back until tomorrow evening, EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

WMI repository verification failed
error code: 0x80041003
facility: wmi
description: access denied

** Make sure you are running an Administrator Command Prompt

Let me get on my Win7 laptop and look at some reg keys.

In the meantime, let's try running this command:

winmgmt /salvagerepository

Run it over and over until it doesn't fail ( well, within reason, say 5-7 times).

If it runs with no error, REBOOT and see if windows defender shows up in services.

Again, be sure to use the elevated command prompt.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I did the fix.bat step; services.msc still doesn't show Windows Defender.

That was directed at the Norton and trying to remove that from Security Center, though it ought to resolve erroneous Windows Defender status, as well.

Let's have another look:
Open a command prompt and copy&paste:
winmgmt /verifyrepository ENTER
and tell us the result.


A number of AV programs will shut down Windows Defender + some malware will bork it. I'm not sure what is behind this current issue.

PP:)
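An added example, not from this thread or its author: a PowerShell diagnostic that gathers in one pass what the reg query, winmgmt /verifyrepository and winmgmt /salvagerepository posts above ask the user to run by hand, for the "Windows Defender is missing from services.msc" problem. It assumes the standard WinDefend service name and Start value meanings; the -Repair switch and the retry cap are this example's own choices.

```powershell
# Added example, not from the original thread: a diagnostic for the
# "Windows Defender is missing from services.msc" problem discussed above.
# It reads the WinDefend service state and registry key, then runs the same
# winmgmt checks the posts ask for. Run it from an elevated PowerShell prompt;
# the "access denied" result quoted in the thread is what you get without one.
# Assumptions (this example's, not the thread's): the service name WinDefend
# and the Start value meanings are standard Windows conventions; -Repair and
# the retry cap are choices made here.
[CmdletBinding()]
param(
    [switch]$Repair,            # also run 'winmgmt /salvagerepository' if verification fails
    [int]$MaxSalvageTries = 5   # the post says "within reason, say 5-7 times"
)

$svcName   = 'WinDefend'
$keyPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$startKind = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Does the Service Control Manager know the service at all?
#    If not, services.msc shows nothing, which is the symptom in the thread.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("Service {0}: Status={1}" -f $svc.Name, $svc.Status)
} else {
    Write-Output "Service $svcName is not registered with the SCM."
}

# 2. Is the service definition still in the registry, and how is it set to start?
#    This is the key the thread dumps with 'reg query ... /s'.
if (Test-Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath
    if ($null -ne $props.Start) {
        $start = [int]$props.Start
        Write-Output ("Registry key present: Start={0} ({1}) ImagePath={2}" -f $start, $startKind[$start], $props.ImagePath)
        if ($start -eq 4) {
            Write-Output "Start=4 (Disabled): third-party AV or malware commonly sets this, as the thread notes."
        }
    } else {
        Write-Output "Registry key present but has no Start value; the service definition is damaged."
    }
} else {
    Write-Output "Registry key $keyPath is missing: the service definition itself is gone, not merely stopped."
}

# 3. WMI repository health, using the exact commands from the thread.
function Invoke-WmiVerify {
    # Returns the text winmgmt prints, e.g. "WMI repository is consistent".
    return ((& winmgmt.exe /verifyrepository 2>&1) | Out-String).Trim()
}

$verdict = Invoke-WmiVerify
Write-Output "winmgmt /verifyrepository -> $verdict"
if ($verdict -match 'denied') {
    Write-Output "Access denied: re-run this from an elevated (Administrator) prompt."
}

if ($Repair -and $verdict -notmatch 'consistent' -and $verdict -notmatch 'denied') {
    # The post's advice: repeat salvagerepository until it stops failing, within reason.
    for ($i = 1; $i -le $MaxSalvageTries; $i++) {
        $salvage = ((& winmgmt.exe /salvagerepository 2>&1) | Out-String).Trim()
        Write-Output "salvagerepository attempt ${i}: $salvage"
        $verdict = Invoke-WmiVerify
        if ($verdict -match 'consistent') {
            Write-Output "Repository verifies as consistent after $i attempt(s). Reboot and re-check services.msc."
            break
        }
    }
}
```

Without -Repair the script only reads state, so it is safe to run before deciding on the salvage step.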

PhilliePhan 171 Central Scrutinizer Team Colleague

The message popped up saying combofix is now uninstalled. No problems :)

Sounds like you're good to go!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I've done away with Norton :D

Great!

All that is left to do is to uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Let us know if you run into any problems with the above.

Happy New Year :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague


So I am a little worried eset found so many corrupt files after performing the aforementioned tasks. Should I run a random virus/malware detection program from time to time?

Absolutely!
You should update and run MBAM every couple of weeks - more often if you engage in unsafe internet practices.

Keep a good AV/Firewall combo updated and running at all times. There are many good and free options available.
Online scans such as ESET are a good "backup" to your resident AV program if you feel you need a "second opinion."

The stuff ESET found is not worrisome.
You are going to get adware (or worse) in a lot of codec packs. I would recommend downloading them from a site such as Majorgeeks.com. The site owners are very good about keeping their downloads free of malware and crapware.

The Kryptik trojan was removed by combofix. What ESET detected was the combofix quarantine - no worries there.
To avoid these types of malware, always keep your Java updated and always remove older versions. If you automatically update it, this should be done for you.
Also, running ATF-Cleaner will flush the Java cache (if you set it to do so as directed in the Read Me First post).

The other detections are in System Restore. The combofix uninstall routine should have flushed System Restore points, or, at least it used to.
You can do this manually by turning System Restore …

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm running the MBA-M right now. I have a few questions though. How do I re-enable System Restore? I don't think I ever turned it off.

Malware could have turned it off. Or that service listed as not running may well be run on demand.... It can be hard to keep up with these things.

At any rate, we can verify it is running by doing this:
RightClick My Computer and select Properties >> System Protection and under Protection Settings make sure protection is on for the system drive.

Also, I plan to get rid of Norton and replace it with a combo of Comodo and Avira, but I know that Norton can be a pain to get rid of sometimes. Can you walk me through it? Lastly, on my desktop, I am using Comodo and Avast; should I switch my antivirus to Avira too?

The Symantec site has tools you can run to make the divorce from Norton a bit more amicable.
It may uninstall fairly cleanly these days - I guess you'll have to try that and see. Just make sure it is completely shut down before uninstalling it.

I like Avira. I have used it on one of my compys for many years and have been quite satisfied. It always ranks highly among the free options. My opinion is that it is the best of the free bunch.
Likewise, I'm sure there are people who prefer Avast! - I'm not one of …

PhilliePhan 171 Central Scrutinizer Team Colleague

That looks good - How are things running now?

-- Please update your Java here --> http://www.java.com/en/download/index.jsp
Then, look in Add/Remove programs and remove any old versions.

Or, you can open Javacpl and hit update and do this automatically.

-- Please run ATF-Cleaner as per the Read Me First sticky post and make sure Clear Java Cache is selected.


Then, please uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Let me know if you run into any problems with the above.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi natakudragoon,

Sorry for the late reply - awfully busy these days.

-- How are things running on the ill machine?
There were some discrepancies in the logs, but on closer look they seem OK.
The locked reg keys look benign and the suspect drivers are gone.

-- Please update MBAM and run a fresh scan and see if it reads clean.

I don't think the Olmarik trojan got a foothold on the machine.
You should, though, re-enable System Restore and definitely update Norton and make sure it is running properly.
Or, if it has expired and you don't want to renew, replace it with a good free option such as Comodo Firewall paired with Avira Free Antivirus.

Make sure both AV and Firewall are up and running as Olmarik is known to interfere with those.

Let me know how things shake out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I re-downloaded GMER, but when I save the scanlogs, it's an empty text file. It's 0 bytes and there's nothing in it. Should I still post it?

No - that's my fault. Sorry.

I'm working on some similar threads and, to save time, copied and pasted the next steps. GMER doesn't support 64-bit Windows.
No worries, though.
Try the others and post those logs.

I'll check back as time permits - there are still some issues in the combofix log, but I'm swamped at the moment.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Great - that looks good. How are things running?

Before we give the "all clear," let's check a few other things:

-- Re-run GMER and post the logs.

-- Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me.

-- Please run an ESET Online Scan and post the results.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply. I'm just appreciative of the help and support that you guys provide.
It skipped asking me to install the recovery console, so I'm assuming I already had it installed beforehand?

Happy to help :)

-- I don't see the recovery console, but no worries.

Let's try this:
-- Re-run GMER and post those logs.

-- I'd like to doublecheck something. Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please run an ESET Online Scan and post the results.

There are a few other issues in the combofix log that we'll need to look at - I'll try to put something together as soon as I get a chance.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi opr8tions,

Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the recovery console.

-- I or another volunteer will check back as time permits. I am not going to be around much through the New Year, so it may be slow going.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi natakudragoon,

Please follow the steps in the linky below to run combofix and post the log for us:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the recovery console.

-- I am not going to be online much through the New Year, but I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Last, but not least.

ESET_scan result
C:\Documents and Settings\chris\My Documents\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined

Great - looks as though you are good to go!

Happy New Year :)
PP