jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you try to run MBA-M in Safe Mode?
HiJackThis is rarely used anymore. Please follow the steps given in our Read Me First sticky and post back here with all logs.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

Then I would say the AVG findings are a false positive. AVG is just not a very good anti-virus program. When researching your problem I found no other av program that found this file. I would advise you use a different anti-virus program, it certainly is one that I never recommend.
It rarely ranks among the highest or most reputable. My advice would be use Avira Free 2012 or Avast Free, but not AVG.
Your System Restore is set way too large. You have restore points going back over six months. System Restore should never be used to go back that far, if it is used at all, and then it should be only for a very few things.
Your Java is way out of date, you are running version 6 Update 25 and the most recent update is version 6 update 30.
Uninstall All Java listed in add/remove and then go here to download the latest version. http://www.java.com/en/download/manual.jsp

Blahthing commented: Very Very helpful! +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

We need the second log from DDS and also a log, not a screen shot, from AVG

Also please upload this file C:\WINDOWS\system32\services.exe

to https://www.virustotal.com/ for scanning.

Post back with that information given. Not a print screen, but full information.
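Before uploading services.exe, a few local checks are worth running so the VirusTotal result can be read in context. The following is an added example, not code from the original thread; it assumes Windows PowerShell 2.0 or later, and the Microsoft CompanyName match is an assumption used for illustration.

```powershell
# Added example, not from the original thread: local checks on services.exe
# before uploading it to VirusTotal. Assumes Windows PowerShell 2.0 or later.
# The expected CompanyName string is an assumption used for illustration.
$target = Join-Path $env:windir 'system32\services.exe'
if (-not (Test-Path $target)) { throw "Not found: $target" }
$item = Get-Item $target

# SHA-256 through .NET so this also works on PowerShell 2.0
# (Get-FileHash only exists from PowerShell 4.0 on).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($target)
try     { $hashBytes = $sha256.ComputeHash($stream) }
finally { $stream.Close() }
$sha256Hex = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Version resource: the genuine file names Microsoft as the company.
$company = $item.VersionInfo.CompanyName

# Authenticode status. On XP/Vista/7 Microsoft system files are normally
# catalog-signed, and PowerShell on those versions reports them as NotSigned,
# so NotSigned by itself is not proof of tampering there. A Valid signature
# from a non-Microsoft signer, or a non-Microsoft CompanyName, is a red flag.
$sig = Get-AuthenticodeSignature -FilePath $target
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

$suspicious = ($company -notlike '*Microsoft*') -or
              ($sig.Status -eq 'Valid' -and $signer -notlike '*Microsoft*')

New-Object PSObject -Property @{
    Path            = $target
    SizeBytes       = $item.Length
    LastWriteTime   = $item.LastWriteTime
    CompanyName     = $company
    SignatureStatus = $sig.Status
    Signer          = $signer
    SHA256          = $sha256Hex
    Suspicious      = $suspicious
} | Format-List
```

The SHA-256 can be pasted into the VirusTotal search box first; if the hash is already known there, the verdict is available without uploading the file at all.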

jholland1964 650 Posting Expert Team Colleague Featured Poster

AVG will not remove a trojan as you have found. You need to follow the steps given in our Read First sticky
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Run all the requested programs allow them to clean whatever is found.
Then post back here with Copy/Pastes of all requested logs and we can then help you complete the removal.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy to help. Hope things are working well for you. Thanks also for identifying those start-ups which were unknown to me.
PhilliePhan gave me that avatar years ago at another forum and I like it also so I "carry it with me":)

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would suggest you begin from scratch; however, the previous advice was to reformat, and the present advice would be no different. HiJackThis is really no longer used that much and offers little if any information that can determine infection. The Read Me First sticky is what we would work from.
Yes, a recovery disk will wipe the drive and bring the computer back to its factory install condition. After 18 months and having had no clean up done of the computer, that would be my recommendation. However, if you wish to start a new thread of course this is your option, but those tools in the Read Me First sticky would be required; that is the only way we can get the information needed to proceed. If one tool doesn't work, go on to the next. The DDS scanner, both logs, are two of the key things that must be done. Without those we have no information whatsoever.
But after 18 months without doing anything my advice is a clean install. It would likely take you only a few hours to do so. You have waited 18 months to even think about returning, so I am certain a clean up may very well be totally impossible; too much time has passed to even halfway believe that this computer can be cleaned to the user's satisfaction.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are aware that this thread is nearly 18 months old, I presume. We have no idea what project or audits you are talking about here, or what tutorial you are talking about either. No one offered to post a tutorial. We recommended reformatting the machine, which would likely remove all malware because the drive would be wiped clean.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you turn off usb auto play as directed?
Please follow all the steps given in our Read Me First sticky and post back with all the requested logs. We really aren't able to offer much assistance until we can see the logs. Please run the tools and post back with copy/pastes of those logs

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

jholland1964 650 Posting Expert Team Colleague Featured Poster

Really your log doesn't look bad. You have some definitely unnecessary auto starting programs that can consume unnecessary resources, all of these can be run manually when needed and that's my recommendation. A good program to control auto starts is the CodeStuff Starter
http://www.snapfiles.com/get/starter.html Download, install. Open it.
It is pretty straight forward. Three tabs, Startups this shows auto starting programs, Processes, pretty much the same as Task Manager, maybe a bit more in depth, and Services, Same as Windows Services. This one program gives you everything in one package.
Choose the Startups Tab and choose All Sections at the top. This will show you everything listed that can appear as an auto starting program on the computer. The ones with the check marks next to them are the ones that ARE auto starting every time you start the computer; some will start up when the computer starts and then maybe turn off, some will continue to run all the time in the background. Of course some of those you do want to auto start and do want to run all the time, your Comodo for instance. But there are others that are not needed to auto start or run all the time. The ones that start up and then stop slow your start up time; the others slow start up time and consume resources. Here is a list of those that you can remove the check marks from the box next to the name, they definitely …
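The same autostart inventory can be pulled from the command line and kept as a text record next to the Starter view. This is an added example, not code from the original thread or from CodeStuff Starter; it is read-only, assumes Windows PowerShell 2.0 or later, and the "Review" heuristic (flagging commands launched from temp or profile folders) is a choice made here, not a verdict.

```powershell
# Added example, not from the original thread: enumerate autostart entries from
# the Run/RunOnce keys, both Startup folders and WMI's Win32_StartupCommand so
# they can be compared with the checked items in CodeStuff Starter. Read-only.
# Assumes Windows PowerShell 2.0 or later; WMI entries overlap the registry ones.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = @()
function Add-Entry($source, $name, $command) {
    # Autostarts launched from temp or profile data folders deserve a closer
    # look; this pattern is a heuristic chosen for the example, not a verdict.
    $flag = $command -match '(?i)\\(Temp|AppData|Local Settings|Application Data)\\'
    $script:entries += New-Object PSObject -Property @{
        Source = $source; Name = $name; Command = $command; Review = $flag }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Add-Entry $key $p.Name ([string]$p.Value)
    }
}
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Add-Entry $folder $_.Name $_.FullName }
}
Get-WmiObject -Class Win32_StartupCommand |
    ForEach-Object { Add-Entry $_.Location $_.Name $_.Command }

$entries | Sort-Object Review -Descending |
    Select-Object Review, Name, Command, Source |
    Format-Table -AutoSize -Wrap
```

Entries marked Review = True are simply the ones to look up first; plenty of legitimate updaters live under AppData, and anything unchecked in Starter should still be matched against this list before it is removed rather than just disabled.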

jholland1964 650 Posting Expert Team Colleague Featured Poster

What operating system do you have? You need to disable the auto play of the usb drives so that when you plug it in it won't automatically run. Sounds to me like there is possibly an infected file on the usb drive. Have you run a scan of the usb drive with your av program AND MBA-M?

See here to turn off Auto Play for whatever operating system you have. Also many, if not most AV programs can be configured to stop auto play when the devices are plugged in. This is done for your safety so that it stops the drive from auto playing and passing an infected file onto the computer. This won't stop the drive from being used, it will just have to be used manually.
http://support.microsoft.com/kb/967715
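For anyone who prefers to set the policy directly rather than through the dialogs, the following is an added example, not code from the original thread or from the KB article; it assumes an elevated Windows PowerShell session and writes the NoDriveTypeAutoRun policy value that KB967715 describes. On older systems the KB article also requires its update to be installed before this value is honored for all drive types.

```powershell
# Added example, not from the original thread: disable AutoRun for every drive
# type through the Explorer policy value described in KB967715, then read it
# back to confirm. Assumes an elevated (Run as administrator) PowerShell session.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# 0xFF sets the bit for every drive type, including removable (0x04),
# CD-ROM (0x20) and unknown (0x01), so a USB stick cannot autorun.
Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

$current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
if ($current -ne 0xFF) { throw "NoDriveTypeAutoRun is $current, expected 255" }
"NoDriveTypeAutoRun = 0x{0:X} (takes effect at next logon)" -f $current
```

The drive can still be opened and used manually from Explorer; only the automatic execution of whatever the stick advertises is blocked.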

jholland1964 650 Posting Expert Team Colleague Featured Poster

Until I can see current full scan logs, done today with the fully updated programs I cannot say for sure that the laptop is clean.
One of the problems with the scan you did with MBA-M on the 30th of December is that it was done in Safe Mode.
Safe Mode can be used as a last resort only if it is absolutely 100% impossible to get MBA-M to run in normal mode; however, even in situations like that there is a small file that can be run which very often stops the running infection processes so that MBA-M can then immediately be updated and run a Full Scan in normal mode.
MBA-M does not scan all files in Safe Mode, even with a Full Scan, so there were some files that were not scanned in that Safe Mode scan.
Normal mode should generally always be used for all scans, unless it is impossible to do so.
While those two findings on that safe mode scans were "technically" not trojans they were downloaders, meaning they bring in other things.
While your Comodo Internet Security and SuperAntiSpyware scans have found nothing, that is not a 100% assurance that there is not something else on the computer, all three programs, Comodo, SAS and MBA-M look for different types of infections, two can be clean but a third may find something and if you have not updated MBA-M and run another Full Scan in Normal mode since that …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry HeidiGiller, we seem to have overlooked your request for assistance. If you are still having difficulty I will be happy to assist. I have a suggestion, which I hope will simplify things a bit: work on one computer at a time. I would suggest beginning with the desktop, leaving the laptop powered completely off and disconnected from the home network. Get the desktop 100% clean and then begin with the laptop. To clean computers of malware/infection it is really most helpful if you have an additional clean computer to work through, in order to be able to move cleaning tools back and forth from the clean computer to the infected computer while keeping the infected computer off line until it gets to the point where it can more easily go back online to finish the clean up.

One more thing, HiJackThis is rarely used today, it gives such a small picture of what may be going on that very often a log can look clean even when a very serious infection is at work on the computer.
Today the scanner tool most used, especially on computers running Vista and Windows 7, is the DDS scanner, which gives a much more in depth picture. It is also used most of the time today on XP computers too.

If you still want assistance, begin with the desktop and follow the steps given in our Read Me First Sticky
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Use all the tools and post back …

jholland1964 650 Posting Expert Team Colleague Featured Poster

No problem between SpywareBlaster and Avira, I also use it and have for many years along with Avira.

This "concern" comes from the new possible compatibility Caution that shows before the new version of Avira is installed. This is just a general caution and not an ORDER to uninstall any of the programs mentioned in the warning. Prior to installing, the install file scans the computer for any programs installed that MAY cause a problem; it does not say they will cause a problem. It is just an Alert of POSSIBLE conflicts and you do not need to uninstall these software programs mentioned during the install. It is only there to make the user aware of the possibility.

It truly only applies to programs that also RUN real time protection...this is where the problem "may" come in, though not always either. This includes Resident SDHelper and Resident TeaTimer, Malwarebytes' Anti-Malware Paid version, which has realtime protection, SUPERAntispyware Paid which also has realtime protection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

And one more. You will receive this large pop up when one of the updates occurs. It is just the "price" you pay for using the Free version. Just click the "x" in the right corner to close it out.
There is one update built into the program, automatically scheduled to occur around the time of your original install. The one you schedule will be one additional update for the day. I suggest that you make it 10 to 12 hours different from the time of the built in one. This way you are assured you have all the daily updates.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here are the rest;

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here are print screens to show you how to set up Avira correctly, they are pretty self explanatory, any questions don't hesitate to ask.
this will take me two replies to get all the print screens on here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yay! I turned Windows Defender off and ran the Norton removal tool. I installed Avira with no problems and installed Comodo Firewall too. :)
I kinda got ahead of myself though, are there certain settings I should set Avira and Comodo to? Or should I post something for you guys to make sure my laptop is 100% safe now?

I am going to advise against that Comodo Firewall. It does not work well with Avira. This is noted at Avira also. I would advise you keep Avira, it is one of the top three av programs around, but I would Uninstall the Comodo and go with
PC Tools Firewall. It works very well with Avira and is one they recommend to use with their program.
Uninstall Comodo.
Then install PC Tools Firewall from here:

http://majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html

Also add, if you have not yet, SpywareBlaster. Truly a MUST HAVE for all computers. It blocks spyware, adware, browser hijackers, and dialers, and it also will:
Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
Block spying / tracking via cookies.
Restrict the actions of potentially unwanted or dangerous web sites.
It is FREE and it does NOT run in the background.
Download, Install, Update, Enable all protection and close the program. Check manually for updates every couple weeks. If there is an update available it will download and when it is finished be sure to Enable all protection again and close …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am having PP take a look at this, he gave me the script to give to you. You will just have to wait until he can respond, sorry.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this:

copy and paste this to notepad:

@ECHO OFF
REM Rebuild the WMI repository: stop the WMI service (and anything that
REM depends on it), set the old repository aside, then restart the service
REM so it recreates the repository from the installed .mof files.
REM On Vista/7 run this as Administrator (right-click > Run as administrator).

net stop winmgmt /y
cd /d %windir%\system32\wbem
REM The old repository is kept as repository.bad rather than deleted, so it
REM can be renamed back if the rebuild causes problems.
if exist repository ren repository repository.bad
net start winmgmt

save it to desktop as Fix.bat and then close all windows and run it.
REBOOT and see if problem remains.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It has to be on the computer, it cannot be uninstalled, it is part of the Windows 7 System, it can only be turned off.

Try this:
To enable the viewing of hidden and protected system files in Windows 7 please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button in the lower left corner of your screen that has a Windows flag on it.

Click on the Control Panel menu option.
Now click on the Show hidden files and folders option as shown by the red arrow in Figure 2 above.

Under the Hidden files and folders section select the radio button labeled Show hidden files, folders, and drives.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files (Recommended).

jholland1964 650 Posting Expert Team Colleague Featured Poster

it's not listed there either..... :(

Positive...It is in the "W"'s See my attached.

Think we will have to have somebody else take a look here. Obviously more damage than we thought.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Notice I said if not in your programs folder. then go to Services.
Go to Start and in the search box type services.msc
Now when that opens the Windows Services are all in alphabetical order so scroll down and look for Windows Defender. I guarantee it IS listed there. Then turn it off.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you certain you entered the script correctly? one of those still remains, and Windows Defender was enabled. It must be turned off.

Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.

Click Tools, and then click Options.

Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. Administrator permission is required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Also, go into Administrative Tools, Services and make sure that Windows Defender is Disabled. Double click the entry to open the properties. If it shows as running Stop it. Then change the startup type to Disabled. Then reboot.

jholland1964 650 Posting Expert Team Colleague Featured Poster

the laptop restarted itself before combofix created the logs, is that normal?

Yes, it can do that.

Now do the following:
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above SecCenter::

SecCenter::
{63DF5164-9100-186D-2187-8DC619EFD8BF}
{5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
{D8BEB080-B73A-17E3-1B37-B6B462689202}

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe which still should be on the desktop.
This will start ComboFix again. Ignore any warnings about Norton. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, let's do this again:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well your DDS log clearly shows Norton as installed though disabled but it also shows Windows Defender as Enabled. This might be the cause of the problem with removing Norton. Windows Defender interferes with pretty much anything tried by any other security program. Turn it off and leave it off.

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

Turn off that Windows Defender and try running that Norton Removal tool once more and then run DDS once more and see if Norton still shows.
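The AV:/SP:/FW: lines DDS prints come from the Windows Security Center registrations, and they can be read directly to confirm whether the Norton entries are really gone after the removal tool runs. The following is an added example, not code from the original thread or from DDS; it assumes Vista or later (the root\SecurityCenter2 namespace; XP uses root\SecurityCenter with a different schema), and the productState decoding follows the commonly documented byte layout and is an assumption rather than a published Microsoft API.

```powershell
# Added example, not from the original thread: read the Security Center
# registrations that DDS reports as AV:/SP:/FW: lines and decode productState.
# Assumes Vista or later (root\SecurityCenter2). The decoding of productState
# below is the commonly documented layout and is an assumption, not an API:
#   hex digits 3-4 = enabled (10/11 on, 00/01 off), digits 5-6 = definitions
#   (00 up to date, 10 out of date).
function Get-ProductStateText([int]$state) {
    $hex     = '{0:x6}' -f $state
    $enabled = $hex.Substring(2, 2)
    $updated = $hex.Substring(4, 2)
    $e = if ($enabled -eq '10' -or $enabled -eq '11') { 'Enabled' } else { 'Disabled' }
    $u = if ($updated -eq '00') { 'Updated' } else { 'Outdated' }
    "$e/$u"
}

$classes = @{ AV = 'AntiVirusProduct'; SP = 'AntiSpywareProduct'; FW = 'FirewallProduct' }
$lines = @()
foreach ($tag in 'AV', 'SP', 'FW') {
    $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class $classes[$tag] `
                              -ErrorAction SilentlyContinue
    foreach ($p in @($products)) {
        if ($p -eq $null) { continue }
        $lines += '{0}: {1} *{2}* {3}' -f $tag, $p.displayName,
                  (Get-ProductStateText $p.productState), $p.instanceGuid
    }
}
$lines

# More than one registered AV is exactly the "two anti-virus programs" situation
# called out elsewhere in this thread, so flag it.
$avCount = @($lines | Where-Object { $_ -like 'AV:*' }).Count
if ($avCount -gt 1) { "WARNING: $avCount anti-virus products are registered" }
```

A stale Norton line that survives the removal tool means the product's Security Center registration is still present even if its files are gone; that is the entry the CFScript's SecCenter:: section is used to clear.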

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run another DDS scan and post the logs, it obviously isn't gone.

jholland1964 650 Posting Expert Team Colleague Featured Poster

i downloaded avira from their website, however when i try to install it, it says i should manually uninstall norton internet security, but it's not in my uninstall programs list.

should i just continue with installation??

No most definitely not.
Go here and get the Norton Uninstall Tool for your product and run it first.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

After you run that and it's removed then do the Avira install. Be absolutely positive you use the Custom install so you don't take that Askbar and Webguard. You don't need either of those.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have two anti-virus programs on there:
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated*
AV: Microsoft Security Essentials *Disabled/Updated*

Your log shows the TDSKiller was run, do you have a log?

We need a log from MBA-M, Fully updated Full Scan.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Avira is absolutely MY choice. Without a doubt! It consistently scores in the top 3 on most independent unpaid testing. I recommend it highly.

jholland1964 650 Posting Expert Team Colleague Featured Poster

PP isn't here right now. Your log is clean. Thankfully.

To remove Norton go here and choose the correct Uninstall tool.
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

Once you have done that come back and I can walk you through the install and configuration of Avira 2012 Free. It's an excellent av program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

"Do the symptoms I described, right-click disabled, etc sound like it was the trojans that were causing problems?"
If you no longer have any of those problems then yes, probably they were the cause. For the right-click problem, maybe, depends on what it was that you were right clicking. If it was only on web pages and not everything on the computer, some web pages are written to disable this ability on purpose to protect it from unauthorized copying of the page or items on the page. If it only happened on a web page then it was the page itself.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It does not terminate legitimate processes. It terminates malware running that stops legitimate programs from running properly. If there were none then it would have terminated nothing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well portions of all of those programs are running or at least were running when you did the DDS scan.

Let's try something else: do the following in normal mode:

go to this link and download ALL copies available of rkill, there are 7 of them, same file just different names to fool the infection processes if needed

http://www.bleepingcomputer.com/download/anti-virus/rkill

Save all to the DESKTOP

double click on the first rkill file and see if it will run.
When RKill is run it will display a console screen, a small black screen in other words; it will keep running until RKill has finished. When it is finished it will close and then should show you a log telling you what processes were ended.

After that do NOT Reboot, but Update MBA-M and run another full scan with it; if it finds something have it remove them of course and then reboot the computer.
Post back with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes reboot. You have two anti-virus programs on there, parts of both running or attempting to run, Avast and MSE. The absolute rule is that only ONE anti-virus program should run, or even attempt to run, on a computer.
You also have PC Tools Spyware Doctor running also and it too has multiple files running.
Pick ONE of those three and Uninstall the other two, I would recommend keeping Avast and removing the others.

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is no way any tool should take all night and only be at 37%. A piece of advice, never leave an online scanner running all night when you cannot be there to watch it scan. Stop that scan and run this tool.
Post back with the log:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Save the tool to the desktop. Shut down all other programs and then run that tool.
When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
After clicking Next, the utility applies selected actions and outputs the result.

A reboot might be required after disinfection.
Come back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Post that log also and I will check tomorrow.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We request that all logs be copy/pasted, not attached. Please copy/paste those logs and also the MBA-M log and we will be happy to assist.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Glad all is working well!

jholland1964 650 Posting Expert Team Colleague Featured Poster

I really find this odd. So you still cannot use wifi?
Removing that infection should not have damaged the connection.
If you can find a way to go online then do this scan:
ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan and you will need to allow an ActiveX control to be installed, or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok do this, if you have to use a flash drive to get this program, that is fine, if you can fix the WiFi and do it with the computer that is fine too:

Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);

Run the TDSSKiller.exe file;

Wait until the scanning and disinfection completes. A reboot might be required after the disinfection has been completed.

Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Fantastic! Do you feel things are running ok now?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try going into the Device Manager and Uninstall the card, reboot and let the computer find and install it again.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Then we know that the computer can connect and the problem is with wireless only.
Try these steps:
Go to control panel Administrative Tools, Services.
Look for Wireless Zero Configuration on the list in the right pane. The list is alphabetical, so you should be able to locate it maybe third from the bottom.
Double-click it to open it.
Click on the STOP button to stop it (lower left). If it is not highlighted or is grayed out, then the service is stopped. (it should also say that the SERVICE STATUS is stopped).
Look for STARTUP TYPE drop-down menu. Change it from AUTOMATIC to DISABLED. then click on APPLY (lower right).
Then just change it right back from disabled to automatic and click on apply again.
Click on START button (right beside the STOP button) on the same window to start the service.
Close the services local window.

Go to Start and then Control Panel. Network Connections. If you don't see Wireless Network Connections or Local Area Connection after opening Network Connections, kindly look for Network Connections again (it maybe on the lower right).
Right-click on the icon for Wireless Network Connections then left-click on Properties.
You should have several tabs. Click on Wireless Network Connections tab (near the top of the window).
Make sure you have a checkmark on where it says, "Use windows to configure your wireless connections..." or something like that.

Make sure …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You said you cleaned this infection off the computer...how did you do this? What tools did you use?
I need to see the logs from the tools you used then, not the logs from today.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you connect the laptop directly to the internet using modem cable?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thank you for posting the Attach.txt log, I have removed your zip attachment.
Have you tried a full reset of the modem and router according to instructions given in link below?

http://www.ehow.com/how_2178176_highspeed-internet-modem-wireless-router.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please remove that zip file, and copy/paste the log here. We don't open attachments. Instructions are very clear in the Read Me Sticky,

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Copy&Paste both the DDS.txt and the DDS Attach.txt into your post for assistance.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am sorry we couldn't do it with just cleaning procedures but I do believe you will be much happier doing it this way...essentially you should end up with a new computer!

And, in the long run, it will be much faster than trying to find every little bit of infection.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those types of files should be ok, but be sure to scan them first before putting them onto the newly formatted computer.

As I said, totally reformat the drives, wipe them clean. Then install Vista and all of your drivers. Of course if you have a router and modem those will have to be hooked up also so you can get online. Do that after the system reinstall. Then go online and thoroughly update the system with all Windows updates. Then you can go forward with the upgrade. Once that is done and fully updated then begin just as you would with a brand new computer, installing everything else. Begin with the security programs, including the built in Windows 7 firewall. It is excellent.

If you have any further questions about all this just post right back here and I will try to find the answers for you if I don't know them.