jholland1964 650 Posting Expert Team Colleague Featured Poster

The simple way is to restart your computer, go to Safe Mode, and scan your PC from there. But if that still fails,

you must format your disk and then install the other antivirus, and scan in Safe Mode. Do the cleaning in Safe Mode.

Nice :)

Re-format is the last way to go here. Take a look at other threads with similar situations in recent weeks, you won't find reformat given as the solution on any that I can recall. That would be the very last option. MBA-M has found many infections already so it is obvious we are taking the best steps at this point and have made some progress. Let's give the poster the chance to at least attempt to get things clean by re-running MBA-M and having it fix what it has found, then run a new HJT and post both logs here before we advise a re-format.

jholland1964 650 Posting Expert Team Colleague Featured Poster

How are you running the computer if files are missing? Are you using a different computer?
Give us the names of these files and we can tell you how to replace them.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Update and re-run that Malwarebytes' program and have it fix everything found. Reboot the computer and then run a new HJT scan. Post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Isaac, did you try to run the ESET scanner again?

You also need to MOVE HiJackThis from the temp folder where it is located now to its own folder. It needs to have its own folder in order to make backups for any fixes done with it. Backups cannot be made in a Temp folder.
Right Click on your desktop or maybe in My Documents and choose New, Folder. Then name the Folder HJT or whatever, just be sure it isn't a Temp folder then drag or move HiJackThis to that Folder.

You need to do this before any suggestions for fixes with HiJackThis are made OR done for that matter.

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Isaac,
You are running two antivirus programs on your computer. This is something that you should never do. I see you have McAfee, which is a pay for program and also AVG8, which may be free. Please go to Add/Remove and Uninstall one of them, whichever one you choose is fine but you must remove one of them.
After you have uninstalled that extra antivirus program then run another scan with HiJackThis and post the log here.
Running the two programs may have been the reason Eset Scanner wouldn't complete. One of the requirements for running that online scan is you must turn off your antivirus program, if you had both or one running at the time of the scan it possibly wouldn't complete.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Give me a bit and I will get back with you on what to do next.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

i have a question, i removed spybot from my computer but when i turn it on, the spybot icon shows in the icon tray. is there anyway to remove that?

How did you remove it and WHY? I only asked you to disable TeaTimer not remove the program.
Spybot is an EXCELLENT program. There was no need to Undo what it had fixed, as you stated that you did in your first post, or remove the program.
It obviously isn't removed all the way because TeaTimer still shows in the HiJackThis log

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Please tell me HOW did you remove the program from the computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi welcome to daniweb,
Can you give us the MBA-M log too please?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Obviously all is not and was not cleaned out.

Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked at this time and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, please do the following;

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is …

jholland1964 650 Posting Expert Team Colleague Featured Poster

This start up process is unknown, have searched and found no information about it. Disabling the start up is really not enough this will stop it from starting but does NOT remove it from the computer, we need to find out what this is and possibly take steps to remove it. It could be a dangerous file so please do the following:

Go to http://virusscan.jotti.org/
Upload the following file

C:\Documents and Settings\Claire Macklin\SNlIKnwcXNF.exe
It will then be scanned by multiple virus scanners and you will receive a report about this file.
Please post back with that full report.

Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

That is wonderful. Happy that all was solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, since you say you will delete what needs to be deleted let's begin there.
Run HiJackThis again. What I need to see is an Uninstall list. To do this do the following;
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a list of programs installed on the computer.
At the bottom right you should see a button Save List. Click this and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here. You can also either print it out or save it someplace on the computer where you can find it for later use.
May be that no programs need to be removed but it is good to have the list.
You should go through that too and see if there are programs you have installed that you know absolutely are no longer used, like software for an old printer or camera you no longer have.
Hard drive is 140gb with 80 gb used, not too bad, slightly more than half but there are probably things you can get rid of and free up some space.
Now you say;

my son downloads all sorts of rubbish,
nothing on the computer is of …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I see you still have that Modem On Hold program running at start up and all the time in the background. Program is located in C:\Program Files\NetWaiting\netWaiting.exe

If you don't use dial up then you don't need this program. There is no reason at all for it to be starting or running. Disable it

The other thing is your java is out of date so you should update that.
Go HERE and download the Offline Install to the desktop. Once you have done that then go to Add/Remove and Uninstall all old versions of Java you find there.
Then double click the Java Install icon on the desktop to install the newest version. Once you have done that then go back to the Java download page and on the right side you will see Verify Now. Click that to verify the installation was successful.
Other than those two things I would say you are good to go!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Turn off that Norton program. You should only have one running on the system at a time.
You need to download Malwarebytes program and follow the directions given in the sticky in order to install, update and run it.
Then reboot the computer.
Then download HiJackThis and run a full system scan and save the log. Post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

TeaTimer would be off yes, but you didn't have to uninstall the program, it is a good program. The TeaTimer portion isn't required and can cause problems with some removals of malware by other programs.
Go ahead and delete that installer. It is probably for the older version and there is a newer version that you can download and install later if you wish.

jholland1964 650 Posting Expert Team Colleague Featured Poster

For one thing, get an up to date antivirus program. You are running AVG6, current version is AVG 8. If you have an up to date program it probably would have caught and removed it without difficulty.
Yes you are showing at least one infection, could be more but we won't know until you run some programs. Protection against this infection has been available since June of 2004.

UPDATE that antivirus program now.

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us

Also update and run a scan with Spybot. Fix everything found there too.
Then reboot and run a new HiJackThis scan and post the ESET log and the HJT log back here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you remove that extra antivirus program?

jholland1964 650 Posting Expert Team Colleague Featured Poster

do you see anything wrong with the 2 log files I have posted other than limewire (blush)

Absolutely, not crazy about the limewire but since you blushed I guess you realize the risk you are taking with file sharing.
The main thing I notice is you are running TWO antivirus programs, Norton and AVG8. This is an absolute no-no. The rule is ONE antivirus program and ONE firewall on a computer. Run more than one and you open yourself to real trouble.
The choice is yours...Pick ONE and then totally UNINSTALL the other one immediately.

After you do that then do the following;

Run HJT again and place checkmarks next to the following entries;
O2 - BHO: (no name) - {01A95BD7-63C9-489D-AF51-026366EB2CEb} - C:\WINDOWS\system32\jshggelj.dll (file missing)
O2 - BHO: (no name) - {028B8384-FF17-4C5B-8937-C0999725CAA4} - C:\WINDOWS\system32\jshggelj.dll (file missing)
O2 - BHO: (no name) - {0352B7AE-63C9-489D-AF51-026366EB2CEb} - C:\WINDOWS\system32\jshggelj.dll (file missing)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the system and if you feel all is running fine then you are good to go.
Judy
GET THAT EXTRA ANTIVIRUS PROGRAM OFF THERE ASAP!

jholland1964 650 Posting Expert Team Colleague Featured Poster

conormacklin, you need to run another HiJackThis scan just to be sure and post the log here. There were a couple other fixes that needed doing that I saw when looking at your last HJT log but wanted you to run that Malwarebytes' program first.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all TURN OFF Spybot TeaTimer, it can interfere with fixes we need to do.
Open the Program, Click Mode at the top and choose Advanced. When you do that you should see three buttons on the bottom left side, one of them is Tools. Click Tools. When that opens you should see a row of buttons on the left side. Click Resident. When Resident opens Take the check OUT of TeaTimer. Close the program.

Now do the following;
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am thinking that the remaining problems probably stem from the attempt to repair the system while it was infected. A system repair is not going to remove a virus or a trojan, a full reformat probably would but that is a very drastic step to take instead of just removing the virus and one I would only recommend as a very last resort.
Can you get online and use a browser at all with this computer?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Post all scan results you have here in this thread.

jholland1964 650 Posting Expert Team Colleague Featured Poster

When I switch on my CPU a long beep sound is developed and there is no display in the monitor.
please send me reply ?

You need to begin your OWN thread and not hijack another's.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have possibly a trojan on the system. Begin by following these programs linked HERE
Don't run the DSS scanner when the other steps have been completed but run HiJackThis and post back here with all logs noted in the sticky and the HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Number one, if you already had McAfee on the system you never should have added AVG.
The rule is only ONE antivirus program installed on the computer.
Now you said

A virus scan I did said I had Trojan horses and Adware,

I need to know the name of the virus scan...where did you get it and why? Especially if you already had McAfee. If it was an online scanner that is different but if it is another program you downloaded then this is and has compounded your problem. What happened to the McAfee program, where is it? Why did you run another scan if you already had that one?
Your firewall "could" be blocking the downloading of these programs, though if you couldn't do it in Safe Mode with Networking I don't know. The firewall shouldn't have come on in safe mode I wouldn't think.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can I ask what was the exact name of the virus? Did you ever have an antivirus program on the computer or only install one after the fact? Do you have a firewall? Is it enabled? How are you connected to the internet?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello asusrocks welcome to daniweb,

Try this first;
Run HJT again and put checkmarks next to the following;
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKLM\..\Run: [\YUR9.exe] C:\Windows\system32\YUR9.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MSA\MSA.exe
O4 - HKLM\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [7ce7129d] rundll32.exe "C:\WINDOWS\system32\vfwopswy.dll",b
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKCU\..\Run: [\YUR9.exe] C:\Windows\system32\YUR9.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O20 - AppInit_DLLs: netusg.dll
Once you have placed the checkmarks then click the Fix Checked Button.
Exit HJT
Reboot.

I want to stress here...removing the above entries is NOT removing the infection; we are hopefully going to stop it from running so it can be removed.

Now do the following;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
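
An added example, not part of the original posts and not HijackThis's own logic: a Python sketch that parses the O2, O4 and O20 line formats quoted in the posts above and lists reasons a helper would look closer at an entry. The triage rules and reason strings are assumptions drawn from what the posts single out (missing BHO files, duplicated Run values, rundll32 launchers, executables in a user profile, a populated AppInit_DLLs); they are prompts for review, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis excerpts quoted in the
# posts on this page, including one entry (TeaTimer) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01A95BD7-63C9-489D-AF51-026366EB2CEb} - C:\WINDOWS\system32\jshggelj.dll (file missing)
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [7ce7129d] rundll32.exe "C:\WINDOWS\system32\vfwopswy.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sqoic] "c:\documents and settings\claire macklin\local settings\application data\sqoic.exe" sqoic
O20 - AppInit_DLLs: netusg.dll
"""

# One pattern per section; only registry Run-style O4 lines are handled here,
# Startup-folder O4 lines are ignored by this sketch.
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\})"
                      r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                      r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")),
    ("O20", re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")),
]


def parse(log):
    """Return one dict per recognised O2/O4/O20 line."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "line": line, **m.groupdict()})
                break
    return entries


def triage(entries):
    """Return [(line, [reasons])] for entries worth a closer look."""
    # Track which hives register the same value name and command.
    hives = defaultdict(set)
    for e in entries:
        if e["kind"] == "O4":
            hives[(e["name"], e["cmd"].lower())].add(e["hive"])

    findings = []
    for e in entries:
        reasons = []
        if e["kind"] == "O2":
            if e["missing"]:
                reasons.append("BHO points to a missing file")
            if e["name"] == "(no name)":
                reasons.append("BHO has no name")
        elif e["kind"] == "O4":
            cmd = e["cmd"].lower()
            if e["name"].startswith("\\"):
                reasons.append("value name starts with a backslash")
            if len(hives[(e["name"], cmd)]) > 1:
                reasons.append("same entry under HKLM and HKCU")
            if cmd.startswith("rundll32"):
                reasons.append("DLL launched through rundll32")
            if "\\documents and settings\\" in cmd or "\\users\\" in cmd:
                reasons.append("runs from a user profile directory")
        elif e["kind"] == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            if e["dlls"].strip():
                reasons.append("AppInit_DLLs is populated")
        if reasons:
            findings.append((e["line"], reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(parse(SAMPLE_LOG)):
        print(line)
        for r in reasons:
            print("    -", r)
```
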

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not sure what is going on here, this is not actually a website but the actual executable file. What happens when you double click on that in my post, does it actually say the website is blocked?
In Internet Explorer go to Tools, Internet Options, Security. Click on Trusted Sites and put in there
http://www.besttechie.net/tools/
and click OK.
Also make sure your security settings are not too high. Move that glider over for now to Medium-Low and also click on Custom Level and scroll down and put "dots" in the following;
Automatic Prompting for File Downloads Enable and in File Downloads Enable
Click Ok and close that out.
Now first try to click on my link for the Malwarebytes' program and see if you still get a blocked message. What you SHOULD get is a prompt about downloading the program and where do you want it saved, desktop is what you should say. If that doesn't happen then go directly to the website above and the very last item on the list is mba-m. click that.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi jerseychik,
You should make your own thread, giving us the exact symptoms you are experiencing and yes do the same steps I gave to meishjennie but be sure to do them in your OWN thread.
Makes it much less confusing for all that way.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello BTerrence, welcome to daniweb. You have a HUGE number of programs running in the background which could really pose a problem. Give us some info on the computer itself...Hard drive size, how much space is remaining, how much RAM is installed
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

The only "odd" entry I see in your log, other than the NetWaiting thing is this one;
O4 - HKCU\..\Run: [sqoic] "c:\documents and settings\claire macklin\local settings\application data\sqoic.exe" sqoic
Do you know what this is?
Ordinarily I wouldn't recommend this but you might try "fixing" this with HJT.
Run the program again, put a checkmark next to that entry and click the Fix Checked button. Exit HJT.
Reboot the computer and see if you still have problems accessing the steps and sites given in my post #3. If you CAN do those then try them, especially the Malwarebytes's program.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

What do you mean it didn't work again?

jholland1964 650 Posting Expert Team Colleague Featured Poster

CAUTION others reading this THREAD that combofix will not work for every computer or every type of infection and combofix should NEVER be run unless directed to do so by somebody helping you.

Bleeping Computer
Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Also, please do NOT post YOUR problems in another person's thread, some would call that thread hijacking. You should begin your OWN thread.
This thread was originally begun by g3nX. Two times now others have posted in it first Sheik who made two posts and was told to begin his own thread, and now by geckogates who has posted a combofix log for an unknown computer with unknown problems. This can be very dangerous. This combofix log posted is only a partial log. It shows nothing else...many more problems can be on his computer and be revealed by the rest of the log, but now we will never know.

Posting your problems OR results of scans run by others because of UNKNOWN problems can lead to a great deal of confusion, first to the original poster and their helper and secondly to others who may be reading the thread for information purposes.
Please Begin Your OWN thread if you have …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Actually for right now, skip those, if needed we can go back to them.
Right now, best thing to do is download and run the following; Instructions and download links can be found in the sticky. Also follow instructions for running the ESET Online Scanner
ATF-Cleaner, Malwarebytes' Anti-Malware program
Finally download HiJackThis and run it. The link for that is in my post above.
Do those four things, post the three logs here and we will go from there.
Judy

tiger86 commented: Very nice and helpful and does not get frustrated easily. +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy I could provide some help. One more thing you need to do and that is set a new and now clean System Restore point. To do this Right Click My Computer and choose Properties.
When System Properties opens choose the System Restore Tab.
When that opens place a check mark in Turn Off System Restore. Click Ok. You will then get notification that you are turning off System Restore. Click Ok.
System Restore will turn off. Wait a moment and do the same thing in reverse and Remove that check mark. Click ok. System Restore will then turn back on and you're good to go!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi meishjennie, Welcome to daniweb!

Go HERE
Download and run Malwarebytes' Anti-Malware from there and follow the instructions given there. Be sure to have it fix items found.
Also run ESET Online scanner, you will find the link on the sticky I gave you. You have to use Internet Explorer to do the ESET scan. Follow the instructions given and save that log.
Then download HiJackThis
Do a full system scan and save the log.
Post back here with all three logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try running it in safe mode. It should make it go somewhat faster because there won't be a lot of items running in the background.

conormacklin commented: helped so much! +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, wireless, is there a way you can connect the internet cable directly to the computer and bypass that wireless for now?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Isabelle, welcome to daniweb. Let's begin with that laptop first ok, see if we can get it cleaned up and THEN go onto the desktop. It would be too confusing for both of us to try to work on both at the same time. First of all, you have answered one of your own questions;

I don't know how I got it as I didn't download anything but I did open a torrent file.

That is more than likely how you got it.
What operating system do you have on the laptop? XP....Vista?
I would like you to try to do this ;

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

...I fear that your …

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you are on highspeed then why are you not connected all the time? You should be, I know I am. You should just be able to open a browser and be online or else we are talking about a different kind of high speed.

I notice you have a program running in the background called NetWaiting. If you are on highspeed, why do you need this program running? This is a program that provides a mechanism to suspend a dialup internet connection on the modem line while the user uses the line for a voice communication.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good. Just needed to see what was removed. Be sure to update that Java program as noted in my other post.
I would also recommend that you download, install, update and then enable SpywareBlaster. It truly is a MUST HAVE program, it is FREE and it DOES NOT run in the background.
Here is the information from their website on what it is and what it does;

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

* Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
* Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
* Restrict the actions of potentially unwanted sites in Internet Explorer.


SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.

And unlike other programs, SpywareBlaster does not have to remain running in the background.

This program really DOES work. I would hope you would install it and be certain to enable the Restricted Sites portion of it too.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

When I start up my computer, a program opens to be able to connect to the internet (orange) and this isn't working in safe mode,

Have you tried Safe Mode with Networking? This will allow you to enter safe mode but with the ability to get online.
Are you on dial-up or high speed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry forgot to say, I have tried downloading all those programs that there are in the stickies (eg hijackthis) but when I click the links it says "page load error". I think this may be related to my problem :S

Whoops! Didn't see your last post.
See if you can run your antivirus program in Safe Mode first. Then see if you can get the HiJackThis I posted and run it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi conormacklin and welcome to daniweb.
From the way things sound you posted in exactly the right place. You need to follow some steps and run some programs to help us see exactly what is going on with the computer.
Go HERE
Download and run the ATF-Cleaner to clean up unnecessary temps and such.
Then do a full system scan with your Antivirus program and allow it to fix everything found.
Then download, install and update Malwarebytes's Anti-Malware. Then follow the directions on running it given in the link by PhilliePhan. Save the log for posting here.
Run the ESET Online scanner if you can using the directions given by PP. Save that log too. If you cannot run it yet, don't worry, we can get to that later if needed.
Finally download and run HiJackThis Do a full system scan and save the log.
Post back here with all the requested logs and we can take a look.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Isaac, basically all you have to do is click on the link provided and download and run the programs. You won't be asked a lot of questions. Just run the programs needed.
The main things to do are run the ATF-Cleaner. This will clean out temporary files.
Then run the online ESET Scanner. You have to use Internet Explorer. Save the Log.
Next program will be Malwarebytes' Anti-Malware. Install and Update. Then run the scan.
Let it FIX whatever it finds.
Save the log.
Run a new HiJackThis scan. Save the log.
Post back here with all those logs.

Take all the time you need. I'll be here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

This is a clean malwarebytes' log. What I need to see is the one that cleaned the infected files. You can find the logs in the program under the Logs tab. You will have to click each one shown to find the correct one. It would be good also to see the Smitfraudfix log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi upspiral89, welcome to daniweb. You need to begin your OWN thread, stating your problems and what you have done to remedy them and include the log. Posting in another's thread makes it somewhat confusing for those of us who work the threads and others who may be doing some searching for solutions and for the original poster. While problems may seem exactly the same often times they are not and require different tools or solutions.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks like Malwarebytes' took care of a lot of items. But would like you to run one more program as there are a couple items in your log I can find no information about;

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still going through the combofix log, one thing I didn't notice on the last one...it was there just didn't see this then. There is a program listed, SpyRemover, may I ask, who is the manufacturer of this program? Is it ItCompany.com? The reason I ask, if it is THAT manufacturer then the program is a legitimate program, if it is NOT then it is considered a Rogue program and should be removed.

Can you run HiJackthis again, but this time choose the Misc tools button and get an Uninstall List for me?
It will take me a bit to go through this combofix log but I will get back ASAP to let you know if there are other fixes which need to be done with it. In the meantime post that Uninstall List for me if you can.
Judy