jholland1964 650 Posting Expert Team Colleague Featured Poster

I ran Malwarebytes without positive results.
I didn't find any threats. The Win32 problem keeps popping up.
It disables my shared documents in my network.

thanks

This is obviously not true. Your MBA-M log DOES show infections which were NOT cleaned by you.

Ficheros Infectados:
C:\WINDOWS\system32\45.exe (Worm.Rimecud) -> No action taken.
H:\RECYCLER\autorun.exe (Worm.Rimecud) -> No action taken.

You have to tell the program to clean things up and you did not.
Plus you DID NOT update the program prior to running it as your database is out of date by several days at the very least. Current database is 3311.
You also have SpyBot TeaTimer running which can prevent fixes. You must turn this off by doing the following:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

After doing that UPDATE Malwarebytes' Anti-Malware. Run a Full Scan with it and have it REMOVE EVERYTHING found.
Reboot the computer. Run a new HJT scan and save the log. Then post back here with the MBA-M scan log and the HJT log.
Judy
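As an added example (not code from the post, and not Malwarebytes' own tooling), here is a small Python triage over a constructed MBA-M 1.x log laid out like the lines quoted above. It flags the two problems pointed out in the reply: detections left at "No action taken" and a database older than the current one (3311 is the current version quoted in the post; the sample's 3301 is made up).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a Malwarebytes' Anti-Malware 1.x log. The two Worm.Rimecud
# lines are the ones quoted in the post above; everything else is filler in the
# same layout, not the poster's real log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
www.malwarebytes.org

Database version: 3301

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 187412
Time elapsed: 1 hour(s), 12 minute(s), 3 second(s)

Files Infected:
C:\WINDOWS\system32\45.exe (Worm.Rimecud) -> No action taken.
H:\RECYCLER\autorun.exe (Worm.Rimecud) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\abc.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<threat name>) -> <action>."
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
DBVER_RE = re.compile(r"^Database version:\s*(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    item: str
    threat: str
    action: str

    @property
    def remediated(self) -> bool:
        # Anything other than "No action taken" means MBA-M was allowed to act on it.
        return not self.action.lower().startswith("no action taken")


def parse_log(text: str) -> Tuple[Optional[int], List[Finding]]:
    """Return the database version and every detection line found in the log."""
    db_version = None
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = DBVER_RE.match(line)
        if m:
            db_version = int(m.group(1))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["item"], m["threat"], m["action"]))
    return db_version, findings


def triage(text: str, current_db_version: int) -> dict:
    """Summarise whether the log shows a stale database or uncleaned detections."""
    db_version, findings = parse_log(text)
    stale = db_version is None or db_version < current_db_version
    unremediated = [f.item for f in findings if not f.remediated]
    return {
        "database_version": db_version,
        "stale_database": stale,
        "findings": len(findings),
        "unremediated": unremediated,
        # The advice in the post: update first, rescan, then remove everything found.
        "rescan_required": stale or bool(unremediated),
    }


if __name__ == "__main__":
    # 3311 is the current database version quoted in the post above.
    for key, value in triage(SAMPLE_LOG, 3311).items():
        print(f"{key}: {value}")
```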

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you having any symptoms of infection, other than this listing from the Windows Live OneCare safety scanner?
Run that again and see what it says. I am not familiar with this program but have seen other posts on other forums with this same finding without other scanners finding anything.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The other logs need to be posted. We need to know exactly what was removed and from where. MBA-M log is very important...the full log, not just names of removed items.

jholland1964 650 Posting Expert Team Colleague Featured Poster

When did you run NoLop?

You need to go into Add/Remove and Uninstall Messenger Plus! Live
This is what carried in the Lop infection.
Then reboot and run a new HJT scan and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you tell me exactly WHERE the Windows Live OneCare Safety Scanner told you this trojan was located? It should have given you that information also.
ESET was run first and it removed an item in Spybot's quarantine but of course didn't locate a trojan, as it mainly looks for viruses. MBA-M didn't find anything. You have a Norton program on there, have you done any scans with that? If not please update it and do a full scan with it also.
Have you had any other symptoms or indications of an infection other than this scan telling you this?
One thing you need to do is turn off Spybot TeaTimer as it can interfere with any fixes tried.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
Try your Norton program and let me know what it finds.

jholland1964 650 Posting Expert Team Colleague Featured Poster

mjlatnc, welcome to daniweb. You need to begin your OWN thread rather than posting within somebody else's thread. While problems may seem similar, no two computers are exactly alike, and working with two different posters and computers on the same thread is next to impossible. Please create your own thread, with a definitive title, and we will be happy to help you.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you have no anti-virus on the computer then I would recommend instead that you install Avira. It is good, and it is Free.

Why didn't you note that you ran NoLop before you came here?

I need to see an Uninstall List generated by HiJackThis.
Run HijackThis and click Open the Misc Tools section

* Click Open Uninstall Manager
* Save list
* click on the Desktop icon or select to save the list on the desktop
* then click save.


Open the file and copy/paste the contents back here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It's a 32-bit Operating System.

Thanks, first then you need to Uninstall BitDefender entirely. I would use this program to do so;
BitDefender Uninstall Tool
After you run that tool THEN follow the instructions for the use and running of Combofix and post back with the log it produces.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you still getting the redirects?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi welcome to daniweb,
Run HiJackThis again and put check marks next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)

Once you have placed the check marks then click the Fix Checked button. Exit HJT and reboot.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When …
jholland1964 650 Posting Expert Team Colleague Featured Poster

HELP !!!

How do I remove TrojanDownloader:BAT/Ftper.gen ???

Thanx ... Bawb.

Begin with the instructions HERE and post back here with the requested logs. How do you know that you have this infection?

We need all info on the computer also, operating system, anti-virus program, firewall, what tools have you all ready tried? If you have logs from those please post them.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I installed AVG because when I uninstalled BitDefender it stopped uninstalling halfway through, so I restarted my computer. When I went back to Add/Remove Programs, BitDefender was not there anymore. I could still find the file location, but there isn't any uninstall.exe, so I installed AVG to protect my computer.

Don't run Combofix until we get this anti-virus program problem corrected. How did you try to Uninstall BitDefender?
Is this a 32bit or 64bit system?

If you don't know here is how to find out. We need to know this for sure before going forward.
View System window in Control Panel

1. Click Start, type system in the Start Search box, and then click system in the Programs list.
2. The operating system is displayed as follows:
* For a 64-bit version operating system: 64-bit Operating System appears for the System type under System.
* For a 32-bit version operating system: 32-bit Operating System appears for the System type under System.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You now appear to be running TWO anti-virus programs on the computer, BitDefender and AVG 9. When did you install AVG 9 as it did not appear on the previous log?
You need to completely Uninstall this as having two anti-virus programs on the same computer can cause major problems. Go to Add/Remove and Uninstall whichever program is current and up to date. After you do this please do the following:
Download ComboFix from Here or Here
You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET
You must take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks much better. Can I ask you when you ran the removal program Combofix? One of the infected files removed by ESET was the Quarantine file of Combofix? I also see remnants of Smitfraudfix, when did you run this removal tool?

Another file removed was in something called C:\Program Files\Native Instruments\Kontakt Player 2\ I am not certain that the entire player was removed or if it was just the one infected file. I would recommend that you uninstall it entirely if it is still on the computer.
Can you do this? I would like to see an Uninstall list generated by HiJackThis. To do this do the following:
Open HJT and go down to the Misc. Tools button, click that. When Tools opens click the Open Uninstall Manager and at the bottom you will see Save List..click that button and the list should open in Notepad. Copy/Paste that list here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please try this

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here and try again to run it and let us know.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We did what we could, sorry it ended in a format but as you say, a learning experience...next time don't wait so long. Hopefully though there won't be a next time!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not AVG. Go with Avira

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now who is the EXPERT!!!!! Good detective work!!!

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like you to try MBA-M once more but follow these instructions:
Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe
See if you can run it. If you can UPDATE it first and then run the Full Scan. Post back with the log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, I think we finally figured it out. Thank you :)

Fx must have changed something in one of their new versions, so in the privacy tab it didn't look like those options were available, but they were, they were just hidden under a different drop down menu.

I didn't realize it was deleting cookies every single time I closed Fx LOL

What about my virtual memory, was that # ok?

Thanks Judy :)


Michelle

Default and recommended size of this file is 1.5 times the amount of physical memory on both the minimum and the maximum. That way the page file does not dynamically grow and shrink. On your 2GB of RAM this would be 3072MB but other than increasing the amount of disk space it takes it probably is ok.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you deleting your cookies? Are you deleting your temp files? If so, doesn't matter how you have Firefox or IE set up, you will have to sign in each time. This is how they are remembered, with those cookies but if you delete them all then, no, it will not remember.
If you are using something like CCleaner to remove temp files and internet temp files then they will be removed. There are any number of reasons why this is happening, has absolutely nothing to do with a website thinking you are signing on from a different computer.
You also have to have your Privacy settings set to Keep Cookies until they expire and not have them clear when you close Firefox

jholland1964 650 Posting Expert Team Colleague Featured Poster

B/c I don't want to have to pay for it if I don't have to.
Michelle :)

This is the only free one I know of, though it doesn't test memory only hard drive. To get one to test memory you must pay for it.
http://hcidesign.com/memtest/download.html

Here is the paid version

http://hcidesign.com/memtest/purchase.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

It's hard for me to read what you wrote b/c of my bad eye, but I don't think you are understanding me.

I'm not saying I expect the bank to remember my p/w, I'm saying it's asking me the security question b/c it thinks I've changed computers, so that means the IP address is being changed (I think).

I'm also saying that when I change the p/w (this is on non-bank type sites like my own) in Fx it doesn't change it, it keeps reverting back to the p/w that isn't correct.

Hope I'm clearer now.

Thanks


Michelle

I don't believe it is EVER going to remember your security question answer...that is the point of the security question. If a stranger logged on they might be able to figure out your password but chances of them knowing the answer to your personal security question is very unlikely. There would be no point of having a security question at all if it can easily be saved on the computer.
Look at my attachment. Do you have Firefox set up like this?

jholland1964 650 Posting Expert Team Colleague Featured Poster

The computer shop I just called said they would be willing to test the memory that's already there which is a good idea.

Do you know of any sites that test the current memory & maybe the HD for bad sectors?

Thanks


Michelle

Why do you need to test it yourself if the computer shop is going to do it?
I have a disk which came with my computer containing Memtest and that will test the hard drive so I have never used any online testing like that which would be very comprehensive.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I finally remembered what else the computer is doing that concerns me:

1. I think it's changing my cookies or IP address or something, b/c I'll go onto a site where I have to log in, & it will ask me my security question as if I'm not using the same computer I was using last time.

This has happened several times on 2 different sites. I keep answering the question, then the next time I log in it asks again.

2. Same thing happens with Fx. I thought it was just a Fx issue, but I have a strong feeling it's not.

I have a user name & p/w saved in my p/w area in Fx & it keeps changing back to another p/w. Every time I copy & paste in the correct one & Fx saves the correct one b/c it gives me the "change" button to click on, then every time I go back to the site once I've rebooted, it has the wrong p/w in it & I have to do it all over again.

Before I tried to find the entry in the p/w area to delete it, but Fx doesn't show all the entries properly, so I couldn't find it.

One time I did delete one entry I thought it was it, but it didn't help, same problem over & over again.

Thanks


Michelle

This has to do likely with the way cookies are saved on the computer. If you empty them …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the new HJT log?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to post the MBA-M log here. That is always requested.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all get rid of this HiJackThis. The version is way out of date, at least two years old. Current version is version 2.0.2

But please follow these steps exactly, run all the programs, save the logs, reboot when advised and then last run a HiJackThis scan with the new version linked above.

Download ATF-Cleaner.exe by Atribune Save it to your desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Wow! Lots of removals there. Good. To find the ESET log it should be located at C:\Program Files\EsetOnlineScanner\log.txt.
I DO need to see that for sure but in the meantime you can continue with the steps below.

One of the major items removed by MBA-M was My Web Search. But you need to be certain it is completely gone. Now you may not find ANY of this but you need to look to be absolutely certain.
1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way
Next, open My Computer, Drive C, and double-click on the Program Files folder

Right-click and delete the folders for:

* FunWebProducts
* MyWebSearch

Reboot the computer.

I have to ask, did you install the program Gadu-Gadu, which shows in your start-ups? All info I find is that it is a Polish Instant Messaging program. If you did, that's fine, it is a legal program, I …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HJT again. Place check marks in the following entries if they remain:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/even...450/MILive.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: sihetane.dll c:\windows\system32\dapogiyo.dll
O21 - SSODL: gikayukuf - {147d2046-0a60-4a28-86f9-6e1476258371} - c:\windows\system32\dapogiyo.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {147d2046-0a60-4a28-86f9-6e1476258371} - c:\windows\system32\dapogiyo.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)

Once you have placed the check marks then click the Fix Checked button. Exit HJT
Reboot the computer.
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought …
jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

more fun...

I've just - prior to a crash, had a desktop.ini file created on the desktop.... containing this

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

I'm working back through that list of trojans to try and make sure Malwarebytes removed all it said it removed.

The only one on that list that would flag as a rootkit as far as Combofix is concerned would be trojan fake...

This could appear if protected operating system files were "unhidden".
What list of trojans are you talking about? You mean those removed by MBA-M? If one was a rootkit then it would come back, even if MBA-M removed it. To try to find them manually can be nearly impossible.
Have you tried running GMER?

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK Judy - however I'm sure you didn't become a moderator without being an expert.

My first virus was Tequila and made bright patterns on the screen :-)

My problem here is that I can't fight what I can't see.

You're the expert...

Gee...Tequila is one of my favorites...mixed with triple sec and Blue Curacao on the rocks with salt on the rim, however I am certain you aren't talking about blue margaritas......:D
Hopefully crunchie or PhilliePhan will check in on this one and have more advice.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just thought I'd mention it... you are the expert.

Not by even the biggest stretch of imagination!!! I am going to ask a couple others to take a look at this and see what they think, ok?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hiya Judy..I just deleted the file and yes all things seem good now..I have one other wee problem but gonna start a new thread for it I think..thanks again for all your wonderful help and being so patient. I'm gonna mark this as solved now
Lisa

What is this "wee" problem, may be related to this one, if not then a new thread may be advised but what is the problem?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Couple things, as you can see MBA-M did virtually nothing in safe mode...11 seconds for a Full Scan. As you can see the original one took what is fairly normal, 1 hour and 51 minutes. So in safe mode it really is useless at this point.
I see no place in the combofix log that it is the second run, unless I am missing something. Normally they will be marked in a way that the reader can tell there has been more than one run.
I do need to ask, who told you to run Combofix? This is not recommended unless told to do so by "somebody". It is a very powerful tool and generally not a "first resort" but a last resort.

The HJT log in safe mode doesn't tell us much either, as far as running processes HOWEVER...there ARE some odd entries appearing in this latest one, run in safe mode which do NOT appear in the previous one which was done in Normal mode and those are THESE entries:

O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

Note these are all running from a Temp folder, and all for some reason lead to Sysinternals, though there is nothing on them at all …
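The check done by eye in the post above, written out as an added Python example (not code from the post, and not part of HijackThis): compare the safe-mode HJT log against the normal-mode one and flag O23 services whose image runs from a Temp directory or whose file is missing. The log excerpts are constructed around the four quoted O23 lines; the AVG and O4 lines are filler.

```python
import re
from typing import Dict, List, Optional

# Constructed HijackThis excerpts. The four O23 lines are the ones quoted in the
# post above; the other lines are filler so the comparison has entries to ignore.
NORMAL_MODE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""

SAFE_MODE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe
"""

O23_PREFIX = "O23 - Service: "
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
FILE_MISSING = "(file missing)"


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split an O23 line into name, company and image path; None for other lines."""
    if not line.startswith(O23_PREFIX):
        return None
    # Fields are " - " separated: display name, company, optional extras, image path.
    parts = line[len(O23_PREFIX):].split(" - ")
    path = parts[-1].strip()
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)].strip()
    return {
        "name": parts[0].strip(),
        "company": parts[1].strip() if len(parts) > 2 else "",
        "path": path,
        "file_missing": file_missing,
    }


def suspicious_services(log: str) -> List[Dict[str, object]]:
    """Flag O23 entries that run from a Temp directory or point at a missing file."""
    flagged = []
    for line in log.splitlines():
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        reasons = []
        if TEMP_DIR_RE.search(str(svc["path"])):
            reasons.append("image runs from a Temp directory")
        if svc["file_missing"]:
            reasons.append("image file is missing (orphaned service entry)")
        if reasons:
            svc["reasons"] = reasons
            flagged.append(svc)
    return flagged


def new_entries(previous_log: str, current_log: str) -> List[str]:
    """Lines present in the newer log but absent from the earlier one."""
    seen = {l.strip() for l in previous_log.splitlines() if l.strip()}
    return [l.strip() for l in current_log.splitlines() if l.strip() and l.strip() not in seen]


def triage(previous_log: str, current_log: str) -> List[Dict[str, object]]:
    """Suspicious services that only appeared in the newer log."""
    new = "\n".join(new_entries(previous_log, current_log))
    return suspicious_services(new)


if __name__ == "__main__":
    for svc in triage(NORMAL_MODE_LOG, SAFE_MODE_LOG):
        print(f"{svc['name']}: {svc['path']} -> {'; '.join(svc['reasons'])}")
```

The company field is taken as-is from the log; a vendor name on a service that lives in a user's Temp folder is a reason to look harder, not a reason to trust it.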

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry Michelle, realized that you probably meant didn't know how to find virtual memory.
Here is how:
On Windows XP, look in Control Panel: System, Advanced, Performance, Settings, Advanced, Virtual Memory.
Here is an explanation of Virtual Memory which is fairly simplified and easier to understand:

Virtual memory is conceptually somewhere between RAM and hard disk space; it's disk space used to maximize the amount of RAM available to programs.
* You run programs that need memory. The operating system takes care of tracking which program is using what portions of memory, and allocating each program the amount of memory it needs.
* Those programs will need more memory as they do their jobs. Opening a large document may cause your word processor to request additional memory from the operating system in order to hold the document.
* If there isn't enough memory available to satisfy a request, the operating system may decide that another program's needs are less "important". Some of that program's memory will be freed, first by writing the contents to disk (the memory is "swapped out"), and then allocated to the program making the request.
* Later when the program whose memory was swapped out needs it back, that memory can be "swapped in" by reading it back from disk. This might cause memory from another program to be swapped out to make room.

Also remember that the operating system itself is also just a program. So it too …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Mike, we aren't finished yet. Still some work with the HJT program so I need to see the MBA-M log and a new HJT scan log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well that showed nothing there. Go ahead and delete that Qoobox folder, especially since it is empty. Are you still having problems or do you feel all is ok now?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

TB = thunderbird
I can't remember how to get that, pls. tell me.
Thank you
Michelle

Not sure either what you mean by that Michelle, how to get what? If you all ready have Thunderbird on the computer you don't need to get it again, or do you mean you need to reinstall it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is preferable that they be done in normal mode if possible. MBA-M will not actually do a complete scan unless all of its drivers are loaded. If there is no possible way to do it in Normal then attempt in safe mode.
HJT should also be done in normal mode if possible since a true picture of things running in Normal mode cannot be given in safe mode so if the infection won't load in safe mode then we won't see it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Glad you got the graphic driver issue corrected.

but I see you deleted my other thread.

There was no need for that thread as all work was done in this thread and they pertained to the same issues.

strange things happen like my main TB window just closed on its own.

I don't know what program you are talking about here.
Can you give me the settings you have for Virtual Memory?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, thanks for the logs. Is this the log from the FIRST run of Combofix?
I ask this because you said:

Combofix - id'd a rootkit, then nothing on the re run

I don't see a rootkit id'd in this log. There are some removed infections but I don't see where there is a notation of a rootkit.

Furthermore I've noticed that this infection, whatever it may be, is turning off Windows firewall, not Zone Alarm, just the Windows firewall.

Don't know, since I don't use Zone Alarm, but with many 3rd party firewalls this is NORMAL. You should NEVER run two firewalls at the same time on the same computer. You may think this will make you safer but it will not. They end up conflicting with each other and let the bad stuff in. Instructions given for ALL 3rd party firewalls say TURN OFF BUILT IN WINDOWS FIREWALL when enabling another firewall.

I see that both Zone Alarm Anti-spy and Windows Defender were enabled during the Combofix run. Instructions for Combofix are VERY clear: ALL security programs should be turned off as they can interfere with the proper running of the program.

Several things you should turn off and LEAVE turned off...BitTorrent to begin with. Leave it off. Better yet, Uninstall it.
Turn off Windows Defender, Spybot TeaTimer and Lavasoft Ad-Aware Service any or all of those three can interfere with any fixes attempted.

Lavasoft Ad-Aware Service
should …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb,
Can you post the MBA-M log and also the Combofix log?
Also the HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb;

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT after running MBA-M!

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot again and run …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, All done! I did have to delete the Combofix manually, and then I did the restore point so that's me all done..thanks so much for your wonderful help, I don't know where I would have been without you..

Not sure if this is something to do with the Netsky or something random that I have done, but I don't seem to have any audio, and I don't think we were near any of the audio settings ..should I start a new thread with this?

Lisa

Smodka, earlier you said you saw a file called Qoobox in "C". Can you look and see if it is still there? If so, open it and see if there is a .txt file in there. If there is, open it and copy/paste it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Update MBA-M and do another full scan, have it remove all that is found.

Mike Hawk commented: Judy was a tremendous help to me and she effectively told me what to do to get rid of a nasty rootkit. She is great. +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Combofix from one of these locations:
HERE or HERE
It is very important that you save this file to your DESKTOP.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingcomputer.com/comb...o-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html


Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program. While the program is scanning your computer, it will change your clock format, so do not …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Couldn't you run MBA-M in Normal mode? It isn't meant to be run in Safe mode unless it cannot be run in Normal Mode. Running in safe mode doesn't allow it to load all of its drivers so it won't scan everything. Update it and run it in normal mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Which tool are you running?