jholland1964 650 Posting Expert Team Colleague Featured Poster

Originally Posted by AndyOne

Yeah...I should have mentioned...that Repair Wizard doesn't fix it, either. Thanks anyway. At least now that I know I shouldn't use just any old program someone on a forum suggests!

I am going to reiterate what Crunchie has said;

Shouldn't be using combofix anyway without instruction. It can mash your whole OS if you do something wrong.

Combofix is a VERY SPECIALIZED tool, NEVER, EVER to be used without FIRST being instructed to do so under the supervision of someone who has been trained in its use. It is NOT your ordinary, "garden variety" clean up tool.
It is only recommended in special circumstances.
If it IS recommended within a specific thread then that recommendation applies ONLY to that SPECIFIC computer and under those SPECIFIC circumstances. Using it when it is not needed or incorrectly can result in permanent damage to the computer.

Combofix updates frequently.

Combofix should NEVER remain on the computer after the computer is deemed clean and used again or over and over. It should be UNINSTALLED, NOT just DELETED, following the strict uninstall instructions which will be given once the clean up is complete for that specific problem.

All this said, today some malware removal tools, now including Combofix, already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled..WHY? Because malware authors have begun to exploit the autorun/autoplay feature which can spread infections from computer …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not just in start up programs also in services.

The 017 entry does concern me. What is that?

SBC Internet Services, is that your internet provider?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Really happy I could help. To make you feel better, you rarely, if ever would have to get a new computer because of infections.
You need to uninstall combofix because it shouldn't be used as a regular cleaner, only specific circumstances and then only when directed to do so.
To remove it do the following:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between the combofix and the /u, it must be there.
When shown the disclaimer, Select "2"

Also uninstall HiJackThis, it is no longer needed. This can be done via Add/Remove.
You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
Do all of the above and you should be good to go!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

On most programs you do have to tell them to remove or clean. They rarely do it automatically

Update the MBA-M program, run a full system scan again and this time REMOVE ALL found.
Reboot the computer.
Run a new HJT scan save the log.

Post back here with both new logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the MBA-M log?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Turn Off TeaTimer, it can interfere with fixes done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu, select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Now, can I ask, what all do you have disabled from auto start? Go back into msconfig and put a check mark in Normal Start and then reboot.
Can you go back into msconfig and re-enable everything? We need to know what's on there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just to be safe I would recommend that you also do an online scan with ESET Online Scanner.
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. If items ARE found then post that log for us here.

Reboot the computer
Next please do the following: right click on the desktop and choose New, Folder. Then name this folder HJT. Download HiJackThis to the new folder you created on the desktop.
Open the folder and double click the HiJackThis Icon to open the program
Run a full system scan and save the log and post it please.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, just new things showing in this log that hadn't shown before. Seem to be legitimate programs though.
Are you still getting those bad image errors?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you run a HJT Full System scan, save the log and post it back here?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you just re-enable Start programs or something? You have a lot more showing in this log than in previous ones.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run a new HJT scan and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, I would like you to delete combofix. Then download a new copy as it updates often and run it again. Combofix Post the new log here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Malwarebytes' Anti-Malware (MBA-M)
download, install and update.
Single file scanning is not slow. Right Click that file and choose Scan with Malwarebytes' Anti-Malware.
One should never save or transfer files until you are certain they are clean. If they are infected then yes, the infections quite possibly transfer to the media you are using to save them on...cds, dvd, floppy disk, flash drive...another computer or hard drive. Doesn't matter.
You have a suspicion there is infection on the computer, you need to get it clean before doing any file transfer or saving. Any anti-virus program can have false positives, BUT...something in those pop ups doesn't look right to AVG, I take that as a good warning additional cleaning should be done.
MBA-M is pretty much top of the line right now for scanning and removal of infections. Quick scan is just that, quick, doesn't scan all the files on a computer but does scan key ones, should take a few minutes.
Full scan is longer depending on the size of the hard drive and how many drives you choose to scan. Can take up to an hour or a bit more, again depending on the size of drives you are scanning. But it scans each and every file.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have just reinstalled the OS and that seems to have fixed it.

:D
Well I think it should have.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Worth a try, you really have nothing to lose if you cannot use the computer anyway.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try steps noted in this link:
http://www.winvistaclub.com/t217.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

USE CC Cleaner Dear!!!!!!!!!!

Don't believe you know either myself or the original poster well enough to call us "Dear"

SouthernBark30, please follow the original instructions and run combofix.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have a huge number of temp files on there, they should be removed.
Download and install CCleaner
Run the default scan, which is the first page that opens. Remove everything it finds.

Then UPDATE the Malwarebytes' Anti-Malware program. Run a full system scan and REMOVE everything found. Save the log.

Reboot and then run HiJackThis again, post both logs here.
It is going to take quite awhile to go through your combofix log. I will post that information when I am finished reading the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run combofix as instructed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well run the combofix as instructed. I never found any information on FixO but in checking out posts in geekstogo the only ones I found noting that FixO program were over 4 years old. Not a good idea to try to use a program noted from that long ago. I did also go to the website noted where the download would come from, seems to be more of a blog rather than a website. Might be a good program, I just have never seen it.
Best advice is stick with current or recent posts in various sites when you are looking for information and don't download just any tool without checking it out.
It obviously did nothing for your computer or probably TO your computer so "no harm, no foul", this is just something to remember for the future.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Forget my previous question.
Please do the following;
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.


Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have a wireless mouse?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Going through your HJT log nothing jumps out except all those Lenovo programs running at start, which are not required. You do have some other unnecessary starts but don't honestly know if those would slow the computer so much.
One thing I did find concerning the Windows Defender problem is that it seems that the same files protected by McAfee are also protected by Windows Defender. Some folks corrected the Defender problem by uninstalling Mcafee and the Defender then began to work.
You also might check the Event Viewer and see if these problems relating to Defender are noted in there, might give you a clue.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I've been told I have a virus but I can't find it

WHO told you that you have a virus? If it was a person...why?
If it was your anti-virus program then it should have given the name and location and WHY it couldn't remove it.
Please do the following, update your anti-virus program and run a FULL scan with it, if it finds something then quarantine or remove it. Make certain you note the NAME and location of the infections found.

Next;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Once the computer has rebooted then run a new full system scan with HJT, save the log.
Post …

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, I didn't download and run combofix.

Ok, then let's give it a try:
Please do the following;

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not …

jholland1964 650 Posting Expert Team Colleague Featured Poster

What is FixO? I can find no information for it whatsoever.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just had a thought here, was one of the programs you ran combofix?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, there has been a LOT more added to the Auto Starting programs since the last run of HJT.
When you emptied the Spybot Quarantine, did you reboot the computer?
If not can you do so now and then run another HJT and post the log?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb,
For the missing desktop icons be certain you don't have them hidden.
Do this:
Right click your desktop -> Select "Arrange Icons By"
Verify that the option to "Show Desktop Icons" is checked

Now for your infections, yes they are still there, I see at least one in the HJT log. I also see by the MBA-M log that you showed two but only removed one. The files found by the ESET scanner were backups made by Spybot of items removed. You can empty the quarantine of Spybot.
You should update MBA-M again, then run another full system scan with it, REMOVE ALL that is found.
Reboot.
Run HJT again and post back with both new logs.
I would suggest also that you Uninstall any of the programs you used for these removal attempts except Spybot and MBA-M.
I don't know what FixO is, Vundofix is not used too often anymore as MBA-M does a good job of removing that infection. MBA-M also cleans out infected registry entries so other registry searching/cleaning programs are not necessary either. Plus you can get rid of the wrong files too and cause problems. AdAware isn't what it used to be, at least in my opinion, I would also uninstall that one too. I am also not real crazy about Cyber Defender either. It was previously listed as a Rogue Program, though it is off that list now, it …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again.
Place a check mark next to the following entries;
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O20 - AppInit_DLLs: kjoost.dll

After you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer.
Update your anti-virus program, run another full scan with it and fix or quarantine anything found. If something is found please make a note of the name and location.
Then update the MBA-M program, run another full system scan and have it REMOVE everything found. If something is found please post back with the log. If the scan comes back clean then we won't need to see the log.
Run another HJT scan, save the log and post back here with that new log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I really owe you a HUGE apology, I have no idea how I missed your last post. I am TRULY sorry.
You appear to not have an installed anti-virus program or firewall. Both of these are absolute MUSTS. There are several good FREE antivirus programs to choose from, Avira or Avast. Both are very good, choose one, download, install and update and KEEP it running.
You also don't show a firewall. Windows has a built in firewall, very easy to enable. Go to Control Panel, click Windows Firewall Icon, put a dot in Turn On and that's it. If you don't want to use the Windows Firewall there are also good FREE ones out there, easy to use and install...Online Armor Free, Sygate are two good ones.
Now run HiJackThis again. Place check marks next to the following entries;
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [1800] C:\cxfagn.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer. Run another HJT scan and post the …

jholland1964 650 Posting Expert Team Colleague Featured Poster

* Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
  * If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it

KillAll::

c:\windows\system32\wbsys.dll

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt

Post back with that log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you put in the full path to the file? Do you mean you didn't find the file at all or nothing was found?

jholland1964 650 Posting Expert Team Colleague Featured Poster

For one thing your version of MBA-M is way out of date. The current version is 1.34 and database version is 1798. You should always make it common practice to update MBA-M before each and every scan. It commonly updates more than once a day so it can have updates between each scan but yours is definitely several months old.

You are not running any anti-virus program or firewall so the fact that your computer is grossly infected shouldn't come as a surprise to you.

You need to turn off Spybot TeaTimer, it will interfere with any fixes attempted.
Disable Spybot's TeaTimer

  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu, select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Please turn it off immediately.
AFTER you turn off TeaTimer then run HJT again, place check marks next to the following entries:

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: (no name) - {f203bc2f-a76d-418f-aae5-b7a2e6751732} - C:\WINDOWS\system32\vamibedi.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

After you …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please go to http://virusscan.jotti.org/ there you will be able to scan this questionable file by multiple scanners to see exactly what it is.

Upload this file c:\windows\system32\yomisujo.exe

Please report back here with ALL findings.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, I don't believe that it would. Do you have recovery disks?

jholland1964 650 Posting Expert Team Colleague Featured Poster

By the way, take HiJackThis out of the temporary folder. If you cannot do this, uninstall it and download it again.
BUT first right click the desk top, choose New, Folder. Rename this folder HJT. Then download HJT to this folder. HJT should never be run from a Temp folder.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't worry about that now. You certainly don't want any updates running at the moment.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good. Now do the following:
Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot.
Run a new HJT scan, save the log and post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy to help.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try safe mode with networking. This will load minimal items but enough to get it online. See if Norton is still installed on there, if it is UNINSTALL it. Then try installing Avast, update it and run a scan with it. Let it remove what it finds. IF you are able to accomplish that then download Malwarebytes' Anti-Malware (MBA-M) to the desktop. Install and update it.
THEN attempt to boot to normal mode. MBA-M is not designed to run in Safe Mode.
If you are able to boot to normal mode then run a Full System scan with MBA-M. Have it REMOVE all that is found. Save the log.
Then download HiJackThis and run a Full System scan with it. Save the log and post back with both logs...GOOD LUCK

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to begin with the following steps;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Then REBOOT the computer.
Download HiJackThis to your desktop. Run a Full System scan and save the log. Post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Check for this:
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

If it was there and you could disable it then try to download, install, update and run a Full System scan with Malwarebytes' Anti-Malware (MBA-M)
When the scan is complete be sure all items found are checked and then click the Remove button.
Reboot the computer.
Post back here with that log if you were able to run the program.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

We'll be waiting to see the report. You did great.:)

jholland1964 650 Posting Expert Team Colleague Featured Poster

Why do you want to mess with the registry? How are you trying and what message do you receive?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well because of this I cannot send you to online scanners, which I would have preferred to do. But I am not certain the infections are totally removed. Online scanners may have removed them so I will ask that you follow these instructions;

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Remove the default setting from Opera. Don't set any browser as default and see if that makes a difference

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have Opera set as default browser? And how do you get Windows updates?

jholland1964 650 Posting Expert Team Colleague Featured Poster

One quick question: when you say have mbam remove all that it's found, does that mean I should delete it out of my quarantine too?

Absolutely. No reason to keep it :)
Just to be safe can you run the ESET Scanner and if it finds anything have it remove?
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Then reboot and do one more HiJackThis.
Post both logs here please.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, good. Now run HiJackThis again. This time place check marks next to the following entries if they still are showing;

O2 - BHO: (no name) - {a3521c5f-4483-4120-8220-68cb74791754} - (no file)
O2 - BHO: (no name) - {b1197a48-4e38-44cd-b5d7-10ab4d56f5c6} - (no file)


O4 - HKLM\..\Run: [gapuwehobi] Rundll32.exe "C:\WINDOWS\system32\yefeluki.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [gapuwehobi] Rundll32.exe "C:\WINDOWS\system32\yefeluki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [gapuwehobi] Rundll32.exe "C:\WINDOWS\system32\yefeluki.dll",s (User 'NETWORK SERVICE')

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZUxdm082YYUS

O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)

O20 - AppInit_DLLs: c:\windows\system32\zadimeve.dll sesbbo.dll,
O20 - Winlogon Notify: byXPIyYq - byXPIyYq.dll (file missing)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zadimeve.dll

Once you have those check marks placed then click the Fix Checked button.
Exit HJT.
Reboot the computer.
Then double click My Computer. Double click "C" drive.
Then go to c:\windows\system32\ and look for this file zadimeve.dll

If it is there, delete it. If you don't find it then that is good. But we just have to be sure.
Reboot.
Update MBA-M and run another Full System scan. Have it REMOVE all that is found. Save the log.
Then run a new HJT scan and save the log. Post back here with both logs.
Judy