jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you allow ESET Scanner to fix or remove? If not please run it again and allow it to do so.
Then run HiJackThis and post the logs here.
Thanks!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

How much RAM do you have? What you gave me was Hard Drive size.
If you Right Click My Computer and choose Properties, the first tab, which is General, will tell you how much RAM is on the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Turn OFF Windows Defender for the duration.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi, some questionable entries there for sure. First of all you must TURN OFF the Spybot TeaTimer as it will interfere with fixes attempted.
To do this open the program. Go to Mode, Advanced. Then go to Tools and Click Resident. When Resident opens take the check mark OUT of TeaTimer. Close the program and reboot the computer.
Next run HiJackThis and place a check mark next to the following entries:

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll


jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks so much for your kind words they are really appreciated.

(I hope you get paid a lot of money!!!)

:D
Hardly, we are all volunteers here.
Basically I learned what little I know at web sites like this one, several are now gone...don't know if I played a part in their demise or not, hope not:D
Lots of "googling" looking up various file names, etc. I love research, and love computers, who knew those two would eventually go together?

If you feel all is well there are still a couple things you need to do:
You should remove HiJackThis, you don't need it any more.
You also should uninstall combofix. It basically is a "one time" fixer. If a person is told to use it again some other time then a new copy would be needed.

* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, things look much better. Do you feel things are fixed or are you still having difficulties?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

There "could" still be something there. Do these steps you will find HERE using the directions you will find in that link; The MBA-M full system scan, removing all that is found, Reboot and do the ESET Online scan, removing all that is found.
Reboot and run a new HJT scan and save the log.
Post back here with all three logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You should remove HiJackThis, you don't need it any more, and you must uninstall combofix as it cannot be used again either.

* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
If all seems well after that you can mark this thread closed.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, you should be good to go. Just watch where you surf, what you download and continue to use your anti-virus program and MBA-M weekly at least. You can mark this solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You aren't finished yet.
You should remove HiJackThis, you don't need it any more.

You need to uninstall combofix.
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"
You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks pretty good. Are things running all right?

jholland1964 650 Posting Expert Team Colleague Featured Poster

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

You didn't reboot after running MBA-M did you?
That is ok, there was nothing to clean up but please remember to ALWAYS do that.
Are things running better?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try turning off Zone Alarm Firewall and see if this makes a difference.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, now update MBA-M and run a full system scan with it. Allow it to remove everything it finds.
REBOOT
AFTER reboot then run HJT and save the log
Post back here with both of those new logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Warning to all who may be reading this: The CFScript below is written exclusively for THIS POSTER and THIS MACHINE and is NOT to be used by others;

· Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
· Open Notepad (it MUST BE Notepad) and copy/paste all of the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

File::

c:\windows\ifeqowaqifi.dll
c:\windows\Ajowofuqoqiwo.dll
c:\windows\system32\drivers\ndisprot.sys

Driver::

ndisprot.sys


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=" "

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
· Please post that log below.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What is the full error message you get before the computer shuts down?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I honestly think none of us know what to tell you here. Since you cannot get into Windows it seems you cannot run the programs needed. It sounds to me, I could be wrong, that key windows files have been damaged by whatever it was you downloaded or the attempted clean up. I cannot say for certain. Your only option may be a reformat.
Have you tried a repair of the affected Windows? The repair may keep the files you wish to keep but correct the damaged os files.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I ran HijackThis but did not come up with any checked instances, so I just closed it.

Not exactly certain what you mean by "checked instances". HJT is just a scanner. Can you run it again and save the log and post it here?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Exactly what firewall are you using?
There are several programs you need to uninstall, as shown in your combofix log.
Free Offers from Freeze.com
Viewpoint Media Player.
Look for those first in Add/Remove.
If you don't find them there then look here;
c:\program files\Free Offers from Freeze.com
c:\documents and settings\Cass Mortenson\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
Reboot the computer. Update MBA-M and then run a full system scan and have it remove everything found.
Reboot the computer and run a new HJT scan and post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

This is just not a program we recommend that people use on their own and that will continue to be our advice here.
We VERY STRONGLY AGREE with and adhere to the CAUTION given here concerning the use of this program and sincerely hope that all others will heed this advice

Due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Since I have seen no logs from you then I cannot advise.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not sure what problems you are having for sure, we need a bit more of a description but one thing I note, you are running AVG8 antivirus, which is fine BUT there is at least one file of an old Norton program running and it most definitely should be removed.
Do a file search for it, searching first for Norton, delete all that is found then do a search for Symantec and delete all that is found.
Then run the steps HERE ignoring the references to Deckard Scanner, it is no longer available. When you have completed those steps then run a new scan with HJT and post back here with all logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Stay SAFE.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You know this has been going on nearly 30 days. Each time that you run MBA-M it shows up next time in start ups of HJT log, which is not what it is supposed to do. Then a couple days go by and you come back infected again. Either the programs are not being run correctly or something you are doing is reinfecting the computer.
Do this again please:
Download ComboFix. You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desktop. DO NOT RUN it YET.
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks pretty good to me. Do you feel all is running well now?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you stopping and then rebooting or stopping and then running combofix? You shouldn't reboot but go straight to combofix

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your attachment shows it was in your System Restore and it was not a virus.
If you want to be certain you are clean, then run the steps given HERE, ignoring the Deckard Scanner recommendation as it is no longer available and post the logs here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Follow the instructions given HERE.
Ignore the section about Deckard Scanner and use HiJackThis instead.
Post back with all requested logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

These are the processes you should be stopping;
MsMpEng.exe
avgrsx.exe
avgemc.exe
avgtray.exe
When combofix gives this warning are you then stopping it or does it stop itself?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have tried combofix and a bunch of other stuff that usually works for me.

First of all combofix is not a "regularly used" tool. It should only be used when directed to do so and never should be re-used on another problem. The instruction to use combofix in a thread is ONLY FOR THAT PARTICULAR poster and NOT FOR OTHERS. It is supposed to be uninstalled following all steps given by the helper working with the poster. This can damage your system if used incorrectly or for the wrong reasons OR if used too early too.
If you have used it for this problem post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'm sorry, I can't advise on a wireless configuration as I have never used one. Maybe somebody else will take a look.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Stop them all in Task Manager. Ctrl-Alt-Delete
Then highlight each AVG file and end process.

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you still have combofix on the computer you MUST REMOVE it this way before you do anything else.
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

Next
* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.

Now update MBA-M and run a Full System Scan with it.
Remove everything found.
RESTART the Computer.

AFTER the computer has restarted then run a new full system scan with HJT and post back here with the MBA-M log and the HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, there is definitely "something" there because they are showing in your hjt log, these other programs aren't locating anything so it or they must be hiding.
Please do this:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.
* Windows will issue a prompt asking whether you wish to run the program, click Run

You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Go to Start, Control Panel, Administrative Tools, Event Viewer. Look in Applications and also System and locate errors which may give an indication as to what is causing these Server busy errors.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again.
Place a check mark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot.
Then run HJT again and post the log here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hope you have not disappeared. We have not heard from you in nearly 24 hours.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well that NTRU Cryptosystems program has to do with your wireless network so maybe the program is damaged.
The system freezes definitely show there is "something" trying to work or not working right in the background.
Were the freezes the reason you turned off some of those system32 files? While some may not be necessary they are often tied together with others which are necessary and sometimes turning off one may turn off many others that you didn't mean to disable. This is why it is always recommended that each and every one be totally researched before turning them off.
Did the freezing and internet not working come before or after the clean ups?
Can you give me a list of those system32 files you turned off and then turned back on?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I thought that might have had to do with some non-essential system32 files I'd removed from startup, so I replaced them and rebooted again.

How did you know for sure that these were unnecessary?
The file you get the error from is associated with NTRU Cryptosystems.
What is the exact error that you get?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download SDFix
Double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

* When your computer has started in safe mode, and you see the desktop, close all open Windows.

* Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat

Then press the OK button.
The SDFix window will open containing some brief info and a disclaimer on the use of the tool, press the Y key on your keyboard and then press enter
SDFix will now start scanning your computer for known infections. This process can take a while, so you may want to do something else …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you run HJT on the infected machine? If so run it again.
Place a checkmark next to this entry
O20 - AppInit_DLLs: gmuxlx.dll
Then click the Fix Checked button.
Exit HJT.
Reboot the system and see what happens.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Let me look through all this and I will get back to you. This is a wireless connection correct? Have you tried a hard connection, is that possible?

jholland1964 650 Posting Expert Team Colleague Featured Poster

This thread is 18 months old and he refers to a thread which is 4 years old so don't consider anything in these two threads as now gospel. Many things have changed since the original 4 year old thread quoted here in this 18 month old thread. The original poster in the 4 year old thread noted things were fixed, as did this one in the 18 month old thread. This should be considered closed.
Beetlebum, you should begin your OWN thread without quoting 18 month old threads but stating your problems as they occur today. Many things have changed in 18 months, there are whole new programs out there to work on things such as this. The Ewido/AVG Anti-spy program is no longer available as a stand alone program for one thing, it is part of AVG anti-virus suite.
DON'T under ANY CIRCUMSTANCES run Combofix unless OR until directed to do so.
The steps we recommend today, 18 months later, can be found HERE. Basically we ask that you run some temp cleanup, then the MBA-M program, the ESET Online Scanner and save the logs. You will find the links to those programs in the link I just gave you. Ignore the reference in there to Deckard Scanner, it is not available anymore. Substitute instead HiJackThis and do a full system scan and also save that log.
Do all of the above in NORMAL, NOT safe mode, all require running in …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do you have the log from MBA-M? This is a program which isn't supposed to be run in Safe Mode but in normal mode. You are correct about TeaTimer. Leave it off, it interferes with some fixes attempted.
I don't know what firewall you are using or even if there is a firewall involved, but you might try turning this off and see if it helps.
Also don't know the operating system but have you tried Safe Boot with Networking? This allows the computer to boot in safe mode but also allows internet service without the unnecessary items which may be running during normal boot.
Is there a way you can get the log and post it from the computer you are using now?
Can you download HJT to another computer, burn it to a disk and then put it on the affected computer? If you can do that then try to get the log and post it back here.
System Restore should also be left ON until the computer is clean. After it is clean is when you then reset it. It is better to have at least something to go back to, even if infection is involved, rather than nothing which is what you have by turning off System Restore because that will erase all restore points. It is too late for that now; just remember that in the future.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Your log basically looks clean to me. You could run HJT again and place a check mark next to these entries:
O2 - BHO: (no name) - {D6C69009-9E98-4DDC-9A25-BC2EF6520908} - C:\WINDOWS\system32\ddcCRLCu.dll (file missing)
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll (file missing)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O20 - Winlogon Notify: cbXNHxuu - cbXNHxuu.dll (file missing)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot.
Run a new HJT scan and post it here

The only symptom I still have is that the computer makes the new device being added sound 10 minutes or so after starting up.

Don't know what would cause this. Perhaps your webcam?
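
The kinds of HijackThis entries flagged in the posts on this page (O1 hosts redirects, O20 AppInit_DLLs, entries marked "(file missing)") can be pulled out of a saved log mechanically before a helper reviews it. The following Python sketch is an added example, not part of any post above and not part of HijackThis; the sample log, its domains, IP and file names are constructed, and the function names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Section codes that appear in the HijackThis entries quoted on this page.
SECTIONS = {
    "R0": "IE start/search page",
    "R3": "URLSearchHook",
    "O1": "Hosts file redirect",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart entry",
    "O9": "Extra IE button / Tools menu item",
    "O20": "AppInit_DLLs / Winlogon Notify",
}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample log (documentation-range IP, example domains).
SAMPLE_LOG = r"""
Scan saved by a constructed sample, this header line is ignored
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 203.0.113.25 www.update.example.com
O1 - Hosts: 203.0.113.25 update.example.com
O1 - Hosts: 203.0.113.25 secure.example.net
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"
O20 - AppInit_DLLs: example1.dll example2.dll
O20 - Winlogon Notify: exampleNotify - exampleNotify.dll (file missing)
"""


def parse(log_text):
    """Split a HijackThis log into entries; lines without a section code are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        entries.append({
            "code": m["code"],
            "section": SECTIONS.get(m["code"], "other"),
            "body": body,
            "file_missing": body.endswith("(file missing)"),
        })
    return entries


def triage(entries, min_hosts_per_ip=3):
    """Collect entries worth a manual look; nothing here decides that an entry is malicious."""
    by_ip = defaultdict(list)
    report = {"hosts_clusters": {}, "appinit_dlls": [], "orphaned": []}
    for e in entries:
        if e["code"] == "O1":
            h = HOSTS_RE.match(e["body"])
            # Many names pinned to one non-loopback address is the redirect pattern.
            if h and h["ip"] not in LOOPBACK:
                by_ip[h["ip"]].append(h["name"])
        elif e["code"] == "O20" and e["body"].startswith("AppInit_DLLs:"):
            # DLLs listed here are loaded into every process that loads user32.dll.
            names = re.split(r"[,\s]+", e["body"].split(":", 1)[1].strip())
            report["appinit_dlls"].extend(n for n in names if n)
        if e["file_missing"]:
            # Leftover registry reference whose target file is already gone.
            report["orphaned"].append(e["code"])
    for ip, names in by_ip.items():
        if len(names) >= min_hosts_per_ip:
            report["hosts_clusters"][ip] = sorted(names)
    return report


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(key, value)
```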

jholland1964 650 Posting Expert Team Colleague Featured Poster

Q: Would deleting the directory AskPBar from my Program Files folder cause any problem(s)? I suspect that answer is no. However, I still want to check with you.

Does it appear in Add/Remove? If it is there then remove it that way. Many anti-spy programs flag this as malware. While the bar itself may not be it is often included with other programs and is installed without your permission OR is installed because folks don't notice the "do you want the askpbar?" box and it gets installed.
A safer way, if it doesn't show in add/remove would be to remove it in Safe Mode... (keep tapping F8 key, when your computer starts, until menu appears)

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

Delete the AskPBar folder from C:\Program Files

Restart in Normal Mode.
Mid-East...not a very safe place to be. My brother returned in Oct. from Iraq, he's with the State Dept. Relief to have him home, imagine your family will feel the same way.
I enjoy working with computers and offering what little help I can. Computers are great but can be annoying too. It is so nice when they run smoothly.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is ctrl-alt-delete not alt-cont-delete. But even using those keys will only open Task Manager, then you have to end a process when you are in there, it doesn't stop something just pushing those keys.
You are using an out of date version of HiJackThis. Remove that one and download the newest version which is 2.0.2
Even with this scan with the older version I don't see anything bad on there. Have you removed all your temp files, done a defrag lately?
Have you just rebooted the computer?
How big is your hard drive and how much space is remaining? How much RAM do you have installed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have to be honest here, never heard of Dr. Web 32. It certainly isn't something I have seen recommended here.
Do the steps we commonly recommend here
especially MBA-M, the ESET online scanner followed up by a full system scan with HiJackThis.
When you have completed those three programs post back here with the logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am an older fellow (early 40s) doing a Ph.D. at IU, Bloomington. I am currently overseas for my dissertation research

:D Early 40's...my oldest daughter is soon to be 41, so I am old enough to be your mother:D
Don't know where you are overseas but hope it is warmer there than here in the good old Hoosier state...supposed to have an ice storm tomorrow.
Your log looks pretty good, one entry you didn't fix or I missed telling you to do it
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL (file missing)
Other than that one, which isn't really major, how are things running?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

CFScript should read this way.....Ignore my last post.

KillAll::

File::

c:\windows\system32\inf
c:\windows\xccwinsys.ini
c:\windows\system32\xcchit32.ini
C:\475804924
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\8B4B73CBA4.sys
c:\windows\Tasks\mgjnjhuy.job

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

jholland1964 650 Posting Expert Team Colleague Featured Poster

You would be able to update MBA-M if online. You could use the one you have that would be no problem. It just won't be updated and will be an older database on it.
If you can run it definitely do that. If that clears things enough to get online then go online, update it and run a new scan with it.
Right Click My Computer, choose properties. When System Properties opens click the Hardware Tab. When that opens click Device Manager.
Judy