Posts by jholland1964

RE: tbr:res?id=tabs&rep=1
I Had the same problem. Found blog about regitry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs...

Modified the value to: "res://ieframe.dll/tabswelcome.htm"
- No quotes

Exactly the same fix as posted above in post #7.
Since the original poster has not returned in over 34 days there is no point in posting in here again unless he returns.

Run HJT again. Place check marks next to the following entries if still present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer. Run HJT once more and post the new log here.
Judy

Please do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.

Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer.
Then run a new HJT full …

Can you tell me who is your internet provider? Did you personally add all those trusted sites? Is this a business computer or used for your job?

Reboot and run update MBA-M then run a full system scan with it, reboot and run a new HJT full system scan and save the log, post back here with both.
Judy

Hopefully, you rebooted the computer. Next run HiJackThis on a full system scan. Save the log and post it here.
Judy

Couple more things you need to do:
First of all you need to remove combofix from the computer. It is not a "regular" cleaner program and is used only under special circumstances so it needs to be removed. To do this do the following:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

Next you need to set a new, clean restore point. Right Click My Computer. Choose Properties. When System Properties opens choose the System Restore Tab. When that opens put a check mark in Turn Off System Restore. Click Ok. You may receive a warning you are turning it off, choose Ok. Allow it to turn off. Wait a moment and then go back in there and remove that check mark to turn it back on.
I would advise that you continue to use MBA-M for weekly scanning, always updating before each scan. Allow it to remove whatever is found.
Judy

I would like you to do the following:
Open Notepad(NOT WordPad) and copy/paste the text in the below quote box into it

KillAll::

File::
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

*At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
Post back here with that new log.
Judy

The logs all look pretty good, how are things running?

Yes, reboot and do another HJT scan.

Give me a bit to go through all this and I will get back with you ASAP.
Can you update MBA-M and do another scan with it, reboot and then give me a new scan with HiJackThis.
Judy

We need to see a log of MBA-M AFTER fixes have been completed. Also a full system scan log of HJT also completed after a reboot following MBA-M.
Judy

Ok, update and run another MBA-M scan and allow it to remove all found.
Reboot and then run a new HJT scan and save the log.
Post back with both logs.

Ok, the files found by MBA-M were in your Recycler folder and they are gone now.
I would like you to do the following;
Go to this website http://virusscan.jotti.org/
This is a website which will scan suspicious files using multiple antivirus programs and then report back to you what is found by there various scans.
I would like you to upload these files to the site and allow the scans to take place. Report back on the complete findings for each one.
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll
c:\windows\system32\noturoya.dll

Judy

Really doubt this has anything to do with Malware or Spyware. Also, the place to find out the full story of these errors is the Event Viewer. Check there. Also, don't just attach a copy of the error box, this will really tell us nothing, except there has been an error. If you check the event viewer you should be able to tell what may have actually caused the error in these processes.

No, I don't believe if I understand you correctly, these files which play incorrectly are now on a cd and on your mobile device then there is no way to fix them. BUT if the files DO play correctly on the CD and what you want is for them to play correctly on the computer then delete the ones on the computer and download the ones from the cd to the computer. But as I said, if you burned the disk and they are bad then there is no way to correct that.

I know that some of these protection programs can be difficult to turn off. Maybe the simplest way is to go into Task Manager...Ctrl-Alt-Delete keys and when that opens highlight each one of the items noted below and then click the End Task button.
These include all the McAfee processes I see running in your HJT log and also Windows Defender and AdAware Service (which really does nothing anyway unless you have the paid version and doesn't need to be running at all) I would also advise using Windows Defender only for scanning as it can interfere with fixes done also.
Here are those you should End.
MsMpEng.exe
aawservice.exe
McSACore.exe
mcmscsvc.exe
mcnasvc.exe
mcproxy.exe
mcshield.exe
MPFSrv.exe
mcagent.exe
MSASCui.exe
mcuimgr.exe
mcvsshld.exe
Once you have done that then try running combofix as directed.
Judy

Thanks for the info Brian. Let me go through this log, as you can see it will take awhile, but I will get back with you asap on it.
Try running another HJT scan and post that too. Do you feel things improved any with the running of combofix?
You might also update MBA-M and run a new scan with that too. Allow it to fix anything it finds.
Post that log also.
Judy

I am very familiar with the link provided, this is the one we all use.
If you don't have an XP disk then no, you cannot install the recovery partition. But it may all ready be on the computer.
If you would prefer not to run the program then you can try to fix with some fixes via HJT but the log shows there is still infection there and this may only stop it from running at the present, not actually remove it.
I have not had experience with people losing use of their computer while running combofix under supervision but this is your choice so we will forgo running it and attempt to remove this infection using HJT and then doing manual search and removals.

Anyway,
Run HJT again and place check marks next to the following entries:
O4 - HKUS\S-1-5-19\..\Run: [lolafegaku] Rundll32.exe "C:\WINDOWS\system32\fupuvuyu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lolafegaku] Rundll32.exe "C:\WINDOWS\system32\fupuvuyu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [lolafegaku] Rundll32.exe "C:\WINDOWS\system32\fomihari.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lolafegaku] Rundll32.exe "C:\WINDOWS\system32\fomihari.dll",s (User 'Default user')

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\zewuzano.dll
O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - SSODL - (no file)
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer.
Run a new HJT scan and save the log and post it back here.
There will then be some manual …

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new …

Yes - work pc. Not getting any help from work IT support. They suggest I re image.

Regarding the trusted sites - they are all intranet sites... work related...

Thanks,
Brian

I hesitate to offer suggestions which may violate your work rules. Is it possible that there are other computers infected on this work network?
Have you updated all the removal programs and then disconnected the internet cord and run all these without being connected to the network? If you can rule your computer totally clean then I would think there is a chance of another infected computer within the network spreading this to everyone else. Don't know this is the case but something to think about.
Here is one thing you have not tried, if it doesn't violate your work rules you could do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

*Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a …

With these infections removed has the computer improved?
Post a full system scan with HiJackThis

Ok then on Norton. Can I ask why you are not allowed to uninstall the etrust? Is this a work computer or something? What about those trusted sites I noted?
Judy

Brian, can you run a new HJT scan and post that here?
Judy

Follow the instructions given HERE
Ignore the section about Deckard Scanner and use instead HiJackThis
post back with all requested logs.

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see …

Not meaning to "step on toes" here but caperjack has informed me you have a double post going here
http://www.daniweb.com/forums/post769217.html#post769217
and since I didn't realize this and don't know if you will go back to the other thread I wanted to post this in this one also.
You note in this thread right here that you have tried multiple anti-virus programs, including CA, AVG, and also Avira. I didn't have this information in my post to you in the other thread, but there also I noticed in your log posted there that you currently have CA running and also Norton.
You obviously are not uninstalling all of these anti-virus programs completely. You must UNINSTALL all of these except one of them. Running more than one at a time will certainly complicate your problems.
I am not certain what two HJT logs that Suspishio is comparing, the two I see here are pretty much the same.
I will repeat here some of what I posted in the other thread since we don't know which one the poster is checking on;

The first thing I notice in your HJT log is that you are running two anti-virus programs, eTrust and Norton. This is an absolute NO-NO. The RULE is ONE anti-virus program running on a computer. One of these must be totally Uninstalled Immediately.
The second thing...did you personally add all of these Trusted Sites? I have tried them all and none of them …

I would like you to do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

*Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before …

The first thing I notice in your HJT log is that you are running two anti-virus programs, eTrust and Norton. This is an absolute NO-NO. The RULE is ONE anti-virus program running on a computer. One of these must be totally Uninstalled Immediately.
The second thing...did you personally add all of these Trusted Sites? I have tried them all and none of them can be found. I you personally did not add these then they should be fixed using HiJackThis.
You are running an extraordinarily large number of programs at once.
There are a large a number of programs I have never seen before and ones I cannot find information about, except google searches which come up with malware forums noting the same programs. But since I cannot find information on the majority of them I am at a loss to tell you what to stop.

How are you connected to the internet? Have you changed settings on your firewall recently? Have you tried turning off your firewall and attempting updates?

3. Ran the EST online scanner (will attach screenshot of results)

You need to have the ESET Scanner clean those items and then save the log and post that here. Two of those files found by ESET are .tmp files and should have been removed by AFT Cleaner
We definitely need a HJT log.
I would have preferred that you NOT have turned off System Restore. You generally would not be re-infected by something in System Restore AND if one of these programs should make changes you would need to undo...even if that meant re-introducing the infection...you will have no restore points.
Turn it back on please until directed to turn it off to set a new clean restore point.
Judy

Looks like MBA-M found and removed a lot.
Quick look through of the uninstall list shows me your Java is out of date. You need to go HERE and download the latest version. Choose the Offline Install and save it to the desktop.
Once the download is complete then go to Add/Remove and Uninstall ALL the older versions of Java you find there.
Once you have uninstalled all of those then go back to that install file residing on the desktop Double click to install the new version. When that is complete then go back to the download page and on the right side you will see Verify Now. Click that to go to the verification page to be assured that the install was successful.

Next we need to see a Full System Scan with HJT and save the log. Post that log back here before we can go further.
Judy

Are these the ONLY items found and removed by MBA-M? I really need to see the entire log, from top to bottom.

I don't really see anything in the log indicating infection. The only thing I see are a LOT of unnecessary processes running and yes, some unnecessary start ups. There really is no reason for a program such as Speed Startup. While there is nothing wrong with this program, the best ways I have found, and they are FREE, to control unnecessary start up items is control them with something like CodeStuff Starter or Mike Lin's StartUp Control Panel. Both FREE.
There is nothing wrong with the file avp.exe. That is a key file with Kaspersky's.
If something OTHER than an anti-virus or anti-malware program flags something as dangerous then, personally, I don't believe it.
Frankly, I hope you didn't purchase the program.
Like I said, there is nothing wrong with it that I have found but the other two programs do the same and for FREE.
Some things I do see in your log which would certainly slow your start ups and are not necessary to have running all the time are the following:
SpeedStartup
SUPERAntiSpyware
TuneUp Drive Defrag Service
Malwarebytes' Anti-Malware
Unless you have the paid versions of all of the above then the background scanning is not functional and does nothing but use valuable resources.
I also never recommend more than one anti-malware program RUNNING on a computer at any given time and frankly, I don't have ANY running in the background on my computer and have …

Ok, first of all to rikonos, the original poster of this problem, we need to know what your operating system is and if you have all the latest updates for your Microsoft programs.
Had you installed anything new prior to these errors occurring?
Have you done full system scans with your updated anti-virus program?

To Prof.Stendahl, you need to begin your own thread rather than posting within somebody else's thread. Even though the errors seem to be the same each computer is entirely different and what is causing your error may not be exactly the same thing causing rikonos.
Judy

Please try the following routine given in the MBA-M forum to see if you can get Malwarebytes to run.

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Full System and allow MBAM to fix anything found.

If the song files are infected then I doubt there is anything you can do to correct that but remove them, as they have probably been damaged. If the files are still on the computer then the computer IS still infected also.

I listen to it either in car music system/CD Player/Mobile

What is it that you are using to listen to these songs?

We would need to see some logs in order to have an idea of what may be going on with the computer.
First do the steps listed HERE but ignore step concerning Deckard Scanner and substitute instead HiJackThis.
Download HiJackThis
Do a full system scan with it and save the log.
Post back here with logs from Malwarebytes' Anti-Malware (MBA-M) and HiJackthis and then we can see what you may be dealing with, be sure to have MBA-M remove whatever it finds and then reboot the computer and run the HiJackThis scan.
Judy

This infects the computer via USB media drives and instant messaging clients Yahoo! Instant Messenger and Microsoft Windows Live Messenger, AOL IM. You also have to clean the USB drive also, if you don't each time you plug it in you will re-infect the entire computer.
I also must again caution against using combofix unless first being directed to do so by a helper on a forum like this one. It is for use only in special circumstances, incorrect use can definitely damage key system files.
When you run these scans...anti-virus for one thing, MBA-M for another, they must be updated and scans must be run on ALL DRIVES INCLUDING the USB drive.

=tkomo;

Okay these programs will help to get rid of this nasty virus.
Email me back if you have anymore trubs, I can help.

Tkomo

We don't work via email here at daniweb. All assistance is done within the forum itself.
Judy

What is this? BUNGIE I am not familiar with it, in fact don't believe I have ever seen this before.

#1 here is that you never have two anti-virus programs on one computer. This would be one reason neither work correctly and your protection was lowered. If both are old then uninstall both. If one is current then keep that one and totally Uninstall the expired one.
Then try the steps HERE, with the exception of Deckard Scanner as it is not available. Substitute instead HiJackThis.
Follow all steps if possible and then post back with the logs.
If you know that these downloads from Limewire were the culprits then uninstall those, and Limewire as well.
Judy

Can you open and leave opened..the RUN window? (START>>RUN)
Do you get any message when it won't open?
Do you have Administrator privileges on the machine?

We need to know operating system and also Internet Explorer version. How long has this been happening? Did you install anything new prior to the errors beginning? Have you done a scan with your updated antivirus program?
Check the Event viewer and see if it lists anything with Red X's around the time the computer restarts. Then record those and post them back here.
You also need to set the computer to Not reboot after the error
so you can record the blue screen error code and post it back here.
You can also stop this auto rebooting by doing this:
Right Click My computer, properties, Advanced, in Startup and Recoveryclick on settings and then Uncheck the Automatically restart option in the System failure area and click ok.

Follow all the steps given HERE, with the exception of Deckard Scanner instructions. That program is no longer available.
Substiture instead a full system scan with HiJackThis.
Post back here with all requested logs. DO allow all programs run to clean or remove all items found.

Use ESET Online Scanner. It definitely DOES remove items.
You will have to use Internet Explorer and turn OFF all security programs while scanning and removing.
Also try the Microsoft® Windows® Malicious Software Removal Tool for rootkit removal.

You don't need the Repair Console if you have the install disk.
See HERE.
Cohen, you never said how do you actually KNOW that you have a virus? The symptoms you show "can" be a virus but don't necessarily have to be caused by that either. Something you recently installed which is legitimate could cause these symptoms also. You are file sharing....this can be a big cause of the problem.
Have you done this step and then updated and run MBA-M again?

* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Full System and allow MBAM to fix anything found.

When I am coonecting to net the amount of Data received is significantly higher than the amount of Data sent

\\\\\\\\\\\\\\\\\\\\
i don't understand why you don't see this as normal .as you are receiving web pages and all the content that is on them so received should be higher ,right

also i like superantispyware to run also with malwarebytes ,its in my signature

Have been checking mine off and on since you posted this and I, like caperjack, have a higher received amount than sent amount.

You shouldn't have run combofix without first posting the MBA-M logs showing items fixed and then the HiJackThis log run after a reboot.
Also combofix was run from c:\documents and settings\ and it should have been run from the desktop.

The administration tools shows an empty message as well as games :/.. Help!

The games were obviously infected as they were removed by combofix.

I need to see the ORIGINAL MBA-M log and also the ORIGINAL HJT log.

Also now update MBA-M and run a new Full System Scan with it, have it REMOVE anything found and save the log. Reboot and run HJT and save the log.
Post back here with both logs.

Turn off that uTorrent for the duration. Also turn off IndieVolume
Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log
J