jholland1964 650

Did you try to run MBA-M in Safe Mode?
HiJackThis is rarely used anymore. Please follow the steps given in our Read Me First sticky and post back here with all logs.

jholland1964 650

Then I would say the AVG findings are a false positive. AVG is just not a very good anti-virus program. When researching your problem I found no other av program that found this file. I would advise you use a different anti-virus program, it certainly is one that I never recommend.
It rarely ranks among the highest or most reputable. My advice would be use [B][URL="http://www.filehippo.com/download_antivir/"]Avira Free 2012[/URL][/B] or [B][URL="http://www.filehippo.com/download_avast_antivirus/"]Avast Free[/URL][/B], but not AVG.
Your System restore is set way too large. You have restore points going back over six months. System Restore should never be used to go back that far, if it is used at all and then it should be only for a very few things.
Your Java is way out of date, you are running version 6 Update 25 and the most recent update is version 6 update 30.
Uninstall All Java listed in add/remove and then go here to download the latest version. [url]http://www.java.com/en/download/manual.jsp[/url]

Blahthing commented: Very Very helpful! +1

jholland1964 650

We need the second log from DDS and also a log, not a screen shot, from AVG

Also please upload this file C:\WINDOWS\system32\services.exe to [url]https://www.virustotal.com/[/url] for scanning.

Post back with that information given. Not a print screen, but full information.

jholland1964 650

AVG will not remove a trojan as you have found. You need to follow the steps given in our Read First sticky.

Run all the requested programs and allow them to clean whatever is found.
Then post back here with Copy/Pastes of all requested logs and we can then help you complete the removal.

jholland1964 650

Happy to help. Hope things are working well for you. Thanks also for identifying those start up which were unknown to me.
PhilliePhan gave me that avatar years ago at another forum and I like it also so I "carry it with me":)

jholland1964 650

I would suggest you begin from scratch, however, previous advice was reformat, present advice would be no different. HiJackThis is really no longer used that much and offers little if any information that can determine infection. The Read Me first sticky is what we would work from.
Yes, a recovery disk will wipe the drive and bring the computer back to its factory install condition. After 18 months and having no clean up done of the computer then that would be my recommendation. However, if you wish to start a new thread of course this is your option, but those tools in the Read me first sticky would be required, that is the only way we can get the information needed to proceed. If one tool doesn't work, go on to the next. DDS scanner, both logs are two of the key things that must be done. Without those we have no information whatsoever.
But after 18 months without doing anything my advice is a clean install. It would likely take you only a few hours to do so. You have waited 18 months to even think about returning so I am certain a clean up may very well be totally impossible; too much time has passed to even half way believe that this computer can be cleaned to the user's satisfaction.

jholland1964 650

You are aware that this thread is nearly 18 months old I presume. We have no idea what project or audits you are talking about here, or what tutorial you are talking about either. No one offered to post a tutorial. We recommended reformatting the machine, which would likely remove all malware because the drive would be wiped clean.

jholland1964 650

Did you turn off usb auto play as directed?
Please follow all the steps given in our Read Me First sticky and post back with all the requested logs. We really aren't able to offer much assistance until we can see the logs. Please run the tools and post back with copy/pastes of those logs


jholland1964 650

Really your log doesn't look bad. You have some definitely unnecessary auto starting programs that can consume unnecessary resources, all of these can be run manually when needed and that's my recommendation. A good program to control auto starts is the CodeStuff Starter
[url]http://www.snapfiles.com/get/starter.html[/url] Download, install. Open it.
It is pretty straight forward. Three tabs, Startups this shows auto starting programs, Processes, pretty much the same as Task Manager, maybe a bit more in depth, and Services, Same as Windows Services. This one program gives you everything in one package.
Choose the Startups Tab and Choose the All Sections at the top. This will show you everything listed that can appear as an auto starting program on the computer. The ones with the check marks next to them are the ones that ARE auto starting every time you start the computer, some will start up when the computer starts and then, maybe turn off, some will continue to run all the time in the background. Of course some of those you do want to auto start and do want to run all the time, your Comodo for instance. But there are others that are not needed to auto start or run all the time. The ones that startup and then stop, slow your start up time, the others slow startup time and consume resources. Here is a list of those that you can remove the check marks from the box next to the name, they definitely aren't needed, all can ...

jholland1964 650

What operating system do you have? You need to disable the auto play of the usb drives so that when you plug it in it won't automatically run. Sounds to me like there is possibly an infected file on the usb drive. Have you run a scan of the usb drive with your av program AND MBA-M?

See here to turn off Auto Play for whatever operating system you have. Also many, if not most AV programs can be configured to stop auto play when the devices are plugged in. This is done for your safety so that it stops the drive from auto playing and passing an infected file onto the computer. This won't stop the drive from being used, it will just have to be used manually.

jholland1964 650

Until I can see current full scan logs, done today with the fully updated programs I cannot say for sure that the laptop is clean.
One of the problems with the scan you did with MBA-M on the 30th of December is that it was done in Safe Mode.
Unless it is absolutely 100% impossible to get MBA-M to run in normal mode then safe mode can be used as a last resort, however, even in situations like that there is a small file that can be run to very often stop the running infection processes so that MBA-M can then immediately be updated and run a Full Scan in normal mode.
MBA-M does not scan all files in Safe Mode, even with a Full Scan, so there were some files that were not scanned in that Safe Mode scan.
Normal mode should generally always be used for all scans, unless it is impossible to do so.
While those two findings on that safe mode scan were "technically" not trojans they were downloaders, meaning they bring in other things.
While your Comodo Internet Security and SuperAntiSpyware scans have found nothing, that is not a 100% assurance that there is not something else on the computer, all three programs, Comodo, SAS and MBA-M look for different types of infections, two can be clean but a third may find something and if you have not updated MBA-M and run another Full Scan in Normal mode since that one done in Safe Mode then ...

jholland1964 650

Sorry HeidiGiller, We seemed to have overlooked your request for assistance. If you are still having difficulty I will be happy to assist. I have a suggestion, which I hope will simplify things a bit, work on one computer at a time. I would suggest beginning with the desktop, leaving the laptop powered completely off and disconnected from the home network. Get the desktop 100% clean and then begin with the laptop. To clean computers of malware/infection it is really most helpful if you have an additional clean computer to work through in order to be able to move cleaning tools back and forth from the clean computer to the infected computer while keeping the infected computer off line until it gets to the point where it can more easily go back online to finish the clean up.

One more thing, HiJackThis is rarely used today, it gives such a small picture of what may be going on that very often a log can look clean even when a very serious infection is at work on the computer.
Today the scanner tool most used, especially on computers running Vista and Windows 7 is the DDS scanner which gives a much more in depth picture. It is also used most of the time today on XP computers too.

If you still want assistance, begin with the desktop and follow the steps given in our Read Me First Sticky

Use all the tools and post back here with copy/pastes of all logs ...

jholland1964 650

No problem between SpywareBlaster and Avira, I also use it and have for many years along with Avira.

This "concern" comes from the new possible compatibility Caution that shows before a new version of Avira is installed. [B]This is just a general caution and not an ORDER to uninstall any of the programs mentioned in the warning prior to install.[/B] The install file scans the computer for any programs installed that MAY cause a problem; it does not say it will cause a problem. It is just an Alert of POSSIBLE conflicts and you do not need to uninstall these software programs mentioned during the install. It is only there to make the user aware of the possibility.

It truly only applies to programs that also RUN real time protection...this is where the problem "may" come in, though not always either. This includes Resident SDHelper and Resident TeaTimer, Malwarebytes' Anti-Malware Paid version, which has realtime protection, SUPERAntispyware Paid which also has realtime protection.

jholland1964 650

And one more. You will receive this large pop up when one of the updates occurs. It is just the "price" you pay for using the Free version. Just click the "x" in the right corner to close it out.
There is one update built into the program, automatically scheduled to occur around the time of your original install. The one you schedule will be one additional update for the day. I suggest that you make it 10 to 12 hours different from the time of the built in one. This way you are assured you have all the daily updates.

jholland1964 650

Here are the rest;

jholland1964 650

Here are print screens to show you how to set up Avira correctly, they are pretty self explanatory, any questions don't hesitate to ask.
This will take me two replies to get all the print screens on here.

jholland1964 650

[QUOTE=natakudragoon;1729558]yay! i turned windows defender off and ran the norton removal tool. i installed avira with no problems and installed comodo firewall too. :)
i kinda got ahead of myself though, is there certain settings i should set avira and comodo to? or should i post something for you guys to make sure my laptop is 100% safe now?[/QUOTE]
I am going to advise against that Comodo Firewall. It does not work well with Avira. This is noted at Avira also. I would advise you keep Avira, it is one of the top three av programs around but I would Uninstall the Comodo and go with PC Tools Firewall. It works very well with Avira and is one they recommend to use with their program.
Uninstall Comodo.
Then install PC Tools Firewall from here:


Also add, if you have not yet, SpywareBlaster. Truly a MUST HAVE for all computers. It blocks spyware, adware, browser hijackers, and dialers, and also will:
• Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
• Block spying / tracking via cookies.
• Restrict the actions of potentially unwanted or dangerous web sites.
It is FREE and it does NOT run in the background.
Download, Install, Update, Enable all protection and close the program. Check manually for updates every couple weeks. If there is an update available it will download and when it is finished be sure to Enable all protection again and close the program.

Direct download from this link;


jholland1964 650

I am having PP take a look at this, he gave me the script to give to you. You will just have to wait until he can respond, sorry.

jholland1964 650

Try this:

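copy and paste this to [B]notepad[/B]:

[CODE]
rem Stop the WMI service (/y also stops the services that depend on it)
net stop winmgmt /y
cd /d %windir%\system32\wbem
rem Set the existing repository aside so WMI rebuilds it when it starts again
if exist repository ren repository repository.bad
net start winmgmt
[/CODE]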

save it to desktop as Fix.bat and then close all windows and run it.
REBOOT and see if problem remains.

jholland1964 650

It has to be on the computer, it cannot be uninstalled, it is part of the Windows 7 System, it can only be turned off,

Try this:
To enable the viewing of hidden and protected system files in Windows 7 please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button in the lower left corner of your screen that has a Windows flag on it.

Click on the Control Panel menu option.

Now click on the Show hidden files and folders option as shown by the red arrow in Figure 2 above.

Under the Hidden files and folders section select the radio button labeled Show hidden files, folders, and drives.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files (Recommended).

jholland1964 650

[QUOTE=natakudragoon;1729434]it's not listed there either..... :([/QUOTE]
Positive...It is in the "W"'s See my attached.

Think we will have to have somebody else take a look here. Obviously more damage than we thought.

jholland1964 650

Notice I said if not in your programs folder. then go to [B] Services.[/B]
Go to Start and in the search box type [B]services.msc[/B]
Now when that opens the Windows Services are all in alphabetical order so scroll down and look for Windows Defender. I guarantee it IS listed there. Then turn it off.

jholland1964 650

Are you certain you entered the script correctly? One of those still remains, and Windows Defender was enabled. It must be turned off.

Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.

Click Tools, and then click Options.

Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Also, go into Administrative Tools, Services and make sure that Windows Defender is Disabled. Double click the entry to open the properties. If it shows as running Stop it. Then change the startup type to Disabled. Then reboot.

jholland1964 650

[QUOTE=natakudragoon;1729356]the laptop restarted itself before combofix created the logs, is that normal?[/QUOTE]
Yes, it can do that.

Now do the following:
Open Notepad Go to Start> All Programs> Accessories> Notepad [B]( this will only work with Notepad ) [/B]and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above SecCenter::


Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe which still should be on the desktop.
This will start ComboFix again. Ignore any warnings about Norton. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

jholland1964 650

Ok, let's do this again:
Please download ComboFix by sUBs from


Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

jholland1964 650

Well your DDS log clearly shows Norton as installed though disabled but it also shows Windows Defender as Enabled. This might be the cause of the problem with removing Norton. Windows Defender interferes with pretty much anything tried by any other security program. Turn it off and leave it off.

[B]AV: Norton Internet Security Disabled[/B]/Outdated {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: [B]Windows Defender Enabled[/B]/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: [B]Norton Internet Security Disabled[/B]/Outdated {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: [B]Norton Internet Security Disabled[/B] {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

Turn off that Windows Defender and try running that Norton Removal tool once more and then run DDS once more and see if Norton still shows.

jholland1964 650

Run another DDS scan and post the logs, it obviously isn't gone.

jholland1964 650

[QUOTE=natakudragoon;1728133]i downloaded avira from their website, however when i try to install it, it says i should manually uninstall norton internet security, but it's not in my uninstall programs list.

should i just continue with installation??[/QUOTE]
No most definitely not.
Go here and get the Norton Uninstall Tool for your product and run it first.

After you run that and it's removed then do the Avira install. Be absolutely positive you use the Custom install so you don't take that Askbar and Webguard. You don't need either of those.

jholland1964 650

You have two anti-virus programs on there:
AV: Lavasoft Ad-Watch Live! Anti-Virus Enabled/Updated
AV: Microsoft Security Essentials Disabled/Updated

Your log shows the TDSSKiller was run, do you have a log?

We need a log from MBA-M, Fully updated Full Scan.
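
The AV:/SP:/FW: lines read out of the DDS logs in this post and in the Norton/Windows Defender post further up can be checked mechanically; the following is an added example, not part of the forum posts and not code from DDS. The names `Product`, `parse_products` and `review`, and the triage rules in `review`, are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Header lines quoted in the posts above (forum bold tags left out).
NORTON_LOG = """\
AV: Norton Internet Security Disabled/Outdated {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender Enabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security Disabled/Outdated {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security Disabled {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
"""
TWO_AV_LOG = """\
AV: Lavasoft Ad-Watch Live! Anti-Virus Enabled/Updated
AV: Microsoft Security Essentials Disabled/Updated
"""

Product = namedtuple("Product", "kind name enabled definitions guid")

# kind, product name, state, optional definition status, optional GUID.
# Asterisks around the state are tolerated in case a log uses them.
LINE_RE = re.compile(
    r"^(AV|SP|FW):\s+(.+?)\s+\*?(Enabled|Disabled)"
    r"(?:/(Updated|Outdated))?\*?(?:\s+\{([0-9A-Fa-f-]{36})\})?\s*$"
)

def parse_products(log_text):
    """Return a Product for every AV:/SP:/FW: line; other lines are skipped."""
    products = []
    for raw in log_text.splitlines():
        line = re.sub(r"\[/?B\]", "", raw).strip()  # drop pasted forum bold tags
        match = LINE_RE.match(line)
        if match:
            kind, name, state, definitions, guid = match.groups()
            products.append(Product(kind, name, state == "Enabled", definitions, guid))
    return products

def review(products):
    """Hypothetical triage rules: overlapping products, stale registrations."""
    notes, by_kind = [], {}
    for p in products:
        by_kind.setdefault(p.kind, []).append(p)
    for kind, items in by_kind.items():
        names = sorted({p.name for p in items})
        active = sorted({p.name for p in items if p.enabled})
        if len(active) > 1:
            notes.append(f"{kind}: more than one enabled: {', '.join(active)}")
        elif len(names) > 1:
            notes.append(f"{kind}: more than one registered: {', '.join(names)}")
    for p in products:
        if not p.enabled and p.definitions == "Outdated":
            notes.append(f"{p.kind}: {p.name} disabled and outdated, check for a leftover install")
    return notes

if __name__ == "__main__":
    for log in (NORTON_LOG, TWO_AV_LOG):
        print("\n".join(review(parse_products(log))), end="\n\n")
```

The parser accepts a whole pasted log, so it can be pointed at the full DDS.txt text rather than only the header lines.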

jholland1964 650

Avira is absolutely MY choice. Without a doubt! It consistently scores in the top 3 on most independent unpaid testing. I recommend it highly.