Posts by jholland1964

Kevin, just noted in your Combofix logs that at least a portion of Norton remains on your system...Norton Internet Worm Protection.
This needs to go also.
Try running the Norton Removal Tool to get rid of this remainder.
Judy

Good. Now Update MBA-M and run a new Full System Scan with it. Allow it to Remove All that is found.
Reboot the computer and run a new HJT Full System Scan and save the log.
Post back here with both of those new logs.
Judy

Caution to all reading this thread. The script below is for THIS poster ONLY. It is not to be used or copied by anyone else. It is for use on this ONE computer.

Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
Open Notepad and copy/paste ALL of the text in the below code box into it

KillAll::

File::

c:\windows\system32\pusupuro.exe
c:\windows\system32\pusupuro.exe
c:\windows\system32\dutudari.exe
c:\windows\system32\dutudari.exe
c:\windows\system32\vabazaja.exe
c:\windows\system32\vabazaja.exe

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
· Post back here with that log.

Honestly looks a bit worse than before. You need to TURN OFF, or better yet UNINSTALL that BitTorrent program, this opens a door directly to your computer and allows that many more items onto the computer.
After that is NOT RUNNING then do the following:
download ComboFix
Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Close all open Windows including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
double-click on the ComboFix icon found on your desktop
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all.
You will receive a prompt from Windows.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. …

Looks somewhat better. A few items left there however.
1st of all Disable Spybot's TeaTimer as it can interfere with any other fixes we need to do.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

After reboot I would also recommend that you Uninstall AdAware. While it used to be an excellent program, recent versions just don't perform as the older ones did, plus it has a Service in this new one that runs all the time and unless you are running the Paid version it does nothing but run.
I would Uninstall it via Add/Remove, reboot after the removal.
Also do a search on the computer, Start, Search, Files and Folders and be sure to use Advanced Search to search through Hidden Files and Folders and search first for Norton, Delete all that is found and then search for Symantec and delete all that is found.

Then do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need …

Please ignore the above advice and follow the advice I have given in Post #2. We will need to see new logs from HJT run AFTER the MBA-M scan and fix before making determinations on what steps should be taken next.
Judy

Hi Meros, Welcome to daniweb.
First of all I see by your log you are running TWO anti-virus programs on the machine, Norton and Avast. This is an absolute No-No. One of them must be completely UNINSTALLED. If the Norton is current and not expired since it is a paid program you can leave it and Uninstall Avast. BUT if Norton is Expired then UNINSTALL Norton. You should do the Uninstall via Add/Remove. Do this FIRST.
AFTER you have uninstalled that extra anti-virus program then do the following:
Run HJT again and place a check mark next to the following entries:
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

When you have those check marks in place then click the Fix Checked button.
Exit HJT.
Then do this:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' …

Godsp3ed, you really need to do some better research before posting information

jrb, Please follow MY instructions and ignore info given by Godsp3ed.

Your Hijackthis log looks clean, there's just one thing i found..

O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\

Fix it by checking the box next to the entry and clicking 'fix checked'...search for a file named bbfedbbfedfccdbee.dll inside C:/Windows/system32 if it exists and delete it, restart and run hijackthis...If you still see that file exists then download the application below and delete the file using it..

UltraShredder

The HJT log is NOT completely clean. There are three items noted by me in the previous instructions which should be fixed using HJT.

The file you noted was removed earlier when the poster ran combofix listed in a previous thread. There is NO NEED to download another program for removal. Removal of the HJT entry with HJT will be sufficient.

Looks much better. One of the items found was MyWebSearch. You need to do the following just to be certain there are no remainders:
Go to Start, Control Panel, Add/Remove and look for any of the following:

My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way
FunWebProducts.
Uninstall Any of the above items you may find there. If you DON'T find any that is fine. We just want to be certain.

Once you have done the uninstalls then run HJT again and place a check mark next to the following entries if they remain:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer and run a new HJT scan and post that log back here.
Judy

First of a a big word...CAUTION...you should never run Combofix unless first directed to do so by a helper. It can do severe damage to the computer if run at the wrong time.
First thing to do now is
Disable Spybot's TeaTimer as it will interfere with fixes done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Next do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start …

Please do the following:
download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
Run a new HJT scan and save the log.
Post back with the MBA-M log and the new HJT log.
Judy

Did you actually wipe the drive?

Hi Crunchie,
Thanks for the reply. I clicked on the link to OTMoveIt you sent but the page is not found. Is there another link you can send me please to download OTMoveIt?

Thank you Crunchie!

It appears this is no longer available. Crunchie will get back with you ASAP. Just hang it there.
Judy

i suggest you to reformat your computer and don't forget to back up all important files. I recommend you to install REGISTRY and SPYWARE software . And i recommend you to install AVAST ANTI VIRUS as well.

Hope this could help you.

algismorales,
Crunchie has not given you this advice so continue with HIS instructions and ignore the above.
Judy

If you don't know how to boot to safe mode, instructions can be found
HERE

Update and run MBA-M one more time and see if it comes up clean. Of course remove anything found and post back with that log.

Sorry Algis,
Please do this:
Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.

Open Notepad and copy/paste the text in the below code box into it

KillAll::

File::
d:\WINDOWS\system32\arwehdx.dll
D:\WINDOWS\system32\fxjjtlhq.dll

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced please post back with that log.

Reboot the computer and then run a new HiJackThis scan and post the log.
Judy

Of course reboot if you have not done so.
Then run HJT again and post the new log.

First of all
Disable Spybot's TeaTimer as it can interfere with fixes attempted.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Next do the following, you will probably have to download to another computer and load then either on a CD or Flash drive and take it to the infected computer OR if you can, try to Boot to Safe mode with Networking and try it with the infected computer. It is possible that the infection won't load in safe mode.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. …

Good enough.

Ok, the bulk of those found were in the Norton Quarantine. Empty that quarantine. They really shouldn't hurt anything because they are LOCKED up, but get rid of them you don't need them.
The other one was found in combofix quarantine, leave that for now we will get rid of it later.
I am concerned with the MBA-M log, it shows that there was no action taken on any of those found. Update it, run a full scan again and this time Remove Selected.
Reboot.
Post back with that log.

Please run the ESET Online Scanner and attach the log.
# You will need to use Internet Explorer to to complete this scan.
# You will need to temporarily Disable your current Anti-virus program.
# Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
# When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us

First of all:
Disable Spybot's TeaTimer as it can interfere with fixes done or attempted.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Second, since you didn't post the MBA-M log we have no idea what was removed or the locations of these infections. We NEED to see that.
Please UPDATE MBA-M and then do a FULL SYSTEM scan with it.
Be sure the option to REMOVE is checked.
Reboot the computer.
Then post back here with BOTH of those MBA-M scan logs.

No, there are just some online scans that don't work for everyone.
Try one of these, all don't give the option to remove but do produce a log.

http://support.f-secure.com/enu/home/ols.shtml

http://www.pandasoftware.com/products/activescan.htm

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/housecall/start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. I don't believe Trend Micro produces a log, if it does of course save it. If not please make note of the names and locations of anything found
When the scan is finished, please restart your computer.

Update MBA-M. Run another Full System scan with it and of course have it REMOVE EVERYTHING found.
Reboot.
Run another HJT scan, save the log and post back here with the MBA-M log, and HJT log.

Go to http://virusscan.jotti.org/
Upload these two files there for scanning and see what they show

d:\windows\system32\fxjjtlhq.dll

d:\windows\system32\arwehdx.dll

It will take awhile to read this log, as you can well imagine. Will get back with you ASAP.
Judy

Hi jholland,
Alright, done!

When I try to cut and paste the Combofix log on this quick reply thread, the screen will freeze and the page stops responding. Is it possible that due to the long length of the log, it gives me this trouble?
How can I send you the log?

Algis

Yes, it is possible because of the length, others have had this problem. Attach the log as a .txt file.
Look below the reply box when you are replying and you will see the button that says Manage Attachments.
Click that button and then a box will pop up which has a button which says Browse. Click that button and you will be given the options of where on your computer the attachment will come from.
Click that file, the name and location will appear in the box then click the Upload button. The file will be uploaded from your computer and attached to your post.
Judy

Please do the following;
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually …

Try running System File Checker:
To run the System File Checker, follow these steps:

1. Click Start, click Run type sfc /scannow, and then press ENTER.
2. Follow the prompts throughout the System File Checker process.
3. Restart the computer when System File Checker process is complete.

This file is an integral part of Internet Explorer. Try a repair of IE by going to Start, Control Panel, Add/Remove. Click on Internet Explorer and try a Repair.

Did you in fact reboot?
If not do so now. Please update MBA-M and run another Fulls System Scan. Remove all that is found.
Reboot. Post back with the results.

Note: When I ran Malwarebyte's Antimalware and removed the selected infected items, I got a notice saying that a few items were not able to be removed.

Those would be those noted "Delete on Reboot". Reason then can't be removed immediately is the files are in use.
This means you must reboot the computer in order for these to be removed. When the computer is rebooted MBA-M can then reboot them BEFORE they are put into use again
I always recommend a reboot after running MBA-M and also the ESET scanner just as a matter of course.
So reboot the computer now if you have not done so yet. Otherwise these won't be removed.
Can you download and run HiJackThis and give me both the Full System Scan log and also the Uninstall List.

Start Up, Control Panel, Administrative Services. You will find it in there.

Have you checked Event Viewer for noted items around the time of these crashes?

I doubled clicked Recycle Bin and still get the error message.

What is the full error message you get? Have you checked Event Viewer for noted items around the time of these crashes? It should tell you quite possibly what is actually causing these crashes. I would need the full info on any of the noted items.

Can you tell me where in MY post did I mention the Microsoft AutoPlay Repair Wizard? I never said a thing about it. I was not commenting in any way shape or form about the Microsoft AutoPlay Repair Wizard. I was speaking solely about combofix. I quoted the original poster and our Moderator Crunchie, you were not quoted, I was not speaking about anything that you wrote.

What did spybot find?

Ok. Just wondered as I seldom see so few auto starts unless the scan is run in safe mode...:)
Really don't see much out of the ordinary in the log other than the small number of auto starts. Is there a reason you have never updated your browser to IE7?
How much RAM do you have on the system?
You say you ran Spybot, did it find anything and if so, what?

Do the following;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.
Run a new scan with HJT after the reboot and save the log.
Post back here with both of those logs.

Originally Posted by AndyOne

Yeah...I should have mentioned...that Repair Wizard doesn't fix it, either. Thanks anyway. At least now that I know I shouldn't use just any old program someone on a forum suggests!

I am going to reiterate what Crunchie has said;

Shouldn't be using combofix anyway without instruction. It can mash your whole OS if you do something wrong.

Combofix is a VERY SPECIALIZED tool, NEVER, EVER to be used without FIRST being instructed to do so under the supervision of someone who has been trained in its use It is NOT your ordinary, "garden variety" clean up tool.
It is only recommended in special circumstances.
If it IS recommended within a specific thread then that recommendation applies ONLY to that SPECIFIC computer and under those SPECIFIC circumstances. Using it when it is not needed or incorrectly can result in permanent damage to the computer.

Combofix updates frequently.
Combofix should NEVER remain on the computer after the computer is deemed clean and used again or over and over. It should be UNINSTALLED, NOT just DELETED, following the strict uninstall instructions which will be given once the clean up is complete for that specific problem.

All this said, today some malware removal tools, now including Combofix, already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled..WHY? Because malware authors have begun to exploit the autorun/autoplay feature which can spread infections from computer …

Not just in start up programs also in services.

The 017 entry does concern me. What is that?

SBC Internet Services, is that your internet provider?

Turn Off TeaTimer, it can interfere with fixes done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Now, can I ask, what all do you have disabled from auto start? Go back into msconfig and put a check mark in Normal Start and then reboot.
Can you go back into msconfig and re-enable everything? We need to know what's on there.

Just to be safe I would recommend that you also do an online scan with ESET Online Scanner.
* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is
checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. If items ARE found then post that log for us here.

Reboot the computer
Next please do the following right click on the desktop and choose New, Folder. Then Name this folder HJT: Download
HiJackThis to the new folder you created on the desktop.
Open the folder and double click the HiJackThis Icon to open the program
Run a full system scan and save the log and post it please.

Malwarebytes' Anti-Malware (MBA-M)
download, install and update.
Single file scanning is not slow. Right Click that file and choose Scan with Malwarebytes' Anti-Malware.
One should never save or transfer files until you are certain they are clean. If they are infected then yes, the infections quite possibly transfer to the meda you are using to save them on...cds, dvd, floppy disk, flash drive...another computer or hard drive. Doesn't matter.
You have a suspicion there is infection on the computer, you need to get it clean before doing and file transfer or saving. Any anti-virus program can have false positives, BUT...something in those pop ups don't look right to AVG, I take that as a good warning additional cleaning should be done.
MBA-M is pretty much top of the line right now for scanning and removal of infections. Quick scan is just that, quick, doesn't scan all the files on a computer but does scan key ones, should take a few minutes.
Full scan is longer depending on the size of the hard drive and how many drives you choose to scan. Can take up to an hour or a bit more, again depending on the size of drives you are scanning. But it scans each and every file.

Worth a try, you really have nothing to lose if you cannot use the computer anyway.

No, I don't believe that it would. Do you have recovery disks?

Try safe mode with networking. This will load minimal items but enough to get it online. See if Norton is still installed on there, if it is UNINSTALL it. Then try installing Avast, update it and run a scan with it. Let it remove what it finds. IF you are able to accomplish that then download Malwarbytes' Anti-Malware (MBA-M) to the desktop. Install and update it.
THEN attempt to boot to normal mode. MBA-M is not designed to run in Safe Mode.
If you are able to boot to normal mode then run a Full System scan with MBA-M. Have it REMOVE all that is found. Save the log.
Then download HiJackThis and run a Full System scan with it. Save the log and post back with both logs...GOOD LUCK