Homepage

Discussion in 'Security and Privacy' started by ugostar, 2004/06/24.

Thread Status:
Not open for further replies.
  1. 2004/06/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    My homepage keeps going to "about blank". I also ran a Spybot search and get a winlgn.exe that it says is write protected and cannot be deleted. I am running XP. Thanks for your help.
     
  2. 2004/06/24
    PLansdowne

    PLansdowne Inactive

    Joined:
    2001/12/30
    Messages:
    175
    Likes Received:
    0
    Have you used CTRL+ALT+DEL to bring up the task manager and "End Task" on Winlgn.exe? Once you've done that you should be able to delete the file (make sure you don't delete winlogon.exe).
     

  4. 2004/06/24
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    MoveOnBoot can help.
    It would not be a bad idea to get HijackThis, and unzip it into its own folder.
    Do a Scan, when it is done, the Scan button changes to Save Log. It will open in Notepad, and post the log on here, and it will be looked at to see if you are clean. The link is below.
     
  5. 2004/06/25
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    I have installed HijackThis but I do not know how to make a copy of the list to show you.
     
  6. 2004/06/25
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    After HJT has scanned the scan button turns to Save Log. Hit this button and save the log file as a *.txt file to, say, My Documents. Open it in Notepad, copy and paste it here.
     
  7. 2004/06/27
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Here is what HijackThis said:
    Logfile of HijackThis v1.97.7
    Scan saved at 12:07:48 AM, on 28/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\crmd32.exe
    C:\WINDOWS\system32\sdkqc32.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
    C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Rossi\My Documents\HijackThis.exe
    C:\WINDOWS\System32\MsiExec.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfrix.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfrix.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfrix.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfrix.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: (no name) - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll
    O4 - HKLM\..\Run: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [atluk.exe] C:\WINDOWS\system32\atluk.exe
    O4 - HKLM\..\RunOnce: [apidh32.exe] C:\WINDOWS\system32\apidh32.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: http://*.63.219.181.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87169DCB-48C2-41FA-8DC0-DA98C02B46FC}: NameServer = 203.0.178.191
     
  8. 2004/06/28
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You have a lot of stuff there you do not want.
    You should remove these items with all browsers and Windows Explorer closed.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfrix.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfrix.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfrix.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfrix.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    O2 - BHO: (no name) - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll
    O4 - HKLM\..\Run: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
    O4 - HKLM\..\RunOnce: [atluk.exe] C:\WINDOWS\system32\atluk.exe
    O4 - HKLM\..\RunOnce: [apidh32.exe] C:\WINDOWS\system32\apidh32.exe
    O4 - Global Startup: winlgn.exe
    O15 - Trusted Zone: http://*.63.219.181.7

    Reboot.
    Delete these files.
    C:\WINDOWS\system32\sdkqc32.exe
    C:\WINDOWS\system32\atluk.exe
    C:\WINDOWS\system32\apidh32.exe
    C:\WINDOWS\system32\winlgn.exe
    C:\WINDOWS\jfrix.dll
    C:\WINDOWS\msue32.dll

    Then please post a new HJT log.
     
  9. 2004/06/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm very curious as to why Internet Explorer is running out of C:\WINDOWS\ServicePackFiles\i386\iexplore.exe instead of C:\Program Files\Internet Explorer, where it should be. Did you create a shortcut from that path?

    You should first create a new folder and place HijackThis.exe into it. That will keep all of the backups together instead of scattered throughout your Documents folder.

    One of the hijacks you have requires some special removal. After fixing the items listed by markp62 with HijackThis, do not yet reboot. Instead download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

    Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

    Reboot and post a new HijackThis log along with the report from About:Buster.
     
    Last edited: 2004/06/28
  10. 2004/06/28
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    I downloaded and ran About:Buster and it removed a lot of stuff but it keeps stopping with a 'run time error 75' 'path file access error'.
    The 2 main problems are I keep getting an AVG message popping up saying
    Virus
    Trojan horse Backdoor.Agent.BA
    is found in file
    c:\WINDOWS\system32\comfeo.dll
    and now it keeps trying to load Windows Publisher.
    I appreciate the help and assistance I am receiving.
     
  11. 2004/06/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Download TheKillbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\comfeo.dll

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Reboot when prompted.

    Scan with RAV. If any infected files are found, check the box to autoclean and rescan. If anything is uncleanable, click report then copy and paste it here, along with a new HijackThis log.
     
  12. 2004/06/30
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    I downloaded the Killbox and then scanned it with the RAV Antivirus and this is what it came up with. I hope this helps. The main virus is the
    windows system32 comfeo.dll and it keeps trying to load Publisher.

    Scan started at 30/06/2004 11:19:53 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe - Trojan:Win32/StartPage.AI -> Infected
    C:\Documents and Settings\Rossi\Application Data\owmc.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\bi.cab->biprep.exe - TrojanSpy/Win32.BiSpy.A -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\bi.exe - PWS:Win32/Bispy -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\sdexe.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\xxxvideo.com - Trojan:Win32/Startpage.F -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\ICD8.tmp\ISTactivex.dll - TrojanDownloader:Win32/IstBar.EN -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temp\Temporary Internet Files\Content.IE5\5T8IOODT\nocheat[1].jar->Parser.class - Java/Bytverify -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temporary Internet Files\Content.IE5\78WVX6NB\arc[1].zip->VerifierBug.class - Java/Bytverify -> Infected
    C:\Documents and Settings\Rossi\Local Settings\Temporary Internet Files\Content.IE5\T9BGNU6E\bridge[1].cab->bridge.dll - PWS:Win32/Briss -> Infected
    C:\Documents and Settings\Rossi\My Documents\backup-20040629-181324-689-winlgn.exe - Trojan:Win32/StartPage.AI -> Infected
    C:\Documents and Settings\Rossi\My Documents\backup-20040629-181358-984-winlgn.exe - Trojan:Win32/StartPage.AI -> Infected
    C:\WINDOWS\crcr32.exe - TrojanDownloader:Win32/Agent.AN -> Infected
    C:\WINDOWS\ctxiyn.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\fcqzck.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\ghgtqr.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\jealdj.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\netnm.exe - TrojanDownloader:Win32/Agent.AN -> Infected
    C:\WINDOWS\nogovo.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\n_gjqmlc.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\n_hnrimk.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\quidam.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\sdkzd.exe - TrojanDownloader:Win32/Agent.AN -> Infected
    C:\WINDOWS\srwpmh.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\tmcpgx.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\yorvyg.dat - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\system32\ddnon.dll - Trojan:Win32/StartPage.GV -> Infected
    C:\WINDOWS\system32\gelem.dll - Trojan:Win32/StartPage.GV -> Infected
    C:\WINDOWS\system32\ibjfn.dll - Trojan:Win32/StartPage.GV -> Infected
    C:\WINDOWS\system32\jiijkga.dll - Trojan:Win32/StartPage.GV -> Infected
    C:\WINDOWS\system32\mae.dll - Trojan:Win32/Startpage.GV -> Infected
    C:\WINDOWS\system32\mess.exe - Clicker:Win32/Small.W -> Infected
    C:\WINDOWS\system32\pmbnne.dll - Trojan:Win32/StartPage.GV -> Infected
    C:\WINDOWS\system32\sdkqc32.exe - TrojanDownloader:Win32/Agent.AP -> Infected
    C:\WINDOWS\system32\sysqe32.exe - TrojanDownloader:Win32/Agent.AN -> Infected

    Scanned
    ============================
    Objects: 26932
    Directories: 1485
    Archives: 6323
    Size(Kb): 122739
    Infected files: 35

    Found
    ============================
    Viruses found: 13
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 155
     
  13. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow! You may want to print this out, or save it to text where you can access it in safe mode.

    With system restore still disabled, run another HijackThis scan. If any of those infected files are on an O4 Run line, check them and fix.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Open My Documents and delete the two backup files.

    backup-20040629-181324-689-winlgn.exe
    backup-20040629-181358-984-winlgn.exe


    Open C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete the file winlgn.exe.

    Open C:\Documents and Settings\Rossi\Application Data and delete the file owmc.exe.

    Open C:\WINDOWS and delete all of the files listed by RAV in that location.

    crcr32.exe, ctxiyn.dat, fcqzck.dat, ghgtqr.dat, jealdj.dat, netnm.exe, nogovo.dat, n_gjqmlc.dat, n_hnrimk.dat, quidam.dat, sdkzd.exe, srwpmh.dat, tmcpgx.dat, yorvyg.dat

    Open C:\WINDOWS\system32 and delete all of the files listed by RAV in that location.

    ddnon.dll, gelem.dll, ibjfn.dll, jiijkga.dll, mae.dll, mess.exe, pmbnne.dll, sdkqc32.exe, sysqe32.exe

    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan again with RAV and post the report along with a new HJT log.
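
The cross-check asked for in the post above (are any scanner detections also on an O4 startup line?), combined with the path question noahdfear raises earlier in the thread about iexplore.exe, as an added example that is not part of the original thread. The sample lines are copied from the logs posted here; the function names and the `EXPECTED_DIR` table are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname  # ntpath parses Windows paths on any OS

# Sample lines copied from the HijackThis and RAV logs posted in this thread.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfrix.dll/index.html#96676
O4 - HKLM\..\Run: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: winlgn.exe
"""
RAV_REPORT = r"""
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe - Trojan:Win32/StartPage.AI -> Infected
C:\Documents and Settings\Rossi\Application Data\owmc.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
C:\WINDOWS\system32\sdkqc32.exe - TrojanDownloader:Win32/Agent.AP -> Infected
"""

# Assumed table: folders these binaries normally run from, as stated in the thread.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "winlogon.exe": r"c:\windows\system32",
}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>.+?)\] )?(?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|dll))\b', re.I)
RAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?:->.+?)? - (?P<threat>\S+) -> Infected$")


def parse_hjt(log):
    """Split a HijackThis log into running processes, R0/R1 values and O4 autoruns."""
    procs, pages, autoruns = [], [], []
    for line in (raw.strip() for raw in log.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
        elif line.startswith(("R0 - ", "R1 - ")):
            key, _, value = line[5:].partition(" = ")
            pages.append((key, value))
        elif (m := O4_RE.match(line)):
            # Strip quotes and arguments so only the program path is compared.
            exe = EXE_RE.match(m["cmd"])
            autoruns.append((m["where"], exe["path"] if exe else m["cmd"]))
    return procs, pages, autoruns


def parse_rav(report):
    """Return {lower-cased file path: threat}; archive members map to the container."""
    hits = {}
    for line in report.splitlines():
        if (m := RAV_RE.match(line.strip())):
            hits[m["path"].lower()] = m["threat"]
    return hits


def triage(hjt_log, rav_report):
    """List (kind, detail) findings worth a second look before fixing anything."""
    procs, pages, autoruns = parse_hjt(hjt_log)
    infected = parse_rav(rav_report)
    infected_names = {basename(p) for p in infected}
    findings = []
    for proc in procs:
        want = EXPECTED_DIR.get(basename(proc).lower())
        if want and dirname(proc).lower() != want:
            findings.append(("process-path", proc))
    for _key, value in pages:
        if value.lower().startswith("res://"):  # page served from a local DLL
            findings.append(("res-page", value))
    for where, path in autoruns:
        # Global Startup lines carry only a file name, so fall back to a name match.
        full = path.lower()
        if full in infected or ("\\" not in full and full in infected_names):
            findings.append(("infected-autorun", f"{where}: {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(HJT_LOG, RAV_REPORT):
        print(f"{kind:17} {detail}")
```

A match on file name alone (the Global Startup case) is weaker evidence than a full-path match and should be confirmed against the Startup folder contents.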
     
  14. 2004/07/06
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    homepage

    Edit note: I merged the new thread with the existing one. Newt

    I started this a while back and lost track so I will start again. I have one Virus

    "Trojan horse Backdoor.Agent.BA
    is found in file
    C:\WINDOWS\system32\comfeo.dll"

    No antivirus can kill it. They all recognise it but say unable to delete virus.
    Can someone please help it is driving me crazy.
    Thanks for your help
     
  15. 2004/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post a new HijackThis log, along with a current RAV scan report.
     
  16. 2004/07/06
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
  17. 2004/07/07
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    I did a scan on Trojan scan and this is the result, and also a HijackThis log. Hope it can help.


    Starting scan at 21:26:22:712...
    Scan Memory
    Memory not infected
    Scan folder: 'C:\', recursive
    Unable to scan C:\System Volume Information - Access is denied.
    Unable to scan C:\WINDOWS\$NtUninstallKB828035$\$NtUninstallKB823182$ - Access is denied.
    Unable to scan C:\WINDOWS\$NtUninstallKB835732$\$NtUninstallKB825119$ - Access is denied.
    Finished scan at 22:03:50:224
    Total number of files is 27839, number of infected files is 0
    Average files per second is 12, average file size is 8805979
    Logfile of HijackThis v1.97.7
    Scan saved at 10:13:25 PM, on 7/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ntss.exe
    C:\WINDOWS\system32\sdkqc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\ASM.exe
    C:\Documents and Settings\Rossi\My Documents\HijackThis.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Altnet\Download Manager\adm.exe
    c:\windows\temp\adware\fsg_4104.exe
    C:\Documents and Settings\Rossi\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hwcyn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hwcyn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hwcyn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hwcyn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hwcyn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hwcyn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: (no name) - {41F3CA6F-89B1-AA39-EC13-EFBD507CB60F} - C:\WINDOWS\system32\atllm32.dll
    O4 - HKLM\..\Run: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104.exe "
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
    O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: http://*.63.219.181.7
     
  18. 2004/07/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You are or were using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
    P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone to completely purge it from the system. Make sure to get the available LSPFix, just in case. Additionally, there is another new 'nasty' virus using P2P networks to spread itself. More here.


    Create a new folder in your documents. Name it HJT. Download the new version of HijackThis, v1.98, and save/unzip to that folder. Scan again and place a check next to the following entries. Close ALL other windows and click fix.


    O2 - BHO: (no name) - {41F3CA6F-89B1-AA39-EC13-EFBD507CB60F} - C:\WINDOWS\system32\atllm32.dll
    O4 - HKLM\..\Run: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104.exe "
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
    O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
    O15 - Trusted Zone: http://*.63.219.181.7


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.
    Open C:\Program Files\Common files and delete the folder updmgr.
    Delete the Altnet, KaZaa and P2P Networking folders.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Close ALL Internet Explorer windows. This is a very important step!!

    Unzip to its own folder. Open and double click AboutBuster.exe. Click ok, then start, then OK. Wait for it to finish, then copy the report to notepad and save.

    Reboot and run another HijackThis scan. Post the complete log along with the report from About:Buster.

    Scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with the new HijackThis log.
     
  19. 2004/07/08
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    path

    I have done all stages but when I run About:Buster it comes up with a run/path error 75 just as it gets to comfeo. How can I avoid this?
     
  20. 2004/07/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you install Move-on-Boot as suggested by markp62 in the third post of this thread? It gives you a new right click option when used on files, to 'delete on the next boot'. Use it to delete the comfeo.dll file. Before doing so, disable system restore. Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Use RegSeeker to search the registry for comfeo.dll and delete any entries found. Then run about:Buster again to remove the other malware.
     
  21. 2004/07/09
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    I give up

    Thank you Noahdfear for your assistance but it is just driving me crazy now. I ran install boot as you said, ran RegSeeker and About:Buster, all seemed to work OK but the virus is still there. If you try to delete it, it comes up with

    access denied make sure disk is not full or write protected and that file is not currently in use.
    I just do not know what to do anymore
     