jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, update MBA-M, there is a new version since you ran it last. Just click the update button and it will remove the old and download and install the new. Then do a Full System scan with it, allow it to Remove All found, save the log and reboot.
Then do a new Full System Scan with HJT and save the log. Post back here with both of those new logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

can you advise if ComboFix will break or change anything dramatically on my puter. Reading a lot of threads it was explicitly mentioned to only do this as a last option as it can and may break a lot of things.

If I thought it would I would not request it. It is a very powerful tool.

Combofix Info

Post#4
Combofix is a general tool that helps the helper cleaning up a Hijackthis log.
It is able to remove some common infections and helps a user detect files that general scanners cannot find.
It also lists registry keys such as the key keys, the desktop keys, and other areas where malware hides.
The tool has some rootkit detectors too, allowing a helper to see if a rootkit is present on the PC.

I am curious what lines are the worrying ones....

These lines shown here;
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll>>>this is known malware
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe>>>this is unknown but in review
O4 - HKLM\..\Run: [DriverCD] E:\Run.exe>>>unknown
O20 - Winlogon Notify: khfGaaaX - C:\WINDOWS\>>>unknown

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is a size limit. Maybe yours was too large. Take a look at mine.
Do a print screen of the pop-up. Paste it into a photo editing program, crop the print screen so only the pop-up shows. Save it as a .jpg where you can easily find it on your computer.
Click Reply.
Then right below Reply box you will see Manage Attachments.
Click that button.
Then a box like my second attachment will pop up.
Click the top browse button to browse your computer for the printscreen. When you find it Click the Upload button. Attachment will be uploaded to the site.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well, if you are not going to use the computer at all then waiting until summer would be fine. But using an infected computer will only make things worse, plus you run the risk of infecting others if you use email.

jholland1964 650 Posting Expert Team Colleague Featured Poster

SDFix did some work but there are still some questionable listings in that HJT log.
You absolutely HAVE to leave that Spybot TeaTimer turned off. The actual Spybot program itself is fine but the TeaTimer portion of the program is KNOWN to interfere with some fixes done, so it really should be turned off and left turned off.
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Next tool I want you to run is Combofix

Please do the following;
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You …

jholland1964 650 Posting Expert Team Colleague Featured Poster

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S5EJ0XQV\newmajorse2[1].cab Infected: not-a-virus:AdWare.Win32.WebSearch.ar

C:\Documents and Settings\QBDataServiceUser17\Local Settings\Temporary Internet Files\Content.IE5\S5EJ0XQV\newmajorse2[1].cab Infected: not-a-virus:AdWare.Win32.WebSearch.ar

Both of those items found are in Temporary Internet Files. Empty those.
Download, install and run CCleaner.
Just run the default scan, which is the Windows TAB that you see when the program opens. Click the Analyze button. Let it scan and then when it is finished click the Run Cleaner button. Close the program. Note, this tool must be run with all browsers closed. This should clean out your temp. files.
Can you give me the specs of the computer...hard drive size, how much RAM is installed?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download SDFix and save it to your Desktop.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program and before scanning.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the c:\SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Reformatting should really only take a couple hours.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you possibly get print screen on one or more of them?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks Danielle. Happy to help!
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Need you to run MBA-M first, remove all found post that log then post a new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I was only asking about your location because the log shows an internet connection or ISP located in Iran. Just wanted to be certain that it was ok. If we see something like that we have to check to be sure, because some hijacking of computers takes place from locations very far from the computer, in other countries. I, myself, am located in the USA. If my scan showed an ISP in London or Paris that would mean serious problems and certain steps would be required to reset to the correct ISP.
That is a part of your log I can ignore then. I will go through the log and get back with you.
EDIT:
Here is what I see Danielle. You have a very SMALL amount of RAM for what is on the computer. This could certainly be a cause of the freezes.
I would advise increasing this to at least 1 GB. RAM is very easy to install and a very inexpensive way to upgrade the computer.
Now since you are in Iran I can't really tell you where to purchase it but you can go to
http://www.crucial.com/ where you can do a free scan of the computer and they will tell you what options you have for additional RAM, the proper RAM to purchase. Now this is located here in the US so I don't believe you could order it through them, but I cannot say for sure. But what …

Danielle commented: very helpful +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

That's good. Malwarebytes' is configured to be run in Normal mode if at all possible. It can take quite awhile to run as it scans each and every file on the computer. I will wait for the logs. When it is finished post both the one run in safe and the one run in normal if you can.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You should run these programs in NORMAL mode.
UNINSTALL the program you feel is the offending program. That can be done in SAFE MODE.

You can leave your McAfee running when doing these scans but DO turn off SpyBot TeaTimer if you have it running as it can interfere with fixes done.
Run ONLY these programs you downloaded:
HiJackThis
Malwarebytes' Anti-Malware
Be sure to UPDATE Malwarebytes' Anti-Malware first and do a full system scan. Have it REMOVE everything found.

DON'T run Combofix unless later instructed to do so. Don't run Vundofix, if this is the problem then MBA-M can remove that.

Do those two first and in normal mode then come back here and copy/paste both logs here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
REBOOT the computer.
Then run a Full System Scan with HiJackThis & post log please
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Danielle, just continue on with my instructions.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
Then go to ESET Online Scanner and run a Full System Scan. Save the log and post back here with it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I noticed soooooo many Windows updates on my uninstall list...is this
what's eating all my disc space on disc D?

Shouldn't be, and you can't delete or uninstall those because then whatever had been updated would no longer be updated, which could then cause a "domino" effect which would cause others not to work and so on.

To find out how much RAM is installed right click My Computer and choose Properties. When System Properties opens right there on the 1st Tab which is the General Tab the last bit of information shown there will be how much RAM is installed. I would be interested to know.
One thing I see that you have installed that is perfectly fine, but unnecessary is Ultimate Pop-up Blocker 3.2. IE 7 has a popup blocker, another one is not necessary.
Also I see Ares 2.1.0, a P2P file sharing program, very dangerous thing to do. Up to you of course but P2P is a real easy way to get an infection.
Can I ask where you are located? I ask because one entry in your HJT log points to Iran, are you in Iran?
Run the ESET Scanner again and have it fix those items it found.
Be sure to save the log.
Reboot and run HJT again and place a check mark next to the following entries;
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have given no information about the operating system.

friend said that registry cleaner software would help me

Is your friend a computer tech and an expert in working in the registry?
We cannot offer advice until we see the log, and have more information about the computer.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the MBA-M log? We DO need to know what was removed. Some things require additional steps to be certain that everything is totally removed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A question first, you said this;

I've ran Ad-Aware and Malwarebytes, but I'm still getting the pop ups. I realized that I was using old version, down loaded the new and still are getting pop-ups.

Old version of WHAT? We need to see the MBA-M log in order to see what was removed. Please update the program and then run another Full System scan with it, have it REMOVE everything it finds. Save the log.
Reboot the system and then run a new HJT scan and save that log. Then post back here with both of those logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

My above reply was typed before jholland1964 added his sensible advice. We both want you to make sure and there is thus no conflict between both sets of follow up advice.

By the way, I am a she not a he...Judy...but no offense taken.:)
I always try to "shy away" from recommending regedits here unless absolutely necessary. MBA-M will and does delete infected registry entries, which is one reason. I would rather see the logs before stating this thread is solved. Hopefully SimonHughes will return with those logs so we can say for sure, plus it is to the benefit of others who may be having the same problems. We have no idea what other trojans were found.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can we see the logs please? There may be other steps required. Each Trojan is different, some leaving more behind when they are removed.
Was this done with an Updated MBA-M? If not it should be updated and run again.
Post the MBA-M log and a new HJT log too, ok?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly don't use either program so am not familiar with their inner workings.
You can stop their processes via Task Manager;
SUPERAntiSpyware.exe
I don't see Windows Defender listed as running so it must not be. You can also stop aawservice.exe, it does nothing anyway unless you have the paid version.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try turning off SAS, Windows Defender and maybe your firewall and see if that makes a difference with updates.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again and place check marks next to these entries;
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...7&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askR...gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

Once you have placed those check marks click the Fix Checked button.
Exit HJT.
Reboot and see if there is any difference.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all when you say Skybot I hope I am safe to assume that you mean SPYBOT Though if you actually mean SKYBOT my browser and firewall would not allow connection to the links given for the one link I found. The other references gave me links to information for a Skype Chat Box, though no links for a download.
So I am not certain which program you are talking about.
Your HJT log shows you are running TWO anti-virus programs, AVG 7 and Avast. AVG 7 would be expired for sure so it should be totally UNINSTALLED.
I am not certain either where you are located but the TCPIP listings in your HJT log point to the Ukraine. Is that where you are?
I would recommend you begin with the steps given HERE, paying close attention to the notation about Deckard Scanner which is no longer available so when you get to that final step make it a NEW Full System scan with HiJackThis.
Post back here with the MBA-M log, the ESET Scanner log and the new HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It would really help if we had real information about the computer...operating system, hard drive size and space remaining, programs installed, how much RAM is on the computer, how are you connected to the internet, what EXACTLY were these

unsuccessful un-installations of various softwares

and how did you try to uninstall them, we need the NAMES of those different softwares and WHY you were uninstalling them. What antivirus program and firewall are you using? We cannot even begin to assess the situation or advise anything without all of the above information and at least a Full System scan log from HiJackThis.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Give us some more info on the computer itself...how many hard drives, how full are they, how much RAM is installed?
Have you done general clean up of the computer...removal of temp files, defrag and that type of thing?
Have you done scans with your antivirus program AND with SpyBot?

One thing which has probably nothing to do with your problem but can interfere with any fixes possibly needed is Turn OFF the SpyBot TeaTimer and leave it off.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Follow all the steps given HERE, Note the comment in RED about the Deckard Scanner, it isn't available anymore so you will substitute with a new Full System Scan with HiJackThis AFTER completing all the other steps.
Save ALL requested logs...MBA-M, ESET Scanner and HJT.
Post back with all those, in that order AND please in SINGLE space.
Thanks.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

The HiJackThis program is still the old one. The version you need is HJT version 2.0.2
You need to TURN OFF the TeaTimer portion of SpyBot as it can interfere with fixes.
To disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
See if you can update MBA-M from here;
http://www.gt500.org/malwarebytes/database.jsp

Try these instructions and see if this file is there, if so, follow the instructions and then try updating all those again.
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

When you post your logs we only need to see the FINAL logs not all of them. Just the ones which show fixes have been applied.
Uninstall that old HJT and use the newest version, it gives much more information.

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need to see the MBA-M logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Really sorry to have missed your post. Are you still having problems?
Did you ask ESET scanner to REMOVE items found?

jholland1964 650 Posting Expert Team Colleague Featured Poster

How do you KNOW you have these trojans? Nothing is showing in the MBA-M log, which is WAY out of date by the way. Current version is 1.33 and the database version is 1736.
Where is the HJT Full System Scan log, all you have posted is the Uninstall list.
wudfsvc IS a legitimate Microsoft Windows file. It is the platform for writing Microsoft Windows drivers. Where did you see that this is a Trojan?
The newly installed program is a legitimate program though that doesn't mean it couldn't be the problem.
I also see FOUR antivirus programs in the Uninstall list, or at least two full ones, Antivir and AVG8 and then two instances of Live Update from Symantec and McAfee VirusScan Enterprise.
The ABSOLUTE RULE is ONE antivirus program on a computer.

We really need much more info here along with the Full system scan log from HiJackThis.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

We really need some more info here. Do you mean you tried to use MBA-M and couldn't or that you DID use it and it didn't find anything?
Have you tried a simple reboot of the system? Sometimes this will be enough.
Give us a HiJackThis Full System scan log ok?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to update MBA-M and run that Full System scan again and this time follow the directions as they were given above:

* Be sure that everything is checked, and click Remove Selected.
Reboot the computer

Run a new HJT scan and save the log.
Post back here with both new logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I STILL wonder why the whole log doesn't show.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really need to explain your problem better than just listing Pop up Help. What types of pop ups for one thing, when did this begin, when do you get them?
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
Run a new HJT scan and save the log. Post back here with both logs.
Judy

sampson commented: thanks +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

Please give us the names of all the programs you cannot open.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you still getting the message?

jholland1964 650 Posting Expert Team Colleague Featured Poster

glad the problem was solved

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are running TWO anti-virus programs on the computer, AVG8 and McAfee. This would cause a MAJOR slow down for certain PLUS lessen the protection on the computer since they will compete against each other rather than looking at what is coming onto the computer.
If McAfee is up to date, not expired then keep it, UNINSTALL AVG8. If McAfee IS expired then Uninstall that one.
Do that first and see if things improve.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Note it also says to check for ATI video driver updates so I would do that also.
http://www.amd.com/us-en/

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey, that is why we are all here. Hopefully to help and make things easier.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, I will do that. This morning some machines started experiencing BSOD at login. One user said that the problem started when she installed Adobe 8 on the machine. I will do what you request and let you know. Also, has anyone heard of Adobe 8 issues?

Thanks so much.

Check these Adobe links concerning BSOD's and Adobe 8

http://kb.adobe.com/selfservice/viewContent.do?externalId=324073

http://kb.adobe.com/selfservice/viewContent.do?externalId=324073&sliceId=1

jholland1964 650 Posting Expert Team Colleague Featured Poster

Crunchie, ALL of those Trusted zone listings are bad.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are going to have to find a way to run MBA-M in normal mode. It is not made to run in Safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
The version of HiJackThis you used is out of date. Right Click your desktop and choose New Folder, name it HJT. Remove that old version of HJT and download the newest version from HERE Please save it to the new folder on the desktop.
Run a full system scan with it, save the log and post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just pick ONE machine and let's run through entire clean up with that one machine. Start with MBA-M, allow it to clean everything found.
Reboot
Then run ESET Scanner and do the same.
Reboot.
Then run a new HJT scan and save the log.
Also run HJT and give us an Uninstall List using that program.
We will take a look.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Also looks to me like the java program is out of date. Current version is version 6 update 11. http://www.java.com/en/download/manual.jsp
Download the Offline install and save it to the desktop. Close all browsers and double click to install.
Once the install is complete then go back to the download page and click Verify Now on the right side to verify the installation was fully successful.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did the problem with the "missing" RAM begin with the infection or has this been on going?
Have you opened the case to see if the RAM is properly seated?