jholland1964 650 Posting Expert Team Colleague Featured Poster

You have not posted the MBA-M log which can be found within the program under the Logs Tab. Open the tab, double click the log. It will open in Notepad. Copy/paste the log back here. One cannot say the problem is solved just by running one scan. Chances are that it is NOT, especially since you had to change the name of the .exe file in order to run the program.
The choice however is yours. If you prefer to assume all is well then click the Mark as Solved listing and consider things done.

jholland1964 650 Posting Expert Team Colleague Featured Poster

update: I managed to run hijackthis and it found a file called twext.exe... apparently this is a really dangerous file! I tried to remove it on hijackthis but it wouldn't do it. Does anyone know how to remove this file even though I can't install or run ANY antivirus programs? Please help! thanks, Hetty

That twext.exe is likely the file you were able to stop in the Task Manager. Check there and if you see it turn it off.

HiJackThis is basically a scanner program NOT a fixer program.
Please do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer. Run the HJT program again, save the log. Post back here with the …

jholland1964 650 Posting Expert Team Colleague Featured Poster

...but this is the program that the owner of the company wants on all of the machines, so I get to make sure that he gets what he wants.

Hey, you "gotta do what you gotta do". You might recommend he consider something else next time.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download and run a system scan with HiJackThis, save the log and post it here.
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10781312.html

EDIT: Additional Information

Just found this info. Ewido, which is now part of AVG so you would think that AVG would take care of this themselves with the install files but they don't, leaves a registry key on the computer, even if it is uninstalled.
Download and run this uninstaller and see if it makes a difference
http://www.avg.com/filedir/util/support/remove_ewido_en.exe

That said, may I further advise that you switch to a different anti-virus program? AVG doesn't get as high a ranking as either Avira or Avast.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It would likely be located in C:\Program Files.
Also go to Start, Search, Files and Folders, be sure Advanced options to look in hidden files and folders, system folders and sub folders also have check marks in them.
Then type ewido in the search box and choose "C" drive and click search.
This will run a full search of the "C" drive for any files named Ewido. You need to open these to see what they are when found, there may be an Uninstall file there to use.
If you cannot find it that way you can also use Revo Uninstall Free to locate and Uninstall the program. It works quite well.

http://download.cnet.com/Revo-Uninstaller/3000-2096_4-10687648.html?part=dl-6294459&subj=dl&tag=button

jholland1964 650 Posting Expert Team Colleague Featured Poster

Update MBA-M and do another Full Scan and Remove all found. Reboot and run another HJT scan.
Post back with both logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Files Infected:
C:\WINDOWS\system32\drivers\zhklr.sys (Rootkit.Agent) -> Delete on reboot.

And DID you reboot? This is a KEY part of MBA-M instructions, REBOOT after clicking Remove Selected.

Turn this program OFF and leave it turned off.
BitTorrent DNA
Good way to get infected is by doing P2P file sharing.
Do the following:
Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer.

Post back here with the ESET scan log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have the same problem on an Acer Aspire 6920 sexy machine n it turns out that it only switches off when it gets hot, I think it's probably the heat is too much for the little fan to put out

joker050;
You need to begin with the steps given in this sticky
http://www.daniweb.com/forums/thread134865.html
complete all the scans as noted there and then begin your OWN thread noting your problems and including all the scan logs. Since this thread is 3 years old there is slim chance you will receive definitive answers to solve your problems in this one. A key rule here is never piggy back your question in another person's thread, makes things too confusing and then nobody receives the proper help they need. So do the steps given and then create your own new thread by clicking the Start New Thread Button on the upper left and somebody will be most happy to offer solutions.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

nope I'm not...since you gave the command "kill all....."

Thanks a lot for the help, I appreciate it. So am I cured?=) Should I check the solved button? =)

First you need to Uninstall Combofix as it will not be needed, it is a one time use program and should never be re-used. If you ever need it again...you will be told to use it and then you would download a brand new copy.

To do this do the following:
* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

Next Uninstall HiJackThis. You don't need it anymore and should you need it again you should download a new copy. Do this via Add/Remove.
Finally you also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
After doing all of the above you can then mark this one solved.

jholland1964 650 Posting Expert Team Colleague Featured Poster

hesusd, this thread is 3 years old and closed. You need to begin your own new thread.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What a miserable experience. Really.
Spyware that I couldn't get fixed.
Being fussed at by jholland1964.
Still don't have any idea how to remove spyware when the spy-removal-apps don't complete the job.

I just went ahead and reinstalled the OS last night. Painful. :(

Sorry you had to install the os. It was a good idea actually because the steps you took without proper supervision likely could have caused damage to key system files.

The only reason you were "fussed at" as you called it, was because you took major steps without checking with anyone first. By doing so the logs you posted really were not able to give an accurate picture of what may have been the cause of the problems you were having with the computer.

The steps to follow when facing a problem such as this one are all given in the Read me before posting a request for assistance sticky at the very top of this page. Very simple steps and programs to run in order to at least begin cleaning the system. If you will read that sticky you will see NO mention anywhere of using Smitfraudfix or Combofix as a usual course of action. Combofix is only mentioned when giving instructions on the top three items to familiarize yourself with, nowhere does it say to USE Combofix.

There are three basic tools noted (not ONE, three), ATF-Cleaner, MBA-M and ESET Scanner OR one or …

jholland1964 650 Posting Expert Team Colleague Featured Poster

coz it's a keygen n I've been using it for years now n thought it's a false positive like other keygens n cracks. So should I?

Generally these are considered illegal and can bring infection to the computer. If you feel this is incorrect or a false positive you may contact Adobe and MBA-M and ask them and see what they say. If this one is considered legal or not a false positive then you could restore it. But I would contact Adobe and MBA-M about it.
Are you still getting multiple instances of IE opening?

jholland1964 650 Posting Expert Team Colleague Featured Poster

We need to see the Full MBA-M log, not just what was found. Please give us a HiJackThis log also to begin with. I would advise against running Beta versions of any program but especially a remover program. These are TEST versions and not cleared for full release really and certainly not verified as fully safe yet.

The MBA-M error Error 732 means the following: Error updating the database or product

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hope there's no more nasties

Well I am sorry to say, there probably are still infections because of these showing in your MBA-M log:

Files Infected:
I:\Files\Intallers\Adobe.Photoshop.Lightroom v2\keygen.exe (Malware.Packer.Gen) -> Not selected for removal.
I:\Files\Intallers\EZ Antivirus\keymaker\keymaker.exe (Malware.Packer.Gen) -> Not selected for removal.

Why didn't you remove those? As long as they remain then your computer is still infected.
Is this an additional hard drive, a back up drive, a flash drive? What is it exactly and why didn't you tell MBA-M to clean it? There was another file listed but you told the program to clean it and it did.

I:\Files\Intallers\Installer\bejeweled 123\patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The problem is, by running all of those tools without supervision and some of them incorrectly we may not be able to get a correct read on what your problem actually is as there is nothing showing in the logs you have posted indicating infection.

Usually I can get a tool to fix my issues

I will say again, there is no ONE tool which can do all fixes.
But if there are constantly problems then your security settings must not be 100% correct either.

You need to clear all your cookies, your browser cache for sure.
What search tool do you use?

How are your cookies set in your browser? It should be set to accept 1st party cookies and BLOCK 3rd party cookies.
This holds true for both IE and Firefox.

You need to Uninstall Combofix.
Do this by doing the following:
Click START then RUN
Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

You also need to remove all those other extra tools you used, like Smitfraudfix and Vundofix because they obviously found nothing, because there was neither of those to find and these are one time only tools, as is combofix. But none of them should be used unless there are clear indications that those infections exist, just advertising pop ups or redirects alone …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I guess I just assumed there'd be a tool to fix all spyware programs.

There is no such "one tool fixes all" program.
You ran combofix incorrectly. Your anti-virus program was turned ON during the run. If you had been told by somebody to run Combofix then the instructions would have been clearly given to you:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Turn off the Lavasoft Adaware Service, Turn off the Trojan scanner program, Turn off that CounterSpy Antispyware program. All of those programs can work against each other and there is no reason they should be running all the time in the back ground either, and they are.

The files or most of those removed by Combofix were just remnants of the Smitfraudfix program that you say you ran, they aren't infections however just files from the program itself.

jholland1964 650 Posting Expert Team Colleague Featured Poster

First of all we don't know anything about your computer. We have seen no logs.
2nd, Combofix is NEVER to be run without a user first being told to run it. It can severely damage a computer if it is run incorrectly or without supervision or if it was an old version.
Third, Malwarebytes' is not meant to be run in Safe Mode. It will not scan all files in Safe Mode. It is meant to be run in Normal mode.

VunduFix, (I assume you mean Vundofix) SmitfraudFix shouldn't be run either unless you are certain you have these infections on the machine. Plus MBA-M would remove them if you had them.

Please post back here with a HJT log, the Malwarebytes log and the Combofix log...which also shouldn't be run in Safe Mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I didn't see that lower portion of the log on there last night and oddly enough, I saved a copy of both logs as they appeared last night and the lower portion was not there in my saved copies either.
At any rate, you now need to Uninstall combofix as it should not be used again. To do this do the following:

* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
If shown the disclaimer, Select "2"

jholland1964 650 Posting Expert Team Colleague Featured Poster

That ESET log is not a new log, it is the same one you posted earlier. Look at the dates and times noted on each one:
1.
# utc_time=2010-02-02 04:29:40
# local_time=2010-02-01 11:29:40 (-0500, Eastern Standard Time)
# utc_time=2010-02-02 05:11:34
# local_time=2010-02-02 12:11:34 (-0500, Eastern Standard Time)

2.
# utc_time=2010-02-02 04:29:40
# local_time=2010-02-01 11:29:40 (-0500, Eastern Standard Time)
# utc_time=2010-02-02 05:11:34
# local_time=2010-02-02 12:11:34 (-0500, Eastern Standard Time)

You can also see it says it removed exactly the same file
C:\Documents and Settings\Admin\My Documents\Softwares\desktopsmiley_installer.exe a variant of Win32/Adware.DoubleD.AB application (cleaned by deleting - quarantined)

Go back into that ESET Scanner folder C:\Program Files\EsetOnlineScanner\ and find the correct second log and post it here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please update MBA-M do another full scan and have it remove everything found, reboot and then do another HiJackThis scan and post the new MBA-M log and the new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Tell you what, I don't believe that your MBA-M program is fully scanning. It MAY have been damaged by the infections. I would like you to

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot your computer

Do another ESET scan please, following the same directions given in post #10.
Again Reboot the computer after the ESET Scan. Be sure now to re-enable your anti-virus program.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now please update MBA-M and run another full scan with it, remove everything found and post back here with that log.

Are you still having crashes?

jholland1964 650 Posting Expert Team Colleague Featured Poster

hope ya don't mind me asking. If I do that scripting will I still be able to use internet explorer, especially for windows update or malwarebytes update? Coz I tried to use a dummy proxy for IE so it won't connect but malwarebytes won't update n of course I can't do windows update via IE. Is there a way I can update both via firefox browser? Thanks

That is your infection. You are not removing Internet Explorer, you are removing those listings from the auto start.
Those listings are in your Auto Start...pointing to your original complaint

IE opens on startup everytime!!!

and they are not supposed to be there.
See these entries in your HiJackThis log:

O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Services] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKCU\..\Policies\Explorer\Run: [Microsoft Services] C:\Program Files\Internet Explorer\IEXPLORE.EXE

those are the auto starting programs, when your computer boots up everything listed there starts up and runs all the time in the back ground. Some are needed and are supposed to auto start, your anti-virus program for one, but Internet Explorer is NOT supposed to auto start with the computer. It is supposed to start up when YOU tell it to start up by opening the program. It is listed in your O4 listings NOT as Internet Explorer but as Microsoft Services, a clear sign this is an infection, because Internet Explorer is NOT a Microsoft Service, it wouldn't be listed as a service. There are many services, services are listed in the logs as O23 …
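The reasoning in this post, turned into a check over HiJackThis O4 lines. This is an added example, not part of the original post or of HiJackThis; the sample log is constructed from lines quoted on this page plus one made-up O23 line, and treating the Policies\Explorer\Run key itself as a signal is an assumption of this example.

```python
import re

# Constructed sample log: the two Policies\Explorer\Run lines quoted in the
# post, two ordinary Run entries quoted elsewhere on this page, and one
# made-up O23 line (services are reported under O23, not under O4).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Services] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKCU\..\Policies\Explorer\Run: [Microsoft Services] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\svc.exe
"""

# "O4 - <hive>\..\<key>: [<label>] <command>"
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(.+?): \[(.+?)\] (.+)$")

# Last path component that ends in an executable extension, so a folder
# such as "McAfee.com" is not mistaken for the program name.
EXE_NAME = re.compile(r'([^\\/"]+\.(?:exe|com|scr|pif))(?=["\s]|$)', re.IGNORECASE)

# Assumption for this example: programs a user normally starts by hand.
INTERACTIVE_PROGRAMS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def triage_o4(log_text):
    """Return one record per registry-based O4 entry, with reasons to review it."""
    findings = []
    for raw in log_text.splitlines():
        match = O4_LINE.match(raw.strip())
        if not match:
            continue  # O23 and other sections are not autostart Run entries
        hive, key, label, command = match.groups()
        exe = EXE_NAME.search(command)
        exe_name = (exe.group(1) if exe else command).lower()

        reasons = []
        # Added heuristic: the policy-driven Run key rather than the plain Run key.
        if key.lower().endswith(r"policies\explorer\run"):
            reasons.append("policy-run-key")
        # From the post: a browser should start when the user opens it, not at boot.
        if exe_name in INTERACTIVE_PROGRAMS:
            reasons.append("interactive-program-autostarts")
        # From the post: an O4 entry that calls itself a service is mislabelled.
        if "service" in label.lower():
            reasons.append("service-like-label-in-O4")

        findings.append({"hive": hive, "key": key, "label": label,
                         "exe": exe_name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for entry in triage_o4(SAMPLE_HJT_LOG):
        status = ", ".join(entry["reasons"]) or "no flags"
        print(f'{entry["hive"]} [{entry["label"]}] {entry["exe"]}: {status}')
```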

jholland1964 650 Posting Expert Team Colleague Featured Poster

· Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
· Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

Registry::


[-HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Microsoft Services"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2009-03-08 638816]

[-HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Microsoft Services"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2009-03-08 638816]

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
· I will ask for this log below

When this completes, reboot the computer.
Post that new combofix log here.

Run HiJackThis again and save that log. Post that new log back here also.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really need to update MBA-M and run another Full Scan, of course have it remove everything it finds.
Reboot and then do this:
Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot again.
Run a new HJT scan and post back here with all three logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you tell me, can you now navigate websites normally?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good. Now you need to work in NORMAL MODE.
Download RKILL.
There are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan:

Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif

I would recommend downloading them all and try each one until one of them loads. Once it is downloaded, double-click on the rkill in order to automatically attempt to stop any processes associated with the infection. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the malicious processes. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the steps. Do not reboot your computer after running rkill as the malware programs will start again.
Once rkill has stopped the malicious processes please run MBA-M again, another …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Have you been able to boot to normal mode?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You took no action in the MBA-M scan. Please do it again, FULL scan this time and have it remove everything found. Reboot the computer and see if you can run it in Normal Mode, if so do another Full Scan and have it remove everything found. Post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy I could help.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

So if you consider everything working well you can mark this one solved.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you still getting those pop-ups?

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are running or at least have some old McAfee Antivirus program files on the computer while running Avira. The McAfee files must come off the computer as it is only partially installed.
Run this tool to remove them:
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Run HiJackThis and place check marks next to the following entries:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://I:\setup\RiffLick.cab
O20 - AppInit_DLLs: fozehuka.dll

After you have placed the check marks then click the Fix Checked button. Exit HJT.
Reboot and run a new HJT scan and post back with the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to follow these instructions EXACTLY.
Please download ComboFix by sUBs from HERE or HERE

* You must download it to and run it from your Desktop
* Physically disconnect from the internet.
* Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

* Double click combofix.exe & follow the prompts.
* When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
* Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

When the program has finished I NEED to SEE the FULL COMBOFIX log so copy/paste it back here.

Then do a new scan with HiJackThis and post back with that new log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you please Update MBA-M and do another Full Scan with it? Please have it REMOVE everything found and reboot.
Then Please go back into MBA-M and get that latest log and post it here.
I need to see this log before I can give you any other steps and if you want your computer clean.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Malwarebytes removed infected files it finished before AVG does. So what do I do now....coz IE still opens =(

Not sure what you mean by it finished before AVG does...you never should do two scans at the same time, they will interfere with each other and maybe not remove at all, even if they say they do.
I need to see the Malwarebytes' log. Open the program, click the log tab and open the last log. Copy/Paste that log here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

A problem I see is that you took no action when you ran MBA-M. Just running the scan does absolutely nothing but identify the infections. The instructions clearly say the following:

* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected. Then reboot the computer. But your log says the following:

-> No action taken.

on all 32 infected items in the log.
Hopefully you will be able to run the program again, this time, Remove Selected.
If you DID tell it to remove selected then you have posted the wrong log, you have posted the log generated BEFORE the items were cleaned. If this is the case please go into the program, go to the logs tab and find the log generated AFTER the fix. This would likely be the last log showing.
The pop up you received was telling you that one of the infected files could not be found...GOOD, which leads me to believe that you DID tell the program to remove the selected items. This was likely a file set to run as soon as the computer was booted up and because it was removed it couldn't be found.
Post back with the other log if you can find it IF you did tell the program to Remove Selected.
I …
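The distinction this post draws between a scan-only log and a post-removal log can be read straight off the action text at the end of each result line. The following is an added example, not part of the original post or of Malwarebytes; the first three sample lines are quoted from logs on this page, the fourth is constructed, and the status names and advice codes are assumptions of this example.

```python
import re
from collections import Counter

# Three result lines quoted on this page plus one constructed line that
# carries the "No action taken" result discussed in the post.
SAMPLE_MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\drivers\zhklr.sys (Rootkit.Agent) -> Delete on reboot.
I:\Files\Intallers\Adobe.Photoshop.Lightroom v2\keygen.exe (Malware.Packer.Gen) -> Not selected for removal.
I:\Files\Intallers\Installer\bejeweled 123\patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.
C:\Example\constructed sample.exe (Trojan.Example) -> No action taken.
"""

# "<item> (<detection name>) -> <action>."
RESULT_LINE = re.compile(
    r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Action texts as they appear in the logs on this page, mapped to
# status names made up for this example.
ACTION_STATUS = {
    "no action taken": "not_removed",
    "not selected for removal": "skipped_by_user",
    "delete on reboot": "pending_reboot",
    "quarantined and deleted successfully": "removed",
}


def parse_results(log_text):
    """Extract every detection line with its item, detection name and status."""
    entries = []
    for raw in log_text.splitlines():
        match = RESULT_LINE.match(raw.strip())
        if not match:
            continue  # section headers, blank lines, scan statistics
        action = match.group("action")
        entries.append({
            "item": match.group("item"),
            "detection": match.group("detection"),
            "action": action,
            "status": ACTION_STATUS.get(action.lower(), "unknown"),
        })
    return entries


def outstanding_steps(entries):
    """Return (code, message) pairs for whatever the log shows is still open."""
    counts = Counter(entry["status"] for entry in entries)
    steps = []
    if counts["not_removed"]:
        steps.append(("rerun_and_remove",
                      f'{counts["not_removed"]} item(s) only identified: this is a '
                      "scan-only log, or the log from before Remove Selected"))
    if counts["skipped_by_user"]:
        steps.append(("review_unchecked",
                      f'{counts["skipped_by_user"]} item(s) were unchecked and remain on disk'))
    if counts["pending_reboot"]:
        steps.append(("reboot",
                      f'{counts["pending_reboot"]} item(s) are deleted only after a reboot'))
    if counts["unknown"]:
        steps.append(("inspect_manually",
                      f'{counts["unknown"]} item(s) have an action this example does not know'))
    return steps


if __name__ == "__main__":
    for code, message in outstanding_steps(parse_results(SAMPLE_MBAM_LOG)):
        print(f"{code}: {message}")
```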

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi thank you for the response. So you suggest for me to uninstall the uniblue reg booster or I can just let it be n don't use it. I'm kinda afraid it might mess up my system if I uninstall it with its peripherals. Anyway as I've said I'm just a regular computer user...please let me know what's a "MBA-M" and how to get what info you require. I'll post both log from AVG n Hijack this. Again thanks a lot.

MBA-M is Malwarebytes. I need to see that log.
I would definitely advise AGAINST using any type of program like this Uniblue program. Not sure what peripherals you are talking about...that should be a clue right there...if you are afraid to uninstall a program then it never should be installed in the first place.
Honestly don't see any removals done with AVG 8, virtually everything says either "Password-protected" or "Locked file. Not tested." this means nothing was done.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to daniweb,
First of all please don't use that Uniblue registry booster 2010. There is really no way to "boost" the registry. Programs like that can cause more trouble than you already have.
Before we can offer advice we need to see the log from MBA-M for sure so we know what we may be dealing with, also a log from AVG if it produced one.
Also, please run a System Scan and save the log with HiJackThis and post that here along with the others.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I think the log looks fine. You can go ahead and uninstall HiJackThis via Add/Remove as you will not need it anymore.
Keep the MBA-M as it is an excellent program. Update it and do a Quick Scan with it weekly at least. If something is found, Remove it, Reboot, Update the program again and do a Full Scan, just to be safe. Remember ALWAYS update MBA-M before each and every scan, even one right after the other. This program had daily updates for sure and sometimes several updates in one day so be sure to always update first. You can mark this solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, this still is likely Firefox but with the IE Tab.
Now for the problem with MBA-M. This means the mbam.exe was deleted by the malware you are dealing with.

To work around this download a randomized renamed mbam.exe version from here.
Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder on the infected PC and launch the renamed file.
Then malwarebytes should run. Then follow the above directions.

There is a chance you might need to follow the instructions below also, but wait and see if you can get it to run first.
In some cases, it will be needed to rename the random named mbam.exe to explorer.exe (this for example when you are also dealing with "Security Tool" or another fake scanner - you can actually bypass whatever it blocks by renaming the program/exe file you want to run, to explorer.exe).

jholland1964 650 Posting Expert Team Colleague Featured Poster

It is just a warning from this test version that you may not be able to fix a Host Hijack using the HiJackThis program and will have to do this manually.
Don't worry about this, there is no indication that the Hosts file needs fixing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, but I don't really understand. How can a pop-up be from a browser that is not running and the pop-ups show the Firefox and Google Chrome logos on the corner of the page? This would indicate the pop up is coming from the browser you are using, not from IE.

Please do the following, first of all Uninstall that Beta version of HijackThis using Add/Remove. That is a test version and you need to use the current version.

Download a NEW copy of the current version of HiJackThis and run a scan and place a check mark next to these entries:
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.221 viruskill2009.com
O1 - Hosts: 91.212.127.221 www.viruskill2009.com
Once you have placed the check marks click the Fix checked button and Exit HJT.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When …
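
Added example, not part of the original post or of HiJackThis itself: Python that reads hosts-file text and lists its mappings in the O1 format quoted above, tagging each one as `local` or `redirect`. The sample file is constructed from the three entries in the post; treating every mapping other than the stock `127.0.0.1 localhost` line as reportable is an assumption about how the O1 section is built, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the stock loopback line plus the three entries from the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
91.212.127.221  viruskill2009.com
91.212.127.221  www.viruskill2009.com   # trailing comments are ignored
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every valid mapping in hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: malformed line
        for name in fields[1:]:  # one line may carry several aliases
            yield ip, name.lower()


def is_local(ip):
    """Loopback (127.x, ::1) or unspecified (0.0.0.0, ::) never leaves the PC."""
    return ip.is_loopback or ip.is_unspecified


def o1_report(text):
    """Return [(O1 line, 'local' | 'redirect')], skipping the stock entry."""
    report = []
    for ip, name in parse_hosts(text):
        if str(ip) == "127.0.0.1" and name == "localhost":
            continue  # assumption: the default line is not reported
        kind = "local" if is_local(ip) else "redirect"
        report.append((f"O1 - Hosts: {ip} {name}", kind))
    return report


def redirected_names(text):
    """Hostnames that the hosts file points at a non-local address."""
    return sorted({n for ip, n in parse_hosts(text) if not is_local(ip)})


if __name__ == "__main__":
    for line, kind in o1_report(SAMPLE_HOSTS):
        print(f"{kind:8} {line}")
```

Entries tagged `redirect` are the ones that send a hostname to another machine, which is what the two viruskill2009.com lines do.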

jholland1964 650 Posting Expert Team Colleague Featured Poster

Unfortunately no, I just received the tower. Where would I find the file?

Probably C drive under programs. Microsoft Office Professional Edition 2003 and/or Microsoft Office Standard Edition 2003
You show Open Office on there also. Know it isn't exactly the same but it CAN open any files created with Microsoft Office. You need a newer version however.

jholland1964 650 Posting Expert Team Colleague Featured Poster

It still shows as installed on your computer, Office 2003 I mean. You might look for the folder, maybe there is an install file in there.
Are you certain you didn't receive the CDs when you got the computer? You should have received them, for the Office 2003 anyway.

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, I didn't want a new combofix log, I wanted you to Uninstall combofix. Why did you run another one? You aren't supposed to run it twice. Please follow my directions given in my post #41.

You also should uninstall combofix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between the combofix and the /u, it must be there.
When shown the disclaimer, Select "2"

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good, except that Adobe Photo Downloader, but this is really up to you.
Here are the final steps you need to take:
You should remove HiJackThis, you don't need it any more.
You also should uninstall combofix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between the combofix and the /u, it must be there.
When shown the disclaimer, Select "2"


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
Then let me know how things are running.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I didn't turn Windows Def. back on. How do I cut it off again?

It isn't running, just still listed in auto starts. Follow the instructions and then reboot and do another HJT scan and post the log. We will see if it is still showing in auto starts.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have some unnecessary auto starts that can easily be run manually.
I am going to recommend you download and install Mike Lin's Startup Control Panel. A small, FREE program to easily control auto starts.
Simply download and install. Once that is complete you will find it in the Control Panel, a little computer icon labeled StartUp.

Simply open the program and go through each tab. Remove the check marks that you find with these listings:
Windows Defender
Microsoft Works Update Detection
iTunesHelper
ISUSPM Startup
IgfxTray
GWMDMpi
GWMDMMSG
AdaptecDirectCD
Adobe Photo Downloader
Adobe Reader Speed Launcher
QuickTime Task
SunJavaUpdateSched
Mozilla Quick Launch
Once you remove the check marks close the program and reboot.
None of those are required for the running of the computer OR for the programs they are linked to, all can be run manually and therefore not needed to auto start.
If you find that a program does not behave the way you want you can go back into Mike Lin's program and put the check mark back in so it will auto start.
If you will note I told you to turn off Windows Defender. It just isn't the program that is worth it and it frankly can interfere with fixes done by other programs. Leave it turned off.