jholland1964 650 Posting Expert Team Colleague Featured Poster

Bravo! Give yourself a pat on the back!

jholland1964 650 Posting Expert Team Colleague Featured Poster

You have a very infected computer. You also have STOPzilla installed which, frankly, ranks as just a "so-so" program. Those O10's are likely from that program; I cannot be certain, but I found several references to it. Frankly, I would UNINSTALL it anyway; it obviously did you no good whatsoever.
Every site listed on your log as a Trusted Site is a nasty one.
I would recommend that you do the following, after getting rid of that STOPzilla program.

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I just noticed a CID help log within the Add/Remove Programs in the Control Panel. There is no file size like most programs have alongside it, but it is there. The CID is the pop up that is coming up. Should I remove this???

Yes. Try that and see if it helps.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes, just a couple final steps.
First of all you need to remove Combofix as it is no longer needed and it IS a specialty tool not commonly used.
Do the following:
* Click START then RUN
* Now type Combofix /u in the run box and click OK. The space between Combofix and /u must be there.
When shown the disclaimer, Select "2"

You should remove HiJackThis, you don't need it any more. Do this via Add/Remove.

Download, Install, Update SpywareBlaster
This is a MUST HAVE tool. Will protect your computer from Dialers, malware, adware, tracking cookies, hijackers and does it for FREE.
Works with both IE and Firefox
Once you have it updated then go into each section and Enable All, including the Restricted sites portion. Once you have enabled everything then CLOSE the program. It DOES NOT run in the background. Manually check for updates weekly.

Then you also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still getting the pop-ups?

jholland1964 650 Posting Expert Team Colleague Featured Poster

First item found by Norton was the Combofix quarantine. Second item was in System Restore.
Looks pretty good to me.
Do you feel things are running better? If so I can give the steps for a final step.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Go into the Scheduled Tasks folder and remove this entry:
c:\docume~1\rosedale\applic~1\interl~1\32 defy vga.exe

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.


Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes progress is definitely being made, combofix removed a lot of bad items. Now update your Norton Program and run a Full System scan with it. Have it remove or quarantine everything found. Please note names and locations of all that is found so you can post it back here.
Reboot the system.
Then Update MBA-M and run a Full System scan with it. Have it REMOVE everything found.
Reboot the system.
Run a new scan with HJT and save the log.
Post back here with both logs and the info from your Norton program.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would like to see all new scans please.
Update MBA-M and do a FULL System scan, allow it to REMOVE all found. Save the log.
REBOOT the computer.
Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
REBOOT the computer
Run a Full System Scan with HJT and save the log. Exit HJT
Post back here with ALL three logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Anne,
Appears that ESET did remove the files that Kaspersky found. But you still have two suspicious entries in the new HJT log, so please do the following:

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you still getting those pop ups?
Do you know what this program is?
O4 - HKCU\..\Run: [download draw] C:\DOCUME~1\Rosedale\APPLIC~1\INTERL~1\Surftrust.exe

sampson commented: thanks +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, just wanted to be sure what was installed on the computer. I see nothing unusual there.
Follow these instructions.
Be sure that Spybot TeaTimer is off and stays off. TeaTimer can be a tool for the prevention of spyware, but for an infected computer it will prevent its cleaning.
Do the following:
Please download ATF Cleaner HERE by Atribune. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera Temporary Internet Files and Cookies.

* Double-click ATF-Cleaner.exe to run the program.
First Step:
* Under Main choose: Select All
* Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.

With all other applications closed (Taskbar empty), open HijackThis again, System Scan only. Place a check mark next to this entry, if it is still there:
O4 - HKLM\..\Run: [Fork live trust pop] C:\Documents and Settings\All Users\Application Data\Eq Anti Fork Live\Test Debug.exe
Then click the Fix Checked button. Exit HJT.
Reboot.
Update MBA-M and again run a full system scan and REMOVE items found. Save the log.
Reboot.
Run a new full system scan with HJT and save the log, then post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into a reply and post that list here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

These are the popup family member is getting on their computer:

\

Sorry, but I see nothing except your message and a \
Sorry, didn't wait long enough for you to upload.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you run the ESET Online scanner and have it remove what it finds? Save the log, reboot the computer and then run a new HJT scan and post back here with both logs.
*Please note: You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, am I missing something? All I see is a webpage, which is a real web page by the way, I checked. I don't see any pop-up and I don't see 'CID' anywhere.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Here is the link for AviraFREE an excellent antivirus program. Download, install and update it. Run a Full System scan and allow it to remove or quarantine all that it finds.
Then go HERE
Follow ALL of the steps given WITH THE EXCEPTION of Deckard Scanner which is NO LONGER AVAILABLE. Do all scans requested and allow the removal of all items found. Save the logs from all scans completed.
Substitute instead HiJackThis for the FINAL step. Do a Full System Scan with it and save the log.
Post back here with the logs from MBA-M, ESET Online Scanner and the HiJackThis log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to begin clean up by following all the steps given HERE with the exception of Deckard Scanner. It is no longer available. Substitute instead as the final step a Full System Scan with HiJackThis

Please post back here and copy/paste the logs from MBA-M, the online scanner and HiJackThis.
We will then be able to determine what other steps will be required.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

All I see is the webpage Sportsbook.com...is that what it is?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi,
Still getting those same popups.

LOL...Wondered why you posted the printscreens from Spybot and ESET...what I want is a printscreen of the pop-ups if you can get one.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can't read that ESET print screen, it's too blurry. The spybot screen shot is fine, just remove all.

jholland1964 650 Posting Expert Team Colleague Featured Poster

There is a size limit. Maybe yours was too large. Take a look at mine.
Do print screen of the pop-up. Paste into photo editing program, crop print screen so only the pop-up shows. Save it as a .jpg where you can easily find it on your computer.
Click Reply.
Then right below Reply box you will see Manage Attachments.
Click that button.
Then a box like my second attachment will pop up.
Click the top browse button to browse your computer for the printscreen. When you find it Click the Upload button. Attachment will be uploaded to the site.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can you possibly get print screen on one or more of them?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I was only asking about your location because the log shows an internet connection or ISP located in Iran. Just wanted to be certain that it was ok. If we see something like that we have to check to be sure, because some hijacking of computers takes place from locations very far from the computer, in other countries. I myself am located in the USA. If my scan showed an ISP in London or Paris, that would mean serious problems, and certain steps would be required to reset to the correct ISP.
That is a part of your log I can ignore then. I will go through the log and get back with you.
EDIT:
Here is what I see Danielle. You have a very SMALL amount of RAM for what is on the computer. This could certainly be a cause of the freezes.
I would advise increasing this to at least 1 GB. RAM is very easy to install and a very inexpensive way to upgrade the computer.
Now since you are in Iran I can't really tell you where to purchase it but you can go to
http://www.crucial.com/ where you can do a free scan of the computer and they will tell you what options you have for additional RAM, the proper RAM to purchase. Now this is located here in the US so I don't believe you could order it through them, but I cannot say for sure. But what …

Danielle commented: vry helpful +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

Danielle, just continue on with my instructions.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer
Then go to ESET Online Scanner and run a Full System Scan. Save the log and post back here with it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I noticed soooooo many Windows updates on my uninstall list...is this
what's eating all my disc space on disc D?

Shouldn't be, and you can't delete or uninstall those, because then whatever had been updated would no longer be updated, which could then cause a "domino" effect which would cause others not to work, and so on.

To find out how much RAM is installed right click My Computer and choose Properties. When System Properties opens right there on the 1st Tab which is the General Tab the last bit of information shown there will be how much RAM is installed. I would be interested to know.
One thing I see that you have installed that is perfectly fine, but unnecessary is Ultimate Pop-up Blocker 3.2. IE 7 has a popup blocker, another one is not necessary.
Also I see Ares 2.1.0, a P2P file sharing program, very dangerous thing to do. Up to you of course but P2P is a real easy way to get an infection.
Can I ask where you are located? I ask because one entry in your HJT log points to Iran, are you in Iran?
Run the ESET Scanner again and have it fix those items it found.
Be sure to save the log.
Reboot and run HJT again and place a check mark next to the following entries:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is the MBA-M log? We DO need to know what was removed. Some things require additional steps to be certain that everything is totally removed.

jholland1964 650 Posting Expert Team Colleague Featured Poster

My above reply was typed before jholland1964 added his sensible advice. We both want you to make sure and there is thus no conflict between both sets of follow up advice.

By the way, I am a she not a he...Judy...but no offense taken.:)
I always try to "shy away" from recommending regedits here unless absolutely necessary. One reason is that MBA-M will and does delete infected registry entries. I would rather see the logs before stating this thread is solved. Hopefully SimonHughes will return with those logs so we can say for sure; plus it is to the benefit of others who may be having the same problems. We have no idea what other trojans were found.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Can we see the logs please? There may be other steps required. Each Trojan is different, some leaving more behind when they are removed.
Was this done with an Updated MBA-M? If not it should be updated and run again.
Post the MBA-M log a new HJT log too, ok?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Honestly, I don't use either program, so I am not familiar with their inner workings.
You can stop their processes via Task Manager:
SUPERAntiSpyware.exe
I don't see Windows Defender listed as running so it must not be. You can also stop aawservice.exe, it does nothing anyway unless you have the paid version.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Try turning off SAS, Windows Defender and maybe your firewall and see if that makes a difference with updates.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again and place check marks next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...7&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askR...gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

Once you have placed those check marks click the Fix Checked button.
Exit HJT.
Reboot and see if there is any difference.
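The entries called out in this post and the earlier ones (orphaned O2 BHOs marked "(no file)", O4 autoruns launching from a user's Application Data folder, R0/R1 search and home page values pointing at an unexpected host) are the recurring tell-tales in these HijackThis logs. As an added illustration that is not part of the original post or of the HijackThis tool, the Python below reads HJT-style lines and flags exactly those three patterns. The sample log, the allowlist of expected search hosts and the example toolbar URL are constructed for this example; the O2 and O4 lines are modelled on the ones quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines in HijackThis format. The O2 "(no file)" entry and the
# two O4 entries are modelled on lines quoted in this thread; the rest are made up.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search-toolbar.example/redirect?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [download draw] C:\DOCUME~1\Rosedale\APPLIC~1\INTERL~1\Surftrust.exe
O4 - HKLM\..\Run: [Fork live trust pop] C:\Documents and Settings\All Users\Application Data\Eq Anti Fork Live\Test Debug.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Hosts a search/home page may legitimately point to. This allowlist is an assumption
# for the example; real triage would use the owner's own known-good settings.
EXPECTED_HOSTS = ("google.com", "msn.com", "live.com", "microsoft.com")

# Folders a startup item should normally not run from: per-user and shared
# Application Data locations as they appear (long and 8.3 form) in XP-era logs.
USER_DATA_DIR = re.compile(
    r"(docume~1|documents and settings|applic~1|application data|\\users\\)",
    re.IGNORECASE,
)

ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


def _host_is_expected(url):
    """True if the URL's host is, or is under, one of the allowlisted domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)


def classify(line):
    """Return a reason string if the HJT line deserves attention, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code.startswith("R"):
        # R0/R1: registry value "= URL". An empty value (e.g. "Local Page =") is ignored.
        _, _, value = body.partition(" = ")
        value = value.strip()
        if value and not _host_is_expected(value):
            return "browser search/home page points to an unexpected host"
    elif code == "O2":
        # A BHO whose DLL no longer exists is dead weight left behind by a removal.
        if body.endswith("(no file)"):
            return "BHO registered but its DLL is missing (orphaned entry)"
    elif code == "O4":
        # Run-key autoruns: legitimate software rarely starts from Application Data.
        o4 = O4_RE.search(body)
        if o4 and USER_DATA_DIR.search(o4.group("cmd")):
            return "autorun launches from a user data folder"
    return None


def triage(log_text):
    """Return [(line, reason)] for every flagged entry in an HJT-format log."""
    flagged = []
    for ln in log_text.splitlines():
        reason = classify(ln)
        if reason:
            flagged.append((ln, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the constructed log it flags four of the eight lines: the toolbar search URL, the orphaned BHO and the two Application Data autoruns, while the Google start page, the empty Local Page value, the BHO with a present DLL and the plain SOUNDMAN.EXE entry pass. The script only reports; the fixing is still done in HijackThis as the post describes.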

jholland1964 650 Posting Expert Team Colleague Featured Poster

Give us some more info on the computer itself...how many hard drives, how full are they, how much RAM is installed?
Have you done general clean up of the computer...removal of temp files, defrag and that type of thing?
Have you done scans with your antivirus program AND with SpyBot?

One thing which probably has nothing to do with your problem, but can interfere with any fixes possibly needed, is to turn OFF the SpyBot TeaTimer and leave it off.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Follow all the steps given HERE, Note the comment in RED about the Deckard Scanner, it isn't available anymore so you will substitute with a new Full System Scan with HiJackThis AFTER completing all the other steps.
Save ALL requested logs...MBA-M, ESET Scanner and HJT.
Post back with all those, in that order AND please in SINGLE space.
Thanks.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

The HiJackThis program is still the old one. The version you need is HJT version 2.0.2
You need to TURN OFF the TeaTimer portion of SpyBot as it can interfere with fixes.
To disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer
See if you can update MBA-M from here;
http://www.gt500.org/malwarebytes/database.jsp

Try these instructions and see if this file is there; if so, follow the instructions and then try updating all those again.
Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.

When you post your logs we only need to see the FINAL logs not all of them. Just the ones which show fixes have been applied.
Uninstall that old HJT and use the newest version, it gives much more information.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to update MBA-M and run that Full System scan again and this time follow the directions as they were given above:

* Be sure that everything is checked, and click Remove Selected.
Reboot the computer

Run a new HJT scan and save the log.
Post back here with both new logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

You really need to explain your problem better than just listing Pop up Help. What types of pop ups for one thing, when did this begin, when do you get them?
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
Run a new HJT scan and save the log. Post back here with both logs.
Judy

sampson commented: thanks +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

Note it also says to check for ATI video driver updates so I would do that also.
http://www.amd.com/us-en/

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey, that is why we are all here. Hopefully to help and make things easier.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, I will do that. This morning some machines started experiencing BSOD at login. One user said that the problem started when she installed Adobe 8 on the machine. I will do what you request and let you know. Also, has anyone heard of Adobe 8 issues?

Thanks so much.

Check these Adobe links concerning BSODs and Adobe 8:

http://kb.adobe.com/selfservice/viewContent.do?externalId=324073

http://kb.adobe.com/selfservice/viewContent.do?externalId=324073&sliceId=1

jholland1964 650 Posting Expert Team Colleague Featured Poster

You are going to have to find a way to run MBA-M in normal mode. It is not made to run in Safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
The version of HiJackThis you used is out of date. Right Click your desktop and choose New Folder, name it HJT. Remove that old version of HJT and download the newest version from HERE Please save it to the new folder on the desktop.
Run a full system scan with it, save the log and post back here with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just pick ONE machine and let's run through entire clean up with that one machine. Start with MBA-M, allow it to clean everything found.
Reboot
Then run ESET Scanner and do the same.
Reboot.
Then run a new HJT scan and save the log.
Also run HJT and give us an Uninstall List using that program.
We will take a look.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't see anything suspicious in the logs. Is the computer running all right?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I got the same virus on one of the workstations. I did the antivirus thing and got rid of what I thought was all of it, but now the only problem is that right after you log in (I tried safe mode too) it logs you off. I tried doing a Windows repair but no luck. Anyone have a clue what to do now?
Thanks

What "same virus"? Are you referring to another thread or something? We have no way of knowing what you are talking about unless you explain it a little better.
What virus, what "antivirus thing" did you do?
Can we see some logs and get more info?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I need the MBA-M log. If you have not run it yet then do so now. This is the removal program and should be run BEFORE running HJT.
Run MBA-M, let it REMOVE all found. Save the log.
Reboot the system and then run a new HJT scan.
Post back with both logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks like MBA-M did its usual great work.
To be safe I want you to run one more program.
Please download ComboFix by sUBs from
HERE
or
HERE
* You must download it to and run it from your Desktop.
* Physically disconnect from the internet.
* Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

* Double click combofix.exe & follow the prompts.
* When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
* Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Run Combofix ONCE only!!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Alright, so I uninstalled McAfee and I went through a full system scan with that program and removed 23 infections. The new log is:

What program did you run the scan with? Can you post the log of the program that you scanned with and the names of the viruses removed?
Seeing the logs are key to telling us what needs to be done next.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not certain which program you are talking about.
MBA-M version 1.33 can be downloaded HERE
HiJackThis version 2.0.2 can be downloaded HERE.