jholland1964 650 Posting Expert Team Colleague Featured Poster

Well combofix caught at least one trojan, give me a bit to go through the rest of the log and I will get back with you.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Still some things in that HJT log I don't like the looks of...Do this:

You may want to print this out for reference as you cannot touch the computer until this program is finished and produces a log, except to respond to prompts from the combofix program.

Download ComboFix

Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix icon on the desktop.

* Close all open windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.
Windows will issue a prompt asking whether you wish to run the program, click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Both Spybot and MBA-M did what they were supposed to do; however, this entry still shows in your new HJT log and before we can go further you have to turn this service off:

Adaware Services. It can interfere with fixes. Go to Start, Control Panel, Administrative Tools, Services. When that opens look for Ad-Aware 2007 Service (aawservice). Double click. When that opens click the Stop Button to turn it off. Then in the middle there you will see Start up type: in that small window there you will see Automatic. Click the little arrow to bring down the drop down menu and change that type to Disabled.

This service is really of no use. It can interfere with fixes attempted.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi,
First of all turn off that Adaware Services. It can interfere with fixes. Go to Start, Control Panel, Administrative Tools, Services. When that opens look for Ad-Aware 2007 Service (aawservice). Double click. When that opens click the Stop Button to turn it off. Then in the middle there you will see Start up type: in that small window there you will see Automatic. Click the little arrow to bring down the drop down menu and change that type to Disabled.

The Spybot log shows this on all entries:
Virtumonde: [SBI $4D2BC948] Settings (Registry key, nothing done)....
Did you TELL it to fix these? You have to tell the program to fix or it won't do anything.
Run it again and have it quarantine what it finds.

I also ran HJT and got rid of them on startup

Doing this doesn't necessarily remove the program, it just removes that particular entry from start up. HJT should not be considered a fix program, it is basically a scanner program. Yes, some fixes are done AFTER clean up of the files is done on the computer, but just removing an item from the HJT log won't fix it unless the program the entry is pointing to is gone.
Update MBA-M. Then run a Full System Scan with it. When it is finished then look at the results and Be sure that everything is checked, and click Remove Selected.
Reboot the computer
Run a new HJT …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, it is listed in the Start Up section of your HJT log here:
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

You can run HiJackThis again and put a check mark in that entry and then click Fix Checked.
Exit HJT.
If you NEVER use this you can uninstall the program. I'm not familiar with the MySpace IM, but it may be listed in Add/Remove and you can remove it entirely from there.
If it isn't listed there, it is in the folder C:\Program Files\MySpace\
so it has been downloaded to the computer at some time. Now I use MySpace occasionally but have never used the IM program, and I just checked my computer and I do not have a MySpace folder in Program Files, so I am guessing that you must have other MySpace items installed. As I said, I use MySpace occasionally and have never had problems going through the various items on the page without anything installed from MySpace, so that is what you should check out.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Downloaded SpyBlaster (I got rid of AVG because I thought you had said the rule of thumb is One protection per One computer)

No, I said one ANTI-VIRUS program per computer, that was when you were running two of them, McAfee and AVG. SpywareBlaster is NOT an anti-virus program. You need ONE anti-virus program on there so put your AVG back on.
Reinstall AVG and then run a new HJT scan and post the log and I can better tell you how to stop the MySpace IM.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks pretty good. Just a couple of minor fixes you can do with HJT.
Run the program again and put check marks next to these two entries:
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
Then click the Fix Checked button.
Exit HJT.

You also really need to update your Java. It is out of date, keeping Java updated also helps with security.
Go HERE to download the latest version and choose the Offline Install and save it to the desktop.
Once that is downloaded then go to Start, Control Panel, Add/Remove and Uninstall ALL older versions of Java that you find there.
Once those are all removed then go to the Java install on your desktop and double click to install. When the install is complete go back to the download link I gave above. On the right side of the page you will see Verify Now. Click that to verify the install was complete.

I would also recommend that you KEEP that MBA-M program and use it for scanning at least weekly. Remember to Update BEFORE each scan as this program has almost daily updates. A Quick Scan weekly is generally sufficient unless the Quick Scan turns up a lot of problems; if that happens then do a re-scan, only use the Full System Scan.
Also to beef up your security I …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now for your security programs:
You can remove HiJackThis, you don't need this anymore. It should be used only when requested by a forum helper. It is not generally considered a clean up/fixer program but a scanner/investigative program really, though certain fixes of course are done with it when instructed to do so. Random use and removal without instruction can lead to damage to the computer if you really don't know for sure what you are fixing so it is always advisable to remove it once clean-up is complete.

As I told you I use Antivir and I see you've installed it also. I really like it a lot. It does auto update which I like, even though it has that annoying pop-up ad for their paid version whenever it updates; you just "X" it out. You have to run scans manually but if you make it a habit to run all these scans on a specific day and time then you will think nothing of it AND keep your computer running cleanly and smoothly.

ATF-Cleaner is a great cleanup program to keep, gets rid of the temp files and cookies, etc.

CCleaner is also a good one, does a bit more than ATF. You can keep it if you wish but only use the default settings. I have both on my system but ATF is the one I use on a regular basis.

Spybot Search and Destroy is excellent and one to keep …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Also, I am wondering about what all I am doing for protection & what is the difference of each program.
Spybot S&D
MBA-M
Antivir
Ad-Aware
CCleaner
ATF-Cleaner
HijackThis

I'm not clear on the differences of each of these, & when I should use them & how often.
Can you point me to the answer or provide some explanation?

Happy to do that shortly but one more thing you MUST do is update your Java. Yours is WAY, WAY out of date. Current version is 6 update 11. Having out of date Java can also raise security issues so it should be kept up to date.
You need to go HERE. Download the Offline Install and save it to your desktop but DON'T install yet.
Once you have downloaded then go to Start, Control Panel, Add/Remove and Uninstall ALL versions of java you find there.
Once all have been uninstalled then go back to the desktop and with all browsers closed, double click the java install to install the newest version. Once the new version is installed then go back to that download page and on the right side you will see Verify Now. Click that to verify that the installation was successful.
Back shortly with explanation of the security programs noted and what to do with them.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

So, I think the Dr. Web (Which I have now removed) may have found the TDSSserv.sys. I could not find it and I think I recall it removing something along those lines.

Who told you to run Dr. Web?
Please post a new HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi kelbor sorry you have waited so long for a reply.
First thing I see in your log that definitely will slow your computer is that you are running multiple anti-virus programs on the computer. I see AVG8, McAfee, some Symantec/Norton listings showing too, possibly from an old Norton program. You absolutely have to UNINSTALL ALL of these EXCEPT for ONE anti-virus program, that is the absolute rule, ONE anti-virus program running on a computer. More than one will slow the computer and actually lessen the protection because having more than one may have them fighting against each other and "something" can sneak in.
Secondly you have multiple listings for MySpaceIM auto starting, this really is unnecessary to have this many instances of this program in auto start. You also have AdAware Services running in the background, this can interfere with any fixes done, please turn this off by going to Start, Control Panel, Administrative Tools, Services. The listings here are in alphabetical order so please scroll through until you see the listing for Lavasoft Ad-Aware Service. Double click to open. At the bottom you will see the button to Stop the service, click that to turn it off. Once it is turned off then go up to Start up type. There you will see Automatic. Click that arrow next to Automatic, you will see a drop down menu, please change this to Disable. Click Apply and close out Services.
Then do the following:
Go …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have used all three, not at the same time of course. I liked AVG8 but found it slowed my system. I tried AVAST but didn't care for its interface, personal opinion really. I have now used Antivir for probably 6 months. I like it quite well. It updates regularly. Free version does not allow for scheduling scans but I don't mind doing them manually once a week or more often if I am concerned about something.
It's really just a matter of what you like. I am pleased with Antivir protection so that is the one I would recommend, but I had no complaint about the protection factor of the other two either.

jholland1964 650 Posting Expert Team Colleague Featured Poster

not sure what to do with those "error while deleting" files from ESET?

These files were just part of deleted objects.

Any further thoughts?...

Yes, a BIG one...Where is your anti-virus program and where is your firewall? You are not running either one. You are very lucky you don't have many more infections on the computer.
There are some very good Free anti-virus programs, download ONE and install and update it.
Antivir
Avast
AVG8
You choose. But you MUST install and use an anti-virus program. Same goes for the firewall. There are several good free ones out there, also of course Windows XP has the built in firewall.
Run HJT again and place check marks next to the following entries if they remain:

O2 - BHO: VisualTool - {F3A54897-9E68-B11E-A37A-4D1422CE9CAA} - C:\Program Files\VisualTool\VisualTool-2.dll (file missing)
O3 - Toolbar: Mirar - {41B35E5E-FF7A-410E-9DBF-2485FB45C003} - C:\WINDOWS\system32\windg77.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Once you have placed the check marks click the Fix Checked button.
Exit HJT.
Reboot.
Run another HJT scan and post the log. Please don't print it in italics or color, that makes it very hard to read.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Great job and very efficient following of instructions. Just the kind of threads I love!

I ran ATF-Cleaner, except for Firefox files.
I need to know if it's necessary to delete all those files?

I also ran CCleaner.

One program or the other is fine, but yes, ALL files found should be deleted; some of the infections found by the ESET scanner were within all of these items, probably located by one or the other program. Use CCleaner and have it Analyze and Run Cleaner.
Open your Spybot program and Clean out the Recovery. This is also where some items found by ESET were located. They wouldn't be dangerous but no need to keep them as you would not want to put them back, they are infections.
Now run the ESET Scanner again and this time let it Fix/Remove everything found. Save the log for posting here.
Reboot.
Run MBA-M again. Update it first. Then run again and Remove everything found.
Then run a new HJT scan and save the log.
Post back here with all requested logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi jistoj and welcome to daniweb.
Once you have completed all the steps you should create your OWN thread, by clicking the Start New Thread button on the upper left side of the page just above the thread list, (see attachment) with a title that will convey to others what your problem is, like Crashing Explorer.exe and then give us the full information on what happens, when it happens, etc. Then list the steps you have taken and post the logs in your new thread. I will keep my eye out for it and take a look.
Just makes it easier on all if only one person's problems are worked on per thread.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks ok to me. Are things running well? If so you can mark this one solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Okay, so I just cleaned out the Temp files so I should be good now. I removed it from the Auto start programs also. To remove it from the Services, I just deselect it, right?

To remove it from Services you need to go to Start, Control Panel, Administrative Tools, Services.
When Services opens then scroll through the list to find MBAMService. Double click. When the box opens if it shows it is running click the Stop button. Once it stops then go up to the Start Up type and change that to Disabled.
Now you have one fix you need to do with HJT.
Run the program again and place a check mark next to the following entry if it still remains:
O20 - AppInit_DLLs: ufrvjh.dll
Once you have placed the check mark then click the Fix Checked button.
Exit HJT.
Reboot and, to be safe, update MBA-M and run one more MBA-M scan, and of course if something is found have it remove it. Save the log.
Then run a new HJT scan and save the log. Post back here with both new logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I am not going to get into a contest here. But doesn't matter if he is a new poster or how many posts he has. Since I was the one working with him, I cannot, in all good conscience say this thread is solved. This is NOT for him, but for others with the same problem who search this out, and end up clicking on this thread and decide since somebody says the thread is solved will then take the same incorrect route as this original poster. To all those people, it is not solved.
His last post showed an MBA-M log without any action taken. He said at the bottom:

"i had 30 dang viruses got rid of em all deleted them from quaritene i will do the online scanner now. and btw the problem has stopped but im gunna make sure they wont come back",

He does NOT state what quarantine...MBA-M, an anti-virus program, some other program he ran...nothing. He also does not state how he is going to make sure they don't come back. But since his logs do NOT show an anti-virus program nor a firewall on the computer BUT do show BitComet, a P2P file sharing program, then the place to start was as I had him do, not assuming the CPU was overheating. He did check what you suggested and that was not the case. He DID run MBA-M which found 13 instances of the Vundo Trojan and various Adware, a Trojan dialer, …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to remember to keep your Temp files cleaned out. That one was located there.
Did you purchase the Pro version of Malwarebytes' Anti-Malware?
If not and you are running the free version then you need to remove it from the Services and also Auto start programs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I did not add anything to either file. Is it possible that these numbers come from my router? The router IP addresses begin with 192.168.

Best regards

Probably is. Then the log looks ok to me.
Are things running all right?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes run it again. If it is clean just report back no need to post another log if it is clean. If it isn't then post the log.
I use MBA-M very often to be certain my computer remains clean. It is an invaluable program as far as I am concerned. Just always be sure to update before each run. One thing though, it is showing in your Start Up programs, take it out of there. There is no reason for it to run at Start Up unless of course it is cleaning. But otherwise it shouldn't be in that list because this would be a one time thing.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

From what I could find cceraser.dll is a Norton file used to delete something, probably or possibly an infection of some kind. Sounds to me like maybe that file is damaged or corrupt and this is why Norton wanted you to reinstall the program. Since you obviously were downloading the program and had a disconnect, what the second guy was telling you was that it was a problem with the server and would be fixed soon. I would go along with them for now and see if it is fixed. Are you on high speed or dial up? Downloading Norton via dial up will take a very long time and a disconnect on dial up isn't unusual.
Depending on how long you have owned the program you might consider uninstalling it completely and downloading a FREE anti virus program to take its place. If you recently purchased the program online and it isn't due to expire soon then keep trying the download, but if it doesn't work then call them back and ask for a disk.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Only question I have is did you add these?
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A10A494-05FB-48A1-950D-13B0B6BA75A5}: NameServer = 192.168.10.10
These entries indicate the DNS server on the computer and I can find no information about 192.168.10.10.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Where is scandisk? I can't find it on a search.

http://help.isu.edu/index.php?action=faq&catid=31&docid=668

jholland1964 650 Posting Expert Team Colleague Featured Poster

excellent. just hit the "mark as solved" button on the thread so that others know you fixed it, and can either come here for help or know you don't need help at the moment.

Who are you replying to? The original poster has NOT returned for 8 days to respond to my question asking him if he DID tell the MBA-M program to apply the fixes or if he has run the program again. This thread is NOT solved, we don't know the outcome.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you reboot? Some infections cannot be removed until the computer is rebooted, because at the time of the scan the infected file is running. By rebooting MBA-M removes the file BEFORE it can automatically boot up during the start process.
Where is the MBA-M log?

jholland1964 650 Posting Expert Team Colleague Featured Poster

The reason I asked was that if it had been AFTER the install of SP3 you could have still rolled back to IE6 but since it was after then that is not possible. You might try running scandisk and seeing if you have some files which can be repaired.

jholland1964 650 Posting Expert Team Colleague Featured Poster

For heaven's sake ignore that warning. That's a nasty wanting you to install their trojan. First thing you need to do is disable Spybot TeaTimer as it will interfere with fixes.
To do this open Spybot. Choose Mode at the top and choose Advanced Mode. Then go to the bottom and click Tools. When Tools opens Click Resident. When Resident opens take the Check Mark OUT of TeaTimer.
Close the program and Reboot the computer.
Then do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.
Run a new HJT scan and save the log. Post back here with the MBA-M log and the new HJT log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

When did you originally install IE7, before or after you installed SP3?

jholland1964 650 Posting Expert Team Colleague Featured Poster

No your computer isn't clean.

AVG revealed one fairly unobtrusive virus that it removed.

What was the name of this virus and where was it located? One must never assume a virus is unobtrusive. One infection can open the door to many others.

I ran Spyware Doctor, and it found high risk sypware and removed it.

What was the name and location of this high risk spyware?
We really need to know the names of things so we know what we are dealing with.
You need to do the following:
First remove that version of HiJackThis, it is way out of date.
Then download the newest version HiJackThis version 2.0.2 and save it to that HiJackThis folder you have in your program files.
Next turn off that Abexo registry cleaner. There is no reason a registry cleaner should be running on the computer. Also turn off Win Patrol as it can interfere with fixes which need to be done.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results …

jholland1964 650 Posting Expert Team Colleague Featured Poster

You need to post the MBA-M log and also a HiJackThis log otherwise there is no way to tell if things are clean.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't know if you can do it but see if you can install it in Safe Mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.

Run a new HJT scan. Post back with that log and the MBA-M log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Happy to help. You can mark this solved if all is well.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Those are the normally hidden system files. Did you follow the instructions on the Read Me sticky? One of those is to enable the viewing of Hidden Files and folders. Go back in and do the reverse and hide these files and folders again and see if these disappear.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks as if MBA-M has removed the Trojan. What do these

few extra icons on the desktop

look like? Have you checked the properties of these icons? Do they have names?
Now some information about this Trojan....
We just had another thread here with this same infection. Do you use a router? If so you should reset the router to the default configuration.
Judy

P.S. Please turn off that BitTorrent program. File sharing is something we do not condone here. What you do on your own is your own business but this may very well be the way your machine was infected in the first place. It is pointless to try to clean a machine while the user is P2P file sharing.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have AVG on my system, but it isn't showing up, and Norton is on, but I can't update it (the last update file say 1999). Spybot also doesn't show up. I ran adaware, but it didn't find the problem

Ok, going through your Uninstall list AVG doesn't show anywhere so it is not installed. When did you purchase the Norton program? What version is it?
If you have the install disk for the Norton program you may be better off uninstalling it all and doing a reinstall, obviously the program is damaged.
The one listing for AVG showing in your HJT log says

(file missing)

so it isn't there.
Spybot IS there; if it isn't showing on your Start, All Programs list then you will have to do a search for it, but believe me it is there as it is showing in your Uninstall list AND is showing in your HJT log.

You have at least one program installed, and running as an Auto Starting program and that is RelevantKnowledge
This MOST DEFINITELY is considered malware and most definitely should be removed ASAP. One reason for this is that it is known to download other malware, but a key reason here is THIS entry in your HJT log:

O20 - AppInit_DLLs: C:\program,files\relevantknowledge\rlai.dll,C:\program files\relevantknowledge\rlai.dll. This section corresponds to files being loaded through the AppInit_DLLs Registry value and the Winlogon Notify Subkeys. There are very few legitimate programs that use this Registry key …
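
As an added example (not from these posts and not HijackThis code), here is a small Python triage of the HJT entry types quoted in the replies above: the O2/O3 "(no file)" and "(file missing)" orphans, the O17 NameServer question about 192.168.10.10, and the O20 AppInit_DLLs entries. The sample log is constructed from those quoted entries; the second O17 line, its all-zero GUID and the 203.0.113.53 address are made-up placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: the entry shapes are the ones quoted in the posts above
# (O2/O3 orphans, O4 auto-start, O17 NameServer, O20 AppInit_DLLs). The second O17
# line, its all-zero GUID and the 203.0.113.53 resolver address are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: VisualTool - {F3A54897-9E68-B11E-A37A-4D1422CE9CAA} - C:\Program Files\VisualTool\VisualTool-2.dll (file missing)
O3 - Toolbar: Mirar - {41B35E5E-FF7A-410E-9DBF-2485FB45C003} - C:\WINDOWS\system32\windg77.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A10A494-05FB-48A1-950D-13B0B6BA75A5}: NameServer = 192.168.10.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53,192.168.10.10
O20 - AppInit_DLLs: ufrvjh.dll
O20 - AppInit_DLLs: C:\program files\relevantknowledge\rlai.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([0-9.,]+)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hjt_line(line):
    """Split one HijackThis line into its section tag (O2, O17, ...) and body.
    Returns None for header, blank or other lines that are not Oxx entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def is_orphan(entry):
    """HJT marks entries whose target no longer exists; these are stale leftovers."""
    return "(no file)" in entry["body"] or "(file missing)" in entry["body"]


def is_rfc1918(addr):
    """True for private (LAN/router) addresses. Python's is_private is not used
    here because it also treats documentation ranges such as 203.0.113.0/24 as private."""
    return any(ip_address(addr) in net for net in RFC1918)


def nameserver_risk(entry):
    """Classify the DNS servers in an O17 entry: a private address is normally the
    router; a public one must be checked against the ISP or chosen resolver, since
    the DNS-changing infections discussed in the thread show up exactly here."""
    m = NAMESERVER_RE.search(entry["body"])
    if not m:
        return None
    addrs = [a for a in m.group(1).split(",") if a]
    if all(is_rfc1918(a) for a in addrs):
        return "private DNS address, normally the local router"
    public = ",".join(a for a in addrs if not is_rfc1918(a))
    return "public DNS address %s; confirm it belongs to your ISP or chosen resolver" % public


def triage(log_text):
    """Return (section, severity, reason, raw_line) for every entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        sec, body, raw = entry["section"], entry["body"], entry["raw"]
        if is_orphan(entry):
            findings.append((sec, "low", "target file missing; stale entry, safe to let HJT fix", raw))
        elif sec == "O17":
            risk = nameserver_risk(entry)
            if risk:
                findings.append((sec, "low" if risk.startswith("private") else "high", risk, raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "high", "AppInit_DLLs loads into every process; very few legitimate programs use it", raw))
        elif sec == "O4" and "(User 'SYSTEM')" in body:
            findings.append((sec, "info", "auto-start under the SYSTEM account; check that it is wanted", raw))
    return findings


def severity_counts(findings):
    """Tally findings by severity so a log can be summarised at a glance."""
    counts = {}
    for _, severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for sec, severity, reason, raw in triage(SAMPLE_LOG):
        print("%-4s %-5s %s\n     %s" % (sec, severity, reason, raw))
    print(severity_counts(triage(SAMPLE_LOG)))
```
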
jholland1964 650 Posting Expert Team Colleague Featured Poster

Run HiJackThis again but this time give me this: Click Misc. Tools. When you get that open then click Open Uninstall Manager. When that opens click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad back here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Other than the problems you have noted what else is going on and how long?
Not sure what you mean by "AVG suppressed" and Spybot shows as already being on your system so you shouldn't have to download it again. AVG doesn't show on the log as your anti-virus program; the one showing is Norton. You should only have ONE anti-virus program on the computer anyway.
AdAware is also showing as installed and running in the background.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Well I'll be. Like I said, know next to nothing about router usage but when you said you used the router on a couple of the computers I thought maybe that could be the problem, especially since everything else looked clean.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

For now I will say it appears to be a legitimate program. You should STOP it from running automatically via services the same way I told you to stop the others. There is no reason for this program to run all the time anyway.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I put "TuneUpDefragService.exe" into google and its malware sites galore that come up

Yeah, I know that is why I asked.

Also, have to say here I am not familiar with using a router, wireless or otherwise but have found multiple listings while searching that this particular infection does some changes with DNS settings on the router.
Concerning being connected to a wireless router and this particular infection, take a look at this:
http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

and this one; http://forums.spybot.info/showthread.php?t=35568&page=2
and also this one;
http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have 'Tuneup Utilities 2008' installed and just assumed it was connected with that in some way.

That's fine just wanted to be certain.
Now I am somewhat confused here....Exactly WHICH computer is the infected computer we are working on at this moment? Have any of the others been infected? Don't tell me anything about the ones that are not. Is the infected one the one on the router or the one directly connected to the internet?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just noticed something...duh....don't know why I didn't see this before, did you purposely install TuneUpDefrag?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I have a question for you. I asked you to Remove from Automatic Start up the following services:
Spyware Doctor, TeamViewer 3, SupportSoft Sprocket Service, but they are still showing in the log did you remove them from auto start services?
Do you use a Router? If so you must reset that router too.
Try this too, shut down the computer, unplug the internet cord from the computer, reboot to safe mode go into C:\Windows\system32\kdhum.exe and delete that ONE file.
Run MBA-M again. Then shut down, plug the internet cord back into the computer, reboot to normal mode and run HJT again.
Post the logs here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks to me like things are clean. MBA-M removed your Trojan, including your Windows Tribute Service and the TCIP entries.
Are things running well?
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hello redrevis and welcome to daniweb. Sorry you are having so many problems. You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again, as you have found.

You need to uninstall combofix.
Do it this way:
Go to Start, Run
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

Next you need to turn off some services which are running automatically at start up.
To do this do the following:
Click the Start button.
From the Start menu, choose Control Panel.
From the Control Panel home page, choose the System And Maintenance option.
On the System And Maintenance page, click Administrative Tools.
From the Administrative Tools page double-click on the Services option.
When prompted by User Access Control to verify that opening the Services Control Panel applet is allowed, click the Continue button. If you are not prompted, you have either disabled User Access Control or are logged in with an account that does not have the ability to run with administrative privileges.
You should now be at …

jholland1964 650 Posting Expert Team Colleague Featured Poster

As far as I can find Combofix works just fine on Windows 2000 Pro.
One thing in your logs I note that you have Adaware aawservice.exe running.
You should stop this from running. I have seen multiple posts where this seemed to have interfered with some attempts at fixes.
Are you downloading and saving it to the desktop or are you attempting to download and run it?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi Tessy,
What anti malware program did you run?
You should do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

Next create a new folder on the desktop and name this folder HiJackThis.
Then download HiJackThis to this folder.
Close all browsers and unnecessary programs and run a Full System scan with HiJackThis and save the log where you can easily find it. The folder you created would be good.
Post back here and copy/paste the log from MBA-M and HiJackThis into this thread.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

How did you delete them all? Your log shows

No action taken.

on ALL listed.
Did you run the program again and have it fix or did you manually do it? You should use the MBA-M program to do the fixing as instructed:

* Be sure that everything is checked, and click Remove Selected.