JeanInMontana

Honorary Members
  • Posts: 3,859

Everything posted by JeanInMontana

  1. I'm sorry I don't know what you mean. You had a log file open when you ran HJT? Run a scan with the program and put a check next to the file listed in the post I made. It is listed in the log right above HiJack This. That is where you will see it in the scan also. Then follow the rest of the instructions you were given. Edit to add: This is NOT the program notepad that comes with Windows. This is malware posing as notepad. The real file for notepad is not listed as all capital letters.
  2. Hi Simon and welcome to Malwarebytes. Please set your system to show hidden files and folders. To see hidden files: 1. On the Tools menu in Windows Explorer, click Folder Options. 2. Click the View tab. 3. Under Hidden files and folders, click Show hidden files and folders. Note To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer. Run HiJack This! again and put a check next to this item: C:\WINDOWS\system32\NOTEPAD.EXE Now reboot into safe mode by tapping the F8 Key as soon as you hear the beep. Use Windows Explorer to navigate to, and delete the file below. C:\WINDOWS\system32\NOTEPAD.EXE Reboot into normal mode and using Internet Explorer go here http://www.pandasoftware.com/products/activescan.htm and run a full scan. Remove anything found and please post the log as a reply in this thread along with a new HJT log.
  3. Welcome to Malwarebytes!! We are happy to have you here.
  4. Try doing a System Restore. HJT will uninstall using Add/Remove Programs cleanly and completely; there is no need to use any third party programs. Leave the registry alone if you don't know what you're doing.
  5. Welcome to Malwarebytes!! It's great to have you here and having your expertise in testing MBAM is sure to be noticed. Let us know what you think. We are very pleased with it so far and it's just going to get better. Thanks Corrine!!
  6. Install super fast and smooth. Had to get me a false positive to see a list, worked great. Quick scans are running right around 4 min 25-29 seconds. I didn't do a full scan, need to get to bed.
  7. You're welcome. Since this has been resolved I will now close this topic.
  8. Yes, I have seen that too. I'm not criticizing, at all. I guess I misunderstood earlier post about this. I thought you were going to eliminate AntiVir being targeted and thought I should post it.
  9. Malwarebytes' Anti-Malware Version 0.55 This logfile was saved before the removal process. Database version: 096 Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\temp\Upd30.tmp (Heuristics.Malware)
  10. Hi lurking, the f/p was fixed with the update.
  11. Can you log on as the administrator and change your account?
  12. Your log looks clean. Credit to njustice for suggesting the safe mode delete. I'm just so glad we beat this thing. Stay clear of those free game sites. They are breeding grounds for malware. If you need anything else just let us know. Take care.
  13. Avira temp files here too http://www.malwarebytes.org/forums/index.php?showtopic=2070
  14. I think we have it on the run. Google must have ditched the files. Scan again with HJT and put a check next to this: O4 - HKLM\..\Run: [gohgfhaaya] c:\windows\system32\gohgfhaaya.exe gohgfhaaya You could get rid of some stuff you don't need at startup too with StartUpLite, on the download page. Also your Adobe Reader is an unsafe outdated version. You need to flush all restore points and create a clean one. Stuff like this hides in system restore points then if you use one you are infected all over again. Do this after you run CCleaner. If you add a layer of prevention to your machine it will help immensely in the future. SpywareBlaster by Javacool is free and excellent also WinPatrol and a hosts file like hpHosts or IE-Spyads or both...LOL If you're using the Windows firewall, it isn't good enough; you need one that monitors what is going out from your PC. ZoneAlarm, Sunbelt, Comodo are all good and free. A program like SiteAdvisor or SiteHound will warn you of a bad site. Also surfing with a non administrator account prevents anything installing. If you have kids, limit their permissions to no installs or downloads. Let me know if this removal gets it and post another log after reboot. Please.
  15. Great!! Reboot and see if that did the trick. See if you can run AdAware now too.
  16. Hey Joe, welcome to MWB! Love that avatar. That makes sense because I use Avira too.
  17. New scan with updates. Malwarebytes' Anti-Malware Version 0.54 This logfile was saved after the removal process completed. Database version: 094 Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\temp\Upd2.tmp (Heuristics.Malware) -> Quarantined and deleted successfully. Are all these files UPd update files of some sort? Where are they coming from? Also wonder about the reg key in the first scan.
  18. I'm willing to bet Ad-Aware is crashing because of the malware or the malware is crashing it. The miscreants behind this infection have obviously gotten much more determined. I can't remember if we tried this, so forgive me if you did but boot into safe mode and try to find the following files. gohgfhaaya.dat gohgfhaaya.exe gohgfhaaya_nav.dat gohgfhaaya_navps.dat If you want to try and zip them and send to me fine, otherwise (and I don't blame you) just delete them and run CCleaner immediately. http://www.ccleaner.com/ So get the program install, update etc. and be ready. If the safe mode delete won't work or we already tried it, I woke up with this idea. (This is driving me nutty) Get this program Author: Option^Explicit Download Location License: Freeware KillBox Download Link Operating System: Windows File Description: Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them. Usage Information: Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. You will need to run it for every instance of the files listed above. Sorry I didn't get to this sooner. Good luck and let me know.
  19. Hi Larry and welcome to Malwarebytes. Run a scan here http://www.pandasoftware.com/products/activescan.htm allow it to remove anything it finds and post the log as a reply in this thread. Also get this program and run a scan and save the log, post it here. http://www.trendsecure.com/portal/en-US/do...ad/download.php Don't take any action on your own. Please wait for instructions.
  20. I will get that error if RRP tries updating before I'm actually connected. When there is an update available and I just boot up, with my wireless I will get that error. If I try again after I see I am connected then I get the update just fine. I have gotten that error also when I tried to update and there were none to be had. Have you never been able to update or is it a come and go thing? You might try a reinstall too.
  21. This program updated today and is including navipromo let's give it a try http://www.lavasoftusa.com/products/ad_aware_free.php Run a full system scan and remove anything it finds. Let me know how it goes. I've been searching all over for a fix. We will get this Jean, heh two Jeans can't be beat.
  22. I'm at a loss. I'm not giving up....just need to get some second opinions. There is a new version of your infection, that is why none of the fixes are working yet.
  23. I don't know how I can. I can't keep anything running long enough to do much. I can probably get it to you in messenger if we are quick. I shut the machine down. Seems it needs to cool off after so many BSOD's. I get about 10 minutes of uptime in safe mode then things start going to hell. So let me know when you want to try that. I'm going to order a cable so I can get some stuff off there I need/want in the event I am forced to reformat.
  24. Much to my surprise quick scan on my laptop came up with 34 items! I removed them and I'm doing a full scan now. Malwarebytes' Anti-Malware Version 0.54 This logfile was saved before the removal process. Database version: 091 Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 34 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv (Malware.Trace) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\temp\Upd10.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd11.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd12.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd13.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd14.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd15.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd16.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd17.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd18.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd19.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd1A.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd1B.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd1C.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd1D.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd1E.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd2.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd20.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd2E.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd3.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd3B.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd4.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd5.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd52.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd6.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd7.tmp (Heuristics.Malware) 
C:\WINDOWS\temp\Upd8.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd8B.tmp (Heuristics.Malware) C:\WINDOWS\temp\Upd9.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdA.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdB.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdC.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdD.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdE.tmp (Heuristics.Malware) C:\WINDOWS\temp\UpdF.tmp (Heuristics.Malware)