
JeanInMontana
Honorary Members
Posts: 3,859

Everything posted by JeanInMontana

  1. Re-read my first reply. There is a link to the correct HJT program there. Panda will remove without buying. It won't remove cookies, but it shows a trojan that it should remove. I would like to see another log from Panda at this point, because ComboFix may have removed it. So we need a log from the TrendMicro HJT and Panda please. How is it running? Feedback is also important.
  2. It looks like ComboFix took out some bad stuff. You can run HJT again with all programs closed and put a check next to these items and click fix.
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
     R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
     O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     Your Adobe Reader is an unsafe version, you need to update to version 8. What symptoms, if any, are you still having?
  3. Hi there Teddyboy, and welcome to Malwarebytes. Please set your system to show all files:
     Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     Scanspyware is a "rogue" program and should be uninstalled. http://www.spywarewarrior.com/rogue_anti-spyware.htm
     If you haven't already, please get these programs, update and run a complete scan removing all items found. Use the "Buy RogueRemoverPro" link in my signature for a free trial of the program, be sure to use the immunize feature.
     Spybot Search & Destroy, be sure to use the immunize feature with this program.
     AVG AntiSpyware
     Then go here and run a scan: PandaActive Scan. You must use IE.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This! Be sure you have all programs and browsers closed when you run the new HJT scan. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. Instructions must be followed exactly, print them for reference when you must be offline and with browsers closed.
  4. When I say post the log, I mean post the log. I can't tell what any of the traces found are, or where they are at, from the screen shot. If Panda was finding things, what were they? Where is the log? I have seen no evidence that you are clean. The ZoneAlarm alert is OK, and you can allow that to connect. Those alerts are ZoneAlarm doing its job. It is telling you what is connecting and that is what you're supposed to pay attention to. If you still have a bot connecting ZA will know. I thought I mentioned this before but maybe not. You need to update Adobe to version 8. Today is Patch Tuesday for Windows Updates. There are several critical security updates; be sure you get them ASAP.
  5. You did not follow my instructions. Nothing was removed and you are using the wrong HiJack This.
  6. I understand how annoying this is. If all the people I helped were as attentive as you it would be wonderful.
     Download and Run ComboFix
     * Download this file from below: Here http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
     * Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running: AVG, AdAware and Spybot Search & Destroy.
     * Then double click combofix.exe & follow the prompts.
     * When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
     Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     I'm going to bed soon so don't get impatient on me. My brain will work better in the morning.
  7. No there is no difference in scanning....but please no more scans without being instructed. Answer questions please. What symptoms are you still having?
  8. Your log shows it is on the desktop C:\Documents and Settings\Low Fai Ming\Desktop\HiJackThis.exe You need to move it to any other place on the hard drive. Program files is good. So after all those scans you are still getting the AVSystem care popups? Try running RogueRemover, you can get a free trial of the Pro version from the link in my signature.
  9. OK wipe your System Restore points, they are infected. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name and today's date. Then run another AVG scan be sure to update again, and post that log. Go ahead and see if being connected makes ZoneAlarm react. Pay close attention to what wants out. Write them down if you don't recognize the program, and deny anything you don't know.
  10. OK, run HJT again and put a check next to these items:
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
     R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
     R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
     O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
     O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
     O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
     Click fix and close HJT. Now go to Add/Remove programs and uninstall your Java, also delete the program file. It's outdated and a security risk. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. If you have no further symptoms we are probably done. If you still have symptoms let me know what they are please.
Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
SpywareBlaster from Javacool Software
WinPatrol by BillPStudios
SiteHound by FireTrust
RogueRemover
hpHosts
For an excellent list of reliable free firewalls and antivirus programs see here. If you think you're infection free, go get Service Pack 2 from Windows Updates tomorrow. It's the monthly "Patch Tuesday". I also don't see a firewall; you have to have a firewall. There is one in SP2 but it is not sufficient. Turn it off and get one that monitors traffic both ways. ZoneAlarm and Comodo are both good with free versions. Check out the link above.
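The HijackThis entries the helper tells posters to tick in posts 2 and 10 above share a few tells: a registered BHO, URLSearchHook or toolbar whose CLSID points at "(no file)" or a "(file missing)" DLL, a component with "(no name)", and R0/R1 start or search pages reset to about:blank or routed through a redirector host. The script below is an added example written for this page, not code from the thread or from HijackThis; it applies those tells to the entries quoted in those two posts plus one constructed benign control line (the "Example Helper" CLSID and path are made up). The redirector test is a heuristic assumption, not an HJT rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample HijackThis-style entries. The first eight are copied from the posts above;
# the last one is a constructed benign control with a made-up CLSID and path.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Heuristic (assumption): a start/search page routed through a host such as us.rd.yahoo.com.
_REDIRECTOR = re.compile(r"https?://(?:[\w-]+\.)*rd\.", re.I)


@dataclass
class Finding:
    section: str            # HJT section code, e.g. R3 or O2
    clsid: Optional[str]    # CLSID in the entry, if any (upper-cased)
    reasons: list           # why the line was flagged
    line: str               # the entry exactly as it should be ticked in HJT


def triage_hjt(log_text: str) -> list:
    """Return the entries worth ticking, one per unique line, in log order."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m or line in seen:          # skip blanks, non-entries and verbatim repeats
            continue
        seen.add(line)
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("registered component whose file is gone (orphan)")
        if "(no name)" in body:
            reasons.append("component registered without a display name")
        if section.startswith("R") and "=" in body:
            value = body.split("=", 1)[1].strip()
            if value == "about:blank" or _REDIRECTOR.search(value):
                reasons.append("start/search page set to about:blank or a redirector")
        if reasons:
            clsid = _CLSID.search(body)
            findings.append(Finding(section, clsid.group(0).upper() if clsid else None,
                                    reasons, line))
    return findings


def by_clsid(findings: list) -> dict:
    """Group flagged sections by CLSID so one dead component shows up as one item."""
    groups = {}
    for f in findings:
        if f.clsid:
            groups.setdefault(f.clsid, []).append(f.section)
    return groups


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT_LOG)
    for f in hits:
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
    print("by CLSID:", by_clsid(hits))
```

The duplicate O2 line in post 2 collapses to a single finding, and the AOL toolbar in post 10 shows up as one CLSID registered in two sections (O3 and O9), which is the shape of a toolbar that was uninstalled without cleaning its registration. Anything this flags still needs a human decision before ticking it in HJT; the script only narrows the list.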
  11. Remove what AVG found and try Panda again. Do your best to get the names of the files it is finding. If indeed you do have rootkits, it may be the best thing to reformat the machine because I can't guarantee we can remove them completely. You need to contact any banking sites etc that you have exchanged sensitive data with and alert them to the possibility of identity theft and change all passwords. DO NOT log on to those sites with this machine under any circumstances.
  12. You did not remove the items. They all say ignored. You must remove them. They are for the most part toolbars; you can remove them by going to Add/Remove and looking for the toolbar name. Disable them in Tools and Toolbars for IE.
  13. This is the site for RR There is a link in my signature for a free trial of the Pro version.
  14. Hi and welcome to Malwarebytes. Please don't post logs from scanning programs unless asked. Also please do not take action without being instructed. This process only works if the helper's instructions are followed and no outside actions are taken during the cleanup. That being said, please move HJT to a folder on C:\, then run a scan with RogueRemover and post a new HJT log.
  15. JeanInMontana

    Hi all

    @ jedi the topic has been moved to here http://www.malwarebytes.org/forums/index.php?showtopic=2236
  16. You have Avast, not advast, and you said you were scanning with it. Did it find things? Did you remove them? You posted a log from SuperAntiSpyware, did you have it remove the malware it found? I have no idea what superadaware is. Please use the correct names for programs because many are malware themselves. If you're using some of the malware, we need to remove it. Follow the instructions carefully and in the order posted, and post the logs I asked for. It will take a while, be patient and persistent. We can beat this stuff.
  17. Was one before the update? Well that shouldn't matter. That is strange.
  18. Hi donnakin and welcome to Malwarebytes. You need to install Windows Update Service Pack 1 http://www.theeldergeek.com/service_pack_1.htm before we go any further. Without it you are wide open to being reinfected again and again. There is another service pack also, but you're infected and it shouldn't be installed until you're clean. Also uninstall the MyWebSearch toolbar and you should have better luck getting IE to work. If you connect to the net via dial up don't leave your laptop plugged into the modem while unattended. After you have run Avast and installed Service Pack 1 follow these instructions: Install the following programs, update and run a full scan, remove everything found and be sure to run them in the order they are listed please.
     CCleaner
     Spybot Search & Destroy. Be sure to use the immunize feature on this program also.
     AVG AntiSpyware
     Then go here and run a scan: PandaActive Scan
     Post the logs from the Panda and AVG scans please and a new HiJack This log. The logs from AVG and Panda will probably be fairly long and you may need two posts, that's fine, do whatever it takes. You will finish the AVG first so go ahead and post that log, then move on to the Panda scan. Once you have posted the logs I will analyze them and give further instructions. To be clear you will post an AVG log, a Panda log and a HJT log in that order.
  19. HKLM\SOFTWARE\Classes\WR -> Adware.Generic : Ignored.
     C:\System Volume Information\_restore{EA201953-DEBF-40E8-82BE-C4A9C6512860}\RP979\A0040379.exe -> Adware.SystemDoctor : Ignored.
     HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExplorerWAS -> Adware.WinAntiSpyware : Ignored.
     HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ExplorerWAS -> Adware.WinAntiSpyware : Ignored.
     C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frD080\up.dat -> Adware.WinAntiVirus : Ignored.
     C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QISKIKVT\poicxvnewuoiwwqdws[1].htm -> Downloader.Agent.gx : Ignored.
     C:\WINDOWS\system32\amcifire.exe -> Downloader.Tiny.id : Ignored.
     C:\WINDOWS\system32\brixrjxy.exe -> Downloader.Tiny.id : Ignored.
     C:\WINDOWS\system32\iiksmsma.exe -> Downloader.Tiny.id : Ignored.
     C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5B3JE4TT\oiewuroiwuexzc[1].htm -> Dropper.Small.j : Ignored.
     C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5B3JE4TT\WinAntiVirusPro2007FreeInstall[1].cab/UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
     C:\System Volume Information\_restore{EA201953-DEBF-40E8-82BE-C4A9C6512860}\RP986\A0042858.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Ignored.
     Files\Content.IE5B3JE4TT\WinAntiVirusPro2007FreeInstall[1].cab/UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
     C:\System Volume Information\_restore{EA201953-DEBF-40E8-82BE-C4A9C6512860}\RP986\A0042858.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Ignored.
     C:\System Volume Information\_restore{EA201953-DEBF-40E8-82BE-C4A9C6512860}\RP979\A0040375.exe -> Trojan.Fakealert.fb : Ignored.
     C:\WINDOWS\rau001978.exe -> Trojan.Small : Ignored.
If you ran CCleaner it would remove the cookies and temp files, please do that; a good share of these are in the temp files. All those files above are trojans and rogues. Run RogueRemover and see what it will get, then we will run Vundo/Virtuomonde again.
Removal Steps:
1. Please print these instructions as they will be needed later when Internet access is not available.
2. Save these instructions in Word or Notepad to the desktop where they can be easily found.
3. Download Vundo Fix http://www.atribune.org/ccount/click.php?id=4 and save it to your desktop.
4. When it has completed downloading, double-click VundoFix.exe to run it.
5. Click the Scan for Vundo button.
6. Once it's done scanning, click the Remove Vundo button.
7. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
8. When completed, it will prompt that it will shut down your computer, click the OK button.
9. When the computer has shut down, turn your computer back on. The WinFixer and Vundo infection should now be removed from your computer.
If you are still having a problem then please perform the following steps. This step should only be used if the instructions in the previous steps did not remove the infection:
1. Download VirtumundoBegone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe and save it to your desktop.
2. Now reboot into Safe Mode.
   1. This can be done by tapping the F8 key as soon as you start your computer.
   2. You will be brought to a menu where you can choose to boot into safe mode.
   3. Select safe mode with networking using the arrow keys on the keyboard and then press enter.
   4. When your computer reaches the desktop make sure you log in as the same user with which you had performed the previous steps.
3. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.
4. Exit when it has finished, and reboot back to normal mode.
Run SpyBot Search & Destroy again after you update it and remove everything it finds. Put a check in it and say yes to remove. Then run a Panda scan again and post that log and a new HJT log please. Tell me what symptoms you're still experiencing etc.
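The scan log quoted at the top of post 19 is in the "path -> detection : action" form, and every line says Ignored, which is why the helper sends the poster back to remove them. The same log also shows three different kinds of location that each call for a different fix in the posts above: live executables under the Windows directory (scanner removal), Temporary Internet Files and Temp (CCleaner), and System Volume Information restore points (turn System Restore off and back on, as in post 9), plus registry keys. The script below is an added example written for this page, not code from the thread or from AVG; it parses six lines copied from that log plus one constructed "Cleaned" line, keeps only the detections the scanner did not handle, and sorts them by location. The set of action verbs treated as "handled" and the advice strings are assumptions drawn from the posts, not scanner output.

```python
import re
from collections import Counter

# Scan-result lines in the "<path> -> <detection> : <action>." form of the log above.
# Six are copied from that log; the last is a constructed line showing a cleaned item.
SAMPLE_SCAN_LOG = r"""
HKLM\SOFTWARE\Classes\WR -> Adware.Generic : Ignored.
C:\System Volume Information\_restore{EA201953-DEBF-40E8-82BE-C4A9C6512860}\RP979\A0040379.exe -> Adware.SystemDoctor : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QISKIKVT\poicxvnewuoiwwqdws[1].htm -> Downloader.Agent.gx : Ignored.
C:\WINDOWS\system32\amcifire.exe -> Downloader.Tiny.id : Ignored.
C:\WINDOWS\system32\brixrjxy.exe -> Downloader.Tiny.id : Ignored.
C:\WINDOWS\rau001978.exe -> Trojan.Small : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temp\example.tmp -> Example.Test : Cleaned.
"""

_RESULT = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>\w+)\.?$")
_DONE = {"cleaned", "removed", "deleted", "quarantined"}   # assumption: verbs meaning "handled"

# Where a detection lives decides what the poster has to do about it (per the posts above):
# live files under the Windows directory get removed by the scanner, temp files go with
# CCleaner, restore-point copies go by cycling System Restore, registry keys by the scanner.
_ADVICE = {
    "windows_dir":   "remove with the scanner, then confirm in a fresh HJT log",
    "registry":      "remove with the scanner (rogue/adware registration)",
    "temp":          "run CCleaner to flush Temp and Temporary Internet Files",
    "restore_point": "turn System Restore off, reboot, turn it back on",
    "other":         "review by hand",
}


def parse_result(line: str):
    """One log line -> dict(path, detection, action), or None if it is not a result line."""
    m = _RESULT.match(line.strip())
    return m.groupdict() if m else None


def classify_location(path: str) -> str:
    p = path.lower()
    if p.startswith(("hklm\\", "hkcu\\")):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\temporary internet files\\" in p or "\\local settings\\temp\\" in p:
        return "temp"
    if "\\windows\\" in p:
        return "windows_dir"
    return "other"


def outstanding(log_text: str) -> list:
    """Detections the scanner reported but did not remove, with location and advice."""
    items = []
    for line in log_text.splitlines():
        r = parse_result(line)
        if r and r["action"].lower() not in _DONE:
            loc = classify_location(r["path"])
            items.append({**r, "location": loc, "advice": _ADVICE[loc]})
    return items


def summarize(log_text: str) -> Counter:
    """How many unhandled detections sit in each kind of location."""
    return Counter(i["location"] for i in outstanding(log_text))


if __name__ == "__main__":
    for i in outstanding(SAMPLE_SCAN_LOG):
        print(f"[{i['location']}] {i['detection']}: {i['path']}\n    -> {i['advice']}")
    print(summarize(SAMPLE_SCAN_LOG))
```

Three of the six unhandled items are executables under C:\WINDOWS, which is the part of this log that matters most: a scanner that lists live droppers in system32 as Ignored has not cleaned anything yet, whatever the temp and restore-point counts say.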
  20. JeanInMontana

    Hi all

    Welcome Jedi! That thread is in Admin/Mod forum. Personally I don't see why it can't be moved to Experts. I am not so sure it would be good to make it public. When I see Marcin come back active on WLM I will see what he thinks about moving it to Experts so you can see it.
  21. No reply in 9 days closing this thread. If you need further assistance please start a new topic.
  22. Kaspersky could still be disabled by the trojan. Are you still getting the CMD prompt? Your Java is a huge risk if you're online with that machine.