JeanInMontana

OK where is the Panda log? I would reinstall Firefox to the correct location if I was you. That way you know it is not an infection. Would you please attach this file to your next post: C:\WINDOWS\system32\lubcpmj.dll Unless you know what it is also run HJT again and please put a check in this: O2 - BHO: (no name) - {43ADFCB3-4379-4B82-2F74-4AB60840F294} - C:\WINDOWS\system32\lubcpmj.dll I would get rid of this too but it is your call O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll It is not necessary and questionable IMO Google and Dell have teamed up to control your browser. http://googlesystem.blogspot.com/2007/05/g...ress-error.html http://www.gadgetizer.com/2006/02/10/is-de...ealing-traffic/ Those are just two articles about it. I would like to see the Panda log from a fresh scan please. We have made huge progress. You had some horrible infections and any passwords you and any other users of this machine have for sensitive sites like banking or credit information should all be changed ASAP. I'm reasonably sure we have those gone so they can't get your new passwords. But I need to see the Panda log. Then we will still have a few final steps. You still need to uninstall Java, delete the program folder and reinstall the safe updated version too.

What is the situation here? We need to finish the fix.

It's looking better, still not done though. I missed a couple. Run HJT again and put a check next to these please. O4 - HKLM\..\Run: [systemOptimizer] rundll32.exe "C:\WINDOWS\system32\pycpromm.dll",forkonce O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE Make sure you have your system set to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Press Control-Alt-Del to enter the Task Manager. Click on the Processes tab and end the following process, this is not Firefox the browser: C:\Documents and Settings\Colin.D48PRVC1\My Documents\Firefox\firefox.exe Exit the Task Manager when finished. Reboot into Safe Mode: By tapping the F8 key as soon as you hear the beep. Using Windows Explorer, locate the following files/folders, and delete them: C:\Documents and Settings\Colin.D48PRVC1\My Documents\Firefox\firefox.exe Exit Explorer, and reboot as normal afterwards. If you were unable to find any of the files then please follow these additional instructions: Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot. Then please get the program below install, update and run a scan, put a check in anything it finds and click on fix. Have it remove all the spy and adware cookies you have. Spybot Search & Destroy Now please do another scan at Panda and post that log and a new HJT also. We are getting closer. You also need to update your Adobe Reader, it is a known security risk version and so is your Java. Go to Add/Remove programs and uninstall both. Also go to program files and delete the program file for Java and Adobe if it leaves one, I don't remember for sure on that one. You can get the current Java here http://www.java.com/en/download/manual.jsp and Adobe http://www.adobe.com/products/reader/

I never had it. Just ran quick scan in 2 min 18 sec!

Did you run the Vundo fix? Run HJT again and put a check next to the items below. O2 - BHO: (no name) - {D3D70E1B-659C-4B50-A07F-EDD9DBDE2DB8} - C:\DOCUME~1\Tristan\LOCALS~1\Temp\vturr.dll (file missing) O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\twtkfplf.dll O4 - HKLM\..\Run: [glbtmflA] C:\WINDOWS\glbtmflA.exe O4 - HKLM\..\Run: [win32062352826722007] C:\WINDOWS\win32062352826722007 O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63 O20 - Winlogon Notify: pmnkkjh - pmnkkjh.dll (file missing) Click fix then run the Vundo fix again and post a new HJT log. Please give me some feed back as to what is happening on your end also.

counterspy 2.5 is not supported on the following platforms: * Windows 95, 98, 98 SE, ME * Windows NT 4.0 (or earlier) * Windows 2000 Server * Windows XP 64-bit http://www.dslreports.com/forum/remark,185...lite=counterspy Vista Shmista who needs it. Most of the real world is using XP or older.

Well, I guess I can't blame the program. I just saw where 64 bit isn't supported on V2.5 and I have been running it since I got this laptop. I'm not sure when the program went to 2.5

Well, this is totally off topic but my CounterSpy went south today also. I had forgotten about it til I read this. I couldn't get the service to start no matter what I did. It must have been the latest update to it? I will have to look into that.

I should have added if you decide to upload the files, please put them into a zip file. Thanks.

OK I will keep working with you. If you would like to submit files to our database please upload these files: C:\WINDOWS\glbtmflA.exe C:\WINDOWS\win32062352826722007.exe C:\WINDOWS\g4356cbvy63.exe Here: http://uploads.malwarebytes.org/ If you don't want to that is fine. You do have a new version of the Vundo trojan and we could add it to the definitions of the new product being tested. It is totally up to you. Please follow the instructions below. VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool follow the instrctions below. Please download VundoFix.exe by Attribune to your desktop. * Double-click VundoFix.exe to run it. * When VundoFix re-opens, click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. After that scan please post a new HJT log and we will see how we are doing.

Yup. And so will anything you re-download. It's a bug.

You have 62 it just shows wrong. Is how I read the posts above.

Hi there. Your logs show evidence of fixes being run that I did not instruct. You are either doing things on your own, or getting help at another forum, either way you must decide if your going to follow my instructions only or seek help elsewhere. This is for your benefit and to make sure your system doesn't get damaged beyond repair. Let me know what you want to do. You are not clean of infection by any means.

That makes me think I am correct in thinking you have a new variant, since it is not well detected. I know your probably sick of scans and file submissions, but we have just implemented a file upload system. A new program is being developed also and submissions will be great to build the data base plus we might just cure you. http://uploads.malwarebytes.org/ If you want to submit all those there too it would be wonderful.

Would you add me to that list please.

Yipee! Took a bit of behind the scenes manipulation but I'm sure this is going to make MBAM even better.

Yes it appears that it is updating again. Not sure it is an issue though.

OK Simon, fresh eyes on your logs and bigger brain. We need you to scan the following files at this site http://www.virustotal.com/ C:\WINDOWS\system32\zfkxwg_nav.dat C:\WINDOWS\system32\zfkxwg_navps.dat C:\WINDOWS\system32\zfkxwg.dat c:\windows\system32\byidsn.exe c:\windows\system32\drivers\co_mon.sys C:\WINDOWS\system32\tmp.reg Download GMER from here: http://www.gmer.net/gmer.zip Unzip it and start GMER.exe Click the rootkit-tab and click scan. Once done, click the Copy button. This will copy the results to clipboard. Paste the results in your next reply. If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.. other rootkitrevealers don't. Then run a full scan with http://free.grisoft.com/doc/28415/lng/us/tpl/v5. Post a new HJT log. Also be sure to let me know what the Virus Total scan says and the others.

I'm consulting with someone much more experienced. I will let you know what he says.

I think we have it! Simon it is possibly monitoring every key stroke you make. That is why you much change all passwords for all accounts at any web site with sensitive data, banking, bill paying etc. rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Look for the bolded file and delete it if found. Also look in Add/Remove programs to see if you installed PCHealth, do this first before deleting the file if it's there uninstall it. If you can't find the file follow the instructions below. Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot. While your in Add/Remove uninstall your way outdated and dangerous Adobe Reader. The current version is 8 what your using is a security risk. Let me know how this works.

Hi renrats and welcome to Malwarebytes. You do have a bit of a mess. With patience and perseverance we will get you all cleaned up. First please set your system to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. [*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake: O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\wvuttur.dll O2 - BHO: (no name) - {681D1C8B-AF1A-F8E9-4917-FC8DBB2CD090} - C:\WINDOWS\system32\xde.dll O2 - BHO: (no name) - {6D41C0C4-EDCC-47ED-BE5F-B98E4088082F} - C:\DOCUME~1\Tristan\LOCALS~1\Temp\vturr.dll O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\twtkfplf.dll O2 - BHO: (no name) - {CACFB41C-BF81-4F52-847B-3064A2F9511A} - C:\Program Files\MSN Gaming Zone\nizyd4.dll O2 - BHO: CIEIntegrator Object - {D3B4C621-6024-410B-9F0F-22CBD6981F5E} - C:\Program Files\AVSystemCare\Addons\popupg.dll O2 - BHO: (no name) - {DB28152F-2056-4481-BA69-634A3B3D970C} - C:\WINDOWS\system32\jkkjk.dll O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\sys022672235282007.exe ICM001 O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\DOCUME~1\Tristan\LOCALS~1\Temp\yhomjymf.dll",sitypnow O4 - S-1-5-21-600373968-3565873685-2217043775-1010 Startup: TA_Start.lnk = C:\WINDOWS\sys022672235282007.exe (User '?') O4 - Startup: TA_Start.lnk = C:\WINDOWS\sys022672235282007.exe O20 - Winlogon Notify: jkkjk - C:\WINDOWS\system32\jkkjk.dll O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe Click on Fix Checked when finished and exit HijackThis. [*]Reboot into Safe Mode: By tapping the F8 key as soon as you hear the beep when the system starts. Using Windows Explorer, locate the following files/folders, and delete them: C:\WINDOWS\sys022672235282007.exe ICM001 rundll32.exe "C:\DOCUME~1\Tristan\LOCALS~1\Temp\yhomjymf.dll",sitypnow O4 - S-1-5-21-600373968-3565873685-2217043775-1010 Startup: TA_Start.lnk = C:\WINDOWS\sys022672235282007.exe (User '?') O4 - Startup: TA_Start.lnk = C:\WINDOWS\sys022672235282007.exe C:\WINDOWS\system32\jkkjk.dll C:\WINDOWS\dls0523pmw.exe Exit Explorer, and reboot as normal afterwards. If you were unable to find any of the files then please follow these additional instructions: Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot. Now please go here http://www.pandasecurity.com/homeusers/solutions/activescan/ and run a full scan, remove anything it finds and save the log. Post that log as a reply in this thread and a new HiJack This log. But please get this version http://www.trendsecure.com/portal/en-US/th.../hijackthis.php your using a beta version and the program is no longer in beta. We will have another look and see what else there is to do.

Not sure this is an issue, but in case. I did a definition update and ran a full scan, then tried to go from the "found heuristic antivir tmp update file" to the ignore list, after moving it there, and it wouldn't move until I went back to the main menu.

I got the pop up warning again today when I booted up. This time I chose to remove.

Is it running better? The log looks clean. There are several services running that are not needed and would slow down performance. You might want to get the free program StartUpLite here http://www.malwarebytes.org/startuplite.php

I updated RRP and during the immunization I got a warning I had a bad registry key. I couldn't do anything but kill the program with task manager. It totally froze up. I restarted it after that and continued with the immunization. Then did a scan and it again detected the same key. I tool a look in the registry and it doesn't exist. I had to add the key to the ignore list.