JeanInMontana

Hello again. If your office is infected with ravmone.exe, you need to clean all machines one by one and make sure they are all disconnected from any network until they are all clean. They are going to reinfect each other again and again. Run HJT again and put a check in the following entries: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by pokemon O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') Click on fix. Then go here http://www.pandasecurity.com/homeusers/solutions/activescan/? run a full scan and post the log here. Remove anything it finds.

Barbara here is the link for the Symantec removal tool http://service1.symantec.com/SUPPORT/tsgen...005033108162039 They have updated since I last had to use it or recommend. It looks to be a bit easier to use.

Smooth install, full scan ran in 30 min 26 sec. I'm sure it would be faster with the browser closed and WLM. Settings remained after close and open of program. Quick scan 4 min 19 sec.

No need to apologize. I know how long they get. You need an anti virus program, if you thought you got rid of Symantec we will finish the job. It is notorious for not going away. I need to know what the program was though, then I can look on the Symantec site for an uninstaller. Make sure you have the system set to show all files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Run HJT again and put a check next to these two items and then click fix. O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000 Then look for this file C:\Program Files\MSN Messenger\MsnMsgr.Exe /background and delete it. http://siri.geekstogo.com/SmitfraudFix.php follow that link and the instructions on that page. Let me know how it goes and everything you can about the Symantec so we can clean that up too and you can reinstall your Panda. You need a firewall. So you either need to reinstall that or use the Windows one and it isn't very good. have you looked in Add/Remove programs for anything related to Symantec?

Please post the AVG log also. Thanks.

What addresses were reoccurring? Have you ran RogueRemover? If not please do. You can use the link in my signature or at the top of this page for a free trial or get the free program.

Hello Barbara and welcome to Malwarebytes. First I strongly advice you change any passwords for banking or other sensitive log ons and stay offline if possible until we rid you of these infections. Right now your PC is not safe. Second you must chose one antivirus to run for real time protection. You have two Panda and Symantec and this is possibly how you got infected, although I can't be sure. You can keep them both and run one as a backup scanner but you will have problems if you have them both active at the same time. Third, Print these instructions or save to a notepad file as you need to have all browsers closed and be off line. Download SDFix by Andy Manchesta and save it to your Desktop. http://downloads.andymanchesta.com/RemovalTools/SDFix.exe Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum. Fourth, please get this program install it, update and run a full system scan. Allow it to remove whatever it finds http://free.grisoft.com/doc/28415/lng/us/tpl/v5 . Reboot and post a new HJT log. To be clear, you will post the SDFix log and the HJT log. They can be in separate posts since one will be done before you have run AVG. This also gives me a chance to review one and make assessments. Be patient and thorough these things can take time. Good luck. Also please inform me if your symptoms have ceased, any changes good or bad. Details are important.

Panda only found some cookies and the SmitFraud tool. Not what we are looking for unfortunately. http://www.geekstogo.com/forum/index.php?a...amp;showfile=19 Please download the file here at the very bottom of the page. Follow all directions carefully. This tool is compatible with Windows 2000 and up (that includes Vista). Download a single executable and run it. ComboScan gives your standard warnings, then does the following (in order): 1. Logs if the computer is in Normal Mode, Safe Mode, or Safe Mode with Networking. No more guessing! 2. Creates a restore point (Normal Mode XP and Vista only). Will try to re-enable System Restore if it was disabled. 3. Cleans Temporary Files, Downloaded Program Files, Internet Cache Files, and empties the Recycle Bin on all drives. 4. Searches for HijackThis on the system. If it cannot find it, it will ask the user permission to download a copy from greyknight17.com. The user also has the option of telling ComboScan where their copy of HijackThis is if they have already downloaded it. 5. Renames HijackThis based on the login name and gets a log using the /autolog parameter, closing both HijackThis and the Notepad without requiring interaction from the user. 6. Lists out HJT entries that the user has hidden. 7. Lists out HJT backups. 8. Dumps file associations (similar to SREng) and will highlight in red if something doesn't match up. 9. Dumps drivers (whitelisted) and tests for pe386/Rustock. 10. Dumps services (again, whitelisted). 11. Dumps the Scheduled Tasks folder. 12. Prints files created in the past 30 days and files modified in the past 90 days, similar to ComboFix. 13. Dumps various registry load points with whitelist (very similar to ComboFix). 14. Gets basic system information, such as number of CPUs, memory usage, drive information (filesystem type, space). 15. Dumps Security Center information (if appropriate). 16. Dumps DOS environment variables. 17. Lists all user profiles on the system (and says which are administrative accounts). 18. Dumps Add/Remove programs, looking in both HKLM and HKCU. Common Microsoft entries are whitelisted. 19. Turns off word wrap in Notepad. 20. Unhides files and shows extensions. 21. Opens the logs in Notepad for the user to post. In all, it takes anywhere from 1-5 minutes to do all the above, depending on the system. ComboScan produces two logs. The primary log contains everything up to and including the registry dump, and the supplementary log contains everything else. You can find both logs in C:\ComboScan. Some additional notes: If ComboScan downloads and installs HijackThis, installs it as %PROGRAMFILES%\HijackThis\HijackThis.exe and creates a shortcut on the Desktop. If ComboScan cannot download HijackThis and there is no local copy of HijackThis for ComboScan to use, ComboScan will produce a HijackThis-esque log. You will still need to install HijackThis or you will need to manually fix the system as ComboScan does not provide this ability. There is a command switch, /config, that will allow you to pick and choose which modules you want ComboScan to use. When ComboScan is run for the first time, it will produce a full set of logs. Each subsequent run will only produce a HijackThis log along with a file and registry dump (no restore point or cleanup is performed). If you want something else -- like the driver dump -- you will need to run ComboScan with /config. If you download and run a newer copy of ComboScan, it will produce a full set of logs again the first time the new copy is run. Don't expect this to fix your system. I need the logs to find what is hiding. Then we go after it. The logs will be quite long if you can't post them both into one post that's fine, just be sure to post both please.

Prevx doesn't like RogueRemover either. I think it detects the definition files and since it can't tell they are from a good program it jails them. It won't give the user the option to make a decision either to ignore or add to a whitelist. Very frustrating.

Good morning Simon. Print these instructions or save to a notepad file as you need to have all browsers closed and be off line. Download SDFix by Andy Manchesta and save it to your Desktop. http://downloads.andymanchesta.com/RemovalTools/SDFix.exe Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum. We will see what this tool finds. Nothing shows in the HJT log. If after SDFix you are still having popups please run the Panda scan again and post that log. It did show the files. If we know where they are hiding I can find a tool easier.

Run time error '9' invalid row index when I was going to delete the leftover stuff in quarantine from version 59. I didn't have anything highlighted. Program crashes as soon as I click OK. When I highlight the entry it deleted with no problems. Install and full scan ran great 30 min and I think 26 sec, the run time made me forget . All the new buttons worked in as far as they gave me a message.

Hi Simon. I just didn't want you to think we were done. I was hoping deleting the files would take care of it, but it didn't, as you know. This is something new because nothing is detecting it yet. Thanks for your patience. We will beat this! Let's run this tool here http://siri.urz.free.fr/Fix/SmitfraudFix_En.php Follow the instructions carefully, you should print them or save to a notepad file, as you will be off line and no access to the site. When you finish post a fresh HJT log please and the Smit Fraud log.

Simon? What is the status of this, please?

I just checked I have two also, only one has a version number and that is 58, it doesn't have the program icon just a installer type icon, the other instance of the program has the icon. The size of the two is different too. The MBAM icon is an older version dated 7/18. Wow just uninstalled the older version and everything is gone as far as an installed program. No icons, nothing but an uninstaller in the start menu, in the program file there is an older installer and an uninstaller, in A/R there is version 58 showing. I used the installer dated 7/24 in the program folder and it installed version 59?

Quick scan 3 min 48 sec! Everything ran good, gave me the options for icons etc. Small bug with version still showing 58.

That's always a nice choice to have. Depending on the program I mix and match, some only get start menu.

That isn't the programs fault, any program you do that with is going to do the same thing I would bet. If your choosing to add an entry to the start menu at install it is going to choose the default location. How would it know you have created a new category?

Your welcome. Feel free to post a HJT log to be sure you are indeed clean.

Six days and no reply I'm closing this thread. If you need further assistance please start a new topic.

I only get the same folder in Program folders. New version goes into the existing folder.

Panda shows why you have the popups. Adware:Adware/NaviPromo Not disinfected C:\Program Files\InternetGameBox\InternetGameBox.exe Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Program Files\InternetGameBox\uninst.exe Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe Potentially unwanted tool:Application/Processor Not disinfected C:\sys\VirtumundoBeGone.exe Go to Add/Remove Programs and uninstall InternetGame Box and Screensavers from Comet Then boot into safe mode and find these files C:\Program Files\InterenetGameBox and Screensavers.com\SSSinst\bin\sinstaller2.exe and C:\Program Files\InternetGameBox\InternetGameBox.exe If you can't find them get this program: http://download.bleepingcomputer.com/spyware/KillBox.exe Author: Option^Explicit License: Freeware Operating System: Windows File Description: Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them. Usage Information: Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. Did you install this... C:\sys\VirtumundoBeGone.exe ? If so did you use it? Let me know how getting rid of those files works and run a new scan with SuperAntiSpyware and have it remove what it finds. All those cookies should have been removed when you ran it the first time. RogueRemover will also remove several of the Rogue cookies I see, if you run the cookie scan.

Quick scan in 4 min 7 sec. All new functions showed with install. It found the Antivir update. Hehe.....I got the first run.

Install was smooooth, full scan 26 min 49 sec smooookin! That was with about 10 tabs open in Firefox, two chat boxes in WLM several programs too. Nothing found.

Simon you are correct the process doesn't show in the scan, it is viewable and removable in the Misc functions. But first please run the Panda scan and post that log and a new HJT with all browsers and programs closed. I'm hoping it will reveal and/or remove the infection behind your popups. It isn't evident in HJT at this time.

Did you run the Panda scan? I need to see that log and a new HJT log. When you run HJT to save a log, have all browser windows and programs closed.