JeanInMontana

Honorary Members
  • Posts

    3,859
Everything posted by JeanInMontana

  1. Hi and welcome to Malwarebytes. Please read these Terms of Service for this site and in particular posting to HiJack This log threads. http://www.malwarebytes.org/forums/index.php?act=boardrules Have you checked to make sure no services for SAS are still installed and running? This will cause you to not be able to delete a file because the file is in use. Look in your Task Manager and see if you spot anything related to the program. Let us know how it goes.
  2. Due to lack of reply I'm closing this thread. If you need further assistance please start a new topic.
  3. I'm closing this due to lack of reply. If you need further assistance please start a new topic.
  4. I'm closing this due to no reply. If you need further assistance please start a new topic.
  5. I'm closing this due to no reply. If you need assistance please start a new topic.
  6. That is good then. If you install the programs I suggested and do your security updates it will make a major difference in keeping the machine malware free. Since this issue is resolved I will close the topic. If you need further assistance please start a new topic.
  7. I guess it's OK to leave that. I was going on what SDFix did here:

      Trojan Files Found: C:\WINDOWS\SYSTEM32\UTSCSI.EXE - Deleted

      But what I find on that is it is part of USBest PQI Card Drive. Do you or did you have it installed? Is the machine running good now?
  8. Looking good. Run HJT and put a check in this:

      O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

      Click fix. Delete all quarantine files. We also need to delete all System Restore files and create a new clean one. To do that go to Control Panel>System Properties, click on the Restore tab and put a check in the box that says "turn off system restore" then apply and click OK. Depending on how large a space is allocated it may take a little time. Now open up Help and Support and click on Undo Changes to my System. Choose create a system restore point. Give it a name you will remember like Malware free 7-10-2007 and make the restore point.

      Next go to Windows Updates and get any needed patches and updates. Do you have a firewall? Same as with your other machine you must have one. If you're using the Windows one it really isn't adequate. Be sure to turn it off though when you add another.

      To get your Paint back do this: go to add/remove programs. To your left select add/remove windows components and accessories and utilities, put a check in if there isn't one and uncheck if it is checked. I know that sounds weird but that is Windows not me.

      I would suggest you add a layer of prevention also by using SpywareBlaster, and a hosts file, either or any of the following: MVP Hosts, IE-Spyads or hpHosts. You might want to add a tool bar item that helps keep you off bad sites too like SiteHound or SiteAdvisor; both have free versions. You should be running OK. If not let me know.
  9. Sorry, I don't know what happened with that link. http://java.sun.com/javase/downloads/index.jsp That should do it, and it is Java Runtime Environment (JRE) 6u2. Yes, uninstall the one you have posted and delete the program folder from the Program files on C:\Program files.
  10. Hi there, it's looking better. We still have some clean up and updating. The WinPatrol alert is normal and you should allow. First run HiJack This again and put a check in the following items.

      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll (file missing)
      O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
      O20 - Winlogon Notify: yaywwvt - yaywwvt.dll (file missing)

      Print these instructions as you need to have all browsers closed and be off line. Download SDFix and save it to your Desktop. http://downloads.andymanchesta.com/RemovalTools/SDFix.exe Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix). Please then reboot your computer in Safe Mode by doing the following:

      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, the Advanced Options Menu should appear;
      * Select the first option, to run Windows in Safe Mode, then press Enter.
      * Choose your usual account.
      * Open the extracted SDFix folder and double click RunThis.bat to start the script.
      * Type Y to begin the cleanup process.
      * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      * Press any Key and it will restart the PC.
      * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
      * Finally paste the contents of the Report.txt back on the forum.

      Now update AVG Antispyware and run a full system scan, post anything it finds here. Next uninstall your Java from Add/Remove programs and delete the program file. Go here choose the offline one. Post a new HJT log and we will see how we are doing.
  11. OK we have a few things to fix. It would be best to disconnect this PC from any network it's part of and from the Internet if you can while we rid it of the infections. Also don't let anyone else use it. I know that might not be possible but you have some serious infections going on. First move HiJack This from your desktop to a folder you create C:\ HJT. Print these instructions because you should not have any browser windows open or be connected to the Internet.

      Download VundoFix to your desktop.

      * Double-click VundoFix.exe to run it.
      * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
      * When VundoFix re-opens, click the Scan for Vundo button.
      * Once it's done scanning, click the Remove Vundo button.
      * You will receive a prompt asking if you want to remove the files, click YES
      * Once you click yes, your desktop will go blank as it starts removing Vundo.
      * When completed, it will prompt that it will shutdown your computer, click OK.
      * Turn your computer back on.
      * Please post the contents of C:\vundofix.txt in your next reply.

      Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

      Download ComboFix from Here to your Desktop.

      * Double click combofix.exe and follow the prompts.
      * When finished, it will produce a log for you. Post that log in your next reply.

      Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

      Post another HiJack This log also. Just to be clear you will be posting three logs back into this thread. Go ahead and make each log a new reply so you don't run out of space for the post. I will be gone most of tomorrow until late afternoon my time MDT so be patient, please.
  12. It doesn't go away easily. If you do a file search for aol I bet you still find some scattered about your hard drive. It is a scourge IMO. Once you're free of infection there are some things you can do that may help too. Just being free of infection will probably increase your performance. I don't want to have you doing things while you're also working on getting clean. Post here again when you're done over there, I'm getting notifications.
  13. Ahh I see. You have the same programs as when we cleaned your other computer. RogueRemover should get rid of winantivirus no matter what version you have. There isn't much we can do if you can't access the machine. If anyone is going to be using it between now and when you get back to it I will need a new log also.
  14. John, here is a free program that will get rid of some of your unnecessary start up programs http://www.malwarebytes.org/startuplite.php. Have you ever thought about dumping AOHell? That is a resource hog and not even that great an ISP.
  15. Why do you think you have winantivirus? What have you done since we cleaned you up a few days ago? Download RogueRemover http://www.malwarebytes.org/rogueremoverpro.php update it and run a scan. Remove anything it finds. Go to your Add/Remove Programs and uninstall this: utorrent.exe. Put a check in these items in HJT and click fix.

      O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
      O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
      O4 - HKCU\..\Run: [utorrent] C:\Documents and Settings\Administrator\Desktop\utorrent.exe

      Reboot and post a new log please.
  16. Let's try running an online scan here http://www.pandasoftware.com/protected/?si...da=particulares Don't use the "Infected or Not" link. Look just to the right of that and use the link that says "Is your PC infected? Free online virus check". I'm having a hard time finding anything that works on a system as old as yours. Panda will work on all systems so let's have a go with it. Let it fix anything it finds and save the log from the scan. Post that log in this thread.
  17. Your Java Runtime is not the current version; you should update it for security reasons. Since this issue appears to be resolved I will now close this thread. Should you require further assistance send a PM to a moderator or administrator and we can reopen the topic.
  18. hehe me either but these things do often take time.
  19. Run the HiJack This program again and put a check next to this line:

      O22 - SharedTaskScheduler: coronally - {1b17f1db-790e-4d42-8e0c-d4d19123ee5b} - C:\WINDOWS\system32\xnvaogd.dll

      Reboot and see if that does it. It should fix your problem. If not let me know.
  20. They just released the program to a non beta that probably broke the link we have been using. That is the program you need to get, be sure you put it into a folder on your hard drive. Then run the scan and post the log here. Did you update RogueRemover before you did a scan? Where is the other log you posted from?
  21. That is possible. You are receiving help from a Microsoft Most Valued Professional awardee. It doesn't get much better than that. I have not gone through your entire thread and wouldn't question the advice you're getting. I just noticed you do have a HJT thread and some of the issues would certainly cause a slow PC.
  22. Hi and welcome to Malwarebytes. Please follow the instructions below.

      1) Download Malwarebytes' RogueRemover Free or Malwarebytes' RogueRemover PRO from one of these links.
         Malwarebytes' RogueRemover Free - http://www.malwarebytes.org/rogueremover.php
         Malwarebytes' RogueRemover PRO - http://www.malwarebytes.org/rogueremoverpro.php
      2) Install it and start it up.
      3) Press Check for Updates
      4) It will tell you that there is a newer version of the database. Press Download
      5) Go back to the main screen and press Scan
      6) If a SpyLocked infection is found, remove all objects found.

      You will have a removal I can see the infection in your log. Next reboot and post a new HJT log in this thread. The program has just been re-released, please get it here http://www.trendsecure.com/portal/en-US/th...p?page=download and use that program to post your new log. Be sure you save the file to your hard drive. You have it in a temporary folder now.
  23. John, be sure to mention this in your HJT thread. You probably need to disinfect each account. Hang tight until you are completely cleaned up then see how it's running.
  24. The log you need to post is from the program in the initial instructions you were given. Use the save file function in the program. Do not save it in any other format. Copy and paste it as a reply in this thread. What is this log you posted from?
  25. Hello and welcome to Malwarebytes. You have at least two trojans that disable AV programs. I don't know what you have done to this line:

      O1 - Hosts: <HTML><HEAD><TITLE>Separ Web Filter Blocking Page</TITLE><META http-equiv=Content-Type content="text/html; charset=utf-8"><META http-equiv=Content-Language content=en-fa></HEAD><BODY><P> </P> <P> </P> <P> </P><P> </P><P align=center><B><FONT face="Arabic Transparent" color=#800000 size=5>مشترک گرامي<P align=center><B><FONT face="Arabic Transparent" color=#800000 size=5>دسترسي به اين سايت امکان پذير نمي باشد</P></BODY></HTML>

      I don't trust the log with that error. Please post a new log (using just plain text) into this thread using this program. http://www.trendsecure.com/portal/en-US/th...p?page=download After I get that log we can work on getting you cleaned up.