
JeanInMontana

Honorary Members
  • Posts

    3,859

Everything posted by JeanInMontana

  1. Welcome Home!! No one has been killed yet.
  2. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  3. Hi Adam Splitter and welcome to Malwarebytes. Empty the quarantine of MBAM, update it and run a quick scan. Post the MBAM log and a new HJT log please.
  4. You didn't remove anything with MBAM. Update MBAM, do a quick scan, be sure you take action. Copy and paste that log into your reply and a new HJT log.
  5. Due to total lack of cooperation and response this thread will be closed to prevent others from posting into it.
  6. Well, AVG was making the PC at my job boot at least 3 times slower than it does now with it gone. If your drive is making noise, there is a good chance it is failing. I would get it backed up and look into getting a new one. Your logs look clean. You do have excess stuff starting that isn't needed at boot, but a noisy drive is not a good sign.
  7. Probably the hosts entries are from SBS&D. Run HJT again in scan only and put a check next to the following then click fix.

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blan
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

      Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options. Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

      Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program. Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

      SpywareBlaster from Javacool Software
      WinPatrol by BillPStudios
      SiteHound by FireTrust
      RogueRemover
      hpHosts

      The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free. Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.
  8. Your Adobe reader is outdated and a known compromisable version. I would like another quick scan with an updated MBAM and that log.
  9. Hi Berny and welcome to Malwarebytes. I don't think there are any issues at all with Kaspersky's. You can buy right from the link in my signature.
  10. It's going to keep finding them until you "take action" and remove. The log shows you're not doing that.
  11. Did you look in the file location? I'm real sure it ran, if you saw a DOS like box. Skip Windows Recovery Console, and run CF, if there is no file where they are saved to.
  12. Follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
  13. 3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply
  14. Hi Esschoir and welcome to Malwarebytes. Review this article here how to use ComboFix. Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

      1. Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your desktop.
      2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts. You will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
      3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply.

      Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  15. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  16. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  17. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  18. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
  19. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
  20. Get the logs posted and someone can look at them and tell you what to do next.
  21. Obviously the "previous cleaning" didn't clean. Snippets of a HJT log are useless, follow the instructions in the link I posted and we will see if you're clean.
  22. You need to be more specific with the messages you're getting. What exactly is it and how are you posting this if you can't connect?
  23. Hi Monkeys and welcome to Malwarebytes. Have a look here, http://malwarebytes.org/mbam.php
  24. Hi Gav and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
  25. First get that site offline, before you infect a bunch of other people. It definitely has a malicious JavaScript injected. My Avira goes off just using vURL to dissect the site. It gives an IFrame compromise: JS/Dldr.Iframe.BY. Most likely you are reinfecting yourself every time you go there. Take it down now. I can't post the entire code for the site, it's too long. Then follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936

      This link shows the site HTML dissection and the JavaScript location: http://vurl.mysteryfcm.co.uk/?url=http://w...&selUAStr=4

      Headers:

      Date: Thu, 07 Aug 2008 12:49:29 GMT
      Server: Apache
      X-Powered-By: PHP/4.4.7
      Keep-Alive: timeout=5
      Connection: Keep-Alive
      Transfer-Encoding: chunked
      Content-Type: text/html

      Who Is: