JeanInMontana

Honorary Members
  • Posts

    3,859
Posts posted by JeanInMontana

  1. Please find this file C:\WINDOWS\system32\vtfahv.dll and put it in a zipped folder and attach here in your next reply.

    Now run HJT in scan only with all programs closed, put a check next to the following and then click fix

    O2 - BHO: (no name) - {B6F4CF56-A1E3-4655-8DE8-142A98C97892} - C:\WINDOWS\system32\ssqPhFWQ.dll (file missing)

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe (file missing)

    Reboot, update MBAM and run a new quick scan, post that log and a new HJT please.

  2. Hi Wanda and welcome to Malwarebytes. Please get the current version of HJT http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

    The HJT log is always posted last after the removal scans.

    C:\Program Files\DNA\btdna.exe <====This program is most likely why you're infected, it has little use for legal activities, please uninstall.

    Make sure you have your system set to show hidden files and folders.

    Please set your system to show all files; Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    Please find the file below and attach it in a zipped folder in your reply.

    C:\WINDOWS\system32\qfosfj.dll

    Update MBAM, do a quick scan, post that log and a new HJT with the correct version of that program please.

  3. Oh dear bad instructions from me. The lines with numbers should not have been included to be found in Safe Mode to delete. Those should be removed with HJT.

    Please find this C:\WINDOWS\system32\cw9k9s4nfpzv.exe or the same C:\WINDOWS\system32\cw9k9s4nfpzv.dll and C:\WINDOWS\system32\devldr32.exe right click choose from the drop down menu, send to zipped folder. Then attach that folder to your next post please.

    Run HJT in scan only please and put a check next to these lines then click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    Review this article here how to use ComboFix

    Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

    1. Download this file :

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.

    2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

    Follow the prompts. You will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

    3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

    Post that log and a HiJack log in your next reply

    Note:

    Do not mouseclick combofix's window while it's running. That may cause it to stall.

  4. You never follow through. I asked for one simple thing, you report you "fixed it". That file would have helped hundreds if not thousands of other users, but this is the point where you almost always jump off and report it's all fixed. Since you don't seem to know how to fix them when you post here, I find it just a tad doubtful that you fixed anything. Follow through is crucial. So is my time.

  5. OK, the HJT scan needs to be after the MBAM or any other tool always. To find a file begin with the drive letter C for these, so go to start, my computer, Local disk C then follow the rest of the file path. c:\windows\system32\uyxgnon.dll so for this one, on C you see the Windows folder, open it, then you go to System32 and you will see a massive amount of files that all have the .dll extension. You look for the uyxgnon and bingo. Does that help?

    OK, let's run a scan only with HJT and put a check next to these and then click fix.

    O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll

    O4 - HKCU\..\Run: [cw9k9s4nfpzv] C:\WINDOWS\system32\cw9k9s4nfpzv.exe

    O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll

    Reboot normally.

    Update MBAM and do a quick scan and post a new log and a new HJT.

  6. Well, you have to be connected to the internet to be alerted to an "attack". So in light of that, there is no reason not to follow instructions. General PC questions are asked in PC Help. Port scans are not an attack. They happen all the time. You don't give enough details to make an intelligent assessment of what actually happened. If you're not going to follow the instructions to see if you are infected I'm closing this topic.

    A little bit about your IP address (Internet Protocol address). When you connect to the internet, either via your internet service provider (AOL, Prodigy, etc.), or your office LAN connection, you are assigned an IP address. This address identifies your computer from the other computers on the internet. Your IP address can be either static, meaning it never changes, or dynamic, meaning each time you dial-in or login you are assigned a new address for that session. Check with your internet service provider or network administrator to find out if your computer uses static or dynamic IP addressing.

    If you want to see your settings, in Windows 95/98 try the following:

    Go to Start/Run and do the command winipcfg

    That will bring up a network screen with your values.

    Windows 2000 and XP you can go to a command prompt and do:

    ipconfig

    On the Macintosh to get your IP address try the following:

    Apple Menu --> Control Panels --> TCP/IP Control Panel

    On Mac OS X:

    1. Open system preferences

    2. Under internet and network, click 'network'

    It will show you your IP address.

    If you receive a dynamic IP address from your internet provider, it will likely be different on your next session. So if you need your IP address for later use, please check when you log on for that session.

  7. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

    The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

  8. Hi jaykim and welcome to Malwarebytes. 오전 12:25:15 2008-07-13 Can you tell me what those strange characters are? They appear in the HJT log also where the date should be.

    Please move HJT to C:\ no other folders before and run a new scan. Report the error message with MBAM in the MBAM forum.

  9. Every system is different, I have no lag or excess usage with OA. I play Second Life on a laptop, and it's not supposed to be able to run the client. I often run two. :) I shut down everything but OA and Avira and crucial stuff of course. I was a user of AA for years until they added that service and I quit. AVG has added Link Scanner (and it's a good thing), but from what I have seen it slowed the program and is a forced install and might be causing OA to be concerned. While OA is only doing its job, the action from AVG scanning every link may be a conflict. Does that make sense? I'm not happy with how AVG has taken a new route with the program. If you didn't pay for it I would uninstall and try another AV that is more on the cutting edge of detection and elimination. Avira or Avast both are free. It could also be something in SP3 causing the new lag. I don't see anything malware in the logs. You are symptom free? MBAM has updated several times since your last scan and it does often update 4 times a day. You always need to update it prior to a scan. The only other sort of maintenance I might recommend and I am hesitant because it can go so wrong. But a reg cleaner can help, EasyCleaner is pretty safe as long as you never use the duplicate file remover. LOL I speak from experience here, some files are meant to be duplicates.

  10. Logs for MBAM are stored right in the UI. Just start the scanner and you will see the Logs tab, they are dated and stored there until you delete them.

    Please set your system to show all files; Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    C:\WINDOWS\system32\cw9k9s4nfpzv.exe <====== I need you to scan that file here http://www.virustotal.com/

    and please upload it to here===> http://uploads.malwarebytes.org/ and this one c:\windows\system32\uyxgnon.dll .

    Now run a scan only with HJT again and put a check next to the following and click fix when done.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    O2 - BHO: (no name) - {1C370672-A22D-438A-95A0-6217AE6304D0} - C:\DOCUME~1\Kendall\LOCALS~1\Temp\AOLUserShelld.dll (file missing)

    O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Startup: PowerReg Scheduler.exe

    Reboot into Safe Mode: by tapping the F8 key as soon as you restart, then using the arrow keys go to the option Safe Mode. Don't be alarmed when your mouse is gone and your desktop is black. This is normal.

    Using Windows Explorer, locate the following files/folders, and delete them:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    O4 - Startup: PowerReg Scheduler.exe

    Exit Explorer, and reboot as normal afterwards.

    If you were unable to find any of the files then please follow these additional instructions:

    Download Pocket Killbox and unzip it; save it to your Desktop.

    Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

    Let the system reboot.

    Update MBAM, run a quick scan, post that and a new HJT please. Let me know how you're running.
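
An added example (not part of JeanInMontana's posts, and not HijackThis code): a small Python parser for the HijackThis log lines quoted in posts 1, 5 and 10, which splits each entry into section code, CLSID and file path and picks out the `(file missing)` entries. The section descriptions, the function names and the sample list are assumptions assembled here from lines on this page.

```python
import re

# HijackThis section codes that appear in the lines quoted on this page.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|]*?\.(?:exe|dll)", re.IGNORECASE)


def parse_hjt_line(line):
    """Split one HijackThis log line into fields; None if it is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    return {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        # HijackThis appends this marker when the referenced file is absent.
        "file_missing": rest.rstrip().endswith("(file missing)"),
    }


def orphaned_entries(lines):
    """Entries that still reference a file which is no longer on disk."""
    parsed = (parse_hjt_line(l) for l in lines)
    return [e for e in parsed if e and e["file_missing"]]


# Sample input assembled from log lines quoted in the posts above.
SAMPLE = [
    r"O2 - BHO: (no name) - {B6F4CF56-A1E3-4655-8DE8-142A98C97892} - C:\WINDOWS\system32\ssqPhFWQ.dll (file missing)",
    r"O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll",
    r"O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe (file missing)",
]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE):
        print(e["code"], e["section"], e["path"])
```
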

  11. Hi Foofighter and welcome to Malwarebytes. MBAM is designed to look for malware and eliminate it. What it has found on your system is nothing you want to keep. Please update the program, scan again and remove all items. Post that log from the popup log in notepad directly into your next reply and a new HJT log. Also follow the remaining steps in the topic here. Post the Panda log too please.

  12. At the request of 1972vet I am closing this topic. Should you decide to continue and follow his instructions, PM any moderator and we can re-open for you.

    The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

  13. Hi!

    Thanks for your reply. I'm not an expert but I think that are false positives, aren't they?

    I like your software but I need to know if it is secure.

    Regards from Portugal

    Carlos

    Yes they are false positives. MBAM does not, never has and never will have any sort of malware/adware/spyware in it. It is as secure as any legitimate program out there and more secure than many. All programs are capable of a false positive.
