JeanInMontana

Everything posted by JeanInMontana

  1. OK, sorry this slipped into another day. Been busy in RL work. You have a lot of stuff starting at boot you don't need. Also AdAware is a resource hog with a constantly running service in this new version. We have a program here called StartupLite that can stop many of these unneeded things from starting. It doesn't uninstall them, just stops them from starting safely. You can manually load the program. You might also benefit from a disk check for errors and a defrag. Do these in that order: error check, then defrag. Now moving on, Adobe needs updating; version 8 is current. Let's see a new log from MBAM; be sure to update, quick scan, and post a new HJT too.
  2. Please copy and paste the log here as soon as you get a chance to get back to the PC.
  3. O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <===== Why is this back? Do you realize using this software will almost guarantee infection again? Downloading music without paying for it is stealing and illegal. I already gave you one chance; the majority of help forums see a P2P program and your thread gets closed, end of story. They will not help someone involved in illegal activities and behavior known to cause infection. Malwarebytes does not condone this activity either and we will not continue to help someone obviously involved in illegal activity. Furthermore, your IP number and user name will go on a watch list and you won't get help here again either.
     These files below all indicate something missing from the system. Java and SiteHound are damaged in some way.
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
     O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
     O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
     Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore, you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.
     Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program; Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.
     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts
     The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free. Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.
     Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply them to your machine. Please start a thread of your own and someone will be happy to help you.
  4. Due to lack of response this topic will be closed. Should you decide to continue with the fix contact any Malwarebytes staff to reopen the topic. Thanks Tigger93!!
  5. Since the infection has been removed from this machine I will close the topic to prevent others from posting into it. Jintan your help has been beyond and above the norm and is appreciated so very much. The fixes in this thread were for this machine only. Applying them to your machine can result in utter destruction. If you need assistance follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.
  6. Broken LSP is quite common after malware infection. HJT doesn't show errors. It would be to your advantage to follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.
  7. Run a scan with the new version after updating it and post the log and a new HJT log.
  8. OK.. I have to get to bed and will go over the SDFix log in depth in the AM, but please upload this C:\DOCUME~1\mg\Desktop\SDFix\backups\backups.zip so Bruce gets the Trojan it found. How are you running now?
  9. Where is it? There are 4 distinct areas in the registry directory. Where is this key. What do you know about Mr. Enigma? MBAM came out with a new version too. Now 1.20.
  10. Congratulations Marcin!! I always knew I was bound for corporate greatness.
  11. Link to your thread at BC please. You can't get help at two forums at the same time. This can cause major damage and takes up the time of two helpers.
  12. Scan time increased significantly, and after it was complete I hit the exit button and MBAM froze for a while. Finally got Task Manager end program notice and I said yes.
     Malwarebytes' Anti-Malware 1.20
     Database version: 930
     Windows 5.1.2600 Service Pack 2
     6:05:22 PM 7/7/2008
     mbam-log-7-7-2008 (18-05-21).txt
     Scan type: Quick Scan
     Objects scanned: 38832
     Time elapsed: 6 minute(s), 12 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  13. MS Juan is the Vundo trojan. The IE add-on is most likely a BHO, malicious in nature. The registry keys and DLLs are never the same name. What you had on your system will not be the same on the next.
  14. I'm not looking at any logs. You say it's current in your post and it's not.
  15. http://www.malwarebytes.org/forums/index.php?showforum=53 You should see it on the main index too. Under Private rooms.
  16. Hi Sparky!! Welcome to Malwarebytes.
  17. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  18. I know you use Ares to download music. But that music is not out there for free in most cases. It's stealing. I still haven't got to chat with Bruce. You are 3 definition versions behind on MBAM. This program updates often 4 times a day. You must update it every time you scan. I would need to see the entire reg key to give any sort of answer, but messing in the registry is so very risky. You can totally destroy the system.
  19. You can't run two firewalls at once. You have both ZA and OA stuff running. Also lots of other start up items not needed.
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) <==== This is just clutter
     O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" <==== This is Zone Alarm
     O9 - Extra button: Support - {1DF60FA2-19D2-11D6-8756-00A0D2170C61} - http://www.comcastsupport.com (file missing) (HKCU) <=== More clutter.
     O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab <==== Would be great if you can upload a sample of that installer to Bruce. Here http://uploads.malwarebytes.org/ .
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe <=== This is Zone Alarm.
     Uninstall ZA and run HJT again. Those lines should be gone, but if not, remove them with HJT. Also remove that game installer, and what game did it install?
     Let's run this to be sure we are not missing stuff. Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your desktop. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
     * Restart your computer
     * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
     * Instead of Windows loading as normal, the Advanced Options Menu should appear;
     * Select the first option, to run Windows in Safe Mode, then press Enter.
     * Choose your usual account.
     * Open the extracted SDFix folder and double click RunThis.bat to start the script.
     * Type Y to begin the cleanup process.
     * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
     * Press any Key and it will restart the PC.
     * When the PC restarts the Fixtool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
     * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
     * Finally copy and paste the contents of the results file Report.txt with a new HijackThis log.
     Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.
  20. OK I need the HJT log always after the MBAM log.
     O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <===== Ares is a P2P program and a huge risk. Most of the stuff you're going to download with it is copyright protected and should be paid for. Getting it this way is illegal and can cost you more than an infected PC.
     Remove these lines with HJT:
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
     Looks like Java is damaged or didn't install? I'm waiting on word of the files for further instruction.
  21. Wow. OK, trying to sort through this.
     1. Your system is not up to date. Current Service Pack is 3.
     2. You didn't have a virus, it's a trojan, and whether or not you removed it is not known without proper analysis. That will be difficult with no connection. This http://www.bleepingcomputer.com/tutorials/tutorial59.html may fix it for you. If it does then you should follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.
  22. Hi welcome to Malwarebytes! Let us know if we can help you out with anything.
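The triage JeanInMontana does by hand in posts 3, 19 and 20 (spotting "(no file)" / "(file missing)" clutter and a P2P client in a Run key) can be scripted. This is an added example, not code from the thread or from Malwarebytes; the sample log is constructed from lines quoted above, and the regexes and the P2P name list are assumptions.

```python
import re

# Constructed sample built from HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# Markers HJT prints when the referenced file is gone (assumption: these two).
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Autostart names the thread treats as a reinfection risk; only Ares is on the page.
P2P_NAMES = {"ares"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body looks like:  HKCU\..\Run: [name] "C:\path\prog.exe" -args
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")


def parse_line(line):
    """Split one HJT line into section, body and (for O4) hive/key/name/command."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "body": body,
             "orphan": any(mark in body for mark in ORPHAN_MARKERS)}
    if section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            entry.update(hive=m4.group(1), key=m4.group(2),
                         name=m4.group(3), command=m4.group(4))
    return entry


def triage(log_text):
    """Return (kind, ...) findings: orphaned entries and P2P autostarts."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["orphan"]:
            findings.append(("orphan", e["section"], e["body"]))
        if e["section"] == "O4" and e.get("name", "").lower() in P2P_NAMES:
            findings.append(("p2p-autostart", e["hive"], e["command"]))
    return findings
```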