JeanInMontana

Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.

Hi Alice. Please open HJT and run a scan only. Place a check next to the following items and then click fix. O2 - BHO: (no name) - {108474A5-CEC4-40E1-98AB-E11B5A2A3F36} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {13788958-91B3-4F7B-8974-AD545F273548} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {18E5C3BB-5C14-4E46-9777-C3DA147042DC} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {3CB9A8AC-77C3-4F0E-A7A9-018733CEB512} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {57F3561D-9CCD-47FA-BB9B-DD939FB4FB4A} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {8941EE6E-A79B-4C51-92A2-BE08E1FB73E3} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {8C08F6AF-D3D6-4A1F-8D0D-9C11DD744D96} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {8F76AD5D-10A5-402F-8F1A-00402D807317} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {AE082777-1419-4E41-8A54-715C9A40BD0D} - (no file) O2 - BHO: (no name) - {E34B41FA-8CDB-4207-B085-234FE050A7B5} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: {c5daf727-f025-3c18-e744-70cd36ce7d0f} - {f0d7ec63-dc07-447e-81c3-520f727fad5c} - (no file) O2 - BHO: (no name) - {F3070ACD-9C0B-4C43-9557-FF2ED0BFF271} - C:\WINDOWS2\system32\cmcfg3.dll O2 - BHO: (no name) - {FBF7ADFC-F555-49FB-B257-54DEAB9CE485} - C:\WINDOWS2\system32\cmcfg3.dll O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing) Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Reboot into Safe Mode by tapping the F8 key as soon as you reboot and choosing the Safe Mode option from the menu. You will have to use your up/down keys to do this as the mouse will not work at this point. Once booted the desktop will be very different and most of your programs will not be running. This is normal, stay calm. Create a folder on your desktop, name it AliceTestFiles. Now open C:\ Windows and find the following files: C:\WINDOWS2\system32\services.exe C:\WINDOWS2\Explorer.EXE C:\WINDOWS2\system32\lsass.exe C:\WINDOWS2\system32\svchost.exe C:\WINDOWS2\system32\winlogon.exe C:\WINDOWS2\System32\smss.exe Copy and paste each one into the AliceTestFiles folder and once you have done this to all, zip the folder by right clicking and choosing from the context menu "send to zipped folder". Upload this folder again to the Malwarebytes upload please. Reboot to normal. Your system is badly infected. You need to notify banks, credit card companies and any other institutions dealing with sensitive information on your machine. Change all passwords. I can continue to try and help you but at this point with what I'm seeing we can only be positive of a clean up with a system reformat. I'm willing to continue, but it's your decision. If you wish to continue please do this. Review this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data. 1. Download this file : http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop. 2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter. 3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall. Post the Combofix and a new HJT log please. You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.

Need a response or I close the thread.

Hi Beau, please upload this file C:\WINNT\system32\cdrt.dll to http://www.virustotal.com/ and post the scan report. Also please place it in a zipped folder and upload to http://uploads.malwarebytes.org/ Now open HJT again and run a scan only place a check next to the following items and then click fix. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {8305BB4B-417B-4C18-8293-F993A3811FB9} - C:\WINNT\system32\yayaYpQj.dll (file missing) O2 - BHO: (no name) - {902C8236-E940-461D-85D2-5BEDB72CA028} - C:\WINNT\system32\pmnoMdcC.dll (file missing) O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) Reboot, update MBAM run a quick scan again and post that log and a new HJT please.

Hi Alice, please upload this file C:\WINDOWS2\system32\cmcfg3.dll to here http://uploads.malwarebytes.org/ you'll need to zip it for this site. Also please send it here http://www.virustotal.com/ it shouldn't be zipped for this one. Please post the report from Virus Total.

Well, the best scenario is no manual cleaning and that is what MBAM does for us. But to be sure let's get one more scan from it with the new version and a new HJT log. Then we will have some last steps to clean up and send you on your way with some ways to stay clean.

You will need to do as requested Alice. Please follow these instructions http://www.malwarebytes.org/forums/index.php?showtopic=2936 Begin your own topic in that forum and someone can help you.

Welcome Adaox. It might be to your benefit to get a second opinion on the system. Follow the directions http://www.malwarebytes.org/forums/index.php?showtopic=2936 in that link and start a new topic in that forum posting the requested logs as your reply.

What is the status here please?

What do you mean? MBAM has a new version please update and post a log. Panda? You have done another scan? I want to see that log if it's new and please just follow my instructions. Update MBAM do a quick scan and post the log and a new HJT log.

OK please post logs in the reply not as an attachment. I need a new HJT log also.

Please get the latest version and post that log in the thread you created in the HJT forum.

Nice one!!

Hi Beau and welcome to Malwarebytes. Please download MBAM, update it and run a quick scan. Post that log and a new HJT log, we will see what you have going on.

Your infected with malware Alice. Please do as Mike suggested and someone will be happy to help you out.

Log looks good except you need to update Windows to SP3 and your Adobe reader is a known unsafe version. How are you running? Symptoms?

Your Windows System is not up to date. The current service pack is 3 and you have 2. If your going to decide how we do this it's not going to work. I can't stress it enough you do as instructed, when instructed, not what you decide. Please get this http://www.runscanner.net/download.aspx install it and do a full scan , then click save .text file. Name it drgill and save to your desk top post in your next reply.

Hi again. Just noticed you have HJT in a strange location. Please move it to C:\Program Files\HiJack This . Then run a new scan for me please. and post that.

Hi again MBAM log is clean. How are you running? Things are looking pretty good. Do you have any problems still? You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. Adobe is also very outdated, and a known security risk. You should get the current version 8. Windows is also outdated and in need of update, current Service Pack is 3. I reccomend you read this also. How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important shouldl anything go wrong and you need to recover your PC and not lose all the data.

Hi Peco, I have asked this file to be removed with HJT several times. Is it getting checked and then fix checked? O24 - Desktop Component 0: Privacy Protection - (no file) Please upload this to Virus Total and to Malwarebytes C:\Program Files\Essentials Codec Pack\update.exe -silent Log is looking good but for that one and it can go either way. How are you running? You need to update your Java. You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. Your Windows is also behind current Service Pack is 3. Post the Virus Total report, run HJT again and make sure that entry is checked and you click fix. Reboot and post me a new updated MBAM log, new HJT and the VT report please. Tell me how your running too.

Good luck.. you either follow instructions or your on your own.

Due to lack of response this topic will be closed. The advice and procedures in this topic are for this system only DO NOT apply them to yours. Should you need assistance follow the instructions in the post titled Pre-HiJack This! Posting Instructions. Begin your own topic and someone will be happy to help you.

MBAM does not remove SRP's and IMO it should never. I am fairly sure a full scan will clean, not positive though. I'll find out since this has come up it would be good to know. I can't think of any removal program, that is not a specialized tool that does remove the restore points. ComboFix does create a new restore point. But it should never be used without supervision.

No one said it was wise to leave them in tact. The point is they are not removed before the system is clean and should not be removed by the anitmalware program. The only way there is going to be re-infection is if that infected restore point is used. There had to be another factor that was overlooked if the restore point wasn't used. Re-infection is not uncommon with users who engage in risky behavior all the time or who do not have proper preventative measures or both of these circumstances exist. This is why during a HJT log analysis and system clean up we do education to prevent in the closing remarks. A good share of this stuff we see can be prevented, if the proper layers of protection are installed, the system is kept updated and risky behavior is changed.

Great work. Please update MBAM and run a quick scan post that log and a new HJT log.