JeanInMontana

Your looking clean, how are things running? BTW the IE Tab extension for FF will allow downloads from MS I've used it. I'm not saying you should remove Spyhunter, if you paid for it especially and IMO McAfee isn't a first choice either. It's a resource hog and rarely on the cutting edge of definitions. But they are not the same type of programs either. One is an AV and the other claims to remove spy/adware and other malware. So you did again essentially what KillBox does and no files. Looks like MBAM did get another trojan. So to be sure on those we will do this one. Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow"> SDFix.exe and save it to your desktop. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. * Finally copy and paste the contents of the results file Report.txt with a new HijackThis log Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please. Also update MBAM and scan again post that log to please.

http://www.malwarebytes.org/forums/index.p...ost&p=15290 It's a F/P .

According to the ComboFix you don't have the recovery console installed. I don't use IE unless forced and am not sure what "find" is. IMO Spyhunter is worthless I doubt it would find what we are after. Do you have the system set to show all files and folders? The ComboFix was run after scans with those other right? If it is still showing the files and it is, then they weren't removed by anything else. My searches on those files link them to vundo. Let's do this. Author: Option^Explicit Download Location License: Freeware KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe Operating System: Windows File Description: C:\WINNT\system32\wiwgerwu.ini C:\WINNT\system32\orutv.ini C:\WINNT\system32\orutv.ini2 C:\WINNT\system32\vturo.dll.bak C:\WINNT\system32\voulgouh.tmp C:\WINNT\system32\wyuinkvh.in Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them. Usage Information: Download this file and run the killbox.exe file. save to desktop. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. Also please update MBAM and run a full scan of C again and post the log with a fesh HJT.

I have always had RR give a notice there was an update until today. Didn't know there was one until reading new topics here. I had already closed out the program and when I reopened, it was in red text that monitoring was off. I clicked on the update and everything ran as normal after that. Update and new protections added scans were clean etc.

LMAO OK we are back to where this started for the most part and nothing has been learned. I am not aware of a site as you describe, I thought I had a fair grasp of all major security sites as I'm a member of most. I am really curious what this site might be. If there are regular members especially.

Hi there Caor, and welcome to Malwarebytes Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this. Please run a full scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply. Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.

Hi Jerry and welcome to Malwarebytes. The HJT log has a formatting that is just too hard to read with broken lines. Make sure word wrap is off in your notepad when you post your next log please. Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Also please turn off TeaTimer in SBS&D Open SB S&D Click on the Tools section and then Resident. You will see two items. 1. Resident "SD helper" (Internet Explorer bad download blocker.) active 2. Resident "Tea Timer" (Protection of over-all system settings.) active. Uncheck 2. Leave 1 checked always. You can enable Tea Timer again if you wish once all special fixes have been done. Please run a full scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply. Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.

Did you reboot before scanning again with HJT? How are you running now? I'm not seeing anything bad. But I need to know what your seeing.

How are you running now? ComboFix took out several Vundo looking files. I would like you to scan the items below and upload them for the team here to analyze also. C:\WINNT\system32\wiwgerwu.ini C:\WINNT\system32\orutv.ini C:\WINNT\system32\orutv.ini2 C:\WINNT\system32\vturo.dll.bak C:\WINNT\system32\voulgouh.tmp C:\WINNT\system32\wyuinkvh.in You can upload here http://uploads.malwarebytes.org/ Please scan them and post the results from those scans. Scan here virustotal.com Let me know how your running now also.

Firefox does not support active x period. It will never run a Panda scan. Are you running under an administrative account? The reason for the scan is the log after will show information I can use to help you. Purchasing MBAM will not make any difference in how it performs. Everything it does to remove is done for free. My attitude will change when you lose yours. You have given me an attitude. Don't think for o minute your going to come here asking for help and proceed to bash the products your asked to use. Why isn't Spyware Terminator saving you? Yes you will need to follow instructions for anyone, anywhere to help you. If you have a problem with that we might as well call it quits now. For someone claiming to be a software engineer you should be aware none of the programs you have been asked to run do the same thing. Your not getting customer support here. Your asking for help removing malware. No way are they related. Once again your knowledge fails you. Vundo fix does create a log and that is why I asked to see it. It's named rapport.txt and will be on your main drive usually C. MBAM says according to the log you posted that it did find Vundo and deleted it. Malware mutates and no program is capable of always having every variation in the definitions. I don't know what IPLed is. Please explain. Nor do I know why you think directory entries are coming back after removal. Your not following the procedures as they are laid out. You run the malware scan, and remove then you run the HJT scan. It makes no sense to do it the other way. If you want help follow instructions and procedures as they are given to you. You need to turn off TeaTimer in Spybot Search & Destroy. From your HJT log it is plainly still on. C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe I don't know what your using to post the HJT log, but the formatting is a mess and makes it unreadable. Use notepad only that is how the program saves the log, don't change that. Keep the lines all together, no spacing or wrapping of text. O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll <======= this should be all one line not 3. It is too hard to read like this. There is no need to scan any dive other than C with MBAM either. CD Rom drives don't get infected. Now, this is how we will proceed. 1. You will turn off Tea Timer. Open SB S&D Click on the Tools section and then Resident. You will see two items. 1. Resident "SD helper" (Internet Explorer bad download blocker.) active 2. Resident "Tea Timer" (Protection of over-all system settings.) active. Uncheck 2. Leave 1 checked always. You can enable Tea Timer again if you wish once all special fixes have been done. 2. Run this tool 1. Download this file : http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save to your desktop. 2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter. Note: Do not mouseclick combofix's window while its running. That may cause it to stall. 3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log, and then scan with HiJack This and post that log in your next reply.

Non vendors outnumber the vendors by far. No one that is not a member can read the forum because of what is there. It can't get to the wrong hands. Membership is restricted and for good reason. I misunderstood you I guess. I thought you were a member of another forum that had direct ties to vendors.

Hi Stoneman and welcome to Malwarebytes. Your version of HJT is outdated. Please get the one listed in the prepost HJT instructions at the top of this page. Follow all of those instructions and post the requested logs please. See the how to run a Panda scan tutorial also at the top of this page. You can't use Firefox. Do not use tools like Vundo fix without being instructed. This is very dangerous. Please post that log also.

@GT500 yes you have the correct site. I'm curious about what site you may have been a member of. There aren't that many that one can just post files at, serch that memory . @ Paul my point is using CC is basically a wasted step. They don't have any thing going on that an individual can't take care of themselves and probably in much less time. A file scan at Jotti's or VT will give faster more accurate answers.

I'm talking about Malware Research. Membership is very restricted and most known vendors are there to collect files. I checked and your not a member under this nym you use here.

As per instructions, you should not have a folder on C. When you extract, it should be extracted to the desktop. You can move it from C to the desktop. Remove this line using HJT in scan only mode. O23 - Service: Remote Procedure Call (RPC) Helper (

I found that the file was associated as you say with the ISP. It does seem to be a security risk in that it is P2P. I think we may have cleaned the machine and what your getting now are the popups that anyone will get if they aren't using something to stop them. The ones that won't load are most likely blocked by a host file or SpyBot Search & Destroy. As a Firefox user you can get Adblock extensions and they work very well. I also have the Google toolbar which blocks popups, I find it a most valuable tool. Update Spybot Search & Destroy and run a scan remove all it finds. Do the same with MBAM and let get another Panda scan. Please post the Panda log and the MBAM log. Also a new HJT.

What site?

Due to lack of response this will be closed to prevent others from posting to it. The fixes in this topic are for this system only! Applying them to another system can cause severe damage. If you need help please follow the instructions in Pre HJT Posting instructions and open a new topic. Someone will be happy to help you.

OK I'm still not clear and I'm sorry Don. I'm just not feeling well and the old brain is not working so well. You do still get popups? But FF will not open the page? I can't open that page either. Can you post a screen shot of the popup? Please go here http://www.threatexpert.com/submit.aspx and submit this file C:\Program Files\Kontiki\KService.exe Also please upload it for the guys here at Malwarebytes to have a look at here http://uploads.malwarebytes.org/ I will post a link back here so they know it is an active topic and needs attention ASAP.

To clarify a bit. CastleCops is not a software vendor. They must have submitted to Kasperskys to get a report. You can save yourself a ton of time by submitting yourself here http://uploads.malwarebytes.org/. Bruce and his team [also associated with CastleCops] will determine if it's malware and it helps MBAM at the same time. The other option Lurkingatu2 is to give me the file and I will get it to a site with restricted membership, but all major vendors are there and get their information from there for a good share of the new defs.

Are you following your topic here http://www.montanamenagerie.org/forum/view...php?p=3893#3893 ?

Since this issue has been resolved I will close the topic to prevent others from posting into it. Thanks Screen317 for your help! The fixes in this topic are specific to this machine. Applying them to another can be disasterous and cause permanent damage. If you feel you have a similar problem, please follow the instrucitons at the top of the page for Pre-HJT posting and open a new topic. Someone will be happy to help you.

Hi again. You didn't run SDFix from the desktop. I didn't have that in the instructions, I am at fault there. Please delete the folders on C:/ for SDFix and download a fresh copy in case there have been updates. Make sure you save it to your desk top and run it from there. Post the log. You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. Run HJT in scan only mode and put a check next to the following: O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cab O23 - Service: Remote Procedure Call (RPC) Helper (

Hi JayMatt19 and welcome to Malwarebytes. Please follow the instructions at the top of this forum for Pre-HJT posts.

Hi TheGman and welcome to Malwarebytes. Please follow the instructions at the top of the forum for Pre-HJT posting.