  1. Hi Don, I'm a little confused. You are still getting popups, but not redirects to the site? MBAM is on database 483 now. I can't stress enough update before every scan. The guys writing the defs for this program are on the ball and it updates daily if not more and usually it is twice a day.

     Run HJT in scan only mode and put a check next to the following items then click fix.

     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R3 - Default URLSearchHook is missing

     I would like to see the log from a Panda scan Don. Please use the link at the top of this forum and also see the tutorial for how to run a scan. Run that scan and post the log please. Also run another scan with MBAM after update. Post that log and a new HJT.
  2. Would you post the AVG log please. 100 literally? AVG has recently gone down a dark road with the release of the full suite program including a Yahoo toolbar that is a forced install. No way to opt out of it. There are several forums with discussions and obviously the whole line of software is now under scrutiny by most [certainly me, I will not recommend it any more] and people are watching to see what is next. I would love to see what is being flagged as malware. You're not the first to report similar occurrences in this forum with that program.

     Moving on, I think your system is clean and you should reset System Restore. Now go to Start > Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options. Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

     Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. Have you rescanned with MBAM? Defender is mediocre at best IMO.

     A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     MBAM
     hpHosts
  3. OK Scansy. It is to your advantage to proceed with the most speed possible, this stuff has a tendency to update as fast as the tools we use to remove if not faster. I know that isn't always possible.
  4. I have to say I do not like it. It isn't serious enough, I guess is the best way to say how it impacts me with first look. A bit cartoonish. I really like the looks of the tray icon now. Not sure why you want to change that. The cougar is well associated with the site and the program IMO. Kind of like Scotty and WinPatrol, I was among those asking for the old icon there too.
  5. You never had SmitFraud. How are you running now? Still getting popups?
  6. No I don't need the hosts file stuff. Sometimes SmitFraud lists the entire host file and since you are experienced enough to recognize what it is, I think it's safe to have you edit. Plus it makes my life ever so much easier.
  7. How is the machine running now? I am not seeing anything in the log. That does not mean you can't still have problems. Many things are not seen by HJT. I would like to see your SmitFraud log please. The report can be found at the root of the system drive, usually at C:\rapport.txt
  8. Since this topic has been resolved it will now be closed. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  9. The programs below will help to avoid any infections in the future. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts

     Since this topic has been resolved it will now be closed. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  10. Hi MikeV and welcome to Malwarebytes. You should never run a tool like SmitFraud unless asked by someone helping you. If you have the log please post it.

      You have a known unsafe version of Java also and you need to update ASAP or risk constant reinfection. Uninstall all versions of Java on your system now and delete the program files in your Program Files folder on C.

      http://java.sun.com/javase/downloads/index.jsp

      Download the offline installer.

      Run HJT again in scan only and place a check by these items then click fix.

      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O2 - BHO: dcads - {733716E1-76D2-4003-AC39-845281C0EF85} - C:\WINDOWS\system32\nsy2CF.dll

      Please post back a fresh HJT log after reboot and let me know how things are running.
  11. Hi Scansy. We close dormant topics in this forum after 5 days of no reply usually. It is to keep others from posting into it. Your last reply was the 21st of Feb. I will need you to start all over please with a new full C:/ scan from MBAM after you update and one from Panda please. Also a new HJT log after both other scans have been done and all found malware removed.
  12. I didn't see clean install was recommended until after the fact. I got the attached error message. It did seem to install fine after I kept clicking try again, and updated this morning. What I thought was a F/P in 107 is now gone. Marcin do you think I need to uninstall & reinstall?
  13. Hi and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
  14. Don, your problem is this below in bold. You're scanning and not removing.

      C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1002\A0298563.exe (Adware.Fotomoto) -> No action taken.
      C:\WINDOWS\system32\WhoisCL.exe (Adware.Fotomoto) -> No action taken.

      When a bad file is found you need to remove it. There is no point in scanning for the sake of scanning. So update MBAM and do a full scan again... go into the settings tab and put a check in every box. Take action when the bad files are found and post the log and a new HJT log please.
  15. I can only speak for me, I am certainly not offended. I am finding this whole discussion extremely interesting. I see no reason anyone should be offended. Everyone has offered up their best knowledge/ideas and we have been shown some curious facts.
  16. Please follow the instructions at the top of this forum for Pre-HJT posting.
  17. Open SBS&D and click on the Tools button and then Resident. You will see two boxes. One is for IE, leave that checked or check it, whichever the case. The second box is for Tea Timer, uncheck it.

      Your system shows no Navipromo after using the tool. It's possible AVG is giving a false positive. MBAM removed two items that could have been causing your pop-ups. Are you still having them?

      Run HJT again in scan only mode and put a check next to the following lines then click fix.

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

      So, now you should have Tea Timer off. Update MBAM again and run a full system scan. Post that log and a new HJT log. Let me know how things are running.
  18. Hi again, you have two strange things I see. Double notebook.exe and double C:\WINDOWS\system32\wuauclt.exe

      Please go to http://www.virustotal.com/ and scan the following files. Please post the results here.

      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\WINDOWS\S1AC7AB47.tmp

      Run HJT again and put a check next to the file below then click fix.

      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

      Now let's do a different online scanner and see what comes up.

      http://www.kaspersky.com/virusscanner

      Do a complete scan ... remove what it will and post the results here, along with a new HJT log.
  19. Yes I did start from the tray icon and there is only one user for the machine. I don't even have Guest enabled.
  20. If you still have Adware Alert on your system you can remove it using Rogue Remover from Malwarebytes. We also have a very good antimalware program here. http://www.malwarebytes.org/products.php You can find them both using that link.
  21. When a program gets cracked it is not the author's fault. This happens all the time. The program gets cracked, a trojan inserted and it's put on a shady site for download. There are numerous sites devoted to nothing but warez or cracked software. It's all illegal and none of the authors are involved.
  22. Since it has been 5 days with no reply to this topic I will close it to prevent others from posting into it. Many thanks to JPS, your help is greatly appreciated. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  23. There are often legal and cracked versions of all sorts of software. I too came across references to the cracked programs containing malware and this is very common. You have a legal version and it is clean. I will agree SiteAdvisor is not always the best source and I have been a critic of their ratings system more than once. I have seen bad sites listed as good and good sites listed as bad. There are no criteria for who gets to be a reviewer and the reviewer ratings are based on popular vote. This means in theory, anyone can rate sites and all their friends can also and they can give each other great scores and none of them have a clue as to what constitutes a bad site. I have also seen a file be both ways. One instance it is bad, in another it is fine. I suspect this is the case with this file.
