Honorary Members
Everything posted by JeanInMontana

  1. Today, I opened the scanner and got the attached infobox popup. I have never had this before and I have the pro version, protection shows as enabled and my license info is all on the about page.
  2. Not sure this is an issue but will mention it. The monitor didn't start today with Windows start. I started it manually and protection was not enabled. I don't recall having to manually enable protection in past versions. Am I just having a poor memory day?
  3. 5 days no response. Topic will be closed to prevent others from posting into it.
  4. Due to lack of response I will close this topic to prevent others from posting into it. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help, start your own topic and someone will be happy to assist you.
  5. Closing this topic as it is double posted.
  6. Don, please turn off Tea Timer. This is requested in the initial instructions and needs to be done to keep it from interfering with fixes. See the help tab on SBS&D for how to do this. I have also asked that you run a full scan with MBAM and you keep doing the quick scan. Please run a full scan of your C drive after you update. You are still using version 1.06; this is not current. Navipromo is not new. It's been around for a while and is extra nasty. I see the file now AVG is tagging. Please scan this file c:\windows\system32\nwprovau.dll at http://www.virustotal.com/ and post the results. If they come out to be an infection, follow the directions for the Navipromo fix. Run HJT again, put a check next to these and click fix:
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
     O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
     O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll <======= Only delete this if Virustotal says it is bad.
     Please download Navilog1 by IL-MAFIOSO: http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
     * Extract its contents to the desktop.
     * Double click on navilog1.exe to install it on your computer.
     * When the installation is complete, the tool will start automatically.
     * If it doesn't start automatically, please double click on the Navilog1 shortcut on your desktop to run it.
     * Press E for English from the language menu.
     * Type 1 in the next menu to select Search and press Enter.
     * Wait for the scan to finish (it may take a reasonable amount of time).
     * Press any key as requested.
     * A new document will be produced: fixnavi.txt.
     * Please copy/paste the contents of this report in your next reply and a new HJT log. The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt" (usually C:\fixnavi.txt).
  7. They are basic services if they are the actual Windows files. Malware also uses these same names, and everything I used to determine what they were said they were bad. I really think reformatting in this case is the best route to go. I do have suggestions for you to prevent future infections and you should implement them on all your machines connected to the WWW. Note these are all free programs. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. I use Online Armor from Tall Emu and love it. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
     MBAM
     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts
  8. Users aren't removed via Documents & Settings. You do it through the Control Panel and User Accounts. Are you logged on as Administrator? I would suggest you start a new topic on this problem in the PC Help forum. That way others will be able to contribute. HJT threads are restricted to one person responding to avoid confusing the victim of malware with several people giving instructions.
  9. You posted an old Smitfraud log. Please delete anything associated with Smitfraud. I want a log from SDFix. Why can't you do auto updates? You can go to the MS Update website and manually do updates also. Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
     * Open the extracted SDFix folder and double click RunThis.bat to start the script.
     * Type Y to begin the cleanup process.
     * It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
     * Press any key and it will restart the PC.
     * When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
     * Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
     * Finally, paste the contents of Report.txt back on the forum.
     Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.
  10. Note the version of the program also. This was when MBAM was first released to the public. A whole lot has gone on since then: seven new versions, and I wouldn't have any idea how many definition updates.
  11. Current version is 1.07. Please update. Put a check in these and click fix. We did take out the toolbars, I think.
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
      O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
      O2 - BHO: (no name) - {9C8A568E-4201-478a-8536-526CF371D2E2} - (no file)
      Run a new scan with MBAM please, and post the log. Reboot, run HJT and post a new log. Let me know how the machine is running.
  12. Hey Don MBAM has come out with a new version too. Please update again and scan again post that log before your new HJT please.
  13. OK, let's get these lines with HJT. Run scan only, put a check next to each and click fix:
      O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
      O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: (no name) - {9C8A568E-4201-478a-8536-526CF371D2E2} - (no file)
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
      Reboot, and post a new log please. Give me some feedback on what is going on now with the system.
  14. Hi again. Even if you don't see that Vundo fix finds a problem, I want the log posted please. You still have Vundo. You have a bunch of other crap too. At some point you used Combofix? Please don't use tools without being requested to do so. This can cause the stuff we are after to mutate to a new form and makes it that much harder to find and get rid of.
      Please set your system to show all files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
      Press Control-Alt-Del to enter the Task Manager. Click on the Processes tab and end the following processes:
      C:\WINDOWS2\System32\smss.exe
      C:\WINDOWS2\system32\services.exe
      C:\WINDOWS2\system32\lsass.exe
      C:\WINDOWS2\system32\spoolsv.exe
      C:\WINDOWS2\Explorer.EXE
      C:\WINDOWS2\System32\cmd.exe
      C:\WINDOWS2\System32\wuauclt.exe
      Exit the Task Manager when finished. Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
      O2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dll
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      Click on Fix Checked when finished and exit HijackThis. Reboot into Safe Mode by continually tapping the F8 key as soon as you restart your machine. Using Windows Explorer, locate the following files/folders, and delete them:
      C:\WINDOWS2\System32\smss.exe
      C:\WINDOWS2\system32\services.exe
      C:\WINDOWS2\system32\lsass.exe
      C:\WINDOWS2\system32\spoolsv.exe
      C:\WINDOWS2\Explorer.EXE
      C:\WINDOWS2\System32\cmd.exe
      C:\WINDOWS2\System32\wuauclt.exe
      ALCXMNTR.EXE
      Exit Explorer, and reboot as normal afterwards.
      If you were unable to find any of the files then please follow these additional instructions: Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes. Let the system reboot. Post back a fresh HijackThis log and we will take another look.
  15. Hi there Scavenger and welcome to Malwarebytes. I can answer some of your questions.
      1. There is an option to have the program update at a specific time of day the user chooses.
      2. No, I can't. MBAM is new; the general public is just getting a taste. I also can't allow you to see any threads that are in association with development, although there is an entire section of this site devoted to that and some long ass threads. In general MBAM has had good if not fantastic reviews from the general public as well as those in the security community.
      3. Yes, nosirrah is one of its authors and that is listed in the about section of the program itself. Yes, it is the same nosirrah from Castle Cops.
      4. Besides real time protection there is the removal feature. Real time protection is what you pay for when you buy a license. The removal can be had for free.
      5. This might be what you're looking for for this question: http://www.malwarebytes.org/forums/index.php?showtopic=3839
      It's a great program, low on resources, updated several times a day and constant research for new variants.
  16. OK, we can proceed. However, reformat would be safer and faster. If you want logs from the other machines analyzed, please start a new topic for each machine. If they were not directly networked to this machine they may be ok. First, let's keep this machine off active surfing for now. Your Java is way outdated and needs updating; it is a version known to allow exploits. Run HJT in scan only mode and put a check next to these items, then click fix:
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O15 - Trusted Zone: *.gomyhit.com
      O15 - Trusted Zone: *.imageservr.com
      O15 - Trusted Zone: *.imagesrvr.com
      O15 - Trusted Zone: *.storageguardsoft.com
      O15 - Trusted Zone: *.gomyhit.com (HKLM)
      O15 - Trusted Zone: *.imageservr.com (HKLM)
      O15 - Trusted Zone: *.imagesrvr.com (HKLM)
      O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
      Please download VundoFix.exe to your desktop: http://www.atribune.org/ccount/click.php?id=4
      * Double-click VundoFix.exe to run it.
      * Click the Scan for Vundo button.
      * Once it's done scanning, click the Remove Vundo button.
      * You will receive a prompt asking if you want to remove the files; click YES.
      * Once you click yes, your desktop will go blank as it starts removing Vundo.
      * When completed, it will prompt that it will reboot your computer; click OK.
      * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
      Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
      MBAM is outdated. Be sure you update this program before every scan. It often updates multiple times in a day. 451 is the current definition version as I write this. Please update and scan again with it and post the log and a new HJT log.
  17. MBAM is outdated, Don. Update the program please and scan again. You're also using an outdated version of HJT. Please follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936. You really don't need Antivir, as it was a misunderstanding when it was referenced. It is a good program and I would recommend it as a replacement for AVG. Do not run both programs actively.
  18. I could come up with a list of well known names also that I certainly don't recommend to users. Prime examples are the recent toolbar additions to AVG and ZoneAlarm; WebRoot has gone down a dark path too. Then there are the Spyhunters and Cyberdefender types that walk a slippery slope just a half step this side of full blown rogue. Marcin and Jack have a set of rules to define what gets included and what doesn't. None of the programs I named make the cut. This also keeps RR a reputable program with integrity. Opinions expressed by me are mine and mine alone.
  19. Reformatting and installing SP2 is your best option IMO. I don't often do this, but you have so much going on that is so very bad and you don't have SP2 installed. We can't update you to SP2 until you're clean, and the infections you have are of the sort that allow access to your information by outside sources. You have been totally compromised and there is no guarantee we can get it all. You should contact all financial institutions immediately and change passwords to sensitive sites. You also have a way outdated Java, a known security risk. We can give it a try to clean the system, but I really think in your case starting from scratch is best. Let me know what you want to do. If this is a networked machine, disconnect ASAP and scan the other machines.
  20. This doesn't mean the rogue won't get added; it was for prioritizing testing. If you note, this thread is nearly 6 months old.
  21. I'm so glad you did Tim. I feel like a real heel missing this topic. You made sure you got mine out there ...LOL with time to spare.
  22. I have another email too. I thought I was missing an area to write them.
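As an added illustration (not code from the posts above or from Malwarebytes), this small Python helper applies the same review rules the HijackThis fix lists in entries 6, 11, 13, 14 and 16 follow: R0 defaults that have been blanked, O2 BHOs registered with no file on disk, O10 Winsock LSPs HJT does not recognise, and O15 Trusted Zone additions. The sample log lines are constructed from the entry types quoted in those posts; O4 run keys are deliberately left for manual judgement.

```python
import re

# Constructed sample HijackThis (HJT) log; entry types mirror those quoted in the posts.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def bho_clsid(line):
    """Return the upper-cased CLSID of an O2 BHO line (for comparing against a known list), or None."""
    m = CLSID_RE.search(line)
    return m.group(0).upper() if m else None


def classify(line):
    """Return a review reason for one stripped HJT line, or None if it needs no attention."""
    if line.startswith("R0 - ") and line.endswith("="):
        return "IE default blanked (reset hijacked search/start page)"
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return "orphaned BHO registration, DLL no longer on disk"
    if line.startswith("O10 - Unknown file in Winsock LSP:"):
        return "unrecognised Winsock LSP; verify the file (e.g. VirusTotal) before fixing"
    if line.startswith("O15 - Trusted Zone:"):
        return "site added to IE Trusted Zone (weakens browser security)"
    return None  # O4 run keys and everything else: manual judgement, not flagged here


def triage(log_text):
    """Return (section, reason, line) for every log line classify() flags, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings
```

Running `triage(SAMPLE_HJT_LOG)` flags five of the seven sample lines and leaves the Microsoft Money BHO (its DLL is present) and the O4 run key alone.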