JeanInMontana

It's useless once you have already taken action. Shows nothing... that's why I said I hadn't read the instructions first.

Sorry I didn't read the instructions for posting F/P's before I took action. I have the regular log and the item is still in quarantine. Malwarebytes' Anti-Malware 1.04 Database version: 378 Scan type: Quick Scan Objects scanned: 24261 Time elapsed: 4 minute(s), 3 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\RECYCLER\S-1-5-21-55238811-1876427739-2962232704-1005\Dc25.tmp (Rogue.AntiSpyBoss) -> Quarantined and deleted successfully. I don't know how it could have got to Recycler much less even on my system.

Hi and welcome to Malwarebytes. Your version of MBAM is not current, please update it. You appear to have a root kit, which means your system is compromised in the worst way. All sensitive data may have been or is being seen by others. Change all passwords immediately and notify all institutions such as banking and credit cards. We can continue with removal, but the only sure way to know your clean is to reformat. If you wish to proceed please do the following. Set your system to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Run HJT again in scan only and put a check next to the following items. O4 - S-1-5-18 Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User '?') O4 - .DEFAULT Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User 'Default user') O20 - AppInit_DLLs: cru629.dat O20 - Winlogon Notify: wenyuxni - wenyuxni.dll (file missing) Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow"> SDFix.exe * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum. Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.

Oh.. I didn't read in depth. My mistake. Panda flagged MBAM in one log I was working in the online scan. I know Prevx is one of the online scanners used by VT.

Whoo Hoo Aquarians rule!! Happy Birthday SNOWHITE!!

Please don't post live links to malware. We appreciate your help but munged links are to protect others.

Umm yeah and Prevx labels it malware as do several others. http://spywarefiles.prevx.com/spywarefiles...XC=DGJD13704910

Yup... it has been my experience when a file gets no hits at all on Google it is malware. Seems this is no exception.

The extension is for temp file but strange. What else was going on that day? System wise, install anything? Have you done any other scans? Panda or Jotti's for the file? http://www.virscan.org/ http://virusscan.jotti.org/ We also have file submission here. On main site page

H Alfie and welcome to Malwarbytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and someone will be happy to help you.

Hi and welcome to Malwarebytes. You are infected so let's begin cleaning you up. Go to add/remove programs and uninstall BearShare this is known to contain malware and a dangerous practice to engage in. Run HJT again using scan only and put a check next to the following lines. O4 - HKLM\..\Run: [bearFlix] "C:\Program Files\BearFlix\bearflix.exe" /pause O4 - HKLM\..\Run: [bearFlix] "C:\Program Files\BearFlix\bearflix.exe" /pause O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing) O20 - AppInit_DLLs: C:\WINDOWS\system32\rlai.dll O23 - Service: FireDaemon Service: windll64 (windll64) - Unknown owner - C:\WINNT\system32\directx\asp\mech\FireDaemon.EXE (file missing) Click fix and exit HJT. Now please follow the instructions at the top of this forum for pre-post of a HJT log and post your requested logs back into this thread.

OK, after consultation with one wiser than I, CF did find stuff and it is obvious Panda did too and even removed a well known worm. You have some questionable stuff too a tool bar? http://www.castlecops.com/tk36013-Irocs_Ki..._IROCS_DLL.html I am going to have someone better versed in how to proceed take over from here on out and he will clean up the rest. TeMerc will get to you tonight and give you instructions.

It appears Panda needs a heads up about MBAM Possible Virus. Not disinfected C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe From here http://www.malwarebytes.org/forums/index.p...ost&p=12934

I expected CF to find things we wern't aware of. Not what we know. Yes please run a complete scan with Panda and follow my initial instructions right after the CF scan post. New HJT etc

OK it just didn't show any deletions and I expected some.

Many thanks to screen317 for your help. Since this topic has been resolved it will now be closed.. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.

Hi Sonja are you sure you posted all of the log from ComboFix? Yes, let's get these, I'm sure they are not good. O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs I also see a folder for Spyhunter from Engigma, but no indication of it being installed. C:\Program Files\Enigma Software Group It is my opinion that this is a garbage program and should be completely scoured from your system. You have the Panda scan installed so let's get a log from that please. http://www.malwarebytes.org/forums/index.php?showtopic=2306 This is a detailed set of instructions and a link to the scan page. Post the Panda log and a new HJT after that please.

Your welcome, I wish we could have cured you, but reformat is the best option with your circumstances. Since this topic has been resolved it will now be closed.. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.

I wish you the best and please let us know what is disclosed. We all learn this way.

Yes rootkits allow outside access to your system, that is why I warned you about passwords and any sensitive data that may have been stored or accessed. Yes it bypassed your router firewall. You wouldn't have it otherwise. Router firewalls don't alert you to anything "calling home" from your machine. I use a third party firewall also. This way I know what is accessing the web from my machine. There other preventative measures that are not apparent on your machine also. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts For an excellent list of reliable free firewalls and antivirus programs see here

Hi there and welcome to Malwarebytes. Marcin has asked me to help you with your malware problem. Let's begin. Open HJT and run a scan only. Put a check next to these lines and click fix. O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe <====== This is a suspect program from what I'm finding. Did you install it? O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs <======Also this one. What can you tell me? [*]Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. 1. Download this file : http://download.bleepingcomputer.com/sUBs/combofix.exe Or from here: http://www.techsupportforum.com/sectools/combofix.exe 2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter. 3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Have you tried just using the built in power settings? Or checking to what they are set at? Start>Control Panel> Power Options. Make sure nothing is set to power down or hibernate after x amount of time. Use caution when third party utilities are involved.

Using Kapersky's with out giving feed back first and waiting for the next set of instructions is what I am talking about. That is a poorly written sentence by me. Thank goodness you didn't delete all files on C:/ . My apologies for that. These things mutate with every new attempt to remove. We take a certain approach to try and not let them know we are on to them. Goofy as that may sound that's how it's done. Yes Kapersky's got some stuff. Was it what SDFix found? We don't know. Probably not by the looks of it. Bad news you had/have a root kit. There is no sure way to know if it ever goes away with out reformat. Take action now to change all passwords, notify any financial institutions etc you have used the machine to do business. If the machine is networked all machines may have been compromised. We can try to get you clean, but again, no way will we ever be sure you are not still rooted. The best course is really to back up what is most important and do a clean reformat. Don't ghost this drive. If you want to proceed we can. Delete these lines using HJT O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing) O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background Reboot and get MBAM from the link in the pre-HJT post instructions at the top of this page. Please be sure to update then scan with it let it repost anything it finds and post that log and a new HJT. If you wan to try and clean it. If not just go for backing up and reformat. I really recommend this as your best choice.

Haha thanks Sho-Dan that is among the coolest I have seen. Of course I grew up watching that cartoon. yeah Im old.