Everything posted by JeanInMontana

  1. I'm sorry but this scan is too old to be of any use. Please start the process over and follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 . It's been 3 weeks since anything was done and there is no way to know if you have new things or what.
  2. Hey Sparky, sorry to see you back under these circumstances. The procedure is still the same for help in this forum. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post the requested logs as a reply here.
  3. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
  4. Glad we could fix you up. If you install the programs I listed or an equal alternative to them you will be far more protected with a good layer of prevention. Since this issue is resolved I will close the thread to prevent others from posting into it. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
  5. Hi Avoccado. Sorry I haven't got back to you sooner. I had trouble with my own PC and have been fixing it. Next, the bad news. I have consulted with a far more knowledgeable person and you seem to have a new variant of Vundo that takes a new process to remove. I will come right out and tell you I don't know how. I am going to ask for someone else to take over and help you. Your other option is to reformat. I will be posting a request for assistance in our experts forum immediately. If you don't want to wait for another helper please let us know in a reply here. I am very sorry, but it is best for me to step back rather than risk doing harm to your PC.
  6. Congratulations to everyone on the MBAM team!! Not sure this is a bug, but the monitor test gave me an error that it had failed to run. I had also gotten a notice that it was already running so seemed a bit strange. Online Armor wanted to know if it should be allowed to run at start up and I said yes. This has happened before with the monitor, but I am not sure what we decided was the issue.
  7. Huge speed up with this new version and I even added the Recovery Drive to scan because Antivir had detected an F/P and I wanted to test with MBAM.
Malwarebytes' Anti-Malware Version 0.86
Database version: 238
Scan type: Full Scan (C:\|D:\| )
Objects scanned: 79837
Time elapsed: 24 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
  8. Yes it did find things and it removed them. You're not following directions. I want whole logs please, no edits. Use more than one post if that is what it takes. And the requested logs need to be posted in the order they are asked for. HJT will always be last. I'm not sure you are using AVG anti spyware for scanning either. I don't want the anti virus program, I want you to do this please:
If you haven't already, please get these programs, update and run a complete scan removing all items found.
Spybot Search & Destroy
Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
AVG AntiSpyware
Be sure to "take action"
Then go here and run a scan
PandaActive Scan
There is a full tutorial on how to do this at the top of this forum.
Post the logs from the Panda and AVG scans please, along with a log from this program
HiJack This!
You will post three logs.
1. AVG scan.
2. Panda Active Scan.
3. HiJack This scan.
You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  9. Hi there tpj104, and welcome to Malwarebytes. Please get rid of the program you used to make the log, it is not current.
If you haven't already, please get these programs, update and run a complete scan removing all items found.
Spybot Search & Destroy
Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
AVG AntiSpyware
Be sure to "take action"
Then go here and run a scan
PandaActive Scan
There is a full tutorial on how to do this at the top of this forum.
Post the logs from the Panda and AVG scans please, along with a log from this program
HiJack This!
You will post three logs.
1. AVG scan.
2. Panda Active Scan.
3. HiJack This scan.
You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  10. OK run HJT and put a check next to this line and click fix;
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
Now:
Please download this file: SDFix.exe
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum.
Reboot your system in Normal Mode. Then post the SDFix log.
Then please do this:
1. Download this file : http://download.bleepingcomputer.com/sUBs/combofix.exe
Or from here: http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  11. I assure you I am not playing jokes. Renaming the program will sometimes allow it to show the bad lines we need to remove. I need to see the log after you do that however. I know that the Smitfraud log can be very long, sometimes you will need to use more than one post to get the entire log posted. But I need to see it all please. Please run it again, and post everything, then also post me a log from HJT with the renamed avocaddo.exe, it didn't get posted. You're not going to this site and clicking on the button to download are you? Stay away from that site, do not click on anything related to it. This is where your infection is from.
  12. OK...when you scan with NOD32 do you remove the things? Please answer my questions. Did you leave part of the log out that I asked you about in my previous post? Have you thoroughly read over and followed step by step the tutorial on running a Panda scan? "Some kind of warning sign" tells me nothing. What is the warning sign. Please be specific. Do this for me, rename HJT to avocaddo.exe and run a scan and post the log.
  13. Hi there Sever22, and welcome to Malwarebytes.
If you haven't already, please get these programs, update and run a complete scan removing all items found.
Spybot Search & Destroy
Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
AVG AntiSpyware
Be sure to "take action"
Then go here and run a scan
PandaActive Scan
There is a full tutorial on how to do this at the top of this forum.
Post the logs from the Panda and AVG scans please, along with a log from this program
HiJack This!
You will post three logs.
1. AVG scan.
2. Panda Active Scan.
3. HiJack This scan.
You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  14. Well you didn't follow directions either. I don't know where you might have found that file but it looks like a Vundo file, and I don't see any new Vundo log etc...etc. I can't stress the importance of following instructions enough.
  15. Happy New Year to you also! I took the day off from forums. B) Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself.
Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.
Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.
Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program. AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
SpywareBlaster from Javacool Software
WinPatrol by BillPStudios
SiteHound by FireTrust
RogueRemover
hpHosts
For an excellent list of reliable free firewalls and antivirus programs see here.
  16. How did Ezulu get on your system? I couldn't tell you for sure. Your system is seriously infected and this usually happens due to lack of preventative measures and risky internet use. You have installed applications that are malware. Are you having NOD32 remove the items?
Also please uninstall your Adobe reader and update to version 8. Version 7 is known to be exploitable.
Make sure you have your system set to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
Burn4Free should be removed ASAP. http://www.sophos.com/virusinfo/analyses/burn4free.html
Run HJT again and put a check next to these items and click fix.
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [7853c498] rundll32.exe "C:\WINDOWS\system32\iqnysybo.dll",b
Reboot into Safe Mode please, by tapping the F8 key as soon as you restart the computer. Using Windows Explorer, locate the following files/folders, and delete them:
rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe
Exit Explorer, and reboot as normal afterwards.
If you were unable to find any of the files then please follow these additional instructions: Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot.
For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
Be sure to delete all old copies of Vundo, Smitfraud and Combofix you have on the system. Now let's run a new Vundo, be sure you delete the old and get this new again.
Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
And last but not least let's do a Panda scan and post those results.
  17. What Smitfraud listed was actually protection from bad sites that is in your hosts file. I removed the items, just for ease of reading through this thread. You want those items and more to keep you off bad sites.
Please remove this with HJT
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
Please get this tool and follow the instructions. We are making progress! You might get a Happy New Year.
Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum.
Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.
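Post 17 above makes a point worth checking mechanically rather than by eye: the hosts-file lines SmitfraudFix listed were blocklist entries (names sent to 127.0.0.1, the kind hpHosts and Spybot's immunize feature write), which protect the user, not hijacks. The script below is an added example, not part of the original thread and not part of SmitfraudFix, that separates the two cases: a name sunk to a local address is a block entry to keep, while a name mapped to any other address is a redirect that deserves a look (a vendor or update site pointed at a foreign IP is the classic hijack). The hosts file it reads is constructed for the example, using documentation addresses and reserved example domains.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed hosts file for this example (documentation IPs, reserved
# example names); not taken from any real machine.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.example      # typical hpHosts/Spybot block line
127.0.0.1       www.badsite.example
0.0.0.0         tracker.example
203.0.113.5     www.malwarebytes.org        # legitimate site pointed elsewhere
203.0.113.5     update.example-av.test
"""

# Addresses that "sink" a name: resolving to these blocks the site.
SINKS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}
# Names every hosts file maps locally; never interesting.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped.

    One line may carry several names, so each name becomes its own pair.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def classify_entry(addr: str, name: str) -> str:
    """'standard', 'block', 'redirect' or 'malformed' for one mapping."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if name in LOCAL_NAMES:
        return "standard"
    if ip in SINKS or ip.is_loopback:
        return "block"      # name is sunk locally: this is protection, keep it
    return "redirect"       # name resolves somewhere else: inspect this one


def triage_hosts(text: str) -> Dict[str, List[str]]:
    """Bucket every mapping in a hosts file by what it does."""
    buckets: Dict[str, List[str]] = {
        "standard": [], "block": [], "redirect": [], "malformed": []
    }
    for addr, name in parse_hosts(text):
        buckets[classify_entry(addr, name)].append(f"{name} -> {addr}")
    return buckets


if __name__ == "__main__":
    for kind, entries in triage_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:9} {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Only the "redirect" bucket needs a human decision; everything in "block" is the protection post 17 describes and should be left alone when a scanner lists it.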
  18. Does this mean you left part out? Or is it your editorial comment? I know the logs can be very long and sometimes they need to be put into more than one post. It is important that I see the entire log.
Please remove these lines with HJT:
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dulqxscj.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
Delete Smitfraud, Vundo fix and Combo fix from your system please. It looks like we got the Smitfraud. How is the machine running? See if you can get a Panda scan now please and post that.
  19. Sorry. I am not seeing the new Java installed and I need a new HJT log also please.
  20. OK, you still have not run the Smitfraud tool. You need to do that.
Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
* Double-click SmitfraudFix.exe
* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Clean:
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Double-click SmitfraudFix.exe
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
* Optional:
  o To restore Trusted and Restricted site zone, select 3 and hit Enter.
  o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also.
Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation.
  21. We are not finished. This must be a new version because RRP didn't remove it. Run HJT again and put a check next to these lines then click fix.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [spyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
Now please get this and run it. Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
* Double-click SmitfraudFix.exe
* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Clean:
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Double-click SmitfraudFix.exe
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
* Optional:
  o To restore Trusted and Restricted site zone, select 3 and hit Enter.
  o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
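Posts 10, 16, 18 and 21 above all hand the user specific HijackThis lines to tick and fix, and the reasons are the same few patterns each time: an O23 service whose binary is "(file missing)", an O2 BHO with "(no file)", an O4 autorun that loads a random-named DLL from system32 through rundll32, and entries belonging to programs the helper has already said to remove. The script below is an added example, not part of the original thread and not part of HijackThis, that applies those triage rules to a log and prints the lines a helper would ask the user to fix. The entry lines are the ones quoted in this thread plus the one benign SoundMan entry; the list of unwanted program names and the "eight lowercase letters under system32" heuristic for random names are assumptions made for the example and should be tuned for real logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry lines copied from the HijackThis logs quoted in this thread; the
# set as a whole is a constructed sample, not a complete log from any machine.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [7853c498] rundll32.exe "C:\WINDOWS\system32\iqnysybo.dll",b
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [spyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dulqxscj.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Every HijackThis entry starts with its section code: "O4 - ...", "O23 - ..."
HJT_ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Assumed heuristic: exactly eight lowercase letters as a file name directly
# under system32, the shape of the Vundo loader names quoted in this thread.
RANDOM_SYS32 = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)\b", re.I)
# Assumed list: programs this thread told the user to remove.
KNOWN_UNWANTED = ("burn4free", "my web search", "winantivirus pro", "spyclean")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, entry line) pairs for every HijackThis entry in text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def classify(section: str, line: str) -> Optional[str]:
    """Reason to fix this entry, or None if nothing in it stands out."""
    low = line.lower()
    if section == "O23" and "(file missing)" in low:
        return "service points at a binary that no longer exists (orphaned registration)"
    if section == "O2" and "(no file)" in low:
        return "BHO registration with no DLL on disk (orphaned registration)"
    if section == "O4" and RANDOM_SYS32.search(line):
        return "autorun loads a random-named file from system32 (Vundo-style loader)"
    if any(name in low for name in KNOWN_UNWANTED):
        return "entry belongs to a program this thread says to remove"
    return None


def triage(text: str) -> List[Finding]:
    """Every entry in the log that one of the rules above flags."""
    return [Finding(s, l, r) for s, l in parse_hjt(text) if (r := classify(s, l))]


def fix_list(text: str) -> List[str]:
    """The exact lines a helper would tell the user to tick in HJT and fix."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}")
        print(f"     {f.line}")
```

The orphaned O2/O23 rules are safe to act on mechanically, since there is no file to lose; the random-name rule is only a prompt to look, because the same eight-letter shape can occur in legitimate OEM software, which is why a helper still reads the full log before handing back a fix list.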
  22. Ok good work. Still more to do. We have it on the run though. B)
1. Download this file : http://download.bleepingcomputer.com/sUBs/combofix.exe
Or from here: http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation.
  23. Hi Brad and welcome to Malwarebytes. We have some work to do so let's get after it. You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. Now go to Add/Remove programs in your Control Panel and look for SpyClean and Wild Tangent, remove all if you find them. Grab a free trial of RogueRemover Pro from my signature and run a scan with it and immunize. Post back a new HJT log and we will see how it's going. Be sure to give me some feedback on performance etc too.
  24. Hi Ben and welcome to Malwarebytes. I don't know for sure how you got your Panda log into HTML format, but that is not how they are produced. There is a tutorial at the top of this forum on how to run a Panda scan and get the log. Please run it again and post the log, if you need to separate it into two posts go ahead and do that. Your AVG scan is also missing details. Did you remove the items found? Let's run this tool also:
Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.