JeanInMontana

Honorary Members
  • Posts

    3,859
  • Joined

  • Last visited

Everything posted by JeanInMontana

  1. OK, still evidence of infection. Run HJT again and put a check next to these items:
     O3 - Toolbar: The jokwmp - {459C681F-AA94-49B7-A55B-110D924E5FCE} - C:\WINDOWS\jokwmp.dll (file missing)
     O21 - SSODL: rmvgor - {8B16C638-553E-4067-962A-2268EDDE0A33} - C:\WINDOWS\rmvgor.dll
     O21 - SSODL: sapnet - {F9EF8D5B-4072-44BF-B287-E9F205D2AD28} - C:\WINDOWS\sapnet.dll
     Reboot and post a new log please.
  2. Great! Since this is resolved I will close the topic to prevent others from posting into it. The fixes and advice in this topic are for this PC only. Applying them to your PC can be disastrous. If you need help please register for free and post a new topic.
  3. Hi there, ps3gurl, and welcome to Malwarebytes. If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy
     Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
     AVG AntiSpyware
     Be sure to "take action".
     Then go here and run a scan: PandaActive Scan
     There is a full tutorial on how to do this at the top of this forum.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!
     You will post three logs.
     1. AVG scan.
     2. Panda Active Scan.
     3. HiJack This scan.
     You will finish the AVG first, so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  4. Hi there Rishi, and welcome to Malwarebytes. Please delete the version of HiJack This you have now and use the one posted below in my instruction. If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy
     Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
     AVG AntiSpyware
     Be sure to "take action".
     Then go here and run a scan: PandaActive Scan
     There is a full tutorial on how to do this at the top of this forum.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!
     You will post three logs.
     1. AVG scan.
     2. Panda Active Scan.
     3. HiJack This scan.
     You will finish the AVG first, so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  5. Well, good news about the Panda scan, but the 020 is still there. Run HJT again and put a check next to these below (if you did remove Spycatcher):
     O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
     O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
     O20 - AppInit_DLLs: secuload.dll
     Now let's also do this:
     1. Download this file: http://www.techsupportforum.com/sectools/combofix.exe
     2. Double click combofix.exe & follow the prompts.
     3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     Post that log and a new HJT.
  6. Hi rajeshk and welcome to Malwarebytes. Please post all replies in the body of your post, not as an attachment. You did not take action with AVG, nothing was removed. Please scan again and take action. You also didn't post your HiJack This log at all. We can proceed with the information from the Panda scan.
     Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4
     * Double-click VundoFix.exe to run it.
     * Click the Scan for Vundo button.
     * Once it's done scanning, click the Remove Vundo button.
     * You will receive a prompt asking if you want to remove the files, click YES.
     * Once you click yes, your desktop will go blank as it starts removing Vundo.
     * When completed, it will prompt that it will reboot your computer, click OK.
     * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     Post the log from this and then a HJT log please in your next reply.
  7. Move HJT from your desktop to program files.
     1. Download this file: http://www.techsupportforum.com/sectools/combofix.exe
     2. Double click combofix.exe & follow the prompts.
     3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     Post the log from Combofix and a new HJT log please.
  8. It's always nice to hear someone appreciates the effort. I am not alone in this endeavor by any means. Since this is resolved I will close the topic to prevent others from posting in it. The fixes in this topic are for this machine only. Applying them to your system can result in ruination. Start your own topic and someone will be happy to assist you.
  9. Hi Tippu and welcome to Malwarebytes. Delete all the files in your quarantine folder for AVG. Then please do the following:
     Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
     Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
     * Double-click SmitfraudFix.exe
     * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
     Clean:
     * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
     * Double-click SmitfraudFix.exe
     * Select 2 and hit Enter to delete infected files.
     * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
     * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
     * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     * Optional:
       o To restore Trusted and Restricted site zone, select 3 and hit Enter.
       o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
     Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
     Please post that log and then do a scan here: PandaActive Scan
     There is a full tutorial on how to do this at the top of this forum.
     Now please post the log from the Panda scan and a new HJT log. You need to uninstall your Java program and delete all program files. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation.
  10. Sorry to see you back Junior40. Sorry to have you back under these circumstances is what I mean. You are indeed infected again. I need you to do a few things for me. First move HJT from your desktop to your program files. Second, uninstall your current Java and delete the program files. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. I would also recommend getting rid of Ares. P2P file sharing is extremely dangerous and often illegal. Now please do the following.
     Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
     Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
     * Double-click SmitfraudFix.exe
     * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
     Clean:
     * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
     * Double-click SmitfraudFix.exe
     * Select 2 and hit Enter to delete infected files.
     * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
     * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
     * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     * Optional:
       o To restore Trusted and Restricted site zone, select 3 and hit Enter.
       o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
     Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
     Please post this log and a new HJT log in your next post.
  11. Hi there mystoran, and welcome to Malwarebytes. Unfortunately you downloaded an outdated version of HJT and it shows nothing concrete as the root of your troubles. The site you're being redirected to is a bad site, but I need to see the logs from the programs below to try and find the root. If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy
     Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
     AVG AntiSpyware
     Be sure to "take action".
     Then go here and run a scan: PandaActive Scan
     There is a full tutorial on how to do this at the top of this forum.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!
     You will post three logs.
     1. AVG scan.
     2. Panda Active Scan.
     3. HiJack This scan.
     You will finish the AVG first, so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  12. Hi nicko75, no I did not forget. Yesterday was a holiday and I'm not feeling real great either. Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself.
     Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.
     Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program. AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts
     For an excellent list of reliable free firewalls and antivirus programs see here.
  13. I didn't have any seconds...didn't make it out of the house. Anyway, the HJT log should always be run after any other scans. It gives me information on whether the scan has removed the malware. I edited out the Smitfraud, because it is showing your entire hosts file and I don't need to see that. So what I need now is a HJT log run after the Smitfraud. You don't need to run Smitfraud again, just give me a HJT log please.
  14. Hi again. Hope you had a good Thanksgiving Holiday, if you celebrate. Make sure you have your system set to show hidden files. This may be why you couldn't find the ones requested to scan. Please set your system to show all files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     Now let's clean up a bit with HJT. Please put a check next to the items below and click fix when done.
     O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Dbycjzow\ohirtsbs.dll
     O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - C:\WINDOWS\system32\cbxwtus.dll
     O2 - BHO: (no name) - {4AE396DB-00D3-4284-825C-4D15D09EB15F} - C:\WINDOWS\system32\khfcb.dll (file missing)
     O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     O20 - Winlogon Notify: kgapqhtv - kgapqhtv.dll (file missing)
     O20 - Winlogon Notify: winocp32 - winocp32.dll (file missing)
     Reboot and run this please:
     Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
     Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
     * Double-click SmitfraudFix.exe
     * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
     Clean:
     * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
     * Double-click SmitfraudFix.exe
     * Select 2 and hit Enter to delete infected files.
     * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
     * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
     * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     * Optional:
       o To restore Trusted and Restricted site zone, select 3 and hit Enter.
       o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
     Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
     Post this log and a new HJT log. You also need to remove your current version of Java, delete the program file also and get the latest version. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation.
  15. Hi mrhorus87 I am asking a Microsoft Most Valued Professional who is also a good friend to come in and help with your situation. Please follow his instructions, he is an expert and far more qualified than I am. I have some things coming up I won't be able to stick with you and it is crucial at this point. You will be in good hands.
  16. You are still seriously infected. Be patient and persistent. Please scan the following files here http://www.virustotal.com
     C:\Program Files\fyrqpedo\dofetsvs.dll
     C:\Documents and Settings\All Users\Application Data\lwxahujo.dll
     C:\Documents and Settings\All Users\Application Data\gpmvsnyz.dll
     C:\Documents and Settings\All Users\Application Data\ninyrgbg.dll
     C:\Documents and Settings\All Users\Application Data\topevkzs.dll
     You will have to do one at a time and may be in a wait "line"; please post what the results are. Now I need you to run these scans also.
     Download SDFix and save it to your Desktop. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
     Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; instead of Windows loading as normal, the Advanced Options Menu should appear; select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account.
     Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Finally copy and paste the contents of the results file Report.txt back onto the forum.
     After you post that log I need the results from this scan also please.
     1. Download this file: http://www.techsupportforum.com/sectools/combofix.exe
     2. Double click combofix.exe & follow the prompts.
     3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     Then a HJT log, but remove the version you're using and get this one please: HiJack This!
  17. OK. I also would like a log from this program before the HJT log please. I had to track down a working link. http://www.techsupportforum.com/sectools/Deckard/dss.exe
     ComboScan
     1. Close all applications and windows.
     2. Double-click on comboscan.exe to run it, and follow the prompts.
     3. When the scan is complete, a text file will open - ComboScan.txt
     4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
     5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
     6. Please copy and paste the contents of Supplementary.txt to your post.
     Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
  18. What program made the first log? Just curious. You have some serious infections and I recommend you stick with the fix and get it done, if you can't get the machine offline. This has grown from your last posting. Let's start with these. Please follow instructions carefully and exactly, also in the order posted.
     Uninstall the Beta version of HJT and get the regular release here: HiJack This!
     Download SDFix and save it to your Desktop. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
     Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; instead of Windows loading as normal, the Advanced Options Menu should appear; select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account.
     Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
     ComboScan
     1. Close all applications and windows.
     2. Double-click on comboscan.exe to run it, and follow the prompts.
     3. When the scan is complete, a text file will open - ComboScan.txt
     4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
     5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
     6. Please copy and paste the contents of Supplementary.txt to your post.
     Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
     Finally copy and paste the contents of the results file Report.txt back onto the forum.
     Reboot and do this:
     Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4
     * Double-click VundoFix.exe to run it.
     * Click the Scan for Vundo button.
     * Once it's done scanning, click the Remove Vundo button.
     * You will receive a prompt asking if you want to remove the files, click YES.
     * Once you click yes, your desktop will go blank as it starts removing Vundo.
     * When completed, it will prompt that it will reboot your computer, click OK.
     * Please post the contents of C:\vundofix.txt.
     Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     Now after all these logs, a new HJT log with the version above, not the beta. You can post the logs as you run the scans, as they will be long and it is easier to keep straight if they are each a post of their own.
  19. Hi mvz2102 and welcome to Malwarebytes. The best way to proceed is to do this please. Move HJT from your desktop to program files.
     Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4
     * Double-click VundoFix.exe to run it.
     * Click the Scan for Vundo button.
     * Once it's done scanning, click the Remove Vundo button.
     * You will receive a prompt asking if you want to remove the files, click YES.
     * Once you click yes, your desktop will go blank as it starts removing Vundo.
     * When completed, it will prompt that it will reboot your computer, click OK.
     * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
  20. Panda does show an infection.
     Files\Content.IE5\SZL5HIBK\asg_install[1].exe[AntiSpygolden 5.1.exe]
     Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
     Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
     Get this program http://www.ccleaner.com/download and run a scan and remove all it says there is to remove. Then run Panda again and post the log please.
     Remove this line with HJT:
     O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
     Be sure to give me feedback too.
  21. Just because I don't see it doesn't mean you're clean. You're running an outdated version of SB S&D. I never saw logs from two programs I requested. I can't say you're clean at all.
  22. OK, I know what you're running for security, it all shows in your HJT log and the other things we have run. BUT RegCure is malware. EEEEKKKK !!!! Uninstall it ASAP. Get RogueRemover, either a free trial of the pro version from the link in my signature or the free version from the downloads page on this site, run a scan and remove everything it finds. Delete Combofix and Smitfraud from your system. Both are updated regularly and will be useless in a few days if not already. I don't see a firewall and that is crucial. The SP2 firewall is worthless. I see the bad file is back in your log, the 020 line. Run RogueRemover. Do a Panda scan and post the results. Get a new Smitfraud, use the link previously, but not the one you have. Post that log and a new HJT. So that is 3 logs: Panda ....Smitfraud and HJT, in that order please.
  23. This is an English speaking forum for the most part. To the best of my knowledge there are no helpers here that can read the log you posted. Please begin the process from the beginning with the scans you were requested to do before and post in English.
  24. Hello topgunzx and welcome to Malwarebytes. Never run special fixes like Vundo unless under the guidance of someone with experience to advise you. P2P is dangerous as you have found out and key generation programs are illegal. Since you have run the scan I will need to see some new logs please. Please follow the instructions carefully. If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy
     Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.
     AVG AntiSpyware
     Be sure to "take action".
     Then go here and run a scan: PandaActive Scan
     There is a full tutorial on how to do this at the top of this forum.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!
     You will post three logs.
     1. AVG scan.
     2. Panda Active Scan.
     3. HiJack This scan.
     You will finish the AVG first, so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  25. Please fix this line with HJT:
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     Then please get a free trial of RogueRemoverPro from the link in my signature and scan with it. Remove everything it finds. Then run Panda scan again and post the log please, along with a new HJT log.
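The HijackThis item lines quoted in posts 1, 5, 14, 20 and 25 above (O2 BHO, O3 Toolbar, O4 Run, O20 AppInit_DLLs / Winlogon Notify, O21 SSODL) share one layout, and the helper told posters to fix entries that were unnamed, pointed at missing files, or loaded oddly named DLLs from the Windows directory. The parser below is an added example, not a forum tool and not part of HijackThis; the sample lines are copied from those posts, and the scoring rules are assumptions that rank lines for a human reviewer rather than deciding anything.

```python
"""Triage helper for HijackThis (HJT) item lines such as the O2/O3/O4/O20/O21
entries quoted in the posts above. Added example: not a forum tool and not
part of HJT. Flags are leads for a human to check, not verdicts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the posts (constructed input for this example).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Dbycjzow\ohirtsbs.dll
O2 - BHO: (no name) - {4AE396DB-00D3-4284-825C-4D15D09EB15F} - C:\WINDOWS\system32\khfcb.dll (file missing)
O3 - Toolbar: The jokwmp - {459C681F-AA94-49B7-A55B-110D924E5FCE} - C:\WINDOWS\jokwmp.dll (file missing)
O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: kgapqhtv - kgapqhtv.dll (file missing)
O21 - SSODL: rmvgor - {8B16C638-553E-4067-962A-2268EDDE0A33} - C:\WINDOWS\rmvgor.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): ?(.*)$")       # "O21 - SSODL: <value>"
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
MODULE_RE = re.compile(r"[\w.-]+\.(?:dll|exe)\b", re.IGNORECASE)
WINDIR_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    raw: str
    section: str            # O2, O3, O4, O20, O21 ...
    kind: str               # BHO, Toolbar, HKLM\..\Run, AppInit_DLLs ...
    value: str
    path: Optional[str]     # full drive path if the line carries one
    module: Optional[str]   # bare DLL/EXE name
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def _consonant_heavy(module: str) -> bool:
    """Random-looking names (jokwmp, kgapqhtv) have very few vowels. Weak
    signal only: legitimate names such as msmsgs.exe trip it too."""
    letters = [c for c in module.rsplit(".", 1)[0].lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def parse_line(line: str) -> Optional[Finding]:
    """Parse one HJT item line; returns None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, value = m.groups()
    path_m = PATH_RE.search(value)
    mod_m = MODULE_RE.search(value)
    f = Finding(line.strip(), section, kind, value,
                path_m.group(0) if path_m else None,
                mod_m.group(0) if mod_m else None)
    # Each rule mirrors something the posts above treated as a reason to fix the line.
    if "(file missing)" in value or "(no file)" in value:
        f.flags.append("points at a file that is no longer present")
    if "(no name)" in value:
        f.flags.append("component has no name")
    if f.path and WINDIR_DLL_RE.match(f.path):
        f.flags.append("DLL dropped directly in the Windows directory")
    if kind == "AppInit_DLLs" and value.strip():
        f.flags.append("AppInit_DLLs entry is loaded into every process that uses user32")
    if f.module and _consonant_heavy(f.module):
        f.flags.append("random-looking module name")
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every item line and return findings, most suspicious first."""
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.section:<4} {f.module or '-':<16} {'; '.join(f.flags)}")
```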