JeanInMontana

I saw that. That's why I'm instructing a new download. Thanks.

The tool has been updated again, please get the latest version and run again, post the log.

Due to lack of response this will be closed.

Printer.exe was part of the infection and we deleted it with HJT. Let's clean this up with HJT O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing) You need to get the current version of Java, your running an exploitable version. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. Your new version should be 1.6 update 3. C:\Program Files\VIDCAP32.EXE <===== I'm not finding anything good about that file. Does it still exist on the machine? If so please scan it here http://www.virustotal.com/ and if they report it being bad uninstall the program and delete all files related.

OK make sure you have the system set to show hidden files. Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Make sure you are using an administrator account. Turn off Tea Timer in Spybot Search & Destroy. Let's start this over from the beginning, and run Smitfraud again, and post the log. Delete the copy of Smitfraud you have and download it again.

You can destroy your system deleting things I need to see the log.

Hi there GuitarDude, and welcome to Malwarebytes. Sounds like you do have a nasty, let's run these scans and see just what we are dealing with. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy Be sure to use the immunize feature. AVG AntiSpyware Be sure to "take action" Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.

Hi cmkookah and welcome to Malwarebytes. You should never run tools on your system unless you are sure of what your doing. You have a Vundo infection, Smitfraud will not remove it. Please only perform actions you are requested to do. Since you are running AVG please do remove everything it finds and post that log and follow the instructions below. Please download VundoFix.exe to your desktop. http://www.atribune.org/ccount/click.php?id=4 * Double-click VundoFix.exe to run it. * Click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. * Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Your experiencing normal infection tactics. Let's try this. 1. Download this file : http://www.techsupportforum.com/sectools/combofix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall

OK, fix the lines below with HJT, put a check in the box for each one and click fix. F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - Close HJT and get this program below, it should get your desktop back and finish off the beast. 1. Download this file : http://www.techsupportforum.com/sectools/combofix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Hi jifster, and welcome to Malwarebytes. Please delete the quarantine files in AVG and make sure your system is set to show hidden files and folders. Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone. Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

Closing for lack of response.

OK that makes sense. CCleaner probably took it away also, but you can delete the backup folder items in HJT also. Then they won't confuse any tools in the future. So, now, because of my blunder with the name of the developer, we have a new version made of the program. The file identified by Panda was not detected by the tool, and now it is. Everything happens for a reason. Please download the new version, delete the old and start with option 2 again. Follow those directions and we will go from there.

It has been brought to my attention I made a terrible misspelling of the Navipromo tool developer's name. IL-MAFIOSO please forgive me and thank you for the advice and great tool! Paul, we need that log please and I have instructions from the developer that is important.

Since this topic appears resolved I will close the thread. Thanks to Tigger93 for your great work. The fixes in this topic are for this machine and applying to your machine can lead to total disaster. If you need help please start your own topic and we will gladly help you.

Hi Dariken, and welcome to Malwarebytes. It is a rogue application. Don't install unless you want lots of problems. What are you looking for? All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. Spybot Search & Destroy Be sure to use the immunize feature. TeaTimer is very good, but can be very confusing to users not very familiar with the registry and how it works. It tends to give many warnings and the user must make choices whether to allow actions or not. AVG AntiSpyware Be sure to "take action" SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts For an excellent list of reliable free firewalls and antivirus programs see here .

OK what do you know about this file: Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe How did anything get into the backup files of HJT? Normally that only happens if something has been removed using the program. There is no doubt GameBox is what gave you the rootkit. It is well documented as a source for Navipromo. That is the name of the infection you have, it is hard to find as it hides itself. Hurrah to ILLMAFIOSO for making this tool. On to the cleaning. Double click on Navilog1 shortcut icon on your desktop to run it. * Press E for English from the language Menu. * Type 2 in the next Menu and press Enter. * The tool will then advise you that it will restart your computer. * Close all open windows and save personnal documents, if open, too. * If your computer doesn't restart automatically, restart it manually. * Choose your usual session. * Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time) * A new document will be produced. * Please copy/paste the contents of this report in your next reply. * Your desktop will now appear. Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

We are still not on the same page with this. My first post said I guess I need to add for all programs used maybe? I am still wondering what that line is all about with the backup in HJT.Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lbxndbxodi.exe Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\Temp\NSIS_Install_igb.exe Virus:Trj/Spammer.ADX Disinfected Personal Folders\Junk E-mail\Something hot\game.zip[game.exe] Delete the backup item shown avove. Delete the item in your junk mail folder. If Internet GameBox is showing in Add/Remove programs, uninstall it. Run this program http://www.ccleaner.com/download/ remove everything it finds. Now please get this: Please download Navilog1 by IL-MAFIOSO: http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip * Extract its contents to the desktop. * Double click on navilog1.exe to install it on your computer. * When the installation is complete, the tool will start automatically. * If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it. * Press E for English from the language Menu. * Type 1 in the next Menu to select Search and press Enter. * Wait for the Scan to finish (It may take a reasonable amount of time) * Press any key as requested . * A new document will be produced: fixnavi.txt. * Please copy/paste the contents of this report in your next reply. The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt) I also need to tell you, since this is a rootkit, you are in danger of identity theft and should contact all banking, credit card companies etc and change account details. Also while I do think we can remove the rootkit, there is always the possibility we won't get it all. The only absolute way to be sure is a reformat of the hard drive, which removes everything and you start over as if the PC were new. If you decide to proceed with the fixes. Follow the instructions above and post the log. If you decide a reformat is your best option please let me know so I can close this thread and move on.

Hi Paul. What gave you the idea AVG found two rootkits? You didn't take any action on the cookies it found or what Panda found. There is no point in scanning just for the sake of scanning. Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe Did you remove something with HJT? This file shows something in the backup folder for HJT. Now these below are rootkits but they don't show in the AVG. So I'm concerned you have taken action on your own. I can't proceed until I know what you may have done. Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lbxndbxodi.exe Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\Temp\NSIS_Install_igb.exe

Since this issue has been resolved I will close the thread. The fixes in this thread are for this system only, applying them to your system can result in utter disaster. To get help start your own thread and someone will be happy to help you.

Well, let's just say, reviewer rankings don't actually reflect a whole lot. I don't know what a "bogus web site developer" actually means. The guy does make web sites and he seems to be advocating rape. IMO that is much more alarming than anything else. SA hasn't actually rated it at all. I didn't get a reply to my email, not that I expected one really. Although I was kind of looking forward to [word removed] slapping him with words a bit more.

It is going to be very difficult for anyone to determine what the might be if you don't provide some information about what you have installed. Infections will also cause behavior like this. I agree it is probably something on the systems you mention, so in light of this, what are the commonalities? Do you all have a specific program installed?

Maybe you have a rogue blocking it. Is the version the same?

Hi there Paulh45, and welcome to Malwarebytes. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy Be sure to use the immunize feature. AVG AntiSpyware Be sure to "take action" Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.

The latest version is 1.22. I can't tell what version Major Geeks has. But this is current http://www.freewarefiles.com/files/hds/rr-free-setup.exe