JeanInMontana

Everything posted by JeanInMontana

  1. I was fairly sure of the CF logs from the location of items, but these operations can also cause damage and I stay away from guessing. LOL Malware does strange things also, I had to check. I think we have made good progress. This is a new and not well detected version you managed to get. Please run HJT again and put a check next to these items:
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
     O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing) <==== clean up
     Is the Adobe Distiller program updated? It is version 7 and Adobe is at 8. If you're feeling everything is cleaned up there is a final step. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start > Control Panel > System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start > Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.
     Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts
     For an excellent list of reliable free firewalls and antivirus programs see here. It would also be a good idea to run the disk error checker and then do a defragmentation. These infections make a mess of the entire system.
  2. That is the normal format for VT scans. Looks like the file is either clean, very new with no detection, or it didn't actually get scanned. Is the last a possibility? How are you running? Another HJT log please. I'm going to be out of town with limited access to the net for the next few days. I will check on this tonight.
  3. Do NOT run anything unless you are advised to do so. Get Java and Adobe updated now. They are a risk for reinfection. I meant the logs from before the work we have already done, just for a double check for myself. I just did a quick scan now, and need to do a more thorough analysis later. I have posted for someone to take your other threads. You can sign on to them or have the user sign on and see if they are OK. Sometimes they will be, others they won't.
  4. OK I will be out of town for the next 3 days. I won't reply to your other topics because of this. I will post to alert another person equally or more qualified to help you. For this account:
     2007-10-09 17:03 <DIR> d-------- C:\Program Files\XoftSpySE
     2007-10-09 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group
     I recommend getting rid of the programs associated with those files. While they are not considered rogue, they teeter on the edge and are not a program I support or respect. They will let you down. Having said that, the following are suspicious unless you know better.
     2007-09-27 17:11 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
     2007-09-27 17:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
     2007-09-27 17:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
     2007-09-26 15:49 <DIR> d-------- C:\Program Files\uTorrent
     2007-09-26 15:49 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\uTorrent
     This below remove with HJT by placing a check next to it and choosing fix.
     O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
     Reboot. Run HJT again and look for the entry. If it is still there get this:
     Author: Option^Explicit
     License: Freeware
     Download Location: KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe
     Operating System: Windows
     File Description: Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.
     Usage Information: Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.
     Copy and paste the file name into the program and let 'er rip. If you saved the Panda log and AVG please post those also. You need to update Java and Adobe. Both are exploitable versions. Java current version is 1.6 update 2 and Adobe is 8. Get this done soon for your benefit. See you in SecondLife?
  5. Hi again. You can leave the IE download protection, it's just Tea Timer that may stop changes to the system that we need to happen. I also took out all the host file stuff from the CF log. I didn't understand what you meant when you said it was too long... hehe, it will make it easier to follow the thread. Now I am not sure if there is a language choice in CF. I think part of your log is in German. I'm not sure, but I don't speak/read the language that is in parts of the log. I can see things we still need to fix. Please, uninstall NoAdware if it is present. I would also uninstall SpySweeper, it has started adding adware to the program. Please download this file:
     Author: Option^Explicit
     License: Freeware
     KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe
     Operating System: Windows
     File Description: Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.
     Usage Information: Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.
     C:\WINDOWS\System32\alertic.exe <==== get that file
     and post a new HJT log please. Let me know if symptoms are better, worse etc. I'm leaving town in the morning and will have internet access but not til evening. Just so you don't think you're abandoned.
  6. We are making progress. Yes, Adobe has been a route for evil. There is nothing these miscreants won't try to use to gain entrance. You need to get this program:
     Author: Option^Explicit
     License: Freeware
     Download Location: KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe
     Operating System: Windows
     File Description: Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.
     Usage Information: Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.
     Use it to get this file:
     AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
     Scan this file C:\WINDOWS\xlavra.exe here http://www.virustotal.com/ and post the results for me please.
  7. You do NOT run CF with anything else at the same time. I will do my best to keep up with your topic. I am busy also. We are in the same time zone. That helps.
  8. You should clean one account at a time. Open a new thread for each one. I don't use the procedures in the preposting instructions but they are not going to do harm. The link for CF works fine for me. That site is the same as your link only with the creator's name added to the url. But that is fine, whatever link works for you. Please post the log for that and a new HJT.
  9. Hi bloodrayne03 and welcome to Malwarebytes. You will have to clean every account on the machine to totally rid it of infection. This infection has started a new turn in causing the control panel loss. I saw my first case just in the last day or two.
     1. Download this file: http://www.techsupportforum.com/sectools/combofix.exe
     2. Double click combofix.exe & follow the prompts.
     3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  10. This is bad.
     2007-09-29 19:43 --------- d-----w C:\Program Files\PokerStars
     I'm betting that is where you got your infection. Look for that in Add/Remove programs and uninstall. Delete all files associated with the program. How is the machine running? Did you get your old start menu back? You are running a seriously outdated and exploitable version of Adobe Acrobat Reader. You need to update that ASAP. Run HJT again and put a check next to these and then click fix and ok.
     O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
     O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
  11. OK, well SmitFraud isn't working. Be sure you have turned off Tea Timer in SB S&D. This can interfere with the fix. Let's try this tool. http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe Save it to your desktop and double click to run. Be sure you don't click your mouse during the scan, as it can freeze the program. Post the log here for me to see.
  12. Umm wow.... this is a new one on me. Give ComboFix a try and see if it runs. Is the Control Panel icon in My Computer? Maybe your start menu style has gotten changed?
  13. Hi Katydid, and welcome to Malwarebytes. We can't offer you support while your machine is illegal. It is going to continue to be infected without the proper updates and it is against our site policies to engage in any type of actions with illegal software. My advice is get a legal copy of Windows and install it on your PC. Best of luck.
  14. You have to be logged on as the administrator of the machine. You need to do that for all this process.
  15. OK here we go. Turn off the Tea Timer function in Spybot Search & Destroy. Please run HJT again and put a check next to the following items.
     F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
     O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
     O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
     Click fix and OK. Close HJT and get this program:
     1. Download this file: http://www.techsupportforum.com/sectools/combofix.exe
     2. Double click combofix.exe & follow the prompts.
     3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  16. You're not following directions. You have a smitfraud infection. Turn off the TeaTimer function in Spybot Search & Destroy. Move Smitfraud to your desktop and follow the directions for how to run it; read carefully, it must be run in safe mode. Use two posts if needed to post the entire log.
  17. Norton is a notorious resource hog and not the highest rated in performance either. Plus you have to fork out big bucks. hpHosts doesn't turn anything off. It blocks bad sites. It uses no resources. There is a free version of RogueRemover. If you don't pay for the license for Pro after the trial it reverts to the free version. I thought that was explained...oops. I would try doing some basic maintenance again. Most likely your HD is fragmented with all the new installations and who knows what the shop did.
  18. Normally Smitfraudfix would have taken care of your problem. But maybe you had an old version. We will try again. Print or copy these instructions to Notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
     Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe
     * Double-click SmitfraudFix.exe
     * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Be sure to post this log.
     Clean:
     * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
     * Double-click SmitfraudFix.exe
     * Select 2 and hit Enter to delete infected files.
     * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
     * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
     * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     * Optional:
       o To restore Trusted and Restricted site zone, select 3 and hit Enter.
       o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
     Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
  19. It's the infection locking it up Dave. Move on to the AVG and Panda please and post those logs.
  20. When did you run Smitfraudfix? Do you have your system set to show hidden files and folders? If not please do. Please set your system to show all files:
     Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     I understand how frustrating it is for you to have these infections, but you can't continue running tools on your own. It just won't work and can end up doing damage to your system.
  21. OK I need to see some logs. Please follow the instructions below just as they are listed. If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy - Be sure to use the immunize feature.
     AVG AntiSpyware - Be sure to "take action".
     Then go here and run a scan: PandaActive Scan. There is a full tutorial on how to do this at the top of this forum.
     Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!
     You will post three logs.
     1. AVG scan.
     2. Panda Active Scan.
     3. HiJack This scan.
     You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  22. I'm sorry it ended like this. This is a new development with this malware I have found. Prevention is your best defense. I recommend you install the programs below. And I hope you're not back soon either.
     Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
     SpywareBlaster from Javacool Software
     WinPatrol by BillPStudios
     SiteHound by FireTrust
     RogueRemover
     hpHosts
     For an excellent list of reliable free firewalls and antivirus programs see here.
  23. Hi Dave.... and welcome to Malwarebytes. Where did you find it? Is it in your Add/Remove programs? Details please.
  24. You're welcome, just be sure to post the logs in a new topic in the proper forum.
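Several of the posts above hand the user HijackThis (HJT) entries to fix: an F2 Shell= line with a second program chained after Explorer.exe, O4 Run-key entries, O20 AppInit_DLLs, and O23 services or O9 items marked "(file missing)". The following is an added example, not HJT's, Malwarebytes' or the poster's own code: it applies simple triage rules to a log constructed from the entries quoted on this page. The severity rules and the small system32 allowlist are the example's own assumptions, not HJT's logic.

```python
"""Triage HijackThis (HJT) log lines like those quoted in the posts above.
Added example, not HJT's or the forum's own code: the sample log is constructed
from entries on this page; severity rules and the allowlist are assumptions."""
import re
from typing import List, Tuple

# Constructed sample log (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
"""

# Assumed allowlist: Run-key binaries that legitimately live in system32.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|dat|sys)\b", re.IGNORECASE)

Finding = Tuple[str, str, str, str]  # (HJT code, severity, path, reason)

def triage_line(line: str) -> List[Finding]:
    """Apply the triage rules to one HJT line; unknown line types yield nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    paths = PATH_RE.findall(body)
    path = paths[0] if paths else ""
    findings: List[Finding] = []
    if code == "O20" and "AppInit_DLLs:" in body and path:
        # Loaded into every process that links user32.dll: a persistence
        # point almost never legitimately set on a home PC.
        findings.append((code, "high", path, "AppInit_DLLs set"))
    elif code == "F2" and "Shell=" in body:
        # Anything chained after Explorer.exe runs at every logon.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            findings.append((code, "high", path, "Shell= runs more than Explorer.exe"))
    elif code == "O4" and path:
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in path.lower() and name not in KNOWN_SYSTEM32_RUN:
            findings.append((code, "medium", path, "unknown Run-key binary in system32"))
    elif code == "O23" and "Unknown owner" in body:
        findings.append((code, "medium", path, "service with unknown owner"))
    if "(file missing)" in body:
        # Orphaned entry: harmless now, but remove it so it cannot be reused.
        findings.append((code, "low", path, "target file missing"))
    return findings

def triage_log(text: str) -> List[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]
```

On the constructed log this yields two high findings (the F2 Shell= chain and the O20 AppInit_DLLs entry), flags WinAvXX.exe in system32 for review while passing CTFMON.EXE, and marks the orphaned FlashGet and alertic.exe entries for clean-up.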