Hi there (especially Gringo), I'm infected with Trojan.Ransom and PUM.UserWLoad and I can't remove them. I have run Malwarebytes 2 times and it is always reporting that the 2 viruses are there. Then I followed the instructions in this post: http://forums.malwarebytes.org/index.php?showtopic=125970

Here are the logs:

FROM: SECURITY CHECK

Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware versione 1.75.0.1300
JavaFX 2.1.0
Java 6 Update 21
Java 7 Update 17
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (20.0.1)
Google Chrome 26.0.1410.43
Google Chrome 26.0.1410.64
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

FROM: ADWCLEANER

# AdwCleaner v2.301 - Logfile creato il 21/05/2013 alle 14:54:23
# Aggiornamento 16/05/2013 by Xplode
# Sistema Operativo : Windows 7 Professional Service Pack 1 (32 bits)
# Utente : superscommesse - SUPERSCOMMESSE1
# Modalità Avvio : Modalità Normale
# Eseguito da : C:\Users\superscommesse\Downloads\adwcleaner.exe
# Opzioni [Elimina]

***** [Servizi] *****

***** [File / Cartelle] *****

***** [Registro] *****

***** [Browser Internet] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registro Pulito.

-\\ Mozilla Firefox v20.0.1 (it)

File : C:\Users\superscommesse\AppData\Roaming\Mozilla\Firefox\Profiles\ko1tullc.default\prefs.js

[OK] File Pulito.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\superscommesse\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File Pulito.

*************************

AdwCleaner[R1].txt - [3137 octets] - [21/05/2013 14:44:23]
AdwCleaner[S1].txt - [3089 octets] - [21/05/2013 14:45:32]
AdwCleaner[S2].txt - [993 octets] - [21/05/2013 14:54:23]

########## EOF - C:\AdwCleaner[S2].txt - [1052 octets] ##########

FROM: RogueKiller

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : superscommesse [Admin rights]
Mode : Scan -- Date : 05/21/2013 15:04:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][BLACKLISTDLL] HKLM\[...]\Run : bit4id csp store register (M) ("RUNDLL32.EXE" "C:\Windows\system32\bit4upki-store.dll",RegisterMyPhysicalStore) -> Trovato
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\superscommesse\Local Settings\Temp\mspzuya.com) [x] -> Trovato
[SHELL][SUSP PATH] HKUS\S-1-5-21-1060465878-1994809615-1601912546-1004[...]\Windows : Load (C:\Users\superscommesse\Local Settings\Temp\mspzuya.com) [x] -> Trovato
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{2D56DD36-113C-4408-AD8C-EBCD84D7FE78} : NameServer (83.224.70.54 83.224.70.77) -> Trovato
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{2D56DD36-113C-4408-AD8C-EBCD84D7FE78} : NameServer (83.224.70.54 83.224.70.77) -> Trovato
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> Trovato
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> Trovato
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> Trovato

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[84] : NtCreateSection @ 0x8302E13D -> HOOKED (Unknown @ 0x923F06A6)
SSDT[299] : NtRequestWaitReplyPort @ 0x83048B22 -> HOOKED (Unknown @ 0x923F06B0)
SSDT[316] : NtSetContextThread @ 0x830E8851 -> HOOKED (Unknown @ 0x923F06AB)
SSDT[347] : NtSetSecurityObject @ 0x8300C7F7 -> HOOKED (Unknown @ 0x923F06B5)
SSDT[368] : NtSystemDebugControl @ 0x830907D2 -> HOOKED (Unknown @ 0x923F06BA)
SSDT[370] : NtTerminateProcess @ 0x83065D86 -> HOOKED (Unknown @ 0x923F0647)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x923F06CE)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x923F06D3)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320423AS +++++
--- User ---
[MBR] a8d4a54cad1c03eae46a74b9dbd624e4
[BSP] 6c7757e8933a95df1fb93ccb70fd20e5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05212013_02d1504.txt >>
RKreport[1]_S_05212013_02d1504.txt