jwbirdsong

Trusted Helpers
  • Content Count

    262
Posts posted by jwbirdsong

  1. Would you repeat the OTMoveIt instructions from above, except start your computer in Safe Mode first.

    (The only file you really need to copy/paste into the box is C:\WINDOWS\system32\iifdbxv.dll. You don't need to do the rest of the list.)

    That should get rid of it.

    Post a fresh ComboFix log please.

    Also post a Panda log (below)

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

  2. Let me have a look at this son-of-a-gun before we get rid of it.

    Please go here to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for this filename: C:\WINDOWS\system32\iifdbxv.dll
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    Please download the OTMoveIt by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
      C:\WINDOWS\system32\iifdbxv.dll
      C:\QooBox\
      J:\My Files\Backup\download\normal.zip
      D:\Game Files\Patches and Cracks\Battle Realms CRACK.exe

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Reboot if OTMoveIt didn't reboot for you (I'm betting it did).

    Then redo the last step where you dragged combofix-do.txt over ComboFix and let it run.

    (IF you get any popups about changes to the registry make sure to ALLOW them)

    Post the latest Combofix log please.

  3. Click here to download HJTsetup.exe

    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  4. Sorry connection problems last two days..

    Just wondering if Symantec is causing problems with these other tools?

    Yeah, it seems to as often as not.

    Copy the following to Notepad and save to your desktop as combofix-do.txt

    Files::
    C:\WINDOWS\SYSTEM32\iifdbxv.dll

    Folder::
    C:\VundoFix Backups

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{634C7583-74C6-4FEF-BD06-9721761A6815}"=-

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634C7583-74C6-4FEF-BD06-9721761A6815}]

    Now drag the file you just made on top of ComboFix and drop it. It will start ComboFix running by itself.

    Combo-Do.gif

    After reboot

    Clean your Cache and Cookies in IE:

    Go to Control Panel > Internet Options > General tab.

    Click the "Delete Cookies" button and then the "Delete Files" button next to it.

    When prompted, place a check in: "Delete all offline content",

    (You will have to re-enter passwords at websites that require them.)

    Click OK

    Clean other Temporary files + Recycle bin:

    Go to start > run and type: cleanmgr and click ok.

    Let it scan your system for files to remove.

    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

    Press OK to remove them.

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, a fresh HijackThis log AND the ComboFix log... geez, what a pain I am, huh?
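A ComboFix script like the one in this post is plain text, and a forum paste can quietly damage it (the ShellExecuteHooks value line above lost its closing brace and quote on the way to the page). The following is an added example, not jwbirdsong's code and not part of ComboFix: a small lint pass over the Files::, Folder:: and Registry:: layout used in the post, so a damaged line is caught before the script is dropped onto ComboFix. The function names are mine, the section names checked are only the ones this post uses, and the constructed sample is the posted script with its broken line as it appeared and with that line repaired.

```python
"""Lint a ComboFix script (CFScript) for paste damage before running it.

Added example, not from the forum post and not part of ComboFix: it checks
only the plain-text layout the post uses (Files::, Folder::, Registry::
sections with regedit-style [key] and "name"=data lines)."""
import re

# Constructed sample: the posted script, with the ShellExecuteHooks line
# exactly as it appeared on the page (missing its closing '}' and '"').
BROKEN_SCRIPT = r'''Files::
C:\WINDOWS\SYSTEM32\iifdbxv.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634C7583-74C6-4FEF-BD06-9721761A6815=-
'''

# The same script with the value line written the way regedit syntax requires.
FIXED_SCRIPT = BROKEN_SCRIPT.replace(
    '"{634C7583-74C6-4FEF-BD06-9721761A6815=-',
    '"{634C7583-74C6-4FEF-BD06-9721761A6815}"=-')

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')
# [key] or [-key] (delete) under one of the standard root hives.
KEY_RE = re.compile(
    r'^\[-?HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)\\[^\]]+\]$',
    re.I)
# "name"=- (delete value), "name"="string", "name"=dword:xxxxxxxx, "name"=hex...:
VALUE_RE = re.compile(
    r'^"[^"]*"=(?:-|"[^"]*"|dword:[0-9a-f]{8}|hex(?:\(\d+\))?:.*)$', re.I)
PATH_RE = re.compile(r'^[A-Za-z]:\\')


def lint_cfscript(text):
    """Return [(line_no, message), ...]; an empty list means the script parses."""
    problems, section = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            problems.append((n, "content before the first Section:: header"))
        elif section in ("Files", "Folder"):
            if not PATH_RE.match(line):
                problems.append((n, "expected an absolute drive path"))
        elif section == "Registry":
            if line.startswith("["):
                if not KEY_RE.match(line):
                    problems.append((n, "malformed [key] line"))
            elif line.startswith('"'):
                # Cheap structural checks first: they say *what* got mangled.
                if line.count('"') % 2:
                    problems.append((n, "unbalanced quotes in value line"))
                if line.count("{") != line.count("}"):
                    problems.append((n, "unbalanced braces in value line"))
                if not VALUE_RE.match(line):
                    problems.append((n, 'value line is not "name"=data or "name"=-'))
            else:
                problems.append((n, 'registry line is neither a [key] nor a "value"'))
        else:
            problems.append((n, f"unknown section {section}::"))
    return problems


if __name__ == "__main__":
    for label, script in (("as pasted", BROKEN_SCRIPT), ("repaired", FIXED_SCRIPT)):
        print(label, lint_cfscript(script) or "OK")
```

Run it and the pasted version reports three problems on the same line (odd quote count, unbalanced braces, not a valid value line) while the repaired script passes; a script that fails this check should be fixed by hand before it is dragged onto ComboFix, since a malformed Registry:: line will simply not remove the hook it was meant to remove.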

  5. Go to the folder C:\Program Files\Trend Micro\HijackThis\ and Right click on HijackThis.exe then choose Rename. Change it to newhj.exe (If you have a short cut on your desktop for HijackThis it will no longer work.) You can just run the file from here when needed or right click the newly renamed file and create a new shortcut and place it on your desktop.

    Please download VundoFix.exe (by Atribune) to your Desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. Run VundoFix at LEAST 2 times OR until you get a "No Vundo found" message.

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply, together with the contents of C:\vundofix.txt and a new HijackThis log.

  6. You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Couple of things: your friend seems to be running two different anti-virus programs (AVG and Avast). While one is a MUST, having two running can/will cause them to fight for resources and control of the system, and can cause slowdowns and errors. She should pick one and uninstall the other.

    Please go here to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for these filenames: C:\WINDOWS\expro.dll and C:\WINDOWS\vpssup.dll
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

    O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll

    O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll

    O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll

    Close ALL other open windows and programs and click Fix checked.

    Reboot

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log

  7. You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

    O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\windows\ddesupport.dll

    O21 - SSODL: msole - {BB35535F-AFB3-4BCF-A263-3ADC9DF204FF} - C:\windows\msole.dll

    Close ALL other open windows and programs and click Fix checked.

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log

  8. Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply .

  9. Hello,

    * Please download FixwareOut from one of the following sites:

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

    The fix will begin; follow the prompts. If your firewall gives an alert about downloading an additional file from the internet,make SURE to allow it.

    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

  10. As far as deleting the 'moved' files... we'll remove them once you are ALL clean; there is not much sense in deleting a folder if we may just recreate it later. The files that are in those folders are safe for now.

    Go to Start > Run, type in cmd and hit Enter.

    Enter the following lines, one at a time with Enter after each one.

    sc stop ereventlog

    sc delete ereventlog

    Close the command window now.

    Open HijackThis and put a check next to

    O4 - HKLM\..\Run: [pcmedic] C:\Program Files\pcmedic\pcmedic.exe Icon

    Close ALL windows and click fix checked.

    Now DELETE the Combofix you have on your Desktop.

    Download the version from HERE

    and run it.

    NOTE it is VERY important NOT to click or do anything else while combofix is running....it may seem like it has stalled out at times so just be patient.

    Post the latest combofix log

  11. Well, I guess since it's been 3 yrs since you posted this question I'll get around to answering it now... although I'm afraid I'm gonna ask more questions than give answers just now.

    When you are getting the Zapchast trojan warning is it JUST in _restore or elsewhere too?? Give locations if possible.

    The Firewall/Remote issue is not surprising as they are closely related AND often affected by various infections.

    The following steps will reset to the DEFAULT settings.

    Copy the following to a new Notepad and save to the Desktop as "fwdef.reg". Make sure to use the quotes when you are naming the file, just like I typed it, else it will not run.

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "DependOnGroup"=hex(7):00,00
    "DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
      6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
    "Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
    "DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "ObjectName"="LocalSystem"
    "Start"=dword:00000002
    "Type"=dword:00000020

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
    "Epoch"=dword:00002cd0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
      00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
    "ServiceUpgrade"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
    "All"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
    "0"="Root\\LEGACY_SHAREDACCESS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    If saved correctly it will have an icon like reg.jpg

    Right click on fwdef.reg and choose Merge> answer Yes to Are you sure you.......... Close the window.

    Go to Start>Run>type cmd and hit Enter.

    Enter the following line

    netsh firewall reset

    Close THAT window..

    Now on a reboot does every thing still change now??

    Let's see if we make any progress on this issue before we move on to some others.

    I'm again able to respond in a timely manner now so you won't have to wait 9 months for a reply :)

    PS thanks for your kind words in PM.

  12. Open HijackThis and check the following

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

    O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

    Close ALL other windows and programs (even this one) and click Fix checked.

    Yeah just do the clear cache and cookies that I posted for EVERY profile the computer has.

    How is every thing running now??

    PS AVG popped up like that because an infected file was being "read or written to", i.e. read by Panda...

    It's normal.

  13. Please download OTMoveIt by OldTimer:

    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
      C:\WINDOWS\asrotray.exe
      C:\ktf\
      C:\WINDOWS\system32\onpcs.dll
      C:\WINDOWS\system32\apo.dll
      C:\WINDOWS\system32\a3p.exe
      C:\WINDOWS\asrotray.exe
      C:\WINDOWS\system32\ccman.exe
      C:\WINDOWS\system32\carion.exe
      C:\WINDOWS\rundl64.exe
      C:\WINDOWS\system32\mswasie.exe
      C:\WINDOWS\system32\drivers\erelog.exe
      C:\WINDOWS\nerochk.exe

    • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
    • Click the red "MoveIt!" button.
    • Close OTMoveIt.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

    Copy the following lines to Notepad and save it on your desktop as "fix.reg". When you are naming the file to save on the desktop make sure you use the quotes just like I did, else the file won't run right.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "SystemManager"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=-

    If you saved it right it will have an icon like reg.jpg

    Right click on the fix.reg file and choose Merge. Answer YES when asked if you are sure you want to merge. Close the window.

    Clean your Cache and Cookies in IE:

    Go to Control Panel > Internet Options > General tab.

    Click the "Delete Cookies" button and then the "Delete Files" button next to it.

    When prompted, place a check in: "Delete all offline content",

    (You will have to re-enter passwords at websites that require them.)

    Click OK

    Clean other Temporary files + Recycle bin:

    Go to start > run and type: cleanmgr and click ok.

    Let it scan your system for files to remove.

    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

    Press OK to remove them.

    Please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run. And a fresh HijackThis log.

  14. That's only like 1/4 of what should be in the ComboFix log... will you try and run it again please. Don't worry about the quarantine folder just yet... we'll deal with it in time.

    If you still haven't rebooted since it ran, manually reboot and run it again please.

  15. The line and all below it are just my 'signature'. They are in every post I make.

    I said a good start because there WILL be more to do. Although what I posted will go a long way to stopping a lot of your problems. You have SEVERAL, MAJOR infections.....we will NOT fix them all in one step, no matter how long and detailed it is.

  16. Well, you have got a couple of different infections... some Korean trojans, probably an IRC bot or two... but you have a couple of unknowns also. So as a first step I'd like to do a little file collecting.

    First (and this is VERY important)..Delete the HijackThis from your desktop.

    Click here to download HJTsetup.exe

    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • You can leave it open; you'll need it in a minute.

    Now go to Start > Run, type in cmd and hit Enter.

    Copy the following 2 lines, one at a time, into the command prompt that opens then hit enter after each one.

    sc stop ereventlog

    sc stop PCIlagacy

    Close the command window now

    Please download Suspicious file Packer from HERE then unzip it to your desktop.

    Run SFP.exe.

    Please copy the following lines by highlighting them all and then right click and choose Copy

    C:\WINDOWS\asrotray.exe

    C:\ktf\

    C:\WINDOWS\system32\onpcs.dll

    C:\WINDOWS\system32\apo.dll

    C:\WINDOWS\asrotray.exe

    C:\Program Files\MSN Messenger\Device Manager\Loc\3099\

    C:\WINDOWS\system32\ccman.exe

    C:\WINDOWS\system32\carion.exe

    C:\WINDOWS\rundl64.exe

    C:\WINDOWS\system32\mswasie.exe

    C:\WINDOWS\system32\drivers\erelog.exe

    C:\WINDOWS\nerochk.exe

    and paste those into the box in SFP, then click "Continue".

    It will create a file called RequestedFile[some numbers].cab on your desktop.

    Please go here to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse to your desktop for the filename: RequestedFile[some numbers].cab
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    THANK YOU!!

    You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. (unless it's still open from previous step) Place a check mark next to the following:

    O2 - BHO: linkprohelper - {11E78485-C932-4944-BDCD-3B57CD676E5C} - (no file)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)

    O2 - BHO: chkprc Class - {7DA7BE7D-A382-4AA7-A125-CA55A2070125} - C:\WINDOWS\system32\onpcs.dll

    O2 - BHO: ApoUp Class - {DA96C092-D3A6-4772-AB95-21523D152BEA} - C:\WINDOWS\system32\apo.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe

    O4 - HKLM\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

    O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

    O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"

    O4 - HKLM\..\Run: [ccman] C:\WINDOWS\system32\ccman.exe

    O4 - HKLM\..\Run: [carion] C:\WINDOWS\system32\carion.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [rundl64] C:\WINDOWS\rundl64.exe

    O4 - HKLM\..\Run: [exfine] C:\Program Files\Common Files\System\exfine.exe

    O4 - HKCU\..\Run: [asro] C:\WINDOWS\asrotray.exe

    O4 - HKCU\..\Run: [MSNMessenger] "C:\Program Files\MSN Messenger\Device Manager\Loc\3099\msnmsgr.exe"

    O4 - HKCU\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"

    O4 - HKCU\..\Run: [mswasie.exe] C:\WINDOWS\system32\mswasie.exe

    Close ALL other open windows and programs (even this one) and click Fix checked

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply together with a new HijackThis log.

    Whew!!!! Pretty good start.

  17. Download AVG Anti-Spyware from HERE and save that file to your desktop.

    This is a 30 day trial of the program

    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"

    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

  18. Don't I know you from somewhere?? :lol:

    First let me apologize for kind of "losing" you over the holiday weekend. I know we had thought you were about resolved but you had asked some questions that I never got around to answering.

    Just as a reminder

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    1. Close all applications and windows.

    2. Double-click on dss.exe to run it, and follow the prompts.

    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized

    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

    Let's have a look at a few things.

  19. Please go here to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for this filename: C:\WINDOWS\msn64.exe
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

    Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - HKLM\..\Run: [OSA64] C:\WINDOWS\spools\smss.exe

    O4 - HKLM\..\Run: [OSA6432] C:\WINDOWS\spools\services.exe

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - hxxp://components.metastream.com/MTSInstal...MetaStream3.cab

    Close ALL other open windows and programs and click Fix checked.

    Download Combofix to your desktop.

    Doubleclick combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Post this log in your next reply together with a new hijackthis log.
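Several of the replies above (the BHO and SSODL entries in posts 6, 7, 12 and 16, the spools\smss.exe and services.exe and ktf\svchost.exe Run entries in posts 16 and 19) rest on two mechanical observations a helper makes before reading anything else in a HijackThis log: an O2 or O21 entry whose file is "(no file)" or "(file missing)" is an orphan, and an O4 entry that launches something named like a core Windows process from a directory other than system32 is not the real one. The following is an added example, not jwbirdsong's code and not part of HijackThis: a parser for the O2, O4, O21 and O16 line formats quoted in these posts, with those two checks applied. The sample lines are copied from the posts; the flag names, the SYSTEM32_DIR constant (a default XP install is assumed) and the list of core process names are mine. Anything it does not flag still needs a person to look at it.

```python
"""Triage HijackThis log lines for the two mechanical patterns these replies
act on.  Added example, not code from the thread or from HijackThis."""
import re

# Constructed sample: lines quoted in the replies above.
SAMPLE_LOG = r"""O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NetCtrl Class - {68FACDB7-76C2-481F-BED0-5176BFC06F40} - C:\WINDOWS\system32\jng.dll (file missing)
O4 - HKLM\..\Run: [sdae] "C:\ktf\svchost.exe"
O4 - HKLM\..\Run: [OSA64] C:\WINDOWS\spools\smss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - hxxp://components.metastream.com/MTSInstal...MetaStream3.cab
"""

CLSID = r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}'
# O2 (Browser Helper Object) and O21 (ShellServiceObjectDelayLoad) share a layout.
CLSID_LINE = re.compile(rf'^(?P<type>O2|O21) - (?:BHO|SSODL): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$')
# O4: Run-key autostarts, e.g. "O4 - HKLM\..\Run: [name] command line".
RUN_LINE = re.compile(r'^(?P<type>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16: downloaded ActiveX controls (DPF).
DPF_LINE = re.compile(rf'^(?P<type>O16) - DPF: (?P<clsid>{CLSID}) \((?P<name>[^)]*)\) - (?P<url>.*)$')

# Assumption: default XP layout; adjust for a different %SystemRoot%.
SYSTEM32_DIR = r"c:\windows\system32"
# Names that only ever legitimately run from system32.
CORE_PROCESS_NAMES = {"svchost.exe", "smss.exe", "services.exe",
                      "lsass.exe", "csrss.exe", "winlogon.exe"}


def executable_from_command(cmd):
    """First token of an O4 command line: the quoted path, else up to the first
    space (an unquoted path containing spaces is ambiguous here, as on Windows)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line):
    """Return a dict of named fields, or type 'unparsed' for other line kinds."""
    for rx in (CLSID_LINE, RUN_LINE, DPF_LINE):
        m = rx.match(line)
        if m:
            return m.groupdict()
    return {"type": "unparsed", "name": line}


def flags_for(entry):
    flags = []
    if entry["type"] in ("O2", "O21"):
        path = entry["path"]
        if path == "(no file)" or path.endswith("(file missing)"):
            flags.append("orphan")
    elif entry["type"] == "O4":
        exe = executable_from_command(entry["cmd"]).lower()
        directory, _, base = exe.rpartition("\\")
        if base in CORE_PROCESS_NAMES and directory != SYSTEM32_DIR:
            flags.append("core-name-outside-system32")
    return flags


def triage(log_text):
    """Parse every non-empty line and attach its flags (possibly none)."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_line(line)
        entry["flags"] = flags_for(entry)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["flags"]:
            print(e["type"], e["name"], "->", ", ".join(e["flags"]))
```

On the sample this flags the two orphaned BHOs and the sdae and OSA64 Run entries and leaves the QuickTime entry, the MSVPS/vpssup pair and the DPF control alone; those last ones are exactly the entries the posts decide on by other means (the upload-for-analysis step), which is the point of keeping the mechanical checks narrow.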

  20. Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.