
Solved: cmds and MS Juan

Q: Solved: cmds and MS Juan

Hi guys,

I'd be eternally grateful if you could help me in any way!

OS: Windows Vista
Machine: Acer Aspire 5715Z laptop

Unfortunately a family member used my machine, and since then the machine has become infected with a virus (or two...). They used Firefox, and downloaded some software that they subsequently deleted, so I can't be sure what it was.

Symptoms:

Open an IE window > extra tabs are opened with a random IP address in the address bar (all beginning 8).
Try to close IE > other IE windows are spawned.
Open Windows Explorer > Task bar disappears and Windows Explorer immediately closes

The symptoms can be temporarily relieved by disabling the processes in the Startup tab of MSConfig (named cmds and BM1fa22c55), and deleting the Registry entries at HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run. The virus is creating a couple of obvious dlls in the following locations (although I know next to nothing about dlls/viruses etc.!):

Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s
rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c

I cannot delete the files as I get the old "the file is open in another program". When deleted from the registry, the two main culprit dlls reappear immediately. I've seen the name "MS Juan" in the registry, and also in autoruns/processexplorer - is this the actual virus? Lavasoft Ad Aware SE Personal reported a total of 5 other viruses/trojans that I marked to be removed. Spybot came back clean.

I ran HijackThis, and the resultant log is pasted below. The machine is relatively new so fortunately only has bits of other software installed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:29, on 02/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\ProcessExplorer\procexp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Emily\AppData\Local\Temp\wvuSjgDW.dll,c
O4 - HKCU\..\Run: [BM1fa22c55] Rundll32.exe "C:\Users\Emily\AppData\Local\Temp\myqxuect.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-
End of file - 5429 bytes

I've bolded the suspect registry entries. Please just holler if you need any more information.

I'm a software developer so kind of know my way around the machine... Just rubbish at this security stuff, obviously!

I appreciate any time and effort you can spare me.

Thanks,

Emily.

RELEVANCY SCORE 200

A: Solved: cmds and MS Juan

Read other 16 answers
RELEVANCY SCORE 49.6

My laptop was going through a file reset but then suddenly turns off. After it says other user and I wasn't able to get in. I found a YouTube video that helped me get it to a trouble shoot and then reset it to safe enable. When I got in the whole screen was black! I was able to get it the cmds but not sure how the cmds work. It states C:\Users\Administrator> right now and now I am stuck here.

Read other answers
RELEVANCY SCORE 48.4

Respected Person,
Whenever I switch on my computer, I see the display CMDS TIME/DATE NOT SET. Thereafter I need to go to the Adjust Date/Time section. Why does this problem arise and how do I solve it?

A:CMDS TIME/DATE not set

Boot into Setup (BIOS or CMOS) and adjust the time and date, then Save and Exit. When you boot into Windows, make sure you are in the right time zone. If your computer continues to lose time, you will need to change the CMOS battery on the motherboard.

Read other 1 answers
RELEVANCY SCORE 48.4

I did a search but I couldn't find an answer for this.
I am trying to create a simple batch file that offers a user a choice. It would simply do an ECHO prompting the user to select either choice 1 or 2. If the user selects choice 1 it would process the xcopy cmd with the /D flag; if the user selects option 2 it would use the same xcopy cmd but without the /D flag.

What I am trying to do is simply create a small backup method, the /D being the one that backs up the files that have only changed, while the straight xcopy cmd would be considered a full backup.

Option 1 - xcopy c:\QUICKB~1 F:\MumBackup\QUICKB~1 /D /E
Option 2 - xcopy c:\QUICKB~1 F:\MumBackup\QUICKB~1 /E

I did some reading on how to do this, but I am still puzzled.
 

A:If Cmds & Batch File

tripped said:

I did a search but I couldn't find an answer for this.
I am trying to create a simple batch file that offers a user a choice. It would simply do an ECHO prompting the user to select either choice 1 or 2. If the user selects choice 1 it would process the xcopy cmd with the /D flag; if the user selects option 2 it would use the same xcopy cmd but without the /D flag.

Not going to code the whole batch for you, but some suggestions.
You can use set /p to get your user input. For more info on set, type set /? on your prompt.
Also, for if statements, type if /?. If you are on an older OS, there is a choice command you can use to get user input.
 

Read other 1 answers
RELEVANCY SCORE 48.4

Hello, I read your previous post about this trojan here:

http://forums.techguy.org/malware-removal-hijackthis-logs/564254-meta-juan-troyan-virus-need.html

and downloaded the sdfix.rar, extracted it, then ran it in safe mode. It looked like it worked but one day later, the trojan came back. So then I downloaded right off the Norton site unhookexec.inf, turned off windows restore, updated my definitions (I have NIS 2005 by the way), and ran a full system scan. Norton came up with nothing yet I still get a stupid fake popup that brings me to the site that created the trojan to begin with! Every time the trojan executes, Norton can't delete it because it's in use, so it says access was denied. It does, however, delete the files meta.juan tries to duplicate itself at. The Norton site says that meta.juan is a very low risk but somehow it was able to install a rootkit so deep into my computer that it was able to successfully hide all the registry files and the ie5 folder that it's hiding in. I cannot stress how much this thing is bugging me because it periodically crashes my computer and does something to make my restarts fail 60% of the time. It's probably another trojan or virus doing that but Norton only detects meta.juan. Please help me. You're my last lifeline before I have to reformat my computer, which I really don't want to do.

Here's my hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:14 PM, on 2/5/2008
Platform: Windo... Read more

A:Solved: meta.juan just won't die!

Hi, Welcome to TSG!!

Please perform a scan with Kaspersky Webscan Online Virus Scanner

1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner ... Read more

Read other 3 answers
RELEVANCY SCORE 48

Hi,

When I boot my computer I get these windows (1 or 2) that say:

Error in: Users\Alex\AppData\Local\Temp\mtyunqkg.dll

Missing entry: run

Then along with that when I click to open control panel or any folder, it opens for few seconds then closes quickly.

I recently installed Spybot Search and destroy and it has a function to warn me of registry changes and that's how I found that MS Juan is at times attempting to edit or destroy->add registry entries, ones with names much like Users\Alex\AppData\Local\Temp\mtyunqkg.dll, but with different gibberish for the dll.

Thanks a lot in advance

Here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:29 PM, on 2/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program ... Read more

A:Solved: MS Juan causing problems!

Read other 14 answers
RELEVANCY SCORE 48

I've been wrestling with ridding my work laptop from Vundo and Trojan\Bdoor-CPK for 1.5 days. I've made a lot of progress; however, I'm evidently missing something. I have XoftSpySE, which detects a registry entry "software\microsoft\juan", and I am receiving unsolicited pop-up windows.
Please, I need another set of eyes / brains to look over my HJT log and see if you have any recommendations.

Thank You !
 

A:Solved: Juan still hanging around (Vundo)

Read other 12 answers
RELEVANCY SCORE 48

Hi, my system is Windows XP Home Edition and after doing checks with AVG and SUPERAntiSpyware I have found the above virus. When I quarantine it and do the usual stuff, reboot etc., everything is to no avail and the virus is still there. I have tried to get into sites like this offering advice from home but my computer will not let me access these sites, so the only way is to contact you through my work computer. It is impossible to download removal tools because I cannot access these sites from home. I am a complete computer novice and would welcome any advice apart from me throwing the computer out of the window!!!!!
 

A:Solved: trojan downloader san juan

Hi, Welcome to TSG!!
Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

Read other 3 answers
RELEVANCY SCORE 47.6

I am new to programming and am starting with Java. It is all going ok but it is becoming time consuming typing the "cd" command to change the directory of the CMD to the locations of my Java programs every time I want to compile or execute my program as it defaults to C:\Users\Mike every time I restart CMD.

To save time, I want to be able to double-click an icon on my desktop to run a command which will change the default directory to my programming folder. I then want to click another icon on my desktop to change it back to the original.

Can somebody please give me the basic CMD code for changing the default directory (if there is one)? I will insert my directories afterwards.

GreenLightPC

A:How can the CMDs directory be changed using a batch file?

Hello GreenLightPC

I don't know about a *.bat file. But, I think I may have an easier way.

Create a shortcut to Command Prompt anywhere you like. In the Shortcut properties, change the Start In: to your desired directory.

Hope this is what you wanted.

Cheers!

Read other 6 answers
RELEVANCY SCORE 46.8

I recently downloaded a malware by accident it was 'Mail.ru' but using Malwarebytes and avast I removed it quickly.
 
Every 3 hours or so command prompt opens and tries to download malware or a virus, but Malwarebytes stops it before damage is done.
 
Is there any way to stop this?

A:Some sort of malware (Mail.ru) is begin downloaded using cmds

Hello Computa and welcome to the Bleeping Computer forum.
My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier:
please follow all instructions in the order posted
please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
if you don't understand something, please don't hesitate to ask for clarification before proceeding
the fixes are specific to your problem and should only be used for this issue on this machine.
please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:
Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested
===================================================
Note: Please run these in the order given in the instructions.
===================================================
Download and run AdwCleaner
Download AdwCleaner from here and save it to your desktop.
run AdwCleaner by clicking on Scan
when it has finished, leave everything that was found checked, (ticked), then click on Clean
if it asks to reboot, allow the reboot
on reboot a log will be produced; ple... Read more

Read other 18 answers
RELEVANCY SCORE 46.4

This was all typed on a slightly unresponsive laptop keyboard. Forgive the spelling errors, I tried to correct them as much as possible. This post was written as I was conducting the diagnosis' and tests in a notepad file.

My Setup

Windows 7 x64 bit
C:\ is my partition for my OS.
Custom built PC.
------------------------------------------------------------------
Summary of problem

I was using the PC, quite a big load on the RAM 4-5 GB out of a total of 6 GB was being used.

Internet bandwidth was completely utilised, Chrome open with many tabs, ripping flac from a CD, testing films I've downloaded and downloading foobar2000 all at the same time.

All of a sudden both screens go black. I wait a while. I press ctrl+shift+esc, the primary screen flickers to my desktop for a couple milliseconds and then back to black. I then tried a load of other shortcuts like ctrl+alt+del, win+L, Win+D etc. Nothing. I hit the power button (set to sleep) in the hope that it'll go to sleep and I'll be able to boot up roughly where I left off. On boot up, BSOD then dumps memory to disk. On a fresh boot I now had a flashing underscore post checking nvram message that did nothing.

The commands below aren't in the exact order that I did them as I've started this text file a couple hours after fiddling about trying to figure out what's going on. I did do a /fixmbr and /fixboot (Can't recall if /fixboot went smoothly at this stage as it doesn't execute as it should later on) and rebooted. This wa... Read more

A:Windows 7 will not boot up! Tried all BootRec CMDs, Repair, DISKPART and CHKDSK /R

OK, it sounds like you are corrupting data somehow. If I was the one working on that machine I would pull the HD, plug it into another machine, download and execute hddscan and check the smart status of the drive.
Second I would download and burn memtest to a CD and run a memory test on your machine.

Now if there are any errors with memtest you need to shut the machine off, pull a stick of RAM and see if the error persists. If it does, then keep at it till you find the culprit.

With hddscan if anything is yellow or red your HD is shot. It's time to put in a new hard drive and reload your operating system.

If everything comes back clean then load your Win7 disk and go to the command console and you can re-write your MBR with the command "bootrec /fixmbr". I would also execute the command "chkdsk /f /r". If any of them ask if you want to dismount the partition or hard drive in use say yes.

Read other 7 answers
RELEVANCY SCORE 46.4

Hi, I have a Dell Inspiron 6400 laptop running XP (SP2) and IE7 which seems to have been infected with a trojan called Vundo. I have real-time virus scanning via McAfee and it leapt into action last weekend with a series of red 'critical system change' messages when I must have stumbled on a hacked webpage.

Initially nothing appeared to be wrong but the next day I noticed that the 'Security Centre' was giving me a red alert shield to tell me that automatic Windows Updates were turned off (and it couldn't turn them back on from the balloon that comes up) but when I looked into it via 'Control Panel' the Windows Updates were set to 'automatic'. Later on McAfee alerted me that it had found and removed a Trojan called 'Vundo' (about 8-9 instances of it) but it obviously hadn't because when I next switched on, it detected and 'removed' them all again. I have run AVG, Malwarebytes' Anti-Malware and Lavasoft Ad-Aware which all found several infected files on different scans and they seemed to fix the issue I was having with the security centre and also a couple of error messages I had on start up.

Initially my net access was slowed to a crawl and the trojan was also bringing up a series of popups on my main IE browser window trying to encourage me to click on fake virus scan installers but these seem to have mainly stopped (and my net access is now at normal speed), however I'm still getting random ... Read more

Read other answers
RELEVANCY SCORE 42

Hi!

My Sony VAIO laptop computer is not feeling well.

I have Windows Vista 32 bit, which i have (presumably) upgraded to at least SP1.
As for Service Pack 2, i can not install it due to the problems i am about to describe.

When i first log into Windows, i log in as my only user account (named "Lizard"), which is also my administrator account.

Among the very first messages i get is an error from RunDLL stating that "Error loading C:\Users\Lizard\AppData\Local\Temp\ddcAsqpO.dll".

After closing that alert - everything works just fine for between 2 to 20 minutes.

Then, i get another message that says "Host process for Windows services stopped working and was closed.".
After this error message, my beloved laptop goes through a Dr. Jekyll/Mr. Hyde transformation.
Everything related to Windows Explorer goes in slow motion, if i - for instance, want to save an image i have created - i have to wait for several minutes before the computer unfreezes. That is, if i'm lucky enough to get it back in the first place.
I have tried to get relevant updates for Windows; apart from Service Pack 2 i have also tried to use Windows Update, but i get an error message during the download procedure and then nothing is installed.

The same applies to Spyware Doctor, a program that used to run regular scans of my computer earlier, but now has been paralyzed by something.
Being a happy amateur, my investigations have produced very little.

I have, however... Read more

A:CMDS malware, blocked Windows Update and "Host process stopped working"

Read other 8 answers
RELEVANCY SCORE 38.8
Q: Ms juan

HEY ALL,

NEW user here..... HAVING MS JUAN ISSUES... I have run hijackthis and combofix and attached both logs... any help would be appreciated..
ONE question though. If I am doing this off of the network that it will run on normally, will these problems come back once connected to the network that gave the issues in first place?????

thanks

scuba81
 

Read other answers
RELEVANCY SCORE 38.8

This is my first time here. I have a MS Juan Virtumonde virus that I can detect and locate on the registry, but I can't delete it. It pops up with an error saying unable to delete all specified values. This is causing all kinds of annoying pop ups that just won't go away. I run windows XP on an acer aspire laptop. I have spyware doctor, which detects but can't remove the file. I have read in the forums of people who have solved this problem, but all the hijack this logs and stuff confuse me, I don't know how to run those and don't want to further screw up my system. Please help.

A:Can't Get Rid Of Ms Juan

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

MBAM should work, that's an older infection, however like malware scanners, malware can be updated also

Read other 1 answers
RELEVANCY SCORE 38.8
Q: Ms Juan

Hi all, nice site. I have a Windows XP Dell box with Service Pack 3. I have this darn MS Juan crap that keeps redirecting my browser. I cannot remove it no matter what; I remove it and it comes right back. The funny thing is also none of my spyware stuff will run. Spybot will not run; I cannot even download a new version. Adware will run but will not update; it says it cannot find connections, but I know it's connected to the internet because I keep getting pop-ups. I have never had this before. I have tried everything. It's like something knows I am trying to run spyware and it stops me. Other programs will run, just not spyware. I have deleted and reinstalled but it just won't run. Sorry for the long post, I need this computer to work.

Edit: Moved topic from Introductions to the more appropriate forum. ~ Animal

A:Ms Juan

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to se... Read more

Read other 1 answers
RELEVANCY SCORE 38.8
Q: ms juan

i have been invaded and need some help. I read your other post to parenthesis and followed, here are the results.

ComboFix 08-12-01.01 - CIN_MCon 2008-12-01 18:54:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.392 [GMT -5:00]
Running from: c:\documents and settings\CIN_MCon\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\CIN_MCon\Application Data\gadcom
c:\documents and settings\CIN_MCon\Application Data\gadcom\gadcom.exe
c:\documents and settings\CIN_MCon\Local Settings\Temporary Internet Files\bestwiner.stt
c:\program files\Mjcore
c:\windows\IE4 Error Log.txt
c:\windows\system32\aextfhfy.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\csevdhcx.dll
c:\windows\system32\daaxehah.ini
c:\windows\system32\ddvytnud.dll
c:\windows\system32\digeste.dll
c:\windows\system32\geBtQghE.dll
c:\windows\system32\hahexaad.dll
c:\windows\system32\hhunay.dll
c:\windows\system32\hyimxxmq.dll
c:\windows\system32\khfEVNhF.dll
c:\windows\system32\lancahsm.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mshacnal.ini
c:\windows\system32\nkyrtj.dll
c:\windows\system32\pthdqt.dll
c:\windows\system32\qvdjpdeh.ini
c:\windows\system32\saqmey.dl... Read more

Read other answers
RELEVANCY SCORE 38.8

MS Juan keeps appearing in the registry as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

Malwarebytes detects and removes it, but every time I open Internet Explorer, the entry reappears. I tried deleting it manually from the registry but it just keeps coming back. I am desperate and need this gone. I have included my HijackThis log. ANY help is very much appreciated. Thank you in advance!

codycapps

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:01 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Hi. When I load windows I get an error message that says:

Error in C:\Users\ADMINS~1\AppData\Local\Temp\hhlucjjt.dll missing entry:run

Here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:58:49 PM, on 2/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal


A:Need Help MS Juan

Update 03-03-08: I'm still having the same problem. Thought I'd post another HJT logfile cause the .dll file errors appearing now are different.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:49 PM, on 3/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal


Hi, I think I've been infected with MS Juan. I can't remove it with my antivirus AVG or Anti-Spyware (Malwarebytes, Ad-Aware, Spybot, Super Anti-Spyware). When I go online, a ton of pop-ups show up. Please help. Thanks a bunch.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:27 PM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


A:MS Juan, Pop-Ups

Also, I use firefox as my default browser.
 


Hi all,

My first post so I hope I'm doing this properly.

I have a Dell Latitude D630 laptop with the persistent MS Juan Trojan (running Windows XP Pro, SP3). I managed to eradicate it from a desktop last week, but this laptop infection is worse. I have the "WARNING: dangerous spyware" background on the laptop as well as the wonderful red X circle icon in the system toolbar.

I've attached a HJT log. Again, apologies if I've not done this right - feel free to smack me - or ask me for more details!

Thanks!
schooltechmgr
 

A:MS Juan - HJT log - please help!

bump
 


So I had MS Juan on my laptop and I removed it. After 2 hours I realise my PC also has it (Windows XP SP2, Advent machine), so I get ComboFix, but it won't run, so I restart, try it in safe mode etc., still nothing. Then I realise I can't perform a defrag or system clean up.

So I try to restart my computer, I log in and then a horrible lag takes over. Sometimes I am left staring at a blank blue desktop with no icons or task bar, sometimes I am left with a task bar and desktop that won't budge.

The first time it occurred we had a blue screen of death (only the once).

I am really lost as I can no longer even access the system to perform a HijackThis scan etc....

Any help is much appreciated!

A:MS Juan with lag

Insert the Windows XP CD into the CD drive, and then restart the computer. Click to select any options that are required to start the computer from the CD drive if you are prompted.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
Type: chkdsk /r
It's important to have a space before the "/".
To exit the Recovery Console and restart the computer, type exit at the command prompt, and then press ENTER.


I have MS Juan on my computer. When I run Malwarebytes it says it can't delete it without restarting my computer, but when I hit OK it doesn't restart my computer and MS Juan remains on the computer. Any help in getting rid of MS Juan would be appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:37 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

A:Can't get rid of MS Juan

ComboFix 09-02-06.04 - Chris 2009-02-07 17:20:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.581 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090207-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\HPqXIkkj.ini
c:\windows\system32\HPqXIkkj.ini2
c:\windows\system32\uniq.tll
c:\windows\system32\vevtrucg.ini
c:\windows\system32\win32hlp.cnf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SENEKA

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.
2009-02-07 16:57 . 2009-02-07 16:57 <DIR> d-------- c:\documents and settings\Chris\Application Data\Antispyware
2009-02-07 14:01 . 2009-02-07 14:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-07 13:37 . 2009-02-07 13:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 22:02 --------- d-----w c:\program files\Trend Micro
2009-01-28 18:36 --------- d-----w c:\program files\World of Warcraft
2009-01-21 22:50 --------- d-----w c:...
Q: MS Juan

Norton did not detect anything but I kept getting random popups on Firefox. Downloaded Malwarebytes' Anti-Malware and Spybot S&D, and while both keep finding MS Juan in the registry and delete it, it keeps coming back. I have made sure that Spybot's TeaTimer is not undoing the deletion and I don't know what to try next. Right now I still get popups, I am getting errors saying that my subscription to Norton is done (still has 100ish days left), and I usually have a process going named explorer.exe running even though I do not have Internet Explorer enabled on my computer.
DDS (Version 1.1.0) - NTFSx86
Run by Christopher Kallas at 19:14:14.75 on Tue 12/23/2008
BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1524 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*


A:MS Juan

Hello borke, to BleepingComputer,

My Nick is Net_Surfer, and I will be assisting you with your malware issues.

Whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

Please continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!

Please take note of the following:

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Most Important - Only do what I ask you to do.
5. Please reply to this thread. Do not start a new topic.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since reso...


Hello,

This is my first post so I apologize if I did something wrong. I've been having trouble getting rid of Vundo, and Darksma from my computer. I read several websites regarding these and did some of the suggestions. Norton only downsized the Vundo problem. Kaspersky couldn't find anything wrong with my computer. What finally removed the majority of my problems was Malwarebytes. Now I only have MS Juan still showing up and after being quarantined, it keeps coming back. Also, for some reason, I am unable to get my cookies enabled to log on to check my webmail. IE is marked to accept cookies so I do not know what's stopping me.

Thank you for all your help in advance

Deckard's System Scanner v20071014.68
Run by Nosferatu on 2008-06-25 09:18:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
30: 2008-06-25 16:18:58 UTC - RP101 - Deckard's System Scanner Restore Point
29: 2008-06-24 11:49:01 UTC - RP100 - System Checkpoint
28: 2008-06-22 18:21:10 UTC - RP99 - Installed Ad-Aware
27: 2008-06-22 15:27:08 UTC - RP98 - Last known good configuration
26: 2008-06-22 15:27:01 UTC - RP97 - Last known good configuration
-- First Restore Point --
1: 2008-06-22 15:26:58 UTC - RP72 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Nosferat...

A:Ms Juan & Pop Ups

Hello lbspeedyx and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additio...


I have MS Juan on my computer. When I run Malwarebytes it says it can't delete it without restarting my computer, but when I hit OK it doesn't restart my computer and MS Juan remains on the computer. Any help in getting rid of MS Juan would be appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:37 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

A:Cant get rid of MS Juan

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, suly14. My name is sundavis, I will be helping you to deal with your Malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

In the meantime, please refrain from making any changes to your computer, and please do in the following:

Step1
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

In your next reply, please post back:
1. RSIT log.txt and info.txt.

Thanks

Q: Ms juan

hi, Hope someone can help me before I pull what remains of my hair out. I've had a vundo trojan on my system since yesterday. Run Malwarebytes on it a few times and it seems to have done the trick except for a MS Juan that will not go quietly into the night.

I've just run hijack this and this is the log generated....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:20, on 26/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal


A:Ms juan

anyone help me with this problem???
 


Okay, so I got infected by Vundo and have been able to clear the pop-ups, however, when I run MBAM --- MS JUAN key still shows up... Any help would be appreciated! Thanks
_________________________
ComboFix 09-01-10.02 - CIN3ASTA 2009-01-10 19:41:50.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1796 [GMT -8:00]
Running from: c:\documents and settings\CIN3ASTA\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\iidcphlh.dll
c:\windows\system32\xfdznq.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SENEKA

((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.
2009-01-10 19:33 . 2009-01-10 19:33 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-10 18:20 . 2009-01-10 18:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-10 11:48 . 2009-01-10 11:48 <DIR> d-------- c:\program files\Syncplicity
2009-01-10 11:47 . 2009-01-10 11:47 <DIR> d-------- c:\program files\MSBuild
2009-01-10 11:40 . 2009-01-10 11:40 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-10 11:39 . 2009-01-10 11:39 &l...

A:MS JUAN has struck again!

Please note the message text in blue at the top of this forum.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please be patient while one of our first responders determine if it is possible to assist you.


Hi help please Norton 360 told me I had Vundo and claimed to have removed it but I'm still getting unwanted pop-ups and slow downs when I launch a browser window (IE or Mozilla). Malwarebytes keeps finding:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace)

Kaspersky is log as follows:

Files scanned 326891
Threat name 10
Infected objects 17
Suspicious objects 14
Duration of the scan 05:29:41

File name | Threat name | Threats count
C:\WINDOWS\system32\znddkj.dll/C:\WINDOWS\system32\znddkj.dll | Infected: Trojan.Win32.Monderc.gen | 1
C:\Apps\Nero_Ultra_Edition_8.3.2.1b.zip | Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm | 1
C:\Apps\Nero_Ultra_Edition_8.3.2.1b.zip | Infected: Trojan.Win32.Monderc.gen | 1
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Outlook\archive.pst | Suspicious: Trojan-Spy.HTML.Fraud.gen | 7
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Outlook\archive.pst | Infected: Trojan-Spy.HTML.Paylap.hl | 1
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Outlook\archive.pst | Infected: Trojan-Spy.HTML.Wamufraud.au | 1
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst | Suspicious: Trojan-Spy.HTML.Fraud.gen | 2
C:\WINDOWS ...

A:Help Please Vundo Ms Juan

Hello Nicktpp and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed...


Hi,

My computer has been acting funny since last night around 10pm. My internet browser(Mozilla Firefox) keeps opening on its own. It immediately opens to:

(DO NOT CLICK ON LINK. YOU MAY GET INFECTED)
http://sagipsul.com/go/?cmp=vm_mg_juan&uid=6731C0C2DA1B11DDB08B166350CFFFFF&lid=929&url=toolbarqueries.google.com%2Fsearch%3Fsourceid%3Dnavclient-ff%26features%3DRank%26client%3Dnavclient-auto-ff%26googleip%3DO%3Bnull%3B74%26ch%3D8778a1bd8%26q%3Dinfo%3Ahttp%3A%2F%2Fforums.techguy.org%2F&guid=BD25A520D72344E59AB0F4EC049ADA34&affid=166350&rid=zdez&cl=superjuan

the i.p. for the site is 70.38.98.32

I've used Malwarebytes' Anti-Malware and it's removed several of the files infected in the registry and such. I woke up this morning and removed all of the quarantined items, restarted the computer. When I signed back on I was glad because it actually worked. Before, it would freeze and not boot up the computer. I opened Mozilla Firefox to see if it would randomly open up a new window and go to the site again. It's still doing it.

Results from the Malwarebytes' Anti-Malware from first scan to last:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/4/2009 10:09:09 AM
mbam-log-2009-01-04 (10-09-09).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 199209
Time elapsed: 1 hour(s), 9 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 3...

A:HKLM MS Juan


Hello everyone.

I just joined the site and am having popup trouble. I have run Malwarebytes Anti Malware and it flagged MS Juan and MS track system. It offers to remove them but on reboot they are back. Would someone please help me remove this?

Thank you

Ed

A:I'm having trouble with MS Juan

Hello and welcome. Please post the infected log so we can see exactly all that was found. We will be able to remove things better that way. Also, what is your Operating System and antivirus?


Hey Tech Support Guy. I've been having this problem for quite a while now. I've been through a couple sites that gave me instructions on how to detect and get rid of malware and trojans and such, but even with Ad-Aware and SpyBot, the MS Juan keeps popping up after a while. SpyBot detects it and says that MS Juan is attempting to change the registry or something like that. I deny it access, but sometimes it even gets through. Juan also comes along with one or two pop-ups saying that there's a Run DLL error and Missing entry: Run. After I press OK on the pop-ups, my entire taskbar (the bar at the bottom of my screen with the Quick Launch and Start button) vanishes, so I'm forced to Alt+Tab through windows that were initially open. For now, my computer seems clean, after scanning my computer with both Ad-Aware and SpyBot, but I know it's only temporary. Help me out. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:58 PM, on 3/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal


Hi guys,

Having issues with pop up ads in IE 7, spy shredder prompts, antivirus 2008 and general slow running PC. I've run adaware, spybot and spynomore with no effective end to the problem, although the reoccurring issue is virtumonde/vundo/msjuan.

Have looked up other posts namely here and followed Thunder's advice in points 1 and 2. Could you please look at my hijackthis and malwarebytes logs and offer any more advice on how to remove this stuff for good please?

Thanks
DM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:08 PM, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

A:Ms Juan And Vundo

Hello to everyone,

One of our PCs has been infected with virtumonde and I need to bring in the heavy guns. If anyone can help, it'd be much appreciated. Here goes...

Symptoms are very slow running speed, low virtual memory warnings, pop up ads in IE7, occasional spyshredder sales pitches, occasional antivirus 2008 sales pitches. virtumonde and vundo picked up by spynomore, removed, then after reboot, more pop ads in IE7.

My PC is connected to a work server, but because we are a small business we don't have an administrator as such, I've been lumped with the job. I've got a little experience and know how, but would love any advice from experts.

I've had a look at other posts and have now downloaded hijackthis and cleared IE temporary files. Here's the log:

Please help!
Thanks
CC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:48 PM, on 26/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal


Hi,

Please help me remove this malware from the computer, as I have tried to fix this but was unsuccessful. The name of the Trojan is trojan.virtuamonde, which recreates itself after short instances.
It shows the registry keys with the name MS JUAN.

I would really appreciate it if I can get the instructions to get rid of this.

Thanks

JIMMI

A:Ms Juan Malware

Hi Jimmi,

Start by going HERE, and reading through the pinned topics.


http://forums.techguy.org/malware-r...s/684180-solved-ms-juan-causing-problems.html
Same problem as that guy, tried to follow those steps replacing his stuff with mine to no avail

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:51, on 2008-03-03
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
E:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
E:\FireFox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
D:\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet E...

A:MS Juan Problem


Hi - I started getting loads of pop ups a day or so ago and my PC is running even slower than usual. AVG thinks my system is clean but when I run Spyware Doctor (which I have done several times) it highlights loads (fifty or so) infections. The majority of these seem to have MSJUAN somewhere in the name. Spyware doctor evidently does not seem to be able to remove the root of the problem. Having googled MS JUAN I found this site and followed the instructions under the "guide and tutorial on using combofix". The final part of the instructions tell me to register here and post the combofix log. However, although internet explorer loads my home page (google) I can not navigate away from that to anything and am posting this using a different machine. Now I've registered I've seen that copying the log isn't necessarily the best thing to do anyway... can anyone help?!

A:Ms Juan Virus

Hello and welcome. Yep, do not run that tool if possible, maybe later.
Are you running XP?
Please do this first.. If Vista ..Run As Administrator

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click ...


I'm running very slow, I'm getting pop ups, and recently had google hijacked. In the last few days I've had problems with SHuer, Vundo, Juan, Clicker, and many generic trojans, and downloaders. Spybot was attacked, and I've since removed it. I'm using AVG, Super antispyware, and Malwarebytes

This is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:34 PM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSp...

A:Vundo-Juan


I have a trojan on one of my client computers, and exhausted myself for ways to rid it. I'm on my last two options: in the best of all possible worlds, I want to avoid the Windows Repair Reinstall.
I have read several posts, here and elsewhere, dealing with "ComboFix." I have a few questions:
1. Does it interfere with network setups? (i.e. will it alter the client's communication with my server?)
2. Is there any more information on what exactly it is doing?
3. In the event that I implement it, what information do I need to provide to obtain some help. I'm afraid it's too alien for me to confidently go it alone.
Thanks,
Alex.
 


Hi:

My laptop has been infected. Whenever I would open Firefox it would open random tabs on links to porn and other security prevention type sites.

I downloaded and ran Super Anti Spyware and Malware Bytes which said I had a bunch of vundo trojans that were apparently cleaned.

After subsequent runs of Malware Bytes, there was a MS JUAN registry key that Malware Bytes could not clean. After reading, I read a post that suggested I download and run ComboFix.

That was done and I am attaching that log in case it is helpful. I also ran HiJackThis and that log is also attached.

I then decided to manually attempt to delete the MS JUAN key. I modified the key permissions and was able to delete it. After a reboot, the key was still gone and a final scan with Malware Bytes said it was clean.

I see no more symptoms. Please let me know if my logs show any unsymptomatic problems or if you would like me to run other tools.

Thank you!!!
 


So normally I am pretty good at getting the bugs off my laptop but this one has me asking for help. It all started when we kept getting popups especially when typing in a search engine like google. So I ran the usual programs... McAfee (own), spybot, malwarebytes, SUPER antispyware, Spyware Blasting, ccleaner. All came up with the same problems... ms juan and ms track

here is the log from malwarebytes:
Malwarebytes' Anti-Malware 1.28
Database version: 1245
Windows 5.1.2600 Service Pack 3

1/13/2009 6:42:36 PM
mbam-log-2009-01-13 (18-42-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 117289
Time elapsed: 34 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I tried to delete the registry keys but they just come...

A:ms juan and ms track

Hello first thing is we need an updated version and scan.
Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.


Hi,
Here is the log files got after running dss
I have attached the other logfile 'extra.txt':

Deckard's System Scanner v20071014.68
Run by ptewary on 2008-06-18 19:36:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; System Restore is disabled (service is not running).
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-18 19:38:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\BAsfIpM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\mnmsrvc.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C...

A:Ms Juan Malware

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\humkgygn.dll
C:\WINDOWS\system32\kptskkmv.dll
C:\WINDOWS\system32\trpijiie.dll
C:\WINDOWS\system32\ranmtbbb.dll
C:\WINDOWS\system32\itdiigua.dll
C:\WINDOWS\system32\ytsdvvwj.dll
C:\WINDOWS\system32\ivesfqtl.dll
C:\WINDOWS\system32\geeflaly.dll
C:\WINDOWS\system32\fhlgcitt.dll
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================
Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe ...


Well, for the last 2 days I've been having vundo problems. I've tried using malwarebytes, atf-cleaner, superantispyware, and vundofix. I've gone from having 30 or so infections down to just 1 - ms juan. Only malwarebytes can find this recurring key registry problem. It says it quarantines the problem, yet it keeps reoccurring after I reboot.
So now I don't know what to do. I downloaded dss and just ran a log and received 2 txt files which I have attached. Also I cannot say I'm great with computers so slower step by step help would be appreciated.
Thank you

A:Ms Juan And Vundo

Hello masterbraz and welcome to BC. Let's see what we can find. Please follow the steps below in order:

First, it appears that there are multiple anti-virus applications running on this computer (Symantec and Avast). Running more than 1 anti-virus application at the same time can cause file access and resource issues and if there is an infection the multiple programs can actually block each other from dealing with the infected file(s). I highly recommend that you choose which application you want to keep and uninstall the other one(s) to prevent these problems. After that, continue with the rest of the steps.

Before running a new scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder...


I seem to have the MS Juan and MS Tracker amongst other things going on with my machine since yesterday. I have since run malwarebytes, ad aware and spybot. They all find and kill stuff but I am still getting trojan popups from Avast, as well as returning ms juan and tracker in malwarebytes.

This is the first time this has happened to me and I am unsure of what to do next to try to clean my machine up, any help would be greatly appreciated. I can post logs of my previous scans if you wish.

Thank you.

A:MS Juan, MS Tracker and more...

Here was my first scan last night
Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/15/2009 8:32:34 PM
mbam-log-2009-01-15 (20-32-34).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 214716
Time elapsed: 1 hour(s), 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\geBrOedb.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\qvorpbdt.dll (Trojan.Vundo.H) -> Delete on reboot.
E:\WINDOWS\system32\khfCvUnO.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3eb56daa-bd88-46ee-80c8-0bca5d5d6455} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID&...


Hello! My computer has recently started to slow down, and receive strange pop-up ads when I opened Internet Explorer, and I couldn't open some websites. After a bit of research, I got a copy of Malwarebytes' Anti-Malware and found out that I had the Virtumonde malware. After a lot of research, I removed it successfully with VundoFix. Just to be on the safe side, I ran MAM again and discovered that I had caught the MS Juan virus after the removal of Virtumonde. Virtumonde was the only malware it was detecting until I removed it, now it is MS Juan. I still get pop-ups, to a lesser extent though, and my computer is still running slower than usual. I can easily delete it from my registry, but it comes right back when I open Internet explorer. The more sites I visit, it seems to gain extra file names such as MetaJuan, Superjuan and others, all in the MS Juan directory in the registry. I have been doing lots of research, and after reading all of the HijackThis solutions I have found that there is no one solution to the problem, as they are different from mine and the others. (Taking into account the different usernames and possible programs.) My system restore points go to the exact point after I caught Virtumonde. So I have decided to post a log of my own.

For some reason, the extra.txt did not open. I tried posting before and it turned out I had the wrong copy of Hijack this, so I got the new one, ran DSS, and I only got Main.txt this time.

Main.txt:
Deckard's System Scanner v2007...

A:Ms Juan Infection

Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


I have run spybot, spyware doctor and AVG and have identified a virtumonde trojan - I have tried to delete ms juan from regedit - but it keeps reappearing - here is my hijack this log, could anyone look at it and tell me what I need to do please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:51, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvsca...

A:Ms juan just wont go!

I have read in other post to run combo fix - so I've done it and here it is along with my hjt
Start Time= Thu 07/17/2008 15:13:37.60
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-07-17 09:31:02 ( .D... ) "C:\Program Files\Spyware Doctor"
2008-07-17 09:31:02 ( .D... ) "C:\Documents and Settings\boucher\Application Data\PC Tools"
2008-07-16 14:27:06 ( .D... ) "C:\Program Files\Trend Micro"
2008-07-16 13:38:14 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2008-07-16 11:35:24 60800 ( A.... ) "C:\WINDOWS\system32\S32EVNT1.DLL"
2008-07-15 16:28:52 10520 ( A.... ) "C:\WINDOWS\system32\avgrsstx.dll"
2008-07-15 16:28:34 ( .D... ) "C:\Program Files\AVG"
2008-07-15 16:28:26 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2008-07-15 15:42:58 105232 ( A.... ) "C:\WINDOWS\system32\zxrdhu.dll"
2008-07-15 15:42:58 105232 ( A.... ) "C:\WINDOWS\system32\gbdwbmbh.dll"
2008-07-10 13:06:58 5162777 ( A.SH. ) "C:\WINDOWS\system32\adsmsexth.sys"
2008-07-10 13:06:58 5162777 ( A.SH. ) "C:\WINDOWS\system32\adsmsexth.sys"
2008-07-10 12:58:20 4236 ( A.... ) "C:\WINDOWS\system32\skmy711.exe"
2008-07-10 12:58:18 701 ( A.... ) "C:\WINDOWS\system32\skmy749.exe"
2008-07-10 12:58:12 697 ( A.... ) "C:\WINDOWS\syst...


I got the vundo trojan, and I've cleaned it all out over and over with Malwarebytes but MS Juan keeps coming back. I can't seem to get rid of it. No matter how many times I run scans on it and delete it, it's always there again when I recheck.

If you need any other information please ask, I'm a bit low on sleep so I'm not exactly thinking right now, haha

Here's a HijackThis log. I'm sorry if I've been a bit vague. Thank you for any help you can give.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:53 AM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\Rox...

A:MS Juan infection won't go away

Hi Welcome to TSG!!

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it ...
