JeanInMontana

Fame doesn't mean it's good in all cases. McAfee claims there are malicious downloads. I have asked for a translation of the reviews on the McAfee page since I don't read French well enough to do justice.

Your welcome and what a nice thing for you to do. Karma point for you!! Race time from the sounds of RaceBuddy. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Looks good. The stubborn service is from a P2P program from Roxio. Do you still have it installed? You can stop the service via Righ Click on My Computer> Choose Manage then the Services and Applications click on Services, find Roxio and disable the service. Run HJT again and put a check next to these lines and then click fix. They are just clean up not infection. R3 - URLSearchHook: (no name) - {a5066406-348e-475e-9268-1d302b00c504} - (no file) O3 - Toolbar: (no name) - {a5066406-348e-475e-9268-1d302b00c504} - (no file) Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free

MBAM started with boot this morning, but the scheduled update and quick scan failed. I did both manually. Quck scan was twice as slow as it has been with this version but I do have many tabs open in FF one a media player for RaceBuddy. Malwarebytes' Anti-Malware 1.17 Database version: 857 11:14:21 AM 6/15/2008 mbam-log-6-15-2008 (11-14-21).txt Scan type: Quick Scan Objects scanned: 36781 Time elapsed: 6 minute(s), 25 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Spyblaster is a rogue program and should be removed.

Spybot is a rogue program and should be removed. Spybot Search and Destroy is not. Which do you have?

You should never use ComboFix or SDFix without the assistance of someone familiar with how they work. I suggest you start a topic in the HJT forum and follow the instructions at the top of that forum for Pre-HJT log posting. Someone should look at what is going on with your system.

So are we going to do this?

C:\WINDOWS\system32\wuauclt.exe <======== This is the Windows Automatic Update program, it's running evidently you have the settings to not install automatically. There is nothing wrong with that, but then there isn't much point of wasting the resources running it either. Go to Control Panel >Automatic Updates either allow them to do it or use the link there to go with IE and manually update. You must use IE or IE Tab extension for Firefox. You didn't post the new log after reboot. Update MBAM too and run a quick scan post that log. Then a new HJT with the lines removed.

No worries I usually do a daily check, your getting special treatment. Yes AOL can go and I would do a CCleaner scan it should find all the AOL crap on there. O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. You have both AVG and SAS running as active services, I would cut out AVG active and have it as backup only or just get rid of it. With SAS and MBAM she won't need AVG. Her Windows updates are not current get SP3 on for her. Do all this before you reset System Restore is best I think. Just in case SP3 breaks something. Be sure you warn her about MSN and the huge rise in infections from it. Make sure she knows not to click on links even if she thinks she knows who sent it. Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free She can join my site and we will spoon feed her safe surfing too. LOL

Run HJT in scan only mode and put a check then click fix next to these items. O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [lphc5skj0ee89] C:\WINDOWS\system32\lphc5skj0ee89.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing) Remove those reboot and post a new log please. O2 - BHO: Sal's Realm's Toolbar - {a5066406-348e-475e-9268-1d302b00c504} - C:\Program Files\Sal's_Realm's\tbSal1.dll <===== What is this? I find nothing for it in searching. You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation. Your Windows System is also not up to date. The current Service Pack is 3. I suggest you get updated asap.

Log looks good. Let's do another MBAM scan, be sure to update it. Post that log and a new HJT.

Oops I have never used MD5 in HJT, it is usually challenge enough to just get the logs we need to remove. As you say Raid the sample is what we go after for you guys.

The link in your signature goes to a site rated red by McAfee I will be removing it because of this and your website also. Do not post links to this site anywhere on this site.

Hi Jason.gonzales23 and welcome to Malwarebytes. Danger teen in house. LOL Please follow these instructions: Make sure your running as an adminstrater on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible. Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Open SB S&D Make sure you are in Advanced Mode. Click on the Mode [b/]link at the top of the program and then Advanced Mode. Click on the Tools section and then Resident. You will see two items. 1. Resident "SD helper" (Internet Explorer bad download blocker.) active 2. Resident "Tea Timer" (Protection of over-all system settings.) active. Uncheck number 2.. Leave number 1 checked always. You can enable Tea Timer again if you wish once all special fixes have been done. Please run a quick scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply. Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum. Post the logs from the Panda and MBAM scans please, along with a log from this program HiJack This! You will post three logs. 1. MBAM scan. 2. Panda Active Scan. 3. HiJack This scan. Please run and post the scans in this order. You will finish the MBAM first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.

OK, run HJT in scan only and check then fix the following: O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) Then please upload these files to Bruce. C:\WINDOWS\system32\dllcache\iedw.exe C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?3?3?3??????? ???B???????????????B? ??????

HJT does not do MD5. The upload link for submitting files is http://uploads.malwarebytes.org/ the HJT forum in a subforum of the PC Help section and you must be pre-approved to work in there.

I don't know if you still have the key logger because I have not seen any logs that indicate it is gone. Please do not do scans with programs not asked. Adware found by AdAware are cookies i'm sure and not even in the class we are dealing with. I want to see the log from the full MBAM scan please. Be patient, I need food too, I need a break from this all day, I will get back to you.

Ok looks like you have a bad trojan on there O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe If you can find that please upload it to http://uploads.malwarebytes.org/ Now let's run ComboFix Review this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important shoudl anything go wrong and we need to recover your PC and not lose all the data. 1. Download this file : http://download.bleepingcomputer.com/sUBs/ComboFix.exe 2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter. 3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

OK, was HJT ran after the MBAM scan? I have to have these done in that order. For FF to be default browser here is an article

Well this is not good. I will be pointing Bruce & Marcin to this thread. Thanks Lurking for posting this.

OK, now the service will start? It's running. MBAM didn't start at boot but when I manually started it did update and tried the service it started.

We aren't done. Please post the logs I asked for. New MBAM log and new HJT log. Your welcome, but please let's finish this cleanup.

Hiya Lurking. What ya doin? Did you take action? I need to see the log after action taken, and a HJT log where I know you removed the stuff. Please update MBAM run a quick scan and post a new log for it and HJT.

You have to check the box to "Take Action" with MBAM. Your still infected from the log it found a ton of stuff. Update the program, current data base is 854, scan again post that log and a new HJT log. Looks like you didn't remove the lines in HJT I asked you to do also. Yes you can delete the files you uploaded.