
Unable to Run MBAM



Became infected after stupidly clicking on a link in an ex-boyfriend's hijacked e-mail. My machine will now no longer run MBAM or Spybot S&D. I have tried uninstalling and reinstalling both programs from clean jump drives, reinstalling on the desktop, reinstalling after changing the name of a setup file, all to no avail. With MBAM in particular, setup runs as expected and checkboxes to Update and Launch are both activated on the final screen, but the program still fails to load.

I have downloaded Avira AntiVir and run it--first run removed a few trojans, subsequent runs have all come up clean. Ad Aware detects and removes a rootkit, and if I run Ad Aware twice a day my system remains partially functional. A scan immediately following will come up clean, another scan several hours later will turn up the same rootkit. I have included my Ad Aware log following the Hijack This for reference.

Major symptoms include the hijacking of the formerly functional Google Toolbar. Searches appear normal, but clicking on the links provided (even those bearing the names and URLs of legit mainstream sites like Microsoft) redirects to ad-filled pages. I also strongly suspect that my AOL password was changed, though I was able to use admin functions to regain control of the account again. There were formerly startup errors that prompted me to revert to Last Known Good Configuration several times, but these seem to have stopped if I habitually run Ad-Aware twice daily and avoid restarting if at all possible.

Thanks in advance for any help.

xoxo

Viv

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:55:48 AM, on 3/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\PROGRA~1\AMERIC~1.0A\waol.exe

C:\PROGRA~1\AMERIC~1.0A\shellmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\AAV\aav.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Documents and Settings\Sara\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Antivirus] C:\Program Files\AAV\aav.exe

O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b

O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215252774479

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe

O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

--

End of file - 7470 bytes

Logfile created: 3/3/2009 12:7:19

Lavasoft Ad-Aware version: 8.0

Extended engine version: 8.1

User performing scan: Sara

*********************** Definitions database information ***********************

Lavasoft definition file: 146.17

Extended engine definition file: 8.1

******************************** Scan results: *********************************

Scan profile name: Full Scan (ID: full)

Objects scanned: 89269

Objects detected: 47

Type Detected

==========================

Processes.......: 0

Registry entries: 17

Hostfile entries: 0

Files...........: 0

Folders.........: 0

LSPs............: 0

Cookies.........: 30

Browser hijacks.: 0

MRU objects.....: 0

Removed items:

Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0

Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0

Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0

Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0

Description: *omniture* Family Name: Cookies Clean status: Success Item ID: 408835 Family ID: 0

Description: *.stats.esomniture* Family Name: Cookies Clean status: Success Item ID: 409181 Family ID: 0

Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0

Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0

Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0

Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0

Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0

Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0

Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0

Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0

Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0

Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0

Description: *insightexpressai* Family Name: Cookies Clean status: Success Item ID: 409259 Family ID: 0

Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0

Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0

Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0

Description: *omniture* Family Name: Cookies Clean status: Success Item ID: 408835 Family ID: 0

Description: *.stats.esomniture* Family Name: Cookies Clean status: Success Item ID: 409181 Family ID: 0

Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0

Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0

Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0

Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0

Description: zedo* Family Name: Cookies Clean status: Success Item ID: 408736 Family ID: 0

Quarantined items:

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\ext\stats\{9034a523-d068-4be8-a284-9df278be776e}: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40976 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\ext\stats\{1e1465f3-56cf-4fc4-8684-1bd6245aa30d}: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 41032 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\ext\stats\{d46beaa4-a304-40b3-a9da-ec7f7f501f25}: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 41033 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\funcodec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40744 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\funcodec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40744 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\gocodec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40745 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\gocodec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40745 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\gomyron.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40746 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\gomyron.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40746 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\inc-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40748 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\inc-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40748 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\nmextensions.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40750 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\nmextensions.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40750 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\the-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40755 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\the-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40755 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\web-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40756 Family ID: 1035

Description: HKU:S-1-5-21-854245398-412668190-682003330-1003_Classes\software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\web-codec.com: Family Name: Win32.Trojandownloader.Zlob Clean status: Success Item ID: 40756 Family ID: 1035

Scan and cleaning complete: Finished correctly after 995 seconds

*********************************** Settings ***********************************

Scan profile:

ID: full, enabled:1, value: Full Scan

ID: scancriticalareas, enabled:1, value: true

ID: scanrunningapps, enabled:1, value: true

ID: scanregistry, enabled:1, value: true

ID: scanlsp, enabled:1, value: true

ID: scanads, enabled:1, value: true

ID: scanhostsfile, enabled:1, value: true

ID: scanmru, enabled:1, value: true

ID: scanbrowserhijacks, enabled:1, value: true

ID: scantrackingcookies, enabled:1, value: true

ID: closebrowsers, enabled:1, value: false

ID: folderstoscan, enabled:1, value: C:\

ID: scanrootkits, enabled:1, value: true

ID: usespywareheuristics, enabled:1, value: true

ID: extendedengine, enabled:0, value: true

ID: useheuristics, enabled:0, value: true

ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict

ID: filescanningoptions, enabled:1

ID: archives, enabled:1, value: true

ID: onlyexecutables, enabled:1, value: false

ID: skiplargerthan, enabled:1, value: 20480

Scan global:

ID: global, enabled:1

ID: addtocontextmenu, enabled:1, value: true

ID: playsoundoninfection, enabled:1, value: false

ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:

<Empty>

Update settings:

ID: updates, enabled:1

ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently

ID: displaystatus, enabled:1, value: false

ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: autodetectproxy, enabled:1, value: false

ID: useautoconfigscript, enabled:1, value: false

ID: autoconfigurl, enabled:0, value:

ID: useproxy, enabled:1, value: false

ID: proxyserver, enabled:0, value:

ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: schedules, enabled:1, value: true

ID: updatedaily, enabled:1, value: Daily

ID: time, enabled:1, value: Mon Mar 02 00:43:00 2009

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updateweekly, enabled:1, value: Weekly

ID: time, enabled:1, value: Mon Mar 02 00:43:00 2009

ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: true

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:

ID: appearance, enabled:1

ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource

ID: showtrayicon, enabled:1, value: true

ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:

ID: realtime, enabled:1

ID: processprotection, enabled:1, value: true

ID: registryprotection, enabled:0, value: true

ID: networkprotection, enabled:0, value: true

ID: loadatstartup, enabled:1, value: true

ID: usespywareheuristics, enabled:0, value: true

ID: extendedengine, enabled:0, value: true

ID: useheuristics, enabled:0, value: true

ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict

ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************

Computer name: TAYLOR-BEA20423

Processor name: AMD Athlon 64 X2 Dual Core Processor 3800+

Processor identifier: x86 Family 15 Model 75 Stepping 2

Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 19202, number of processors 2

Physical memory available: 1322508288 bytes

Physical memory total: 2078715904 bytes

Virtual memory available: 2042519552 bytes

Virtual memory total: 2147352576 bytes

Memory load: 36%

Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Windows startup mode:

Running processes:

PID: 844 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 892 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 916 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 960 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY

PID: 984 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1204 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1296 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1424 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1584 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1680 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1808 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1896 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1952 name: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe owner: SYSTEM domain: NT AUTHORITY

PID: 212 name: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe owner: SYSTEM domain: NT AUTHORITY

PID: 240 name: C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe owner: SYSTEM domain: NT AUTHORITY

PID: 292 name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 308 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 348 name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe owner: SYSTEM domain: NT AUTHORITY

PID: 424 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY

PID: 464 name: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 500 name: C:\WINDOWS\system32\lxddcoms.exe owner: SYSTEM domain: NT AUTHORITY

PID: 732 name: C:\WINDOWS\Explorer.EXE owner: Sandra domain: TAYLOR-BEA20423

PID: 740 name: C:\WINDOWS\system32\nvsvc32.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1368 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1492 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 652 name: C:\WINDOWS\ehome\ehtray.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 700 name: C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 776 name: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 864 name: C:\Program Files\Real\RealPlayer\RealPlay.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 508 name: C:\WINDOWS\stsystra.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 1140 name: C:\Program Files\Lexmark 2500 Series\lxddmon.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 1240 name: C:\Program Files\Lexmark 2500 Series\lxddamon.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 1524 name: C:\Program Files\QuickTime\QTTask.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 1560 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 1596 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2060 name: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2160 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2276 name: C:\WINDOWS\system32\ctfmon.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2292 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY

PID: 2344 name: C:\Program Files\Messenger\msmsgs.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2600 name: C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2612 name: C:\Program Files\America Online 9.0a\waol.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2672 name: c:\program files\common files\aol\1212979139\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 2700 name: C:\Program Files\Common Files\AOL\1212979139\EE\aolsoftware.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 3392 name: C:\Program Files\America Online 9.0a\shellmon.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 3596 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY

PID: 3876 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 988 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 4064 name: C:\WINDOWS\eHome\ehmsas.exe owner: Sandra domain: TAYLOR-BEA20423

PID: 3584 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1996 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 3460 name: C:\WINDOWS\Explorer.EXE owner: Sara domain: TAYLOR-BEA20423

PID: 3692 name: C:\WINDOWS\ehome\ehtray.exe owner: Sara domain: TAYLOR-BEA20423

PID: 2588 name: C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3632 name: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3016 name: C:\Program Files\Real\RealPlayer\RealPlay.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3196 name: C:\WINDOWS\stsystra.exe owner: Sara domain: TAYLOR-BEA20423

PID: 1156 name: C:\Program Files\Lexmark 2500 Series\lxddmon.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3996 name: C:\Program Files\Lexmark 2500 Series\lxddamon.exe owner: Sara domain: TAYLOR-BEA20423

PID: 816 name: C:\WINDOWS\system32\RUNDLL32.EXE owner: Sara domain: TAYLOR-BEA20423

PID: 2000 name: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe owner: Sara domain: TAYLOR-BEA20423

PID: 1728 name: C:\Program Files\QuickTime\QTTask.exe owner: Sara domain: TAYLOR-BEA20423

PID: 1676 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Sara domain: TAYLOR-BEA20423

PID: 2816 name: C:\WINDOWS\eHome\ehmsas.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3312 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Sara domain: TAYLOR-BEA20423

PID: 720 name: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe owner: Sara domain: TAYLOR-BEA20423

PID: 724 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Sara domain: TAYLOR-BEA20423

PID: 4020 name: C:\WINDOWS\system32\ctfmon.exe owner: Sara domain: TAYLOR-BEA20423

PID: 752 name: C:\Documents and Settings\Sara\Desktop\Spybot - Search & Destroy\TeaTimer.exe owner: Sara domain: TAYLOR-BEA20423

PID: 2356 name: C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3932 name: C:\Program Files\America Online 9.0a\waol.exe owner: Sara domain: TAYLOR-BEA20423

PID: 1760 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Sara domain: TAYLOR-BEA20423

PID: 340 name: c:\program files\common files\aol\1212979139\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe owner: Sara domain: TAYLOR-BEA20423

PID: 3256 name: C:\Program Files\Common Files\AOL\1212979139\EE\aolsoftware.exe owner: Sara domain: TAYLOR-BEA20423

PID: 680 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1212 name: C:\Program Files\America Online 9.0a\shellmon.exe owner: Sara domain: TAYLOR-BEA20423

Startup items:

Name: ehTray

imagepath: C:\WINDOWS\ehome\ehtray.exe

Name: HostManager

imagepath: C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

Name: AOLDialer

imagepath: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

Name: RealTray

imagepath: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Name: SigmatelSysTrayApp

imagepath: stsystra.exe

Name: NvCplDaemon

imagepath: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Name: nwiz

imagepath: nwiz.exe /install

Name: lxddmon.exe

imagepath: "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

Name: lxddamon

imagepath: "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

Name: FaxCenterServer

imagepath: "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

Name: NvMediaCenter

imagepath: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

Name: Adobe Reader Speed Launcher

imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

Name: Antivirus

imagepath: C:\Program Files\AAV\aav.exe

Name: AppleSyncNotifier

imagepath: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

Name: pccguide.exe

imagepath: "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

Name: QuickTime Task

imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Name: iTunesHelper

imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"

Name: SunJavaUpdateSched

imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"

Name: avgnt

imagepath: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

Name: Ad-Watch

imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

Name: PostBootReminder

imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}

Name: CDBurn

imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}

Name: WebCheck

imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Name: SysTray

imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}

Name: WPDShServiceObj

imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}

Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}

imagepath: Browseui preloader

Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}

imagepath: Component Categories cache daemon

Name: Malwarebytes' Anti-Malware

imagepath: C:\Documents and Settings\Sara\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

Bootexecute items:

Name:

imagepath: autocheck autochk *

Running services:

Name: ALG

displayname: Application Layer Gateway Service

Name: AntiVirScheduler

displayname: Avira AntiVir Personal - Free Antivirus Scheduler

Name: AntiVirService

displayname: Avira AntiVir Personal - Free Antivirus Guard

Name: AOL ACS

displayname: AOL Connectivity Service

Name: AOL TopSpeedMonitor

displayname: AOL TopSpeed Monitor

Name: Apple Mobile Device

displayname: Apple Mobile Device

Name: AudioSrv

displayname: Windows Audio

Name: CryptSvc

displayname: Cryptographic Services

Name: DcomLaunch

displayname: DCOM Server Process Launcher

Name: Dhcp

displayname: DHCP Client

Name: dmserver

displayname: Logical Disk Manager

Name: Dnscache

displayname: DNS Client

Name: ERSvc

displayname: Error Reporting Service

Name: Eventlog

displayname: Event Log

Name: EventSystem

displayname: COM+ Event System

Name: FastUserSwitchingCompatibility

displayname: Fast User Switching Compatibility

Name: helpsvc

displayname: Help and Support

Name: iPod Service

displayname: iPod Service

Name: JavaQuickStarterService

displayname: Java Quick Starter

Name: lanmanserver

displayname: Server

Name: lanmanworkstation

displayname: Workstation

Name: Lavasoft Ad-Aware Service

displayname: Lavasoft Ad-Aware Service

Name: LmHosts

displayname: TCP/IP NetBIOS Helper

Name: lxddCATSCustConnectService

displayname: lxddCATSCustConnectService

Name: lxdd_device

displayname: lxdd_device

Name: Netman

displayname: Network Connections

Name: Nla

displayname: Network Location Awareness (NLA)

Name: NVSvc

displayname: NVIDIA Display Driver Service

Name: PlugPlay

displayname: Plug and Play

Name: PolicyAgent

displayname: IPSEC Services

Name: ProtectedStorage

displayname: Protected Storage

Name: RasMan

displayname: Remote Access Connection Manager

Name: RemoteRegistry

displayname: Remote Registry

Name: RpcSs

displayname: Remote Procedure Call (RPC)

Name: SamSs

displayname: Security Accounts Manager

Name: Schedule

displayname: Task Scheduler

Name: seclogon

displayname: Secondary Logon

Name: SENS

displayname: System Event Notification

Name: SharedAccess

displayname: Windows Firewall/Internet Connection Sharing (ICS)

Name: ShellHWDetection

displayname: Shell Hardware Detection

Name: Spooler

displayname: Print Spooler

Name: srservice

displayname: System Restore Service

Name: SSDPSRV

displayname: SSDP Discovery Service

Name: stisvc

displayname: Windows Image Acquisition (WIA)

Name: TapiSrv

displayname: Telephony

Name: TermService

displayname: Terminal Services

Name: Themes

displayname: Themes

Name: TrkWks

displayname: Distributed Link Tracking Client

Name: W32Time

displayname: Windows Time

Name: WebClient

displayname: WebClient

Name: winmgmt

displayname: Windows Management Instrumentation

Name: wuauserv

displayname: Automatic Updates

Name: WZCSVC

displayname: Wireless Zero Configuration

  • Root Admin

Please disable Spybot Tea Timer and run this tool.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Combo Fix Log:

ComboFix 09-03-10.03 - Sara 2009-03-12 0:44:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1607 [GMT -4:00]

Running from: c:\documents and settings\Sara\Desktop\LastResort.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd

c:\windows\system32\drivers\UACbftprqhr.sys

c:\windows\system32\UACcimtvllw.dll

c:\windows\system32\UACdotmodpx.dll

c:\windows\system32\UACfhiduyue.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjtkujbap.dll

c:\windows\system32\UACkvypetlk.dat

c:\windows\system32\UACnrrsxfrh.log

c:\windows\system32\UACtuwqpqjy.log

c:\windows\system32\UACwvirqqji.log

c:\windows\system32\UACxbhqaivm.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))

.

2009-03-12 00:32 . 2009-03-12 00:32 <DIR> drahs---- C:\cmdcons

2009-03-12 00:31 . 2009-03-12 00:49 <DIR> d-------- C:\LastResort

2009-03-12 00:30 . 2009-03-12 00:49 <DIR> d-------- C:\Qoobox

2009-03-12 00:07 . 2009-03-12 00:07 22,255 --a------ c:\windows\system32\AAWService_2009_03_12_00_07_18.dmp

2009-03-11 08:43 . 2009-03-11 08:43 22,255 --a------ c:\windows\system32\AAWService_2009_03_11_08_43_03.dmp

2009-03-11 08:31 . 2009-03-11 08:31 1,374 --a------ c:\windows\imsins.BAK

2009-03-10 03:29 . 2009-03-10 03:29 <DIR> d-------- c:\program files\CCleaner

2009-03-10 02:04 . 2009-03-10 04:23 <DIR> d--hs---- C:\Config.Msi

2009-03-05 03:23 . 2009-03-05 03:23 22,255 --a------ c:\windows\system32\AAWService_2009_03_05_02_23_26.dmp

2009-03-03 17:20 . 2009-03-03 17:20 22,255 --a------ c:\windows\system32\AAWService_2009_03_03_16_20_03.dmp

2009-03-02 11:58 . 2009-03-02 11:58 22,315 --a------ c:\windows\system32\AAWService_2009_03_02_10_58_18.dmp

2009-03-02 02:16 . 2009-03-02 02:16 22,315 --a------ c:\windows\system32\AAWService_2009_03_02_01_16_53.dmp

2009-03-02 01:54 . 2009-03-03 17:19 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-02 01:43 . 2009-03-03 17:19 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-02 01:40 . 2009-03-02 01:40 <DIR> d-------- c:\program files\Lavasoft

2009-03-02 00:38 . 2009-03-02 00:38 <DIR> d-------- c:\program files\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-10 07:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-10 06:05 --------- d-----w c:\program files\Common Files\Adobe

2009-03-09 19:46 --------- d-----w c:\program files\Lx_cats

2009-03-04 10:56 1,502 ----a-w c:\documents and settings\Sandra\Application Data\wklnhst.dat

2009-03-04 10:47 --------- d-----w c:\documents and settings\Sandra\Application Data\FaxCtr

2009-03-03 09:03 2,354 ----a-w c:\documents and settings\Sara\Application Data\wklnhst.dat

2009-03-02 05:41 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-03-02 05:40 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-03-02 05:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-02 04:51 --------- d-----w c:\program files\Trend Micro

2009-03-02 04:38 --------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-03-02 04:23 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-02 04:17 --------- d-----w c:\program files\Google

2009-02-25 18:53 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-20 13:38 --------- d-----w c:\program files\America Online 9.0a

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-01-29 23:12 --------- d-----w c:\program files\Common Files\aolshare

2009-01-29 07:09 --------- d-----w c:\program files\QuickTime

2009-01-29 07:09 --------- d-----w c:\program files\iTunes

2009-01-29 07:09 --------- d-----w c:\program files\iPod

2009-01-29 07:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-29 07:08 --------- d-----w c:\program files\Common Files\Apple

2009-01-29 07:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-29 07:07 --------- d-----w c:\program files\Apple Software Update

2009-01-27 07:45 --------- d-----w c:\documents and settings\Sara\Application Data\Apple Computer

2009-01-17 15:26 --------- d-----w c:\program files\AOL Games

2009-01-16 13:31 --------- d-----w c:\documents and settings\Sandra\Application Data\PlayFirst

2009-01-16 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\SET609.tmp

2008-06-09 02:05 61,224 ----a-w c:\documents and settings\Sara\GoToAssistDownloadHelper.exe

2008-07-05 10:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070520080706\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"HostManager"="c:\program files\Common Files\AOL\1212979139\ee\AOLSoftware.exe" [2007-04-12 42032]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-06-08 26112]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 148888]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-11-13 1774936]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\America Online 9.0a\\waol.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddwbgw.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-02 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-04-26 99248]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-18 280392]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe --> c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 17:19]

2009-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2008-12-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 16:31]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Antivirus - c:\program files\AAV\aav.exe

HKLM-Run-pccguide.exe - c:\program files\Trend Micro\Internet Security 14\pccguide.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f

mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-12 00:49:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-03-12 0:50:57

ComboFix-quarantined-files.txt 2009-03-12 04:50:55

Pre-Run: 142,043,668,480 bytes free

Post-Run: 142,370,775,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

177 --- E O F --- 2009-03-11 12:31:25

  • Root Admin

Please try to install, update, and run MBAM now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Malwarebytes' Anti-Malware 1.34

Database version: 1839

Windows 5.1.2600 Service Pack 3

3/12/2009 3:36:32 AM

mbam-log-2009-03-12 (03-36-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 138310

Time elapsed: 24 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdotmodpx.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfhiduyue.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjtkujbap.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxbhqaivm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{472B1FBB-7E0F-4E33-99BA-4289A964BE72}\RP321\A0049825.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{472B1FBB-7E0F-4E33-99BA-4289A964BE72}\RP321\A0049826.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{472B1FBB-7E0F-4E33-99BA-4289A964BE72}\RP321\A0049827.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{472B1FBB-7E0F-4E33-99BA-4289A964BE72}\RP321\A0049828.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

=====================================================

=====================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:37:41 AM, on 3/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\AMERIC~1.0A\waol.exe

C:\PROGRA~1\AMERIC~1.0A\shellmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215252774479

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe

O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

--

End of file - 7230 bytes

  • Root Admin

Looks good.

Please remove any and all old versions of Java and update to the latest version.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

When done, then update to latest.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Then do an online Anti-Virus scan and if that also comes back clean you should be good to go.

Are there still any signs of infection?

Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

When I attempt to remove Java via the control panel, I receive an error message that says "A fatal error occurred during installation" and the control panel shuts down. When attempting to run JAVARA, I receive the standard Windows message "The program has encountered a problem and needs to close ... Send error Report, etc" I reinstalled JAVARA and the same happened... Should I attempt to remove the files manually or just update?

JAVARA did appear to remove some files before the first error message, now it errors out immediately upon double click.

Computer does not seem to be otherwise symptomatic.

Thanks sooooo much for all of your help!!!

xoxo

Viv

After playing around and restarting a few times, got JAVA Ra to work...

Found and removed: SOFTWARE\JavaRa

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Mar 13 10:02:41 2009

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Mar 13 10:06:04 2009

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Mar 13 14:18:57 2009

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_06

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_06

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150060}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\JavaPlugin.160_05

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_06

Found and removed: Software\Classes\JavaPlugin.160_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05

Found and removed: Software\JavaSoft\Java2D\1.6.0_05

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

------------------------------------

Finished reporting.


Updated to the latest Java version, but am now wondering if I was able to remove all Java successfully before installation... Computer is acting normally...

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, March 14, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, March 14, 2009 14:01:24

Records in database: 1901276

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 63774

Threat name: 2

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 00:51:27

File name / Threat name / Threats count

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\6.0\28\5eb47c5c-1338aa2c Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-78d32a58-39494791.class Infected: Exploit.Java.ByteVerify 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcimtvllw.dll.vir Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.

_____________________________________________________________

_____________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:31:37 PM, on 3/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

C:\WINDOWS\eHome\ehmsas.exe

c:\program files\common files\aol\1212979139\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1212979139\EE\aolsoftware.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\PROGRA~1\AMERIC~1.0A\waol.exe

C:\PROGRA~1\AMERIC~1.0A\shellmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b

O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sandra')

O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sandra')

O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [Antivirus] C:\Program Files\AAV\aav.exe (User 'Sandra')

O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [69563571646465451143172083353563] C:\Program Files\AV9\av2009.exe (User 'Sandra')

O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'Sandra')

O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215252774479

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe

O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

--

End of file - 9251 bytes

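The HijackThis logs posted in this thread are read by eye, but a few of the lines a helper looks at first can be picked out mechanically: O2 BHO registrations whose DLL is "(no file)", O23 services whose binary is "(file missing)", and O4 Run values whose name is a long string of digits rather than a product name. The script below is an added example, not code from this thread or from HijackThis; the sample log is constructed from lines that appear in the logs above, and the three heuristics are assumptions about what merits a second look, not verdicts that an entry is malicious.

```python
import re

# Constructed sample: HijackThis-style lines copied in shape from the logs in this
# thread (the rest of the log is omitted). Raw string so the Windows paths keep their
# backslashes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [Antivirus] C:\Program Files\AAV\aav.exe (User 'Sandra')
O4 - HKUS\S-1-5-21-854245398-412668190-682003330-1003\..\Run: [69563571646465451143172083353563] C:\Program Files\AV9\av2009.exe (User 'Sandra')
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section tag (R0, O2, O4, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 entries carry the registry value name in square brackets, then the command line.
O4_RUN = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return one dict per HJT entry line; non-entry lines (headers, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"),
                            "body": m.group("body"),
                            "raw": line.strip()})
    return entries


def triage(entries):
    """Return (raw_line, reason) pairs for entries worth a closer look.

    Assumed heuristics (not HijackThis's own logic):
      - an O2 BHO whose DLL no longer exists ("(no file)");
      - an O23 service whose executable is gone ("(file missing)");
      - an O4 Run value whose name is eight or more digits, which is not how
        legitimate products usually name their autostart entries.
    """
    findings = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        if kind == "O2" and body.endswith("(no file)"):
            findings.append((e["raw"], "BHO registration whose DLL is missing"))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append((e["raw"], "service pointing at a missing binary"))
        elif kind == "O4":
            m = O4_RUN.search(body)
            if m and re.fullmatch(r"\d{8,}", m.group("name")):
                findings.append((e["raw"], "Run value named with a long digit string"))
    return findings


def triage_text(text):
    """Convenience wrapper: parse a whole log and return its findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for raw, reason in triage_text(SAMPLE_LOG):
        print(f"{reason}:\n    {raw}")
```

On the sample above the script flags three lines: the nameless BHO, the numerically named Run value under the 'Sandra' account, and the Trend Micro service whose file is missing. Dead BHO and service entries are usually leftovers from uninstalled software rather than an active infection, so a flag here means "ask about it", which is what the helpers in this thread do with the full log.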

  • Staff

Hi,

Since AdvancedSetup is busy with other stuff, I'm taking over this thread :(

Clear your Java cache:

Clearing Java Cache:

  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Settings button.
  • Click the Delete Files... button below. Make sure the following are checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Java Control Panel.

  • Go to Start > Run and copy and paste the following command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

This should deal with what Kaspersky found :)

Let me know in your next reply how things are now.


Cleared Java as directed and uninstalled ComboFix and Kaspersky is still coming up positive after restart. Are these "infections" threatening?

Thanks for taking over and for all of your help, by the way.

Sara

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, March 20, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, March 20, 2009 06:35:03

Records in database: 1937139

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 57978

Threat name: 1

Infected objects: 2

Suspicious objects: 0

Duration of the scan: 00:45:01

File name / Threat name / Threats count

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\6.0\28\5eb47c5c-1338aa2c Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-78d32a58-39494791.class Infected: Exploit.Java.ByteVerify 1

The selected area was scanned.

___________________________________________

___________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:19:38 AM, on 3/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

c:\program files\common files\aol\1212979139\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1212979139\EE\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\America Online 9.0a\shellmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212979139\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215252774479

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe

O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

--

End of file - 8602 bytes

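The two Kaspersky reports in this thread make a point worth separating out: where a detection sits matters as much as what it is. The Packed.Win32.Tdss.f hit on 14 March is under C:\Qoobox\Quarantine, which is ComboFix's quarantine folder (the ".vir" suffix is its renaming of the isolated file), so it was already neutralised and "ComboFix /u" removes it; the two Exploit.Java.ByteVerify hits are cached applets under the Java deployment cache, which is why the advice is to clear that cache or delete the files by hand. The parser below is an added example, not code from this thread or from Kaspersky; it reads the "File name / Threat name / Threats count" lines and buckets each hit by location. The sample report is constructed from the 14 March lines above, and the three categories are my own labels.

```python
import re
from collections import Counter

# Constructed input: the detection lines from the 14 March Kaspersky Online Scanner 7
# report in this thread, in the scanner's "File name / Threat name / Threats count" form.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\6.0\28\5eb47c5c-1338aa2c Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-78d32a58-39494791.class Infected: Exploit.Java.ByteVerify 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcimtvllw.dll.vir Infected: Packed.Win32.Tdss.f 1
The selected area was scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>".
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return a dict per detection line; header and footer lines do not match."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append({"path": m.group("path"),
                         "threat": m.group("threat"),
                         "count": int(m.group("count"))})
    return hits


def classify(path):
    """Bucket a detection by where the file lives (assumed categories, not Kaspersky's).

    quarantined : inside ComboFix's C:\\Qoobox\\Quarantine tree, so already isolated;
                  "ComboFix /u" deletes the folder.
    java-cache  : a cached applet under the Sun Java deployment cache; clearing the
                  Java cache (or deleting the file) removes it.
    live        : anywhere else, and therefore the one that needs real attention.
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"
    return "live"


def summarize(text):
    """Parse a report and attach a category to every hit."""
    hits = parse_report(text)
    for h in hits:
        h["category"] = classify(h["path"])
    return hits


def category_counts(text):
    """Counter of hits per category; missing categories read as 0."""
    return Counter(h["category"] for h in summarize(text))


if __name__ == "__main__":
    for h in summarize(SAMPLE_REPORT):
        print(f"[{h['category']:11}] {h['threat']}  {h['path']}")
    print(dict(category_counts(SAMPLE_REPORT)))
```

Run against the sample it reports two java-cache hits, one quarantined hit and nothing live, which matches the staff reply: nothing in either report was an active infection. The 20 March report parses the same way, minus the quarantine line that "ComboFix /u" removed.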

  • Staff

Hi,

Normally, if you have cleared the Java cache, the entries that Kaspersky finds should be gone. Not sure if you did this from the "Chet" user account.

Anyway, you can delete it manually, so, navigate to and delete the following files:

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\6.0\28\5eb47c5c-1338aa2c

C:\Documents and Settings\Chet\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-78d32a58-39494791.class


  • Staff

Glad I could help. :(

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

