STJr Posted October 18, 2009 ID:145101 Share Posted October 18, 2009 Hello Malwarebytes Techs!As you can guess from the topic's title, my laptop keeps getting reinfected with the Vundu Trojan. I have run MBAM.exe several times and it appears to do the job of identifying and removing the same 8 occurrences of the trojan. But when I get on the Internet, I start to see weird pop-ups; that tells me the laptop is infected again.The following is a list of ocurrences that lead me to know I was infected:1. Laptop was acting really, really weird; running very slow. And McAfee kept telling me via it's own pop-ups (almost non-stop) that it was catching and deleting the Vundo trojan; only it wasn't.2. I searched for a good malware scanner/removal utility and found yours (via CNET.COM). Tried to install Anti-Malware and it would not install; received the following message, create process failed code 2 - system can not find specified file mbam.exe. The install did load all the necessary files Anti-Malware needed to run; which is important for Step 3 below.3. I went to my other (clean) computer and installed Ant-Malware on a thumb drive. Plugged the thumb drive into the infected laptop and was able to run Anti-Malware from the thumb drive (Woo-Hoo).4. Ran Anti-Malware successfully (was not in SafeMode when I did this) and it found and removed (so I thought) 8 occurrences of the Vundo Trojan.5. Rebooted the laptop and was back on the Internet and bam! Started seeing weird pop-ups again! I didi not go tto any sites. The pop-up happened when IE v8 launched by home site EXCITE.COM. It takes EXCITE.COM some time to load because it executes stuff on it's home page.6. Repeated Steps 5 and 6 three more times! Finally realized the trojan is not completely gone. So I realized I needed help, registered in your forum, followed the I'm infected - What do I do now? instructions and posted this newtopic as directed.I am running Windows XP Home SP3. For virus protection, I run Cox Security Suite by McAfee. This is a free service available to Cox Cable Internet subscribers. The version of McAfee components installed are Security Center v9.15, Virus Scan v13.15, Personal Firewall v10.15 and Site Advisor v2.9. And as I mentioned, I run IE8.Listed below are the contents of the Anti-Malware v1.41 Log file and Trend Micro HijackThis v2.0.2 Log file (listed in that order). I do sincerely hope you can help with this problem....trojans really stinks!Sincerely,STJrMesa, AZ-----------------------------------------------------------------------------------------------------------------------Anti-Malware Log:Malwarebytes' Anti-Malware 1.41Database version: 2775Windows 5.1.2600 Service Pack 310/18/2009 10:27:07 AMmbam-log-2009-10-18 (10-27-07).txtScan type: Quick ScanObjects scanned: 126521Time elapsed: 11 minute(s), 25 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 3Registry Data Items Infected: 3Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\zizatewa.dll (Trojan.Vundo.H) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{9da5bc5d-0fff-4024-be2e-ba81decba760} (Trojan.Vundo.H) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gunujinus (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9da5bc5d-0fff-4024-be2e-ba81decba760} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lohuregiy (Trojan.Vundo.H) -> Delete on reboot.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zizatewa.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zizatewa.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\zizatewa.dll (Trojan.Vundo.H) -> Delete on reboot.-----------------------------------------------------------------------------------------------------------------------HijackThis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:13:49 AM, on 10/18/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEc:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\Maxtor\ManagerApp\Onetouch.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\McAfee.com\Agent\mcagent.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Maxtor\Utils\SyncServices.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Program Files\Maxtor\Utils\MaxSync.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HPQ\shared\hpqwmi.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%sO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exeO4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startupO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkeyO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [gunujinus] Rundll32.exe "c:\windows\system32\zizatewa.dll",aO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -schedulerO4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostartO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S16F.tmp" /EF "HKCU"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.htaO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dllO18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Filter hijack: text/html - {b448b46b-cd55-442d-ad82-6cf147229434} - C:\WINDOWS\batmeter16.dllO20 - AppInit_DLLs: c:\windows\system32\sowatoto.dll c:\windows\system32\kalahavi.dll bojilale.dll c:\windows\system32\gefejobu.dll c:\windows\system32\jodozome.dll c:\windows\system32\zizatewa.dllO21 - SSODL: yusosoroz - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: vabazetij - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: wuroziyop - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O21 - SSODL: nodatofaw - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O21 - SSODL: zolejafuv - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)O21 - SSODL: lohuregiy - {9da5bc5d-0fff-4024-be2e-ba81decba760} - c:\windows\system32\zizatewa.dllO22 - SharedTaskScheduler: kupuhivus - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: tokatiluy - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: kupuhivus - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {9da5bc5d-0fff-4024-be2e-ba81decba760} - c:\windows\system32\zizatewa.dllO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exeO23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exeO23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exeO23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeO23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe--End of file - 11617 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 20, 2009 Staff ID:145887 Share Posted October 20, 2009 Hi,First of all, please update MalwareBytes, because the databaseversion is outdated.Start MalwareBytes and click the Update tab. There click "Check for updates"Once the updates are downloaded, perform a quick scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
STJr Posted October 21, 2009 Author ID:146304 Share Posted October 21, 2009 Hello Miekie...wonderful to meet. Thank you so much for helping me with this problem.I updated Malwarebytes to database v3001 and reran it doing a quick scan. The log is listed immediately below. MalwareBytes did find the Vundu Trojan again, and then deleted it. I rebooted the laptop as directed by MalwareBytes. No dificulties were encountered.I then ran HiJackThis. Its log is included after the MalwareBytes log.MalwareBytes Log:Malwarebytes' Anti-Malware 1.41Database version: 3001Windows 5.1.2600 Service Pack 310/20/2009 7:18:52 PMmbam-log-2009-10-20 (19-18-52).txtScan type: Quick ScanObjects scanned: 142074Time elapsed: 12 minute(s), 19 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\wenunuve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.=================================================================================HiJackThis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:25:21 PM, on 10/20/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\WINDOWS\system32\Ati2evxx.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exeC:\WINDOWS\Explorer.EXEc:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\Maxtor\ManagerApp\Onetouch.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Maxtor\Utils\SyncServices.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\HPQ\shared\hpqwmi.exeC:\WINDOWS\System32\svchost.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%sO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exeO4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkeyO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -schedulerO4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostartO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S16F.tmp" /EF "HKCU"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.htaO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Filter hijack: text/html - {b448b46b-cd55-442d-ad82-6cf147229434} - C:\WINDOWS\batmeter16.dllO20 - AppInit_DLLs: c:\windows\system32\sowatoto.dll c:\windows\system32\kalahavi.dll bojilale.dll c:\windows\system32\gefejobu.dll c:\windows\system32\jodozome.dll O21 - SSODL: yusosoroz - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: vabazetij - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: wuroziyop - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O21 - SSODL: nodatofaw - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O21 - SSODL: zolejafuv - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)O22 - SharedTaskScheduler: kupuhivus - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: tokatiluy - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: kupuhivus - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exeO23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exeO23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe--End of file - 10246 bytes Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 21, 2009 Staff ID:146363 Share Posted October 21, 2009 Hi,* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:O18 - Filter hijack: text/html - {b448b46b-cd55-442d-ad82-6cf147229434} - C:\WINDOWS\batmeter16.dllO20 - AppInit_DLLs: c:\windows\system32\sowatoto.dll c:\windows\system32\kalahavi.dll bojilale.dll c:\windows\system32\gefejobu.dll c:\windows\system32\jodozome.dllO21 - SSODL: yusosoroz - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: vabazetij - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O21 - SSODL: wuroziyop - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O21 - SSODL: nodatofaw - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O21 - SSODL: zolejafuv - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)O22 - SharedTaskScheduler: kupuhivus - {a8a05912-a431-44ff-9ef8-7d995810fdb3} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: tokatiluy - {0181729e-a48f-448a-8e3a-f7775e3cd1cc} - c:\windows\system32\sowatoto.dll (file missing)O22 - SharedTaskScheduler: kupuhivus - {ce1d1d16-84c6-4ca2-a43f-aa70f1594460} - c:\windows\system32\kalahavi.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {a6676dcf-79dc-47a6-a40a-0bbee2ffb213} - c:\windows\system32\gefejobu.dll (file missing)O22 - SharedTaskScheduler: jugezatag - {1fcc332a-59b6-4bff-b7f1-53e1c5091555} - c:\windows\system32\jodozome.dll (file missing)* Click on Fix Checked when finished and exit HijackThis.Make sure your Internet Explorer is closed when you click Fix Checked!Since I know HijackThis has problems with fixing some orphaned registry entries here, also do this...Open notepad and copy and paste next present in the quotebox below in it:(don't forget to copy and paste REGEDIT4)REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]"CLSID"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLs"=""Save this as fix.reg Choose to save as *all files and place it on your desktop.It should look like this: Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.Then reboot.After reboot, rescan with malwarebytes and post the log in your next reply together with a new HijackThislog. (also rescan) Link to post Share on other sites More sharing options...
STJr Posted October 23, 2009 Author ID:147632 Share Posted October 23, 2009 Hi Mieke!Sorry it took me a little while to respond. I followed the instructions you provided me in your last post; started HIJACKTHIS, ran its scan, set the check marks on the items you indicated and clicked Fix Checked, created the FIX.REG using Notepad and the parameters you provided, executed the saved file which did the registry merge, rebooted the laptop, ran MBAM.EXE (along with updating MBAM.EXE's database to v3019) and ran HIJACKTHISBoth logs are included below (phew):MalwareBytes Log:Malwarebytes' Anti-Malware 1.41Database version: 3019Windows 5.1.2600 Service Pack 310/23/2009 11:33:12 AMmbam-log-2009-10-23 (11-33-12).txtScan type: Quick ScanObjects scanned: 130164Time elapsed: 10 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)===========================================================================HIJACKTHIS Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:33:31 AM, on 10/23/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEc:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Maxtor\Utils\SyncServices.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Maxtor\Utils\MaxSync.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\Maxtor\ManagerApp\Onetouch.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\HPQ\shared\hpqwmi.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%sO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeO4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exeO4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkeyO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -schedulerO4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostartO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S16F.tmp" /EF "HKCU"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.htaO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: getPlus Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 23, 2009 Staff ID:147730 Share Posted October 23, 2009 Hi,This looks OK.How are things now? Link to post Share on other sites More sharing options...
STJr Posted October 24, 2009 Author ID:147792 Share Posted October 24, 2009 Hi Miekie!If I was able to successfully install MBAM.EXE on the laptop's hard drive; would that be a valid litmus test that the Trojan is gone? Recall that that was one of the indicators that the laptop was infected with a Trojan; that I was not able to install MBAM.EXE on the latop's hard drive and had to run it from a thumb drive. When I tried ti install MBAM.EXE on the laptop's hard drive, I got the dreaded message; create process failed code 2 - system can not find specified file mbam.exe.I won't try anything until I hear back from you.Look forward to hearing from you!!Steve Mesa, AZ (it's a dry heat ) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 24, 2009 Staff ID:147902 Share Posted October 24, 2009 Yes, you should be able to install mbam now. Let me know Link to post Share on other sites More sharing options...
STJr Posted October 24, 2009 Author ID:148018 Share Posted October 24, 2009 Miekie...you are SO AWESOME!!! MBAM is INSTALLED!!! And.....I purchased a license and I now have a registered, fully operational copy of MBAM protecting my laptop....AND a very short while after I launched IE8, MBAM told me it blocked a malicious IP - 66-dot something!! Whoa!!! Thank you SOOOO much for ALL your hard work and dedication. I am very happy to be part of the Malwarebytes Customer base.You ARE the best. And if you ever want me to write a testimonial for a promotion or something; just let me know.Very sincerely,SteveMesa, AZ (it IS a dry Heat! ) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 24, 2009 Staff ID:148020 Share Posted October 24, 2009 Glad I could help. Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
STJr Posted October 24, 2009 Author ID:148042 Share Posted October 24, 2009 Hi Miekie!I will do as you suggest.Signing off.just Steve.... Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 24, 2009 Staff ID:148045 Share Posted October 24, 2009 You're most welcome Link to post Share on other sites More sharing options...
STJr Posted October 25, 2009 Author ID:148437 Share Posted October 25, 2009 Hi Miekie!One last question. Every time I launch IE8, Malwarebytes Anti-Malware is doing its job because the icon in the System Tray pops up a message box stating... Malwarebytes Anti-Malware successfully blocked access to malicious IP 66.235.126.52 The same pop-up message is then displayed for two more IP Addresses; 66.235.126.68 and 66.235.126.122. Is there something I can do that would stop IE8 (it appears that IE8 is the culprit that is trying to make the connection because of the word TO in the pop-up message box) from attempting to access these IP Addresses?SteveMesa, AZPS, I searched the MalwareBytes forum for 66.235.126. etc and found one entry that stated that the IP Addresses represent IAC-something. Did a Google search for IAC and did not find a clear answer of what IAC is and what problems they are responsible for causing, or why MY latop would want to connect to their IP Addresses.Hope you can help! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 25, 2009 Staff ID:148501 Share Posted October 25, 2009 Hi,This is a connection that is being made through your IE8.This may be related with your startpage though, because I get the same when I visit your startpage http://www.excite.com/Malwarebytes probably blocks a certain unwanted advertisement there.What you can do is changing your startpage in IE8 to www.google.com or any other site you prefer. Link to post Share on other sites More sharing options...
STJr Posted October 26, 2009 Author ID:148702 Share Posted October 26, 2009 HI Miekie;I changed the start page to Google, exited IE8, rebooted the laptop and started IE8 which opened Google's home page. When Google's page loaded, MalwareBytes Anti-Malware still issued pop-up message indicating it blocked communication to the 66.235. IP Addresses. I'm thinking it's time to reinstall IE. That should take are of it.Please let me know your thoughts on this approach when you can.Thanks...you ARE the BEST! Steve Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 26, 2009 Staff ID:148778 Share Posted October 26, 2009 Hi,No need to reinstall IE8 though..Just restore it to the default settings again.http://support.microsoft.com/kb/923737But I wouldn't worry too much here though. Also read here: http://www.malwarebytes.org/forums/index.php?showtopic=21076The IPs being flagged are part of the IAC network. They aren't all bad It could be possible that your MasterCook IE addition makes connection to that IP. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted October 31, 2009 Staff ID:151900 Share Posted October 31, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts