zkid Posted February 29, 2008 ID:14066 Share Posted February 29, 2008 Hi Folks,I have been battling what appears to be the vundo trojan and need some help. Through various research and trials I stumbled on Malwarebyte, which recognizes bad registry entries. Malwarebyte cleans the entries, and a re-scan verifies. However, as soon as I run Internet Explorer, I get pops and the registry entries are back. Here is the Malwarebyte log after infection:==========================Malwarebytes' Anti-Malware 1.05Database version: 405Scan type: Quick ScanObjects scanned: 44247Time elapsed: 11 minute(s), 16 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)==============================Any ideas? Posted is the hijackthis log AFTER a Malwarebyte scan and clean and before running IE to get re-infected.==============================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:04:36 AM, on 2/29/2008Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS2\system32\spoolsv.exeC:\Program Files\Network Associates\VirusScan\Avsynmgr.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeC:\WINDOWS2\System32\HPZipm12.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exeC:\WINDOWS2\Explorer.EXEC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Network Associates\VirusScan\VsStat.exeC:\Program Files\Network Associates\VirusScan\Vshwin32.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\ATI\Catalyst Media Center\CMCService.exeC:\Program Files\Java\jre1.5.0_03\bin\jucheck.exeC:\WINDOWS2\System32\igfxtray.exeC:\WINDOWS2\System32\hkcmd.exeC:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exeC:\Program Files\TiVo\Desktop\TiVoNotify.exeC:\Program Files\TiVo\Desktop\TiVoServer.exeC:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\PROGRA~1\MICROS~4\rapimgr.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeC:\WINDOWS2\System32\rundll32.exeC:\WINDOWS2\System32\wuauclt.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocxO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS2\system32\NeroCheck.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXEO4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS2\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\System32\hkcmd.exeO4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransferO4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotifyO4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServerO4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO15 - Trusted Zone: *.avsystemcare.comO15 - Trusted Zone: *.gomyhit.comO15 - Trusted Zone: *.imageservr.comO15 - Trusted Zone: *.imagesrvr.comO15 - Trusted Zone: *.onerateld.comO15 - Trusted Zone: *.safetydownload.comO15 - Trusted Zone: *.storageguardsoft.comO15 - Trusted Zone: *.trustedantivirus.comO15 - Trusted Zone: *.virusschlacht.comO15 - Trusted Zone: *.amaena.com (HKLM)O15 - Trusted Zone: *.avsystemcare.com (HKLM)O15 - Trusted Zone: *.gomyhit.com (HKLM)O15 - Trusted Zone: *.imageservr.com (HKLM)O15 - Trusted Zone: *.imagesrvr.com (HKLM)O15 - Trusted Zone: *.onerateld.com (HKLM)O15 - Trusted Zone: *.safetydownload.com (HKLM)O15 - Trusted Zone: *.storageguardsoft.com (HKLM)O15 - Trusted Zone: *.trustedantivirus.com (HKLM)O15 - Trusted Zone: *.virusschlacht.com (HKLM)O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189199683046O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeO23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeO23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\HPZipm12.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe--End of file - 10054 bytes==================================This is the hijackthis log after infection================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:23:47 AM, on 2/29/2008Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS2\system32\spoolsv.exeC:\Program Files\Network Associates\VirusScan\Avsynmgr.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeC:\WINDOWS2\System32\HPZipm12.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exeC:\WINDOWS2\Explorer.EXEC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Network Associates\VirusScan\VsStat.exeC:\Program Files\Network Associates\VirusScan\Vshwin32.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\ATI\Catalyst Media Center\CMCService.exeC:\Program Files\Java\jre1.5.0_03\bin\jucheck.exeC:\WINDOWS2\System32\igfxtray.exeC:\WINDOWS2\System32\hkcmd.exeC:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exeC:\Program Files\TiVo\Desktop\TiVoNotify.exeC:\Program Files\TiVo\Desktop\TiVoServer.exeC:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\PROGRA~1\MICROS~4\rapimgr.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeC:\WINDOWS2\System32\rundll32.exeC:\WINDOWS2\System32\wuauclt.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocxO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS2\system32\NeroCheck.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXEO4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS2\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\System32\hkcmd.exeO4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransferO4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotifyO4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServerO4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO15 - Trusted Zone: *.avsystemcare.comO15 - Trusted Zone: *.gomyhit.comO15 - Trusted Zone: *.imageservr.comO15 - Trusted Zone: *.imagesrvr.comO15 - Trusted Zone: *.onerateld.comO15 - Trusted Zone: *.safetydownload.comO15 - Trusted Zone: *.storageguardsoft.comO15 - Trusted Zone: *.trustedantivirus.comO15 - Trusted Zone: *.virusschlacht.comO15 - Trusted Zone: *.amaena.com (HKLM)O15 - Trusted Zone: *.avsystemcare.com (HKLM)O15 - Trusted Zone: *.gomyhit.com (HKLM)O15 - Trusted Zone: *.imageservr.com (HKLM)O15 - Trusted Zone: *.imagesrvr.com (HKLM)O15 - Trusted Zone: *.onerateld.com (HKLM)O15 - Trusted Zone: *.safetydownload.com (HKLM)O15 - Trusted Zone: *.storageguardsoft.com (HKLM)O15 - Trusted Zone: *.trustedantivirus.com (HKLM)O15 - Trusted Zone: *.virusschlacht.com (HKLM)O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189199683046O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeO23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeO23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\HPZipm12.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe--End of file - 10103 bytesThanks! Link to post Share on other sites More sharing options...
JeanInMontana Posted February 29, 2008 ID:14089 Share Posted February 29, 2008 Hi zkid and welcome to Malwarbytes. Your not *reinfecting* you have never removed it. The MBAM log clearly shows no action was ever taken.Run a full system scan after updating MBAM, your version of the definitions is way outdated, and be sure you click *remove selected* when the scan is completed.Also please follow the directions at the top of this forum for pre-HJT posting and post those logs. Link to post Share on other sites More sharing options...
zkid Posted February 29, 2008 Author ID:14106 Share Posted February 29, 2008 (edited) Sorry for the confusion - the Malwarebyte log I posted is just before clicking the "remove selected" button. A rescan after removal shows no items infected. However I will take the steps you suggested and post all logs. Thanks for your help. Edited March 1, 2008 by JeanInMontana Remove quote Link to post Share on other sites More sharing options...
JeanInMontana Posted March 1, 2008 ID:14155 Share Posted March 1, 2008 Ahh I see. We are interested in what was removed. What may be left to remove etc. Be sure to update everything before you scan. MBAM has been updated again. Malware updates also. We need to be sure you got everything. Vundo is extra nasty and can be very hard to remove. Link to post Share on other sites More sharing options...
zkid Posted March 3, 2008 Author ID:14232 Share Posted March 3, 2008 Here are those logs after first running an updated Spybot S&D. Thanks!========================== MalwareByte full scan===========================Malwarebytes' Anti-Malware 1.05Database version: 441Scan type: Full Scan (A:\|C:\|D:\|F:\|)Objects scanned: 269708Time elapsed: 2 hour(s), 0 minute(s), 21 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Shawn\Local Settings\Temp\xrun.exe (Trojan.Downloader) -> Quarantined and deleted successfully.============================== Panda Scan =====================================Incident Status Location Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS2\System32\qgcuipps.dll Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Guest\Cookies\guest@go[2].txt Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Guest\Cookies\guest@mysearch[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[2].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\qtly6zlx.default\cookies.txt[.advertising.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\qtly6zlx.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\qtly6zlx.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\qtly6zlx.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\qtly6zlx.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@advertising[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@atwola[2].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@com[1].txt Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@enhance[2].txt Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@findwhat[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Shawn\Cookies\shawn@overture[1].txt Potentially unwanted tool:Application/MyWay Not disinfected C:\downloads\HJT\backups\backup-20061129-131344-590.dll Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc492.txt Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc496.txt Spyware:Cookie/Com.com Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc502.txt Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc506.txt Spyware:Cookie/Go Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc516.txt Spyware:Cookie/Overture Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc543.txt Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\S-1-5-21-3839753570-1176159098-366014140-1003\Dc554.txt Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-515967899-179605362-725345543-1004\Dc197.exe Potentially unwanted tool:Application/MyWay Not disinfected C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP798\A0073174.exe Potentially unwanted tool:Application/MyWay Not disinfected C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP842\A0080671.DLL Virus:Generic Malware Disinfected C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS2\system32\fxgrrwaa.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS2\system32\gsiofhus.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS2\system32\yontnnpi.dll Virus:Generic Malware Disinfected D:\Backup\Office2003\Extras\MathType 5.1\mtype_v5_1_keygen.exe Virus:X97M/Laroux.A Disinfected Old Personal Folders\Deleted Items\Marketing\User Group\RE: JDE User Group - Response\All Meetings - 1998.xls Virus:W97M/Class.D Disinfected Old Personal Folders\Properties\Property for Sale\Thompson.doc Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\dfg\Cookies\dfg@atdmt[1].txt Adware:Adware/SurfAccuracy Not disinfected D:\Program Files\SurfAccuracy\SAcc.exe Adware:Adware/SurfAccuracy Not disinfected D:\Program Files\SurfAccuracy\SAccU.exe Spyware:Generic Adware Not disinfected D:\WINDOWS\Downloaded Program Files\ysbactivex.dll Adware:Adware/SurfAccuracy Not disinfected D:\WINDOWS\qiovh.exe ============================== HJT log =======================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:43:42 PM, on 3/2/2008Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS2\system32\spoolsv.exeC:\Program Files\Network Associates\VirusScan\Avsynmgr.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeC:\WINDOWS2\System32\HPZipm12.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Network Associates\VirusScan\VsStat.exeC:\Program Files\Network Associates\VirusScan\Vshwin32.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Network Associates\VirusScan\Avconsol.exeC:\WINDOWS2\Explorer.EXEC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS2\System32\wuauclt.exeC:\Program Files\ATI\Catalyst Media Center\CMCService.exeC:\WINDOWS2\System32\igfxtray.exeC:\Program Files\Java\jre1.5.0_03\bin\jucheck.exeC:\WINDOWS2\System32\hkcmd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exeC:\Program Files\TiVo\Desktop\TiVoNotify.exeC:\Program Files\TiVo\Desktop\TiVoServer.exeC:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exeC:\PROGRA~1\MICROS~4\rapimgr.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS2\System32\rundll32.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\WINDOWS2\system32\NOTEPAD.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPVIEW.EXEC:\WINDOWS2\System32\WISPTIS.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocxO4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS2\system32\NeroCheck.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXEO4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS2\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\System32\hkcmd.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransferO4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotifyO4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServerO4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO15 - Trusted Zone: *.gomyhit.comO15 - Trusted Zone: *.imageservr.comO15 - Trusted Zone: *.imagesrvr.comO15 - Trusted Zone: *.storageguardsoft.comO15 - Trusted Zone: *.gomyhit.com (HKLM)O15 - Trusted Zone: *.imageservr.com (HKLM)O15 - Trusted Zone: *.imagesrvr.com (HKLM)O15 - Trusted Zone: *.storageguardsoft.com (HKLM)O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189199683046O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeO23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeO23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\HPZipm12.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe--End of file - 10461 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted March 3, 2008 ID:14262 Share Posted March 3, 2008 Reformatting and installing SP2 is your best option IMO. I don't often do this but you have so much going on that is so very bad and you don't have SP2 installed. We can't update you to SP2 until your clean, and the infections you have are of the sort that allow access to your information by outside sources. You have been totally compromised and there is no guarantee we can get it all. You should contact all financial institutions immediately and change passwords to sensitive sites. You also have a way outdated Java and a known security risk. We can give it a try to clean the system, but I really think in your case starting from scratch is best. Let me know what you want to do. If this is a networked machine disconnect ASAP and scan the other machines. Link to post Share on other sites More sharing options...
zkid Posted March 4, 2008 Author ID:14280 Share Posted March 4, 2008 I have done full Spybot, MalwareByte and Panda scans of all other machines in the house (4 of them) and while a few thing were picked up on my sons machine, there are no signs of vundo on those machines. No unwanted pops, no dlls, no registry entries. I can post the logs for any/all of those machines if you wish. So anyway I would like to try to take a run at cleaning this machine if you are willing. Thanks! Link to post Share on other sites More sharing options...
JeanInMontana Posted March 5, 2008 ID:14299 Share Posted March 5, 2008 OK we can proceed. However reformat would be safer and faster. If you want logs from the other machines analyzed please start a new topic for each machine. If they were not directly networked to this machine they may be ok.First let's keep this machine off active surfing for now. Your Java is way out dated and needs updating it is a version known to allow exploits. Run HJT in scan only mode and put a check next to these items then click fix.O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O15 - Trusted Zone: *.gomyhit.comO15 - Trusted Zone: *.imageservr.comO15 - Trusted Zone: *.imagesrvr.comO15 - Trusted Zone: *.storageguardsoft.comO15 - Trusted Zone: *.gomyhit.com (HKLM)O15 - Trusted Zone: *.imageservr.com (HKLM)O15 - Trusted Zone: *.imagesrvr.com (HKLM)O15 - Trusted Zone: *.storageguardsoft.com (HKLM)Please download VundoFix.exeto your desktop. http://www.atribune.org/ccount/click.php?id=4 * Double-click VundoFix.exe to run it. * Click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. * Please post the contents of C:\vundofix.txt and a new HiJackThis log.Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the aboveinstructions starting from "Click the Scan for Vundo button." whenVundoFix appears at reboot.MBAM is outdated. Be sure you update this program before every scan. It often updates multiple times in a day. 451 is current definition version as I write this. Please update and scan again with it and post the log and a new HJT log. Link to post Share on other sites More sharing options...
zkid Posted March 5, 2008 Author ID:14304 Share Posted March 5, 2008 OK - HJT Scan and Fix was doneDownloaded VundoFix and ran - it found nothing to fixNo surfing - posted this from another machine========= MBAM Full Scan Log =======================Malwarebytes' Anti-Malware 1.05Database version: 451Scan type: Full Scan (C:\|D:\|)Objects scanned: 262229Time elapsed: 1 hour(s), 56 minute(s), 42 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 3Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)==================== Latest HJT Log ================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:55:02 PM, on 3/4/2008Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\winlogon.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\svchost.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS2\system32\spoolsv.exeC:\Program Files\Network Associates\VirusScan\Avsynmgr.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeC:\WINDOWS2\System32\HPZipm12.exeC:\WINDOWS2\System32\svchost.exeC:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Network Associates\VirusScan\VsStat.exeC:\Program Files\Network Associates\VirusScan\Vshwin32.exeC:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeC:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeC:\Program Files\Network Associates\VirusScan\Avconsol.exeC:\WINDOWS2\Explorer.EXEC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\ATI\Catalyst Media Center\CMCService.exeC:\WINDOWS2\System32\igfxtray.exeC:\WINDOWS2\System32\hkcmd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exeC:\Program Files\TiVo\Desktop\TiVoNotify.exeC:\WINDOWS2\System32\rundll32.exeC:\Program Files\TiVo\Desktop\TiVoServer.exeC:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exeC:\PROGRA~1\MICROS~4\rapimgr.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeC:\WINDOWS2\System32\cmd.exeC:\WINDOWS2\System32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocxO4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS2\system32\NeroCheck.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXEO4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS2\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS2\System32\hkcmd.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransferO4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotifyO4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServerO4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189199683046O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exeO23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exeO23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\HPZipm12.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe--End of file - 9698 bytes=================== end =============================== Link to post Share on other sites More sharing options...
JeanInMontana Posted March 5, 2008 ID:14350 Share Posted March 5, 2008 Hi again. Even if you don't see that Vundo fix finds a problem I want the log posted please. You still have Vundo. You have a bunch of other crap too. At some point you used Combofix? Please don't use tools without being requested to do so. this can cause the stuff we are after to mutate to a new form and makes it that much harder to find and get rid of.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Press Control-Alt-Del to enter the Task Manager.Click on the Processes tab and end the following processes:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\spoolsv.exeC:\WINDOWS2\Explorer.EXEC:\WINDOWS2\System32\cmd.exeC:\WINDOWS2\System32\wuauclt.exeExit the Task Manager when finished.Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:O2 - BHO: {608cb0ac-ee84-bc68-8b54-34eaf777fff5} - {5fff777f-ae43-45b8-86cb-48eeca0bc806} - C:\WINDOWS2\System32\qgcuipps.dllO4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXEClick on Fix Checked when finished and exit HijackThis.Reboot into Safe Mode: by contunually tapping the F8 key as soon as you restart your machine.Using Windows Explorer, locate the following files/folders, and delete them:C:\WINDOWS2\System32\smss.exeC:\WINDOWS2\system32\services.exeC:\WINDOWS2\system32\lsass.exeC:\WINDOWS2\system32\spoolsv.exeC:\WINDOWS2\Explorer.EXEC:\WINDOWS2\System32\cmd.exe C:\WINDOWS2\System32\wuauclt.exeALCXMNTR.EXEExit Explorer, and reboot as normal afterwards.If you were unable to find any of the files then please follow these additional instructions:Download Pocket Killbox and unzip it; save it to your Desktop.Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.Let the system reboot.Post back a fresh HijackThis log and we will take another look. Link to post Share on other sites More sharing options...
zkid Posted March 6, 2008 Author ID:14374 Share Posted March 6, 2008 No I did not run combofix. I'm pretty sure it's never been on this machine.You can't stop those first four services - Windows tells you to go pound sandDid the HJT fix thingyI was skeptical about deleting those files. smss, services, explorer, etc - pretty basic windows services - that's why you cant stop them.But kill box does it's job - it didn't work exactly like you said. When I followed your steps nothing was deleted after reboot. However it has this option to backup and delete now. Except when you delete services.exe, windows "NT Agent" or something tells you it is shutting down. Then when you reboot you go into this circular reboot cycle. I had to go to Windows XP repair to get the box back. And my D drive is corrupted - what fun!Thanks for your time and your good intentions and you can say "I told you so". I'll go ahead and scrape everything off, reinstall and rebuild. I will update from XP1 to XP2, and get my JRE up-to-date. If you have other suggestions about blocking malware that Network Associates virusscan won't block, let me know. Thanks again for your time. Link to post Share on other sites More sharing options...
JeanInMontana Posted March 6, 2008 ID:14416 Share Posted March 6, 2008 They are basic services if they are the actual Windows files. Malware also uses these same names and every thing I used to determine what they were said they were bad. I really think reformatting in this case is the best route to go. I do have suggestions for you to prevent future infections and you should implement them on all your machines connected to the WWW. Note these are all free programs.Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. I use Online - Armor from Tall Emu and love it.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. MBAM SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHosts Link to post Share on other sites More sharing options...
JeanInMontana Posted March 11, 2008 ID:14656 Share Posted March 11, 2008 Since this topic has been resolved it will now be closed.. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts