jekyll Posted June 22, 2008 ID:20878 Share Posted June 22, 2008 Hello,i have ran your rogueremover and successfully got rid of xpsecurtirycenter (unexpected... great tool) but just can't get rid of this Antivirus 2008. According to google search, several articles states that it's a rogue. I tried searching your past post but i couldn't really find anything ... please advise. (T^T========Malwarebytes' Anti-Malware 1.18Database version: 87610:09:44 PM 6/21/2008mbam-log-6-21-2008 (22-09-44).txtScan type: Full Scan (C:\|)Objects scanned: 59981Time elapsed: 5 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC (Rogue.Installer) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Walden Research\Desktop\AntvrsInstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.===========Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:12:57 PM, on 6/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\DrvMon.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Antivirus2008y\antvrs.exeC:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NOO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Antivirus2008y] C:\Program Files\Antivirus2008y\antvrs.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO20 - AppInit_DLLs: cru629.dat--End of file - 2712 bytes===========;***********************************************************************************************************************************************************************************ANALYSIS: 2008-06-21 22:02:34PROTECTIONS: 0MALWARE: 32SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.trafficmp.com/]00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.trafficmp.com/]00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.trafficmp.com/]00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.trafficmp.com/]00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.trafficmp.com/]00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.casalemedia.com/]00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.casalemedia.com/]00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.casalemedia.com/]00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.doubleclick.net/]00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.doubleclick.net/]00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.atdmt.com/]00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.tradedoubler.com/]00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.247realmedia.com/]00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.fastclick.net/]00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.fastclick.net/]00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.fastclick.net/]00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.tribalfusion.com/]00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.tribalfusion.com/]00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.tribalfusion.com/]00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.tribalfusion.com/]00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.mediaplex.com/]00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.mediaplex.com/]00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.com.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statcounter.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[ad.yieldmanager.com/]00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[ad.yieldmanager.com/]00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.burstnet.com/]00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.burstnet.com/]00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Cookies\walden research@bs.serving-sys[2].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[www.burstbeacon.com/]00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[server.iad.liveperson.net/hc/27854455]00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[server.iad.liveperson.net/]00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[server.iad.liveperson.net/hc/LPneimanmarcus]00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[server.iad.liveperson.net/]00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[server.iad.liveperson.net/hc/89841647]00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[stat.onestat.com/]00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Cookies\walden research@stat.onestat[2].txt00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[stat.onestat.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.advertising.com/]00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Cookies\walden research@statse.webtrendslive[2].txt00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[statse.webtrendslive.com/]00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.statse.webtrendslive.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.pointroll.com/]00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.overture.com/]00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.overture.com/]00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.overture.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.realmedia.com/]00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.questionmarket.com/]00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.questionmarket.com/]00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.zedo.com/]00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.zedo.com/]00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.zedo.com/]00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.bluestreak.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.adrevolver.com/]00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.target.com/]00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.target.com/]00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.did-it.com/]00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.did-it.com/]00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.did-it.com/]00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Application Data\Mozilla\Firefox\Profiles\7bw5zzie.default\cookies.txt[.ads.addynamix.com/]01196326 Cookie/GoClick TrackingCookie No 0 Yes No C:\Documents and Settings\Walden Research\Cookies\walden research@goclick[2].txt02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{0B9F3EE7-BC34-48CE-80F9-B1F4A13F2980}\RP210\A0009037.sys02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{0B9F3EE7-BC34-48CE-80F9-B1F4A13F2980}\RP210\A0009038.sys03099613 Adware/XPSecurityCenter Adware No 0 Yes No C:\Documents and Settings\Walden Research\Local Settings\Temp\Binaries1.zip[XPSecurityCenter.exe];===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;=================================================================================================================================================================================== 184380 MEDIUM MS08-002 184379 MEDIUM MS08-001 182048 HIGH MS07-069 182046 HIGH MS07-067 182043 HIGH MS07-064 179553 HIGH MS07-061 176382 HIGH MS07-057 176383 HIGH MS07-058 170911 HIGH MS07-050 170907 HIGH MS07-046 170906 HIGH MS07-045 170904 HIGH MS07-043 164915 HIGH MS07-035 164913 HIGH MS07-033 164911 HIGH MS07-031 160623 HIGH MS07-027 157262 HIGH MS07-022 157261 HIGH MS07-021 157260 HIGH MS07-020 157259 HIGH MS07-019 156477 HIGH MS07-017 150253 HIGH MS07-016 150249 HIGH MS07-013 150248 HIGH MS07-012 150247 HIGH MS07-011 150243 HIGH MS07-008 150242 HIGH MS07-007 150241 MEDIUM MS07-006 141034 HIGH MS06-076 141033 MEDIUM MS06-075 141030 HIGH MS06-072 137571 HIGH MS06-070 137568 HIGH MS06-067 133387 MEDIUM MS06-065 133386 MEDIUM MS06-064 133385 MEDIUM MS06-063 133379 HIGH MS06-057 131654 HIGH MS06-055 129977 MEDIUM MS06-053 129976 MEDIUM MS06-052 126093 HIGH MS06-051 126092 MEDIUM MS06-050 126087 HIGH MS06-046 126086 MEDIUM MS06-045 126083 HIGH MS06-042 126082 HIGH MS06-041 126081 HIGH MS06-040 123421 HIGH MS06-036 123420 HIGH MS06-035 120825 MEDIUM MS06-032 120823 MEDIUM MS06-030 120818 HIGH MS06-025 120815 HIGH MS06-022 120814 HIGH MS06-021 117384 MEDIUM MS06-018 114666 HIGH MS06-015 114664 HIGH MS06-013 108744 MEDIUM MS06-008 108743 MEDIUM MS06-007 108742 MEDIUM MS06-006 104567 HIGH MS06-002 104237 HIGH MS06-001 96574 HIGH MS05-053 93395 HIGH MS05-051 93394 HIGH MS05-050 93454 MEDIUM MS05-049 ;=================================================================================================================================================================================== Link to post Share on other sites More sharing options...
JeanInMontana Posted June 22, 2008 ID:20907 Share Posted June 22, 2008 Hi jekyll and welcome to Malwarebytes. Did you run the HJT scan before or after the MBAM scan? Your log is showing malware that MBAM takes out with no problems. Please update MBAM scan again post that log and then scan with HJT and post that log. Always post the HJT log after any removal scans. I also see no signs of an anti virus program or firewall. Your Adobe Reader is seriously outdated and a security risk. Get the current version 8 please. Link to post Share on other sites More sharing options...
jekyll Posted June 23, 2008 Author ID:20954 Share Posted June 23, 2008 Hi jekyll and welcome to Malwarebytes. Did you run the HJT scan before or after the MBAM scan? Your log is showing malware that MBAM takes out with no problems. Please update MBAM scan again post that log and then scan with HJT and post that log. Always post the HJT log after any removal scans. I also see no signs of an anti virus program or firewall. Your Adobe Reader is seriously outdated and a security risk. Get the current version 8 please.Hi JeanInMontana,Thanks for your advice. I thought i ran HJT after the scan, but i will do the procedure again. I use to have Mcafee but i think it expired... will fix that and Adobe. I am currently not at home and will be back end of this week. Will update the post on Thursday. Again, much thanks for your help =)Jekyll Link to post Share on other sites More sharing options...
JeanInMontana Posted June 23, 2008 ID:20967 Share Posted June 23, 2008 OK great. There is no sign of McAfee in your log. If you are not stuck on using it, I would recommend a better and free alternative. Avira or Avast are both much better and free. I personally use Avira and really like it. Low resource use and FREE....LOL Link to post Share on other sites More sharing options...
jekyll Posted June 29, 2008 Author ID:21419 Share Posted June 29, 2008 OK great. There is no sign of McAfee in your log. If you are not stuck on using it, I would recommend a better and free alternative. Avira or Avast are both much better and free. I personally use Avira and really like it. Low resource use and FREE....LOLHi JeanInMontana,My apologies for the delay. Per your direction i've updated the Adobe Reader and have ran the MBAM (after update) and lastely the HJT. The Avira is great! it keeps detecting Trojan... ( Is my computer that infected!!!???) i kept pressing delete. From the MBAM it detected the AntiVirus2008 and now i don't see it on the program!! =D Hopefully, it is completely gone. Here are the logs:Malwarebytes' Anti-Malware 1.19Database version: 904Windows 5.1.2600 Service Pack 22:57:19 PM 6/29/2008mbam-log-6-29-2008 (14-57-19).txtScan type: Full Scan (C:\|)Objects scanned: 61762Time elapsed: 12 minute(s), 46 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 3Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Program Files\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Walden Research\Application Data\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Walden Research\Start Menu\Antivirus2008y (Rogue.Antivirus2008) -> Quarantined and deleted successfully.Files Infected:C:\Program Files\Antivirus2008y\antvrs.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Walden Research\Start Menu\Antivirus2008y\Antivirus 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Walden Research\Start Menu\Antivirus2008y\Uninstall Antivirus 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.----Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:58:06 PM, on 6/29/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\DrvMon.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeC:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exeC:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NOO4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO20 - AppInit_DLLs: cru629.datO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 30, 2008 ID:21501 Share Posted June 30, 2008 hi there. OK you are and were infected. MBAM took a bunch. Download Pocket Killbox and unzip it; save it to your Desktop.Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. You will paste C:\Windows\system32\cru629.dat .The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.Let the system reboot. Update MBAM and run a quick scan again and post a new HJT log. Let me know how your running. Link to post Share on other sites More sharing options...
jekyll Posted July 1, 2008 Author ID:21560 Share Posted July 1, 2008 hi there. OK you are and were infected. MBAM took a bunch. Download Pocket Killbox and unzip it; save it to your Desktop.Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. You will paste C:\Windows\system32\cru629.dat .The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.Let the system reboot. Update MBAM and run a quick scan again and post a new HJT log. Let me know how your running.Hi JeanInMontana,I've done the Killbox and deleted the files that kept popping up. Then the MBAM following through with the HJT. Log pasted below. it seems like the system is running great, that is ofcourse, unless you catch anything suspecious.Malwarebytes' Anti-Malware 1.19Database version: 910Windows 5.1.2600 Service Pack 29:41:34 PM 6/30/2008mbam-log-6-30-2008 (21-41-34).txtScan type: Full Scan (C:\|)Objects scanned: 62188Time elapsed: 9 minute(s), 44 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:42:13 PM, on 6/30/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\DrvMon.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeC:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NOO4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO20 - AppInit_DLLs: cru629.datO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted July 1, 2008 ID:21580 Share Posted July 1, 2008 O20 - AppInit_DLLs: cru629.dat <========== Still there. I'll get back to you jekyl, after I get to work on this. For now update MBAM again, run a Quick scan. Post a new HJT log and the MBAM log please. Link to post Share on other sites More sharing options...
nosirrah Posted July 1, 2008 ID:21631 Share Posted July 1, 2008 That appinit dll is likely gone , HJT I dont think can tell , should have a (file not found) but it does not .Kill that line and reboot , see if HJT sees it again . MBAM has this isn defs but only if the file is there . Link to post Share on other sites More sharing options...
jekyll Posted July 1, 2008 Author ID:21656 Share Posted July 1, 2008 That appinit dll is likely gone , HJT I dont think can tell , should have a (file not found) but it does not .Kill that line and reboot , see if HJT sees it again . MBAM has this isn defs but only if the file is there .Hello Guys,So... Just to confirm. I should putC:\Windows\system32\cru629.dat again to the killbox and reboot, then HJT?Jekyll Link to post Share on other sites More sharing options...
jekyll Posted July 1, 2008 Author ID:21661 Share Posted July 1, 2008 O20 - AppInit_DLLs: cru629.dat <========== Still there. I'll get back to you jekyl, after I get to work on this. For now update MBAM again, run a Quick scan. Post a new HJT log and the MBAM log please. MBAM updated and scanned. HJT log also copied below. I did not run killbox this time.Malwarebytes' Anti-Malware 1.19Database version: 913Windows 5.1.2600 Service Pack 24:41:45 PM 7/1/2008mbam-log-7-1-2008 (16-41-45).txtScan type: Full Scan (C:\|)Objects scanned: 54043Time elapsed: 9 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)-----Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:46:44 PM, on 7/1/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exeC:\Program Files\Java\jre1.6.0_06\bin\jusched.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\DrvMon.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeC:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\WINDOWS\system32\zstatus.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NOO4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO20 - AppInit_DLLs: cru629.datO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted July 2, 2008 ID:21676 Share Posted July 2, 2008 That appinit dll is likely gone , HJT I dont think can tell , should have a (file not found) but it does not .Kill that line and reboot , see if HJT sees it again . MBAM has this isn defs but only if the file is there .How do you want it killed? Kill box, delete on reboot? Also don't you think the scan time for a full scan is too fast? I keep asking for quick scan but the log shows full evey time but under 10 minuts. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 6, 2008 ID:21982 Share Posted July 6, 2008 Jekyll? What's going on? We have some final steps here before we close. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 10, 2008 ID:22417 Share Posted July 10, 2008 Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts