
MS Juan keeps reappearing



I have run:

  1. Spybot Search & Destroy
  2. Malwarebytes' Anti-Malware (Log attached)
  3. PandaActive Scan (Log attached)
  4. HiJack This (Log Attached)

However, when I reboot and scan with Malware (registered copy) it shows the MS Juan entry in the registry again.

Help Please.

Malwarebytes' Anti-Malware 1.18

Database version: 881

10:24:13 AM 6/23/2008

mbam-log-6-23-2008 (10-24-13).txt

Scan type: Quick Scan

Objects scanned: 61323

Time elapsed: 12 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Data\Mozilla\Firefox\Profiles\3irbxuyk.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Dodson\Application Data\Mozilla\Firefox\Profiles\3irbxuyk.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Dodson\Application Data\Mozilla\Firefox\Profiles\3irbxuyk.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Dodson\Application Data\Mozilla\Firefox\Profiles\3irbxuyk.default\cookies.txt[.adultfriendfinder.com/]

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Linda\Cookies\linda@atwola[1].txt

00417513 Generic Adware Spyware No 0 No No C:\Documents and Settings\Dodsoncn\Local Settings\Temp\2CF3BI7P\uesetup\presetup\UltraEditTBSetup.exe[

ActiveScan.txt

mbam_log_6_23_2008__10_24_13_.txt

hijackthis_log.txt


Edited by JeanInMontana
place logs in line

Hi subvet646 and welcome to Malwarebytes. Please make sure you are running as the administrator of the machine and that you have enabled immediate email reply to your posts. Also make sure Malwarebytes.org is in your email safe or allowed list.

The following items are malware and must be fixed

  • The following explains how to remove items from your computer that are malware. These items must be fixed!
    • Please set your system to show all files:
      Click Start.
      Open My Computer.
      Select the Tools menu and click Folder Options.
      Select the View Tab.
      Under the Hidden files and folders heading select Show hidden files and folders.
      Uncheck the Hide protected operating system files (recommended) option.
      Click Yes to confirm.
      Click OK.
    • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
      O2 - BHO: {66d36937-ab65-42a8-5ee4-b533346dc05b} - {b50cd643-335b-4ee5-8a24-56ba73963d66} - C:\WINDOWS\system32\nuwchgtk.dll
      O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
      O4 - Startup: PowerReg Scheduler.exe
      O15 - Trusted Zone: *.gomyhit.com (HKLM)
      O15 - Trusted Zone: *.imageservr.com (HKLM)
      O15 - Trusted Zone: *.imagesrvr.com (HKLM)
      O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
      Click on Fix Checked when finished and exit HijackThis.
    • Reboot into Safe Mode: begin clicking the F8 key as soon as you reboot and then choose the option for safe mode. Don't be alarmed when you see a drastically changed desktop and missing icons and programs running. This is normal for Safe Mode.
      Using Windows Explorer, locate the following files/folders, and delete them:
      SOUNDMAN.EXE
      O4 - Startup: PowerReg Scheduler.exe
      Exit Explorer, and reboot as normal afterwards.
      If you were unable to find any of the files then please follow these additional instructions:
      Download Pocket Killbox and unzip it; save it to your Desktop.
      Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
      The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
      Let the system reboot.

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.

Post back a fresh HijackThis log and we will take another look. Please copy and paste the log into the body of your reply rather than attach it.

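Added example, not part of either post above: since the reported problem is an entry that comes back after reboot and the helper asks for a fresh HijackThis log, this sketch checks which of the flagged entries are still present in a later log. The flagged lines are copied from the reply; the fresh log is constructed for illustration, and the function names are hypothetical.

```python
import re

# HijackThis entry lines look like "<section code> - <details>".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

# Entries the helper asked to have fixed, copied from the reply above.
FLAGGED = r"""
O2 - BHO: {66d36937-ab65-42a8-5ee4-b533346dc05b} - {b50cd643-335b-4ee5-8a24-56ba73963d66} - C:\WINDOWS\system32\nuwchgtk.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
"""

# CONSTRUCTED post-reboot log (not from the thread): two flagged entries are
# back with different case/spacing, next to an unrelated made-up entry.
FRESH_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: {66D36937-AB65-42A8-5EE4-B533346DC05B} - {b50cd643-335b-4ee5-8a24-56ba73963d66} - c:\windows\system32\nuwchgtk.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O15 - Trusted Zone:  *.gomyhit.com (HKLM)
"""

def parse_entries(text):
    """Return {normalized_key: (section, original_details)} for each entry line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, details = m.groups()
            # Registry and file names are case-insensitive; collapse whitespace too.
            key = (section, " ".join(details.split()).casefold())
            entries[key] = (section, details)
    return entries

def persisting(flagged_text, fresh_text):
    """Group flagged entries that still appear in the fresh log by section code."""
    fresh = parse_entries(fresh_text)
    found = {}
    for key, (section, details) in parse_entries(flagged_text).items():
        if key in fresh:
            found.setdefault(section, []).append(details)
    return found

if __name__ == "__main__":
    print(persisting(FLAGGED, FRESH_LOG))
```

An empty result means none of the flagged entries survived the reboot; anything listed points at a component that is still re-creating it.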

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help, start your own topic and someone will be happy to assist you.
