ulysses Posted July 16, 2008 ID:22979 Share Posted July 16, 2008 Hi. I picked up something nasty over the weekend. Ran Norton and Malwarebytes. Malwarebytes was excellent and caught a bunch of stuff. Only thing that keeps showing up is the pesky MS Juan, that I've noticed others have as well. Below are my logs. Any help wiping this thing out is GREATLY APPRECIATED. Thanks for help in advance.Malwarebytes' Anti-Malware 1.20Database version: 945Windows 5.1.2600 Service Pack 22:17:41 AM 7/15/2008mbam-log-7-15-2008 (02-17-41).txtScan type: Quick ScanObjects scanned: 42457Time elapsed: 12 minute(s), 46 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected);***********************************************************************************************************************************************************************************ANALYSIS: 2008-07-16 01:00:30PROTECTIONS: 1MALWARE: 4SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================Norton Internet Security 2006 2006 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Justin Bright\Cookies\justin_bright@ad.yieldmanager[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Justin Bright\Cookies\justin_bright@advertising[1].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Justin Bright\Cookies\justin_bright@ads.pointroll[1].txt03268358 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\hssjyayr.dll03268358 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\system32\oanpfg.dll;===================================================================================================================================================================================SUSPECTSSent Location ;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description ;===================================================================================================================================================================================;===================================================================================================================================================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:04:21 AM, on 7/16/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exeC:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Dantz\Retrospect\retrorun.exeC:\PROGRA~1\Dantz\RETROS~1\wdsvc.exeC:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\WINDOWS\SCTray.ExeC:\WINDOWS\system32\WDBtnMgr.exeC:\Program Files\Dell\QuickSet\Quickset.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exeC:\Program Files\Cisco Systems\VPN Client\vpngui.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exeC:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Microsoft Office Communicator\communicator.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\WINDOWS\system32\wisptis.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: {8f5ea10d-17d1-a4cb-6544-b2e64f617690} - {096716f4-6e2b-4456-bc4a-1d71d01ae5f8} - C:\WINDOWS\system32\oanpfg.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exeO4 - HKLM\..\Run: [socketComm] SCTray.ExeO4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')O4 - Global Startup: APC UPS Status.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cabO16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139960715531O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://captcolo.webex.com/client/v_mywebex...ort/ieatgpc.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{7A707D78-C360-4B48-9B59-6B691398C220}: NameServer = 10.10.10.101O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = captcolo.comO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeO23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exeO23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exeO23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exeO23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: WLANKEEPER - Intel Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2008 ID:23008 Share Posted July 16, 2008 Hi Ulysses and welcome to Malwarebytes. You have been stricken with the newest version of Vundo. I need you to please find these files C:\WINDOWS\system32\oanpfg.dll and C:\WINDOWS\system32\hssjyayr.dll put it in a zip file and attach here with your next post. Then delete them.Run HJT again in scan only with all programs closed. Put a check next to the items below and click fix when your done.R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comO2 - BHO: {8f5ea10d-17d1-a4cb-6544-b2e64f617690} - {096716f4-6e2b-4456-bc4a-1d71d01ae5f8} - C:\WINDOWS\system32\oanpfg.dllYou are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.Your running an outdated and unsafe version of Adobe latest version. Or get the alternative faster lighter on resources Foxit PDF Reader and Editor Look at the Downloads tab here or if you don't want to see the features etc. Use the Secunia Inspector free scan to identify risks in outdated versions of all your other softwares ie QuickTime, RealPlayer and others.Update MBAM run a quick scan and post a new log from it and from HJT. Link to post Share on other sites More sharing options...
ulysses Posted July 17, 2008 Author ID:23071 Share Posted July 17, 2008 Not getting the pop ups. Malwarebytes' Anti-Malware 1.20Database version: 960Windows 5.1.2600 Service Pack 23:20:11 AM 7/17/2008mbam-log-7-17-2008 (03-20-11).txtScan type: Quick ScanObjects scanned: 44164Time elapsed: 9 minute(s), 17 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:21:15 AM, on 7/17/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exeC:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Dantz\Retrospect\retrorun.exeC:\PROGRA~1\Dantz\RETROS~1\wdsvc.exeC:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\WINDOWS\SCTray.ExeC:\WINDOWS\system32\WDBtnMgr.exeC:\Program Files\Dell\QuickSet\Quickset.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exeC:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exeO4 - HKLM\..\Run: [socketComm] SCTray.ExeO4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')O4 - Global Startup: APC UPS Status.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cabO16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139960715531O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://captcolo.webex.com/client/v_mywebex...ort/ieatgpc.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeO23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exeO23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exeO23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exeO23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: WLANKEEPER - Intelhssjyayr.zipoanpfg.ziphssjyayr.zipoanpfg.zip Link to post Share on other sites More sharing options...
JeanInMontana Posted July 17, 2008 ID:23099 Share Posted July 17, 2008 Log looks good. MBAM has updated twice since that scan, do another update and scan with it, if nothing is found I think we got it whipped. Post the new MBAM log please. Link to post Share on other sites More sharing options...
ulysses Posted July 17, 2008 Author ID:23114 Share Posted July 17, 2008 Looks like everything is fine now. Thanks so much!Malwarebytes' Anti-Malware 1.20Database version: 962Windows 5.1.2600 Service Pack 24:32:01 PM 7/17/2008mbam-log-7-17-2008 (16-32-01).txtScan type: Quick ScanObjects scanned: 31715Time elapsed: 6 minute(s), 55 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
JeanInMontana Posted July 18, 2008 ID:23183 Share Posted July 18, 2008 Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 28, 2008 ID:23998 Share Posted July 28, 2008 Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts