intel_outside Posted September 16, 2008 ID:28016 Share Posted September 16, 2008 There have been other people with this problem, but since every computer is different, I can't follow their steps to resolution. My Hijackthis log is really long, sorry! MS Track System is usually there too, but since I had manually deleted it recently, it didn't pop up on the MAM log yet. I have been dealing with this for 3 days now. It started when I accidentally allowed AntiMalWare Guard to be downloaded. After numerous scans, I finally got it down to MS Juan and MS Track System only. Malwarebytes' Anti-Malware 1.28Database version: 1159Windows 5.1.2600 Service Pack 39/15/2008 5:35:19 PMmbam-log-2008-09-15 (17-35-19).txtScan type: Quick ScanObjects scanned: 61489Time elapsed: 7 minute(s), 54 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:17:37 PM, on 9/15/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\ISSVC.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\CfgWzSvc.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\DefWatch.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\SymSPort.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\WINDOWS\stsystra.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\NetWaiting\netWaiting.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Spybot - Search & Destroy\SpybotSD.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-itActiveScan.txthijackthis.txtActiveScan.txthijackthis.txt Link to post Share on other sites More sharing options...
JeanInMontana Posted September 16, 2008 ID:28044 Share Posted September 16, 2008 (edited) Hi there intel_outside and welcome to Malwarebytes. I need you to set your system to show all files and folders.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Now, please find these filesC:/Windows/System32/wxvault.dll C:/Windows/System32/rygdwv.dllC:/Windows/System32/mrkcza.dllC:/Windows/System32/ lbmqqz.dllCopy them all into a folder and zip it, then begin a topic here and attach the files to the post. Turn off TeaTimerOpen SB S&D Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.Click on the Tools section and then Resident.You will see two items.1. Resident "SD helper" (Internet Explorer bad download blocker.) active2. Resident "Tea Timer" (Protection of over-all system settings.) active.Uncheck number 2..Leave number 1 checked always.You can enable Tea Timer again if you wish once all special fixes have been done.Now turn off all programs not necessary and close all browsers run HJT again in scan only and put a check next to the following items and click fix.R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comO2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)O2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)O20 - Winlogon Notify: rqRKCvTL - C:\WINDOWS\Reboot the machine.As soon as we can get those files the bad one will be added to MBAM and we can finish the clean up. Edited September 16, 2008 by JeanInMontana add info Link to post Share on other sites More sharing options...
intel_outside Posted September 16, 2008 Author ID:28078 Share Posted September 16, 2008 Thanks for the help Jean! (I'm assuming that's your name )I have done everything you've asked, should I post another MBAM log? Link to post Share on other sites More sharing options...
JeanInMontana Posted September 17, 2008 ID:28104 Share Posted September 17, 2008 Great, you get to break in a brand new forum! Update MBAM and run a quick scan, show me that log and a new HJT log. I'm hoping nosirrah has had time to get to your file. Link to post Share on other sites More sharing options...
intel_outside Posted September 17, 2008 Author ID:28114 Share Posted September 17, 2008 (edited) I have excellent news! After I deleted all the stuff you told me to and I was doing various things on my computer, I accidentally turned the power strip off. At that very instant (I don't know if there is a correlation, but I swear it was at the exact moment), my Windows Defender detected a dangerous trojan, it was one of the files that you told me to send in a zip file. I went along with the procedure to remove it, and then before I could restart my computer, it detected another one of the .dll files you told me to zip! So after restarting my computer, I looked into my C:\WINDOWS\system32 file and only saw wxvault.dll was left of the 4 .dll files.I still have the zip folder on my desktop though, should I delete it? Also, MS Juan and MS Track System have disappeared! My birthday is tomorrow (or today, depending on time zone) and this is an excellent gift Here is a scotch clean MBAM scan, but I can't tell if HJT this clean... Malwarebytes' Anti-Malware 1.28Database version: 1159Windows 5.1.2600 Service Pack 39/16/2008 11:17:41 PMmbam-log-2008-09-16 (23-17-41).txtScan type: Quick ScanObjects scanned: 61581Time elapsed: 14 minute(s), 8 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:20:56 PM, on 9/16/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\ISSVC.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\CfgWzSvc.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\DefWatch.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\SymSPort.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\WINDOWS\stsystra.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\NetWaiting\netWaiting.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exec:\progra~1\common~1\instal~1\update~1\isuspm.exeC:\Program Files\Common Files\InstallShield\UpdateService\agent.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-ithijackthis2.txthijackthis2.txt Edited September 17, 2008 by JeanInMontana add HJT inline Link to post Share on other sites More sharing options...
JeanInMontana Posted September 17, 2008 ID:28140 Share Posted September 17, 2008 Happy birthday!! Yes delete the malware folder.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Link to post Share on other sites More sharing options...
intel_outside Posted September 18, 2008 Author ID:28195 Share Posted September 18, 2008 Thanks for the help! Just a small question, can you explain (with whatever technical level you want) what I deleted from my HJT log and why my Windows Firewall was suddenly able to pick the trojans up? Thanks again for the help, advice, and birthday wishes! Link to post Share on other sites More sharing options...
JeanInMontana Posted September 18, 2008 ID:28203 Share Posted September 18, 2008 All we removed with HJT was traces and redirects of your homepage. Windows Defender is not a firewall it's an antimalware program and I'm guessing it had that malware added to it's definitions. I can't be positive because I'm not sure if you can scanned with MBAM before this happened and after you had submitted the files to be added. Link to post Share on other sites More sharing options...
intel_outside Posted September 19, 2008 Author ID:28291 Share Posted September 19, 2008 Sorry to bother again, but today my Windows Defender actually caught another Trojan:Win32/Vundo.gen!R (Alert level: Severe) and the "Resource files" were (to me) some random combination of letters .dll files in C:\WINDOWS\system32, three of them. This is the same trojan that Windows Defender caught twice on Sept 16. Is this going to be a recurring thing (as in something is still in my system) or do you think that I just caught this today? I'm not going to anything out of the ordinary, just checking my email and doing a normal routine...I installed Online Armor but most of the things that pop up, I am semi confused about. Yesteday a "New Host Entry" was detected something about www.antispywareexpert.com (which I know is a bad site) wanting to be relocated my my Local Host 127.0.0.1. I denied it, but this occurred right after I did a Spybot Immunization, so I though Spybot wanted to change something. I denied it anyway. I ran a MBAM scan after Windows Defender caught the trojan today, it came out clean. Here is a HJT log, looks like those BHO (no name)'s are back. I'm sorry, I was hoping this matter was resolved Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:38:35 PM, on 9/18/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\ISSVC.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\SCardSvr.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\CfgWzSvc.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\DefWatch.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Be Secure 2007\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Be Secure 2007\Symantec Client Firewall\SymSPort.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\Program Files\Apoint\HidFind.exeC:\WINDOWS\stsystra.exeC:\Program Files\Apoint\Apntex.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\Program Files\NetWaiting\netWaiting.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\BESECU~2\SYMANT~2\VPTray.exeO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-it Link to post Share on other sites More sharing options...
JeanInMontana Posted September 19, 2008 ID:28366 Share Posted September 19, 2008 Allow SBS&D to change what ever it wants. It is adding to your hosts file and that is what protects you from going to bad sites. You have two firewalls... not good .. Symantec or OnlineArmor...uninstall the other. Don't install new programs while we are cleaning please. Do install the one below. Uninstall one of the firewalls.You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here Java Update and install the correct version for your system. Choose the offline installation.TeaTimer should be off for this.Open SB S&D Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.Click on the Tools section and then Resident.You will see two items.1. Resident "SD helper" (Internet Explorer bad download blocker.) active2. Resident "Tea Timer" (Protection of over-all system settings.) active.Uncheck number 2..Leave number 1 checked always.You can enable Tea Timer again if you wish once all special fixes have been done.Run HJT in scan only and put a check next to all items below and click fix.O2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)O2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: rqRKCvTL - C:\WINDOWS\Reboot, Update MBAM run a quick scan post that log and a new HJT log please. Link to post Share on other sites More sharing options...
intel_outside Posted September 20, 2008 Author ID:28419 Share Posted September 20, 2008 Allow SBS&D to change what ever it wants. It is adding to your hosts file and that is what protects you from going to bad sites. You have two firewalls... not good .. Symantec or OnlineArmor...uninstall the other. Don't install new programs while we are cleaning please. Do install the one below. Uninstall one of the firewalls.You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here Java Update and install the correct version for your system. Choose the offline installation.TeaTimer should be off for this.Open SB S&D Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.Click on the Tools section and then Resident.You will see two items.1. Resident "SD helper" (Internet Explorer bad download blocker.) active2. Resident "Tea Timer" (Protection of over-all system settings.) active.Uncheck number 2..Leave number 1 checked always.You can enable Tea Timer again if you wish once all special fixes have been done.Run HJT in scan only and put a check next to all items below and click fix.O2 - BHO: (no name) - {8B50A1B5-8EF2-4AB0-B105-A06D61DB4D9F} - (no file)O2 - BHO: (no name) - {D000F365-B799-4FB3-BF36-66AB7AEE6836} - (no file)O2 - BHO: (no name) - {E8BCF159-49B9-496F-AB23-F727641F2468} - (no file)O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: rqRKCvTL - C:\WINDOWS\Reboot, Update MBAM run a quick scan post that log and a new HJT log please. I'm sorry. I few posts ago you said my log was clean and then had a whole list of helpful programs. I assumed it was OK to install one of those. Also, my Symantec Firewall is always disabled and I have no way to enable it. It is on "automatic" startup on services.msc and when I right click the icon on my taskbar all there is is a link for "about Symantec client firewall". I never uninstalled it because it came with the anitvirus program that I still use and update regularly. Should I just uninstall both Symantec Firewall and Antivirus? If so, I have "Symantec Client Security" and "Live Update 3.0" on my Add/Remove Programs List, should I remove both?I'll get to the Java and HJT log once I get the firewall issue squared away. Thanks! Link to post Share on other sites More sharing options...
intel_outside Posted September 20, 2008 Author ID:28425 Share Posted September 20, 2008 I also just remembered that when I used to live in the dorms, I was required to install "Be Secure 2006" and "Be Secure 2007" both of those are files in my "Program Files". Within each file is a file for Symantec Client Firewall. The 2007 subfile still has important looking files in there, but there is no direct Uninstall icon. There is also a file called "Symantec" in my Program Files which my cousin helped install for me before I went to the dorms and had to do the "Be Secure 2006" package. I don't actually know which one of these files, "Be Secure 2007" or "Symantec" corresponds to the one listed as "Symantec Client Security" on my Add/Remove Programs list. If this isn't something you deal with, I can ask someone else Link to post Share on other sites More sharing options...
JeanInMontana Posted September 20, 2008 ID:28437 Share Posted September 20, 2008 C:\Program Files\Be Secure 2007\Symantec Client Firewall\ISSVC.exe <========= bingo. I would get rid of all that Symantec crap. Avira is a good antivirus and runs well with MBAM. But I need you to follow the instructions. I thought you were clean... your getting reinfected we need to find why.Turn off TeaTimerRemove the lines I said and update MBAM, scan post the log and a new HJT. Link to post Share on other sites More sharing options...
intel_outside Posted September 23, 2008 Author ID:28752 Share Posted September 23, 2008 OK so, I've updated Java, deleted all the Symantec stuff (but haven't downloaded an anitvirus yet) and am just using Online Armor for my firewall. You didn't explicitly tell me to download an antivirus, so I haven't yet. here is the MBAM log and HJT log: Malwarebytes' Anti-Malware 1.28Database version: 1159Windows 5.1.2600 Service Pack 39/22/2008 5:12:35 PMmbam-log-2008-09-22 (17-12-35).txtScan type: Quick ScanObjects scanned: 60035Time elapsed: 7 minute(s), 48 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:14:40 PM, on 9/22/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\SCardSvr.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\WINDOWS\stsystra.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\NetWaiting\netWaiting.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-it Link to post Share on other sites More sharing options...
JeanInMontana Posted September 24, 2008 ID:28871 Share Posted September 24, 2008 You need an antivirus program. So how are things running? Do another update with MBAM and post the log, hopefully we are done with the nastiness. Link to post Share on other sites More sharing options...
intel_outside Posted September 26, 2008 Author ID:29113 Share Posted September 26, 2008 Everything has been running normally! (edit: MBAM found something ) I downloaded Avira and ran a scan, it found a couple things in System Volume Information: Begin scan in 'C:\'C:\hiberfil.sys [WARNING] The file could not be opened!C:\pagefile.sys [WARNING] The file could not be opened!C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0002648.exe [DETECTION] Contains recognition pattern of the WORM/Autorun.cxl worm [NOTE] The file was moved to '490b13aa.qua'!C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP9\A0000704.dll [DETECTION] Is the TR/Vundo.119808 Trojan [NOTE] The file was moved to '490b13b7.qua'!C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP9\A0000705.dll [DETECTION] Is the TR/Vundo.119808 Trojan [NOTE] The file was moved to '490b13c1.qua'!C:\WINDOWS\system32\drivers\OADriver.sys [WARNING] The file could not be opened!C:\WINDOWS\system32\drivers\OAmon.sys [WARNING] The file could not be opened!C:\WINDOWS\system32\drivers\oanet.sys [WARNING] The file could not be opened!C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened!I moved all of them to quarantine, so I haven't deleted them yet. Here is the latest MBAM... and it found something (after I ran the Avira)log: Malwarebytes' Anti-Malware 1.28Database version: 1208Windows 5.1.2600 Service Pack 39/25/2008 10:12:36 PMmbam-log-2008-09-25 (22-12-36).txtScan type: Quick ScanObjects scanned: 61044Time elapsed: 14 minute(s), 16 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 1Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\WINDOWS\system32\mC19 (Trojan.Agent) -> Quarantined and deleted successfully.Files Infected:(No malicious items detected)HJT: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:17:23 PM, on 9/25/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\SCardSvr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\Apoint\Apntex.exeC:\WINDOWS\stsystra.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\NetWaiting\netWaiting.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-it Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29374 Share Posted October 1, 2008 I will be taking over for Jean for now.That top scan is not an MB scan, what program is that from?For now ignore the _System Restore which is where that scanner is checking.Run MB and go to the UPDATE tab and update MB again and do another Quick Scan and let it fix anything it finds and reboot the computerThen run another HJT after the reboot and post back both of those logs. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29412 Share Posted October 1, 2008 Hi Intel_outside,Please post an update so we can finish this up. Link to post Share on other sites More sharing options...
intel_outside Posted October 2, 2008 Author ID:29494 Share Posted October 2, 2008 Hi Advances Setup,Sorry for the delayed response. The first log from the previous post was from Avira, my antivirus. Here are the logs you requested. MBAMMalwarebytes' Anti-Malware 1.28Database version: 1225Windows 5.1.2600 Service Pack 310/1/2008 7:34:45 PMmbam-log-2008-10-01 (19-34-45).txtScan type: Quick ScanObjects scanned: 61768Time elapsed: 9 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJTLogfile of Trend Micro HijackThis v2.0.2Scan saved at 7:46:30 PM, on 10/1/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\SCardSvr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Wave Systems Corp\Common\DataServer.exeC:\WINDOWS\system32\lkcitdl.exeC:\WINDOWS\system32\lkads.exeC:\WINDOWS\system32\lktsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\National Instruments\MAX\nimxs.exeC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\Program Files\National Instruments\Shared\Security\nidmsrv.exeC:\WINDOWS\system32\nisvcloc.exeC:\Program Files\National Instruments\Shared\Tagger\tagsrv.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Apoint\Apoint.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\WINDOWS\stsystra.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\TrojanHunter 5.0\THGuard.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Tall Emu\Online Armor\oaui.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\NetWaiting\netWaiting.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exeC:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=usR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installquietO4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,StartO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exeO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automountO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Bluetooth Manager.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exeO4 - Global Startup: Post-it Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 2, 2008 Root Admin ID:29503 Share Posted October 2, 2008 Okay the system logs look good aside from this one which I could not find conclusive information on it and the site it links to does not respond for me.I would remove this and if you need it then the next time your on a site that requires it your browser should automatically look for an update for it.Start HJT and do a Scan only and place a check mark on this itemO16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - hxxp://209.169.162.30/VatDec.cabThen click on Fix selectedThen go through this routine (which will remove those items that your Antivirus was not happy about) and take a look at the other products to see if they might be able to assist you in keeping your computer clean.You may want to also review all the items that are auto starting every time the computer starts, you have a LOT and that is surely slowing your computer way down.At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Spybot Search and Destroy 1.5.2Download it from here. Just choose a mirror and off you go.Find here the tutorial on how to use Spybot properly hereInstall SpyWare Blaster 4.1Download it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall MVPS Hosts File from hereThe MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.You can find a tutorial here : http://www.mvps.org/winhelp2002/hosts.htmUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comThe windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will soon close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Recommended Posts