Jime Posted November 15, 2008 ID:34865 Share Posted November 15, 2008 For about a month now I've been having a serious problem with XP Antivirus Protection 2009. Originally I was tricked by it, installed it, but later removed it and attempted to completely clean my drive with MalwareBytes Malware Remover. However, it continues to return over and over again, attempting to get me to re-install. At one point I thought I had fixed this merely because I had deleted some of the problematic files in Safe Mode. Sadly though, it has returned and I am once again dealing with this issue and getting rather frustrated.Generally what occurs is the process C:\WINDOWS\system32\sp085skV.exe.a_a pops up after a period of time, which slowly begins to open up hidden explorer windows(I notice these because it drops me out of whatever programs I'm running.) and then, eventually, so many explorer windows pop up on my screen that it somehow results in a re-start for my machine which then has XP Antivirus2k9 telling me about false positives and wanting an install again. No matter how many times I delete sp085skV it always re-appears, though deleting it means the process of XP Antivirus re-appearing is slowed.I have done everything that was asked in the stickies on this folder(Running Spybot S&D, MalwareBytes again, and getting logs from the 3 different scans and MBM. Here is the results of the logs.)MBAM:Scan type: Quick ScanObjects scanned: 64817Time elapsed: 5 minute(s), 57 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4HYVW12R\install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\sp085skV.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.ActiveScan from the Panda site:ANALYSIS: 2008-11-14 11:31:46PROTECTIONS: 1MALWARE: 24SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================Symantec Antivirus Corporate Edition 9.0 No Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@trafficmp[2].txt00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@doubleclick[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@247realmedia[1].txt00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[2].txt00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@mediaplex[2].txt00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@azjmp[2].txt00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@azjmp[2].txt00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@statcounter[1].txt00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@statcounter[1].txt00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@counter.hitslink[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@apmebf[1].txt00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@burstnet[1].txt00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@serving-sys[2].txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[1].txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@www.burstbeacon[2].txt00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@www.burstbeacon[1].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@questionmarket[2].txt00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@zedo[1].txt00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@bluestreak[2].txt00392144 Trj/Downloader.USY Virus/Trojan No 1 Yes No C:\WINDOWS\system32\237W5341.exe02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP630\A0250250.sys03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP635\A0256914.sys03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP635\A0256938.sys03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP651\A0262753.sys03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP630\A0250255.sys03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DA40DE85-14B8-48D9-AA43-9321316F9DBD}\RP635\A0254888.sysAnd finally, Hijack Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:04:32 PM, on 11/14/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeC:\Program Files\Common Files\AOL\ACS\AOLDial.exeC:\WINDOWS\system32\WDBtnMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\D-Tools\daemon.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exec:\program files\common files\aol\1139609344\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exec:\program files\common files\aol\1139609344\ee\aolsoftware.exeC:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Intel\IDU\IDUServ.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dllO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeO4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -RunO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifworkO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139462547224O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeO23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exeO23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeAny help would be GREATLY appreciated. Thanks guys. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 15, 2008 Root Admin ID:34888 Share Posted November 15, 2008 Please go ahead and delete that file again [C:\WINDOWS\system32\sp085skV.exe.a_a] then if you can, but at the same time try to delete this one too C:\WINDOWS\system32\237W5341.exeYour log for MBABM is missing part of it as well as part of HJT seems to be possibly missing. Please run MBAB go to the UPDATE tab and update the program then do another Quick Scan and post back that FULL log. Then run a HJT scan and save log.Then run this routine and report back.Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
Jime Posted November 15, 2008 Author ID:34950 Share Posted November 15, 2008 Thanks for the assistance.I want to note that there is also a file sp085skV.exe in my system32 folder(NOT sp085skV.exe.a_a, I deleted that one again as asked), should this sp085skV.exe be deleted as well?Also, I have posted logs with the FULL text they give me and can zip up those files too if you want in another post, but they are as posted. I am not leaving anything out, what it is giving me is what I am showing.MBAM LOG2:Malwarebytes' Anti-Malware 1.30Database version: 1399Windows 5.1.2600 Service Pack 211/15/2008 3:40:03 AMmbam-log-2008-11-15 (03-40-03).txtScan type: Quick ScanObjects scanned: 66006Time elapsed: 7 minute(s), 19 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Hijack 2nd log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:42:07 AM, on 11/15/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Intel\IDU\awtray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeC:\WINDOWS\system32\WDBtnMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\D-Tools\daemon.exec:\program files\common files\aol\1139609344\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exec:\program files\common files\aol\1139609344\ee\aolsoftware.exeC:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Intel\IDU\IDUServ.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dllO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeO4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -RunO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifworkO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139462547224O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeO23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exeO23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe--End of file - 9325 bytesI have sent the zipped log from GMER. Thanks again for the assistance.Gmerlog.zipGmerlog.zip Link to post Share on other sites More sharing options...
Raid Posted November 15, 2008 ID:34953 Share Posted November 15, 2008 Thanks for the assistance.I want to note that there is also a file sp085skV.exe in my system32 folder(NOT sp085skV.exe.a_a, I deleted that one again as asked), should this sp085skV.exe be deleted as well?I'm going to need more complete detailed information. Please follow the instructions below. The files it generates will be too big to paste into this reply window, so zip them both and attach as a file please.Always post complete logs. Any editing will likely cause the topic to be closed and no further assistance provided. Full logs are must, anything else wastes your time and ours.I need for you to download this program OTListIt.exe to your desktop.Close all applications and windows so that you have nothing open and are at your DesktopDouble-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)Click the Run Scan buttonNOTE: Please be patient and let the scan run without using the computerWhen the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)In Notepad, click Edit, Select all then Edit, CopyReply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.Submit your reply and close the Notepad window with OTList.txtAlso OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the windowIn Notepad, click Edit, Select all then Edit, CopyReply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me. Link to post Share on other sites More sharing options...
Jime Posted November 15, 2008 Author ID:34957 Share Posted November 15, 2008 Thank you again.As previously stated, I have given full logs each time a log has been requested. I am not here to waste time, just trying to fix my computer.Here is the logs you requested, in zipped format as asked.OTListItLogs.zipOTListItLogs.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 15, 2008 Root Admin ID:34961 Share Posted November 15, 2008 Thanks Jim we got the logs and will review and get back to you. Not sure what happened but these logs look to be full, thanks again. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 16, 2008 Root Admin ID:35086 Share Posted November 16, 2008 Please try to run this if you can. Just follow it's onscreen instructions.Requires access to a working computer with a CD/DVD burner to create a bootable CD.Avira AntiVir Rescue System - downloadAvira AntiVir Rescue SystemAvira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to: repair a damaged system, rescue data, scan the system for virus infections.Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. Link to post Share on other sites More sharing options...
Jime Posted November 16, 2008 Author ID:35098 Share Posted November 16, 2008 I ran Avira AntiVir Rescue Scan, unfortunately it did not come up with anything. Though it literally only took 1 second to scan, so I'm not sure if it is properly scanning my drive.However, today I deleted the 2nd sp085skV.exe(previously mentioned) and it has not reappeared within the last 2 hours so I am hoping that with running SpyBot, MBAM, and the removal of sp085skV.exe, sp085skV.exe.a_a and 237W5341.exe has removed all the damn files that continually restore themselves and try to infect my comp with XPAntiVirus 2009.Thanks for all the help thus far, if anything else occurs I will report back with findings. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 17, 2008 Root Admin ID:35212 Share Posted November 17, 2008 Hi JimPlease provide the OTLIST scan as that will hopefully let us know if there is still something there lurking.Important!All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.I also need for you to download this program OTListIt.exe to your desktop.Close all applications and windows so that you have nothing open and are at your DesktopDouble-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)Click the Run Scan buttonNOTE: Please be patient and let the scan run without using the computerWhen the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)In Notepad, click Edit, Select all then Edit, CopyReply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.Submit your reply and close the Notepad window with OTList.txtAlso OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the windowIn Notepad, click Edit, Select all then Edit, CopyReply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me. Link to post Share on other sites More sharing options...
Jime Posted November 17, 2008 Author ID:35234 Share Posted November 17, 2008 Here are the new OtlistIt logs. Thanks for checking up on this.OTlistitlog.zip.zipOTlistitlog.zip.zip Link to post Share on other sites More sharing options...
Raid Posted November 17, 2008 ID:35255 Share Posted November 17, 2008 No problem. I'm checking into a few things from your logs. So give me a bit of time.In the meantime, the logs indicate you have various bittorrent clients and an enterprise edition of office2007 installed. As enterprise is not normally used by homeowners, is this a corporate computer or have you... ehm, pirated office? Link to post Share on other sites More sharing options...
Jime Posted November 17, 2008 Author ID:35279 Share Posted November 17, 2008 No problem. I'm checking into a few things from your logs. So give me a bit of time.In the meantime, the logs indicate you have various bittorrent clients and an enterprise edition of office2007 installed. As enterprise is not normally used by homeowners, is this a corporate computer or have you... ehm, pirated office?At one point this computer was a business computer, when I was associated with a corporation that I am unfortunately no longer with. I currently use bit torrent to download various video files. Link to post Share on other sites More sharing options...
Raid Posted November 18, 2008 ID:35316 Share Posted November 18, 2008 At one point this computer was a business computer, when I was associated with a corporation that I am unfortunately no longer with. I currently use bit torrent to download various video files.Alrighty. Thanks for answering my question. Here's what I'd like for you to do:Please download and run the Trend Micro Sysclean Package on your computer.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup EngineMake sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1stBasically there are 3 parts that need to be downloaded from these links:Sysclean PackageVirus Pattern FilesSpyware Pattern FilesAs an example on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zipNOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.Create a brand new folder to copy these files to.As an example: C:\DCEThen open each of the zipped archive files and copy their contents to C:\DCECopy the file sysclean.com to the new folder C:\DCE as well.Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template. This tool supports the following features: o Terminate all detected malware/spyware instances in memory o Remove malware/spyware registry entries o Remove malware/spyware entries from system files o Scan for and delete all detected malware/spyware copies in all local drivesHow To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vistahttp://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx' rel="external nofollow"> Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 18, 2008 Root Admin ID:35358 Share Posted November 18, 2008 Please don't forget to upload the logs from the scan as well. Thanks. Link to post Share on other sites More sharing options...
Jime Posted November 18, 2008 Author ID:35383 Share Posted November 18, 2008 Please don't forget to upload the logs from the scan as well. Thanks.Seems there was a fair amount of spyware that was found and cleaned, but no viruses. Though it had alot of -94 errors when scanning for viruses, not sure what that Error implies but there were quite a few(Around 25?).Regardless, here is the log and I appreciate you guys continuing to help clean my system up.Syscleanlog.zip.zipSyscleanlog.zip.zip Link to post Share on other sites More sharing options...
Raid Posted November 18, 2008 ID:35432 Share Posted November 18, 2008 Great. Please provide a fresh hijackthis log. How is your computer running now? Link to post Share on other sites More sharing options...
Jime Posted November 18, 2008 Author ID:35451 Share Posted November 18, 2008 Great. Please provide a fresh hijackthis log. How is your computer running now?The computer is running pretty good. I haven't had a problem with the XP Antivirus for the past couple days now, so I'm hoping that's all over and done with. Here is the fresh Hijack log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:53:52 PM, on 11/18/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeC:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Intel\IDU\awtray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeC:\WINDOWS\system32\WDBtnMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\D-Tools\daemon.exeC:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\iPod\bin\iPodService.exec:\program files\common files\aol\1139609344\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exec:\program files\common files\aol\1139609344\ee\aolsoftware.exeC:\Program Files\Intel\IDU\IDUServ.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dllO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139609344\ee\AOLSoftware.exeO4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -RunO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifworkO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139462547224O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exeO23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exeO23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe--End of file - 9325 bytes Link to post Share on other sites More sharing options...
Raid Posted November 19, 2008 ID:35457 Share Posted November 19, 2008 The log looks good. Is IE surfing the web now? And is everything else as it should be?If so, I'll go ahead and close this thread. Link to post Share on other sites More sharing options...
Jime Posted November 19, 2008 Author ID:35458 Share Posted November 19, 2008 I use Firefox mostly for the web, but yes, everything seems to be running fine. I greatly appreciate all the help guys. Really great to have people who are winning to put forth this kind of effort to help others. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 19, 2008 Root Admin ID:35512 Share Posted November 19, 2008 Okay we'll close this thread then.You should update to Service Pack 3 and IE7 though as they offer better protection for your computer.At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Spybot Search and DestroyDownload it from here. Just choose a mirror and off you go.Find here the tutorial on how to use Spybot properly hereInstall SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Recommended Posts