map1983 Posted December 30, 2008 ID:43239 Share Posted December 30, 2008 I ran malwarebytes and was able to delete all infected files except for these. Here is my scan log. Any help would be greatly appreciated.Scan type: Full Scan (C:\|D:\|)Objects scanned: 167123Time elapsed: 32 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
nosirrah Posted December 30, 2008 ID:43246 Share Posted December 30, 2008 We are unable to tell if your updates are out of date , please update MBAM , perform a quick scan and post a full log file . Link to post Share on other sites More sharing options...
map1983 Posted December 30, 2008 Author ID:43256 Share Posted December 30, 2008 We are unable to tell if your updates are out of date , please update MBAM , perform a quick scan and post a full log file .I ran an update. Here are the logs you requested. The first one is right after the update and the second after I rebooted the computer. It looks like everything is gone. Malwarebytes' Anti-Malware 1.31Database version: 1571Windows 5.1.2600 Service Pack 312/29/2008 9:18:29 PMmbam-log-2008-12-29 (21-18-29).txtScan type: Quick ScanObjects scanned: 59254Time elapsed: 1 minute(s), 13 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 6Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\pbiaiy.dll (Trojan.Vundo) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{bd2412e2-1846-4c0a-b9f6-e385113ff25f} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd2412e2-1846-4c0a-b9f6-e385113ff25f} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd2412e2-1846-4c0a-b9f6-e385113ff25f} (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\pbiaiy.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\sliiagks.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner.YOUR-68B8D1092F\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.Second Log:Malwarebytes' Anti-Malware 1.31Database version: 1571Windows 5.1.2600 Service Pack 312/29/2008 9:24:52 PMmbam-log-2008-12-29 (21-24-52).txtScan type: Quick ScanObjects scanned: 59011Time elapsed: 2 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 30, 2008 Root Admin ID:43284 Share Posted December 30, 2008 Good, please restart the computer and then run MBAM again and go to the UPDATE tab and check for updates again and do another Quick Scan and fix anything found.Then restart the computer again and AFTER the restart run HJT scan and save log.Post back the MBAM and HJT logs please. Link to post Share on other sites More sharing options...
map1983 Posted December 30, 2008 Author ID:43437 Share Posted December 30, 2008 Good, please restart the computer and then run MBAM again and go to the UPDATE tab and check for updates again and do another Quick Scan and fix anything found.Then restart the computer again and AFTER the restart run HJT scan and save log.Post back the MBAM and HJT logs please.I'm at work right now, but I will do this when I get home and post the logs. Thanks for your help! Link to post Share on other sites More sharing options...
map1983 Posted December 30, 2008 Author ID:43549 Share Posted December 30, 2008 Good, please restart the computer and then run MBAM again and go to the UPDATE tab and check for updates again and do another Quick Scan and fix anything found.Then restart the computer again and AFTER the restart run HJT scan and save log.Post back the MBAM and HJT logs please.Here are the logs that you requested. Seems to be ok for now. Thanks for your help!Malwarebytes' Anti-Malware 1.31Database version: 1579Windows 5.1.2600 Service Pack 312/30/2008 3:08:49 PMmbam-log-2008-12-30 (15-08-49).txtScan type: Quick ScanObjects scanned: 59094Time elapsed: 2 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJT Log:MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Lexmark X6100 Series\lxbfbmgr.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\Lexmark X6100 Series\lxbfbmon.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ESET\ESET Smart Security\egui.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Intel\IntelDH\CCU\AlertService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\arservice.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\ESET\ESET Smart Security\ekrn.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\rsvp.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 30, 2008 Root Admin ID:43599 Share Posted December 30, 2008 The HJT log you posted is not the full log.Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup215.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner" Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.Click OK to any promptsYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.DO NOT reinstall any version of Java for right now, we can do that later on as needed.Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computer. AFTER the restart run HJT scan and save logPost back the new MBAM and full HJT logs as well as the JavaRa log. Link to post Share on other sites More sharing options...
map1983 Posted December 31, 2008 Author ID:43634 Share Posted December 31, 2008 The HJT log you posted is not the full log.Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup215.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner" Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.Click OK to any promptsYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.DO NOT reinstall any version of Java for right now, we can do that later on as needed.Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computer. AFTER the restart run HJT scan and save logPost back the new MBAM and full HJT logs as well as the JavaRa log.Here are the logs you requested.JavaRa 1.13 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Tue Dec 30 20:38:33 2008Found and removed: C:\Program Files\Java\jre1.5.0_02Found and removed: C:\Program Files\Java\jre1.5.0_10Found and removed: Software\JavaSoft\Java2D\1.5.0_02Found and removed: Software\JavaSoft\Java2D\1.5.0_03Found and removed: Software\JavaSoft\Java2D\1.5.0_10Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510002Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D511000Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D511000Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510002Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D511000Found and removed: SOFTWARE\Classes\JavaPlugin.150_02Found and removed: SOFTWARE\Classes\JavaPlugin.150_10Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_02Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_10Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_02Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_10Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510002Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D511000Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510002Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D511000Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150020}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150100}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610002Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610002Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002Found and removed: SOFTWARE\Classes\JavaPlugin.160_02Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_02Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_02Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610002Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610002Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_02Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_10Found and removed: Software\Classes\JavaPlugin.160_02Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_02Found and removed: Software\JavaSoft\Java2D\1.6.0_02Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_02Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_02\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_10\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\bin\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zipFound and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zipFound and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip------------------------------------Finished reporting.Malwarebytes' Anti-Malware 1.31Database version: 1580Windows 5.1.2600 Service Pack 312/30/2008 8:43:41 PMmbam-log-2008-12-30 (20-43-41).txtScan type: Quick ScanObjects scanned: 59145Time elapsed: 1 minute(s), 11 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:47:09 PM, on 12/30/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\Program Files\Intel\IntelDH\CCU\AlertService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\arservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\ESET\ESET Smart Security\ekrn.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\ARPWRMSG.EXEC:\Program Files\Lexmark X6100 Series\lxbfbmgr.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\Lexmark X6100 Series\lxbfbmon.exeC:\Program Files\ESET\ESET Smart Security\egui.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\WINDOWS\system32\rsvp.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://steelers.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER3 - URLSearchHook: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: (no name) - {54EEC4BC-A8D2-4EAC-BE76-DCE359911677} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /keeploaded /nodetectO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXEO4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitserviceO4 - HKCU\..\Run: [Power2GoExpress] NAO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [Power2GoExpress] NA (User 'IUSR_NMPR')O4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'IUSR_NMPR')O4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Gamma Loader.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cabO20 - AppInit_DLLs: pbiaiy.dllO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exeO23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe--End of file - 10182 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 31, 2008 Root Admin ID:43714 Share Posted December 31, 2008 Please note the Holidays are here and I may be unavailable for a few days or more. Please be patient, I've not forgotten you and will resume assistance when I returnMany of the other helpers are also visiting Family and Friends so please be patient.Please Download OTMoveIt3 by Old Timer and save it to your Desktop.Double-click OTMoveIt3.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.NOW please reboot your computer to finish the cleanup process and post back the log from OTMoveIt3Try downloading a new version of JavaRa from the FRANCE mirror of Sourceforge - you still have old versions of Java(you will have to manually select it) the version you have doesn't appear to be the new one.Also check in the ADDITIONAL Settings and choose the TOP 5 items and check them off and click GO.Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.Also you have something blocking the HJT REGISTRY changes. It might be AVG or some other product you have installed.You need to disable any tools that might be blocking the Registry changes and run the previous HJT changes I've already posted before.Try running this AntiVirus tool while I'm away to see if it can cleanup some of it.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.I might not be able to get back with you on this for a few days, please be patient. Link to post Share on other sites More sharing options...
map1983 Posted January 1, 2009 Author ID:43963 Share Posted January 1, 2009 Please note the Holidays are here and I may be unavailable for a few days or more. Please be patient, I've not forgotten you and will resume assistance when I returnMany of the other helpers are also visiting Family and Friends so please be patient.Please Download OTMoveIt3 by Old Timer and save it to your Desktop.Double-click OTMoveIt3.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.NOW please reboot your computer to finish the cleanup process and post back the log from OTMoveIt3Try downloading a new version of JavaRa from the FRANCE mirror of Sourceforge - you still have old versions of Java(you will have to manually select it) the version you have doesn't appear to be the new one.Also check in the ADDITIONAL Settings and choose the TOP 5 items and check them off and click GO.Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.Also you have something blocking the HJT REGISTRY changes. It might be AVG or some other product you have installed.You need to disable any tools that might be blocking the Registry changes and run the previous HJT changes I've already posted before.Try running this AntiVirus tool while I'm away to see if it can cleanup some of it.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.I might not be able to get back with you on this for a few days, please be patient.Here are the logs you requested:Dr. Web cure it GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Moved.;stream019\data025;C:\WINDOWS\Downloaded Installations\{9DCDAF6A-19AB-4500-9DD7-FF20F3C629FE}\SETUP_ALL.msi\stream019;Adware.Gdown;;stream019;C:\WINDOWS\Downloaded Installations\{9DCDAF6A-19AB-4500-9DD7-FF20F3C629FE}\SETUP_ALL.msi;Archive contains infected objects;;SETUP_ALL.msi;C:\WINDOWS\Downloaded Installations\{9DCDAF6A-19AB-4500-9DD7-FF20F3C629FE};Archive contains infected objects;Moved.;stream007\data025;C:\WINDOWS\Installer\107bf.msi\stream007;Adware.Gdown;;stream007;C:\WINDOWS\Installer\107bf.msi;Archive contains infected objects;;107bf.msi;C:\WINDOWS\Installer;Archive contains infected objects;Moved.;GTDownIN_119.ocx;C:\WINDOWS\system32;Adware.Gdown;Moved.;aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App00577\comps\coach\aolcinst.exe;Adware.Gdown;;aolcinst.exe;D:\i386\Apps\App00577\comps\coach;Archive contains infected objects;Moved.;A0000302.exe\core.cab\GTDOWNAO_106.ocx;D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000302.exe;Adware.Gdown;;A0000302.exe;D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3;Archive contains infected objects;Moved.;otmoveit3File/Folder avenger.zip not found.File/Folder avenger.exe not found.File/Folder Avenger not found.File/Folder avenger.txt not found.File/Folder bfu.zip not found.File/Folder BFU not found.File/Folder combofix.exe not found.File/Folder Combo-Fix.sys not found.File/Folder ComboFix not found.File/Folder erdnt\subs not found.File/Folder QooBox not found.File/Folder ComboFix*.txt not found.Service not present: catchme.File/Folder catchme.exe not found.File/Folder fdsv.exe not found.File/Folder grep.exe not found.File/Folder moveex.exe not found.File/Folder nircmd.exe not found.File/Folder sed.exe not found.File/Folder swreg.exe not found.File/Folder Swsc.exe not found.File/Folder Swxcacls.exe not found.File/Folder VFind.exe not found.File/Folder WS2Fix.exe not found.File/Folder zip.exe not found.File/Folder tmp.reg not found.File/Folder dss.exe not found.File/Folder Deckard not found.File/Folder deljob.exe not found.File/Folder deljob not found.File/Folder logit.txt not found.File/Folder FindAWF.exe not found.File/Folder AWF.txt not found.File/Folder fixwareout.exe not found.File/Folder fixwareout not found.File/Folder fsbl.exe not found.File/Folder fsbl*.log not found.File/Folder gmer.exe not found.File/Folder gmer.dll not found.File/Folder gmer.ini not found.File/Folder gmer.log not found.File/Folder gmer_uninstall.cmd not found.File/Folder gmer.sys not found.Service not present: gmer.File/Folder haxfix.exe not found.File/Folder haxfix.txt not found.File/Folder killbox.exe not found.File/Folder !Killbox not found.File/Folder NoLop.exe not found.File/Folder NoLop.txt not found.File/Folder NoLopOLD.txt not found.File/Folder delete.bat not found.File/Folder OTListIt.exe not found.File/Folder OTListIt.txt not found.File/Folder Extras.txt not found.File/Folder OTMoveIt.exe not found.File/Folder OTMoveIt2.exe not found.File delete failed. C:\Program Files\Virus Software\OTMoveIt3.exe scheduled to be deleted on reboot.File delete failed. C:\Program Files\Virus Software\OTMoveIt3.exe scheduled to be deleted on reboot.JavaRa 1.13 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Wed Dec 31 17:18:13 2008------------------------------------Finished reporting.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:46:24 PM, on 12/31/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\Program Files\Intel\IntelDH\CCU\AlertService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\arservice.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\ESET\ESET Smart Security\ekrn.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\rsvp.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\WINDOWS\ARPWRMSG.EXEC:\Program Files\Lexmark X6100 Series\lxbfbmgr.exeC:\Program Files\Lexmark X6100 Series\lxbfbmon.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ESET\ESET Smart Security\egui.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://steelers.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER3 - URLSearchHook: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: (no name) - {54EEC4BC-A8D2-4EAC-BE76-DCE359911677} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /keeploaded /nodetectO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXEO4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitserviceO4 - HKCU\..\Run: [Power2GoExpress] NAO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [Power2GoExpress] NA (User 'IUSR_NMPR')O4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'IUSR_NMPR')O4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Gamma Loader.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cabO20 - AppInit_DLLs: pbiaiy.dllO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exeO23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe--End of file - 9999 bytesI think that's it for now. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 1, 2009 Root Admin ID:43971 Share Posted January 1, 2009 Well logged on from my friends house. Seems the scanners are still missing a file.Start HJT and do a Scan Only and place a check mark on the following item.O20 - AppInit_DLLs: pbiaiy.dllThen click on Fix checked then quit HJTThen start MBAM and go to the UPDATE tab and update the program and do a Quick Scan and fix anything found.RESTART the computer and AFTER the reboot start HJT and do Scan and save log.Post back both MBAM and HJT logs.Yes when I get back an on my own computer we can review stuff and stop a lot of those programs from loading. They're normal most of them and not related to any infection, just how computers work in general. Link to post Share on other sites More sharing options...
map1983 Posted January 1, 2009 Author ID:44008 Share Posted January 1, 2009 Well logged on from my friends house. Seems the scanners are still missing a file.Start HJT and do a Scan Only and place a check mark on the following item.O20 - AppInit_DLLs: pbiaiy.dllThen click on Fix checked then quit HJTThen start MBAM and go to the UPDATE tab and update the program and do a Quick Scan and fix anything found.RESTART the computer and AFTER the reboot start HJT and do Scan and save log.Post back both MBAM and HJT logs.Yes when I get back an on my own computer we can review stuff and stop a lot of those programs from loading. They're normal most of them and not related to any infection, just how computers work in general.I will do the scans when I get home from work. I really appreciate all of your help! My computer is working much better. Link to post Share on other sites More sharing options...
map1983 Posted January 2, 2009 Author ID:44137 Share Posted January 2, 2009 I will do the scans when I get home from work. I really appreciate all of your help! My computer is working much better.Here are the logs.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:50:59 PM, on 1/1/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\Explorer.EXEC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Lexmark X6100 Series\lxbfbmgr.exeC:\Program Files\Lexmark X6100 Series\lxbfbmon.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ESET\ESET Smart Security\egui.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Intel\IntelDH\CCU\AlertService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\arservice.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\ESET\ESET Smart Security\ekrn.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeC:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\rsvp.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://steelers.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GM5266ER3 - URLSearchHook: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: (no name) - {54EEC4BC-A8D2-4EAC-BE76-DCE359911677} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: (no name) - {3b5aaea6-ae6d-45ab-a626-99ac24fd105b} - (no file)O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /keeploaded /nodetectO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXEO4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitserviceO4 - HKCU\..\Run: [Power2GoExpress] NAO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [Power2GoExpress] NA (User 'IUSR_NMPR')O4 - HKUS\S-1-5-21-2526031092-4069878275-2214655276-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'IUSR_NMPR')O4 - Startup: PowerReg Scheduler V3.exeO4 - Global Startup: Adobe Gamma Loader.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exeO23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe--End of file - 9940 bytesMalwarebytes' Anti-Malware 1.31Database version: 1591Windows 5.1.2600 Service Pack 31/1/2009 7:42:45 PMmbam-log-2009-01-01 (19-42-45).txtScan type: Quick ScanObjects scanned: 69637Time elapsed: 5 minute(s), 35 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 4, 2009 Root Admin ID:44658 Share Posted January 4, 2009 Well the logs look good, and MBAM did not detect anything at this time.How is the system running? Is there any sign of an infection still? Link to post Share on other sites More sharing options...
map1983 Posted January 4, 2009 Author ID:44768 Share Posted January 4, 2009 Well the logs look good, and MBAM did not detect anything at this time.How is the system running? Is there any sign of an infection still?Everything is running great with no signs of infection. Do I need to load a newer version of java now. Thanks for all the help! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 5, 2009 Root Admin ID:44993 Share Posted January 5, 2009 That's great news, as for Java, that's up to you. Most sites do not require Java, but some do and won't operate properly without it.Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerAt this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Spybot Search and DestroyDownload it from here. Just choose a mirror and off you go.Find here the tutorial on how to use Spybot properly hereInstall SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comThe windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org. Link to post Share on other sites More sharing options...
Recommended Posts