Jump to content

helper.sig on start-up


Recommended Posts

Hi,

I'm getting add pop-ups and other mysterious problems, like I can no longer sign on to AOL. I would sincerely appreciate any help you can give me.

Thanks in advance,

Dan

Malwarebytes' Anti-Malware 1.31

Database version: 1537

Windows 5.1.2600 Service Pack 3

12/23/2008 2:59:48 PM

mbam-log-2008-12-23 (14-59-48).txt

Scan type: Quick Scan

Objects scanned: 91270

Time elapsed: 44 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 27

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ddcYoPIY.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\urqOExwU.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\vletrr.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqoexwu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f73f493a-632a-44b5-a638-18e6d4be76b5} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{f73f493a-632a-44b5-a638-18e6d4be76b5} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7aab06b-1cb2-4880-94d9-aae990a6739b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f7aab06b-1cb2-4880-94d9-aae990a6739b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f7aab06b-1cb2-4880-94d9-aae990a6739b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f73f493a-632a-44b5-a638-18e6d4be76b5} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c8a568e-4201-478a-8536-526cf371d2e2} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac6fccf3 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddcyopiy -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcyopiy -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\urqOExwU.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ddcYoPIY.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\YIPoYcdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\YIPoYcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vletrr.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wpv391229907443.cpx (Adware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wmlfriyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Laura\l.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZWQ52MJ7\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\baibdcso.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pjjisjyb.dll (Trojan.Vundo) -> Delete on reboot.

C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-23 17:45:41

PROTECTIONS: 2

MALWARE: 68

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee Internet Security Suite 2007 8.1 No Yes

McAfee VirusScan Plus 12.1 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@trafficmp[1].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@trafficmp[2].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@trafficmp[1].txt

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@trafficmp[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@casalemedia[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@casalemedia[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@doubleclick[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@atdmt[3].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@atdmt[2].txt

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@tradedoubler[2].txt

00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@tradedoubler[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@247realmedia[1].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@247realmedia[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@fastclick[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@fastclick[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@tribalfusion[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@tribalfusion[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@mediaplex[2].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@linksynergy[1].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@linksynergy[2].txt

00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@linksynergy[2].txt

00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@anm.co[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@clickbank[1].txt

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@clickbank[1].txt

00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@maxserving[1].txt

00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@ccbill[2].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@revenue[2].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@revenue[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@com[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@yadro[2].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@xiti[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@xiti[1].txt

00167730 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@ehg.hitbox[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@azjmp[1].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@toplist[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@statcounter[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@statcounter[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@perf.overture[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@apmebf[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@apmebf[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@burstnet[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@burstnet[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@burstnet[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@bs.serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@bs.serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@www.burstbeacon[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@www.burstbeacon[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@www.burstbeacon[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@adtech[1].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@adtech[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@server.iad.liveperson[2].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@server.iad.liveperson[2].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@stat.onestat[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@advertising[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@media.adrevolver[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@media.adrevolver[1].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@statse.webtrendslive[1].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@statse.webtrendslive[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@ads.pointroll[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@ads.pointroll[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@ads.pointroll[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@overture[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@overture[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@realmedia[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@realmedia[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@zedo[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@zedo[2].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@zedo[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@bluestreak[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@bluestreak[1].txt

00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@phg.hitbox[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@adrevolver[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@adrevolver[1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@bravenet[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@go[2].txt

00199981 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@www48.seeq[1].txt

00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@valueclick[1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@searchportal.information[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@target[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@target[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@target[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@did-it[2].txt

00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@adviva[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@atwola[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel\Cookies\daniel@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@atwola[2].txt

00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@smartadserver[2].txt

00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@cgi-bin[1].txt

00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@ehg-dig.hitbox[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@ads.addynamix[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@ads.addynamix[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@ads.addynamix[1].txt

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@enhance[1].txt

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Spencer\Cookies\spencer@enhance[2].txt

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@enhance[2].txt

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Laura\Cookies\laura@adserver.easyad[1].txt

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Ian\Cookies\ian@adserver.easyad[1].txt

02800612 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Daniel\Local Settings\Temp\Temporary Directory 1 for power dvd (uncensored).zip\setup.exe[

mbam_log_2008_12_23__14_59_48_.txt

ActiveScan.txt

mbam_log_2008_12_23__14_59_48_.txt

ActiveScan.txt

Link to post
Share on other sites

  • Root Admin

Please note the Holidays are approaching and I may be unavailable for a couple days.

Please be patient, I've not forgotten you and will resume assistance when I return

Close down all applications and browsers, including the one you're reading this with so that the fixes can be completed.

STEP 01

Start HJT and do a Scan only and place a check mark on the following items
  • O20 - AppInit_DLLs: ttakxw.dll

    Then click on
    Fix checked

STEP 02

Please upload the following files for review
here

C:\WINDOWS\system32\ttakxw.dll

STEP 03

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download
JavaRa
and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on
    JavaRa.exe
    to start the program.
  • From the drop-down menu, choose
    English
    and click on
    Select
    .

  • JavaRa will open; click on
    Remove Older Versions
    to remove the older versions of Java installed on your computer.

  • Click
    Yes
    when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click
    OK
    .

  • A logfile will pop up. Please save it to a convenient location.

Update Java Runtime

The most current version of Sun Java is:
Java Runtime Environment (JRE) 6 Update 11
.
  • Go to
    http://java.sun.com/javase/downloads/index.jsp
  • Go to
    Java Runtime Environment (JRE) 6 Update 11
    about half way down the page and click on the
    Download
    button.

  • In Platform box choose Windows.

  • Check the box to
    Accept License Agreement
    and click Continue.

  • Click on
    Windows Offline Installation,
    click on the link under it which says
    jre-6u11-windows-i586-p.exe
    and save the downloaded file to your desktop.

  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.

  • Uncheck the Toolbar button (unless you want the toolbar)

  • Reboot your computer

STEP 04

    Download and install
    CCleaner
  • CCleaner


  • Double-click on the downloaded file "ccsetup213.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close
    ALL PROGRAMS

  • Start the
    CCleaner
    program.

  • Click on
    Registry
    and
    Uncheck
    Registry Integrity so that it does not run

  • Click on
    Options
    -
    Advanced
    and
    Uncheck
    "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to
    Cleaner
    and click on the
    Run Cleaner
    button on the bottom right side of the program.

  • Click OK to any prompts


STEP 05

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware

    • Update Malwarebytes' Anti-Malware
    • Select the
      Update
      tab

    • Click
      Update

    [*]
    When the update is complete, select the
    Scanner
    tab

    [*]
    Select
    Perform quick scan
    , then click
    Scan
    .

    [*]
    When the scan is complete, click
    OK
    , then
    Show Results
    to view the results.

    [*]
    Be sure that everything is checked, and click
    Remove Selected
    .

    [*]
    When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\
      mbam-log-date (time).txt

STEP 06

Reboot the computer and after the reboot run HJT scan and save the log.

Post back the most recent MBAM and HJT logs
Link to post
Share on other sites

OK, I followed the instructions as best I could. I've included the new MBAM and HJT logs. A few comments: Java said I already had the latest JRE 6-11 software but I replaced it anyway. Step 3 is a bit confusing. It seems to indicate that I am downloading two different Java softwares. Am I really just updating Java Runtime Environment (JRE 6 update 11) or did I goof? 2) When running CC cleaner, your instructions say "Click on Registry and uncheck Registry Integrity so that it does not run" . I cannot see how to "uncheck Registry Integrity". There is a list of items that come up so I unchecked all of them. I hope that was correct.

Thanks again for your help. I'd be lost without you. Happy Holidays to you!

Dan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:46:53 AM, on 12/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\umonit.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe

c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AOL 9.1\shellmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.com/http://usabhemama14.m...om/iNotes6W.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bl137fd.blu137.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/Imag...30.0-080212.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...460/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {c6e3daf3-cab6-46b3-baf0-6b42b13c9e01} - C:\WINDOWS\system32\mst120.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Laura/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg

--

End of file - 10115 bytes

Malwarebytes' Anti-Malware 1.31

Database version: 1540

Windows 5.1.2600 Service Pack 3

12/24/2008 7:41:54 AM

mbam-log-2008-12-24 (07-41-54).txt

Scan type: Quick Scan

Objects scanned: 92110

Time elapsed: 39 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ttakxw.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74dff64b-ad01-42a5-923c-8f0ff49859c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{74dff64b-ad01-42a5-923c-8f0ff49859c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{74dff64b-ad01-42a5-923c-8f0ff49859c5} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ttakxw.dll (Trojan.Vundo.H) -> Delete on reboot.

Link to post
Share on other sites

  • Root Admin

Please note the Holidays are approaching and I may be unavailable for a couple days or more.

Please be patient, I've not forgotten you and will resume assistance when I return

Something doesn't look right here...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:46:53 AM, on 12/24/2008

Malwarebytes' Anti-Malware 1.31

12/24/2008 7:41:54 AM

Time elapsed: 39 minute(s), 28 second(s)

If it took MBAM almost 40 minutes to complete a Quick Scan how could you run HJT within 4 minutes of MBAM ?

Please restart the computer. Run MBAM and update it to the latest version and do another Quick Scan, fix anything found an REBOOT the computer.

Then, AFTER the reboot run HJT and post back both logs. MBAM first, then HJT in that order please.

As for the JAVA, yes you already had the latest version but you also had multiple older versions still installed. Using the JavaRA program should allow you to remove ALL of those versions. For now just remove all Java, you shouldn't need it for now and can install it again later on.

You should also remove your old version of Adobe Acrobat Reader which shows as version 7 and Adobe is now at version 9. The older versions had code that was more susceptible to attack that has since been fixed.

Link to post
Share on other sites

ok..Here's the solution. I got it on this site from a guy named 'AdvancedSetup.' I am forever grateful to his posting. I tried a million different things but this was simple and best of all....it worked. The trick is as follows:

1. click on 'start', click 'run', and then type: devmgmt.msc and click OK

2. On the View menu click on: Show hidden devices

3. Browse to: Non-Plug and Play Drivers until you find TDSSserv.sys

4. Highlight that driver and right click on it and select DISABLE

5. Restart your computer.

6. Download a copy of Malwarebytes but do not run it yet.

7. Rename the downloaded installer file to any generic name (it could be your own name) but keep the .EXE extension on the file...... Now you can run it.

8. Once the program is installed go to the UPDATE tab and try to update the program if you can.

9. Then go to SCANNER and run a Quick Scan and .... voila! Virus destroyed!

The key step that everyone missed was disabling the TDSSserv.sys, whatever the heck that is. Another thing you might try after step 5 above if you are still having a problem opening the downloaded Malwarebytes is to download it to a good computer and store it on a flash drive. Then attach the flash drive to the bad pc and run the program off the flash drive.

Whoever created this virus should be locked up for life!

Link to post
Share on other sites

AdvancedSetup, You are right, something is wrong with those log times. I really can't explain them and don't recall the details of how I ran them except that I sure didn't run them at the same time, which is what the logs seem to indicate. Any comments on the suggestions by sagent99? Sounds interesting and he/she attributes them to you, but of course, I won't do anything until I hear back from you. I'll be away from my problem PC for a few days so things will be on hold till I get back. Thanks again for the help.

Dan

Sagent99, Thanks for the tip. I hope that turns out to be the fix since it sounds pretty straight forward to fix.

Dan

Link to post
Share on other sites

  • Root Admin

That was for a variant that was blocking MBAM from running which is not your case.

I will be out of Town until Monday but I'll assist you further when I return. If you get back before then you can run the following please.

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Then run this...

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the restart run a new HJT scan and save log.

Post back ALL the logs and I'll assist you further on Monday when I return.

Merry Christmas

Link to post
Share on other sites

I hope you had a Merry Christmas. I followed those steps and here are the latest logs. The Dr. Web Cureit sure found all sorts of stuff. I attached the log file since I could not open it and cut and paste it in to the text. Thanks again for your help.

Dan

Malwarebytes' Anti-Malware 1.31

Database version: 1550

Windows 5.1.2600 Service Pack 3

12/28/2008 7:20:04 PM

mbam-log-2008-12-28 (19-20-04).txt

Scan type: Full Scan (C:\|)

Objects scanned: 195294

Time elapsed: 2 hour(s), 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:04:11 AM, on 12/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\umonit.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe

c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe

C:\Program Files\AOL 9.1\shellmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.com/http://usabhemama14.m...om/iNotes6W.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bl137fd.blu137.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/Imag...30.0-080212.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...460/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {c6e3daf3-cab6-46b3-baf0-6b42b13c9e01} - C:\WINDOWS\system32\mst120.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Laura/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg

--

End of file - 10176 bytes

Link to post
Share on other sites

  • Root Admin

Start HJT and do a Scan only and place a check mark on the following items

O8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS

Then click on "Fix checked"

Your Java appears to be out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download
JavaRa
and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on
    JavaRa.exe
    to start the program.
  • From the drop-down menu, choose
    English
    and click on
    Select
    .

  • JavaRa will open; click on
    Remove Older Versions
    to remove the older versions of Java installed on your computer.

  • Click
    Yes
    when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click
    OK
    .

  • A logfile will pop up. Please save it to a convenient location.

Update Java Runtime

The most current version of Sun Java is:
Java Runtime Environment (JRE) 6 Update 11
.
  • Go to
    http://java.sun.com/javase/downloads/index.jsp
  • Go to
    Java Runtime Environment (JRE) 6 Update 11
    about half way down the page and click on the
    Download
    button.

  • In Platform box choose Windows.

  • Check the box to
    Accept License Agreement
    and click Continue.

  • Click on
    Windows Offline Installation,
    click on the link under it which says
    jre-6u11-windows-i586-p.exe
    and save the downloaded file to your desktop.

  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.

  • Uncheck the Toolbar button (unless you want the toolbar)

  • Reboot your computer

Then restart the computer and update MBAM again and do another Quick Scan and fix anything found.

Then if anything was found, restart the computer again and run HJT scan and save log after the reboot.

Post back both MBAM and HJT logs.

Let me know how the computer is running now and if there are still any indications of an infection or not.
Link to post
Share on other sites

I think I finally got the old version of Java removed. The only odd symptom I have now is a file called "Common" that always is open at start up. It contains two items, one titled "_helper.sig" and one titled "helper.sig". Otherwise, things seem to be running properly. I'll use my PC today and give you some feedback later. Thanks again for all your help.

Dan

Malwarebytes' Anti-Malware 1.31

Database version: 1574

Windows 5.1.2600 Service Pack 3

12/30/2008 8:44:12 AM

mbam-log-2008-12-30 (08-44-12).txt

Scan type: Quick Scan

Objects scanned: 73231

Time elapsed: 17 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:45:25 AM, on 12/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\umonit.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe

c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\AOL 9.1\shellmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.com/http://usabhemama14.m...om/iNotes6W.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bl137fd.blu137.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/Imag...30.0-080212.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...460/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {c6e3daf3-cab6-46b3-baf0-6b42b13c9e01} - C:\WINDOWS\system32\mst120.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Laura/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg

--

End of file - 10141 bytes

Link to post
Share on other sites

  • Root Admin

It still looks like you may have some pieces of the old java

Please download a NEW copy of JavaRa as it was updated again recently

Run that again and remove ALL old versions, but DO NOT install any new version just yet.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Click on START -> CONTROL PANEL -> Display -> Desktop -> Customize Desktop... -> Web tab

Then uncheck and delete everything you find in there (except for "My Current Home Page")

Remove the checkmark from the the Lock Desktop Items box if it is checked.

Click OK and Exit the Display properties.

Please start HJT and do a Scan Only and place a check mark on the following entries

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Laura/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg

Then click on "Fix checked"

    Download and install CCleaner
  • CCleaner


  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close
    ALL PROGRAMS

  • Start the
    CCleaner
    program.

  • Click on
    Registry
    and
    Uncheck
    Registry Integrity so that it does not run

  • Click on
    Options
    -
    Advanced
    and
    Uncheck
    "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to
    Cleaner
    and click on the
    Run Cleaner
    button on the bottom right side of the program.

  • Click OK to any prompts


RESTART your computer now.

After the restart update MBAM again.

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART your computer again and AFTER the restart run HJT scan and save log

Post back MBAM and HJT logs as well as the JavaRa log you saved earlier.

Link to post
Share on other sites

Hi,

Here are the latest logs after completeing the above. The only symptom I'm seeing now is the strange folder named "common" that I see at start-up as I mention in my earlier post.

Thanks again!

Malwarebytes' Anti-Malware 1.31

Database version: 1579

Windows 5.1.2600 Service Pack 3

12/30/2008 5:54:26 PM

mbam-log-2008-12-30 (17-54-26).txt

Scan type: Quick Scan

Objects scanned: 73667

Time elapsed: 20 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:20:05 PM, on 12/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\umonit.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe

c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\AOL 9.1\shellmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.com/http://usabhemama14.m...om/iNotes6W.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bl137fd.blu137.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/Imag...30.0-080212.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...460/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {c6e3daf3-cab6-46b3-baf0-6b42b13c9e01} - C:\WINDOWS\system32\mst120.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9965 bytes

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Dec 30 07:59:25 2008

Found and removed: C:\Program Files\Java\jre1.5.0_07

Found and removed: C:\Program Files\Java\jre1.5.0_09

Found and removed: C:\Program Files\Java\jre1.5.0_10

Found and removed: C:\Program Files\Java\jre1.5.0_11

Found and removed: C:\Program Files\Java\jre1.6.0_01

Found and removed: C:\Program Files\Java\jre1.6.0_02

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: C:\Program Files\Java\jre1.6.0_05

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_07\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_09\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_10\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_11\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_01.b06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Dec 30 08:00:32 2008

------------------------------------

Finished reporting.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Dec 30 16:14:13 2008

------------------------------------

Finished reporting.

Link to post
Share on other sites

  • Root Admin

Please note the Holidays are here and I may be unavailable for a few days or more.

Please be patient, I've not forgotten you and will resume assistance when I return

Many of the other helpers are also visiting Family and Friends so please be patient.

If you can't wait for me to get back and have more time with this please look at one of these utilities which can more graphically show you what is launching at startup. Be careful though and don't delete any entries unless your 100% certain of what you're doing.

Runscanner

http://www.runscanner.net/

AutoRuns

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

If you can wait then I'll assist you when I get back and have more free time.

Link to post
Share on other sites

Hi,

Here are the runscanner results. What do you think?

Thanks,

Dan

Runscanner logfile http://www.runscanner.net

* = signed file

- = file not found

General info

------------

Computer name : ASUS-A8N-SLI

Creation time : 1/3/2009 3:37:43 PM

Hosts <> 127.0.0.1 : 0

Hosts file location : %SystemRoot%\System32\drivers\etc

IE version : 7.0.5730.13

OS : Microsoft Windows XP

OS Build : 2600

OS SP : Service Pack 3

RunScanner Version : 1.7.0.0

User Language : English (United States)

User rights : Administrator

Windows folder : C:\WINDOWS

Running processes

-----------------

* C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)

* C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe (AOL LLC)

* C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)

* C:\Program Files\AOL 9.1\waol.exe (AOL, LLC.)

* C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe (AOL LLC)

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)

* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)

* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)

* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

C:\WINDOWS\system32\umonit.exe (General)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe (AOL LLC)

* C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

* C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)

C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)

* C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)

* C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)

* C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

* c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (McAfee, Inc.)

* C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

* c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee, Inc.)

* C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

* C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (McAfee, Inc.)

* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

* C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (McAfee, Inc.)

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

* C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

* C:\WINDOWS\system32\RUNDLL32.EXE (Microsoft Corporation)

* C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)

* C:\DOCUME~1\Laura\LOCALS~1\Temp\Temporary Directory 1 for runscanner.zip\RunScanner.exe (Runscanner.net)

* C:\WINDOWS\system32\services.exe (Microsoft Corporation)

* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)

* C:\Program Files\AOL 9.1\shellmon.exe (AOL, LLC.)

* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)

* c:\windows\System32\smss.exe (Microsoft Corporation)

Unrated items

-------------

002 * C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)

002 * C:\Program Files\Common Files\AOL\1151114637\ee\AOLSoftware.exe (AOL LLC)

002 C:\Program Files\McAfee\MBK\LogOnHook.exe (McAfee)

002 * C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)

002 * C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

002 C:\Program Files\Microsoft Works\WksSb.exe (Microsoft

Link to post
Share on other sites

  • Root Admin

I'm sorry, I should have provided more information.

Start RunScanner and use the
Beginner Mode
and keep the top 2 check marks on and uncheck the
Online malware analysis
then click on
Scan computer

When it's done it should save the files to your desktop as the following:

runscanner.run

runscanner.log

Zip up those files and attach it to your next reply please as a .ZIP file.

Link to post
Share on other sites

  • 2 weeks later...

Hi,

I had a session going in December that fixed all of my pop-up issues but that session is now locked. I still have one issue, however, and that is that I have a folder open at start-up called "Common" and it contains two files, on titled "_helper.sig" and one titled "helper.sig". My last instruction was to run runscanner and zip the files. I thought I sent them but evidently never did. Here they are. Can you still help me?

Thanks,

Dan

Runscanner_01.04.09.zip

Runscanner_01.04.09.zip

Link to post
Share on other sites

  • Root Admin

Hi there.

That scanner file doesn't seem to be showing everything for some reason.

Please run the following and we'll see what we can find.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Hi,

Here are to log files. Thanks for the help!

Dan

Malwarebytes' Anti-Malware 1.33

Database version: 1668

Windows 5.1.2600 Service Pack 3

1/19/2009 1:59:17 PM

mbam-log-2009-01-19 (13-59-17).txt

Scan type: Quick Scan

Objects scanned: 76190

Time elapsed: 1 hour(s), 8 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:00:34 PM, on 1/19/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\umonit.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\AOL\1151114637\EE\aolsoftware.exe

c:\program files\common files\aol\1151114637\ee\services\safetysettings\ver3_6_6_1\AolIacMon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.com/http://usabhemama14.m...om/iNotes6W.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bl137fd.blu137.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/Imag...30.0-080212.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...460/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {c6e3daf3-cab6-46b3-baf0-6b42b13c9e01} - C:\WINDOWS\system32\mst120.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9577 bytes

Link to post
Share on other sites

  • Root Admin

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Then remove your old Adobe Acrobat Reader 7 and install version 9 if you want the reader.

Adobe Reader 9.0.0 ENU (United States) Without Acrobat.COM

Then run an Online scan with Kaspersky please.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

KAS.gif

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Link to post
Share on other sites

  • Root Admin

You will need to re-install you Java to run the Online scan.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.