http://www.dslreports.com/forum/r20988485 en Wed, 11 Nov 2009 02:07:20 EDT Wed, 11 Nov 2009 02:07:20 EDT http://www.dslreports.com/forum/remark,21001059 PeeWee : Just want to say thanks for the help. Looks like you guys are awfully busy in here.
--
My grandkids ARE cuter than yours! ;-)]]> http://www.dslreports.com/forum/remark,21001059 Sun, 24 Aug 2008 21:12:48 EDT http://www.dslreports.com/forum/remark,20997677 bcastner : MBAM did a nice job. You fortunately had a Vundo variant that MBAM detects quite well, as well as a fairly easy variant of XP Antivirus. I think you are in good shape.

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 9 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Update your Version of Java. The current version is 1.6.07: go to »www.java.com/en/download/manual.jsp and download and install the newest Java JRE release.

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Please download OTMoveIt2 by OldTimer to your Desktop (only):

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
• Please double-click OTMoveIt.exe to run it.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been download you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to the ESET On-Line scanner. Uninstall MBAM. If you find any other files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• Download and Install Windows Defender by Microsoft (free):
http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D
• Suggestion: Download and install Comodo BOClean (free):
http://www.comodo.com/boclean/CBO_download.html
• Suggestion: Download, install, and keep updated Spyware Blaster (free):
http://www.javacoolsoftware.com/spywareblaster.html
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20997677 Sat, 23 Aug 2008 23:52:56 EDT http://www.dslreports.com/forum/remark,20996853 PeeWee : Would you believe I reinstalled the program and through it I can still access the log files. There are three, as it instructed to do additional scans.

1.
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

9:04:03 AM 8/21/2008
mbam-log-08-21-2008 (09-04-03).txt

Scan type: Quick Scan
Objects scanned: 50382
Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 15
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccaWOIa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lreehxjl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0dd4a649-c5da-4612-97f8-f44149c23616} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0dd4a649-c5da-4612-97f8-f44149c23616} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc3n8j0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc3n8j0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8dd8fcd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccawoia -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccawoia -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhc3n8j0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\rhc3n8j0erdl\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccaWOIa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aIOWaccf.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aIOWaccf.ini2 (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lreehxjl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljxheerl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtisqtgj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jgtqsitv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dkpyujcr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odoptgns.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mxvioepd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Local Settings\Temp\lwpwer.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\rhc3n8j0erdl.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\rhc3n8j0erdl.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3n8j0erdl\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc7n8j0erdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc7n8j0erdl.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc7n8j0erdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rex\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

2.
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

9:10:56 AM 8/21/2008
mbam-log-08-21-2008 (09-10-56).txt

Scan type: Quick Scan
Objects scanned: 14441
Time elapsed: 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3.
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

9:23:28 AM 8/21/2008
mbam-log-08-21-2008 (09-23-28).txt

Scan type: Quick Scan
Objects scanned: 50103
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--
My grandkids ARE cuter than yours! ;-)]]> http://www.dslreports.com/forum/remark,20996853 Sat, 23 Aug 2008 20:03:46 EDT http://www.dslreports.com/forum/remark,20996774 PeeWee : Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:50 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Portrait Displays\HP My Display\DTSRVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »us.rd.yahoo.com/customize/ie/def···ahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »us.rd.yahoo.com/customize/ie/def···ahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {36D84C7E-CC68-4EB4-84DD-1C39F19F8937} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\HP My Display\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA PVR Schedule Monitor (nvpvrmon) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\NVIDIA~1\FORCEW~1\NVRemote\x10nets.exe (file missing)

--
End of file - 8228 bytes

ESET
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3377 (20080821)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d3557c3039661748aa9d1dee6d12d302
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-22 12:35:15
# local_time=2008-08-21 05:35:15 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=419650
# found=3
# scan_time=3521
C:\Documents and Settings\Rex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d66d184-450c3742.zip Java/TrojanDownloader.OpenStream.NAB trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Rex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-7d66d184-450c3742.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Rex\My Documents\My Music\New Folder (2)\Top of Charts - 2004 (group).wma WMA/TrojanDownloader.Wimad.L trojan (unable to clean - deleted) 00000000000000000000000000000000

I removed MBAM. Would you like me to reinstal, run, and retrieve another log file? Or would the log file still be here in some location unknown to me?
--
My grandkids ARE cuter than yours! ;-)]]> http://www.dslreports.com/forum/remark,20996774 Sat, 23 Aug 2008 19:44:19 EDT http://www.dslreports.com/forum/remark,20996646 bcastner :
1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {36D84C7E-CC68-4EB4-84DD-1C39F19F8937} - (no file)
O2 - BHO: (no name) - {8D64B4F4-EDFD-42D7-9A58-1AFF3A9EF147} - (no file)
O2 - BHO: (no name) - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Run HijackThis again, and save the log file.

Submit to the Forum:
• Your MBAM log results from its use;
• The ESET online scanner results, found here: C:\Program Files\EsetOnlineScanner\log.txt.
• The new HijackThis log.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20996646 Sat, 23 Aug 2008 19:12:35 EDT http://www.dslreports.com/forum/remark,20988485 PeeWee : My brothers computer, so I don't know how he got it. Followed every step after starting with MBAM. Would like someone to check just to be sure it's clean before I give the computer back. During the check it seemed like every method found something, which has me concerned.

Since posting I have removed all the extra toolbars he added to IE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:17 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Portrait Displays\HP My Display\DTSRVC.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »us.rd.yahoo.com/customize/ie/def···ahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »us.rd.yahoo.com/customize/ie/def···ahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {36D84C7E-CC68-4EB4-84DD-1C39F19F8937} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8D64B4F4-EDFD-42D7-9A58-1AFF3A9EF147} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\HP My Display\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA PVR Schedule Monitor (nvpvrmon) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\nvpvrmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\NVIDIA~1\FORCEW~1\NVRemote\x10nets.exe (file missing)

--
End of file - 9293 bytes
--
My grandkids ARE cuter than yours! ;-)]]> http://www.dslreports.com/forum/remark,20988485 Fri, 22 Aug 2008 00:44:58 EDT