
Thread: Followed your 9 steps; posting 4 logs

  1. #1
    Join Date
    Sep 2008
    Posts
    4

    Followed your 9 steps; posting 4 logs

    Hello IANAG Forum -

    I had a problem with malware, followed your 9 steps and am now posting. I would love to eradicate any vestige of the malware that had hijacked my machine...and protect myself in the future!

    For some reason, my HijackThis log will not attach.

    AG

  2. #2
    Join Date
    Sep 2008
    Posts
    4
    I will try again to post the HijackThis log as text in this window, since I could not attach the file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:22 PM, on 9/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\TIREMOTE\wuser32.exe
    C:\WINDOWS\TIREMOTE\TIRemoteService.exe
    C:\WINDOWS\system32\tlntsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0061012
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0061012
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Macro International
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.health.org
    O15 - Trusted Zone: *.macroalt.com
    O15 - Trusted Zone: *.macroint.com
    O15 - Trusted Zone: *.macrointernational.com
    O15 - Trusted Zone: *.bethesda.orc.wan
    O15 - Trusted Zone: *.burlington.orc.wan
    O15 - Trusted Zone: *.orcmacro.orc.wan
    O15 - Trusted Zone: *.plainsboro.orc.wan
    O15 - Trusted Zone: *.rockville.orc.wan
    O15 - Trusted Zone: *.orcmacro.com
    O15 - Trusted Zone: *.shs.net
    O15 - Trusted Zone: *.health.org (HKLM)
    O15 - Trusted Zone: *.macroalt.com (HKLM)
    O15 - Trusted Zone: *.macroint.com (HKLM)
    O15 - Trusted Zone: *.macrointernational.com (HKLM)
    O15 - Trusted Zone: *.bethesda.orc.wan (HKLM)
    O15 - Trusted Zone: *.burlington.orc.wan (HKLM)
    O15 - Trusted Zone: *.orcmacro.orc.wan (HKLM)
    O15 - Trusted Zone: *.plainsboro.orc.wan (HKLM)
    O15 - Trusted Zone: *.rockville.orc.wan (HKLM)
    O15 - Trusted Zone: *.orcmacro.com (HKLM)
    O15 - Trusted Zone: *.shs.net (HKLM)
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2009
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2001
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2005
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2004
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = orcmacro.orc.wan
    O17 - HKLM\Software\..\Telephony: DomainName = orcmacro.orc.wan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = orcmacro.orc.wan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = orcmacro.orc.wan,orcmacro.com,calverton.orc.wan,macroint.com,atlanta.orc.wan,burlington.orc.wan,orc.wan,rockville.orc.wan,bethesda.orc.wan
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = orcmacro.orc.wan,orcmacro.com,calverton.orc.wan,macroint.com,atlanta.orc.wan,burlington.orc.wan,orc.wan,rockville.orc.wan,bethesda.orc.wan
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Numara Remote Control Helper ver. 9.00 (2007058) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Numara Software\Remote\Host\NHOSTSVC.EXE
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
    O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
    O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 11249 bytes

  3. #3
    Join Date
    Aug 2006
    Posts
    2,763
    Thanks for re-posting the HijackThis log. I've looked over your MBAM log and your HijackThis log.

    Some things in your HijackThis log to consider:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present "did you set these restrictions?"

    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)

    ----------------------------------------------------------

    Do you recognise any of the following as something you personally added to your "TRUSTED" sites via the Internet Options control panel?

    O15 - Trusted Zone: *.health.org
    O15 - Trusted Zone: *.macroalt.com
    O15 - Trusted Zone: *.macroint.com
    O15 - Trusted Zone: *.macrointernational.com
    O15 - Trusted Zone: *.bethesda.orc.wan
    O15 - Trusted Zone: *.burlington.orc.wan
    O15 - Trusted Zone: *.orcmacro.orc.wan
    O15 - Trusted Zone: *.plainsboro.orc.wan
    O15 - Trusted Zone: *.rockville.orc.wan
    O15 - Trusted Zone: *.orcmacro.com
    O15 - Trusted Zone: *.shs.net
    O15 - Trusted Zone: *.health.org (HKLM)
    O15 - Trusted Zone: *.macroalt.com (HKLM)
    O15 - Trusted Zone: *.macroint.com (HKLM)
    O15 - Trusted Zone: *.macrointernational.com (HKLM)
    O15 - Trusted Zone: *.bethesda.orc.wan (HKLM)
    O15 - Trusted Zone: *.burlington.orc.wan (HKLM)
    O15 - Trusted Zone: *.orcmacro.orc.wan (HKLM)
    O15 - Trusted Zone: *.plainsboro.orc.wan (HKLM)
    O15 - Trusted Zone: *.rockville.orc.wan (HKLM)
    O15 - Trusted Zone: *.orcmacro.com (HKLM)
    O15 - Trusted Zone: *.shs.net (HKLM)
    -------------------------------------------
    Did you download anything to access fpass.gov?
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2009
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2001
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2005
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2004
    --------------------------------------------

    Did you add this info to your TCP settings? Do you know what they are? If not, you should be concerned: where did they come from, what application installed them, etc.?

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = orcmacro.orc.wan
    O17 - HKLM\Software\..\Telephony: DomainName = orcmacro.orc.wan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = orcmacro.orc.wan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = orcmacro.orc.wan,orcmacro.com,calverton.orc.wan,macroint.com,atlanta.orc.wan,burlington.orc.wan,orc.wan,rockville.orc.wan,bethesda.orc.wan
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = orcmacro.orc.wan,orcmacro.com,calverton.orc.wan,macroint.com,atlanta.orc.wan,burlington.orc.wan,orc.wan,rockville.orc.wan,bethesda.orc.wan

    _______________________________

    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
    _______________________________

    O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

    ~Did you install "Sprint utility service"?

    You could ask yourself the same question for some of the other applications. Do you use the Google toolbar? How about the iPod music device or iTunes? There are some things that can be turned off and set to manual via Control Panel | Administrative Tools | Computer Management | Services, or something like that. Would you like to do this as well, or do you want to just focus on the malware?
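
    The checks the helper walks through above (an O2 BHO with no file, the O6 restrictions policy, O15 Trusted Zone and O17 DNS entries the user did not set, O16 ActiveX downloads, an O23 service whose binary is missing, and the O24 desktop component) are mechanical enough to script. The following is an added example for this thread, not a tool from the forum or from Trend Micro: a small Python triage pass over HijackThis v2 entry lines, using a few lines from the log posted in reply #2 as sample input. `expected_domains` is an assumed parameter, the domains the user vouches for (an employer's, say), so that Trusted Zone and DNS entries under them are left alone and everything else is reported with the question a helper would ask.

```python
"""Triage a HijackThis v2 log the way the helper in this thread does by hand.

Added example for this thread; not a tool from the forum or from Trend Micro.
"""
import re
from dataclasses import dataclass

# One entry per line: "O23 - Service: ..." / "R1 - HKCU\..." and so on.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Sample input: a few lines excerpted from the log posted in reply #2
# (the entry types the helper asked about), not the complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:22 PM, on 9/6/2008

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.orcmacro.com
O15 - Trusted Zone: *.shs.net (HKLM)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://fpass.ed.gov/vdesk/terminal/...2008,0122,2001
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = orcmacro.orc.wan
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O23"
    reason: str    # the question a helper would ask about this entry
    line: str      # the entry as it appeared in the log


def parse_entries(text):
    """Yield (section, body, raw) for each 'Oxx - ...' entry line; skip the header."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def _in_expected(name, expected_domains):
    """True if a zone pattern or DNS name falls under a domain the user vouched for."""
    host = name.lower().lstrip("*.")  # "*.orcmacro.com" -> "orcmacro.com"
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def triage(text, expected_domains=()):
    """Return the entries a helper would ask about, each with its reason.

    expected_domains (assumed parameter): domains the user confirms are theirs,
    so O15 Trusted Zone and O17 DNS entries under them are not flagged.
    """
    expected = tuple(d.lower() for d in expected_domains)
    findings = []
    for section, body, raw in parse_entries(text):
        reason = None
        if section == "O2" and body.endswith("(no file)"):
            reason = "BHO registered but its DLL is gone: orphaned CLSID, safe to fix"
        elif section == "O6":
            reason = "IE Restrictions policy present: confirm who set it"
        elif section == "O15":
            zone = body.partition(":")[2].split()[0]
            if not _in_expected(zone, expected):
                reason = f"Trusted Zone {zone} not vouched for: sites there get relaxed IE security"
        elif section == "O16":
            reason = "ActiveX control downloaded from a site (DPF): confirm the URL is one you use"
        elif section == "O17":
            names = [n.strip() for n in body.partition("=")[2].split(",") if n.strip()]
            bad = [n for n in names if not _in_expected(n, expected)]
            if bad:
                reason = "DNS domain/search list names not vouched for: " + ", ".join(bad)
        elif section == "O23" and body.endswith("(file missing)"):
            reason = "service points at a binary that no longer exists: leftover install or removed malware"
        elif section == "O24" and body.endswith("(no file)"):
            reason = "Active Desktop component with no file: typical rogue 'privacy' alert residue"
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


def by_section(findings):
    """Count findings per HijackThis section, for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_domains=("orcmacro.com", "orc.wan")):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

    Run as-is, it reports the orphaned BHO, the O6 policy, the *.shs.net zone, the F5 ActiveX download, the NTRU service with its missing binary and the Privacy Protection desktop component; the orcmacro entries drop out because they are under the vouched-for domains. Leave `expected_domains` empty and the O15 and O17 entries come back, which is the state the helper was in before the user answered.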

  4. #4
    Join Date
    Sep 2008
    Posts
    4

    Thank you for responding!

    Anything that speeds up my machine is welcome too.

    I use a Sprint PCS card from time to time...so that one is good. I also use iTunes, but I never use the Google bar. So yes, anything that would speed me up would be appreciated.

    AG

  5. #5
    Join Date
    Aug 2006
    Posts
    2,763
    OK, you want to check your C: drive for any of the following files:

    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\1.exe
    C:\Program Files\PCHealthCenter\2.exe
    C:\Program Files\PCHealthCenter\3.exe
    C:\Program Files\PCHealthCenter\4.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\7.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\sc.html
    C:\Program Files\PCHealthCenter\sex1.ico
    C:\Program Files\PCHealthCenter\sex2.ico
    C:\Program Files\AV9\av2009.exe ~(Rogue.Antivirus2009)
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811205939687.log ~(Rogue.Multiple)
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811212255390.log ~(Rogue.Multiple)
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811214330109.log ~(Rogue.Multiple)
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080812102404093.log ~(Rogue.Multiple)
    C:\WINDOWS\system32\tdssadw.dll ~(Trojan.Agent)
    C:\WINDOWS\system32\tdssmain.dll ~(Trojan.Agent)
    C:\WINDOWS\system32\tdssinit.dll ~(Trojan.Agent)
    C:\WINDOWS\system32\tdsslog.dll ~(Trojan.Agent)
    C:\WINDOWS\system32\tdssservers.dat ~(Trojan.Agent)
    C:\WINDOWS\system32\drivers\tdssserv.sys ~(Trojan.Agent)
    C:\WINDOWS\system32\avm.cpl ~(Trojan.FakeAlert)
    C:\Documents and Settings\Denton\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk ~(Rogue.Antivirus2008)

    If you find any of the above listed files anywhere on your hard drive, let me know which ones and where you found them. For example, if you open My Computer | drive C | the Windows folder | system32 sub-folder | drivers sub-folder and see a file named tdssserv.sys, you would type it out as C:\windows\system32\drivers\tdssserv.sys

    Best bet is to do the search from the Start menu "files and folders", all, something something, on ALL local drives, for any one of those files listed above.

    Have you used an up-to-date anti-virus application besides MBAM? Other anti-virus software that lists a full log of what it removed? Maybe some of the steps you've already done have not been documented as to what happened or what was removed, because there's usually more listed in the MBAM log for this malware infection.

  6. #6
    Join Date
    Sep 2008
    Posts
    4
    The 1st 3 items in your response I do not recognize
    The 2nd set of Trusted Zone were all added by the company I work for...
    The 3rd set - fpass - looks like settings I need to log into the Dept of ED, one of my clients
    The 4th set - is all orcmacro settings - that's a former name of the company I work for
    The O23 NTRU Hybrid is a mystery
    The O23 Sprint is ok
    C:\Program Files\PCHealthCenter -does not appear on my C drive
    Program Files\AV9\av2009.exe ~(Rogue.Antivirus2009) does not appear on my C drive
    C:\Documents and Settings\All Users\Application Data\Secure Solutions does not appear on my C drive
    C:\WINDOWS\system32\td...does not appear on my C drive
    C:\WINDOWS\system32\drivers\tdssserv.sys ~(Trojan.Agent) is not on my C drive
    C:\WINDOWS\system32\avm.cpl ~(Trojan.FakeAlert) is not on my C Drive
    C:\Documents and Settings\Denton\ is not on my C drive
    Last edited by Sick&Tired; 09-06-2008 at 11:43 PM.

  7. #7
    Join Date
    Aug 2006
    Posts
    2,763
    Thanks, it looks good to me, but I'm a novice at these logs. I have asked the other staff members to take a look for other stuff, but for now:

    Ensure that Spybot Search & Destroy's resident helper/TeaTimer is not running, then
    ensure that NONE of these applications are running in the background, by either exiting out of them, closing all open windows, and/or killing their processes via Task Manager. If exiting the applications and closing the windows still will not allow you to uninstall, and you need help figuring out how to kill their processes via Task Manager, let us know.


    If you don't use Google toolbar, open "Start menu", "Settings", "Control Panel", then open "Add/Remove Programs",
    look for Google toolbar and click Add/Remove, then check the "uninstall" or "remove" option, not sure what it is.

    Same goes for Uniblue Registry Booster: if you don't have the full version, all it does is make recommendations on what you can change; in order to change anything using the program you need the "full" version = buy it. If you don't like what you see and don't plan on buying the full version, then to uninstall this application you have to kill its process, or turn it off: if it has a tray icon next to the clock/speaker icon in your start bar, click on this and look for an "exit" option, then go to the Control Panel, Add/Remove Programs, and use its uninstaller, as mentioned previously for Google toolbar.

    If you do not use synchronization software to work offline, you can disable the mobsync.exe /boot Synchronization Manager!
    To do this, open the Start menu, Programs, Accessories, then run "Synchronize", open the "Setup" menu and uncheck the synchronization options.

    Then deselect the option to synchronize your home page. Open Internet Explorer; in the top bar of Internet Explorer you should see a set of options, this is the toolbar. On the Internet Explorer toolbar select Tools, then select Folder Options, and Offline Files, and deselect the "enable offline files" option. You will have to reboot for the changes to take effect. Once rebooted, you should no longer see the following entry in your HijackThis log:
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    _________

    There may be some residual "file missing" entries caused by the uninstall processes, but we'll get to those later.


    You can have hijack this fix the following by checking the box next to their entries and clicking the "FIX CHECKED" button:



    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O24 - Desktop Component 0: Privacy Protection - (no file) !!~see if you have a file folder on your drive C in C:\windows named "privacy danger" If you find the "privacy danger" folder, delete it! this is related to a malware infection.


    The Internet settings "restrictions" entry is probably created by Spybot Search & Destroy's
    resident helper. The other thing I noticed in your logs is that TeaTimer is enabled.

    TeaTimer protects your registry from changes by asking you to "allow" or "deny" changes that applications want to make to the registry. This is good if you know what you are installing, and it will pop up if something that you were unaware of is trying to make changes to the registry, alerting you of possible changes that would cause issues.

    It can also cause any anti-malware or anti-virus application to not be able to remove registry problems when they find them.

    It's recommended to turn off TeaTimer, or even the whole Spybot Search & Destroy application, before running the anti-virus/anti-malware applications.

    To temporarily disable TeaTimer, run Spybot Search & Destroy in "advanced mode". In the Spybot Search & Destroy side bar there's a "TOOLS" menu; in the Tools menu there is an icon that says "Resident". Click on "Resident" and you will find a couple of check boxes: one is to enable/disable "TeaTimer", the other is for Internet Explorer and is probably what creates the "restrictions" entry showing in your HijackThis log. Nothing to worry about. Turn them both off, but take good measure by disconnecting from the internet prior to disabling the Internet Explorer SDHELPER? Run your anti-virus/anti-malware, and HijackThis, without Spybot Search & Destroy running. Then save the logs, re-enable the resident settings, and have Spybot Search & Destroy running before you reconnect your internet connection. Compare the HijackThis logs, or post the logs for comparison.

    There are some other things that I am unsure of just yet, but this is a good middle ground, once you have completed the above mentioned suggestions, run hijack this and repost another log and we can take a look at it to see how it's going, make further suggestions etc.

  8. #8
    Join Date
    Aug 2006
    Posts
    2,763
    As per STEP ONE, you need to enable "show hidden and system files" from the Folder Options menu prior to searching for these files. Hope this helps...

    Correction to post number 5: where I mentioned searching for "any one of those files", it should read "search for each one" and list each that you find. Hope this isn't too much trouble. All of the files listed in the search list are associated with the malware infection that is indicated by what MBAM found in your registry.

    :Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.

    There's a record of that infection in the registry, but no other infected files showing in your MBAM log. It's GOOD that there's nothing showing as infected, but it's just a little odd; usually there are half a dozen or more files showing in the log.

    Do you remember if you ran an anti-virus application, or noticed if it was deleting/quarantining/disinfecting any files?

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If I can jump in here also: your Java, as you are running an out-of-date version. Go HERE and download the Offline Install and save it to the desktop.
    Then go to Add/Remove and uninstall all previous versions showing:
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1

    Once you have done the uninstall then reboot the computer and click that Java install file saved on the desktop. The newest version will install. Once it is complete then go HERE and on the Right Side of the page you will see Verify Now. Click that to verify that the installation was successful.
    Judy
