Topic: Amity help thread

Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Amity help thread
« on: October 28, 2008, 12:45:09 AM »
Hey Corrine and team, this person has some infections she will be needing help with. She posted her MBAM log over on Garden Web, so I am going to copy and paste it here for her.

This is the log that Popped Up Automatically when I clicked "Remove Selected":

Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 6.0.6001 Service Pack 1

10/27/2008 12:15:08 PM
mbam-log-2008-10-27 (12-14-53).txt

Scan type: Quick Scan
Objects scanned: 43155
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 14
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\(030a0f33-5b99-482e-83f5-2eeb8457878b) (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\(9034a523-d068-4be8-a284-9df278be776e) (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\(144a6b24-0ebc-4d89-bf09-a06a718e57b5) (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\(daed9266-8c28-4c1c-8b58-5c66eff1d302) (Search.Hijack) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\(144a6b24-0ebc-4d89-bf09-a06a718e57b5) (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=(searchTerms)) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=(searchTerms)) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
C:\Windows\System32\675873 (Trojan.BHO) -> No action taken.

Files Infected:
C:\Users\Lady\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Lady\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Lady\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
C:\Users\Lady\My Documents\My Documents.url (Trojan.Zlob) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> No action taken.
C:\Users\Public\Desktop\Antivirus Scan.url (Rogue.Link) -> No action taken.
C:\Users\Public\Desktop\Online Spyware Test.url (Rogue.Link) -> No action taken.
C:\Users\Lady\Favorites\Antivirus Scan.url (Rogue.Link) -> No action taken.

Also, before reading your post I hand-copied some things that showed up in my Free AVG when it automatically scanned in the wee hours of this morning.

Trojan Fake Alert - IEBT
" Media-Codec
" Media-Codec/V4
" SmitFraudVariant/IE Anti-Spyware
" Unclassified/ALGG
" Unclassified-Packed/Suspicious
" Downloader ZLOB_r.DE
" " " " DO
" " " " DF

" Generic7.BDKJ

Adware Media-Codec/ZLOB

And even though I thought the bad stuff was gone and I've started with a fresh reboot, when I am in IE7, it freezes and I get one of two messages:
APPCRASH
or
APPHANGB1

Of course I went to WebShots and sure 'nuff, there was the big box with the message "This page will not function properly without enabling Java".

She was also having problems getting Java and Flash updated, and ended up with OpenOffice from the Java update, so we were trying to get that off of her PC too.

Her info from the other thread

Vista Home Premium - IE 7 - HP Pavilion A1710N - Verizon Fiber Optic Connection

Last week I got a message from Windows Defender that a Virus and Trojan were threatening. Message asked me to remove or quarantine.
I removed.

I then ran SUPERAntiSpyware Free Edition and Spybot S&D, shut down computer when the scans were done and rebooted.
Everything seemed fine.

That is where she is now. I asked her to come here, register, come to this thread and follow the directions from the team. This is a new PC and she is very upset that it is infected; I told her to take a deep breath and come on over.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:
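
The MBAM log above is the kind of thing a helper reads by eye. As an added example (not part of this thread, and not a Malwarebytes tool), here is a small Python script that does the same triage automatically: it parses the sections of an MBAM 1.x log, records the action MBAM took on each item, pulls the Bad/Good pairs out of the search hijack entries, and reports whether anything was left as "No action taken", which is what the log above shows for every item. The sample log embedded in the script is a constructed subset of the one posted above; the "Quarantined and deleted successfully." entry is made up so the success path is exercised too.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the MBAM 1.30 log format. The entries are copied from
# the log posted above, except the second registry key, whose action text is
# made up so the parser is exercised on a successfully removed item too.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 6.0.6001 Service Pack 1

Scan type: Quick Scan
Objects scanned: 43155

Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\(030a0f33-5b99-482e-83f5-2eeb8457878b) (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\(daed9266-8c28-4c1c-8b58-5c66eff1d302) (Search.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=(searchTerms)) Good: (http://www.google.com/) -> No action taken.

Files Infected:
C:\Users\Public\Desktop\Antivirus Scan.url (Rogue.Link) -> No action taken.
"""

# "Registry Keys Infected:" with nothing after the colon starts a section;
# the same text followed by a number is only the summary count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# <item> (<family>) -> <rest>; <rest> is either the action or "Bad: (...) Good: (...) -> action"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")
HIJACK_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> ")


@dataclass
class Detection:
    section: str                # e.g. "Registry Data Items Infected"
    item: str                   # registry key, value, folder or file path
    family: str                 # MBAM family label, e.g. "Trojan.Zlob"
    action: str                 # trailing action text, e.g. "No action taken."
    bad: Optional[str] = None   # hijacked value (search hijack data items only)
    good: Optional[str] = None  # value MBAM would restore (data items only)

    @property
    def resolved(self) -> bool:
        # MBAM writes "No action taken." when an item was detected but not removed,
        # which is exactly what the first log in this thread shows.
        return not self.action.startswith("No action taken")


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log line by line, remembering the current 'xxx Infected:' section."""
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if not section:
            continue                      # preamble and summary counts
        m = DETECTION_RE.match(line)
        if not m:
            continue                      # "(No malicious items detected)" etc.
        rest = m.group("rest")
        det = Detection(section, m.group("item"), m.group("family"),
                        rest.rsplit(" -> ", 1)[-1])
        hijack = HIJACK_RE.match(rest)
        if hijack:
            det.bad, det.good = hijack.group("bad"), hijack.group("good")
        detections.append(det)
    return detections


def summarize(detections: List[Detection]) -> dict:
    """Triage view: what was found, what was actually removed, which search URLs were hijacked."""
    unresolved = [d for d in detections if not d.resolved]
    return {
        "total": len(detections),
        "unresolved": len(unresolved),
        "families": dict(Counter(d.family for d in detections)),
        "hijacked_search_urls": sorted({d.bad for d in detections if d.bad}),
        # Any unresolved item means the scan must be repeated with everything checked.
        "needs_rescan": bool(unresolved),
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary, or pass the contents of a saved log file to parse_mbam_log to use it on a real scan. A report with needs_rescan set is the cue for the usual next step: scan again with every item checked and click Remove Selected.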

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #1 on: October 28, 2008, 12:59:01 AM »
Thank you for the background information, R-C. 

Amity, in the event you register after I have gone off-line this evening, I'll extend a welcome now! 

With MBAM, it appears that something happened and the items for removal were not checked as the MBAM log shows "No action taken".  Please scan with MBAM again:
  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • --> Be sure that everything is checked <--, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply and a fresh HijackThis log (instructions for HijackThis follow).
Please download HijackThis© from one of the following sites:  Note:  If you have used any anti-spyware applications, please shutdown/restart the computer before scanning with HijackThis©. 

At the download prompt, choose "Save" 
  • Navigate to the saved file and double-click the installer, HJTsetup.exe
  • By default, HijackThis© will be installed on your computer at C:\Program Files\Trend Micro\HijackThis, making an entry in the Start menu and also providing a Desktop shortcut
  • When the installation is complete, double-click the HijackThis icon on your desktop
  • Select "Do a system scan and save the Logfile"
  • When the scan is completed, Notepad will launch with the log.   Please UNcheck Word Wrap in Notepad (Click Format > UNcheck Word Wrap)
  • Do not fix anything that you see in the log. (Scanning will not make any changes to your computer.  Most of what is found is harmless or even required.)
  • Copy/Paste the log as a reply  (Select Edit > Select All > Edit Copy)
  • Close HijackThis and Notepad

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: Amity help thread
« Reply #2 on: October 28, 2008, 09:02:14 AM »
R-C,
You are my Hero!


Corrine,
Thank you so much for the welcome, much appreciated!
OK, I will start with the Malwarebytes and run it again as per your instructions.
I'll get it started, go to bed and then see what I wake up to. LOL

Funny thing....I know exactly when/where this problem started. I was doing research for someone on a trucking company when all types of messages started popping up and I couldn't stop them so I shut down my computer, only to start it up again and have my home page changed, desktop color changed and all kinds of things no longer working the way they did.

I had an old clunker of a computer for 9.5 years with no problems.
When that computer finally booted its last, I borrowed my son's computer for almost two years, nothing bad happened.
I get a new computer and three months later, here I am trying to repair it in the middle of the night so hubby doesn't get wind of what's happened.

Soon as I get up and get my first cuppa poured, I'll report in to you.
Browsing around here, this looks like a really helpful and friendly place...I'm gonna like it here!
Many, many thanks again to you, R-C, and to you, Corrine.

   With much appreciation,
     Amity

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #3 on: October 28, 2008, 11:27:08 AM »
Good morning, Amity.

Quote
I know exactly when/where this problem started. I was doing research for someone on a trucking company when all types of messages started popping up and I couldn't stop them so I shut down my computer

Simply stated, what happened to you is what is referred to as a "drive-by install". Although, with a new computer, I would expect the operating system to be Windows Vista. Unless it has been turned off, there should have been a UAC (User Account Control) elevation prompt.


Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: Amity help thread
« Reply #4 on: October 28, 2008, 03:07:52 PM »
Goooooood Morning to you Corrine!

'Drive-by Install'  --- had never heard that before but it sure sounds perfect for my situation.

So I woke up to a message from MBAM stating I had no problems.
The first time I ran MBAM I used the quick scan. This time I used the deep scan.
Quick Scan=4 minutes.  Deep Scan= Almost an hour and a half.

When I saw MBAM didn't detect any malicious items I shut down my computer, restarted it and went straight to WebShots and PhotoBucket, sure that everything was fixed.
Sadly, nope.  I still have the messages about needing JavaScript and/or Flash.
I then went to a couple of my favorite places on IE and browsed around about 20 minutes when IE froze, just as it had been doing since the Trojans hopped on board. The only way to get out of IE is to use the Task Manager and rid the screen of IE.

Since setting up this computer I did change the font size and switched font to Comic Sans. I changed the desktop picture and the colors.  Added Free AVG since I was very happy with it on my other computers.
I downloaded my Microsoft Digital Image Anniversary Edition and Screen Hunter 5.0.
Adobe PhotoShop CS and Adobe ImageReady CS were added about a week later.
I honestly don't remember if Java and Flash were added by me or by hubby within the first week of having this computer.
My computer is used for bill paying, almost all purchases are made online, email with family across the U.S.  and my photo obsession......all photos added to the computer come straight from my little ol' digital Kodak camera.
If any of these things sound like they could be problems, in your opinion, let me know and I'll remove them.

So here's the copy of the message from MBAM and I'm heading over to download the HijackThis.

 
Malwarebytes' Anti-Malware 1.30
Database version: 1331
Windows 6.0.6001 Service Pack 1

10/28/2008 7:21:22 AM
mbam-log-2008-10-28 (07-21-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154444
Time elapsed: 1 hour(s), 20 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: Amity help thread
« Reply #5 on: October 28, 2008, 03:29:00 PM »
Ok, Here it is. Hope I did this correctly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:48 AM, on 10/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\aol\1210534979\ee\aolsoftware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1210534979\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm TaskBar Icon - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC11F230-5717-4C25-BAD7-37B879C19655} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://ladyamity.myphotoalbum.com/ImageUploader4.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 
--
End of file - 8547 bytes
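
The HijackThis log above is what the helpers read next, and the thing Corrine picks out of it is a Symantec service whose binary is missing. As an added example (not part of this thread and not a Trend Micro tool), here is a Python script that parses an HJT 2.x log into its typed entries and applies the first checks a helper would make: it lists the O23 services and marks the ones whose file is gone (a leftover of an incomplete uninstall), flags O2 browser helper objects that report "(no name)" so their DLL can be verified, and collects the hosts from which O16 ActiveX controls were downloaded. The review rules are my own assumptions about what to look at first; a hit is a prompt to check, not a verdict (the no-name BHO in this log is RoboForm, which the thread treats as intentionally installed). The embedded log is a constructed subset of the one Amity posted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis 2.0.2 log posted above, kept
# to the line types this script looks at (R0, O2, O4, O16, O23).
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:48 AM, on 10/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

# Every HJT entry is "<type> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    kind: str    # HJT line type, e.g. "O23"
    reason: str  # why a reviewer should look at it
    body: str    # the entry as it appeared in the log


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for each typed line; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text: str) -> Dict[str, object]:
    """Apply the first-pass review rules (assumed here, not HJT's own) to a log."""
    entries = parse_entries(text)
    services: List[dict] = []
    dpf_hosts = set()
    findings: List[Finding] = []
    for kind, body in entries:
        if kind == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            svc = m.groupdict()
            # HJT appends "(file missing)" when the registered binary is not on disk.
            svc["file_missing"] = svc["path"].endswith("(file missing)")
            services.append(svc)
            if svc["file_missing"]:
                findings.append(Finding(kind, "service binary is missing: leftover of an "
                                        "incomplete uninstall, run the vendor's removal tool", body))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                findings.append(Finding(kind, "browser helper object without a display name: "
                                        "confirm the DLL belongs to a known product", body))
        elif kind == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlparse(m.group("url")).hostname
                if host:
                    dpf_hosts.add(host)
    return {
        "counts": dict(Counter(kind for kind, _ in entries)),
        "services": services,
        "dpf_hosts": sorted(dpf_hosts),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    print("entry counts:", result["counts"])
    print("ActiveX download hosts:", result["dpf_hosts"])
    for f in result["findings"]:
        print(f"[{f.kind}] {f.reason}\n    {f.body}")
```

Pass the text of a saved HJT log to triage to run it on a real scan. The entry regex accepts any "Rn"/"On" line, so adding a rule for another type (O4 autoruns, O20 AppInit_DLLs) is one more elif branch over the same parsed entries.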


Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Re: Amity help thread
« Reply #6 on: October 28, 2008, 03:55:37 PM »
You are doing everything exactly right, Amity, good for you! The first time you ran MBAM something had not been set right and it did not delete the items, but this time it looks better.
Corrine will be back with her follow up directions.

Did you have any type of antivirus that came with the new PC, like Norton? Did you fully remove it before installing your AVG?
I know you had said you got some toolbars accidentally with updates, did you purposefully get the roboform toolbars and stuff?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #7 on: October 28, 2008, 07:07:06 PM »
Hi! Amity & R-C.

Just a quick glance while taking a break. Yes, it looks like Norton is/was on the computer (Service: Symantec). The link to the Norton removal tool is in a blog post. It should be straightforward to follow. It is at http://securitygarden.blogspot.com/2008/09/antivirus-product-removal-tools.html

Where did you get "Microsoft Digital Image Anniversary Edition" from?  According to Microsoft, this product has been discontinued because the features can be found in new Microsoft titles and services including Windows Vista.  See http://www.microsoft.com/products/imaging/default.mspx

With regard to Screen Hunter 5.0, if you are using the free version, note that Windows Vista (all except Home Basic) include the Snipping Tool.  Tutorial here:  http://www.vista4beginners.com/Snipping-Tool

Regarding Flash, please follow the link posted here and let us know what version of Adobe Flash is indicated.  http://www.adobe.com/products/flash/about/

Is it a Java or Javascript error?  Do you get a prompt to allow an Active X on IE?

There is still something strange with the MBAM logs unless AVG did removals in the interim. 
Quote
Also, before reading your post I hand-copied some things that showed up in my Free AVG when it automatically scanned in the wee hours of this morning.
The first MBAM log showed nothing was removed and the second one posted showed nothing detected.  Amity, did you run MBAM again after the first time in the log R-C posted and before the log you posted? Launch MBAM and look in logs.  We have mbam-log-2008-10-27 (12-14-53).txt and mbam-log-2008-10-28 (07-21-22).txt.  Are there any other logs dated October 27 or 28 or is it that AVG did an automatic removal? 

Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: Amity help thread
« Reply #8 on: October 28, 2008, 08:07:57 PM »
Oh my Corrine,
How in the world do you make heads or tails of all that stuff I copy/pasted for you from the log? Wow...very impressive!

Quote
Where did you get "Microsoft Digital Image Anniversary Edition" from?  According to Microsoft, this product has been discontinued because the features can be found in new Microsoft titles and services including Windows Vista.  See http://www.microsoft.com/products/imaging/default.mspx

For several years I had Microsoft Digital Image 9 on my old clunker computer.
When we decided to buy a new computer it took some time to save up the funds but in the meantime I read on C-Net (I believe or maybe it was another computer online magazine) that Microsoft was going to discontinue their Digital Image Pro and the last version that would be compatible with Vista would be their Anniversary Edition.
Since I learned on MDI9, I definitely wanted it on my new Vista (little did I know it would take almost 2 years to save up the funds for a new computer) so I purchased the last edition and just left it packaged until I got my Vista computer.
It was one of the very first programs I added to my new computer...I love it that much! lol
Has never caused any of my computers or borrowed computers a bit of trouble.

If we had Norton, it was removed the day we plugged in the new computer. At the time my son (computer wiz) was living at home and said he'd always had nothing but problems with Norton and the other one (can't remember the name). He told me the Free versions of AVG, etc. were just as good.  I am going to assume he is the one that uninstalled Norton.

I went to the link for the Norton Remove but it asks which Norton I have and I haven't a clue.

At the Flash site, the small message box states: Version Information: You have version 10,0,12,36 Installed.

As far as Java/JavaScript, whenever I go to my usual daily sites, since the Trojans, the sites tell me I need to Enable JavaScript.  Other sites tell me I have to allow Flash or download it in order to be able to see the site properly.
I've checked all my settings and JavaScript and Flash are loaded, no corrupt files, they are enabled and, well, that's where I'm stuck.  Since the Trojans I can't get sites to recognize my Flash or JavaScript. (I'll see if I can add pics to this post and show you the Screen Shot I took from the sites)

OH! and also the messages from IE when it freezes which never happened before the Trojans.
Messages:  APPHANGB1  & APPCRASH.

As far as MBAM....
While on Garden Web, a nice person told me about MBAM.  Told me to run it. I did.
The next day on the same site R-C sent me back to MBAM but directed me to a different version.
I downloaded and ran it.
Wee hours of this morning I did as you instructed in your earlier message to me and ran MBAM again.

After running the  MBAM this last time, my FREE AVG ran a scheduled scan at 5:30 a.m. this morning.

When the freezing of IE and the sites asking for JavaScript/Flash started showing up late last week, I couldn't get Windows Defender to get past the scan. I removed an earlier version of AVG hoping it would help Windows Defender remove/quarantine the Trojans.  I reinstalled this newer version of AVG yesterday or day before.

The Windows/Vista site you linked is fun!  I think I'll spend the rest of my computer time there because I didn't even know I had a snipping and I bet with more reading I'll find all kinds of neat things I can play with!
But I won't play with them now....I think I best get my mess cleaned up, THEN I'll think about playing again. lol

I hope I've answered all the questions and I'll try anything you think I need to do as long as you walk me through it and talk to me like I'm 5 years old. lol

I'll try and insert screen shots of the web site messages I get.




Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: OOOPSY!
« Reply #9 on: October 28, 2008, 08:09:38 PM »
Obviously I messed that up!

I copy/pasted three different IMG and all the pics ended up the same.
No prob...I'll figure it out. lol


Offline R-C

  • Hero Member
  • *****
  • Posts: 2651
  • Laissez les bons temps rouler!
Re: Amity help thread
« Reply #10 on: October 28, 2008, 08:24:11 PM »
What she was referring to about the other Malwarebytes program is RogueRemover, which another person had mistakenly given the link to instead of MBAM. But if I remember correctly I did not think she had been able to run it??? Amity, had you run that one?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #11 on: October 28, 2008, 11:46:08 PM »
(Amity, I fixed the images)

Yes, I like http://www.vista4beginners.com/ .  Ciprian (the site owner) had been doing all the tutorials himself but is getting some help these days.  (He does conduct the interviews himself though ;) ).

I'm still looking for other people who have problems with Flash and Javascript.  So, although there really isn't anything showing up in your HijackThis log that I am concerned about, I would like an online scan to see if there is anything missed.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Note:
  • This scan is best done from IE (Internet Explorer)
  • Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here:  http://www.kaspersky.com/kos/eng/partner/default/languages/english/check.html?n=1223851135704
  • Read the Requirements and limitations before you click Accept.
  • Once the database has downloaded, click My Computer in the left pane
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Note:  To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=====================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=====================

Logs Required
Kaspersky Scan Log
Hijackthis Log

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #12 on: October 29, 2008, 01:18:43 PM »
Hi, Amity.

It just dawned on me that if you are having problems with JavaScript, the online scans will probably not work.  I can get a better picture of your ActiveX settings with WinPatrol -- a very safe program that I use on my home computer and will recommend you keep (and consider the Plus version).

Please download WinPatrol from http://www.winpatrol.com/download.html
Accept all the appropriate Windows Vista UAC prompts when installing.
When the installation is complete, launch WinPatrol (right-click on the Scotty dog in the system tray).

From the Options tab, select HijackLog.  It will open in Notepad.  Copy the results here as a reply.  That will show the ActiveX settings on your computer.

Other than JavaScript and Flash, is your computer back to "normal"?

Offline Amity

  • Newbie
  • *
  • Posts: 6
Re: Amity help thread
« Reply #13 on: November 02, 2008, 03:59:06 PM »
LOOK What I've GOT!

Thank you, Thank you, Thank you for all your valuable time, your patience, your kindness.
This site is one in a million and I will be checking in weekly....I've learned so much about other computer stuff just reading through many of the posts, so for sure I will be checking in to make sure I'm 'In the Know' with the latest.

Again, Corrine and R-C, YOU ARE GREAT!

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Amity help thread
« Reply #14 on: November 02, 2008, 05:08:48 PM »
Hi, Amity. What did you do to get JavaScript working and now that it is, would you like to proceed with the Kaspersky online scan so we can be sure your computer is clean?

In addition, you need a firewall.  The following are free for personal use:

Agnitum Outpost Firewall
Kerio Personal Firewall
Online Armor Free

 Did you install WinPatrol? 