Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Bad computer vibes

Started by Sherri37 , Apr 28 2008 07:14 PM

  • This topic is locked This topic is locked
26 replies to this topic

#16 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 06 May 2008 - 09:30 PM

Hi Sherri37,
sorry got back late

Download ComboFix from HERE or HERE to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it atleast 20-30 minutes to finish

Edited by mschroe919, 06 May 2008 - 09:33 PM.

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

    Advertisements

Register to Remove

#17 Sherri37

Sherri37

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 07 May 2008 - 05:11 PM

Grandchildren come first....I know first hand i have a grandson and would move the earth and sun for him. I will wait for your response. And again....thanks so much for all of your help.

#18 Sherri37

Sherri37

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 07 May 2008 - 05:48 PM

Alright....... I completed combofix....It deleted out quite a few files. here are the logs:

Combo fix:

ComboFix 08-05-01.3 - temp 2008-05-07 18:23:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.54 [GMT -5:00]
Running from: C:\Documents and Settings\temp\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\temp\Start Menu\Programs\AntiSpywareShield
C:\Documents and Settings\temp\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk
C:\Documents and Settings\temp\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\adeeg.ini
C:\WINDOWS\SYSTEM32\adeeg.ini2
C:\WINDOWS\system32\beycnpvj.ini
C:\WINDOWS\system32\cavdtref.ini
C:\WINDOWS\system32\ctxslqhh.ini
C:\WINDOWS\system32\dotwlsus.dll
C:\WINDOWS\system32\dqxipdmv.dll
C:\WINDOWS\SYSTEM32\etntadpm.ini
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\jmavsbev.dll
C:\WINDOWS\system32\kbipeejl.dll
C:\WINDOWS\system32\lmqcoqlh.dll
C:\WINDOWS\system32\lxcvkppx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjhkxhfn.dll
C:\WINDOWS\system32\mtjhfmli.dll
C:\WINDOWS\system32\nqmayjrm.dll
C:\WINDOWS\system32\qmeeclkl.dll
C:\WINDOWS\system32\qmgqmcmq.dll
C:\WINDOWS\SYSTEM32\rdjfjbex.ini
C:\WINDOWS\system32\ssqnopp.dll
C:\WINDOWS\system32\syadajnn.dll
C:\WINDOWS\system32\tascixkq.ini
C:\WINDOWS\system32\tglfffww.ini
C:\WINDOWS\SYSTEM32\tsrepyyx.ini
C:\WINDOWS\system32\uarsduhm.dll
C:\WINDOWS\system32\ugvbwxkk.ini
C:\WINDOWS\system32\veyfvksw.dll
C:\WINDOWS\system32\vnurdsxt.ini
C:\WINDOWS\system32\wgejjhrd.ini
C:\WINDOWS\system32\xdkwmllc.dll
C:\WINDOWS\system32\xebjfjdr.dll
C:\WINDOWS\system32\xyyperst.dll
C:\WINDOWS\system32\ymueyilm.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-04-30 17:19 . 2008-04-30 17:28 <DIR> d-------- C:\fixwareout
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\temp\Application Data\Malwarebytes
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 09:52 . 2008-04-19 09:52 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-04-19 09:02 . 2008-04-29 18:21 109,738 --a------ C:\WINDOWS\BMbf329f67.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 23:17 --------- d-----w C:\Program Files\McAfee
2008-05-04 15:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-30 16:04 --------- d-----w C:\Documents and Settings\temp\Application Data\SiteAdvisor
2008-04-30 00:33 13,312 ------w C:\WINDOWS\SYSTEM32\guadq.dll
2008-04-09 22:29 --------- d-----w C:\Program Files\SiteAdvisor
2008-04-06 20:05 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-05 19:04 --------- d-----w C:\Program Files\Common Files\Real
2008-04-05 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-05 17:30 --------- d-----w C:\Program Files\McAfee.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-13 01:04 --------- d-----w C:\Program Files\Yahoo!
2008-03-13 00:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-26 20:08 155648]
"Broadcom Wireless Manager"="C:\WINDOWS\system32\wltray.exe" [2007-06-14 16:48 1282048]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 15:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SBI"="C:\Documents and Settings\temp\Local Settings\Temporary Internet Files\Content.IE5\YHV4EEZD\setup_sbd_en[1].exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe [2008-02-22 17:17:28 1458176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 05:29:26 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
--a------ 2001-03-28 02:00 102400 C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Antivirus AV]
C:\WINDOWS\FVProtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
D:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]
C:\WINDOWS\system32\winshost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 14:41]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 19:08]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 12:22]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-08-31 01:40]
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 16:18]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 16:20]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 23:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-04-05 17:30:41 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-05 17:30:39 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2006-12-27 15:21:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 18:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\wltrysvc.exe
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\WINDOWS\SYSTEM32\bcmwltry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-05-07 18:39:08 - machine was rebooted [temp]
ComboFix-quarantined-files.txt 2008-05-07 23:38:55

Pre-Run: 33,496,137,728 bytes free
Post-Run: 33,401,786,368 bytes free

198 --- E O F --- 2008-05-03 13:03:49


And Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:41:50 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\temp\Local Settings\Temporary Internet Files\Content.IE5\YHV4EEZD\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144678304685
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#19 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 08 May 2008 - 11:56 AM

Hi Sherri37.
Your doing great just a little more after this, and your home free. Pat yoursef on the back.

NEXT:
1. Please open Notepad
Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\BMbf329f67.xml

Folder::
C:\WINDOWS\SYSTEM32\guadq.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"="
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Antivirus AV]
C:\WINDOWS\FVProtect.exe_MACHINE\software\microsoft\shared
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]
C:\WINDOWS\system32\winshost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

8. Post the following logs/Reports:
ComboFix.txt
Fresh HijackThis log

good luk mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#20 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 09 May 2008 - 09:52 AM

Good morning, Just wondering how your doing with your pc. We have more work to do if you want it cleaned. So please do the last request and posy back please. mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#21 Sherri37

Sherri37

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 09 May 2008 - 03:19 PM

OK...just got here from work and followed the directions....Here is the combofix log:
ComboFix 08-05-01.3 - temp 2008-05-09 15:57:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.99 [GMT -5:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMbf329f67.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf329f67.xml
C:\WINDOWS\SYSTEM32\guadq.dll\

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-04-30 17:19 . 2008-04-30 17:28 <DIR> d-------- C:\fixwareout
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\temp\Application Data\Malwarebytes
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 09:52 . 2008-04-19 09:52 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 20:39 --------- d-----w C:\Program Files\McAfee
2008-05-09 15:09 --------- d-----w C:\Documents and Settings\temp\Application Data\SiteAdvisor
2008-05-04 15:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-30 00:33 13,312 ------w C:\WINDOWS\SYSTEM32\guadq.dll
2008-04-09 22:29 --------- d-----w C:\Program Files\SiteAdvisor
2008-04-06 20:05 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-05 19:04 --------- d-----w C:\Program Files\Common Files\Real
2008-04-05 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-05 17:30 --------- d-----w C:\Program Files\McAfee.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-13 01:04 --------- d-----w C:\Program Files\Yahoo!
2008-03-13 00:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_18.38.13.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 23:29:44 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-09 21:04:37 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-05-07 23:22:25 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-05-09 20:49:35 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-05-07 23:22:25 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-05-09 20:49:35 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe [2008-02-22 17:17:28 1458176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 05:29:26 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
--a------ 2001-03-28 02:00 102400 C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
D:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 14:41]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 19:08]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 12:22]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-08-31 01:40]
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 16:18]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 NdisWDM;Dynex Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 16:20]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 23:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-04-05 17:30:41 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-05 17:30:39 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2006-12-27 15:21:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 16:06:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\WINDOWS\SYSTEM32\wltrysvc.exe
C:\WINDOWS\SYSTEM32\bcmwltry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-09 16:15:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 21:15:02
ComboFix2.txt 2008-05-07 23:39:11

Pre-Run: 33,439,395,840 bytes free
Post-Run: 33,427,357,696 bytes free

157 --- E O F --- 2008-05-03 13:03:49

And the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:26 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144678304685
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#22 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 09 May 2008 - 07:33 PM

Hi Sherri37.

Pat yourself on the back you have done well
Your log and pc are looking clean. Just a few things left to do

NEXT:
Make sure Internet Explorer isn't open

Run hijackthis again. Hit None of the above,
Click Do a System Scan Only.
Put a Check in the box on the left side on these: (Not to worry if not there)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896


Close ALL windows and browsers except HijackThis and click []b]Fix checked[/b]

do a search for the file in RED and delete it (not to worry if not found)

C:\WINDOWS\SYSTEM32\guadq.dll

Then reboot

NEXT:
no need for another log, just let me know how your PC is behaving.

I will post back some good things to do next
Good luck mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#23 Sherri37

Sherri37

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 10 May 2008 - 01:34 PM

Hi there, Found all you listed and removed from the system. It seems to be running alot smoother now and no pop ups!!! yea!! Thank you so much for all of you help!!! Sherri

#24 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 10 May 2008 - 02:09 PM

Hi Sherri37.

I see that your log is clean. You did great cleaning it up,
pat yourself on the back.
As I said there would be more .....here
this is my canned all clean speech.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Note you may have some of theses programs allready, if so just a reminder to keep updated.

FIRST:
You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
===================================================================
NEXT:
Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.

1. Change the Download signed ActiveX controls to Prompt
2. Change theDownload unsigned ActiveX controls to Disable
3. Change the Initialise and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.
====================================================================

Use an Anti Virus Software
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See these links for a listing of some on line & their stand-alone anti virus programs:
If you don't have one here are some of the better AV products.

Symantec/Norton Antivirus: http://www.symantec.com/nav/nav_9xnt/
Kapersky AV: http://www.kaspersky...ne.html?info=25
Nod32 : http://www.nod32.com/home/home.htm
Panda AV: http://www.pandasoftware.com/
McAfee Virusscan: http://us.mcafee.com...e.asp?pkgid=100
AVG Anti-Virus (Free version available) http://www.grisoft.com/

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
============================================================
NEXT:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
If you don't have one see link below for a free firewall:

ZoneAlarm:
http://www.zonelabs.....jsp?lid=nav_za

Sunbelt Kerio:
http://www.sunbelt-s...e.com/Kerio.cfm

OutPost:
http://www.agnitum.c...ee/download.php
================================================================================

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software

Get the download and tutorial for Spybot S&D here:
http://www.bleepingc...tutorial43.html
=========================================================================


Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:

http://www.javacools...areblaster.html
========================================================================

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Happy surfing the net

I only ask one thing....please
Please post back and let us know what you think about our forum, we are all volunteers and would like a little smile.

Good luck and happy net surfing
Mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#25 Sherri37

Sherri37

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 10 May 2008 - 02:51 PM

I think this forum is awesome!!! You can't believe all of the headaches you have made disappear and it is very appreciated. Thank you so much for all of your help!!!

    Advertisements

Register to Remove

#26 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 10 May 2008 - 03:25 PM

YOUR WELCOME & THANK YOU


"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#27 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 11 May 2008 - 07:04 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·