Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijack this log. rundll mwsbar.dll error [RESOLVED]


  • This topic is locked This topic is locked

#16
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Folder::
C:\PROGRA~1\MYWEBS~1\
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

Advertisements


#17
msenvelopelady

msenvelopelady

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok.. don't know if I'm doing something wrong,,I don't think so. but... I can't drop the file into the Combofix.exe because you sent it to me in a direct link and it doesn't actually load onto my system. What now?
  • 0

#18
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you save the ComboFix tool to the desktop? If not, save it to your desktop now. It should NOT be anywhere else or ran directly from a temp folder...that's a big no-no. So once you have it on the desktop, just drag that CFScript.txt file into the Combofix tool.
  • 0

#19
msenvelopelady

msenvelopelady

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok, it's saved on the desktop, but it's a zipped file... the one you sent me. do I unzip it first?
  • 0

#20
msenvelopelady

msenvelopelady

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
after I thought about it,, it only made sense to unzip it..

ComboFix 08-05-09.1 - Sidera 2008-05-12 21:54:36.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1455 [GMT -5:00]
Running from: C:\Documents and Settings\Sidera\Desktop\ComboFix\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sidera\Desktop\ComboFix\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-04 16:53 . 2008-05-04 16:55 <DIR> d-------- C:\sUBs
2008-05-04 11:54 . 2008-05-04 11:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-04 11:54 . 2008-05-04 11:54 <DIR> d-------- C:\Documents and Settings\Sidera\Application Data\Malwarebytes
2008-05-04 11:54 . 2008-05-04 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 21:02 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-29 21:02 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-29 21:02 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-29 21:02 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-29 21:02 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-29 21:02 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-29 21:02 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-29 17:20 . 2008-04-29 17:20 <DIR> d-------- C:\PSFONTS
2008-04-27 13:28 . 2008-04-27 13:28 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-23 21:42 . 2008-04-24 06:56 <DIR> d-------- C:\Documents and Settings\Sidera\Application Data\AVG7
2008-04-23 21:42 . 2008-04-23 21:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-23 21:42 . 2008-04-24 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-22 18:12 . 2008-04-29 17:10 <DIR> d-------- C:\Program Files\Amazon
2008-04-22 07:34 . 2008-04-22 07:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-22 07:31 . 2008-04-22 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-21 07:27 . 2008-04-21 07:28 <DIR> d-------- C:\Documents and Settings\Sidera\Application Data\Smart PC Solutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-29 03:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-22 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-07 02:15 --------- d-----w C:\Program Files\Enigma Software Group
2008-04-04 11:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-04 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 02:30 --------- d-----w C:\Program Files\Google
2008-04-03 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 00:34 --------- d-----w C:\Program Files\Lavasoft
2008-04-03 00:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 17:20 --------- d-----w C:\Documents and Settings\Sidera\Application Data\Apple Computer
2008-04-02 11:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-01 18:10 1,404 ----a-w C:\Documents and Settings\Sidera\Application Data\wklnhst.dat
2008-03-23 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-21 19:59 --------- d-----w C:\Documents and Settings\Sidera\Application Data\Yahoo!
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 16:24 61,440 ----a-w C:\WINDOWS\uninstall.exe
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( [email protected]_12.05.26.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 16:40:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 01:37:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-23 11:12 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-23 11:12 86016]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-22 18:26 360448]
"HostManager"="C:\Program Files\Common Files\AOL\1208867628\ee\AOLSoftware.exe" [2007-10-08 16:50 41824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 20:47 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Sidera\Start Menu\Programs\Startup\
News 7 Live Online.lnk - C:\Program Files\News 7 Live Online\liveonline_3102360.exe [2008-02-16 11:24:56 454656]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-06-22 13:02:55 24576]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 23:56:14 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sidera^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Sidera\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
C:\Program Files\AdwareAlert\AdwareAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 11:07 496752 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 20:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 15:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-23 11:12 1617920 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 23:48:04 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt [email protected]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 21:56:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 21:56:47
ComboFix-quarantined-files.txt 2008-05-13 02:56:30
ComboFix2.txt 2008-05-12 13:26:02
ComboFix3.txt 2008-05-12 13:17:59
ComboFix4.txt 2008-05-11 17:05:36

Pre-Run: 231,645,782,016 bytes free
Post-Run: 231,641,374,720 bytes free

159 --- E O F --- 2008-04-09 03:13:24
  • 0

#21
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, try not to run anything when it's in a zip file. Always extract them first before running to ensure that it works properly. I had to use a zip file since the forum won't allow exe files to be attached...

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#22
msenvelopelady

msenvelopelady

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
The error message is gone.... Your the best!! Thank you so much!!
  • 0

#23
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP