Porn/Virus taking over computer....Please Help [RESOLVED]


This topic is locked

#1 mjclark55
New Member, 6 posts
HELLO! MY COMPUTER KEEPS GETTING TONS OF PORN POPUPS OR WEB ADDRESSES WILL REDIRECT TO PORN SITES. RUNTIME ERRORS A LOT AND POP UPS SAYING MY COMPUTER IS INFECTED, MUST FIX PROBLEM.....I'M CLUELESS ON HOW TO FIX ANY OF THIS.....CAN SOMEONE PLEASE HELP ME OUT?

ANY HELP IS GREATLY APPRECIATED, I TAKE CLASSES ON-LINE ONLY AND RIGHT NOW I'M NOT ABLE TO DO THEM.....MUST HAVE MY COMP! THANKS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:58 AM, on 5/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Martha\AppData\Local\Temp\ms1210250883.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Registry Defender Platinum\RegistryDefender.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [InetChk] C:\Users\Martha\AppData\Local\Temp\ms1210250883.exe work
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: RegistryDefender.lnk = C:\Program Files\Registry Defender Platinum\RegistryDefender.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe

--
End of file - 6798 bytes

Edited by mjclark55, 17 May 2008 - 08:09 AM.



#2 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

Please do not type in ALL CAPS next time. It's harder to read and is a form of yelling when you use it online.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKCU\..\Run: [InetChk] C:\Users\Martha\AppData\Local\Temp\ms1210250883.exe work

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 mjclark55 (Topic Starter)
New Member, 6 posts
Thank you so much for the help :) And my apologies on the all caps! I have a question, I notice after running all this that my Automatic Updates on my computer are turned "off". Can I turn this back on now??? And under Malware Protection it says : Windows did not find Antivirus software on this computer.....Okay, here is my log for you:

ComboFix 08-05-15.3 - Martha 2008-05-18 13:25:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.419 [GMT -4:00]
Running from: C:\Users\Martha\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Martha\FAVORI~1\Online Security Test.url
C:\Users\Martha\Favorites\Online Security Test.url
C:\Windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://h30155.www3.hp.com
.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 07:46 . 2008-05-17 07:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 00:10 . 2008-05-17 00:10 197 --a------ C:\Windows\System32\MRT.INI
2008-05-16 18:14 . 2008-05-16 18:15 <DIR> d-------- C:\Program Files\Registry Defender Platinum
2008-05-11 15:24 . 2008-05-11 15:24 <DIR> d-------- C:\Users\All Users\HP Product Assistant
2008-05-11 15:24 . 2008-05-11 15:24 <DIR> d-------- C:\ProgramData\HP Product Assistant
2008-05-11 15:21 . 2008-05-11 15:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-11 14:57 . 2008-05-11 15:42 141,162 --a------ C:\Windows\hpoins14.dat
2008-05-11 14:57 . 2007-09-19 21:14 2,000 --------- C:\Windows\hpomdl14.dat
2008-05-07 19:36 . 2008-05-07 19:36 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-05-04 14:55 . 2008-05-04 15:41 <DIR> d-------- C:\Users\Martha\AppData\Roaming\ICAClient
2008-05-04 10:32 . 2008-05-04 16:13 <DIR> d-------- C:\Users\Martha\AppData\Roaming\SmartDraw
2008-05-04 10:30 . 2008-05-04 10:32 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-05-03 20:39 . 2008-05-16 07:54 <DIR> d-------- C:\Users\Martha\New Folder
2008-04-28 11:35 . 2008-04-28 11:35 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-28 11:35 . 2008-04-28 11:35 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-28 11:26 . 2008-04-28 11:33 <DIR> d-------- C:\Program Files\Windows Live
2008-04-28 11:26 . 2008-04-28 11:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-28 11:25 . 2008-04-28 11:33 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-04-28 11:25 . 2008-04-28 11:33 <DIR> d-------- C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 00:16 --------- d---a-w C:\ProgramData\TEMP
2008-05-17 00:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-14 00:01 --------- d-----w C:\Program Files\Windows Mail
2008-05-11 19:24 --------- d-----w C:\ProgramData\HP
2008-05-11 09:17 --------- d-----w C:\Users\Martha\AppData\Roaming\LimeWire
2008-04-27 21:50 --------- d-----w C:\Users\Martha\AppData\Roaming\HP
2008-04-05 18:11 --------- d-----w C:\ProgramData\WEBREG
2008-04-05 18:10 --------- d-----w C:\Users\Martha\AppData\Roaming\HPAppData
2008-04-05 18:10 --------- d-----w C:\ProgramData\HPSSUPPLY
2008-04-05 18:10 --------- d-----w C:\Program Files\HP
2008-04-05 18:08 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-05 18:05 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-04-02 02:52 --------- d-----w C:\Program Files\MSECache
2008-03-29 14:31 --------- d-----w C:\Users\Martha\AppData\Roaming\Yahoo!
2008-03-28 00:28 --------- d-----w C:\Users\Martha\AppData\Roaming\Elluminate
2008-03-20 04:26 --------- d-----w C:\Program Files\Common Files\HP
2008-03-14 20:31 174 --sha-w C:\Program Files\desktop.ini
2008-03-14 20:23 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-03-14 20:23 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-14 20:23 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-03-14 20:23 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-14 20:23 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-03-14 20:22 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-14 20:22 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-14 20:22 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-14 20:22 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-14 20:22 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-14 20:22 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-14 20:22 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-14 20:21 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-14 20:20 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-03-14 20:20 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-03-14 20:14 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-14 20:14 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-14 20:14 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-03-14 20:14 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-14 20:14 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-14 20:13 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-03-14 20:13 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-03-14 20:13 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-03-14 20:13 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-03-14 20:13 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-03-14 20:13 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-03-14 20:12 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-03-14 20:12 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-03-14 20:11 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-03-14 20:11 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-03-14 20:11 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-03-14 20:09 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-14 20:09 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-14 20:09 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-14 20:09 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-03-14 20:07 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-03-14 20:07 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-03-14 20:07 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-03-14 20:07 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-03-14 20:07 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-03-14 20:07 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-03-14 20:07 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-03-14 20:07 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-03-14 20:07 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-03-14 20:07 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-03-14 20:07 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-03-14 20:07 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-03-14 20:06 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-03-14 20:06 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-03-14 20:04 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-03-14 20:04 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-03-14 20:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-14 20:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-14 20:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-14 20:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-14 20:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-14 20:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-14 20:04 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-03-14 20:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-14 20:02 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-14 20:01 974,336 ----a-w C:\Windows\System32\crypt32.dll
2008-03-14 20:01 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-03-14 20:01 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-03-14 20:00 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-14 19:58 633,856 ----a-w C:\Windows\System32\user32.dll
2008-03-14 19:56 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-03-14 19:36 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-03-14 19:36 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-03-14 19:36 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-03-14 19:36 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-03-14 19:35 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-03-14 19:35 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-03-14 19:35 33,624 ----a-w C:\Windows\System32\wups.dll
2008-03-14 19:34 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-03-14 19:34 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-14 16:04 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:34 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-03-14 16:16 1006264]
"NeroCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 04:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-12 13:13 1101824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

C:\Users\Martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RegistryDefender.lnk - C:\Program Files\Registry Defender Platinum\RegistryDefender.exe [2008-04-21 07:03:36 1126400]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{494C4DB4-E602-4003-A6DE-CF1A36D9B3B4}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BCF5C4AB-EFA2-49CF-B7EC-AEEE3574E0FA}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{33007F5B-FAD1-499C-A05B-959A5A0A963A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{EDFD6145-0AFA-4F21-BED1-592BC279AFFA}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F4DCCC5B-521C-49E4-ADD1-37441E792D21}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{720B23D7-A05F-45F8-A90D-94C607502DFF}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{41A3831A-B6A9-466A-9EC9-0A9CCAF599C7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{8AA016DA-4D6F-4108-8E45-2898ABD6EF28}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{850C19C4-10CB-4F64-BAF7-1B078CD84954}"= UDP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{D48E1DC6-FF80-463B-B718-3AF098CFD7FD}"= TCP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{62CCD235-E3A0-48B6-8B5C-6658AD93DACE}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{3584B247-BC1C-4A69-AF0B-EC244D356744}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"TCP Query User{F70B7500-0BFF-440C-AB3B-278BBCD768B0}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{C5401096-063B-4920-AD9E-B3A01701EC10}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{A93B3189-765A-4035-89FC-43BD310FF46A}C:\\program files\\windows live\\messenger\\msnmsgr.exe"= UDP:C:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"UDP Query User{8B748D8B-C63B-4963-A5A6-C951D5BF5DD5}C:\\program files\\windows live\\messenger\\msnmsgr.exe"= TCP:C:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 BsStor;InCD Storage Helper Driver;C:\Windows\system32\DRIVERS\bsstor.sys [2002-06-05 19:07]
R2 BsUDF;InCD UDF Driver;C:\Windows\system32\drivers\BsUDF.sys [2002-09-13 08:35]
R2 lxba_device;lxba_device;C:\Windows\system32\lxbacoms.exe [2007-04-24 19:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 15:35:48 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-26 23:55:03 C:\Windows\Tasks\EasyShare Registration Task.job"
- C:\Windows\system32\rundll32.exeZC:\PROGRA~2\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-05-17 09:31:28 C:\Windows\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-05-18 10:17:32 C:\Windows\Tasks\User_Feed_Synchronization-{579E8DBC-AE66-489C-9ADE-2E56E1CBF6CE}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 13:28:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-18 13:30:28
ComboFix-quarantined-files.txt 2008-05-18 17:29:26

Pre-Run: 118,401,896,448 bytes free
Post-Run: 118,393,393,152 bytes free

217 --- E O F --- 2008-05-17 04:10:45

Edited by mjclark55, 18 May 2008 - 12:37 PM.


#4 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
You may leave those settings alone for now. Once we are done, we will remove Combofix. You may change the settings back to how they were before if they don't change back.

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Are there still any problems remaining?

#5 mjclark55 (Topic Starter)
New Member, 6 posts
Here is my log from the scan. You asked if there were any more problems. Well I don't know what this means but when I clicked on Yahoo mail and went to read a msg a box popped up with "Runtime Error, do you wish to debug? Yes or No" but you have to click either several times to make the box go away. It also says Line: 1 Error: Yahoo.util is null or not an object. This box has been doing this on this site before I tried any of your advice.....Is it bad? Thanks!



Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Full Scan (C:\|)
Objects scanned: 133431
Time elapsed: 21 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.AntiMalwareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0d987fb6-2cb1-4189-b6a1-5e8185e9a899} (Rogue.Registry.Defender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Users\Martha\Desktop\Registry Defender.lnk (Rogue.Registry.Defender) -> Quarantined and deleted successfully.
C:\Users\Martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegistryDefender.lnk (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

#6 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Go into Internet Explorer->Tools->Internet Options->Advanced tab and set the following options:

Disable script debugging (both Internet Explorer and others) - CHECKED
Display a notification about every script error - UNCHECKED

If you have those set already, it's something else causing the problems. You might want to uncheck the box for browser add-ons to see if it helps.

#7 mjclark55 (Topic Starter)
New Member, 6 posts
Okay thank you I changed those settings and it fixed the problem. After running the last log posted does my computer look good/fixed to you? I can tell you it runs a lot better and so far all the problems I was having seem to be gone and fixed.......

#8 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Yep, looks good :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#9 mjclark55 (Topic Starter)
New Member, 6 posts
When I type combofix/u in I get a window that says: Open File - Security Warning. Publisher could not be verified. Sure you want to run this software?

Am I supposed to run it? I know you said to click on delete it and so far I don't have that option.....

#10 mjclark55 (Topic Starter)
New Member, 6 posts
Just reading over the Anti-Spyware Tutorial and it clearly states:

Please follow ALL the instructions in the order listed below. They are all required to be run unless it specifically says Optional next to them.

I have done several of these steps via your help to get to this point so I don't need to do any of that, correct? I need to focus more on the Spyware Prevention section or no?

#11 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Yes, please run it. Allow it to continue in order to remove ComboFix.

If you have all the recommended programs installed, then you should be fine. You may install the optional ones also if you like.

#12 greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.