Ad.Yieldmanager.com Removal [RESOLVED]

#16 bsketlady (Topic Starter, Member, 17 posts)
A window pops up and it looks like it's a message from Windows Firewall. It says:

The current web page is trying to open a site in your Trusted sites list. Do you want to allow this? Current site: http://ad.yieldmgr.com
trusted site: res/ie.dll

and there is a Yes/No block to choose.

Choosing either yields the same result.

Thanks
#17 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi bsketlady,

Let's try a couple of other things:
Please download the following and save to your Desktop:
RegSearch
HostsXpert 4.2 - Hosts File Manager

Delete Hidden Data Streams:
  • Open HiJackThis.
  • Click on the Open Misc Tools Section button.
  • Click on Open ADS Spy.
  • Uncheck the Quick Scan ... box
  • Click on Scan.
  • Right click in the Results window & click on select all.
  • Click Remove Selected.
  • Close the HijackThis window.



Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...vilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =http://us.rd.yahoo.com/customize/ie/defaul...m/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://*.mcafee.com
O20 - Winlogon Notify: efcDUlLD - efcDUlLD.dll (file missing)

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Install & Run HostsXpert:
  • Unzip HostsXpert 4.2 to a convenient folder such as C:\Program Files\HostsXpert
  • Run HostsXpert from its new home.
  • Click on File Handling.
  • Click on Restore MS Hosts File.
  • Click OK on the Confirmation box.
  • Click on Make Read Only?
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Run RegSearch (download RegSearch and save it to your Desktop):
  • Extract the regsearch.zip file to its own folder, like C:\RegSearch
  • Double click on regsearch.exe
  • Copy the following to the upper input box, 1 entry per line:
    yieldmanager
  • Leave the lower input box empty
  • Leave the ticks in their default configuration & click OK
  • The scan will appear to pause and then open a Notepad file.
  • This file is C:\RegSearch\RegSearch.txt


Post me back the text from C:\RegSearch\RegSearch.txt as your next reply.

#18 bsketlady (Topic Starter, Member, 17 posts)
When I ran the HostsXpert I got this error:

Error: cannot create file c:\\windows\system32\drivers\etc\hosts

so I was unable to do that one.

Here's the RegSearch output:


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 8/18/2008 6:56:07 PM for strings:
; 'yield manager'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...



Thanks so much

#19 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Can you do the following, to check the contents of the hosts file:
Make sure Windows XP is set to show all files:
  • Click Start > My Computer.
  • On the Tools menu, click Folder Options.
  • On the View tab:
    • Uncheck Hide extensions for known file types.
    • Uncheck Hide protected operating system files.
    • Under Hidden files and folders click Show hidden files and folders.
  • You will see a warning message, click Yes.
  • Click Apply.
  • Click OK.


Now browse to the c:\windows\system32\drivers\etc folder & see if you have a file called hosts.
If so, continue on below:

Clean up your Hosts file:
  • Make a backup copy of your hosts file
    • Browse to the C:\Windows\System32\drivers\etc folder
    • Right click on the hosts file and select Copy
    • Paste the file back as Copy of hosts, then rename it to hosts.bak
  • Now edit the original
    • Open the original hosts file in Notepad
    • There may be a lot of text at the top of the page with each line beginning with a # symbol. These can be ignored.
    • The first line without the # symbol should be 127.0.0.1 localhost. Leave that one as well.
    • Delete all the other lines below that entry.
  • Save the file & close Notepad

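The hosts-file check described in the post above, written out as an added example that is not from the thread or from HostsXpert: it treats '#' lines as comments, separates the canonical localhost line from blocklist-style loopback entries and from redirects to real addresses, and rebuilds the file keeping only comments and localhost. The sample hosts text and the 203.0.113.7 entry are constructed for the example.

```python
"""Hosts-file audit (added example, not from the thread or any tool it names).

A name mapped to a non-loopback address is the classic hosts-file hijack;
extra names mapped to loopback are how blocklists such as the Spybot entries
in the posted file work, so the two cases are reported separately.
"""
import sys
from typing import NamedTuple, Optional

# Constructed sample: the shape of the hosts file posted in the thread, plus
# one made-up redirect line of the kind the cleanup step is meant to remove.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7   www.example-bank.invalid    # constructed hijack entry
"""

LOOPBACK = {"127.0.0.1", "::1"}


class HostEntry(NamedTuple):
    lineno: int
    ip: str
    names: tuple
    raw: str


def parse_line(lineno: int, line: str) -> Optional[HostEntry]:
    """Return a HostEntry for a mapping line, None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()        # drop a trailing '# comment'
    parts = body.split()
    if len(parts) < 2:                           # blank, comment, or junk
        return None
    return HostEntry(lineno, parts[0], tuple(parts[1:]), line)


def classify(entry: HostEntry) -> str:
    """'localhost' for the canonical loopback line, 'sinkhole' for any other
    loopback mapping (blocklist style), 'redirect' for an entry that sends a
    name to a real address, which is the pattern of a hosts hijack."""
    if entry.ip in LOOPBACK and entry.names == ("localhost",):
        return "localhost"
    if entry.ip in LOOPBACK:
        return "sinkhole"
    return "redirect"


def audit_hosts(text: str) -> dict:
    """Group every mapping line of the file by category."""
    report = {"localhost": [], "sinkhole": [], "redirect": []}
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(n, line)
        if entry is not None:
            report[classify(entry)].append(entry)
    return report


def clean_hosts(text: str) -> str:
    """Rebuild the file the way the thread's step does: keep comments, blank
    lines and the localhost line, drop every other mapping (review them
    with audit_hosts first so wanted blocklist entries can be re-added)."""
    kept = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(n, line)
        if entry is None or classify(entry) == "localhost":
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to audit a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for category, entries in audit_hosts(text).items():
        for e in entries:
            print(f"{category:9} line {e.lineno}: {e.raw.strip()}")
```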

#20 bsketlady (Topic Starter, Member, 17 posts)
Okie dokie, here ya go! Thanks.
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

#21 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
That looks OK.

Download the following & save to your Desktop:
ComboFix


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the setup package & save it as originally named, next to ComboFix.exe.
Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.

Posted Image

  • Follow the prompts to start ComboFix and agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • Click Yes at the window labelled What's next? to continue with the scan.
  • When complete, a log named C:\Combofix.txt will open.
  • Please post the entire contents of that log as your next reply.


#22 bsketlady (Topic Starter, Member, 17 posts)
Thank you. A few questions:

1. How do I tell what version of XP I have (Home vs. Pro)? I think it's Home but want to be correct.
2. Those instructions for a boot disk were for a floppy, and I only have a CD drive.

I also need to tell you that my computer is extremely slow now and almost every page comes up "Done, but with errors". I went to many random sites, like news and game sites, and I am seriously able to count to 45 or more before the page comes up, IF it does come up.

Edited by bsketlady, 20 August 2008 - 03:00 AM.


#23 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
You only need to get the right Service Pack number, in your case SP3.
So as per the instructions, you download the SP2 file.

You are not using the file for making discs, you are saving it to the desktop, then dragging the file onto the ComboFix.exe file as in the graphic above.
Then complete the steps above to produce & post that log.

Try to keep the random surfing to a minimum until we get this done.

#24 bsketlady (Topic Starter, Member, 17 posts)
Here's the ComboFix text. Also, I noted that my time changed from regular to military during this scan.
ComboFix 08-08-18.05 - HP_Administrator 2008-08-20 16:33:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.459 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Favorites\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Administrator\UserData
C:\Documents and Settings\Administrator\UserData\index.dat
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\R2QPT72E\interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\R2QPT72E\interclick.com\ud.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\HP_Administrator\UserData
C:\Documents and Settings\HP_Administrator\UserData\CP238DUJ\oXMLStoreUnit[1].xml
C:\Documents and Settings\HP_Administrator\UserData\index.dat
C:\Documents and Settings\HP_Administrator\UserData\O92NC9AR\dmtstore[2].xml
C:\Documents and Settings\HP_Administrator\UserData\ODANSTIJ\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\HP_Administrator\UserData\W12V81MF\oWindowsUpdate[2].xml
C:\Documents and Settings\The Kids\Application Data\macromedia\Flash Player\#SharedObjects\38UEABLR\interclick.com
C:\Documents and Settings\The Kids\Application Data\macromedia\Flash Player\#SharedObjects\38UEABLR\interclick.com\ud.sol
C:\Documents and Settings\The Kids\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\The Kids\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\The Kids\UserData
C:\Documents and Settings\The Kids\UserData\8PM7CXA3\YL[1].xml
C:\Documents and Settings\The Kids\UserData\index.dat
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\bxcmtemg.ini
C:\WINDOWS\system32\psDKkRqr.ini
C:\WINDOWS\system32\psDKkRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 15:20 . 2008-08-19 15:20 <DIR> d-------- C:\Program Files\MahJGar Buddy Pogo
2008-08-19 15:14 . 2008-08-19 15:15 <DIR> d-------- C:\Program Files\BadgeHelp
2008-08-19 15:14 . 2008-08-19 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EURRNRCPBH
2008-08-18 18:55 . 2008-08-18 19:01 <DIR> d-------- C:\RegSearch
2008-08-18 18:53 . 2008-08-18 18:53 <DIR> d-------- C:\Program Files\HostsXpert
2008-08-15 13:02 . 2008-08-15 13:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Go-Go Gourmet Chef of the Year
2008-08-13 07:21 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 18:18 . 2008-04-13 15:24 2,145,280 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-08 20:14 . 2008-08-08 20:14 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-08 17:58 . 2008-08-08 17:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 14:34 . 2008-08-08 14:34 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\GTek
2008-08-08 12:47 . 2008-08-08 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RTFWCVROBH
2008-08-07 21:14 . 2008-08-07 21:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-08-07 21:06 . 2008-08-07 21:06 <DIR> d-------- C:\Documents and Settings\The Kids\Application Data\McAfee
2008-08-07 21:05 . 2008-08-07 21:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-06 20:48 . 2008-08-06 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JFQVRCDPBH
2008-08-03 18:45 . 2008-08-03 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NYEIFSVOBH
2008-08-02 21:43 . 2008-08-02 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PYEIFSVOBH
2008-08-01 12:38 . 2008-08-01 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BZJYVUROBH
2008-08-01 08:29 . 2008-08-01 08:29 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\IObit
2008-08-01 08:28 . 2008-08-01 08:28 <DIR> d-------- C:\Program Files\IObit
2008-07-31 22:31 . 2008-08-08 20:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 22:31 . 2008-08-14 20:37 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-31 22:31 . 2008-07-31 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 22:31 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 22:31 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-31 21:34 . 2008-07-31 21:40 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee
2008-07-31 21:31 . 2008-08-20 16:39 15,033 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-31 21:30 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-31 21:28 . 2008-07-31 21:28 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-31 21:28 . 2008-07-31 21:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 21:28 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-31 21:28 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-31 21:28 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-31 21:28 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-31 21:28 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-31 21:28 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-31 21:27 . 2008-08-07 21:03 <DIR> d-------- C:\Program Files\McAfee
2008-07-31 21:22 . 2008-08-05 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-30 17:26 . 2008-07-30 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ORFHKNTOBH
2008-07-30 17:26 . 2008-07-30 17:27 796 --a------ C:\Backgammon.Dat
2008-07-27 19:51 . 2008-07-27 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-07-27 19:48 . 2008-07-27 19:48 <DIR> d-------- C:\WINDOWS\Cache
2008-07-27 19:48 . 2008-07-30 21:50 <DIR> d-------- C:\Program Files\Coupons
2008-07-27 14:15 . 2008-08-19 14:52 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-27 09:23 . 2008-07-27 13:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-26 08:31 . 2008-08-01 15:35 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\U3
2008-07-26 07:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-26 07:42 . 2008-07-26 07:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-25 12:21 . 2008-07-25 13:40 <DIR> d-------- C:\Program Files\Panda Security
2008-07-24 18:37 . 2008-08-17 07:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 18:37 . 2008-07-24 18:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-23 20:19 . 2008-07-23 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GWOICMAPBH
2008-07-20 16:11 . 2008-07-20 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
2008-07-20 10:20 . 2008-07-20 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YKIQKCDPBH
2008-07-20 09:17 . 2008-07-20 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SLIQKCDPBH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 23:16 --------- d-----w C:\Program Files\Hidden Expedition Titanic
2008-08-19 21:01 34,304 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2008-08-19 19:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-17 23:20 --------- d-----w C:\Program Files\Mystery Case Files - Prime Suspects
2008-08-17 19:24 --------- d-----w C:\Program Files\Mystery Case Files - Huntsville
2008-08-15 17:02 --------- d-----w C:\Program Files\Oberon Media
2008-08-12 09:52 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Juniper Networks
2008-08-09 16:28 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-09 15:38 --------- d-----w C:\Program Files\a-squared Free
2008-08-08 18:34 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-08-01 01:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-26 15:46 --------- d-----w C:\Program Files\RegScrubVistaXP
2008-07-26 11:43 --------- d-----w C:\Program Files\Java
2008-07-25 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-25 15:37 --------- d-----w C:\Program Files\AIM
2008-07-22 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-07-18 00:43 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Flood Light Games
2008-07-18 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-07-16 22:21 25 ----a-w C:\Board.Dat
2008-07-16 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\GDYJUHYOBH
2008-07-11 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\WKLOCDDPBH
2008-07-09 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\URLOCDDPBH
2008-07-09 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SKUMRUROBH
2008-07-07 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\CELTXDWOBH
2008-07-06 16:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\GetRightToGo
2008-07-06 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-06 14:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\BEAYCWUOBH
2008-07-05 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\EBAYCWUOBH
2008-07-05 14:36 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-05 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\UFKQEEWOBH
2008-07-04 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZYJQEEWOBH
2008-07-04 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\KTKYDYQOBH
2008-07-01 17:32 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\WholeSecurity
2008-06-28 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ELJQEMAPBH
2008-06-28 17:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Costco Photo Organizer
2008-06-26 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\LSTFVAAPBH
2008-06-25 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\OPTFVAAPBH
2008-06-25 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\RBUFVAAPBH
2008-06-20 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WGNERNTOBH
2008-06-20 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\BMNERNTOBH
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-13 23:06 0 ----a-w C:\Program Files\temp01
2006-07-14 18:57 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-04 10:11 1506544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 11:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 11:26 118784]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35 49152]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 06:01 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 19:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 13:29 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 20:50 221184]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 20:50 81920]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 15:13 988584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-06-01 19:47 413696]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 06:24 86016 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-22 20:59 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"\\\\ROBYN\\C\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R3 actccid;ActivCard USB Reader V2;C:\WINDOWS\system32\DRIVERS\actccid.sys [2002-08-02 14:41]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2008-02-08 19:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f39b135-5b0a-11dd-8e3a-00173124921d}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963dccf6-fa8a-11db-8d38-00173124921d}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- C:\Program Files\ErrorSmart\ErrorSmart.exe []

2008-08-20 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- C:\Program Files\ErrorSmart []

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-18 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-20 C:\WINDOWS\Tasks\SpyHunter Scanner.job
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-avldr - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
C:\WINDOWS\Downloaded Program Files\PogoWebLauncher.ocx

O16 -: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://131.158.223.3/dana-cached/setup/JuniperSetupSP1.cab
C:\WINDOWS\Downloaded Program Files\JuniperSetup.INF
C:\WINDOWS\Downloaded Program Files\string_zh_cn.properties
C:\WINDOWS\Downloaded Program Files\string_zh.properties
C:\WINDOWS\Downloaded Program Files\string_ko.properties
C:\WINDOWS\Downloaded Program Files\string_ja.properties
C:\WINDOWS\Downloaded Program Files\string_fr.properties
C:\WINDOWS\Downloaded Program Files\string_es.properties
C:\WINDOWS\Downloaded Program Files\string_de.properties
C:\WINDOWS\Downloaded Program Files\string_en.properties
C:\WINDOWS\Downloaded Program Files\JuniperSetup.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 16:40:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-20 16:49:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 20:48:48

Pre-Run: 205,202,501,632 bytes free
Post-Run: 205,299,613,696 bytes free

302 --- E O F --- 2008-08-19 18:52:47

#25 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
What can you tell me about the following folders?

C:\Documents and Settings\All Users\Application Data\JFQVRCDPBH
C:\Documents and Settings\All Users\Application Data\NYEIFSVOBH
C:\Documents and Settings\All Users\Application Data\PYEIFSVOBH
C:\Documents and Settings\All Users\Application Data\BZJYVUROBH
C:\Documents and Settings\All Users\Application Data\ORFHKNTOBH
C:\Documents and Settings\All Users\Application Data\GWOICMAPBH
C:\Documents and Settings\All Users\Application Data\YKIQKCDPBH
C:\Documents and Settings\All Users\Application Data\SLIQKCDPBH
C:\Documents and Settings\All Users\Application Data\GDYJUHYOBH
C:\Documents and Settings\All Users\Application Data\WKLOCDDPBH
C:\Documents and Settings\All Users\Application Data\URLOCDDPBH
C:\Documents and Settings\All Users\Application Data\SKUMRUROBH
C:\Documents and Settings\All Users\Application Data\CELTXDWOBH
C:\Documents and Settings\All Users\Application Data\BEAYCWUOBH
C:\Documents and Settings\All Users\Application Data\EBAYCWUOBH
C:\Documents and Settings\All Users\Application Data\UFKQEEWOBH
C:\Documents and Settings\All Users\Application Data\ZYJQEEWOBH
C:\Documents and Settings\All Users\Application Data\KTKYDYQOBH
C:\Documents and Settings\All Users\Application Data\ELJQEMAPBH
C:\Documents and Settings\All Users\Application Data\LSTFVAAPBH
C:\Documents and Settings\All Users\Application Data\OPTFVAAPBH
C:\Documents and Settings\All Users\Application Data\RBUFVAAPBH
C:\Documents and Settings\All Users\Application Data\WGNERNTOBH
C:\Documents and Settings\All Users\Application Data\BMNERNTOBH


They all appear to be random names.
Can you check to see if they are empty for me?


#26
bsketlady

    Member

  • Topic Starter
  • Member
  • 17 posts
They are all 1KB .dat files and they have titles like 2218 or some 3 digit number and when I opened a few files this is what it said:

?&<uqoiex;lQ4T

IW%=w}{uqoieXQeK

The .dat file has the little icon of the windows movie thingy with a little notepad behind it... I wish I could describe it better, sorry

There sure are a lot of the folders and I never noticed them before. Maybe it has something to do with the games? My husband downloads a lot of free games that have like a 1 hr expiration and then he removes it from the add/remove side, maybe this is a remnant of that?

thanks

#27
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
I think that we might just delete them, to be sure that we got everything.

Please download the following & save to your Desktop:
OTMoveIt2 by OldTimer.


I see you have LimeWire installed on your system.
While the program itself is legal, most of the files downloaded with it, are not.
These programs can also be one of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling LimeWire as outlined below.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    LimeWire 4.14.10
    Please take note of any other programs that you don't recognise in that list, and include them in your next response


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O20 - Winlogon Notify: efcDUlLD - efcDUlLD.dll (file missing)
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\JFQVRCDPBH
    C:\Documents and Settings\All Users\Application Data\NYEIFSVOBH
    C:\Documents and Settings\All Users\Application Data\PYEIFSVOBH
    C:\Documents and Settings\All Users\Application Data\BZJYVUROBH
    C:\Documents and Settings\All Users\Application Data\ORFHKNTOBH
    C:\Documents and Settings\All Users\Application Data\GWOICMAPBH
    C:\Documents and Settings\All Users\Application Data\YKIQKCDPBH
    C:\Documents and Settings\All Users\Application Data\SLIQKCDPBH
    C:\Documents and Settings\All Users\Application Data\GDYJUHYOBH
    C:\Documents and Settings\All Users\Application Data\WKLOCDDPBH
    C:\Documents and Settings\All Users\Application Data\URLOCDDPBH
    C:\Documents and Settings\All Users\Application Data\SKUMRUROBH
    C:\Documents and Settings\All Users\Application Data\CELTXDWOBH
    C:\Documents and Settings\All Users\Application Data\BEAYCWUOBH
    C:\Documents and Settings\All Users\Application Data\EBAYCWUOBH
    C:\Documents and Settings\All Users\Application Data\UFKQEEWOBH
    C:\Documents and Settings\All Users\Application Data\ZYJQEEWOBH
    C:\Documents and Settings\All Users\Application Data\KTKYDYQOBH
    C:\Documents and Settings\All Users\Application Data\ELJQEMAPBH
    C:\Documents and Settings\All Users\Application Data\LSTFVAAPBH
    C:\Documents and Settings\All Users\Application Data\OPTFVAAPBH
    C:\Documents and Settings\All Users\Application Data\RBUFVAAPBH
    C:\Documents and Settings\All Users\Application Data\WGNERNTOBH
    C:\Documents and Settings\All Users\Application Data\BMNERNTOBH
    C:\Program Files\ErrorSmart
    C:\Program Files\Enigma Software Group
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    C:\WINDOWS\Tasks\SpyHunter Scanner.job
  • Return to OTMoveIt, right click on the Paste list of Files/Folders to be moved window (under the Yellow bar) and choose Paste.
  • Make sure that there is a tick next to Unregister Dll's and OCX's
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Please paste me the text from C:\otmove.txt & a fresh HijackThis log as your next reply

Edited by sage5, 21 August 2008 - 08:26 AM.

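The folders sage5 asked about above share one tell-tale shape: ten capital letters, no words, no digits, each holding a handful of small numerically named .dat files. The script below is an added example (it is not from this thread and is not part of OTMoveIt2, HijackThis or any other tool named here) that walks an Application Data root, flags directories whose names look machine-generated, and summarises what each one holds so a helper can decide whether it is safe to move. The sample tree it builds is constructed for the demo: three of the folder names from the thread plus three ordinary vendor folders; the file contents are placeholder bytes, not the real files.

```python
"""Added example: flag directories with machine-generated-looking names under an
Application Data root and summarise their contents. Not from the thread's tools;
the sample tree and file contents are constructed for the demo."""
import os
import re
import tempfile
from collections import Counter

# Ten capital letters and nothing else, like JFQVRCDPBH in the thread.
RANDOM_NAME = re.compile(r"^[A-Z]{10}$")


def looks_random(name: str) -> bool:
    """True for fixed-length all-capital names that are not dominated by a
    single repeated letter (so AAAAAAAAAA is not reported as 'random')."""
    if not RANDOM_NAME.match(name):
        return False
    most_common_count = Counter(name).most_common(1)[0][1]
    return most_common_count <= 3


def summarise_dir(path: str) -> dict:
    """Count files by extension and total their size, recursively."""
    by_ext = Counter()
    total = 0
    for root, _dirs, files in os.walk(path):
        for f in files:
            by_ext[os.path.splitext(f)[1].lower() or "(none)"] += 1
            total += os.path.getsize(os.path.join(root, f))
    return {"files": sum(by_ext.values()), "by_ext": dict(by_ext), "bytes": total}


def scan_app_data(app_data_root: str) -> list[dict]:
    """Return one summary per suspect directory, in sorted name order."""
    findings = []
    for entry in sorted(os.listdir(app_data_root)):
        full = os.path.join(app_data_root, entry)
        if os.path.isdir(full) and looks_random(entry):
            info = summarise_dir(full)
            info["name"] = entry
            findings.append(info)
    return findings


def build_sample_tree() -> str:
    """Constructed sample: three suspect folders named as in the thread, each
    with small numeric .dat files, beside three ordinary vendor folders."""
    root = tempfile.mkdtemp(prefix="appdata_demo_")
    for name in ("JFQVRCDPBH", "NYEIFSVOBH", "BMNERNTOBH"):
        d = os.path.join(root, name)
        os.makedirs(d)
        for n in (218, 2218, 731):
            with open(os.path.join(d, f"{n}.dat"), "wb") as fh:
                fh.write(b"?&<uqoiex;lQ4T" * 40)  # opaque placeholder bytes, 560 B
    for name in ("Microsoft", "Adobe", "McAfee"):
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "settings.ini"), "w") as fh:
            fh.write("[main]\nversion=1\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in scan_app_data(demo_root):
        print(f"{hit['name']}: {hit['files']} files, {hit['bytes']} bytes, {hit['by_ext']}")
```

On a real XP machine you would point scan_app_data at C:\Documents and Settings\All Users\Application Data (or %ProgramData% on later Windows) instead of the demo tree; the name test is only a first filter, and the contents summary is what tells you whether a hit is a vendor cache with a strange name or a set of identical tiny .dat files like the ones bsketlady described.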

#28
bsketlady

    Member

  • Topic Starter
  • Member
  • 17 posts
C:\Documents and Settings\All Users\Application Data\JFQVRCDPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\NYEIFSVOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\PYEIFSVOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\BZJYVUROBH moved successfully.
C:\Documents and Settings\All Users\Application Data\ORFHKNTOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\GWOICMAPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\YKIQKCDPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\SLIQKCDPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\GDYJUHYOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\WKLOCDDPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\URLOCDDPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\SKUMRUROBH moved successfully.
C:\Documents and Settings\All Users\Application Data\CELTXDWOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\BEAYCWUOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\EBAYCWUOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\UFKQEEWOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\ZYJQEEWOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\KTKYDYQOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\ELJQEMAPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\LSTFVAAPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\OPTFVAAPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\RBUFVAAPBH moved successfully.
C:\Documents and Settings\All Users\Application Data\WGNERNTOBH moved successfully.
C:\Documents and Settings\All Users\Application Data\BMNERNTOBH moved successfully.
File/Folder C:\Program Files\ErrorSmart not found.
C:\Program Files\Enigma Software Group moved successfully.
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job moved successfully.
C:\WINDOWS\Tasks\SpyHunter Scanner.job moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08212008_171057

NOTE: I did not find that file you said to check on the hijack listing....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:24 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://131.158.223....perSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7793 bytes
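Reading a HijackThis log by eye, as sage5 does in this thread, means grouping the lines by their section code (O4 run keys, O9 IE buttons, O10 Winsock LSPs, O20 Winlogon Notify hooks, O23 services) and looking first at references that no longer point at a file. The parser below is an added example, not HijackThis code and not from this thread's helpers: it splits a log into the process list and the coded entries, groups the entries by section, and flags the two things a helper checks first, entries marked "(file missing)" and Winsock LSP files the tool could not identify. The O20 line sage5 asked to fix in post #27 would have been reported under the first rule. The embedded log is a constructed excerpt built from lines of the log posted above.

```python
"""Added example: a small parser for HijackThis log output that groups entries
by section code and flags dangling "(file missing)" references and unidentified
Winsock LSP entries. Not HijackThis code; the sample log is a constructed
excerpt of the log posted in this thread."""
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - ...".
ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7793 bytes
"""


def parse_hjt(text: str) -> dict:
    """Split a log into the 'Running processes' list and the coded entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return {"processes": processes, "entries": entries}


def by_section(entries: list[dict]) -> dict:
    """Group entry bodies by their section code (O4, O9, O23, ...)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["code"]].append(e["body"])
    return dict(groups)


def flag_entries(entries: list[dict]) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for the entries a helper reads first."""
    flags = []
    for e in entries:
        line = f"{e['code']} - {e['body']}"
        if "(file missing)" in e["body"]:
            flags.append(("dangling reference", line))
        if e["code"] == "O10" and e["body"].startswith("Unknown file in Winsock LSP"):
            flags.append(("unidentified LSP", line))
    return flags


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed['processes'])} processes, {len(parsed['entries'])} entries")
    for code, bodies in sorted(by_section(parsed["entries"]).items()):
        print(f"  {code}: {len(bodies)}")
    for reason, line in flag_entries(parsed["entries"]):
        print(f"[{reason}] {line}")
```

A dangling reference is not itself an infection; the two O9 lines above are left over from an uninstalled BitDefender online scanner, which is why helpers ask for them to be removed as clean-up rather than as a threat. The value of parsing is that a log of a few hundred lines can be reduced to the handful that need a human decision.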

#29
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi bsketlady

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTMoveIt:
  • Please double-click OTMoveIt2.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.

To Clear Restore points, please do the following:
  • Go to Start > Control Panel.
  • Double-click the System icon.
    • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.htm) is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5

#30
bsketlady

    Member

  • Topic Starter
  • Member
  • 17 posts
Great! Thank you soooo much for your help, my husband is so much happier without that annoying pop up!