now my sg posts are missing
- slacker361
- Posts: 359
- Joined: Mon Feb 18, 2002 7:55 pm
last night i posted about being hagged, and yeoldstonecat replied to me, thanks bud, i did everything that you said to do, the problem is that it is the wdmaud.sys that is redirecting my browser firefox. and I cannot get rid of it, any ideas how to get rid of the wdmaud.sys as it keeps coming back after i delete it
thanks guys
this equipment list isnt current please ignore MSI kt7 133amobo,AMD Athalon 1Ghz g3Ti200 Pro td 128, 1gig pc133, 2 40gig hd, wireless network,dlink,HP Photsmart 7150,Kodak easyshare ls433 camera,Dazzle dvd creation station 200...... windows XP sp1+more to follow
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Yeah the old server started having massive issues....I guess it knew it was being replaced very soon, and it got jealous and decided to jump off the cliff before Philip was done (was going to be more slowly phased over in the next couple of weeks)...so Philip had to rush things last night. The new server was being tested with some databases that were a day or two old...he was going to attempt to bring the current database over from the old server last night...but apparently it didn't make it. He might give it one more try...so this post might disappear and last night's thread may come back.
Anyways, I had gone back and edited my post with several more tools...so which tools did you actually run?
MORNING WOOD Lumber Company
Guinness for Strength!!!
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Just to add, wdmaud.sys is a legitimate Windows system file related to sound, and the normal one will live at C:\Windows\system32\drivers\
There's a browser redirect trojan that copies that name, and it will be installed into C:\Windows\system32\
So you may want to bounce into safe mode, delete the one you find in system32, and ensure the legit one still lives in system32\drivers
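The post above rests on one concrete check: the real driver belongs in system32\drivers, and a same-named file directly in system32 is the look-alike. The script below is an added example (not code from the thread or from anyone in it) that walks a Windows directory, lists every file named wdmaud.sys, marks the one in system32\drivers as the expected copy and hashes the rest for review. It deletes nothing. The make_demo_tree() helper builds a constructed fake layout so the script can be tried without touching a real machine.

```python
r"""Report every file named wdmaud.sys under a Windows directory and say
which copy sits where the real driver belongs.

Added example; not code from the forum or its posters.
Assumption (from the post above): the legitimate driver lives at
<windows>\system32\drivers\wdmaud.sys, so any same-named file elsewhere
under <windows> (for instance directly in system32) deserves a look.
The script only lists and hashes files; it deletes nothing.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

TARGET_NAME = "wdmaud.sys"
EXPECTED_DIR = Path("system32") / "drivers"  # where the real driver belongs


def sha256_of(path: Path) -> str:
    """Hash the file so a copy can be compared against a known-good sample."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(windows_dir):
    """Walk windows_dir and return one dict per wdmaud.sys found."""
    root = Path(windows_dir)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            path = Path(dirpath) / name
            rel_dir = path.parent.relative_to(root)
            # Compare case-insensitively: Windows shows both System32 and system32.
            expected = str(rel_dir).lower() == str(EXPECTED_DIR).lower()
            found.append({
                "path": str(path),
                "expected": expected,
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
            })
    return found


def suspicious(found):
    """Copies outside system32\\drivers: candidates for the look-alike."""
    return [f for f in found if not f["expected"]]


def legit_present(found):
    """True when a wdmaud.sys exists in system32\\drivers."""
    return any(f["expected"] for f in found)


def make_demo_tree():
    """Constructed layout for a dry run: a legit copy plus a look-alike
    directly in system32. Returns the fake Windows directory."""
    base = Path(tempfile.mkdtemp(prefix="wdmaud_demo_"))
    (base / "system32" / "drivers").mkdir(parents=True)
    (base / "system32" / "drivers" / "wdmaud.sys").write_bytes(b"legit driver")
    (base / "system32" / "wdmaud.sys").write_bytes(b"look-alike")
    return base


def report(windows_dir):
    """Print one line per copy and warn if the expected copy is absent."""
    found = find_copies(windows_dir)
    for f in found:
        tag = "expected" if f["expected"] else "REVIEW  "
        print(f"{tag} {f['path']}  {f['size']} bytes  sha256={f['sha256']}")
    if not legit_present(found):
        print("WARNING: no wdmaud.sys in system32\\drivers; the real driver may be gone")
    return found


if __name__ == "__main__":
    # Pass a Windows directory (e.g. C:\Windows); with no argument the demo tree is used.
    report(sys.argv[1] if len(sys.argv) > 1 else make_demo_tree())
```

Run it as `python wdmaud_check.py C:\Windows` from safe mode, as the post suggests, and compare the hash of the system32\drivers copy against one from a clean install of the same service pack before deciding anything about the REVIEW entries.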
- slacker361
- Posts: 359
- Joined: Mon Feb 18, 2002 7:55 pm
Well, if the driver wdmaud is a good one, then that isn't my problem. I have some sort of browser hijack going on and all the suggestions haven't fixed it
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Did you find which file it is? Read my 2nd sentence in the prior post about a common browser redirect trojan that mimics that legit file..but it's installed in a different directory.
And to be able to further help...which tools did you run last night? Remembering that I edited my post and added a few more tools..so I don't know which version of the post you read last night and tried.
When you download and install the removal tools...are they able to successfully update their databases? NEED TO ensure that...often you can download a removal tool, but the infection blocks you from updating them, so they'll scan with like...ancient 6 months old definitions which may be useless. Need to ensure they get updated, there are often manual update tools avail for some tools to ensure this.
- slacker361
- Posts: 359
- Joined: Mon Feb 18, 2002 7:55 pm
well i ran all that you told me to, unfortunately i don't remember all of them, they all seemed to update ok. some were the spybot sd, cc cleaner, the norton cleaner, and i can't remember all the others you had me do but i did them all.
here is the hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 7:31:16 AM, on 6/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\System Control Manager\MSIService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tracey Sherman\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\VIDEOD~1\ArcURLRecord.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
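Reading a log like the one above by hand is error-prone. As an added example (not code from the thread, its posters or the HijackThis project), the script below pulls out only the entries a reviewer would want to look at twice: a referenced file that is missing, a changed proxy setting, a registered MIME filter, and any autostart whose file lives somewhere installed software normally does not. The rules are my own heuristics, and a hit means "verify", not "malicious": the Office text/xml filter in the posted log is legitimate, and HijackThis 1.99.1 can print "(file missing)" for a service whose registry path is quoted (the stray quote in the gupdate line is the tell). SAMPLE_LOG is constructed: most lines are copied from the posted log; the "jaleiwa" autorun is invented to exercise the unusual-location rule, borrowing the name from a later reply in the thread.

```python
r"""Triage a HijackThis log: keep only the entries that merit a second look.

Added example; not code from the forum, its posters or the HijackThis project.
The rules are heuristics I chose; a hit means "verify", not "malicious".
SAMPLE_LOG is constructed (mostly copied from the log posted above; the
"jaleiwa" autorun line is invented).
"""
import re

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A Windows file path ending in an executable, library or driver extension.
PATH_RE = re.compile(r"((?:%SystemRoot%|[A-Za-z]:)\\.+?\.(?:exe|dll|sys))\b", re.IGNORECASE)
# Locations where installed software and Windows itself normally live.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%systemroot%")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jaleiwa] C:\Documents and Settings\user\Local Settings\Temp\jaleiwa.exe
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
"""


def parse_entries(log_text):
    """Yield (section, body) for each R*/O* line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def reasons_for(section, body):
    """Apply the heuristics to one entry and return the reasons it was flagged."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("referenced file missing")
    if section.startswith("R") and "proxy" in body.lower():
        reasons.append("proxy setting changed")
    if section == "O18" and body.lower().startswith("filter hijack"):
        reasons.append("MIME filter registered")
    # Any file path that is not under Program Files / Windows is worth a look.
    for path in PATH_RE.findall(body):
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("autostart from unusual location")
            break
    return reasons


def triage(log_text):
    """Return [{section, entry, reasons}] for every entry with at least one reason."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = reasons_for(section, body)
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {'; '.join(f['reasons'])}\n     {f['entry']}")
```

On the constructed sample this reports five entries (the ProxyOverride line, the Temp-folder autorun, the text/xml filter, and the two "file missing" lines) and stays quiet about the Spybot BHO, ctfmon and the Intel winlogon DLL. Paste a full log into the function instead of SAMPLE_LOG to triage it the same way.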
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
I remember some steps...
Disable system restore (most likely your infected files were backed up the last time you rebooted, and if you spend alllll this time to clean your rig without turning off system restore, the next time you reboot...often malware will reinfect your system because it crawls out of system restore and bites your system again..so you just wasted all your time)
Run CCleaner
Update all malware cleaning programs
Run MalwareBytes
Run Spybot S&D (I see you have that)
Run SuperAntiSpyware
Eset Rogue AV Remover
http://kb.eset.com/esetkb/index?page=co ... d=SOLN2372
Sophos Rootkit Remover
http://www.sophos.com/products/free-too ... otkit.html
Norton Power Eraser
http://security.symantec.com/nbrt/npe.asp
A TCP/Winsock repair utility
And..McAfee is..yuck. Bogs down your system and can't find its way out of a paper bag. Practically all malware slips past that program. Get a GOOD AV program on there..there are several very good free ones, Microsoft Security Essentials, or Avast, or AntiVir, or Panda Cloud.
If your system is almost unworkable....cannot run apps because system shell extensions are tanked or the rogue changed security values preventing you from running things like regedit or taskman, there are tools like Symantec's UnhookExec.inf and FixWin
You need to find out if the wdm...sys file you have is the legit one..or the illegit one (mentioned in prior post..). It's all just guesswork until that answer is found.
First is to run through your add/remove programs list and trash anything that looks like junk (just helps to clean the comp up) I remove all toolbars I find as I've seen some of the vundo variants attach to them for some reason. You can always install them again later so don't worry about it.
2nd thing is to TURN OFF System Restore!!!
3rd go to Start,Run, and type in msconfig and uncheck anything that looks funny from the Startup Tab including IM's for the time being as you will want to restart the computer fast and keep the variants from starting as well.
Load CCleaner (no need to install this, it's portable!) and select everything to clean! - http://www.majorgeeks.com/CCleaner_Portable_d5735.html
Load/update Avast Home - http://www.avast.com
Load/update superantispyware - http://www.superantispyware.com
Load/update Malwarebytes - MalwareBytes
Load/update spybot Search & Destroy 1.6 - spybot
Download - msautoruns ms Autoruns
Boot into safemode and set Avast for a bootscan upon restart- preselect it to delete anything it finds etc but don't reboot the computer.
Run ccleaner to remove all junk and crap from your temp files etc.. you will still need to set hidden files/folders to show up in the folder options and browse to your Local folder within your user account and select all files in Temp and temp internet files folder and delete EVERYTHING!
Next run superantispyware full scan..if it finds major things, mostly what's found in memory, it will require a reboot..that's fine, reboot and then let avast run its scan and boot into windows normally.
Run MalwareBytes and remove whatever it finds.
Next run msautoruns and again check for anything odd, usually not showing a publisher or looking like this "jaleiwa.exe" etc, you get the idea. Just right click on them and delete, that's it. Close auto runs and then run spybot to finish up that last ditch scan clean up using it.
Run ccleaner once more then reboot and see where you stand after this point. Keep in mind this may take at least 4 hours to complete but it should remove everything if you've done it right!
Good Luck!
Follow Cat's advice and then if the problems persist, have HJT remove these and reboot, clear out system restore and Windows Prefetch folder.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
If you don't recognize this address, remove this entry also:
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
Success is a lousy teacher. It seduces people into thinking they can't lose. -Bill Gates
Anyone use spyware doctor? http://www.pctools.com/spyware-doctor/
CableDude wrote:Anyone use spyware doctor? http://www.pctools.com/spyware-doctor/

- slacker361
- Posts: 359
- Joined: Mon Feb 18, 2002 7:55 pm
Update
ok guys i have run everything known to man to get rid of this and it still is running. it is the top two returns from a google search that redirects to another website when you select it? ANY IDEAS? 
slacker361 wrote:ok guys i have run everything known to man to get rid of this and it still is running. it is the top two returns from a google search that redirects to another website when you select it? ANY IDEAS?
Back up data and format, the time you're wasting trying to fix it is killing you and you may also be causing more harm than good.
- slacker361
- Posts: 359
- Joined: Mon Feb 18, 2002 7:55 pm
ok i think i got it fixed , i used the commy.exe to scan and fix the puter. combofix.exe and i had an infected file and two other files that needed deleted.
c:\windows\system32\FD.dll
c:\windows\system32\logs
Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack
I post this in case anyone else has the problem and so we all can learn from my stupid mistake