Author Topic: [Resolved K] got something going on, what do you think?  (Read 7532 times)

Offline ngt

  • Bronze Member
  • Posts: 104
[Resolved K] got something going on, what do you think?
« on: March 07, 2012, 02:42:32 am »
Here's my HijackThis log... notice anything? I'm new to this, and a friend said to join here and cut/paste the log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:41:34 AM, on 3/7/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AMT Media Manager\AMTDeviceService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\TEMP\LOCALS~1\Temp\vcheck.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:bassdlr@sonic.net
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\IPS\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [AMTDeviceService] "C:\Program Files\AMT Media Manager\AMTDeviceService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Anti-phishing Domain Advisor] "C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vcheck] C:\DOCUME~1\TEMP\LOCALS~1\Temp\vcheck.exe
O4 - HKUS\S-1-5-19\..\Run: [morayepeja] Rundll32.exe "C:\WINDOWS\system32\susalade.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [morayepeja] Rundll32.exe "C:\WINDOWS\system32\susalade.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291905780484
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7406 bytes
thanks for your time and help!!

Eric
« Last Edit: March 30, 2012, 02:24:15 pm by kevinf80 »
Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2724
Re: [Resolved K] got something going on, what do you think?
« Reply #1 on: March 07, 2012, 03:03:32 am »
Hi ngt

We have a new protocol here at SpywareHammer.  We no longer use HijackThis as a first post.  We use DDS.  Also please post the symptoms your PC is exhibiting.

Directions for posting are here:  http://spywarehammer.com/simplemachinesforum/index.php?topic=12262.0
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #2 on: March 07, 2012, 04:08:48 am »
Sorry, here are the DDS files. I didn't see a way to edit my post, or I would have. Again, sorry for not following the rules; totally unintentional, as my friend just said to post that here. No hard feelings, I hope :)

DDS:  notepad:


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_23
Run by Owner at 2:01:03 on 2012-03-07
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1918.1025 [GMT -8:00]
.
FW:  *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\AMT Media Manager\AMTDeviceService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\TEMP\LOCALS~1\Temp\vcheck.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar =
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uSearch Page =
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:bassdlr@sonic.net
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: MRI_DISABLED - No File
BHO: Browser Address Error Redirector - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.7.0.13\ips\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: MRI_DISABLED - No File
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [vcheck] c:\docume~1\temp\locals~1\temp\vcheck.exe
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [AMTDeviceService] "c:\program files\amt media manager\AMTDeviceService.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mri_di~1\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mri_di~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mri_di~1\realte~1.lnk - c:\program files\realtek rtl8187 wireless lan driver and utility\RtWLan.exe
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291905780484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ADD9E16C-F24E-4958-8A3F-E087FF04C80A} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\volorume.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\temp\application data\mozilla\firefox\profiles\ti4hxa6l.default\
FF - prefs.js: browser.search.selectedEngine - Blekko
FF - plugin: c:\documents and settings\owner.eric2\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner.eric2\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1207000.00d\symds.sys [2012-1-31 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1207000.00d\symefa.sys [2012-1-31 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20120302.001\BHDrvx86.sys [2012-3-2 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1207000.00d\ironx86.sys [2012-1-31 136312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-28 652360]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.7.0.13\ccsvchst.exe [2012-1-31 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20120306.002\IDSXpx86.sys [2012-3-6 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-28 20464]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120306.003\NAVENG.SYS [2012-3-6 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120306.003\NAVEX15.SYS [2012-3-6 1576312]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-11-22 180480]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-31 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-31 135664]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-11-22 13532]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
=============== Created Last 30 ================
.
2012-03-07 01:54:14   388096   ----a-r-   c:\documents and settings\temp\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-06 15:34:41   400   ----a-w-   c:\documents and settings\temp\IMInstaller.exe
2012-03-05 15:52:05   392   ----a-w-   c:\documents and settings\temp\GCK.exe
2012-03-05 14:17:23   0   ----a-w-   c:\documents and settings\temp\NDKF.exe
2012-03-05 01:32:37   1409   ----a-w-   c:\windows\QTFont.for
2012-03-04 23:22:13   400   ----a-w-   c:\documents and settings\temp\WFInstaller.exe
2012-03-04 23:21:37   --------   d-----w-   c:\documents and settings\temp\application data\Malwarebytes
2012-03-04 19:29:28   --------   d-----w-   C:\neogeo
2012-03-04 18:35:18   --------   d-----w-   c:\documents and settings\all users\application data\Premium
2012-03-04 18:34:23   --------   d-----w-   c:\documents and settings\all users\application data\InstallMate
2012-03-03 14:53:13   --------   d-----w-   c:\program files\BitPim
2012-03-01 01:40:02   --------   d-----w-   c:\program files\common files\FreeCause
2012-03-01 01:40:01   --------   d-----w-   c:\documents and settings\temp\local settings\application data\blekkotb
2012-03-01 01:40:00   --------   d-----w-   c:\documents and settings\all users\application data\Anti-phishing Domain Advisor
2012-02-22 02:08:35   --------   d-----w-   c:\program files\MSXML 6.0
2012-02-21 06:19:52   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2012-02-21 06:19:52   159232   ----a-w-   c:\windows\system32\ptpusd.dll
.
==================== Find3M  ====================
.
2011-12-10 23:24:06   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
.
============= FINISH:  2:01:55.12 ===============



attach Notepad:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/15/2007 12:20:44 PM
System Uptime: 3/7/2012 1:50:46 AM (1 hours ago)
.
Motherboard: Gateway                          |  |                                 
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-52 | Socket M2/S1G1 | 1595/200mhz
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-52 | Socket M2/S1G1 | 1595/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 22.282 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 4.699 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP984: 12/8/2011 3:41:54 PM - System Checkpoint
RP985: 12/9/2011 3:43:12 PM - System Checkpoint
RP986: 12/10/2011 10:58:20 PM - System Checkpoint
RP987: 12/12/2011 6:44:27 AM - System Checkpoint
RP988: 12/13/2011 7:00:24 AM - System Checkpoint
RP989: 12/14/2011 7:16:06 AM - System Checkpoint
RP990: 12/15/2011 7:56:33 AM - System Checkpoint
RP991: 12/16/2011 8:21:01 AM - System Checkpoint
RP992: 12/17/2011 8:43:59 AM - System Checkpoint
RP993: 12/18/2011 8:48:00 AM - System Checkpoint
RP994: 12/19/2011 10:46:19 AM - System Checkpoint
RP995: 12/20/2011 12:37:07 PM - System Checkpoint
RP996: 12/21/2011 3:33:27 PM - System Checkpoint
RP997: 12/22/2011 4:09:08 PM - System Checkpoint
RP998: 12/23/2011 4:25:32 PM - System Checkpoint
RP999: 12/24/2011 5:18:28 PM - System Checkpoint
RP1000: 12/25/2011 9:28:45 PM - System Checkpoint
RP1001: 12/27/2011 6:21:32 AM - System Checkpoint
RP1002: 12/28/2011 9:30:02 AM - System Checkpoint
RP1003: 12/29/2011 9:53:22 AM - System Checkpoint
RP1004: 12/30/2011 10:02:39 AM - System Checkpoint
RP1005: 12/31/2011 10:34:07 AM - System Checkpoint
RP1006: 1/1/2012 11:09:39 AM - System Checkpoint
RP1007: 1/2/2012 11:34:26 AM - System Checkpoint
RP1008: 1/3/2012 11:39:02 AM - System Checkpoint
RP1009: 1/4/2012 12:10:30 PM - System Checkpoint
RP1010: 1/5/2012 12:25:14 PM - System Checkpoint
RP1011: 1/6/2012 1:26:54 PM - System Checkpoint
RP1012: 1/7/2012 1:55:19 PM - System Checkpoint
RP1013: 1/8/2012 6:20:13 PM - System Checkpoint
RP1014: 1/10/2012 6:42:02 AM - System Checkpoint
RP1015: 1/11/2012 7:59:05 AM - System Checkpoint
RP1016: 1/12/2012 8:32:39 AM - System Checkpoint
RP1017: 1/13/2012 1:29:49 PM - System Checkpoint
RP1018: 1/14/2012 1:34:23 PM - System Checkpoint
RP1019: 1/15/2012 1:57:49 PM - System Checkpoint
RP1020: 1/16/2012 3:04:47 PM - System Checkpoint
RP1021: 1/17/2012 3:43:36 PM - System Checkpoint
RP1022: 1/18/2012 3:59:59 PM - System Checkpoint
RP1023: 1/19/2012 5:19:58 PM - System Checkpoint
RP1024: 1/20/2012 5:44:53 PM - System Checkpoint
RP1025: 1/21/2012 6:00:28 PM - System Checkpoint
RP1026: 1/22/2012 8:11:31 AM - Software Distribution Service 3.0
RP1027: 1/23/2012 10:07:07 AM - System Checkpoint
RP1028: 1/24/2012 10:31:50 AM - System Checkpoint
RP1029: 1/25/2012 10:56:52 AM - System Checkpoint
RP1030: 1/26/2012 11:37:45 AM - System Checkpoint
RP1031: 1/27/2012 12:12:53 PM - System Checkpoint
RP1032: 1/28/2012 12:34:45 PM - System Checkpoint
RP1033: 1/29/2012 12:58:27 PM - System Checkpoint
RP1034: 1/30/2012 1:54:18 PM - System Checkpoint
RP1035: 1/31/2012 7:14:55 PM - System Checkpoint
RP1036: 2/1/2012 7:46:53 PM - System Checkpoint
RP1037: 2/2/2012 8:26:12 PM - System Checkpoint
RP1038: 2/3/2012 10:42:14 PM - System Checkpoint
RP1039: 2/4/2012 10:51:56 PM - System Checkpoint
RP1040: 2/5/2012 11:44:02 PM - System Checkpoint
RP1041: 2/7/2012 12:09:25 AM - System Checkpoint
RP1042: 2/8/2012 12:15:18 AM - System Checkpoint
RP1043: 2/9/2012 1:29:47 PM - System Checkpoint
RP1044: 2/10/2012 1:38:55 PM - System Checkpoint
RP1045: 2/11/2012 3:59:44 PM - System Checkpoint
RP1046: 2/12/2012 4:31:08 PM - System Checkpoint
RP1047: 2/13/2012 6:45:43 PM - System Checkpoint
RP1048: 2/14/2012 8:48:51 PM - System Checkpoint
RP1049: 2/15/2012 9:00:45 PM - System Checkpoint
RP1050: 2/17/2012 8:10:49 AM - System Checkpoint
RP1051: 2/18/2012 9:34:55 AM - System Checkpoint
RP1052: 2/19/2012 10:09:16 AM - System Checkpoint
RP1053: 2/20/2012 12:18:27 PM - System Checkpoint
RP1054: 2/21/2012 12:24:48 PM - System Checkpoint
RP1055: 2/21/2012 6:09:17 PM - Installed Windows XP WIC.
RP1056: 2/21/2012 6:12:36 PM - Removed Microsoft .NET Framework 1.1
RP1057: 2/22/2012 6:40:26 PM - System Checkpoint
RP1058: 2/23/2012 9:46:38 PM - System Checkpoint
RP1059: 2/24/2012 10:39:31 PM - System Checkpoint
RP1060: 2/26/2012 8:42:30 AM - System Checkpoint
RP1061: 2/27/2012 9:13:08 AM - System Checkpoint
RP1062: 2/28/2012 9:59:41 AM - System Checkpoint
RP1063: 2/29/2012 10:38:49 AM - System Checkpoint
RP1064: 3/1/2012 11:00:05 AM - System Checkpoint
RP1065: 3/2/2012 1:35:31 PM - System Checkpoint
RP1066: 3/3/2012 4:36:40 PM - System Checkpoint
RP1067: 3/4/2012 11:34:16 PM - System Checkpoint
RP1068: 3/6/2012 7:23:29 AM - System Checkpoint
RP1069: 3/6/2012 5:54:12 PM - Installed HiJackThis
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AMT Media Manager
Anti-phishing Domain Advisor
Apple Software Update
ArcSoft PhotoImpression 5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
BigFix
BitPim 1.0.7
Blackhawk Striker 2
Blasterball 2 Revolution
Broadcom 802.11 Network Adapter
Browser Address Error Redirector
Critical Update for Windows Media Player 11 (KB959772)
Diner Dash
DoremiSoft AVI to MP4 Converter 1.0
DVD Shrink 3.2
DVD Solution
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON File Manager
EPSON Perf 3490 3590 Guide
EPSON Scan Assistant
FATE
FormatFactory 1.70
Free File Opener v2011.7.0.1
Free FLV Converter V 7.1.0
Free Video to Mp3 Converter version 3.1
Gateway Game Console
GetGo YouTube Downloader
Google Earth
Google Update Helper
Google Updater
gtw_logo
High Definition Audio Driver Package - KB888111
HiJackThis
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Deskjet 3740 Series
IDT Audio
iTunes
J2SE Runtime Environment 5.0 Update 2
Java Auto Updater
Java(TM) 6 Update 23
LG USB Modem driver
Malwarebytes Anti-Malware version 1.60.1.1000
Media Player Codec Pack 3.9.6
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office Standard Edition 2003
Microsoft Picture It! Photo 7.0
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ Run Time  Lib Setup
Microsoft Word 2002
Microsoft Works
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Motorola SM56 Speakerphone Modem
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Napster
Napster Burn Engine
Nero PhotoShow Express
Nero Suite
Norton AntiVirus
Opera 11.61
ParetoLogic PC Health Advisor
Penguins!
Polar Bowler
Polar Golfer
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer
REALTEK RTL8187 Wireless LAN Driver and Utility
Recovery Software Suite Gateway
SCRABBLE
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SigmaTel Audio
Sonic Encoders
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Print Shop® 6.0 Deluxe
TIPCI
Tradewinds
TVUPlayer 2.4.9.1
Uninstall 1.0.0.1
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
V CAST Music with Rhapsody
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
vShare.tv plugin 1.3
WAV to MP3 Encoder
WebFldrs XP
WildTangent Web Driver
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
Wise Registry Cleaner Free 5.33
Works Suite OS Pack
XviD MPEG-4 Codec
.
==== Event Viewer Messages From Past Week ========
.
3/4/2012 9:19:01 PM, error: SideBySide [61]  - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
3/2/2012 7:23:46 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  TfFsMon TfSysMon
3/2/2012 7:23:46 AM, error: Service Control Manager [7000]  - The MCSTRM service failed to start due to the following error:  The system cannot find the file specified.
3/2/2012 7:22:40 AM, error: Dhcp [1002]  - The IP address lease 192.168.1.4 for the Network Card with network address 00C0A8CA1278 has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


thanks again for your help!!

If you can edit my post so this is in the first post, please do so. If it doesn't matter, cool. Again, sorry for not following the rules.

-Eric

Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #3 on: March 07, 2012, 04:33:28 am »
Symptoms: computer locking up on boot up, freezing after going into sleep mode, running slowly, getting messages that "vcheck" and "ndkf" are running when I shut down my laptop, and Norton blocks them on occasion. I looked them up but couldn't find much. Again, new to this stuff. Thanks!

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [Resolved K] got something going on, what do you think?
« Reply #4 on: March 07, 2012, 05:13:40 am »
Hello Eric and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own, as this will conflict with the tools we are going to use.
  • Either print or save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin. Go Here and follow the instructions specific for your operating system.
  • If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc., please uninstall them before we begin.
  • If you are using cracked or illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs, as they will have a negative effect on Combofix; instructions available Here if required. Be aware the list may not have all programs listed; if you need more help, please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #5 on: March 10, 2012, 04:38:48 pm »
Sorry it took so long. Work, 5 week old Kid, etc....

ComboFix 12-03-10.02 - Owner 03/10/2012  14:00:02.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1918.1003 [GMT -8:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.Eric2\.COMMgr
c:\documents and settings\Owner.Eric2\WINDOWS
c:\documents and settings\TEMP\CKT.exe
c:\documents and settings\TEMP\GCK.exe
c:\documents and settings\TEMP\IMInstaller.exe
c:\documents and settings\TEMP\NDKF.exe
c:\documents and settings\TEMP\WFInstaller.exe
c:\documents and settings\TEMP\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\20000.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET4C6.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-10 to 2012-03-10  )))))))))))))))))))))))))))))))
.
.
2012-03-07 01:54 . 2012-03-07 01:54   388096   ----a-r-   c:\documents and settings\TEMP\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-05 01:32 . 2012-03-05 01:32   1409   ----a-w-   c:\windows\QTFont.for
2012-03-04 23:21 . 2012-03-04 23:21   --------   d-----w-   c:\documents and settings\TEMP\Application Data\Malwarebytes
2012-03-04 19:29 . 2012-03-04 20:58   --------   d-----w-   C:\neogeo
2012-03-04 18:35 . 2012-03-04 18:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Premium
2012-03-04 18:34 . 2012-03-04 18:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\InstallMate
2012-03-03 14:53 . 2012-03-03 14:53   --------   d-----w-   c:\program files\BitPim
2012-03-01 01:40 . 2012-03-04 17:08   --------   d-----w-   c:\program files\Common Files\FreeCause
2012-03-01 01:40 . 2012-03-01 01:40   --------   d-----w-   c:\documents and settings\TEMP\Local Settings\Application Data\blekkotb
2012-03-01 01:40 . 2012-03-10 22:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor
2012-02-22 02:08 . 2012-02-22 02:08   --------   d-----w-   c:\program files\MSXML 6.0
2012-02-21 06:20 . 2012-02-21 06:20   --------   d-----w-   c:\documents and settings\TEMP\Application Data\EPSON
2012-02-21 06:19 . 2004-08-04 08:56   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2012-02-21 06:19 . 2001-08-18 06:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-01 13:07 . 2011-04-15 00:26   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
Code:
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\ehome\ehtray .exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-27 1458176]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-08-17 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 185896]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-01-17 232616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-11-22 2168360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-22 749568]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-11-12 05:40   1236992   ----a-w-   c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 22:09   102400   ------w-   c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 17:36   256576   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-17 01:21   28672   ----a-w-   c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50   155648   ----a-w-   c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-26 02:58   282624   ----a-w-   c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42   212992   ----a-w-   c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 02:24   966656   ----a-w-   c:\windows\creator\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-27 00:46   1458176   ----a-w-   c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 32 (0x20)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1207000.00D\symds.sys [1/31/2012 6:46 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1207000.00D\symefa.sys [1/31/2012 6:46 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20120302.001\BHDrvx86.sys [3/2/2012 10:58 AM 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1207000.00D\ironx86.sys [1/31/2012 6:46 AM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/28/2010 5:49 AM 652360]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.7.0.13\ccsvchst.exe [1/31/2012 6:46 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 2:05 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120309.002\IDSXpx86.sys [3/9/2012 4:26 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/28/2010 5:49 AM 20464]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/22/2006 6:11 PM 180480]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2009 11:14 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2009 11:14 PM 135664]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [11/22/2006 6:11 PM 13532]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
2012-03-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-15 19:48]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:13]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:13]
.
2007-01-15 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]
.
2012-03-10 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2012-02-08 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-06-05 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2011-11-11 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:bassdlr@sonic.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ti4hxa6l.default\
FF - prefs.js: browser.search.selectedEngine - Blekko
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-10 14:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1508)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-03-10  14:13:29 - machine was rebooted
ComboFix-quarantined-files.txt  2012-03-10 22:13
.
Pre-Run: 23,809,990,656 bytes free
Post-Run: 24,581,107,712 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - B73E289D49E4482077B13E0DC765866B



thanks!!

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [Resolved K] got something going on, what do you think?
« Reply #6 on: March 11, 2012, 10:59:23 am »
Thanks for the log, run the following :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
ClearJavaCache::
RenV::
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\ehome\ehtray .exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
File::
c:\windows\system32\drivers\TfFsMon.sys
c:\windows\system32\drivers\TfSysMon.sys
c:\windows\system32\drivers\TfNetMon.sys
Driver::
TfFsMon
TfSysMon
TfNetMon

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Step 3

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those 3 logs in next reply, also give update on current issues...

Kevin
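
As an added example (not from this thread, and not part of ComboFix), the following Python script flags in a ComboFix-style log the four kinds of entries the CFScript above acts on: executables with a space before the extension (the RenV:: targets), firewall GloballyOpenPorts entries, service/driver lines whose file is missing on disk ("[?]"), and Security Center override values. The sample log lines are constructed from this thread's log; the function and class names are my own.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # spaced_ext | open_port | missing_driver | sc_override
    detail: str  # the offending value, summarised
    line: str    # the raw log line that triggered the finding


# 1. "name .exe": a space before the extension, the pattern RenV:: renames back.
SPACED_EXT = re.compile(r"^(?P<path>[a-z]:\\.*\S) \.(?P<ext>exe|dll|sys)\s*$", re.I)
# 2. A GloballyOpenPorts entry, e.g.  "65533:TCP"= 65533:TCP:Services
OPEN_PORT = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+)$'
)
# 3. An R*/S* service or driver line whose file ComboFix could not find ("[?]").
MISSING_DRIVER = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;.*\[\?\]\s*$")
# 4. REGEDIT4 section headers and dword values under the Security Center key.
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[A-Za-z]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
SC_NAMES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}

# Constructed sample, a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\windows\ehome\ehtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/28/2010 5:49 AM 20464]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
"""


def scan_combofix_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    current_key = ""  # registry section the following value lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := REG_KEY.match(line)):
            current_key = m["key"].lower()
            continue
        if (m := SPACED_EXT.match(line)):
            findings.append(Finding("spaced_ext", f"{m['path']} .{m['ext']}", line))
        elif (m := OPEN_PORT.match(line)):
            # A generic "Services" label is what made these ports stand out;
            # a named rule like "Remote Desktop" is reported for review too.
            findings.append(
                Finding("open_port", f"{m['port']}/{m['proto']} ({m['label']})", line)
            )
        elif (m := MISSING_DRIVER.match(line)):
            findings.append(Finding("missing_driver", m["name"], line))
        elif "security center" in current_key and (m := REG_DWORD.match(line)):
            # Override/DisableMonitoring = 1 silences Security Center warnings.
            if m["name"] in SC_NAMES and int(m["val"], 16) == 1:
                findings.append(
                    Finding("sc_override", f"{m['name']} under {current_key}", line)
                )
    return findings


def group_by_kind(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding details by kind, for a short triage summary."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.detail)
    return grouped


if __name__ == "__main__":
    for kind, details in group_by_kind(scan_combofix_log(SAMPLE_LOG)).items():
        print(f"{kind}:")
        for d in details:
            print(f"  {d}")
```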




Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #7 on: March 11, 2012, 02:42:43 pm »
Turned off Norton's, turned off Malwarebytes, made the txt file, dragged it in. It looked like it was working, sat on the "this will take less than 10 minutes" screen for 45 minutes, and then my mouse arrow froze and the laptop reset and would not come back on. The blue bar on the bottom during boot up gets about 3/4 of the way across and freezes.

ideas?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [Resolved K] got something going on, what do you think?
« Reply #8 on: March 11, 2012, 02:56:24 pm »
What do you mean the laptop "reset"? Did you power it off? See if it will boot into safe mode with networking:

Re-boot and continuously tap the F8 key until you see the Windows Advanced Menu, from the options select Safe Mode with Networking...

Does it boot to that?

Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #9 on: March 11, 2012, 03:22:59 pm »
I didn't power it down. It just reset. I hit f8 and it went to a screen where I hit advanced something and it went through. (did that before I read your message). Now it's on fine. The first time I ran combo fix, I had malwarebytes and Nortons on, this time I turned them off and this happened. Maybe try dragging the file with those two things on still?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [Resolved K] got something going on, what do you think?
« Reply #10 on: March 11, 2012, 03:56:35 pm »
The initial instructions I gave you for Combofix still apply even with a scriptfix run: if CF finds a rootkit it will re-boot your system, and on re-boot your system may appear to freeze, possibly with a black screen for several minutes while CF kills the rootkit.

You definitely had a Vundo infection, maybe more, as that was cleared with the script fix....

Can you see if there was a log produced? The log from the first run will have been moved to C:\Qoobox\Combofix2.txt and the scriptfix log would be at C:\Combofix.txt

What is happening with your system now, will it boot to normal mode?

Kevin

Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #11 on: March 11, 2012, 04:51:09 pm »
It never got to the black screen on boot up. Just where the blue bar runs along the bottom of the screen and it gets 3/4 of the way and then stops.


Here's the combofix2 notepad txt in the QooBox folder:

ComboFix 12-03-10.02 - Owner 03/10/2012  14:00:02.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1918.1003 [GMT -8:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.Eric2\.COMMgr
c:\documents and settings\Owner.Eric2\WINDOWS
c:\documents and settings\TEMP\CKT.exe
c:\documents and settings\TEMP\GCK.exe
c:\documents and settings\TEMP\IMInstaller.exe
c:\documents and settings\TEMP\NDKF.exe
c:\documents and settings\TEMP\WFInstaller.exe
c:\documents and settings\TEMP\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\20000.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET4C6.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-10 to 2012-03-10  )))))))))))))))))))))))))))))))
.
.
2012-03-07 01:54 . 2012-03-07 01:54   388096   ----a-r-   c:\documents and settings\TEMP\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-05 01:32 . 2012-03-05 01:32   1409   ----a-w-   c:\windows\QTFont.for
2012-03-04 23:21 . 2012-03-04 23:21   --------   d-----w-   c:\documents and settings\TEMP\Application Data\Malwarebytes
2012-03-04 19:29 . 2012-03-04 20:58   --------   d-----w-   C:\neogeo
2012-03-04 18:35 . 2012-03-04 18:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Premium
2012-03-04 18:34 . 2012-03-04 18:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\InstallMate
2012-03-03 14:53 . 2012-03-03 14:53   --------   d-----w-   c:\program files\BitPim
2012-03-01 01:40 . 2012-03-04 17:08   --------   d-----w-   c:\program files\Common Files\FreeCause
2012-03-01 01:40 . 2012-03-01 01:40   --------   d-----w-   c:\documents and settings\TEMP\Local Settings\Application Data\blekkotb
2012-03-01 01:40 . 2012-03-10 22:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor
2012-02-22 02:08 . 2012-02-22 02:08   --------   d-----w-   c:\program files\MSXML 6.0
2012-02-21 06:20 . 2012-02-21 06:20   --------   d-----w-   c:\documents and settings\TEMP\Application Data\EPSON
2012-02-21 06:19 . 2004-08-04 08:56   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2012-02-21 06:19 . 2001-08-18 06:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-01 13:07 . 2011-04-15 00:26   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\ehome\ehtray .exe
</pre>
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-27 1458176]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-08-17 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 185896]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-01-17 232616]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-11-22 2168360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2006-11-22 749568]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-11-12 05:40   1236992   ----a-w-   c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 22:09   102400   ------w-   c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 17:36   256576   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-17 01:21   28672   ----a-w-   c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50   155648   ----a-w-   c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-26 02:58   282624   ----a-w-   c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42   212992   ----a-w-   c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 02:24   966656   ----a-w-   c:\windows\creator\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-27 00:46   1458176   ----a-w-   c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 32 (0x20)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1207000.00D\symds.sys [1/31/2012 6:46 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1207000.00D\symefa.sys [1/31/2012 6:46 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20120302.001\BHDrvx86.sys [3/2/2012 10:58 AM 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1207000.00D\ironx86.sys [1/31/2012 6:46 AM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/28/2010 5:49 AM 652360]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.7.0.13\ccsvchst.exe [1/31/2012 6:46 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 2:05 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120309.002\IDSXpx86.sys [3/9/2012 4:26 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/28/2010 5:49 AM 20464]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/22/2006 6:11 PM 180480]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2009 11:14 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2009 11:14 PM 135664]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [11/22/2006 6:11 PM 13532]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
2012-03-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-15 19:48]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:13]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:13]
.
2007-01-15 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]
.
2012-03-10 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2012-02-08 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-06-05 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
2011-11-11 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2011-03-29 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:bassdlr@sonic.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ti4hxa6l.default\
FF - prefs.js: browser.search.selectedEngine - Blekko
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-10 14:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1508)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-03-10  14:13:29 - machine was rebooted
ComboFix-quarantined-files.txt  2012-03-10 22:13
.




and here's the quarantined file txt

2012-03-10 22:03:46 . 2012-03-10 22:03:46            7,371 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-03-10 21:52:41 . 2012-03-10 21:55:34              102 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2012-03-10 04:18:35 . 2012-03-10 14:53:31                0 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\TEMP\NDKF.exe.vir
2012-03-09 16:41:49 . 2012-03-09 16:41:49                0 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\TEMP\CKT.exe.vir
2012-03-06 15:34:41 . 2012-03-06 15:34:41              400 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\TEMP\IMInstaller.exe.vir
2012-03-05 15:52:05 . 2012-03-09 14:48:24              392 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\TEMP\GCK.exe.vir
2012-03-04 23:22:13 . 2012-03-04 23:22:13              400 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\TEMP\WFInstaller.exe.vir
2009-09-12 01:48:35 . 2009-09-12 01:43:24              251 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\20000.dll.vir
2006-06-21 08:04:17 . 2006-03-21 10:23:12           23,040 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
2006-06-19 04:36:57 . 2005-08-04 08:29:52          344,064 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\SET4C6.tmp.vir

Pre-Run: 23,809,990,656 bytes free
Post-Run: 24,581,107,712 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - B73E289D49E4482077B13E0DC765866B


I couldn't find a combofix.txt file in "C", just the one on the desktop I had posted previously. I'm posting this and then I'll turn the laptop off and on...fingers crossed
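As an added example (it is not part of the thread and not ComboFix's own code), the Python below reads the registry and service sections of a ComboFix log like the one pasted above and lists the items a malware-removal helper would ask about: Security Center override flags set to 1 (they silence the "no antivirus/firewall" warning), Windows Firewall exceptions whose description is not on a recognised allow-list, and service entries whose driver file ComboFix could not resolve (printed with `-->` and `[?]`). The sample input is copied from the log above; the allow-list of port descriptions is an assumption made for the example.

```python
"""Triage helper for the registry/service sections of a ComboFix log (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1207000.00D\symds.sys [1/31/2012 6:46 AM 340088]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
"""

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# Assumption for this example: firewall exception descriptions the reviewer already recognises.
KNOWN_PORT_DESCRIPTIONS = {"Remote Desktop"}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group value lines under their [section] header (lower-cased); '.' separators are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def security_center_overrides(text: str) -> List[str]:
    """Security Center values set to 1; these suppress the missing-AV/firewall alerts."""
    found = []
    for value in parse_sections(text).get(SECURITY_CENTER_KEY, []):
        m = DWORD_RE.match(value)
        if m and int(m.group(2), 16) == 1:
            found.append(m.group(1))
    return found


def open_ports(text: str) -> List[Tuple[int, str, str]]:
    """(port, protocol, description) for every GloballyOpenPorts firewall exception."""
    ports = []
    for section, values in parse_sections(text).items():
        if not section.endswith(r"globallyopenports\list"):
            continue
        for value in values:
            m = PORT_RE.match(value)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def unexplained_ports(text: str) -> List[int]:
    """Exceptions whose description is not on the allow-list; each needs an owner."""
    return sorted(p for p, _proto, desc in open_ports(text) if desc not in KNOWN_PORT_DESCRIPTIONS)


def unresolved_drivers(text: str) -> List[str]:
    """Service/driver names whose image path ComboFix could not resolve ('-->' and '[?]')."""
    names = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m and "-->" in m.group(4) and m.group(4).rstrip().endswith("[?]"):
            names.append(m.group(2))
    return names


def triage(text: str) -> Dict[str, object]:
    """Collect the three findings a helper would raise on a log like the one in this thread."""
    return {
        "security_center_overrides": security_center_overrides(text),
        "unexplained_open_ports": unexplained_ports(text),
        "unresolved_drivers": unresolved_drivers(text),
    }


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_LOG).items():
        print(f"{key}: {finding}")
```

Run against the log above it reports both override flags, the four TCP exceptions labelled only "Services", and the two ThreatFire driver entries whose files are gone; each of those is a question to settle before the machine is declared clean, not a verdict on its own.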

Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #12 on: March 11, 2012, 04:59:50 pm »
It came back on without freezing, but instead of turning on like it used to, it took me to a screen that told me what edition of XP I am using, then to another screen that asked if I wanted to start the system normally, with a 30 second countdown on the bottom. I hit enter and it finished up booting fine from there.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7342
Re: [Resolved K] got something going on, what do you think?
« Reply #13 on: March 11, 2012, 05:40:28 pm »
The change in screen display is because Combofix installed the Recovery Console. On boot you will be given two options, either XP (your operating system) or the Recovery Console; that will time out and default to your operating system.

The recovery console is a very good option to have available and should be kept. This allows us to boot to that option and carry out essential fixes should the need arise.

Continue and run the ESET scan, I'll give the instructions again:

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Next,

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see the logs from ESET and Security Check in your reply, also give an update on current issues. The current logs indicate you have not updated to Service Pack 3 (SP3). That will have to be done when your system is proven to be clean.

Kevin



Offline ngt

  • Bronze Member
  • Posts: 104
Re: [Resolved K] got something going on, what do you think?
« Reply #14 on: March 11, 2012, 09:52:23 pm »
Checkup Log:

 Results of screen317's Security Check version 0.99.31 
 Windows XP Service Pack 2 x86   
 Out of date service pack!!
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 ESET Online Scanner v3   
 Norton AntiVirus     
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:

 Out of date HijackThis installed!
 HijackThis 1.99.1   
 Wise Registry Cleaner Free 5.33
 Java(TM) 6 Update 23 
 Java version out of date!
  Adobe Flash Player    10.2.153.1 Flash Player out of Date! 
 Mozilla Firefox (4.0.1)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Norton ccSvcHst.exe
 Malwarebytes' Anti-Malware mbamservice.exe 
 Malwarebytes' Anti-Malware mbamgui.exe 
``````````End of Log````````````




ESET Results:



C:\Documents and Settings\TEMP\Local Settings\TempImages\UpdateInstaller.exe   a variant of Win32/Agent.SZW trojan
C:\Documents and Settings\TEMP\My Documents\FreeWAVToMP3ConverterSetup.exe   a variant of Win32/Agent.SZW trojan
C:\stuff\Setup_FreeFlvConverter.exe   Win32/Adware.Toolbar.Dealio application
C:\stuff\music\stuff\Setup_FreeFlvConverter.exe   Win32/Adware.Toolbar.Dealio application
C:\WINDOWS\system32\drivers\etc\HOSTS.MVP   Win32/Qhost trojan


ESET Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9ad2f72c4b30a54290a3ca4c45aa8213
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-12 03:43:32
# local_time=2012-03-11 08:43:32 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1026 16777214 0 2 43573294 43573294 0 0
# compatibility_mode=3587 16777174 85 75 2326746 149585094 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=113677
# found=5
# cleaned=0
# scan_time=6504
C:\Documents and Settings\TEMP\Local Settings\TempImages\UpdateInstaller.exe   a variant of Win32/Agent.SZW trojan (unable to clean)   00000000000000000000000000000000   I
C:\Documents and Settings\TEMP\My Documents\FreeWAVToMP3ConverterSetup.exe   a variant of Win32/Agent.SZW trojan (unable to clean)   00000000000000000000000000000000   I
C:\stuff\Setup_FreeFlvConverter.exe   Win32/Adware.Toolbar.Dealio application (unable to clean)   00000000000000000000000000000000   I
C:\stuff\music\stuff\Setup_FreeFlvConverter.exe   Win32/Adware.Toolbar.Dealio application (unable to clean)   00000000000000000000000000000000   I
C:\WINDOWS\system32\drivers\etc\HOSTS.MVP   Win32/Qhost trojan (unable to clean)   00000000000000000000000000000000   I