Hijack This Log

This topic is locked
31 replies to this topic

#1 chriscross50

Posted 20 April 2008 - 05:08 PM

Hello, I've just stumbled across this website recently, by way of me purchasing computer items from a guy at the local flea market. He suggested 2 programs "Nod32" and "hijack this". So by way of me using hijack this, I came across this website....Anyway, I'm having computer problems on another desktop. Things it does...At the beginning, it loads up a white screen w/an hour glass in bottom left corner. It has never done this before. Then when my regular windows "blue windows XP screen" loads up, It loads up AGAIN. That's right, a second "Blue Windows XP screen" with a name in the bottom left corner. Obviously something is going on that's not right!!!!. I can access files, get on internet, and everything else, but the scenario above is not right. Please offer any assistance to help resolve..LOGFILE is below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:59 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178210048856
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 4660 bytes


#2 chriscross50 (Topic Starter)

Posted 20 April 2008 - 10:55 PM

Any assistance Please..

#3 chriscross50 (Topic Starter)

Posted 24 April 2008 - 10:00 PM

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-24 22:48:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:23 PM, on 4/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\S3apphk.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wistv.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.31.103.50:1096
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 3951 bytes

-- Files created between 2008-03-24 and 2008-04-24 -----------------------------

2008-04-24 22:47:57 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_308.dat
2008-04-24 06:54:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-24 06:54:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-24 06:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-22 16:07:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-22 16:07:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 16:07:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 12:20:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_240.dat
2008-04-22 11:54:45 0 d-------- C:\Program Files\Alwil Software
2008-04-20 15:29:29 0 d-------- C:\WINNT\ERUNT
2008-04-20 11:51:09 3284 --a------ C:\WINNT\system32\ANIWZCS{E870496D-E5C8-45C9-83F3-7E070E1F5E64}
2008-04-19 22:46:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-04-19 22:42:00 0 d-------- C:\Program Files\IObit
2008-04-19 22:22:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-19 18:32:35 0 d-------- C:\Program Files\SpywareGuard
2008-04-19 18:13:40 0 d-------- C:\Program Files\SpywareBlaster
2008-04-19 16:02:28 0 d-------- C:\Program Files\Trend Micro
2008-04-19 15:06:15 11632 --a------ C:\WINNT\system32\drivers\mouhid.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:14 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:02 30480 --a------ C:\WINNT\system32\pid.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:02 13904 --a------ C:\WINNT\system32\drivers\hidusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:02 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:02 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:06:01 18192 --a------ C:\WINNT\system32\hid.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-19 15:05:07 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-04-24 13:18:39 1013680 ---h----- C:\WINNT\ShellIconCache
2008-04-24 06:53:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 22:22:30 0 d-------- C:\Program Files\Java
2008-04-19 19:32:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-17 08:14:09 0 d-------- C:\Program Files\Accessories
2008-04-17 08:09:55 0 d-------- C:\Program Files\CreditCure


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-04-24 22:50:17 ------------

Edited by TMacK, 24 April 2008 - 10:37 PM.


#4 Grinler (Lawrence Abrams, Admin)

Posted 25 April 2008 - 06:23 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis log as a reply to this topic.

#5 chriscross50 (Topic Starter)

Posted 25 April 2008 - 01:28 PM

ComboFix 08-04-24.1 - Admin 2008-04-25 13:03:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 01:42 . 2005-11-01 08:00 388,608 --a------ C:\WINDOWS\system32\CF6026.exe
2008-04-22 23:43 . 2008-04-22 23:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-22 16:25 . 2008-04-22 16:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 16:25 . 2008-04-22 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 16:25 . 2008-04-22 16:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-04-22 00:30 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 00:30 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-21 12:41 . 2008-04-21 12:41 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-21 11:31 . 2008-04-21 11:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-21 10:48 . 2008-04-23 19:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-21 10:48 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-21 01:11 . 2008-04-23 05:06 <DIR> d-------- C:\SDFix
2008-04-21 00:37 . 2008-04-21 00:37 <DIR> d-------- C:\Program Files\IObit
2008-04-20 14:16 . 2008-04-20 14:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-17 04:33 . 2008-04-20 23:37 <DIR> d-------- C:\panzer2
2008-04-14 22:19 . 2008-04-14 22:19 <DIR> d-------- C:\Program Files\ESET
2008-04-14 22:19 . 2008-04-14 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-07 06:52 . 2008-04-07 06:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 16:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 16:40 --------- d-----w C:\Program Files\Common Files\Real
2008-04-21 16:37 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-21 16:37 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-21 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 10:56 --------- d-----w C:\Documents and Settings\Admin\Application Data\eBookPro6
2008-04-17 05:37 --------- d-----w C:\Program Files\Real
2008-04-17 05:35 --------- d-----w C:\Program Files\Citrix
2008-04-17 05:17 --------- d-----w C:\Program Files\Conference
2008-04-15 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-15 02:07 --------- d-----w C:\Documents and Settings\Admin\Application Data\PC Tools
2008-04-15 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 13:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:35 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-04 17:58 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVG7
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-10-05 18:16 14 ----a-w C:\Documents and Settings\Admin\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-11-01 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 12:41 1245184]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
R3 G200;G200;C:\WINDOWS\system32\DRIVERS\G200m.sys [2001-08-17 08:49]
R3 wdm_au8810;Aureal Vortex 8810 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8810.sys [2001-08-17 13:19]
S3 Aldebaran;Aldebaran - Storage Filter Drivers;C:\WINDOWS\system32\Drivers\Aldebaran.sys []
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 09:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 23:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-05 20:11:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 13:14:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 13:18:58
ComboFix-quarantined-files.txt 2008-04-25 17:18:19
ComboFix2.txt 2008-04-25 05:52:26
ComboFix3.txt 2008-04-25 05:40:25
ComboFix4.txt 2008-04-23 15:22:45

Pre-Run: 501,293,056 bytes free
Post-Run: 474,681,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=7OHJEB /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=7OHJEB-BAK
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

113 --- E O F --- 2008-04-15 11:38:40
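The boot.ini that ComboFix appended to the log above is the part of this post worth reading closely, because the first [operating systems] entry carries a /Kernel switch pointing at something other than the stock ntoskrnl.exe. On XP the boot screen bitmap is a resource inside the kernel image, so a swapped boot screen normally shows up exactly this way: a patched copy of the kernel loaded via /Kernel. The parser below is an added example written for this page; it is not ComboFix's code or anything from the thread. It parses a boot.ini constructed from the one quoted above and reports every entry that loads a non-default kernel or carries a switch outside a short, assumed list of common NTLDR switches (KNOWN_SWITCHES is my own partial list, not an authoritative one).

```python
"""Audit a Windows XP boot.ini for non-stock boot entries.

Added example for this thread, not ComboFix's or the poster's code.
The sample boot.ini is constructed to mirror the one quoted in the log.
"""
import re

# Constructed sample: the [operating systems] block matches the one in the ComboFix log above.
SAMPLE_BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=7OHJEB /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=7OHJEB-BAK
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Assumption: a partial list of documented NTLDR switches that a stock XP install may carry.
# Anything not in this set (and not /kernel, which is handled separately) is reported.
KNOWN_SWITCHES = {
    "/noexecute", "/fastdetect", "/cmdcons", "/safeboot", "/bootlog",
    "/sos", "/basevideo", "/pae", "/3gb", "/nodebug", "/numproc",
}

DEFAULT_KERNEL = "ntoskrnl.exe"

# One boot entry: <arc path or file>="<menu label>" <switches...>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Split boot.ini into sections; keys are lower-cased section names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def parse_entries(text):
    """Return the [operating systems] entries as dicts with a switch map."""
    entries = []
    for line in parse_boot_ini(text).get("operating systems", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        switches = {}
        for sw in m.group("switches").split():
            name, _, value = sw.partition("=")
            # Switch names are case-insensitive for NTLDR; values are kept verbatim.
            switches[name.lower()] = value or None
        entries.append({"path": m.group("path"), "label": m.group("label"), "switches": switches})
    return entries


def audit_entries(entries):
    """Return (label, finding) pairs for entries that deviate from a stock install."""
    findings = []
    for e in entries:
        kernel = e["switches"].get("/kernel")
        if kernel is not None and kernel.lower() != DEFAULT_KERNEL:
            findings.append((e["label"], f"loads non-default kernel {kernel} (stock is {DEFAULT_KERNEL})"))
        unknown = sorted(s for s in e["switches"] if s not in KNOWN_SWITCHES and s != "/kernel")
        if unknown:
            findings.append((e["label"], "unrecognised switches: " + ", ".join(unknown)))
    return findings


if __name__ == "__main__":
    for label, finding in audit_entries(parse_entries(SAMPLE_BOOT_INI)):
        print(f"[{label}] {finding}")
```

Run against the constructed sample it reports three findings: the primary entry for both the /Kernel=TUKernel.exe override and the unrecognised /TUTag switch, and the "TuneUp Backup" entry for its /TUTag. The Recovery Console entry is silent because /cmdcons is a standard switch. A non-default /Kernel is not a verdict on its own; what matters is whether the file it names is accounted for, which is the question the later replies in this thread turn to.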

#6 Grinler (Lawrence Abrams, Admin)

Posted 25 April 2008 - 01:32 PM

Go here and fill in the required fields and browse to this file on your desktop.

C:\WINDOWS\system32\CF6026.exe

Finally click on the Send File button.

#7 chriscross50 (Topic Starter)

Posted 25 April 2008 - 01:42 PM

I see the file. It's a prompt screen, with a cursor. So what next?

#8 chriscross50 (Topic Starter)

Posted 25 April 2008 - 01:51 PM

I got It...File already sent!!

#9 Grinler (Lawrence Abrams, Admin)

Posted 25 April 2008 - 04:54 PM

You can delete that file. Otherwise, I am not seeing anything at all wrong with the computer.

I am still a bit confused by the screens. Any chance of making a screenshot of one, or are they happening before Windows even starts?

#10 chriscross50 (Topic Starter)

Posted 25 April 2008 - 07:25 PM

If you don't mind me asking, what did you see in the file....

These are the last few posts from a thread that was closed earlier today??

chriscross50 (post Yesterday, 03:00 PM, Post #4):

Let me try to clarify...
1) The first screen that appears is a "white" screen that has the Compaq logo w/the hourglass in bottom left corner.
2) Seconds later, the regular windows XP screen appears, with a name in the bottom left corner.
3) Then seconds later, another windows XP screen appears with the same name " |_| swissboy" in the bottom left hand corner.
4) Then computer starts to load programs and Icons.

Just yesterday while I was on, I had multiple screens open. Then all of a sudden, everything minimized on its own, and it asked me to download some sort of virus protection. Obviously, I clicked cancel, then had to close it.....Then all of a sudden it started downloading on its own, so I QUICKLY PULLED THE PLUG; and haven't been on it since.

Hope that helps more.....
Grinler (post Yesterday, 03:03 PM, Post #5):
I advise you to post a log using these instructions.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Something sounds strange and it is hard to diagnose this without a deeper look into your computer's config.



--------------------
Lawrence
Go to the top of the page


+Quote Post
TMacK
View Member Profile
Add as Friend
Send Message
Find Member's Topics
Find Member's Posts

post Today, 01:14 AM
Post #6


Bleepin' Mod
******

Group: Moderator
Posts: 4,035
Joined: 18-March 06
From: B.C. Canada
Member No.: 59,826




Hello chriscross50,

I see you have an open HJT log posted in the HijackThis Logs and Malware Removal forum.
I have merged the DSS Log you had posted in this topic, with your original HijackThis Log.
You shouldn't make any changes to your system, while your HJT log is posted, as that could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.



--------------------

Join Bleeping Computers Folding@home Team and Help find a cure.
I am thankful for laughter, except when milk comes out of my nose. ~Woody Allen

#11 Grinler (Lawrence Abrams, Admin)

Posted 27 April 2008 - 01:24 PM

Looks like someone changed the default boot screen of your computer. Read here:

http://themes.belchfire.net/index.php?showtopic=8800

Was this computer given to you by someone? Is anyone else using it?

Did you ever change the boot screen?

#12 chriscross50 (Topic Starter)

Posted 27 April 2008 - 02:28 PM

Lawrence,
I bought it 1.5 years ago, from a guy that builds/sells them. I never changed anything on it. I just plugged it up and started using it. No one else uses it but me. So, how could this happen?? Could it be done by e-mail, downloaded attachment, redirected website?? How?? So, what type of issues would this cause?? What has been happening?? It sounds a bit scary, as to what the possibilities are.....What's your assessment on it??
When I got it, the memory had been upgraded, as well as Windows XP added. This is what was told to me. I don't know what operating system was on it previously..

Edited by chriscross50, 27 April 2008 - 05:56 PM.


#13 Grinler (Lawrence Abrams, Admin)

Posted 27 April 2008 - 06:29 PM

Have you had these swissboy screens since you purchased the computer? Or did this start happening recently?

#14 chriscross50 (Topic Starter)

Posted 27 April 2008 - 07:45 PM

It only started happening in the last 4-5 weeks. I don't use it often.

#15 Grinler (Lawrence Abrams, Admin)

Posted 28 April 2008 - 06:45 AM

Any chance you can take a picture of the screens and upload them to photobucket.com so you can insert them into this topic? I would love to see exactly what we are looking at. If it is a situation where the boot screen has been changed, I will probably need to refer you to the XP forum here as it is out of my skillset.
