
Log Posted For Possible Spyware/malware Removal


  • This topic is locked
3 replies to this topic

#1 chriscross50

chriscross50

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 27 April 2008 - 08:28 AM

Computer is having problems. When I run a "superantivirus" scan, the computer reboots itself before completing. I also ran the "advanced windows cleaner", and it detects and can resolve problems, except when it gets to the registry. It stays there for over 30 min and never finishes. I closed it, rebooted, and it does the same thing again. It never finishes. I'm thinking my problem is possibly malware; it could maybe also be something going on in the registry or the operating system. I hope I didn't have something deleted incorrectly... Scan is below:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-27 00:36:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:37, on 2008-04-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\S3apphk.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wistv.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 3819 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-26 21:25:42 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4fc.dat
2008-04-26 16:46:28 53248 --a------ C:\WINNT\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-26 14:55:11 68096 --a------ C:\WINNT\zip.exe
2008-04-26 14:55:11 49152 --a------ C:\WINNT\VFind.exe
2008-04-26 14:55:11 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 14:55:11 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 14:55:11 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 14:55:11 98816 --a------ C:\WINNT\sed.exe
2008-04-26 14:55:11 80412 --a------ C:\WINNT\grep.exe
2008-04-26 14:55:11 73728 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 12:12:51 11632 --a------ C:\WINNT\system32\drivers\mouhid.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:51 21776 --a------ C:\WINNT\system32\drivers\mouclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:42 30480 --a------ C:\WINNT\system32\pid.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:42 13904 --a------ C:\WINNT\system32\drivers\hidusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:41 18192 --a------ C:\WINNT\system32\hid.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:41 23056 --a------ C:\WINNT\system32\drivers\hidparse.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-26 12:12:41 24752 --a------ C:\WINNT\system32\drivers\hidclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-24 06:54:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-24 06:54:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-24 06:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-22 16:07:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-22 16:07:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 16:07:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 12:20:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_240.dat
2008-04-22 11:54:45 0 d-------- C:\Program Files\Alwil Software
2008-04-20 15:29:29 0 d-------- C:\WINNT\ERUNT
2008-04-20 11:51:09 3284 --a------ C:\WINNT\system32\ANIWZCS{E870496D-E5C8-45C9-83F3-7E070E1F5E64}
2008-04-19 22:46:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-04-19 22:42:00 0 d-------- C:\Program Files\IObit
2008-04-19 22:22:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-19 18:32:35 0 d-------- C:\Program Files\SpywareGuard
2008-04-19 18:13:40 0 d-------- C:\Program Files\SpywareBlaster
2008-04-19 16:02:28 0 d-------- C:\Program Files\Trend Micro
2008-04-19 15:05:07 40176 --a------ C:\WINNT\system32\drivers\usbhub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-04-26 16:36:20 1013886 ---h----- C:\WINNT\ShellIconCache
2008-04-24 06:53:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 22:22:30 0 d-------- C:\Program Files\Java
2008-04-19 19:32:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-17 08:14:09 0 d-------- C:\Program Files\Accessories
2008-04-17 08:09:55 0 d-------- C:\Program Files\CreditCure


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-04-27 00:38:43 ------------


#2 chriscross50

chriscross50
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 28 April 2008 - 01:18 PM

May need to install the recovery console too. Anyone have a suggestion?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:26 PM

Posted 13 May 2008 - 04:08 PM

Hello chriscross50,

Welcome back to Bleeping Computer :blink:

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:26 PM

Posted 23 May 2008 - 07:56 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
