Kesenjangansosial.exe


15 replies to this topic

#1 rm_-rf_windows

Posted 03 September 2008 - 06:21 AM

I recently bought a used computer with Windows XP (the person who sold the computer to me lost all of the installation disks).

When the computer boots, I always get this message (by the way, everything is in French on this version of Windows XP, 'France' French):

Windows ne trouve pas "'C:\WINDOWS\KesenjanganSosial.exe'". Vérifiez que vous avez entré le nom correctement et essayez à nouveau. Pour rechercher un fichier, cliquez sur le bouton Démarrer, puis sur Rechercher.


Before I get into the HiJackThis log file, I would like to mention that the computer sometimes shuts off inadvertently. This is the message I get when it shuts off (blue screen...):

Un problème a été détecté et Windows a été arrêté afin de prévenir tout dommage sur votre ordinateur.

PAGE_FAULT_IN_NONPAGED_AREA

Si vous voyez cet écran d'erreur d'arrêt pour la première fois, redémarrez votre ordinateur. Si cet écran apparaît encore, suivez ces étapes :

Assurez-vous que tout nouveau matériel ou logiciel est installé correctement.
S'il s'agit d'une nouvelle installation, consultez votre fabrican de matériel ou de logiciel
afin d'obtenir les mises à jour windows dont vous avez besoin.

Si les problèmes persistent, désactivez ou supprimez tout matériel ou tout logiciel nouvellement installé. Désactivez les options de mémoire du BIOS telles que la mise en cache ou l'ombrage.
Si vous êtes obligé d'utiliser le Mode sans échec pour supprimer ou désactiver des composants, redémarrez votre ordinateur, appuyez sur F8 pour sélectionner les options de démarrage avancées, puis
sélectionnez le mode sans échec.

Information techniques :

*** STOP: 0x00000050 (0xC0911764, 0x00000000, 0x804E70D5, 0x00000002)

Début du vidage de la mémoire physique.
Vidage de la mémoire physique terminée.
Contactez votre administrateur système ou votre groupe de support technique pour plus...



I had a look on the Net and found a similar message (i.e., the "KesenjanganSosial.exe" one) with suggestions to use various known anti-spyware programs, etc. Also recommended were HiJackThis and CleanUp. I ran CleanUp. I also ran HiJackThis and compared the results with others on the Net having the same or a similar problem. Unfortunately, the information in the hijackthis.log file wasn't the same, and so I couldn't simply follow the instructions on the Net. The message still appears when booting.

Here are the contents of the hijackthis.log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:15:09, on 27/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6033 bytes


I'd like to clean up this computer as I cannot depend on it for the time being. It could just shut off at any moment and I'd lose all of my data!

Many thanks, and I'd appreciate any help you can offer.


#2 rm_-rf_windows (Topic Starter)

Posted 13 September 2008 - 06:10 PM

It's been almost two weeks and I haven't had any response to my post. I have included a good amount of information; there must be someone out there who can give me a hand...

Many thanks.

#3 Grinler (Lawrence Abrams, Admin)

Posted 21 September 2008 - 08:43 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#4 rm_-rf_windows (Topic Starter)

Posted 06 November 2008 - 09:32 PM

I just received your message. I had lost hope and therefore had not checked to see if anybody had answered. I would appreciate a response if you think you could help me.

Many thanks.

#5 Grinler (Lawrence Abrams, Admin)

Posted 07 November 2008 - 01:38 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#6 rm_-rf_windows (Topic Starter)

Posted 14 November 2008 - 02:46 PM

Hiya !

I've done what you said to do. My Internet connection failed at one point (during the Windows Recovery Console installation process or something like that, on Windows XP Family Edition SP2, French... that is, that's what I THINK was happening at the time...). The program continued nevertheless afterwards, and I also got another notice saying "continue", "cancel" or "???" (don't remember).

ComboFix then did its thing and ended gracefully leaving the log report which I've included at the end of this message.

However, one good thing: when I rebooted, I no longer got the "15 messages" message before signing in, and the Kesenjangansosial.exe "OK" message window did not appear on reboot. Your program therefore did some cleaning up; however, time will tell how much cleaning up has been done. Many thanks, things look rather good.

The blue screen with the error message that I get only happens once every 2 or 3 months; however, it usually happens when I've used my computer for many hours. I'll try to report back even if everything's all fixed up to let you know... It's the least I can do, as it looks to me that you've fixed things up for me.

Many thanks,

rm_-rf_-windows


ComboFix log:

ComboFix 08-11-12.02 - sarah 2008-11-14 20:28:24.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.43 [GMT 1:00]
Lancé depuis: c:\documents and settings\sarah\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\sarah\Bureau\WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
* Un nouveau point de restauration a été créé
.

((((((((((((((((((((((((((((( Fichiers créés du 2008-10-14 au 2008-11-14 ))))))))))))))))))))))))))))))))))))
.

2008-11-07 03:02 . 2008-11-07 03:02 <REP> d-------- c:\program files\MSXML 4.0
2008-11-06 16:38 . 2008-11-07 05:39 <REP> d-------- c:\windows\system32\CatRoot_bak
2008-11-06 16:33 . 2008-06-14 18:59 272,768 --------- c:\windows\system32\drivers\bthport.sys
2008-11-06 16:33 . 2008-06-14 18:59 272,768 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-06 16:19 . 2008-11-06 16:19 <REP> d-------- c:\program files\Fichiers communs\xing shared

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-06 15:19 --------- d-----w c:\program files\Fichiers communs\Real
2008-11-06 15:17 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-09-15 15:39 1,846,144 ----a-w c:\windows\system32\win32k.sys
2008-09-01 21:51 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-08-26 08:11 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:44 2,182,400 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:44 2,059,776 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-04-17 14:14 696,814 -c--a-w c:\program files\uTorrent-1.6.1-install.exe
2007-03-10 13:15 4,909,120 -c--a-w c:\program files\picasa2Setup.exe
2004-08-05 12:00 1,392,671 --sh--r c:\windows\system32\msvbvm60.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-07-29 1177368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2008-11-06 185872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Nikon Monitor.lnk - c:\program files\Fichiers communs\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_06\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8441:TCP"= 8441:TCP:BitComet 8441 TCP
"8441:UDP"= 8441:UDP:BitComet 8441 UDP
"13883:TCP"= 13883:TCP:NortonAV
"16927:TCP"= 16927:TCP:NortonAV
"15459:TCP"= 15459:TCP:NortonAV
"13964:TCP"= 13964:TCP:NortonAV
"13151:TCP"= 13151:TCP:NortonAV
"17112:TCP"= 17112:TCP:NortonAV
"16515:TCP"= 16515:TCP:NortonAV
"14385:TCP"= 14385:TCP:NortonAV
"13783:TCP"= 13783:TCP:NortonAV
"15138:TCP"= 15138:TCP:NortonAV
"12941:TCP"= 12941:TCP:NortonAV
"14705:TCP"= 14705:TCP:NortonAV
"18642:TCP"= 18642:TCP:NortonAV
"16475:TCP"= 16475:TCP:NortonAV
"12599:TCP"= 12599:TCP:NortonAV
"18811:TCP"= 18811:TCP:NortonAV
"13380:TCP"= 13380:TCP:NortonAV
"18023:TCP"= 18023:TCP:NortonAV
"16635:TCP"= 16635:TCP:NortonAV
"15088:TCP"= 15088:TCP:NortonAV
"16574:TCP"= 16574:TCP:NortonAV
"16589:TCP"= 16589:TCP:NortonAV
"13024:TCP"= 13024:TCP:NortonAV
"13126:TCP"= 13126:TCP:NortonAV
"17361:TCP"= 17361:TCP:NortonAV
"17890:TCP"= 17890:TCP:NortonAV
"12130:TCP"= 12130:TCP:NortonAV
"16254:TCP"= 16254:TCP:NortonAV
"16176:TCP"= 16176:TCP:NortonAV
"17914:TCP"= 17914:TCP:NortonAV
"12632:TCP"= 12632:TCP:NortonAV
"18990:TCP"= 18990:TCP:NortonAV
"13035:TCP"= 13035:TCP:NortonAV

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-29 96520]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-29 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-29 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-29 75272]
R3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2004-08-09 237568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24e194c-6ca6-11dd-8cc4-000ea6382208}]
\Shell\AutoRun\command - J:\podcastready.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec88942e-0baa-11db-ac33-000ea6382208}]
\Shell\AutoRun\command - J:\ntde1ect.com
\Shell\explore\Command - J:\ntde1ect.com
\Shell\open\Command - J:\ntde1ect.com

*Newly Created Service* - PROCEXP90
.
Contenu du dossier 'Tâches planifiées'

2008-11-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE []
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-WhenUSave - c:\program files\Save\Save.exe
HKCU-Run-Tok-Cirrhatus-2124 - c:\documents and settings\sarah\Local Settings\Application Data\br5271on.exe


.
------- Examen supplémentaire -------
.
FireFox -: Profile - c:\documents and settings\sarah\Application Data\Mozilla\Firefox\Profiles\bs5de7qv.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 20:31:35
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Heure de fin: 2008-11-14 20:35:33
ComboFix-quarantined-files.txt 2008-11-14 19:35:29

Avant-CF: 11 134 566 400 octets libres
Après-CF: 11,157,102,592 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /noexecute=optin /fastdetect

150 --- E O F --- 2008-11-07 02:11:21

Edited by rm_-rf_windows, 14 November 2008 - 02:55 PM.
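Added example, not code from the thread or from the HijackThis/ComboFix authors: a Python triage pass over lines copied from the two logs above, implementing the checks a log helper applies by eye (the F2 Shell= hijack from post #1, Run entries starting outside the program folders, and the mountpoints2 AutoRun handlers of the kind the CFScript in post #8 later removes). The Indonesian-language names KesenjanganSosial, RakyatKelaparan and Bron-Spizaetus are markers of the Brontok worm family, which the thread never names. The TRUSTED_ROOTS baseline and the BOOT_FILES list are assumptions for this one XP machine.

```python
"""Triage of startup entries copied from HijackThis and ComboFix logs.

Flags: F2 Shell= values that launch anything besides Explorer.exe, O4 Run
entries starting outside the usual program folders, and mountpoints2
AutoRun handlers (with a look-alike test against NT boot-file names)."""
import re

# Sample input: lines reproduced from the HijackThis and ComboFix logs in this thread.
SAMPLE_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
\Shell\AutoRun\command - J:\podcastready.exe
\Shell\AutoRun\command - J:\ntde1ect.com
""".strip().splitlines()

# Assumed baseline for this XP box: folders Run entries are expected to start from.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

# Genuine NT boot files; a removable-drive payload one character away is a look-alike.
BOOT_FILES = ("ntdetect.com", "ntldr", "boot.ini", "ntoskrnl.exe")

# First executable in a command line, quoted or unquoted, spaces in the path allowed.
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat|cmd))"?(?=\s|$)', re.I)
_MP_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
_O4_RE = re.compile(r"^O4 - .*?: \[(.*?)\]\s*(.+)$")

def first_executable(command):
    """Return the program a Run/Shell value launches, or '' if none is found."""
    m = _EXE_RE.match(command.strip())
    return m.group(1) if m else ""

def check_shell(value):
    """Return every program in a Shell= value other than Explorer.exe."""
    rest, launched = value.strip(), []
    while rest:
        exe = first_executable(rest)
        if not exe:                 # trailing text we cannot parse: report it whole
            launched.append(rest)
            break
        launched.append(exe)
        rest = re.sub(r'^"?' + re.escape(exe) + r'"?\s*', "", rest, count=1)
    return [e for e in launched if e.lower() != "explorer.exe"]

def check_run(command):
    """Return a note if an O4 Run command starts outside TRUSTED_ROOTS, else None."""
    exe = first_executable(command)
    if not exe:
        return "cannot determine the executable"
    if any(exe.lower().startswith(root) for root in TRUSTED_ROOTS):
        return None
    return f"runs from outside the usual program folders: {exe}"

def hamming_one(a, b):
    """True when two equal-length names differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def check_mountpoint(line):
    """Describe a mountpoints2 AutoRun/open/explore handler, or None for other lines."""
    m = _MP_RE.match(line.strip())
    if not m:
        return None
    verb, target = m.group(1), m.group(2).strip()
    name = target.rsplit("\\", 1)[-1].lower()
    note = f"{verb} handler for a removable drive launches {target}"
    lookalike = next((b for b in BOOT_FILES if hamming_one(name, b)), None)
    if lookalike:
        note += f" (name is one character off {lookalike})"
    return note

def triage(lines):
    """Return (line, finding) pairs for every suspicious entry in lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("F2 ") and "Shell=" in line:
            extras = check_shell(line.split("Shell=", 1)[1])
            if extras:
                findings.append((line, "Shell hijack, extra program(s): " + ", ".join(extras)))
        elif line.startswith("O4 "):
            m = _O4_RE.match(line)
            problem = check_run(m.group(2)) if m else None
            if problem:
                findings.append((line, f"Run entry [{m.group(1)}] {problem}"))
        else:
            note = check_mountpoint(line)
            if note:
                findings.append((line, note))
    return findings

if __name__ == "__main__":
    for entry, finding in triage(SAMPLE_LINES):
        print(f"{finding}\n    {entry}")
```

Anything the script does not flag still needs a human eye: the baseline is a whitelist of folders, not of files, so a payload dropped into Program Files or system32 passes the O4 check.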


#7 rm_-rf_windows (Topic Starter)

Posted 15 November 2008 - 02:39 AM

Hi again!

I just restarted my computer and still have two small problems:

1/ My clock resets to 1 January 2002 every time I restart my computer
2/ The message when booting and before signing in as a user still shows "15 unread messages"

However, the Kesenjangansosial.exe window no longer appears when opening a session/booting, which is wonderful.

Why is the clock acting up? Could this have something to do with the problems I'm having?

Many thanks.

#8 Grinler (Lawrence Abrams, Admin)

Posted 15 November 2008 - 10:26 PM

Download Flash_Disinfector from HERE and save it to your Desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Note: This utility will create a file "Autorun.inf" on all removable storage devices, and protect the file with attributes making it a System, Hidden, Read-only file. You would be best served to leave these files be. They are designed to prevent common Autorun malware infections from using this same file to launch repeated infections. This is a protection mechanism and the file should be left alone.

When this is all done, reboot, and go on with the rest of the instructions.

Then,

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

WhenU Save or any WhenU related programs.
Save

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
c:\program files\Save\

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec88942e-0baa-11db-ac33-000ea6382208}]


Save this as the text file CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#9 rm_-rf_windows (Topic Starter)

Posted 16 November 2008 - 05:26 PM

I reset the clock using the setup menu prior to doing what you said to do in your previous post.

I then did exactly what you said in your post.

There were no "WhenU" programs installed on my box.

log.txt

ComboFix 08-11-12.02 - sarah 2008-11-16 22:57:58.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.48 [GMT 1:00]
Lancé depuis: c:\documents and settings\sarah\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\sarah\Bureau\CFScript
* Un nouveau point de restauration a été créé
.

((((((((((((((((((((((((((((( Fichiers créés du 2008-10-16 au 2008-11-16 ))))))))))))))))))))))))))))))))))))
.

2008-11-07 03:02 . 2008-11-07 03:02 <REP> d-------- c:\program files\MSXML 4.0
2008-11-06 16:38 . 2002-01-01 00:16 <REP> d-------- c:\windows\system32\CatRoot_bak
2008-11-06 16:33 . 2008-06-14 18:59 272,768 --------- c:\windows\system32\drivers\bthport.sys
2008-11-06 16:33 . 2008-06-14 18:59 272,768 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-06 16:19 . 2008-11-06 16:19 <REP> d-------- c:\program files\Fichiers communs\xing shared

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-06 15:19 --------- d-----w c:\program files\Fichiers communs\Real
2008-11-06 15:17 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-09-15 15:39 1,846,144 ----a-w c:\windows\system32\win32k.sys
2008-09-01 21:51 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-08-26 08:11 826,368 ----a-w c:\windows\system32\wininet.dll
2007-04-17 14:14 696,814 -c--a-w c:\program files\uTorrent-1.6.1-install.exe
2007-03-10 13:15 4,909,120 -c--a-w c:\program files\picasa2Setup.exe
2004-08-05 12:00 1,392,671 --sh--r c:\windows\system32\msvbvm60.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_20.34.42,82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-01-01 07:36:56 2,092 ----a-w c:\windows\SoftwareDistribution\EventCache\{7C01FEBE-8696-48C2-9007-8FD93598F40C}.bin
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-07-29 1177368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2008-11-06 185872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Nikon Monitor.lnk - c:\program files\Fichiers communs\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_06\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8441:TCP"= 8441:TCP:BitComet 8441 TCP
"8441:UDP"= 8441:UDP:BitComet 8441 UDP
"13883:TCP"= 13883:TCP:NortonAV
"16927:TCP"= 16927:TCP:NortonAV
"15459:TCP"= 15459:TCP:NortonAV
"13964:TCP"= 13964:TCP:NortonAV
"13151:TCP"= 13151:TCP:NortonAV
"17112:TCP"= 17112:TCP:NortonAV
"16515:TCP"= 16515:TCP:NortonAV
"14385:TCP"= 14385:TCP:NortonAV
"13783:TCP"= 13783:TCP:NortonAV
"15138:TCP"= 15138:TCP:NortonAV
"12941:TCP"= 12941:TCP:NortonAV
"14705:TCP"= 14705:TCP:NortonAV
"18642:TCP"= 18642:TCP:NortonAV
"16475:TCP"= 16475:TCP:NortonAV
"12599:TCP"= 12599:TCP:NortonAV
"18811:TCP"= 18811:TCP:NortonAV
"13380:TCP"= 13380:TCP:NortonAV
"18023:TCP"= 18023:TCP:NortonAV
"16635:TCP"= 16635:TCP:NortonAV
"15088:TCP"= 15088:TCP:NortonAV
"16574:TCP"= 16574:TCP:NortonAV
"16589:TCP"= 16589:TCP:NortonAV
"13024:TCP"= 13024:TCP:NortonAV
"13126:TCP"= 13126:TCP:NortonAV
"17361:TCP"= 17361:TCP:NortonAV
"17890:TCP"= 17890:TCP:NortonAV
"12130:TCP"= 12130:TCP:NortonAV
"16254:TCP"= 16254:TCP:NortonAV
"16176:TCP"= 16176:TCP:NortonAV
"17914:TCP"= 17914:TCP:NortonAV
"12632:TCP"= 12632:TCP:NortonAV
"18990:TCP"= 18990:TCP:NortonAV
"13035:TCP"= 13035:TCP:NortonAV

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-29 96520]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-29 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-29 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-29 75272]
S3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2004-08-09 237568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24e194c-6ca6-11dd-8cc4-000ea6382208}]
\Shell\AutoRun\command - J:\podcastready.exe
.
Contenu du dossier 'Tâches planifiées'

2008-11-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 23:04:21
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Heure de fin: 2008-11-16 23:09:43
ComboFix-quarantined-files.txt 2008-11-16 22:09:34
ComboFix2.txt 2008-11-14 19:35:35

Avant-CF: 11 318 767 616 octets libres
Après-CF: 11,305,512,960 octets libres

131 --- E O F --- 2008-11-07 02:11:21



hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:11:55, on 16/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Fichiers communs\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://D:\Mes Documents\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Mes Documents\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6736 bytes


Many thanks,

rm_-rf_windows

#10 Grinler (Lawrence Abrams, Admin)

Posted 17 November 2008 - 04:52 PM

The time resetting looks like a battery issue on your motherboard. Does this happen each time you physically turn off your computer? If you go into your BIOS when you first turn on your computer, does it show the wrong time? To get into the BIOS, press F1, F2, or Del when you first start your computer. You should see a message stating to press a key to enter setup.

What mail program do you use?


Next,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Suspect::
c:\windows\system32\msvbvm60.dll
c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot of dragging CFScript onto ComboFix.exe not reproduced)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#11 rm_-rf_windows (Topic Starter)

Posted 18 November 2008 - 05:48 PM

Hi again Grinler,

I don't use an email program (like Outlook...). In fact, I rarely connect to the Internet with the computer in question. I bought the thing used, so if it is infected with malware, it surely happened before I bought it.

I had the same thought regarding the clock (i.e., battery problem). I have a couple of old motherboards lying around with batteries in them; I could open the box up and replace the battery to see if it makes any difference.

At the end of the ComboFix scan, I got a message asking me to connect to the Internet to send a file to bleepingcomputer.com, which I did. The file was
"[4]-Submit_2008-11-18@23.16 (716 Ko)"

Cheers,

rm_-rf_windows


log.txt

ComboFix 08-11-12.02 - sarah 2008-11-18 23:16:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1036.18.50 [GMT 1:00]
Running from: c:\documents and settings\sarah\Bureau\ComboFix.exe
Command switches used :: c:\documents and settings\sarah\Bureau\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 ))))))))))))))))))))))))))))))))))))
.

2008-11-17 00:14 . 2008-11-17 00:14 <DIR> d--hs---- c:\documents and settings\sarah\UserData
2008-11-07 03:02 . 2008-11-07 03:02 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-06 16:38 . 2008-11-17 00:15 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-06 16:33 . 2008-06-14 18:59 272,768 --------- c:\windows\system32\drivers\bthport.sys
2008-11-06 16:33 . 2008-06-14 18:59 272,768 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-06 16:19 . 2008-11-06 16:19 <DIR> d-------- c:\program files\Fichiers communs\xing shared

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 23:19 --------- d-----w c:\documents and settings\sarah\Application Data\AVGTOOLBAR
2008-11-14 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-06 15:19 --------- d-----w c:\program files\Fichiers communs\Real
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-01 21:51 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-04-17 14:14 696,814 -c--a-w c:\program files\uTorrent-1.6.1-install.exe
2007-03-10 13:15 4,909,120 -c--a-w c:\program files\picasa2Setup.exe
2004-08-05 12:00 1,392,671 --sh--r c:\windows\system32\msvbvm60.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_20.34.42,82 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-16 22:38:25 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2008-11-16 21:41:10 4,762 ----a-w c:\windows\SoftwareDistribution\EventCache\{B4A9922F-8089-449C-899B-8DA60EAF287B}.bin
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
- 2007-06-26 06:09:14 1,104,896 -c--a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:45:11 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
- 2007-06-26 06:09:14 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:45:11 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2007-05-08 14:03:04 1,275,392 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 15:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2007-05-15 13:43:10 1,320,800 ----a-w c:\windows\system32\msxml6.dll
+ 2008-08-29 19:06:44 1,350,664 ----a-w c:\windows\system32\msxml6.dll
- 2007-11-30 11:19:06 18,296 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:03:54 18,296 ------w c:\windows\system32\spmsg.dll
+ 2008-09-30 15:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 15:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-07-29 1177368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2008-11-06 185872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Nikon Monitor.lnk - c:\program files\Fichiers communs\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_06\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8441:TCP"= 8441:TCP:BitComet 8441 TCP
"8441:UDP"= 8441:UDP:BitComet 8441 UDP
"13883:TCP"= 13883:TCP:NortonAV
"16927:TCP"= 16927:TCP:NortonAV
"15459:TCP"= 15459:TCP:NortonAV
"13964:TCP"= 13964:TCP:NortonAV
"13151:TCP"= 13151:TCP:NortonAV
"17112:TCP"= 17112:TCP:NortonAV
"16515:TCP"= 16515:TCP:NortonAV
"14385:TCP"= 14385:TCP:NortonAV
"13783:TCP"= 13783:TCP:NortonAV
"15138:TCP"= 15138:TCP:NortonAV
"12941:TCP"= 12941:TCP:NortonAV
"14705:TCP"= 14705:TCP:NortonAV
"18642:TCP"= 18642:TCP:NortonAV
"16475:TCP"= 16475:TCP:NortonAV
"12599:TCP"= 12599:TCP:NortonAV
"18811:TCP"= 18811:TCP:NortonAV
"13380:TCP"= 13380:TCP:NortonAV
"18023:TCP"= 18023:TCP:NortonAV
"16635:TCP"= 16635:TCP:NortonAV
"15088:TCP"= 15088:TCP:NortonAV
"16574:TCP"= 16574:TCP:NortonAV
"16589:TCP"= 16589:TCP:NortonAV
"13024:TCP"= 13024:TCP:NortonAV
"13126:TCP"= 13126:TCP:NortonAV
"17361:TCP"= 17361:TCP:NortonAV
"17890:TCP"= 17890:TCP:NortonAV
"12130:TCP"= 12130:TCP:NortonAV
"16254:TCP"= 16254:TCP:NortonAV
"16176:TCP"= 16176:TCP:NortonAV
"17914:TCP"= 17914:TCP:NortonAV
"12632:TCP"= 12632:TCP:NortonAV
"18990:TCP"= 18990:TCP:NortonAV
"13035:TCP"= 13035:TCP:NortonAV

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-29 96520]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-29 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-29 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-29 75272]
S3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2004-08-09 237568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24e194c-6ca6-11dd-8cc4-000ea6382208}]
\Shell\AutoRun\command - J:\podcastready.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 23:22:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-18 23:27:18
ComboFix-quarantined-files.txt 2008-11-18 22:27:09
ComboFix2.txt 2008-11-16 22:09:47
ComboFix3.txt 2008-11-14 19:35:35

Pre-Run: 11,201,794,048 bytes free
Post-Run: 11,189,256,192 bytes free

150 --- E O F --- 2008-11-16 23:27:46



hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:56, on 18/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Fichiers communs\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://D:\Mes Documents\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Mes Documents\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6750 bytes

#12 Grinler (Lawrence Abrams, Admin)

Posted 21 November 2008 - 10:40 AM

Sorry for the delay. For the email counter on the logon screen, read this thread and see if it helps:

http://groups.google.com/group/microsoft.p...e+read+first%22

Let's check one last thing, but the logs are clean.

Download gmer from http://www.gmer.net & unzip it to desktop

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here

#13 rm_-rf_windows (Topic Starter)

Posted 21 November 2008 - 05:01 PM

Grinler,

I replaced the battery and the clock seems to be working properly. After replacing the battery, I no longer got the "unread messages" message.

I did nevertheless run a scan using TweakUI as well as GMER. I assume the GMER log you are talking about is what is in the Log tab (although it would have been impossible to copy and paste, or at least I couldn't figure out how one might do that). After the scan, the Log tab was empty. If there is another log somewhere, let me know where it is and I'll post it in this thread.

It looks as though the problem has been solved, the computer seems to be running better than ever. What was wrong in the first place? How malicious was the malware in my computer?

I do have one final question, regarding clocks/time... On two of my laptops, my clock runs one hour behind (British time? It's a French computer that's never been in the UK (laptop), but I often use google.co.uk...)... No matter what I do, the clock automatically sets back one hour earlier. I have made sure that the time zone is right (Brussels-Paris-Madrid, etc...). It's getting the time from time.windows.com (the other option is "time.nist.gov"), or at least that's what's listed in the last tab.

Many thanks for the excellent job in assisting me, and I hope my log files have been of some use to you as well.

rm_-rf_windows

#14 Grinler (Lawrence Abrams, Admin)

Posted 23 November 2008 - 10:42 PM

As for the time issue, I honestly do not know. I would suggest you ask about that in the Windows XP forum.

As for the malware, it was mostly a USB drive infection that spreads to other removable media and makes it so you can't see hidden files.

Other than that you are looking clean.

I would still like to see a GMER log. Once you run GMER, you should see a Scan button. Click on that, let it go, and when it's done, click on the Copy button. Then you can do a Ctrl-V in a reply in this topic.
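A small triage script, as an added example that is not part of this thread and is not ComboFix's or GMER's own code: it parses the two kinds of ComboFix log lines posted above and flags the indicators the clean-up in this thread acted on, namely the hidden/system attributes on msvbvm60.dll and PKP_DLdu.DAT (the two entries that went into the Suspect:: script) and the MountPoints2 AutoRun command pointing at J:, which is how a removable-media infection re-launches itself. The sample lines are copied from the ComboFix output posted earlier in the thread; reading the seven-letter attribute field with the usual DOS meanings (d = directory, s = system, h = hidden) and the directory heuristics are this example's assumptions, not documented ComboFix semantics.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Two line shapes are handled:
  * Find3M lines  "<date> <time> <size> <attrs> <path>"
  * a registry key in brackets followed by  "\\Shell\\AutoRun\\command - <cmd>"
Assumption: the 7-letter attribute field uses the usual DOS letters
(d = directory, s = system, h = hidden); the heuristics below are mine.
"""
import re
from typing import List, Tuple

FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
REGKEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)

WINDOWS_DIR = "c:\\windows\\"
SHARED_APPDATA = "c:\\documents and settings\\all users\\application data\\"

# Sample input: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2008-11-16 23:19 --------- d-----w c:\documents and settings\sarah\Application Data\AVGTOOLBAR
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-01 21:51 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2004-08-05 12:00 1,392,671 --sh--r c:\windows\system32\msvbvm60.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24e194c-6ca6-11dd-8cc4-000ea6382208}]
\Shell\AutoRun\command - J:\podcastready.exe
"""


def parse_size(field: str) -> int:
    """'1,392,671' -> 1392671; ComboFix prints '---------' for directories -> -1."""
    return int(field.replace(",", "")) if field[0].isdigit() else -1


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for lines worth a second look."""
    findings: List[Tuple[str, str]] = []
    current_key = ""  # most recent "[HKEY_...]" line seen, for AutoRun context
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            lower = path.lower()
            if "d" in attrs:  # directories are not interesting for these checks
                continue
            if "h" in attrs and "s" in attrs and lower.startswith(WINDOWS_DIR):
                # hidden+system on a plain file in the Windows tree is unusual
                findings.append(("hidden+system file in a Windows directory", path))
            elif "h" in attrs and lower.startswith(SHARED_APPDATA):
                size = parse_size(m["size"])
                findings.append((f"hidden file in shared Application Data ({size} bytes)", path))
            continue
        k = REGKEY_RE.match(line)
        if k:
            current_key = k["key"]
            continue
        a = AUTORUN_RE.match(line)
        if a and "mountpoints2" in current_key.lower():
            cmd = a["cmd"]
            drive = cmd[:2].upper()
            if drive != "C:":  # autorun handler pointing at removable media
                findings.append((f"MountPoints2 AutoRun command on drive {drive}", cmd))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

Run against the sample it reports the PKP_DLdu.DAT file, msvbvm60.dll and the J: AutoRun command, in that order, and nothing for the ordinary mrxsmb.sys line. The hidden+system check is deliberately narrow: a legitimate msvbvm60.dll is not normally marked hidden and system, which is the kind of oddity worth submitting for a closer look rather than proof of infection on its own.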

#15 rm_-rf_windows (Topic Starter)

Posted 03 December 2008 - 03:01 PM

Grinler,

Sorry about the delay. I didn't forget about you, I've simply been swamped with work...

By the way, the computer shut down inadvertently again since the last time I was in touch with you (blue screen with message described in one of my first posts (maybe it was the very first))...

Here's the gmer log:

gmer.log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-03 20:52:29
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----


Many thanks,

rm_-rf_windows



