
HijackThis Log Whaledude


16 replies to this topic

#1 whaledude

  • Members
  • 44 posts

Posted 08 September 2008 - 04:10 PM

I believe that I have some sort of infection. When connected to the Internet my C: drive is going crazy with activity as if someone else or something else is using my computer. I have run a Norton virus scan which found nothing. The same thing with Spy Bot Search and Destroy and Ad Aware.

Below is my HijackThis log.

I would greatly appreciate assistance determining if I am infected and, if yes, how I can clean my system.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:06 PM, on 9/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\ThrustMaster\ThrustMapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\.DEFAULT\..\Run: [azafy] etyz.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Configuration Loader] systrey.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Synchronization Manager] svshost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Instant Update Reminder.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A103F153-25B4-4BC1-BC85-36493347387D}: NameServer = 207.164.234.129 207.164.234.193
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4369 bytes

Thank you

Whaledude

#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 September 2008 - 04:19 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#3 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 14 October 2008 - 01:33 PM

Sorry for the delay. I just returned from vacation.

OK, I followed all of the steps in the "Preparation Guide for use before posting a HijackThis log" and the only thing that turned up was that Ad-Aware found and corrected 1 problem and Spybot S&D found and corrected 6 problems. All other scans were clean. My Windows 2000 is updated and I am running ZoneAlarm as a firewall. My Norton AntiVirus did not find anything.

As mentioned in my previous post my problem was when connected to the Internet my C: drive was going crazy with activity as if someone else or something else was using my computer. It seems to be fixed after I ran cleanmgr.

I use Firefox.

Here is my new HijackThis log. Please advise if I need to do something else.

Thanks, Whaledude

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:16 PM, on 10/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\ThrustMaster\ThrustMapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [azafy] etyz.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Configuration Loader] systrey.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Synchronization Manager] svshost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Instant Update Reminder.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4887 bytes

#4 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 31 October 2008 - 01:05 PM

Hi David,

Did you forget me? I have not received a response to my Oct. 14th post.

Thanks,

Whaledude

#5 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 12 November 2008 - 02:46 PM

I am still having problems when connected to the Internet, in that my C: drive is going crazy with activity as if someone else or something else was using my computer.

I followed all of the steps in the "Preparation Guide for use before posting a HijackThis log" and the only thing that turned up was that Ad-Aware found and corrected 1 problem and Spybot S&D found and corrected 6 problems. All other scans were clean. My Windows 2000 is updated and I am running ZoneAlarm as a firewall. My Norton AntiVirus did not find anything.

As requested, here is my new HijackThis log. Please advise if I must do something else to clean my system.

Thanks,

Whaledude

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:18 PM, on 11/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\ThrustMaster\ThrustMapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Instant Update Reminder.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A103F153-25B4-4BC1-BC85-36493347387D}: NameServer = 207.164.234.129 207.164.234.193
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4685 bytes

#6 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 18 November 2008 - 12:12 PM

Hi,

As requested, I have posted 2 HijackThis logs for evaluation since Oct 14th but have never received a reply. Can I expect a response soon, as I am still having the same problems as originally posted, i.e. my C: drive is going crazy with activity as if someone else or something else was using my computer?
Thank you
Whaledude

#7 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 04 December 2008 - 07:18 AM

I would like to know why I am not getting a reply?
As requested, I have posted 2 HijackThis logs for evaluation since Oct 14th but have never received a reply.
If I am doing something wrong then please let me know.
I followed the instructions that were sent to me by David on Sept. 23rd but still have had no response.
What gives?
Thank you

#8 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 29 December 2008 - 10:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

First,

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop
Please note that rootkit scans often produce false positives. Do not take action on any of the files found in this log without my supervision.

Next,

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Please save the DDS.txt and the Attach.txt file to your desktop. Then post the contents of the DDS.txt file as a reply to this topic, and in the same reply attach the Attach.txt and the Ark.txt, from the previous gmer run, to your reply. More information on how to attach a file can be found here.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

If I do not hear back from you within 5 days, I will unfortunately need to close this topic. You are more than welcome to open a new topic if you continue to have problems.

#9 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 30 December 2008 - 07:45 AM

Thank you for the quick reply. I was beginning to lose faith in Bleeping Computer as a reliable source of assistance for not so savvy computer users like me.

My problem is my C: drive is going crazy with activity as if someone else or something else was using my computer, and I do not know if it is an intruder or a valid program running in the background when I am connected to the internet.

As requested, here is the DDS.txt file, and attached are the Attach.txt and ARK.txt files.


DDS (Version 1.1.0) - NTFSx86
Run by user at 7:30:23.12 on Tue 12/30/2008
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.299 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {6F4F95AF-1647-4B72-A632-055405455423} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [ThrustTSR] c:\program files\thrustmaster\thrustmapper\TMTMTSR.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [CARPService] carpserv.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Instant Update Reminder.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: NavLogon - c:\winnt\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\d4ou3hik.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\sympatico\communicator\program\plugins\np32asw.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\NP32DSW.DLL
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\NPBeatSP.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\Npindeo.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\nppdf32.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\sympatico\communicator\program\plugins\npwmsdrm.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2006-4-13 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service []
R3 HSFHWCD2;HSFHWCD2;c:\winnt\system32\drivers\HSFHWCD2.sys [2007-6-8 153984]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\NAVENG.sys [2008-12-5 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\NAVEX15.sys [2008-12-5 876112]
S3 TGFoxPro;TM Top Gun Fox Pro;c:\winnt\system32\drivers\TGFoxPro.sys [2005-7-22 25504]
S4 ptssvc;ptssvc;c:\program files\kodak\kodak picture transfer software\PTSsvc.exe []

=============== Created Last 30 ================

2008-12-30 07:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_44c.dat
2008-12-30 07:16 250 a------- c:\winnt\gmer.ini
2008-12-29 21:37 32,768 a------- c:\winnt\_ds3.tmp
2008-12-13 06:43 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2008-12-29 21:21 4,212 ----h--- c:\winnt\system32\zllictbl.dat
2008-11-14 05:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1e0.dat
2008-10-31 18:21 32,768 a------- c:\winnt\_ds2.tmp
2008-10-23 00:27 237,840 a------- c:\winnt\system32\GDI32.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\WININET.DLL
2008-10-14 10:12 16,384 a------t c:\winnt\system32\Perflib_Perfdata_588.dat
2004-08-03 11:10 21,952 -c--h--- c:\program files\folder.htt
2004-08-03 11:10 271 -c--h--- c:\program files\desktop.ini
1999-12-07 03:00 32,528 ac------ c:\winnt\inf\wbfirdma.sys

============= FINISH: 7:31:23.84 ===============


Again thanks, and I look forward to your reply.

Whaledude

#10 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 01 January 2009 - 10:55 PM

Not seeing anything. Let's dig deeper.

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#11 whaledude

  • Topic Starter
  • Members
  • 44 posts

Posted 02 January 2009 - 12:07 PM

OK, I ran ComboFix. Here is the ComboFix log followed by the new HijackThis log.

ComboFix 09-01-01.02 - user 01/02/2009 11:54:21.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.388 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 21:07 32,768 ----a-w c:\winnt\_ds25.tmp
2008-12-30 02:37 32,768 ----a-w c:\winnt\_ds3.tmp
2008-12-13 11:43 --------- d-----w c:\program files\MSXML 4.0
2008-11-19 11:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 22:09 129,418 ----a-w c:\winnt\Internet Logs\vsmon_2nd_2008_11_15_16_21_28_small.dmp.zip
2008-11-14 11:18 3,710,976 ----a-w c:\winnt\Internet Logs\xDB1F.tmp
2008-11-06 11:24 --------- d-----w c:\program files\TrojanHunter 5.0
2008-10-31 23:21 32,768 ----a-w c:\winnt\_ds2.tmp
2008-10-23 05:27 237,840 ----a-w c:\winnt\system32\GDI32.DLL
2008-10-16 19:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-15 18:53 575,488 ----a-w c:\winnt\system32\WININET.DLL
2004-08-03 16:10 271 -c-h--w c:\program files\desktop.ini
2004-08-03 16:10 21,952 -c-h--w c:\program files\folder.htt
1999-12-07 08:00 32,528 -c--a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [09/16/08 11:16a 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [10/12/01 08:34p 143360]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/03 12:21a 90112]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [07/09/01 05:50a 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [11/25/03 11:36a 1232946]
"ThrustTSR"="c:\program files\ThrustMaster\ThrustMapper\TMTMTSR.exe" [10/11/00 11:15p 151552]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [03/12/06 07:52a 17408]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/08 08:05a 919016]
"Synchronization Manager"="mobsync.exe" [06/19/03 07:05a 111376 c:\winnt\system32\mobsync.exe]
"CARPService"="carpserv.exe" [12/18/02 04:15a 4608 c:\winnt\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 07:05a 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Instant Update Reminder.lnk.disabled [2004-08-05 716]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Synchronization Manager"=mobsync.exe /logon
"HotKeysCmds"=c:\winnt\system32\hkcmd.exe
"Smapp"=c:\program files\Analog Devices\SoundMAX\Smtray.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R3 HSFHWCD2;HSFHWCD2;c:\winnt\system32\DRIVERS\HSFHWCD2.sys [2007-06-08 153984]
S3 TGFoxPro;TM Top Gun Fox Pro;c:\winnt\system32\DRIVERS\TGFoxPro.sys [2005-07-22 25504]
S4 ptssvc;ptssvc;c:\program files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe []

*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
LSP: %SystemRoot%\system32\msafd.dll
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\d4ou3hik.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\np32asw.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\NP32DSW.DLL
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\NPBeatSP.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\Npindeo.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npswf32.dll
FF - plugin: c:\program files\Sympatico\Communicator\Program\Plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 11:57:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 01/02/2009 11:59:07
ComboFix-quarantined-files.txt 2009-01-02 16:59:03

Pre-Run: 3,214,082,048 bytes free
Post-Run: 3,204,853,760 bytes free

125 --- E O F --- 2008-12-30 02:33:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:43 PM, on 1/2/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\ThrustMaster\ThrustMapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Instant Update Reminder.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4556 bytes


Look forward to your reply,

Whaledude

#12 whaledude (Topic Starter)

Posted 03 January 2009 - 06:11 AM

Further to my last post, I forgot to mention that after ComboFix finished running, Spybot-SD Resident popped up with some changes, which I accepted. Here is the Resident log covering the changes. Perhaps I should not have accepted these changes?

1/2/2009 12:00:06 PM Allowed (based on user decision) value "{6F4F95AF-1647-4B72-A632-055405455423}" (new data: "") deleted in User-specific browser toolbar!
1/2/2009 12:00:08 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
1/2/2009 12:00:19 PM Allowed (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
1/2/2009 12:00:21 PM Allowed (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
1/2/2009 12:00:22 PM Allowed (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
1/2/2009 12:00:24 PM Allowed (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
1/2/2009 12:00:25 PM Allowed (based on user decision) value "CustomizeSearch" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm") changed in Browser page!
1/2/2009 12:00:32 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
1/2/2009 12:00:35 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
1/2/2009 12:00:54 PM Allowed (based on user decision) value "Shell" (new data: "Explorer.exe") changed in Winlogon!

Thanks,
Whaledude

#13 Grinler (Lawrence Abrams, Admin)

Posted 04 January 2009 - 11:28 AM

Those are not infections, just informational messages.

I do not see anything at all in your logs.

How much memory do you have? This could be an issue of your memory being used up, and then Windows writes it to the pagefile. This would cause the disk thrashing that you are seeing.
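As an added example (not part of the thread, and not Spybot's or BleepingComputer's own tooling), the script below shows how to triage Resident log lines like the ones in post #12 mechanically rather than by eye: each line is parsed into its registry location, value name and new data, and the new data is compared against the stock contents of that location. Winlogon\Shell should be exactly Explorer.exe, Command processor\AutoRun and the NT startup load value should be empty, and a removed toolbar CLSID is always fine; the browser-page URLs used as the baseline are an assumption taken from the HijackThis R1 lines in the same post. The last two sample lines are constructed to show what a change that does deserve a look would produce, and the hypothetical.exe / hypothetical.cmd paths are placeholders, not real indicators.

```python
"""Triage Spybot-S&D Resident log lines against a known-good baseline.

Added example for this thread, not Spybot's or BleepingComputer's code.  Each
Resident line names a registry location (the "in ...!" category), a value name and
the new data; the script flags any new data that is not the stock Windows 2000 /
IE6 content for that location."""
import re
from typing import NamedTuple, Optional

# Matches the line shape quoted in the thread, e.g.
#   1/2/2009 12:00:54 PM Allowed (based on user decision) value "Shell"
#   (new data: "Explorer.exe") changed in Winlogon!
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) \(based on user decision\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<action>deleted|changed|added) in (?P<category>[^!]+)!$'
)


class Entry(NamedTuple):
    ts: str
    category: str
    name: str
    action: str
    data: str


# (category, value name) -> accepted contents, lower-cased; "" means absent/deleted.
# Winlogon\Shell, Command processor\AutoRun and the NT startup load/run values are
# classic persistence points whose stock contents are well known.  The browser-page
# URLs are an assumption taken from the HijackThis R1 lines in the same post.
# A value name of None means "any name under this category".
BASELINE = {
    ("Winlogon", "Shell"): {"explorer.exe"},
    ("Command processor", "AutoRun"): {""},
    ("NT startup", "load"): {""},
    ("NT startup", "run"): {""},
    ("Browser page", "Default_Page_URL"): {"http://go.microsoft.com/fwlink/?linkid=69157"},
    ("Browser page", "Default_Search_URL"): {"http://go.microsoft.com/fwlink/?linkid=54896"},
    ("Browser page", "Search Page"): {"http://go.microsoft.com/fwlink/?linkid=54896"},
    ("Browser page", "Search Bar"): {""},
    ("Browser page", "SearchAssistant"): {"http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm"},
    ("Browser page", "CustomizeSearch"): {"http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm"},
    ("User-specific browser toolbar", None): {""},  # removing any toolbar CLSID is fine
}


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a Resident log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["category"], m["name"], m["action"], m["data"])


def verdict(e: Entry) -> str:
    """'baseline' if the new data is the stock value, 'REVIEW' if it is not,
    'UNKNOWN' if the location is not in BASELINE (look it up before trusting it)."""
    accepted = BASELINE.get((e.category, e.name)) or BASELINE.get((e.category, None))
    if accepted is None:
        return "UNKNOWN"
    return "baseline" if e.data.lower() in accepted else "REVIEW"


def triage(log_text: str):
    """Parse every non-empty line and pair it with its verdict."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        results.append((e, verdict(e) if e else "UNPARSED"))
    return results


# Constructed sample: six lines quoted from the post, then two constructed lines
# showing changes that should be reviewed.  The hypothetical.* paths are
# placeholders, not real indicators.
SAMPLE_LOG = "\n".join([
    '1/2/2009 12:00:06 PM Allowed (based on user decision) value "{6F4F95AF-1647-4B72-A632-055405455423}" (new data: "") deleted in User-specific browser toolbar!',
    '1/2/2009 12:00:08 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!',
    '1/2/2009 12:00:19 PM Allowed (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!',
    '1/2/2009 12:00:32 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!',
    '1/2/2009 12:00:35 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!',
    '1/2/2009 12:00:54 PM Allowed (based on user decision) value "Shell" (new data: "Explorer.exe") changed in Winlogon!',
    r'1/3/2009 9:10:00 AM Allowed (based on user decision) value "Shell" (new data: "Explorer.exe, C:\WINNT\Temp\hypothetical.exe") changed in Winlogon!',
    r'1/3/2009 9:10:05 AM Allowed (based on user decision) value "AutoRun" (new data: "C:\WINNT\Temp\hypothetical.cmd") changed in Command processor!',
])

if __name__ == "__main__":
    for e, v in triage(SAMPLE_LOG):
        print(f"{v:8} {e.category}\\{e.name} -> {e.data!r}" if e else f"{v:8} (unparsed)")
```

Run against the six lines from the post, every entry comes back as baseline, which is the mechanical form of "those are not infections"; the two constructed lines come back as REVIEW because Winlogon\Shell has gained a second executable and AutoRun now runs a script at every cmd.exe start. Anything in a category the baseline does not know is reported as UNKNOWN rather than silently accepted.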

#14 whaledude (Topic Starter)

Posted 05 January 2009 - 10:22 AM

I have 522,672 KB of RAM.

Since my last post I ran the spyware scan that is part of my Zone Alarm firewall, and it found and deleted 2 Trojans, which were "Kazaa Lite goop 28" and "P2P-Worm.Win32 Logpole.c".

With the deletion of these 2 Trojans, my problem seems to have disappeared, so I assume these caused my problem. Have you any info on these Trojans?

If something returns I will get back to you with a new post.

Thanks for all of the help.

Whaledude

#15 Grinler (Lawrence Abrams, Admin)

Posted 07 January 2009 - 07:15 PM

Nope. Do you remember the file names?
