
keep losing HD space


  • This topic is locked
26 replies to this topic

#1 bulboy

bulboy

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 15 June 2010 - 04:45 PM

hi,

well, pretty much have given up on my dwindling HD space. don't know what else to do. tried running HijackThis and got this...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:40:18 AM, on 6/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\PeerGuardian2\pg2.exe
D:\skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\removeit\InCode Solutions\RemoveIT Pro v7 Ultra\removeit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
D:\Hijack\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DWABrowserHlprObj Class - {2709D830-B643-4e72-9A1E-701CFFFCF30C} - C:\WINDOWS\system32\dwabho.dll
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [PeerGuardian] D:\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "D:\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoveIT Pro v7Ultra] D:\removeit\InCode Solutions\RemoveIT Pro v7 Ultra\removeit.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Password.lnk = C:\Documents and Settings\Fied\Local Settings\temp\Password.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Au...VBAuthentic.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137725898781
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...rk.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://domino.pna.ph/dwa7W.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BEEDCA7-A007-47D4-8370-7A1CF7D7651D}: NameServer = 58.69.254.70 58.69.254.137
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9023 bytes

would greatly appreciate any help you can give me. thanks!

bulboy

Edited by Budapest, 15 June 2010 - 04:49 PM.
Moved from AntiVirus, Firewall and Privacy Products and Protection Methods ~BP
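As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage pass over HijackThis lines like the ones in the log above. It flags the kinds of entries a malware-response helper looks at first: orphaned entries whose file is gone, autostarts launched from a temp folder, startup shortcuts with an unresolved target, bundled toolbars, and services with an unknown owner; the tag names, the toolbar list and the temp-path pattern are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines copied from the log posted in this thread (a subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Password.lnk = C:\Documents and Settings\Fied\Local Settings\temp\Password.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Toolbars the helper in this thread asked to uninstall (bundleware/privacy, not infection).
# Assumption: a real triage script would load this from a maintained list.
UNWANTED_NAMES = ("Ask Toolbar", "Vuze Remote Toolbar")

# A legitimate autostart should not launch from a user-writable temp folder.
TEMP_PATH_RE = re.compile(r"\\(?:local settings\\temp|temp|tmp)\\", re.IGNORECASE)

# Leading "O2 - ", "O4 - ", "R1 - " etc. section code of a HijackThis line.
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # short triage tag (assumed names)
    line: str      # the original log line


def triage_line(line: str) -> list:
    """Return zero or more findings for a single HijackThis log line."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return []                      # process list, headers, blank lines: nothing to do
    section, body = m.group(1), m.group(2)
    findings = []
    # Entry points at a file that no longer exists: harmless clutter, safe to clean up.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        findings.append(Finding(section, "orphan", line))
    # Startup shortcut whose target HijackThis could not resolve.
    if section == "O4" and body.endswith("= ?"):
        findings.append(Finding(section, "unresolved-target", line))
    # Autostart running out of a temp directory: worth a closer look.
    if section == "O4" and TEMP_PATH_RE.search(body):
        findings.append(Finding(section, "autostart-from-temp", line))
    # Browser helper objects / toolbars on the unwanted list.
    if section in ("O2", "O3") and any(name in body for name in UNWANTED_NAMES):
        findings.append(Finding(section, "unwanted-toolbar", line))
    # Services whose binary carries no recognised publisher.
    if section == "O23" and "- Unknown owner -" in body:
        findings.append(Finding(section, "unknown-service-owner", line))
    return findings


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and collect the findings."""
    out = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: list) -> dict:
    """Count findings per reason tag."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(results))
```

A flagged line is a prompt for a human to check the file, not a verdict; the egui and ekrn lines from the same log pass through untouched.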



#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 15 June 2010 - 05:33 PM

Greetings bulboy and Welcome to the forums,
Please do the following:

Step 1
Please download the free utility DDS.

Disable any script blocker you may have running, then double click dds.scr to run the tool.
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**

Rootkit scans often produce false positives.

Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • DDS.txt
  • Attach.txt
  • ark.txt
***Note***
Although the document itself may instruct you to zip and attach when posting, please ignore that and copy/paste instead...unless of course, your log is so large that the forum software tells you that it is too large for posting. Only in that case would you need to zip it and attach it. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 16 June 2010 - 09:15 PM

Thanks! I'm about to start the process, will check back after completing your instructions...

#4 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 16 June 2010 - 11:09 PM

hi,

just completed the tasks you put in your reply. as you've instructed, here are the files that you wanted to look at:

DDS (Ver_10-03-17.01) - NTFSx86
Run by fontafe at 10:19:29.35 on Thu 06/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.309 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\PeerGuardian2\pg2.exe
D:\skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
D:\removeit\InCode Solutions\RemoveIT Pro v7 Ultra\removeit.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Vuze\Azureus.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DWABrowserHlprObj Class: {2709d830-b643-4e72-9a1e-701cfffcf30c} - c:\windows\system32\dwabho.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [PeerGuardian] d:\peerguardian2\pg2.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Skype] "d:\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RemoveIT Pro v7Ultra] d:\removeit\incode solutions\removeit pro v7 ultra\removeit.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_01\bin\jusched.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HP Software Update] d:\hp\hp software update\HPWuSchd2.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\password.lnk - c:\documents and settings\fied\local settings\temp\Password.exe
IE: E&xport to Microsoft Excel - d:\office~1\office12\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBC} - c:\program files\java\j2re1.4.2_01\bin\npjpi142_01.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {09883431-7429-11D5-8B69-0050049F5256} - hxxps://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137725898781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_01-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_01-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://domino.pna.ph/dwa7W.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
TCP: {2BEEDCA7-A007-47D4-8370-7A1CF7D7651D} = 58.69.254.70 58.69.254.137
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fied\applic~1\mozilla\firefox\profiles\n3zgc53o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://domino.punongbayan-araullo.com/
FF - component: c:\documents and settings\fied\application data\mozilla\firefox\profiles\n3zgc53o.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\fied\application data\mozilla\firefox\profiles\n3zgc53o.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF - plugin: c:\program files\java\j2re1.4.2_01\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-10-11 14720]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-8-18 35168]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-7-17 14976]
R3 i8042HDR;Keyboard Filter Driver;c:\windows\system32\drivers\i8042HDR.sys [2005-10-11 12600]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-10-11 6400]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2005-4-21 14336]
S3 USBNUMP;USBNUMP;c:\windows\system32\drivers\USBNUMP.sys [2005-10-11 10760]

=============== Created Last 30 ================

2010-06-15 21:28:36 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-06-15 14:58:44 0 d-----w- c:\docume~1\fied\applic~1\Malwarebytes
2010-06-15 14:58:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 14:58:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 14:58:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-14 16:26:14 0 d-----w- c:\docume~1\fied\applic~1\GlarySoft
2010-06-14 16:23:27 0 d-----w- c:\program files\Ask.com
2010-06-10 15:50:08 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 07:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-10-31 05:44:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103120081101\index.dat

============= FINISH: 10:20:23.23 ===============

thanks again!

Attached Files



#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 17 June 2010 - 04:50 AM

Please uninstall the following software:
Adobe Flash Player 9 ActiveX <--out of date and exploited. Install the latest version Here
Adobe Reader 7.1.0 <--Out of date and exploited. Install the latest version Here
Ask Toolbar <--Privacy Issues
Java 2 Runtime Environment, SE v1.4.2_01 <--out of date by almost a decade...and of course, exploited. We will install the latest version when the system is cleaned
SoulSeek Client 156c <--These last three are file sharing programs. Click here for information regarding the risks of using File Sharing software. I should add to this for the benefit of those who HAVE BEEN using p2p programs to download copyrighted material: you should know that all torrents tell the BitTorrent client (and similar p2p programs) to report back to trackers (in order for BitTorrent clients to be able to know who is uploading and who they can connect to). It's actually pretty easy to keep tabs on torrents in real-time, and it has been done not only by law enforcement, but also by private firms for many many years. Read more about that Here.
Vuze
Vuze_Remote Toolbar

...when finished uninstalling, please reboot the computer.

Next, please reset your router:

1. Unplug or turn off your DSL/cable modem.
2. Locate the router's reset button. Some routers have just a tiny pin hole. For this type, you will need to straighten a paper clip or use something similarly small to insert into the tiny pin hole.
3. If yours is a button, press and hold the Reset button down for 30 seconds.
4. Wait for your Power, WLAN and Internet light to turn on (on the router).
5. Plug in or turn on your modem (if it is separate from the router).
6. Open your web browser to see if you have an internet connection. If you don't have an internet connection at this point, you may need to restart your computer.

Having reset the router, a default password will never do...please create a Strong Password now in order to strengthen security of your wireless connection.

Tips
  • When pressing the Reset button down make sure you don't release the button until you are sure it has been compressed for 30 seconds or more.
  • This will erase your configuration, so if you have previously opened ports for gaming, they will be blocked again. Try unplugging, then plugging the Linksys back in for the same effect without erasing the configuration.
  • Depending on what service provider you use, if your router's IP address has changed during the reset, it may take up to 24 hours for their servers to recognize this change and assign you a new IP address. During this time your connection will show as "limited or no connectivity."
  • On most Linksys routers your username/password combination becomes empty (no username) / with password "admin" (without the quotes).
  • The default settings for most routers are DHCP, NAT, or some other form of automatic IP addressing. Take this into consideration if you've changed your router's settings to assign static IP addresses.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall




#6 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 June 2010 - 10:02 AM

hi,

did not yet install the adobe reader 7.1.0 as my HD still doesn't have that space. anyway, was able to run combofix and got the report.

thanks again!!!

Attached Files



#7 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 17 June 2010 - 10:50 AM

Did you create the batch file "mktlogon.bat"? Are you using a server located in the Philippines?

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



Folder::
c:\program files\Vuze
c:\documents and settings\Fied\Application Data\Azureus

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21095:TCP"=-
"9145:TCP"=-
"21095:UDP"=-
"19623:TCP"=-
"19623:UDP"=-





#8 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 June 2010 - 11:41 AM

hi,

did not create mktlogon.bat but yes, the server i'm using is in the Philippines.

attached is the combofix log report.

thanks again!

Attached Files



#9 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 17 June 2010 - 03:10 PM

Things running ok for you now?



#10 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 June 2010 - 04:20 PM

looks ok, but i noticed though that my IE loads really slow. is that something to do with java?

#11 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 17 June 2010 - 05:15 PM

QUOTE
looks ok, but i noticed though that my IE loads really slow. is that something to do with java?

Most likely just needs a cleanup and empty temp files. Update your on board antivirus. Boot to safe mode and run a complete system scan. Allow the software to quarantine whatever it complains on, then boot back to your normal user mode and post back the log. Thanks!



#12 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 June 2010 - 09:24 PM

hi,

went to safe mode and scanned the drives. where would i find the log report though? sorry...

oh, my HD space hasn't gained that much.

thanks again for patience. =)

#13 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 17 June 2010 - 10:15 PM

scanned again, but not in safe mode. here's the log, hope i did right.

thanks.

Attached Files

  • Attached File  scan.log   10.77KB   1 downloads


#14 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:38 PM

Posted 18 June 2010 - 06:59 AM

The files on your D:\ drive that ESET didn't scan were password protected archives. Did you zip and password protect those?
Also, these are the few that you may want to delete:
D:\PERSONAL\Fied\others2\NH Files\DB\Zonal\do3095.zip ZIP do3095.xls - archive damaged
D:\PERSONAL\Fied\others2\NH Files\DB\Zonal\rd074_iloilo_2801.zip ZIP rd074_iloilo_2801.xls - archive damaged
D:\PERSONAL\Fied\others2\NH Files\DB\Zonal\rd086_barangan_1500.zip ZIP rd086_barangan_1500.xls - archive damaged
D:\PERSONAL\Fied\others2\NH Files\DB\Zonal\rd107_cotabato_6102.zip ZIP rd107_cotabato_6102.xls - archive damaged
D:\soul\charts\ChartBreakers Remix Series Vol. 1 -DJ BLOM-.rar RAR ChartBreakers Remix Series Vol. 1 -DJ BLOM-\12. Ludacris Feat. Shawnna - How Low Can You Go (72 BPM) Mixed By DJ Blom.mp3 - incorrect CRC checksum, the file may be damaged


Everything else seems to be working ok? Is IE still loading slowly? If so, is this something that occurred just since our troubleshooting session?



#15 bulboy

bulboy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:38 PM

Posted 18 June 2010 - 11:12 PM

hi,

yes those were my files when i was working on a project. can delete them as i really don't remember the password. =)

IE is running ok now. my daughter though used my PC and told me that FB's cafe world is not loading. it's not important whether it loads or not though, just wondering if there's some connection with the loading issues and the apps that we uninstalled.

partition C is still low on disk space though.

thanks!
