
HijackThis Log: Please help Diagnose


This topic is locked
14 replies to this topic

#1 melissasusan

  • Members

Posted 09 August 2010 - 06:20 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:18:50 PM, on 8/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1256914378910
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/....0/iewwload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4558 bytes
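A small triage helper for logs in this format, added here as an example; it is not code from this thread, from BleepingComputer or from Trend Micro. It parses the `Rn`/`Fn`/`Nn`/`On - ...` entry lines and applies a few conservative review rules (binaries marked `(file missing)`, an O10 Winsock LSP HijackThis could not identify, O4 commands given without a drive letter, O23 services with an unknown owner). `SAMPLE_LOG` is a shortened, constructed excerpt in the format of the log above, not the full posted log.

```python
"""Triage helper for HijackThis v2 logs (added example, not code from this thread,
from BleepingComputer or from Trend Micro). SAMPLE_LOG is a constructed excerpt in
the entry format the posted log uses; it is not the complete log."""
import re
from collections import Counter

# Each HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 bodies end in "[value name] command line".
O4_RE = re.compile(r"\[[^\]]+\] (?P<cmd>.+)$")

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:18:50 PM, on 8/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 4558 bytes
"""


def parse_hjt(text):
    """Return [(section, body), ...] for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def section_counts(entries):
    """How many entries each section contributed (a quick sanity check before reading the log)."""
    return Counter(section for section, _ in entries)


def _command_executable(cmd):
    """First token of an O4 command line: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split()[0]


def triage(entries):
    """Apply conservative review rules. Every hit is something to look at, not a verdict:
    a bare "BCMSMMSG.exe" is a modem helper that lives in the Windows directory, and
    "(file missing)" services are usually leftovers of an uninstalled product."""
    findings = {
        "missing_file": [],           # referenced binary no longer exists (stale entry or removed file)
        "unknown_lsp": [],            # O10: Winsock LSP that HijackThis could not identify
        "bare_run_command": [],       # O4 command without a drive letter: resolved via the search path
        "unknown_service_owner": [],  # O23: service whose binary carries no recognised vendor
    }
    for section, body in entries:
        if "(file missing)" in body:
            findings["missing_file"].append(body)
        if section == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            findings["unknown_lsp"].append(body)
        if section == "O4":
            m = O4_RE.search(body)
            if m and not re.match(r"^[A-Za-z]:\\", _command_executable(m.group("cmd"))):
                findings["bare_run_command"].append(body)
        if section == "O23" and "Unknown owner" in body:
            findings["unknown_service_owner"].append(body)
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(entries)))
    for rule, hits in triage(entries).items():
        for hit in hits:
            print(f"{rule}: {hit}")
```

Run against the excerpt it reports the two `(file missing)` entries, the nwprovau.dll LSP, the bare `BCMSMMSG.exe` run entry and both unknown-owner services. The rules deliberately stop at "look here": the helper in this thread still had to confirm each hit against what the machine actually runs.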



#2 thewall

  • Malware Response Team

Posted 16 August 2010 - 07:12 PM

Hello melissasusan, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt









  • If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.



    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.



    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files












    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



    Thanks,



    thewall



    If I have helped you then please consider donating so I can continue the fight against malware.
    All donations go directly to the helper.

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

    #3 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 11:31 AM


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Melissa at 9:24:14.81 on Tue 08/17/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.237 [GMT -7:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Melissa\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: microsoft.com\office
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256914378910
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    S1 SAVRT;SAVRT;\??\c:\program files\norton internet security\norton antivirus\savrt.sys --> c:\program files\norton internet security\norton antivirus\SAVRT.SYS [?]
    S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton internet security\norton antivirus\savrtpel.sys --> c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [?]
    S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080820.016\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080820.016\NAVENG.Sys [?]
    S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080820.016\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080820.016\NavEx15.Sys [?]
    S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
    S4 ccProxy;Symantec Network Proxy;"c:\program files\common files\symantec shared\ccproxy.exe" --> c:\program files\common files\symantec shared\ccProxy.exe [?]
    S4 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
    S4 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
    S4 navapsvc;Norton AntiVirus Auto Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]
    S4 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\savscan.exe --> c:\program files\norton internet security\norton antivirus\SAVScan.exe [?]
    S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\sbserv.exe --> c:\progra~1\common~1\symant~1\script~1\SBServ.exe [?]
    S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

    =============== Created Last 30 ================

    2010-08-12 02:16:57 0 d-----w- c:\program files\Trend Micro
    2010-08-12 00:59:27 0 d-----w- c:\windows\system32\wbem\Repository
    2010-08-12 00:58:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Flip Video
    2010-08-12 00:58:29 0 d-----w- c:\program files\Flip Video
    2010-08-12 00:56:18 0 d-----w- c:\program files\MSECache
    2010-08-09 22:51:38 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
    2010-08-09 21:13:57 0 d--h--w- c:\documents and settings\melissa\Recent(2)
    2010-08-04 02:32:25 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-25 04:48:30 0 d-----w- c:\program files\Flip Video(3)
    2010-07-25 04:48:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Flip Video(3)

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\shell32(2)(2).dll
    2010-07-08 22:21:14 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
    2008-02-05 20:26:14 0 -c-ha-w- c:\program files\Book.txt

    ============= FINISH: 9:24:40.84 ===============




    #4 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 11:38 AM

    GMER found nothing

    #5 thewall

    • Malware Response Team

    Posted 17 August 2010 - 03:15 PM

    Please give me a brief rundown of what brought you to our forums. In other words what kind of symptoms are you experiencing?

    #6 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 03:26 PM

    As my computer runs it gets slower and slower, and eventually just freezes. It has plenty of memory, etc. I thought it might be some kind of "leak" if that makes any sense.

    #7 thewall

    • Malware Response Team

    Posted 17 August 2010 - 04:30 PM

    That could be caused by several things. What we do here is look for infections mainly. Let's run MalwareBytes and see if it can find anything.


    Download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Save it to your desktop.
    Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

    #8 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 04:56 PM

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4442

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/17/2010 2:54:22 PM
    mbam-log-2010-08-17 (14-54-22).txt

    Scan type: Quick scan
    Objects scanned: 152408
    Time elapsed: 11 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    #9 thewall

    • Malware Response Team

    Posted 17 August 2010 - 05:14 PM

    Are you having any other symptoms such as being redirected to sites other than those you try to go to or pop-ups? Anything like that?

    #10 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 07:01 PM

    pop ups for sure

    #11 thewall

    • Malware Response Team

    Posted 17 August 2010 - 07:48 PM

    OK, let's try to run something a little stronger.

    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






    #12 melissasusan

    • Topic Starter
    • Members

    Posted 17 August 2010 - 10:25 PM

    ComboFix 10-08-17.02 - Melissa 08/17/2010 19:56:50.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.268 [GMT -7:00]
    Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\SeekappSrch
    c:\program files\SeekappSrch
    c:\program files\SeekappSrch\uninstall.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
    .

    2010-08-17 21:42 . 2010-08-17 21:42 -------- d-----w- c:\documents and settings\Melissa\Application Data\Malwarebytes
    2010-08-17 21:41 . 2010-08-17 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-17 21:41 . 2010-08-17 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-12 00:59 . 2010-08-12 00:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-08-12 00:58 . 2010-08-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
    2010-08-12 00:58 . 2010-08-12 01:25 -------- d-----w- c:\program files\Flip Video
    2010-08-12 00:56 . 2010-08-12 00:56 -------- d-----w- c:\windows\Sun
    2010-08-12 00:56 . 2010-08-12 00:56 -------- d-----w- c:\program files\MSECache
    2010-08-09 22:51 . 2010-08-09 22:51 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
    2010-08-09 22:49 . 2010-08-09 22:49 -------- d-----w- c:\documents and settings\Melissa\Local Settings\Application Data\Help
    2010-08-09 21:13 . 2010-08-12 00:53 -------- d--h--w- c:\documents and settings\Melissa\Recent(2)
    2010-08-04 02:32 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-25 04:48 . 2010-08-12 00:58 -------- d-----w- c:\program files\Flip Video(3)
    2010-07-25 04:48 . 2010-08-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video(3)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-12 03:36 . 2009-10-31 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-08-12 00:56 . 2010-07-06 05:16 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-08-04 02:15 . 2010-07-06 04:59 -------- d-----w- c:\documents and settings\Melissa\Application Data\Thunderbird
    2010-07-28 05:01 . 2010-07-13 01:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-27 06:30 . 2006-07-13 13:46 8462336 ----a-w- c:\windows\system32\shell32(2)(2).dll
    2010-07-11 20:55 . 2010-07-11 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
    2010-07-08 22:22 . 2010-07-08 22:22 -------- d-----w- c:\program files\Common Files\Java
    2010-07-08 22:22 . 2010-07-08 22:22 503808 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-475de3b7-n\msvcp71.dll
    2010-07-08 22:22 . 2010-07-08 22:22 499712 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-475de3b7-n\jmc.dll
    2010-07-08 22:22 . 2010-07-08 22:22 348160 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-475de3b7-n\msvcr71.dll
    2010-07-08 22:22 . 2010-07-08 22:22 61440 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-56ff0801-n\decora-sse.dll
    2010-07-08 22:22 . 2010-07-08 22:22 12800 ----a-w- c:\documents and settings\Melissa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-56ff0801-n\decora-d3d.dll
    2010-07-08 22:21 . 2010-07-08 22:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-08 22:20 . 2008-07-04 22:09 -------- d-----w- c:\program files\Java
    2010-07-06 05:00 . 2010-07-06 05:00 0 ----a-w- c:\windows\nsreg.dat
    2010-07-03 17:28 . 2010-05-15 15:31 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-02 04:05 . 2009-10-30 17:56 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-06-30 12:31 . 2003-07-16 16:37 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 18:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-07-16 16:45 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2003-07-16 16:40 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2003-07-16 16:24 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2008-07-04 21:09 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-01 17:37 . 2009-10-30 17:58 221568 ------w- c:\windows\system32\MpSigStub.exe
    2008-02-05 20:26 . 2008-02-05 20:26 0 -c-ha-w- c:\program files\Book.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-09-20 16:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-09-20 16:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-09-20 16:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
    2010-06-01 21:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-02-16 01:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec Core LC"=2 (0x2)
    "Netlogon"=3 (0x3)
    "navapsvc"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "WLTRYSVC"=2 (0x2)
    "SBService"=2 (0x2)
    "SAVScan"=2 (0x2)
    "MsMpSvc"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "LmHosts"=2 (0x2)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "ERSvc"=2 (0x2)
    "UPS"=3 (0x3)
    "SNDSrvc"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "Browser"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-18 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]

    2010-08-18 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-07-04 01:38]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\office
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-SeekappSrch - c:\program files\SeekappSrch\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-17 20:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(872)
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2010-08-17 20:04:24
    ComboFix-quarantined-files.txt 2010-08-18 03:04

    Pre-Run: 22,929,657,856 bytes free
    Post-Run: 23,021,015,040 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 1FEE592D629E8AF861325E49DD5DB711


    #13 melissasusan

    melissasusan
    • Topic Starter

    • Members
    • 9 posts
    • OFFLINE
    • Gender:Female
    • Location:Washington State
    • Local time:06:26 AM

    Posted 17 August 2010 - 10:34 PM

So as I am using my computer right now with Microsoft Security Essentials turned off, it runs pretty well. Would this program be the problem, and if it is, can you recommend a different or better one that is free? By the way, I seriously can't believe that you are spending so much of your time helping me. That is so amazing!! Thank you so much! I have never done anything like this before!

    #14 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    • Gender:Male
    • Location:Florida
    • Local time:08:26 AM

    Posted 17 August 2010 - 11:31 PM

Microsoft Security Essentials is a good program. Unless it somehow became corrupted, it shouldn't be the problem, although there are times when some programs just do not jibe with certain systems. We don't want you running without your security up, though, because that could lead to more issues. ComboFix (CF) found some things and removed them, and that could very well have made a difference in how the machine is functioning.

    Tell you what. First thing is go ahead and turn the MSSE back on and let me know if the computer starts misbehaving again. We'll go from there when you let me know one way or the other.

    I enjoy helping people although I haven't had as much time lately as I did have. Having an infected computer and receiving help is how I came to be on the site.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

    #15 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    • Gender:Male
    • Location:Florida
    • Local time:08:26 AM

    Posted 23 September 2010 - 07:55 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

    If you have a new issue, please start a New Topic.

    This applies only to the original poster. Everyone else please begin a New Topic.



