
Unusual Behavior Possible Rootkit


5 replies to this topic

#1 Beachy2000


  • Members
  • 3 posts

Posted 15 June 2012 - 02:03 PM

Strange entry under msconfig> Services
##Id_String1.6844f930_1628_4223_B5cc_5bb94b879762##

As well as losing internet connection at times while at other times some webpages do not respond. I tried downloading Emsisoft Emergency Kit and the download showed strange characters as the file type.

Need help removing possible rootkits, possible Windows service injections, and possible network driver viruses. This is probably as bad as it gets, unfortunately. Though it's not my computer, I have run Panda online cloud scanner and Emsisoft online scanner with no viruses detected. I would still like to double check to make sure.



#2 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,710 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 15 June 2012 - 05:37 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



 


#3 Beachy2000

  • Topic Starter

  • Members
  • 3 posts

Posted 22 June 2012 - 12:55 PM

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Adobe Flash Player ( 10.1.102.64) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````



Farbar Service Scanner Version: 22-06-2012
Ran by Sales (administrator) on 22-06-2012 at 11:26:59
Running from "C:\Documents and Settings\Sales\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****


MiniToolBox by Farbar Version: 09-06-2012
Ran by Sales (administrator) on 22-06-2012 at 11:27:54
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : EBAY
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1A-A0-C7-B4-5C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.113
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 65.32.5.74
                                    65.32.5.75
Lease Obtained. . . . . . . . . . : Friday, June 22, 2012 3:30:37 AM
Lease Expires . . . . . . . . . . : Saturday, June 23, 2012 3:30:37 AM

Server: dns-cac-lb-01.tampabay.rr.com
Address: 65.32.5.74

Name: google.com
Addresses: 74.125.139.113, 74.125.139.138, 74.125.139.139, 74.125.139.100
74.125.139.101, 74.125.139.102

Pinging google.com [74.125.139.102] with 32 bytes of data:

Reply from 74.125.139.102: bytes=32 time=25ms TTL=45
Reply from 74.125.139.102: bytes=32 time=26ms TTL=45

Ping statistics for 74.125.139.102:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 26ms, Average = 25ms

Server: dns-cac-lb-01.tampabay.rr.com
Address: 65.32.5.74

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:

Reply from 72.30.38.140: bytes=32 time=184ms TTL=48
Reply from 72.30.38.140: bytes=32 time=97ms TTL=48

Ping statistics for 72.30.38.140:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 97ms, Maximum = 184ms, Average = 140ms

Server: dns-cac-lb-01.tampabay.rr.com
Address: 65.32.5.74

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 c7 b4 5c ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.113 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.113 192.168.1.113 30
192.168.1.0 255.255.255.0 192.168.1.113 192.168.1.113 20
192.168.1.113 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.113 192.168.1.113 20
224.0.0.0 240.0.0.0 192.168.1.113 192.168.1.113 20
255.255.255.255 255.255.255.255 192.168.1.113 192.168.1.113 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (06/22/2012 03:30:35 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.113 for the Network Card with network address 001AA0C7B45C has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (06/21/2012 03:30:44 PM) (Source: NETLOGON) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (06/21/2012 11:29:36 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (06/21/2012 11:20:35 AM) (Source: Removable Storage Service) (User: )
Description: RSM could not load media in drive Drive 0 of library USB Mass Storage Device USB Device.

Error: (06/21/2012 11:16:12 AM) (Source: Removable Storage Service) (User: )
Description: RSM could not load media in drive Drive 0 of library USB Mass Storage Device USB Device.

Error: (06/21/2012 11:16:11 AM) (Source: Removable Storage Service) (User: )
Description: RSM could not load media in drive Drive 0 of library USB Mass Storage Device USB Device.

Error: (06/21/2012 11:11:05 AM) (Source: Removable Storage Service) (User: )
Description: RSM could not load media in drive Drive 0 of library USB Mass Storage Device USB Device.

Error: (06/21/2012 11:08:53 AM) (Source: 0) (User: )
Description: \Device\Harddisk2\D

Error: (06/21/2012 11:07:51 AM) (Source: Removable Storage Service) (User: )
Description: RSM could not load media in drive Drive 0 of library USB Mass Storage Device USB Device.

Error: (06/19/2012 02:29:02 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.113 for the Network Card with network address 001AA0C7B45C has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 3.1.1)
6500_E709_eDocs (Version: 1.00.0000)
6500_E709_Help (Version: 1.00.0000)
6500_E709a (Version: 50.0.165.000)
7-Zip 9.20
Adobe Acrobat 8 Professional - English, Français, Deutsch (Version: 8.1.3)
Adobe Acrobat 8.1.3 Professional (Version: 8.1.3)
Adobe AIR (Version: 1.5.3.9120)
Adobe Anchor Service CS3 (Version: 1.0)
Adobe Asset Services CS3 (Version: 3)
Adobe Bridge CS3 (Version: 2)
Adobe Bridge Start Meeting (Version: 1.0)
Adobe Camera Raw 4.0 (Version: 4.0)
Adobe CMaps (Version: 1.0)
Adobe Color - Photoshop Specific (Version: 1.0)
Adobe Color Common Settings (Version: 1.0.1)
Adobe Color EU Extra Settings (Version: 1.0)
Adobe Color JA Extra Settings (Version: 1.0)
Adobe Color NA Recommended Settings (Version: 1.0)
Adobe Contribute CS3 (Version: 4.1)
Adobe Default Language CS3 (Version: 1.0)
Adobe Device Central CS3 (Version: 1.0)
Adobe Dreamweaver CS3 (Version: 9)
Adobe Dreamweaver CS3 (Version: 9.0)
Adobe ExtendScript Toolkit 2 (Version: 2.0.2)
Adobe Extension Manager CS3 (Version: 1.8)
Adobe Fireworks CS3 (Version: 9.0)
Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.257)
Adobe Fonts All (Version: 1.0)
Adobe Help Viewer CS3 (Version: 1)
Adobe Linguistics CS3 (Version: 3.0.0)
Adobe PDF Library Files (Version: 8.0)
Adobe Photoshop CS (Version: CS)
Adobe Photoshop CS3 (Version: 10)
Adobe Photoshop CS3 (Version: 10.0)
Adobe Setup (Version: 1.0)
Adobe Stock Photos CS3 (Version: 1.5)
Adobe Type Support (Version: 1.0)
Adobe Update Manager CS3 (Version: 5.1.0)
Adobe Version Cue CS3 Client (Version: 3)
Adobe WinSoft Linguistics Plugin (Version: 1.0)
Adobe XMP Panels CS3 (Version: 1.0)
bpd_scan (Version: 3.00.0000)
BPDSoftware (Version: 50.0.165.000)
BPDSoftware_Ini (Version: 1.00.0000)
Broadcom ASF Management Applications (Version: 8.18.14)
Broadcom Management Programs (Version: 9.03.02)
BufferChm (Version: 120.0.194.000)
CCleaner (Version: 3.19)
Dell ETS Factory Installation (Version: 1.0.0)
Destination Component (Version: 110.0.0.0)
DeviceDiscovery (Version: 120.0.194.000)
DeviceFunctionQFolder (Version: 1.00.0000)
DeviceManagementQFolder (Version: 1.00.0000)
DocMgr (Version: 120.0.000.000)
DocProc (Version: 12.0.0.0)
Edge Full Install Version 4.3.80820 (Version: 4.3.8233)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 120.0.194.000)
Google Update Helper (Version: 1.3.21.57)
GPBaseService2 (Version: 120.0.194.000)
HP Customer Participation Program 12.0 (Version: 12.0)
HP Document Manager 2.0 (Version: 2.0)
HP Imaging Device Functions 12.0 (Version: 12.0)
HP Officejet 6500 E709 Series (Version: 12.0)
HP Officejet 6500 E710a-f Basic Device Software (Version: 22.50.231.0)
HP Officejet 6500 E710a-f Help (Version: 140.0.2.2)
HP Smart Web Printing (Version: 4.05)
HP Solution Center 12.0 (Version: 12.0)
HP Update (Version: 4.000.011.006)
HPProductAssistant (Version: 120.0.194.000)
ImgBurn (Version: 2.5.7.0)
Java Auto Updater (Version: 2.0.2.4)
Lightroom (Version: 1.30.0000)
MarketResearch (Version: 120.0.226.000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components (Version: 11.0.8173.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office FrontPage 2003 (Version: 11.0.8173.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Picture It! Publishing Platinum 2002 (Version: 6.0.0.0000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft XML Parser (Version: 8.70.1104.04)
mIRC (Version: 7.25)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
Nero 8 (Version: 8.10.214)
neroxml (Version: 1.0.0)
Network (Version: 120.0.194.000)
OCR Software by I.R.I.S. 12.0 (Version: 12.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PanoStandAlone (Version: 60.0.155.000)
PDF Settings (Version: 1.0)
Picture Control Utility (Version: 1.4.3)
ProductContext (Version: 50.0.165.000)
QuickBooks Basic 2005 (Version: )
Scan (Version: 12.0.0.0)
SmartWebPrinting (Version: 120.0.194.000)
SolutionCenter (Version: 120.0.194.000)
Status (Version: 120.0.194.000)
Toolbox (Version: 120.0.194.000)
TrayApp (Version: 120.0.194.000)
Ultimate Business Planner (Version: 5.0.71)
UnloadSupport (Version: 11.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2362765) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update Manager (Version: 4.60)
USB digital microscope (Version: 5.8.37100.102)
VCRedistSetup (Version: 1.0.0)
ViewNX 2 (Version: 2.3.1)
VLC media player 2.0.1 (Version: 2.0.1)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 120.0.194.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0059.1)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows XP Service Pack 3 (Version: 20080414.031525)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 29%
Total physical RAM: 2045.54 MB
Available physical RAM: 1443.58 MB
Total Pagefile: 3938.05 MB
Available Pagefile: 3506.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.35 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:232.77 GB) (Free:163.33 GB) NTFS
3 Drive d: (Adobe) (CDROM) (Total:0.64 GB) (Free:0 GB) UDF

========================= Users: ========================================

User accounts for \\EBAY

Administrator ASPNET Guest
HelpAssistant IUSR_BRANDON-OFFICE IWAM_BRANDON-OFFICE
Sales SUPPORT_388945a0


**** End of log ****

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sales :: EBAY [administrator]

6/22/2012 11:32:30 AM
mbam-log-2012-06-22 (11-32-30).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 403734
Time elapsed: 2 hour(s), 15 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Sales\Application Data\Thinstall\Program Data\4000006800002i\HPZSTC12.exe (Trojan.IRCBot) -> Quarantined and deleted successfully.

(end)




11:40:32.140 OS Version: Windows 5.1.2600 Service Pack 3
11:40:32.140 Number of processors: 2 586 0x605
11:40:32.140 ComputerName: EBAY UserName:
11:40:50.062 Initialize success
11:41:20.437 AVAST engine defs: 12062200
11:41:23.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:41:23.656 Disk 0 Vendor: SAMSUNG_SP2504C VT100-52 Size: 238418MB BusType: 3
11:41:23.687 Disk 0 MBR read successfully
11:41:23.703 Disk 0 MBR scan
11:41:23.828 Disk 0 Windows XP default MBR code
11:41:23.859 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
11:41:23.906 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238355 MB offset 96390
11:41:23.921 Disk 0 scanning sectors +488247480
11:41:24.093 Disk 0 scanning C:\WINDOWS\system32\drivers
11:42:11.578 Service scanning
11:43:33.156 Modules scanning
11:44:26.843 Disk 0 trace - called modules:
11:44:26.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
11:44:26.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9c4ab8]
11:44:26.968 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a961b00]
11:45:05.062 AVAST engine scan C:\WINDOWS
11:46:11.640 AVAST engine scan C:\WINDOWS\system32
11:59:13.796 AVAST engine scan C:\WINDOWS\system32\drivers
12:00:50.859 AVAST engine scan C:\Documents and Settings\Sales
12:50:46.046 AVAST engine scan C:\Documents and Settings\All Users
13:00:24.031 Scan finished successfully
13:07:43.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sales\Desktop\MBR.dat"
13:07:43.203 The log file has been saved successfully to "C:\Documents and Settings\Sales\Desktop\aswMBR.txt"
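
An editor's added example, not a tool from this thread or from the Farbar and Malwarebytes authors: a Python triage pass over constructed excerpts in the formats of the three logs pasted above (FSS File Check, MiniToolBox Winsock entries, Malwarebytes detections). It flags any system file whose verdict is not "MD5 is legit" and any detection line as alerts, queues third-party Winsock providers for review, and checks the Malwarebytes "Detected: N" headers against the lines that follow; the mismatch wording for tcpip.sys is a constructed assumption.

```python
import re
from typing import Dict, List

# Constructed excerpts in the formats of the three logs posted above.  The tcpip.sys
# verdict is invented to exercise the alert path (FSS's real wording for a mismatch is
# not shown in this thread), so the rule is simply: anything but "MD5 is legit" is flagged.
FSS_EXCERPT = """File Check:
========
C:\\WINDOWS\\system32\\dhcpcsvc.dll => MD5 is legit
C:\\WINDOWS\\system32\\Drivers\\tcpip.sys => MD5 does not match (constructed)
"""

WINSOCK_EXCERPT = """========================= Winsock entries =====================================

Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\\Program Files\\Bonjour\\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Catalog9 05 C:\\Windows\\system32\\rsvpsp.dll [92672] (Microsoft Corporation)
"""

MBAM_EXCERPT = """Files Detected: 1
C:\\Documents and Settings\\Sales\\Application Data\\Thinstall\\Program Data\\4000006800002i\\HPZSTC12.exe (Trojan.IRCBot) -> Quarantined and deleted successfully.

(end)
"""

FSS_LINE = re.compile(r"^([A-Za-z]:\\.+?) => (.+)$")
WINSOCK_LINE = re.compile(r"^(Catalog\d+) (\d+) (.+?) \[(\d+)\] \((.+)\)$")
MBAM_LINE = re.compile(r"^([A-Za-z]:\\.+?) \(([^()]+)\) -> (.+)$")
MBAM_COUNT = re.compile(r"^([\w ]+) Detected: (\d+)$")


def fss_file_check(text: str) -> List[Dict[str, str]]:
    """Alert on every checked system file whose verdict is not 'MD5 is legit'."""
    findings = []
    for line in text.splitlines():
        m = FSS_LINE.match(line.strip())
        if m and m.group(2) != "MD5 is legit":
            findings.append({"source": "FSS", "severity": "alert",
                             "item": m.group(1), "detail": m.group(2)})
    return findings


def winsock_entries(text: str) -> List[Dict[str, str]]:
    """Third-party LSP/NSP providers are not malicious by themselves, but the Winsock
    layer is where 'some pages do not respond' lives, so non-Microsoft ones get reviewed."""
    findings = []
    for line in text.splitlines():
        m = WINSOCK_LINE.match(line.strip())
        if m and m.group(5) != "Microsoft Corporation":
            findings.append({"source": "Winsock", "severity": "review", "item": m.group(3),
                             "detail": f"{m.group(1)} #{m.group(2)} by {m.group(5)}"})
    return findings


def mbam_detections(text: str) -> List[Dict[str, str]]:
    """Collect every detection line and cross-check the 'Detected: N' headers, so a
    truncated paste (header says 1, no line follows) does not pass as clean."""
    findings, declared, seen = [], 0, 0
    for line in text.splitlines():
        line = line.strip()
        c = MBAM_COUNT.match(line)
        if c:
            declared += int(c.group(2))
            continue
        m = MBAM_LINE.match(line)
        if m:
            seen += 1
            findings.append({"source": "MBAM", "severity": "alert", "item": m.group(1),
                             "detail": f"{m.group(2)} -> {m.group(3)}"})
    if declared != seen:
        findings.append({"source": "MBAM", "severity": "review", "item": "log",
                         "detail": f"headers declare {declared} item(s), {seen} parsed"})
    return findings


def triage(fss: str, winsock: str, mbam: str) -> List[Dict[str, str]]:
    """Alerts first, then review items, so the urgent lines sit at the top."""
    findings = fss_file_check(fss) + winsock_entries(winsock) + mbam_detections(mbam)
    return sorted(findings, key=lambda f: f["severity"])  # "alert" sorts before "review"


if __name__ == "__main__":
    for f in triage(FSS_EXCERPT, WINSOCK_EXCERPT, MBAM_EXCERPT):
        print(f"[{f['severity']:6}] {f['source']:8} {f['item']}  ({f['detail']})")
```

Feeding the full pasted logs to the same functions works unchanged, since the regexes only pick out lines in the formats shown and ignore the rest.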

#4 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,710 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 22 June 2012 - 07:51 PM

I don't see anything malicious there.

Are you experiencing some particular issues?

You're not running any AV program.
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.



 


#5 Beachy2000

  • Topic Starter

  • Members
  • 3 posts

Posted 25 June 2012 - 10:18 AM

I only see strange entries such as, when I right-click Open With > Choose Program, it shows an application with no name and it's the first choice available. I also stated the strange services ID string thing that is under my services. I scanned and found an IRCBot with Malwarebytes.

#6 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,710 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 25 June 2012 - 06:01 PM

For now...

You're not running any AV program.
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.

