

My Hijackthis Log


  • This topic is locked
8 replies to this topic

#1 yoopergirl

  • Members
  • 54 posts

Posted 07 November 2006 - 02:46 AM

My daughter was logged into her "side" of the comp and the mouse started moving on its own. We're thinking we have a hacker or something and I'm afraid of personal info, account numbers and the like getting into the wrong hands. Will this HijackThis log include anything on her "side" of my comp as well? Anything else you notice in the log that can safely be deleted, please let me know. I appreciate your taking the time to check it out. I should say that I use EarthLink for internet and McAfee for firewall. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:03 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\bwgo0000f0b9.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm369YYUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147387382421
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 November 2006 - 12:06 PM

Hey there and welcome to BleepingComputer.
My name is David, I'll be taking your HijackThis log.

Firstly let me start by saying I do see a few things in the log that [i]might[/i] be a problem.
I'll have a good look, see if there are any hidden processes/anything capable of hacking.
Secondly it's important to note that the mouse moving on its own can be the PC's fault.
Is it an optical mouse with a laser or one with a ball inside?
I have an optical mouse and sometimes find it crawls across the screen on its own.

I would like to take a look at two files first.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\Documents and Settings\HP_Owner\Local Settings\Temp\bwgo0000f0b9.exe
C:\WINDOWS\system32\spider.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

By the way, do you have Dr-Web installed on your PC?

Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

David

#3 yoopergirl

  • Topic Starter
  • Members
  • 54 posts

Posted 08 November 2006 - 04:32 AM

Hi David, thanks so much for helping me out, I appreciate your taking the time.

Yes, we have an optical mouse.

I've downloaded the Suspicious File Packer, run it and copied the results to the site you linked to. I should add that the spider file you were sceptical of is probably the name of the spider solitaire game I was running at the time of the scan, I'm sorry.

I've never heard of Dr. Web, I don't believe it's on my comp unless it came pre-installed. I ran a search and nothing turned up.

I've downloaded GMER and here are the results:

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 04:19:15
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\notepad.exe[364] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\WINDOWS\system32\notepad.exe[364] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00953E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\explorer.exe[396] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AB3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\sm56hlpr.exe[1640] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BD3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2024] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe[2036] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01D43E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for gmerbleepingcomp.zip\gmer.exe[2148] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for gmerbleepingcomp.zip\gmer.exe[2148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C83E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2164] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01483E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2184] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D53E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\EarthLink TotalAccess\FastLane2\ipmon32.exe[2220] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C63E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe[2232] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AC3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text ...
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2664] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[2664] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F83E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe[2672] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe[2672] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01013E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\EarthLink TotalAccess\TaskPanl.exe[2780] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01853E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\ALCXMNTR.EXE[2876] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00F43E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\system\hpsysdrv.exe[3148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00DA3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\HijackThis\HijackThis.exe[3180] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\Program Files\HijackThis\HijackThis.exe[3180] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01513E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3848] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3848] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01853E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll

---- EOF - GMER 1.0.12 ----

I hope I did everything right, I'm not too good with computers.

btw should I get Dr. Web?

Thanks again.

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 10 November 2006 - 07:03 AM

Sorry for the delay in getting back to you, yoopergirl.

I've looked over the files that you uploaded and both of them are legitimate, although one was in the temporary folder. When we run a general cleaning tool a bit later it will most likely be removed with no harm to the system at all. The spider.exe file you uploaded was, as you suggested, the windows game that you had open at the time; the reason I wanted to check it out was simply because there are a lot of malware files that are able to hide under different names, and I've seen a malware spider.exe version before.

I have a feeling that the mouse problem is down to the fact it is optical.

I did a little research and was actually able to fix the same problem you had with my own mouse. I think it can be one of two relatively simple things, that can be easily fixed. Are you using a mouse mat? If not, then I recommend you do. If you are using a mouse mat then that could be the problem itself. Over time dirt builds up on the mat and makes the surface of the mat a bit bumpy, meaning the optical mouse does not work as efficiently. This might have caused the movement of the cursor across the screen when you were not touching the mouse. Secondly, it could be a build-up of dirt on the optical mouse itself, underneath. I would recommend you have a good clean of both the mouse and the mat, and see if the problem happens again. I took a look at the GMER log you posted and it's fine, nothing capable of hacking your system and moving the cursor there. The entries in the GMER log are all legitimate, for example some of the entries are related to your McAfee antivirus.

The reason I asked about Dr.Web was because there is a legitimate spider.exe that is related to the program.
I figured that if you had Dr.Web installed the file could have been related.
No worries though, and I don't want you to install it.
Let me know how the mouse cleaning went and see if the problem is resolved.
I did see a case where the mouse's drivers needed updating;
old versions can cause the effect.
If you want I can have a deeper look into the PC and see if there is anything we can remove.
Let me know how you get on...

David
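The GMER entries David reviews above are user-mode inline hooks: in each process the first bytes of WS2_32.dll!connect are replaced with a 5-byte JMP into McAfee's McVSSkt.dll, while the kernel32.dll!FreeLibrary lines are small in-place patches with no JMP target that GMER cannot attribute. The following is an added example, not code from the thread or from GMER, that parses those lines and sorts them into hooks landing in a module already verified as legitimate, hooks into anything else, and unattributed patches; the trusted-module list and the sample lines (copied from the log above) are assumptions for this machine.

```python
import re
from collections import defaultdict

# Layout of one GMER 1.0.12 user-code line, as seen in this thread:
# .text <process>[<pid>] <dll>!<export>[ + <hexoff>] <addr> <n> Bytes [JMP <target> [<module>]]
GMER_LINE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<symbol>\S+!\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?"
    r"(?:\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>\S+))?)?\s*$"
)

# Sample lines copied from the GMER log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\notepad.exe[364] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes
.text C:\WINDOWS\system32\notepad.exe[364] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00953E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\explorer.exe[396] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00AB3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text ...
.text C:\Program Files\HijackThis\HijackThis.exe[3180] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01513E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
"""

# Modules an examiner has already verified as legitimate on this box. McVSSkt.dll is
# McAfee's socket filter here; on another machine this list is an assumption to check.
TRUSTED_MODULES = {"mcvsskt.dll"}


def parse_gmer(text):
    """Return one dict per parsable '.text' line; GMER's '.text ...' elision is skipped."""
    hooks = []
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"], h["size"] = int(h["pid"]), int(h["size"])
            hooks.append(h)
    return hooks


def triage(hooks, trusted=TRUSTED_MODULES):
    """Split hooks into the three buckets a reviewer wants to see separately.

    trusted_hooks:   JMP into a module on the trusted list (expected AV behaviour)
    untrusted_hooks: JMP into any other module (identify that module first)
    patches:         bytes changed in place with no JMP target, so GMER names no
                     owner; these are checked by hand
    The first two map a module basename to [(process, symbol), ...].
    """
    trusted_hooks, untrusted_hooks, patches = defaultdict(list), defaultdict(list), []
    for h in hooks:
        entry = (h["proc"], h["symbol"])
        if not h["target"]:
            patches.append(entry)
            continue
        if h["module"]:
            base = h["module"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        else:
            base = "<unknown>"
        bucket = trusted_hooks if base in trusted else untrusted_hooks
        bucket[base].append(entry)
    return dict(trusted_hooks), dict(untrusted_hooks), patches


if __name__ == "__main__":
    t, u, p = triage(parse_gmer(SAMPLE_LOG))
    print("trusted:", {k: len(v) for k, v in t.items()})
    print("untrusted:", {k: len(v) for k, v in u.items()})
    print("unattributed patches:", p)
```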

#5 yoopergirl

  • Topic Starter
  • Members
  • 54 posts

Posted 11 November 2006 - 01:32 AM

Hey David, thanks a lot for the help. I have two more things to ask you about if you don't mind. The first part is that I read on someone's HijackThis topic that you should run those programs while in safe mode. So I tried it and my GMER report came back a lot BIGGER in length than the original one I posted. I can't even post it all here but here's a little section, I copied and pasted from the bottom up:


.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameW + B 77FEBEB3 77 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameW + 59 77FEBF01 74 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameW + A4 77FEBF4C 107 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameW + 110 77FEBFB8 1 Byte
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameW + 112 77FEBFBA 45 Bytes
.text ...
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameW + 9 77FEC048 30 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameW + 28 77FEC067 33 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameA + 11 77FEC08B 73 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!GetComputerObjectNameA + 5D 77FEC0D7 147 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameA + 40 77FEC16C 6 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameA + 49 77FEC175 136 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameA + D4 77FEC200 59 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameA + 110 77FEC23C 17 Bytes
.text C:\WINDOWS\system32\userinit.exe[768] Secur32.dll!TranslateNameA + 123 77FEC24F 83 Bytes
.text ...

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F7933C74
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F7930400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F7930400
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F7933BCE

---- EOF - GMER 1.0.12 ----

The most lengthy part of the report came before the first line I posted and had to do with userinit as well. Is the userinit.exe anything I should be concerned about?

Secondly, after running Spybot - Search & Destroy several times I keep coming up with these two entries:

Microsoft.WindowsSecurity.AntivirusDisableNotify
Settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword=0
Kind:
1 entries Registry change


Microsoft.WindowsSecurity.FirewallDisableNotify
Settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword=0
Kind:
1 entries Registry change

When I click to "fix the problem" the program says something like two problems fixed. I can run the scan again immediately after it tells me it's fixed and the same two entries appear again and again. Is this anything to be worried about?

I'll check on things with the mouse, I just got the mouse a few weeks ago. It hasn't moved on its own while I was using it but my daughter said it did for her, so I'll check into it. She also suspected a keylogger or some virus because it seems no matter where she goes to chat online a certain person shows up to bother her every time. She doesn't know who the person is but she knows that they seem to find her every time she chats.

Thanks again so much for your time

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 November 2006 - 04:07 PM

Firstly, GMER is not meant to be run in safe mode.
If you do so you'll get a whole host of legitimate entries.
I can assure you there is nothing wrong with the log.

In regards to the spybot log, you shouldn't erase those.
These entries tell the Security Center not to warn you when your antivirus is turned off, and that's ok as long as your McAfee protection notifies you instead. Anyway, in Spybot - Search & Destroy, if you select this entry and expand the tab on the right, you will get advice on this. If you are sure notifications have NOT been disabled by mistake or evil software, it's a good idea to tell Spybot not to show you these entries in the future. You can do that by right-clicking an entry, and selecting the appropriate option.

How is the PC running? :thumbsup:

#7 yoopergirl

  • Topic Starter
  • Members
  • 54 posts

Posted 12 November 2006 - 07:22 PM

Hey there, I had a huge crash, my comp wouldn't load Windows etc.; every option I tried, including loading safe mode, failed until the only option that worked was to run system recovery, which I have done. I LOST EVERYTHING. :thumbsup: This could be my fault though because I turned on my comp and it showed that my daughter, myself and the guest account were all logged on, which wasn't possible, so I tried to log off and shut down the comp but it froze so I just unplugged it. When I restarted I got some kind of message saying roughly that Windows wouldn't load to protect my computer. It then tried to open Windows and my comp just kept starting over and over again, ending finally on a black screen with options in white. As I said the only choice was to run system recovery, I tried every other choice and it would just reload over and over like the first time. I don't know what the problem was but hopefully now it's gone. Could something (virus, etc.) still be on my comp after doing a system recovery (where everything was lost and all new factory files and programs are the only thing I have on it now)? Thanks for your help.

#8 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 18 November 2006 - 05:54 PM

I'm sorry to hear that you had to reformat the PC.
You can now be assured that the PC you are using is clean of malware.
If you like I can check a HJT from the newly formatted computer.

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 December 2006 - 01:11 PM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
