
Superslow Pc And Problems With Internet Connectivity


11 replies to this topic

#1 Muhammad Shariq

Posted 07 November 2006 - 11:19 PM

Dear Team,

Please find below the HijackThis log of my PC. I hope you can help me out.

Regards,

Shariq





Logfile of HijackThis v1.99.1
Scan saved at 9:09:13 AM, on 08/11/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Muhammad Shariq\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.debenhamsb2b.net/infoweb/prodst..._procedures.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SiteMinder Authentication Service (SmServAuth) - Unknown owner - d:\CFUSION\bin\Service_AuthSrvr.exe (file missing)
O23 - Service: SiteMinder Authorization Service (SmServAz) - Unknown owner - d:\CFUSION\bin\Service_AzSrvr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 Muhammad Shariq (Topic Starter)

Posted 13 November 2006 - 02:06 AM

Can I kindly have a reply to my HijackThis log posted above?

#3 Grinler (Lawrence Abrams, Admin)

Posted 16 November 2006 - 12:21 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#4 Muhammad Shariq (Topic Starter)

Posted 05 December 2006 - 11:35 PM

Please find below the most recent HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 9:22:26 AM, on 06/12/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Muhammad Shariq\Desktop\HijackThis.exe

#5 Muhammad Shariq (Topic Starter)

Posted 05 December 2006 - 11:40 PM

Please find below the most updated HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:22:26 AM, on 06/12/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Muhammad Shariq\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.debenhamsb2b.net/infoweb/prodst..._procedures.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5109B14E-F137-479C-AB91-506287DC7A49}: NameServer = 202.87.109.10 202.87.80.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SiteMinder Authentication Service (SmServAuth) - Unknown owner - d:\CFUSION\bin\Service_AuthSrvr.exe (file missing)
O23 - Service: SiteMinder Authorization Service (SmServAz) - Unknown owner - d:\CFUSION\bin\Service_AzSrvr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Regards,

Shariq
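The log above is the usual starting point for this kind of thread, and the things a helper looks for in it are mechanical enough to script. The following is an added example, not part of this thread and not code from HijackThis: it parses the section-prefixed lines (R0, O2, O4, O17, O18, O20, O23) into records and flags the entries that deserve a second look, such as "(file missing)" autostarts, services with an unknown owner, shortcuts whose target could not be resolved, O17 DNS servers to confirm against the ISP, Winlogon notify DLLs, and browser DLLs sitting directly in the Windows folder rather than a subfolder. The flag names are this script's own, and the sample lines are copied from the log so the script runs offline.

```python
"""Parse HijackThis v1.99 log lines into records and run a few triage checks.

Added example; not part of this thread and not code from HijackThis. The
section prefixes (R0, O2, O4, O17, ...) are HijackThis's own; the flag
names below are this script's.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log above so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{5109B14E-F137-479C-AB91-506287DC7A49}: NameServer = 202.87.109.10 202.87.80.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SiteMinder Authentication Service (SmServAuth) - Unknown owner - d:\CFUSION\bin\Service_AuthSrvr.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINDIR_RE = re.compile(r"^[a-z]:\\windows$")   # directory is the bare Windows folder
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _image(cmd: str) -> str:
    """Executable or DLL referenced by a command line / file field."""
    cmd = cmd.replace(MISSING, "").strip()
    if cmd.startswith('"'):                 # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" /", 1)[0].strip()    # unquoted: cut at the first switch


def _extract_path(section: str, body: str) -> Optional[str]:
    if section in ("O2", "O3", "O9", "O18", "O20", "O23"):
        return _image(body.rsplit(" - ", 1)[-1])   # path is the last " - " field
    if section == "O4":
        if "Startup:" in body:                     # shortcut entries: "name.lnk = target"
            return _image(body.split(" = ", 1)[-1])
        return _image(body.split("] ", 1)[-1])     # Run keys: "[name] command"
    return None


def parse(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                                      # header, process list and blanks are skipped
            section, body = m.group("section"), m.group("body")
            entries.append(Entry(section, body, _extract_path(section, body)))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Attach flags and index entries by flag. Flags mark what to verify, not verdicts:
    a legitimate toolbar can live in the Windows directory, and an ISP's resolvers
    appear under O17 on every machine that uses them."""
    by_flag: Dict[str, List[Entry]] = {}

    def flag(e: Entry, name: str) -> None:
        e.flags.append(name)
        by_flag.setdefault(name, []).append(e)

    for e in entries:
        if MISSING in e.body:
            flag(e, "file_missing")         # dangling autostart: stale uninstall or removed payload
        if e.section == "O23" and "Unknown owner" in e.body:
            flag(e, "unknown_owner")        # service binary without a recognised publisher
        if e.section == "O4" and e.path == "?":
            flag(e, "unresolved_shortcut")  # startup shortcut whose target could not be read
        if e.section == "O17":
            flag(e, "nameserver")           # DNS servers: confirm they belong to the ISP
        if e.section == "O20":
            flag(e, "winlogon_notify")      # DLL loaded into winlogon.exe at every logon
        if e.section in ("O2", "O3", "O20") and e.path:
            if WINDIR_RE.match(ntpath.dirname(e.path).lower()):
                flag(e, "windir_root_dll")  # DLL sitting directly in %WINDIR%, not a subfolder
    return by_flag


def nameservers(entries: List[Entry]) -> List[str]:
    """IPv4 addresses from O17 NameServer lines, in order of appearance."""
    ips: List[str] = []
    for e in entries:
        if e.section == "O17":
            ips.extend(IPV4_RE.findall(e.body.split("NameServer =", 1)[-1]))
    return ips


if __name__ == "__main__":
    found = triage(parse(SAMPLE_LOG))
    for name, hits in sorted(found.items()):
        print(f"[{name}]")
        for e in hits:
            print(f"  {e.section}: {e.path or e.body}")
    print("O17 nameservers:", nameservers(parse(SAMPLE_LOG)))
```

Run it on a full log by reading the file into `parse()`; the process list and header lines are ignored. Every flag is a prompt to check the publisher, the file on disk, or (for O17) the ISP's published resolvers, which is the same judgement the helper applies by hand.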

#6 Grinler (Lawrence Abrams, Admin)

Posted 11 December 2006 - 04:39 PM

Download and save BlackLight to your desktop.
F-Secure BlackLight: https://europe.f-secure.com/exclude/blacklight/blbeta.exe
Double-click blbeta.exe, then accept the agreement.
Leave [X] scan through Windows Explorer checked,
click > scan, then > next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legitimate items can also be present there, like "wbemtest.exe".
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste this log along with the RootkitRevealer log.

#7 Muhammad Shariq (Topic Starter)

Posted 12 December 2006 - 06:23 AM

Hi Grinler,

Please find below the BlackLight log:

12/12/06 10:45:58 [Info]: BlackLight Engine 1.0.47 initialized
12/12/06 10:45:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/12/06 10:45:59 [Note]: 7019 4
12/12/06 10:45:59 [Note]: 7005 0
12/12/06 10:46:28 [Note]: 7006 0
12/12/06 10:46:29 [Note]: 7011 2224
12/12/06 10:46:29 [Note]: 7026 0
12/12/06 10:46:30 [Note]: 7026 0
12/12/06 10:46:52 [Note]: FSRAW library version 1.7.1020
12/12/06 10:48:14 [Note]: 7007 0


When I started BlackLight and accepted the license, it didn't have any "[X] scan through Windows Explorer" option that I should have left checked.

Following is the log that I saved from RootkitRevealer:

C:\Documents and Settings\Muhammad Shariq\Cookies\muhammad shariq@as-eu.falkag[1].txt 12/12/2006 12:37 PM 730 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Cookies\muhammad shariq@as-eu.falkag[2].txt 12/12/2006 12:34 PM 743 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Cookies\muhammad shariq@Bet365[1].txt 12/12/2006 12:34 PM 92 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Cookies\muhammad shariq@Bet365[2].txt 12/12/2006 12:37 PM 92 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\2I7XXJTB\_;ord=1165908864598997[1] 12/12/2006 12:34 PM 1.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\2I7XXJTB\admsg[1].html 12/12/2006 12:32 PM 1009 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\2I7XXJTB\CAMJOFNW.GIF 12/12/2006 12:46 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\4BW18BIJ\controller[1] 12/12/2006 12:37 PM 1.14 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\4L4LANOT\trpix[2].gif 12/12/2006 12:34 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\AG276J6B\CA67WD2V.swf 12/12/2006 12:34 PM 29.35 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\ANURQDMJ\chat[1].html 12/12/2006 12:43 PM 694 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\AWX9VO6P\chat[1].html 12/12/2006 12:33 PM 694 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\JD2AABEA\272183[1].htm 12/12/2006 12:37 PM 54.65 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\JD2AABEA\272183[1].html 12/12/2006 12:37 PM 12.63 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\KTUZSLM7\_;ord=1165909504449142[1] 12/12/2006 12:45 PM 11 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\PDJZN6F6\64[2].js 12/1/2006 3:41 PM 3.69 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\PDJZN6F6\trpix[2].gif 12/12/2006 12:37 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\QGRWTRRU\CANI6PRZ.gif 12/12/2006 12:37 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\R30L8B0H\chat[1].htm 12/12/2006 12:33 PM 1.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\R30L8B0H\WI_IN_PAK[1] 12/12/2006 12:34 PM 12.58 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\RYT0DNRF\_;ord=1165909504449142[1].htm 12/12/2006 12:45 PM 4.59 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\RYT0DNRF\trpix[2].gif 12/12/2006 12:34 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\S9Y34TU7\_;ord=1165908756251517[1] 12/12/2006 12:32 PM 1.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\S9Y34TU7\_;ord=1165908864598997[1].htm 12/12/2006 12:34 PM 4.61 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\WHS1MVWD\chat[1].htm 12/12/2006 12:43 PM 1.21 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\WHS1MVWD\controller[1] 12/12/2006 12:34 PM 1.13 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\XX42GNDN\admsg[1].html 12/12/2006 12:34 PM 1010 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\XX42GNDN\CATWID9J.SWF 12/12/2006 12:46 PM 28.52 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\YDKAAEGU\CA05M3UJ.gif 12/12/2006 12:35 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\YPKNITU5\64[2].js 12/12/2006 12:34 PM 4.38 KB Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\cache\Avatars\1bxWf9pWDAAMD-IFDQItwETYA.full.swf 12/12/2006 12:35 PM 30.21 KB Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\cache\Avatars\1qGu9JoUYAAEDHcJufBMQBA==.full.swf 12/12/2006 12:45 PM 34.85 KB Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\Profiles\zafarkamal7\Archive\Messages\b_folashade 12/12/2006 12:49 PM 0 bytes Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\Profiles\zafarkamal7\Archive\Messages\b_folashade\20061212-jumpinjackonyaass.dat 12/12/2006 12:50 PM 100 bytes Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\Profiles\zafarkamal7\Archive\Messages\crystal_water73 12/12/2006 12:45 PM 0 bytes Hidden from Windows API.
C:\Program Files\Yahoo!\Messenger\Profiles\zafarkamal7\Archive\Messages\crystal_water73\20061212-jumpinjackonyaass.dat 12/12/2006 12:48 PM 311 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00006365 12/12/2006 12:35 PM 3.23 MB Hidden from Windows API.


However, during scanning, when RootkitRevealer started processing D: files, it showed the error message below and stopped.

"An error occured in CMD.EXE that prevents RootkitRevealer from accurately analyzing your system. If CMD.EXE is available on your system please report this failure."

Regards,

Shariq
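RootkitRevealer works by comparing what the Windows API reports with what a raw scan of the file system finds, so anything created or deleted between the two passes shows up as a discrepancy even though nothing is hiding it. The log above is almost entirely that kind of churn (cookies, Temporary Internet Files, Yahoo! Messenger cache, Norton's Recycle Bin protection), all timestamped while the scan was running. The following is an added example, not part of this thread and not code from Sysinternals: it parses the line layout shown above and separates churn-directory entries from discrepancies under the Windows directory or elsewhere that a helper would actually want to see. The scan window is an assumption (the log records no scan start or end), and the `hypothetical.sys` line is made up to show what a non-noise entry looks like.

```python
"""Triage RootkitRevealer output: separate scan-time churn from discrepancies worth a look.

Added example; not from this thread and not code from Sysinternals. The line
layout (path, date, time, size, description) follows the log posted above.
SCAN_WINDOW and the 'hypothetical.sys' line are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample: five lines from the log above plus one made-up system entry.
SAMPLE = r"""
C:\Documents and Settings\Muhammad Shariq\Cookies\muhammad shariq@as-eu.falkag[1].txt 12/12/2006 12:37 PM 730 bytes Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\JD2AABEA\272183[1].htm 12/12/2006 12:37 PM 54.65 KB Hidden from Windows API.
C:\Documents and Settings\Muhammad Shariq\Local Settings\Temporary Internet Files\Content.IE5\PDJZN6F6\64[2].js 12/1/2006 3:41 PM 3.69 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Yahoo!\Messenger\cache\Avatars\1bxWf9pWDAAMD-IFDQItwETYA.full.swf 12/12/2006 12:35 PM 30.21 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00006365 12/12/2006 12:35 PM 3.23 MB Hidden from Windows API.
C:\WINDOWS\system32\drivers\hypothetical.sys 11/30/2006 4:12 PM 24.00 KB Hidden from Windows API.
"""

# Assumed start/end of the RootkitRevealer run (the log itself records no scan times).
SCAN_WINDOW = (datetime(2006, 12, 12, 12, 30), datetime(2006, 12, 12, 12, 55))

RKR_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB)\s+(?P<desc>.+)$"
)
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Places where the browser, the messenger and Norton's Recycle Bin protection
# create and delete files continuously, so a scan that reads the Windows API
# first and the raw disk later will see them differ.
CHURN_DIRS = (
    "\\temporary internet files\\",
    "\\cookies\\",
    "\\yahoo!\\messenger\\cache\\",
    "\\yahoo!\\messenger\\profiles\\",
    "\\recycled\\nprotect\\",
)


@dataclass
class Discrepancy:
    path: str
    when: datetime     # file timestamp as printed by RootkitRevealer
    size: int          # bytes
    desc: str

    @property
    def kind(self) -> str:
        d = self.desc.lower()
        if d.startswith("hidden from windows api"):
            return "hidden"         # raw scan found it, API scan did not
        if d.startswith("visible in windows api, but not in mft"):
            return "not_on_disk"    # API scan found it, raw scan did not
        return "other"


def parse(text: str) -> List[Discrepancy]:
    out = []
    for line in text.splitlines():
        m = RKR_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
        size = int(float(m["size"]) * UNITS[m["unit"]])
        out.append(Discrepancy(m["path"], when, size, m["desc"].rstrip(".")))
    return out


def classify(d: Discrepancy, window: Tuple[datetime, datetime]) -> str:
    """'noise' for churn-directory entries consistent with creation or deletion
    during the scan, 'system' for anything under the Windows directory,
    'review' for the rest."""
    p = d.path.lower()
    start, end = window
    if any(c in p for c in CHURN_DIRS):
        # A file deleted mid-scan keeps its old timestamp, so only require the
        # timestamp to fall inside the window for files that appeared mid-scan.
        if d.kind == "not_on_disk" or start <= d.when <= end:
            return "noise"
    if "\\windows\\" in p:
        return "system"
    return "review"


def summarize(text: str, window: Tuple[datetime, datetime]):
    counts = {"noise": 0, "system": 0, "review": 0}
    flagged = []
    for d in parse(text):
        verdict = classify(d, window)
        counts[verdict] += 1
        if verdict != "noise":
            flagged.append((verdict, d.kind, d.path))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE, SCAN_WINDOW)
    print(counts)
    for verdict, kind, path in flagged:
        print(f"{verdict:7} {kind:12} {path}")
```

The point of the window check is that "Hidden from Windows API" on a file whose timestamp is inside the scan run means it appeared after the API pass, whereas the same description on a file under the Windows directory with an old timestamp is what rootkit filtering looks like and is the entry to examine. Running the real scan with the browser and messenger closed removes most of the noise before any triage.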

#8 Grinler (Lawrence Abrams, Admin)

Posted 13 December 2006 - 03:30 PM

This appears to be a problem with RKR. Let's try this:


* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems running GMER.exe, try it in safe mode.
This tool works in safe mode; other rootkit revealers don't.

#9 Muhammad Shariq (Topic Starter)

Posted 16 December 2006 - 02:59 AM

Hi,

This site is down and the following link is unavailable:

http://www.gmer.net/gmer.zip

I've downloaded the file from http://www.sac.sk/files.php?d=1&l=G

Not sure how authentic the file is, though.

Any suggestions?

Regards,

Shariq

#10 Grinler (Lawrence Abrams, Admin)

Posted 17 December 2006 - 05:51 PM

Not sure myself. Try again tomorrow and see if the site is back up. In the meantime I will look for a trusted place for the download.

#11 Muhammad Shariq (Topic Starter)

Posted 18 December 2006 - 12:15 AM

Please find below the GMER log:

---------------------------------------------------------------------------------


GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-12-16 16:20:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT FFBCC138 ZwConnectPort

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\NtfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS

---- EOF - GMER 1.0.11 ----


Regards,

Shariq
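What makes the GMER log above easy to judge is that every IRP_MJ_FILE_SYSTEM_CONTROL hook points into the same driver, BsUDF.SYS, a UDF file-system driver hooking the CD/UDF device stack it is meant to serve. The one SSDT line gives only an address for ZwConnectPort, and the step a helper takes with such a line is to find which loaded module owns that address. The following is an added example, not part of this thread and not code from GMER: it parses the two line shapes in the log, groups device hooks by owning module, and tries to attribute SSDT handler addresses to a module. MODULE_RANGES is a hypothetical, constructed loaded-module table standing in for GMER's Modules tab or a kernel debugger's module list; its addresses are not from the user's machine, so the unresolved result for ZwConnectPort below says nothing about the real system.

```python
"""Summarise a GMER 1.0.11 rootkit scan: group IRP hooks by the module that owns
the handler, and list SSDT entries that still need attributing to a module.

Added example; not from this thread and not code from GMER. MODULE_RANGES is a
constructed, hypothetical loaded-module table standing in for what GMER's
Modules tab or a kernel debugger would show; its addresses are not from the
user's machine.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the GMER log above.
SAMPLE = r"""
---- System - GMER 1.0.11 ----

SSDT FFBCC138 ZwConnectPort

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\NtfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A7F0] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F7C1A4AC] BsUDF.SYS
"""

# Hypothetical (start, end) virtual address ranges of loaded kernel modules.
MODULE_RANGES: Dict[str, Tuple[int, int]] = {
    "BsUDF.SYS": (0xF7C14000, 0xF7C20000),
    "ntoskrnl.exe": (0x804D7000, 0x806FF000),
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\S+)(?:\s+(?P<module>\S+))?$")
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<module>\S+)$"
)


def attribute(addr: int, ranges: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the module whose image contains addr, or None if no range matches."""
    for name, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            return name
    return None


def parse(text: str):
    ssdt: List[Tuple[int, str, Optional[str]]] = []   # (handler address, function, module or None)
    hooks = defaultdict(lambda: defaultdict(set))      # module -> IRP major -> devices
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((int(m["addr"], 16), m["func"], m["module"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            hooks[m["module"]][m["irp"]].add(m["device"])
    return ssdt, hooks


def report(text: str, ranges: Dict[str, Tuple[int, int]]) -> dict:
    ssdt, hooks = parse(text)
    irp_hooks = {mod: {irp: sorted(devs) for irp, devs in irps.items()}
                 for mod, irps in hooks.items()}
    attributed, unattributed = [], []
    for addr, func, module in ssdt:
        owner = module or attribute(addr, ranges)   # GMER 1.0.11 printed no module on SSDT lines
        (attributed if owner else unattributed).append((func, f"{addr:08X}", owner))
    return {"irp_hooks": irp_hooks,
            "ssdt_attributed": attributed,
            "ssdt_unattributed": unattributed}


if __name__ == "__main__":
    r = report(SAMPLE, MODULE_RANGES)
    for mod, irps in r["irp_hooks"].items():
        for irp, devs in irps.items():
            print(f"{mod}: {irp} on {len(devs)} device(s): {', '.join(devs)}")
    for func, addr, owner in r["ssdt_attributed"]:
        print(f"SSDT {func} -> {addr} ({owner})")
    for func, addr, owner in r["ssdt_unattributed"]:
        print(f"SSDT {func} -> {addr}: not inside any listed module, resolve before judging")
```

A hook is only as suspicious as its owner: a file-system driver hooking file-system control IRPs on its own devices is expected, while an SSDT entry whose address lands outside every loaded module, or inside a module with no file on disk, is the case that needs follow-up.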

#12 Grinler (Lawrence Abrams, Admin)

Posted 19 December 2006 - 05:22 PM

Nothing bad here. I suggest you disable all your startups via msconfig and then reboot. If the speed is better, then you need to enable each startup one at a time, rebooting in between each one, to determine which program is causing the slowdown.



