Spyware/Malware Removal: NutnWorks does not take responsibility for actions you may take or the results from following the instructions/directions given here. This forum is for assistance with the removal of Adware, Malware, Spyware, Viruses and Trojans, along with some RootKits ;)
#1
My PC has been running slow, behaving strangely and now I'm getting some hard disk errors and lost some files. I am suspicious of some malware but I am running Avira free & it hasn't detected anything (I keep it updated and occasionally run scans in Safe Mode).
My HijackThis logs and detailed problem description are below... thanks

----------------------------------------
System info (if this is TMI sorry, just trying to give a full picture)
----------------------------------------
HP Mini 1010NR
XP Home SP3
2 GB RAM
C: drive = 8 GB SSD (NTFS, virtual memory 3025 MB, 979 MB free on C:, hibernation disabled)
D: drive = 16 GB micro jump drive in the internal storage slot

Note that the D: drive holds My Documents, apps such as MS Office, and the iPhone backup. I created some NTFS junction points using MS's Junction utility (see http://technet.microsoft.com/en-us/s.../bb896768.aspx), which lets you point a folder on one drive to a physical location somewhere else (in the case of the iPhone, cuz it takes so much space it would fill up my netbook's c: drive).

----------------------------------------
ISSUE #1: Excel slowdowns
----------------------------------------
While running Excel 2003 editing a VBA macro (all my own code, I didn't just download some module and run it), suddenly Excel just stops responding (and it is not doing autosave) for 3-5 minutes as though the CPU usage is 100%, but task manager doesn't show it. After a few minutes I can use Excel again like nothing happened. Also while the Excel slowdown happened, in the system tray I thought I saw an icon pop up for a split second and then disappear. If I remember correctly, the icon looks like a red triangle or maybe similar to the "javascript error" icon from IE? The slowdown has happened constantly, maybe every 20 minutes when I'm using Excel, and I have noticed the icon 3 or 4 times. I didn't notice the Excel slowdown until after I installed iTunes/etc, so I could sync my iPhone. Note I'm not 100% sure if it's the iTunes though, I have a lot of stuff installed. But I'm pretty sure it started happening sometime after iTunes.

Out of desperation a couple times I tried killing certain processes such as the iPhone related ones (AppleMobileDeviceService.exe, iPodService.exe, iTunesHelper.exe) and once or twice I thought the slowdown ended after this, but this doesn't work most of the time. One time I saw an icon in the system tray that was Adobe Acrobat complaining that it couldn't download an update (it nags me there is an update every now and then) cuz I had the wifi turned off, and I killed it and the slowdown ended instantly. But I haven't seen the Adobe icon again & I don't recognize any Adobe updater in Task Mgr.

----------------------------------------
ISSUE #2: Hard drive issues & weirdness
----------------------------------------
Hard drive issue 1 is that I have an external USB drive (formatted NTFS) on which I started seeing some file errors when I tried copying or reading a file. I did a chkdsk /f x: on the drive and it deleted a bunch of invalid clusters or links, and I thought (hoped) it fixed the problem but a few files were gone. I hoped this was a freak occurrence but then I saw a similar error again within a day. I'm not sure if this is just bad luck, or the drive going bad, or if the file system is being corrupted by some malware.

Hard drive issue 2 is I ran into some file errors for the first time today while backing it up to a jump drive. I ran chkdsk and saw similar invalid clusters issues as above. This has never happened before, and I've been using this system in this config. since Aug, so I am suspicious that it's related to above.

Hard drive issue 3 is when I try safely remove hardware on the jump drive, I get: The device 'Generic volume' cannot be stopped because a program is still accessing it. However, Unlocker (see http://ccollomb.free.fr/unlocker) is not seeing any process that might be using the jump drive (usually it is Explorer or some app such as Word/Excel that previously had a file open on the drive). I'm usually able to free the drive & remove safely, so this is strange.

----------------------------------------
ISSUE #3: Service Host
----------------------------------------
To find out what might have a lock on the jump drive, I opened Process Explorer and am seeing 7(!) instances of Service Host and a red flag went up. I usually don't see that many. I hate that damned "service host", is there any utility that tells you what these actually are?

So below are my HijackThis system & startup scan logs. If anyone can see any problems please let me know, it would be much appreciated...

-------------------------------------------------------------------------------
hijackthis.log
-------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:29 PM, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\softwaredistribution\download\install\STacSV.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\windows\softwaredistribution\download\install\STacSV.exe

--
End of file - 8310 bytes

-------------------------------------------------------------------------------
startuplist.txt
-------------------------------------------------------------------------------
StartupList report, 11/12/2009, 9:35:15 PM
StartupList version: 1.52.2
Started from : D:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16915)
* Using default options
* Showing rarely important sections
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\softwaredistribution\download\install\STacSV.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Bluetooth.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
Persistence = C:\WINDOWS\system32\igfxpers.exe
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
hpWirelessAssistant = C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
avgnt = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
DVDTray = C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent = "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents] =

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\TextPad.txt\shell\open\command

(Default) = "C:\Program Files\TextPad 5\TextPad.exe" -s

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[DLC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\grTransferCtrl.dll
CODEBASE = https://transfers.ds.microsoft.com/F...ansferCtrl.cab

[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Avira AntiVir Scheduler: "C:\Program Files\Avira\AntiVir Desktop\sched.exe" (autostart)
Avira AntiVir Guard: "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" (autostart)
Apple Mobile Device: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
avgntflt: system32\DRIVERS\avgntflt.sys (autostart)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth Service: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Audio Service: c:\windows\softwaredistribution\download\install\STacSV.exe (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 12,591 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
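A HijackThis log is read by hand, entry by entry, asking of each autorun or service: who made it, and is it running from a place an installed program would normally live? The following Python script is an added example (not HijackThis's own code and not something any poster in this thread wrote) that applies those two questions mechanically to the O4 and O23 lines of the log above. The entries in `HJT_LINES` are copied from the posted log; the environment-variable defaults in `ENV`, the directory lists `EXPECTED_ROOTS` and `TRANSIENT_DIRS`, and all function names are assumptions of this example. Its output is a list of review prompts, not verdicts (the helper in post #2 read this log as clean; a service with "Unknown owner" or a binary under the Windows Update download folder is simply something to verify against the installer that put it there).

```python
import re

# Entries copied from the HijackThis log posted above. The parser and the
# review rules below are an added example, not HijackThis code.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Global Startup: Bluetooth.lnk = ?',
    r'O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe',
    r'O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe',
    r'O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\windows\softwaredistribution\download\install\STacSV.exe',
]

# Assumed default expansions for the environment variables seen in the log.
ENV = {"%systemroot%": "c:\\windows", "%programfiles%": "c:\\program files"}

# Assumed: where installed programs and Windows components are expected to
# live on this machine (the poster installs larger apps to D:\Program Files).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "d:\\program files\\")
# Assumed: locations a long-lived service binary should not normally run from.
TRANSIENT_DIRS = ("\\softwaredistribution\\download\\", "\\temp\\", "\\documents and settings\\")

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<entry>.*)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


def exe_path(cmd):
    """Pull the executable path out of a Run command, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|sys|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def expand(path):
    """Lower-case the path and substitute the assumed environment variables."""
    low = path.lower()
    for var, value in ENV.items():
        low = low.replace(var, value)
    return low


def review_path(path):
    """Return a review reason for an unusual binary location, else None."""
    p = expand(path)
    if any(t in p for t in TRANSIENT_DIRS):
        return "runs from a download/temp/profile location"
    if not p.startswith(EXPECTED_ROOTS):
        return "runs from an unexpected directory"
    return None


def triage_hjt(lines):
    """Return (entry name, reason) pairs worth verifying by hand."""
    findings = []
    for line in lines:
        if m := O4_RUN.match(line):
            reason = review_path(exe_path(m.group("cmd")))
            if reason:
                findings.append((m.group("name"), reason))
        elif m := O4_STARTUP.match(line):
            if m.group("entry").endswith("= ?"):
                findings.append((m.group("entry").split(" = ")[0],
                                 "startup shortcut target could not be resolved"))
        elif m := O23.match(line):
            if m.group("company").lower() == "unknown owner":
                findings.append((m.group("name"), "service has no vendor information"))
            reason = review_path(m.group("path"))
            if reason:
                findings.append((m.group("name"), reason))
    return findings


if __name__ == "__main__":
    for name, reason in triage_hjt(HJT_LINES):
        print(f"REVIEW: {name}: {reason}")
```

Each prompt names the entry as HijackThis labels it, so the reader can go straight back to the log line. Extending the rule set (a list of known-good vendors, a check that the file still exists on disk) is a matter of adding another function that returns a reason or `None`.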
#2
Quote:
1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC (note there is a space between the "t" and the "/"), and then press ENTER.

Log looks fine.

Then download Malwarebytes' Anti-Malware to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location and post it here.

The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
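`Tasklist /SVC` answers the question raised in post #1 ("is there any utility that tells you what these actually are?"): for every process it lists the service names hosted inside it, so seven svchost.exe instances are normal as long as each one is carrying a known service group. The script below is an added example (not part of this thread and not a Malwarebytes or Microsoft tool) that parses that output and summarises it. The `SAMPLE_TASKLIST` text is constructed to look like XP's `tasklist /svc` output; its PIDs, service groupings and the lookalike "svch0st.exe" line are illustrative, not taken from the poster's machine. Two details matter for a correct parse: a service list that is too long for its column wraps onto indented continuation lines, and "N/A" means the process hosts no service. The review notes it produces (an svchost.exe hosting nothing, or a process name that is almost but not quite svchost.exe) are things to verify with Process Explorer's image-path and parent columns, not a finding on their own.

```python
import difflib
import re

# Constructed sample of `tasklist /svc` output (XP column layout). PIDs,
# service groupings and the "svch0st.exe" lookalike are illustrative only.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       540 N/A
winlogon.exe                   648 N/A
services.exe                   692 Eventlog,PlugPlay
lsass.exe                      704 PolicyAgent,ProtectedStorage,SamSs
svchost.exe                    876 DcomLaunch
svchost.exe                    964 RpcSs
svchost.exe                   1052 AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,helpsvc,
                                   lanmanserver,lanmanworkstation,Schedule,
                                   winmgmt,wuauserv
svchost.exe                   1120 Dnscache
svchost.exe                   1240 LmHosts,WebClient
svchost.exe                   1404 stisvc
svchost.exe                   2020 N/A
svch0st.exe                   1960 N/A
explorer.exe                  1588 N/A
"""

# image name, whitespace, PID, whitespace, services column
ENTRY_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(field):
    """'A,B,' -> ['A', 'B']; 'N/A' -> []."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into dicts with image, pid and services.

    Long service lists wrap onto indented continuation lines, which are
    appended to the previous entry instead of being treated as a new process.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # header and separator rows
        if line[0].isspace():
            if entries:
                entries[-1]["services"].extend(_split_services(line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"image": m.group("image"), "pid": int(m.group("pid")),
                            "services": _split_services(m.group("services"))})
    return entries


def svchost_instances(entries):
    """Map each svchost.exe PID to the service names it hosts."""
    return {e["pid"]: e["services"] for e in entries if e["image"].lower() == "svchost.exe"}


def triage(entries, threshold=0.85):
    """Review notes (not verdicts): an svchost.exe hosting no service, and
    image names that closely resemble svchost.exe but are spelled differently."""
    notes = []
    for e in entries:
        name = e["image"].lower()
        if name == "svchost.exe":
            if not e["services"]:
                notes.append(f"PID {e['pid']}: svchost.exe hosts no service; "
                             "verify its image path and parent process")
        elif difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= threshold:
            notes.append(f"PID {e['pid']}: image name {e['image']!r} resembles svchost.exe")
    return notes


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, services in sorted(svchost_instances(parsed).items()):
        print(f"svchost.exe PID {pid}: {', '.join(services) or '(none)'}")
    for note in triage(parsed):
        print("REVIEW:", note)
```

On a real machine, run `tasklist /svc > tasklist.txt` from the command prompt described in the steps above and feed the file's contents to `parse_tasklist_svc` in place of the constructed sample; the same parser applies because the column layout is what the tool prints.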
#3
Thanks for your reply and the info.
Further info on my system: I was running Firefox (don't remember if it was 2.x or 3.x) and IE 7, and saw a post on annoyances.org saying some Microsoft update recently opened up a vulnerability on not only IE but Firefox. Not sure if this would be where I got a virus.

However now I have a bigger problem and am not sure if the issue was caused by some malware or if this is a hardware error. Here's what happened... Not 10 minutes after I posted the HijackThis log, my system started behaving even more strangely - I could no longer access the d:\ drive. I shut down and on reboot found my D: partition (the jump drive with My Documents) missing! (thankfully I had backed it up recently) I decided to just restore my last full system backup (from when I had just installed iTunes & MS Office) from an Acronis backup. I restored the c: drive, but then when it came to restoring the d: drive (the thumb drive with My Documents & where my larger apps were installed to, the iPhone backup location, etc.) I found that I can't re-format it (see the "no media" issue below). Could malware have been responsible for destroying the low-level format, or is this a hardware issue? The partition disappeared yesterday, so I'm wondering if this was some kind of timed "friday the 13th" virus. My current problem right now is getting the thumb drive to work again (per below). Any ideas?

THUMB DRIVE "NO MEDIA" ISSUE: I took out the thumb drive (PNY micro attache) and plugged it into my desktop PC, and it shows up in My Computer as Removable Disk (E), however if I right click to format it I get an error "There is no disk in drive E. Insert a disk, and then try again." In Computer Management > Disk Management, it shows up as Disk 1, Removable (E), but the entry says "No Media" and I can't click on it to create a partition. I googled the No Media problem and found a thread http://www.trap17.com/index.php/Form...ve_t38125.html discussing a similar problem for a diff. brand jump drive, and the answer was to low-level format the drive. They used a utility from http://www.apacer.com/en/support/dow...ity_Repair.zip but it didn't work for the PNY (said no drive found, it must be manufacturer-specific). I went to PNY's support page http://www3.pny.com/support/support_...SectionID=1057 and downloaded the Low Level Format Utility http://www3.pny.com/support/media//F...re-test_v1.zip and tried it. Per the directions:

Step 1: Plug in the device to the USB port of a desktop / laptop Computer
Step 2: Make sure the name shown in “Device manager” => “Disk drives” is in “swbn.inf” file. If not, Please add it in
Step 3: Double click “Preformat.exe” file to begin.

The PNY appears as "USBest USB2FlashStorage USB Device" in Device Manager and I tried adding it to the ini file. But when I run preformat.exe, I get the error: Preformat only supports IC 1006/1026, 2031, 2035, 2044, 2045, 2151, 2153 and 2154! So currently the PNY micro attache is out of commission. Does anyone know how to fix this problem?

PS I tried looking up other low-level format utilities but am not sure if I need one that is hardware-specific to the thumb drive. There is a low-level format utility at softpedia http://www.softpedia.com/get/System/...mat-Tool.shtml but it costs $ and I'm not sure if it would work.
#4
Sounds like you had a bad day.
It may be a hardware issue but might be a software problem so I PMed tallin.
#5
I agree with Little Eagle, you have had a bad day....not all bad as LE has cleared you of any Malware.
You can run your hard drive manufacturer's diagnostic tool found here. If that passes you can run Windows Check Disk. However, neither of these can fix a mechanical problem.

You have given so much information that I would like to get an overview of your system by asking you to run a PCPitstop scan and post the URL back here for us to attempt to assist you. The link tells you how if you are not familiar with the site. Please do not access any of the paid advertisements on the pitstop link; we can assist you for free here where possible.

This is really a hands-on problem, which means it may be a thought for you to find a family-friendly IT shop near to where you live to have a chat about your issues. We like to assist here if we can, so do post back with the results of the three ideas given above and let us take it from there.

Best regards,
__________________
Tallin
Learning each day