01-20-2010, 11:22 PM   #1
Need help please!

System:
Microsoft Windows XP Professional Version 2002
Service Pack 3

Intel® Pentium® 4
CPU 2.40 GHz
1.00 GB RAM

Other Info:

Turn off System Restore on all drives has been checked.

Symptoms:

My router has to be manually reset to default every once in a while due to "a page cannot be displayed" error. The first several times it detects my connection as "static" even though under TCP/IP properties I have it set to DHCP. I also noticed that the page kept refreshing and under the Mozilla Firefox navigation toolbar, the "X" or "stop loading this page" kept repeating while at the bottom it was saying "Done". After being very persistent and many attempts it finally detected DHCP. Another problem I noticed: Mozilla keeps stopping the page from being redirected. Also gmer.exe keeps crashing within several seconds of opening the application. I also ran ATF Cleaner.

Hidden Object
C:\DOCUMENTS AND SETTINGS\STEVE.SLS_COMP\LOCAL SETTINGS\TEMP\RARSFX0\K643DXP.EXE

LOGS:

======================================================================


Kaspersky Anti-Virus

1/19/2010 1:15:30 PM Task started File Anti-Virus Kaspersky Anti-Virus
1/19/2010 1:28:23 PM Task started File Anti-Virus Kaspersky Anti-Virus
1/19/2010 3:55:38 PM Detected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 5:25:24 PM Deleted: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 5:25:24 PM Detected: not-a-virus:RiskTool.Win32.PsExec.123 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199175.exe Generic Host Process for Win32 Services
1/19/2010 6:22:57 PM Deleted: not-a-virus:RiskTool.Win32.PsExec.123 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199175.exe Generic Host Process for Win32 Services
1/19/2010 6:22:57 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Generic Host Process for Win32 Services
1/19/2010 6:30:00 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Skipped by user Generic Host Process for Win32 Services
1/19/2010 6:32:04 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Windows Explorer
1/19/2010 6:32:39 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Skipped by user Windows Explorer
1/19/2010 6:32:42 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Windows Explorer
1/19/2010 6:32:54 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Skipped by user Windows Explorer
1/19/2010 6:33:26 PM Detected: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
1/19/2010 6:36:41 PM Deleted: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
1/19/2010 6:38:19 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Windows Explorer
1/19/2010 6:38:56 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Skipped by user Windows Explorer


======================================================================

Malwarebytes' Anti-Malware 1.44
Database version: 3597
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/19/2010 2:12:27 AM
mbam-log-2010-01-19 (02-12-27).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 245444
Time elapsed: 49 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huwebijum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yowujeje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fefiweta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hutoziyo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\juviyame.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yagerumu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186205.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191319.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191352.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191604.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191674.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1579\A0193853.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1589\A0196158.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1589\A0196333.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1600\A0198506.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1600\A0198742.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1601\A0198831.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1601\A0199005.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bilayupa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fejepena.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tepepife.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.


======================================================================
-- gschum
01-21-2010, 12:49 AM   #2
Re: Need help please!

======================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:09 AM, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\steve.SLS_COMP\Desktop\OTL.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/tech...upportutil.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programs\pcAnywhere10.5\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7217 bytes
-- gschum
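A small triage helper for the HijackThis-style log posted above, added here as an example and not part of the thread or of the HijackThis tool. It parses the `Rx - ...` / `Oxx - ...` entries, groups them by section code, and flags the entries a reviewer looks at first: orphaned BHO/button entries whose file is gone, autostart (O4) entries pointing into a temp or Recycler directory, and global DLL injection hooks (O20). The sample lines are copied from post #2 except the `[updater]` autorun, which is constructed from the "Hidden Object" path in post #1.

```python
"""Triage of HijackThis-style log entries (added example, not project code)."""
import re
from collections import defaultdict

# Sample log: lines from post #2 plus one constructed O4 entry ("[updater]")
# that reuses the temp-directory path reported as a hidden object in post #1.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\\..\\Run: [AVP] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\avp.exe"
O4 - HKCU\\..\\Run: [updater] C:\\DOCUME~1\\STEVE\\LOCALS~1\\Temp\\RarSFX0\\k643dxp.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O20 - AppInit_DLLs: C:\\PROGRA~1\\KASPER~1\\KASPER~1\\mzvkbd3.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""

# Section code (R0, R1, O2, O4, ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")

# Directories from which a persistent autostart entry should not normally run.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|recycler)\\", re.I)


def parse_hjt(text):
    """Map each section code (e.g. 'O4') to the list of entry bodies under it."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def triage(text):
    """Return (section, reason, entry) tuples that merit a closer look."""
    findings = []
    for section, bodies in parse_hjt(text).items():
        for body in bodies:
            low = body.lower()
            if "(no file)" in low or "(file missing)" in low:
                findings.append((section, "orphaned entry, file no longer exists", body))
            elif section == "O4" and SUSPICIOUS_DIRS.search(body):
                findings.append((section, "autostart from a temp or Recycler directory", body))
            elif section == "O20":
                findings.append((section, "global DLL injection hook, verify the vendor", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Orphaned entries are leftovers rather than active threats; the O4 and O20 hits are the ones to verify against a known vendor path before cleaning.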
01-21-2010, 06:16 AM   #3
Re: Need help please!

You have so much crap on your PC it beggars disbelief.
All the remnants of security programs on your PC are: ESET, Norton, SpywareBlaster, Trend Micro, HijackThis, Malwarebytes, SUPERAntiSpyware, and I presume you are running Kaspersky at present; have not seen the kitchen sink yet.

When you have old traces of security suites on your PC they can impede the operation of your present security suite and cause wonderful problems and conflicts.

Sort out which security suite you want to use, add Malwarebytes to the list and you should be right, then I recommend you reformat and reload your PC and start from scratch.
-- officemanager
01-21-2010, 09:10 AM   #4
Re: Need help please!

"add Malwarebytes to the list and you should be right"

I already have "Malwarebytes", the log was in my first post, but you must have overlooked that. And Norton Antivirus was uninstalled last year when my subscription ran out (wasn't satisfied with their software).

"You have so much crap on your PC it beggars disbelief."

I didn't know Anti-virus/anti-malware software was crap. Each software seems to detect malware that the other ones don't.

But Thanks, you were real helpful...

Cheers
Sometimes you got to learn to read the entire post!
-- gschum
01-23-2010, 02:27 AM   #5
Re: Need help please!

Issue resolved! Thanks for your criticism, real helpful!!!! You were almost as useful as a History Major/Art Major!

Got to go, time for tea and crumpets!!

Cheers Mate
-- gschum
01-23-2010, 03:24 AM   #6
Re: Need help please!

Before you go further, get CCleaner and clear up those useless registry keys.
-- ~Darkseeker~