Data Stream Exploit?


This topic is locked
57 replies to this topic

#31 watcherduck (Authentic Member, 116 posts)
Posted 30 November 2005 - 08:44 PM

Okay, I saved the log in My Documents as a text file, which opens in Notepad. All 27657 objects. I used the Find thingy (Ctrl+F), and here is what it found:

Tue Nov 29 19:56:13 2005 => Object "win32.passma Virus" found in File System! Action Taken: No Action Taken.

I tried the Find Next button, and it said, "Cannot find win32.passma".
I tried just passma, and got the same: "cannot find passma".

I read where it sometimes changes its name to director, so I searched director. Found lots of directory, but no director.



#32 daparker (Advanced Member, 779 posts)
Posted 30 November 2005 - 09:47 PM

It would be a good idea to run an online virus scan now.

#33 watcherduck (Authentic Member, 116 posts)
Posted 30 November 2005 - 09:52 PM

Okay, I'll do both. I'll let you know.

#34 daparker (Advanced Member, 779 posts)
Posted 30 November 2005 - 11:38 PM

Ok, I will continue to monitor your thread.

#35 watcherduck (Authentic Member, 116 posts)
Posted 01 December 2005 - 12:22 AM

Nothing from either one.

#36 daparker (Advanced Member, 779 posts)
Posted 01 December 2005 - 09:37 AM

Ok, I think the MWav item was probably a false positive then. I have one final scan to try. Please download RootKitRevealer from here. Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

#37 watcherduck (Authentic Member, 116 posts)
Posted 01 December 2005 - 12:17 PM

It took an hour and a half to scan. It found 115 discrepancies. When I was saving it to a file, so I could copy and paste it, RootkitRevealer encountered a problem and had to close. All the data was lost, so I will have to rescan. However, right now I have to go to work, so it will be this evening when I can rescan. Thanks for your patience.

#38 daparker (Advanced Member, 779 posts)
Posted 01 December 2005 - 12:25 PM

Ok, I'll be monitoring your thread.

#39 watcherduck (Authentic Member, 116 posts)
Posted 01 December 2005 - 02:11 PM

I found the saved log from the first scan:

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 12/1/2005 6:55 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 12/1/2005 6:55 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\HackCount 12/1/2005 6:55 AM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Don\Desktop\rootkitrevealer.zip 12/1/2005 5:54 AM 182.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Don\Desktop\rootkitrevealer.zip:Zone.Identifier 12/1/2005 5:54 AM 26 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Don\Desktop\rootkitrevealer\rootkitrevealer.zip 12/1/2005 7:34 AM 182.21 KB Hidden from Windows API.
C:\Documents and Settings\Don\Desktop\rootkitrevealer\rootkitrevealer.zip:Zone.Identifier 12/1/2005 7:34 AM 26 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\_#im_TemporaryEml_#im_.imh 12/1/2005 7:18 AM 165 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\_#im_TemporaryEml_#im_.imm 12/1/2005 7:18 AM 5.38 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\_#im_TemporaryEml_#im_1.imh 12/1/2005 7:20 AM 157 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\_#im_TemporaryEml_#im_1.imm 12/1/2005 7:20 AM 1.37 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\Attachments\bestscreensavereverforguy_1.pps 12/1/2005 7:20 AM 423.00 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\Deleted Items.imh 12/1/2005 7:20 AM 1.60 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Identities\{55B86A30-0076-4076-A24F-256C2D47522F}\Message Store\Deleted Items.imm 12/1/2005 7:20 AM 361.10 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{11916CDE-DFE9-4052-BC27-FE9F52AFD25A} 12/1/2005 7:18 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{11916CDE-DFE9-4052-BC27-FE9F52AFD25A}\Show 12/1/2005 7:18 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{11916CDE-DFE9-4052-BC27-FE9F52AFD25A}\Show\textPartPrev.html 12/1/2005 7:18 AM 5.26 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{353CA6F7-17FA-4A34-9582-F7F5213E12F0} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{353CA6F7-17FA-4A34-9582-F7F5213E12F0}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{353CA6F7-17FA-4A34-9582-F7F5213E12F0}\Show\textPart.html 12/1/2005 7:16 AM 3.18 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5055543F-A732-4246-9BB3-4E405915BA22} 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5055543F-A732-4246-9BB3-4E405915BA22}\Show 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5055543F-A732-4246-9BB3-4E405915BA22}\Show\ATT1.txt 12/1/2005 7:20 AM 153 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5055543F-A732-4246-9BB3-4E405915BA22}\Show\textPart.html 12/1/2005 7:20 AM 413 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{578E20D6-7349-4399-91AB-FED1C1B1F517} 12/1/2005 7:21 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{578E20D6-7349-4399-91AB-FED1C1B1F517}\Show 12/1/2005 7:21 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{578E20D6-7349-4399-91AB-FED1C1B1F517}\Show\textPart.html 12/1/2005 7:21 AM 1.39 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5C3238B0-F294-444A-8F0F-FF10CC6145BE} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5C3238B0-F294-444A-8F0F-FF10CC6145BE}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{5C3238B0-F294-444A-8F0F-FF10CC6145BE}\Show\htmlStr_Prev.htm 12/1/2005 7:16 AM 76.60 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{65A2A3D2-0E00-450F-AC0B-530FA9016E3E} 12/1/2005 7:17 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{65A2A3D2-0E00-450F-AC0B-530FA9016E3E}\Show 12/1/2005 7:17 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{65A2A3D2-0E00-450F-AC0B-530FA9016E3E}\Show\A Harvest Celebration1.JPG 12/1/2005 7:17 AM 184.55 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{65A2A3D2-0E00-450F-AC0B-530FA9016E3E}\Show\htmlStr_Prev.htm 12/1/2005 7:17 AM 1.37 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{7206CB11-AE7D-42BE-9313-B10A8E9A70A6} 12/1/2005 7:15 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{7206CB11-AE7D-42BE-9313-B10A8E9A70A6}\Show 12/1/2005 7:15 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{7206CB11-AE7D-42BE-9313-B10A8E9A70A6}\Show\htmlStr_Prev.htm 12/1/2005 7:15 AM 4.00 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{858D19BF-5CA5-4799-BDF3-097B1972671A} 12/1/2005 7:17 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{858D19BF-5CA5-4799-BDF3-097B1972671A}\Show 12/1/2005 7:17 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{858D19BF-5CA5-4799-BDF3-097B1972671A}\Show\htmlStr_Prev.htm 12/1/2005 7:20 AM 719 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{912780EB-298D-4224-A73E-95D3E234836A} 12/1/2005 7:27 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{912780EB-298D-4224-A73E-95D3E234836A}\Show 12/1/2005 7:27 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{912780EB-298D-4224-A73E-95D3E234836A}\Show\ATT1.gif 12/1/2005 7:27 AM 12.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{912780EB-298D-4224-A73E-95D3E234836A}\Show\htmlStr_Prev.htm 12/1/2005 7:27 AM 5.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\0footer16.gif 12/1/2005 7:16 AM 2.07 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\0footer27.gif 12/1/2005 7:16 AM 1.03 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\flashclips-layout_01-a1.jpg 12/1/2005 7:16 AM 19.65 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\flashclips-layout_02-a2.jpg 12/1/2005 7:16 AM 3.87 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\flashclips-layout_04-a5.jpg 12/1/2005 7:16 AM 30.52 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\flashclips-layout_05-a4.jpg 12/1/2005 7:16 AM 13.11 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\gear-with-monitor3.gif 12/1/2005 7:16 AM 104.43 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{9878A44A-C426-4B22-8FA0-BBC2B9031303}\Show\htmlStr_Prev.htm 12/1/2005 7:16 AM 4.04 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{A93BC006-E351-40D7-A09A-D69DF2687C01} 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{A93BC006-E351-40D7-A09A-D69DF2687C01}\Show 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{A93BC006-E351-40D7-A09A-D69DF2687C01}\Show\textPartPrev.html 12/1/2005 7:20 AM 868 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{B4DB5AB2-49B5-47F4-834A-F7DC5E47B9FF} 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{B4DB5AB2-49B5-47F4-834A-F7DC5E47B9FF}\Show 12/1/2005 7:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{B4DB5AB2-49B5-47F4-834A-F7DC5E47B9FF}\Show\htmlStr_Prev.htm 12/1/2005 7:20 AM 51.06 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{C1DA7CEC-6241-4BDF-B95B-91E1160F7D8F} 12/1/2005 7:19 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{C1DA7CEC-6241-4BDF-B95B-91E1160F7D8F}\Show 12/1/2005 7:19 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{C1DA7CEC-6241-4BDF-B95B-91E1160F7D8F}\Show\htmlStr_Prev.htm 12/1/2005 7:19 AM 719 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8} 12/1/2005 7:22 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply 12/1/2005 7:22 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply\ATT5.txt 12/1/2005 7:22 AM 153 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply\c7a5091.jpg 12/1/2005 7:22 AM 18.46 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply\c7a51d2.gif 12/1/2005 7:22 AM 19.09 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply\c7a5313.gif 12/1/2005 7:22 AM 12.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Reply\c7a53b4.gif 12/1/2005 7:22 AM 12.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show 12/1/2005 7:22 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\ATT5.txt 12/1/2005 7:22 AM 153 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\c7a5091.jpg 12/1/2005 7:22 AM 18.46 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\c7a51d2.gif 12/1/2005 7:22 AM 19.09 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\c7a5313.gif 12/1/2005 7:22 AM 12.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\c7a53b4.gif 12/1/2005 7:22 AM 12.33 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E0E288F3-CAD2-485E-A6F2-0AD8096E9AF8}\Show\htmlStr_Prev.htm 12/1/2005 7:22 AM 4.84 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E61F52AC-29E5-4FB3-BEE5-EBAFFC7B62D2} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E61F52AC-29E5-4FB3-BEE5-EBAFFC7B62D2}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E61F52AC-29E5-4FB3-BEE5-EBAFFC7B62D2}\Show\htmlStr_Prev.htm 12/1/2005 7:16 AM 1.38 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E94B1DD8-EEEE-4F14-9344-45095D6CEF57} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E94B1DD8-EEEE-4F14-9344-45095D6CEF57}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{E94B1DD8-EEEE-4F14-9344-45095D6CEF57}\Show\textPart.html 12/1/2005 7:16 AM 15.59 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{EF96BE6D-7DCE-405E-8CB7-4E4823FE22DD} 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{EF96BE6D-7DCE-405E-8CB7-4E4823FE22DD}\Show 12/1/2005 7:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Application Data\IM\Runtime\Message\{EF96BE6D-7DCE-405E-8CB7-4E4823FE22DD}\Show\htmlStr_Prev.htm 12/1/2005 7:16 AM 13.57 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\ATT16116.jpg 12/1/2005 5:52 AM 33.74 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\ATT16117.jpg 12/1/2005 5:52 AM 20.55 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\ATT291.eml 12/1/2005 5:52 AM 580.15 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\ATT295.eml 12/1/2005 5:52 AM 5.38 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\bestscreensavereverforguy_1.pps 12/1/2005 7:20 AM 423.00 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\CMD4F3.tmp 12/1/2005 7:17 AM 92 bytes

#40 daparker (Advanced Member, 779 posts)
Posted 03 December 2005 - 11:56 PM

watcherduck, I am checking with some of the site experts on your log. It appears suspicious to me.
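The RootkitRevealer log posted above mixes three kinds of discrepancy (registry data mismatch, file visible to the API but absent from the MFT, file hidden from the API), and daparker's first reaction is that it looks suspicious. As an added example, not code from the thread or from Sysinternals, the following script parses that line format and buckets entries so the few that deserve attention stand out from application churn; the bucket rules are the editor's heuristics and the sample lines are constructed (one made-up .sys under C:\WINDOWS is included to exercise the top bucket).

```python
"""Triage of RootkitRevealer discrepancies (added example, not the forum's code).

RootkitRevealer lists every place where the Windows API view disagrees with
the raw on-disk view (NTFS MFT / directory index for files, raw hive data for
the registry).  Not every discrepancy is a rootkit: values that change while
the scan runs and files an application creates or deletes mid-scan show up
too.  The rules below are the editor's triage heuristics, not the tool's.
"""
import re
from collections import defaultdict

# One discrepancy per line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <description>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) "
    r"(?P<desc>.+)$"
)

# Paths an e-mail client churns through constantly (assumption, based on the
# IncrediMail entries in the posted log); compared case-insensitively.
APP_CHURN_PREFIXES = (
    "\\local settings\\application data\\im\\",
    "\\local settings\\temp\\incredimail\\",
)


def parse_entries(text):
    """Return a list of dicts for every line that matches the RKR format."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Map one discrepancy to a triage bucket (heuristic, see module docstring)."""
    desc = entry["desc"]
    path = entry["path"].lower()
    if desc.startswith("Data mismatch between Windows API and raw hive data"):
        # A registry value that changed between the API read and the hive read.
        # Firewall hit counters such as ZoneAlarm's *Count values do exactly that.
        if path.startswith("hklm\\") and path.endswith("count"):
            return "volatile-counter"
        return "review-registry"
    if desc.startswith("Visible in Windows API, but not in MFT"):
        # File created after the on-disk snapshot was taken (e.g. a download in
        # progress); the :Zone.Identifier entry is its mark-of-the-web ADS.
        return "created-during-scan"
    if desc.startswith("Hidden from Windows API"):
        # The interesting class: present on disk but not reported by the API.
        if any(p in path for p in APP_CHURN_PREFIXES) or "\\rootkitrevealer" in path:
            return "app-churn"        # temp files of a running app, or RKR itself
        if path.startswith("c:\\windows\\"):
            return "investigate"      # hidden object under the OS directory
        return "review-hidden"
    return "other"


def triage(text):
    """Group the parsed entries by bucket: {bucket: [path, ...]}."""
    buckets = defaultdict(list)
    for entry in parse_entries(text):
        buckets[classify(entry)].append(entry["path"])
    return dict(buckets)


# Constructed sample: four lines in the format of the posted log plus one
# made-up line (the .sys under C:\WINDOWS) to exercise the top bucket.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 12/1/2005 6:55 AM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Don\Desktop\rootkitrevealer.zip:Zone.Identifier 12/1/2005 5:54 AM 26 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Don\Desktop\rootkitrevealer\rootkitrevealer.zip 12/1/2005 7:34 AM 182.21 KB Hidden from Windows API.
C:\Documents and Settings\Don\Local Settings\Temp\IncrediMail\ATT291.eml 12/1/2005 5:52 AM 580.15 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\constructed-example.sys 12/1/2005 7:00 AM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run against the full saved log, the "investigate" and "review-hidden" buckets are the ones to hand to a helper; everything else is explained by the scan's own timing.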



#41 watcherduck (Authentic Member, 116 posts)
Posted 04 December 2005 - 12:04 AM

My computer acts funny sometimes, like it's doing more than the tasks I have set for it. Not all the time, though. Thank you very much. I am subscribed to notifications, should you post another reply.

#42 daparker (Advanced Member, 779 posts)
Posted 04 December 2005 - 08:39 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#43 watcherduck (Authentic Member, 116 posts)
Posted 04 December 2005 - 09:10 PM

Okay, here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:06:45 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....5&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.micro...H;EN-US;KBHOWTO (file missing)
O9 - Extra 'Tools' menuitem: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.micro...H;EN-US;KBHOWTO (file missing)
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfr..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119676769326
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122529267078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysme...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - https://help.verizon...tWebInstall.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://us.i1.yimg.co...110/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QXCX - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\QXCX.exe (file missing)
O23 - Service: VBXEC - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\VBXEC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: XN - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\XN.exe (file missing)

And here's the AproposFix Log:

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Don\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

#44 daparker (Advanced Member, 779 posts)
Posted 04 December 2005 - 09:18 PM

Hmmm, some new O23s showed up there. Do you have anything disabled in the startup tab of msconfig?
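The O23 lines daparker is reacting to share three traits: no owner string, an image path under the user's Temp directory, and an executable that is already gone. As an added example, not code from the thread or from HijackThis, this script applies exactly that check to a saved HJT log; the sample lines are constructed in HijackThis v1.99.1 format and modelled on the O23 entries posted above.

```python
"""Flagging suspicious O23 (service) lines in a HijackThis log.

Added example, not code from the thread or from HijackThis.  It automates the
check a helper makes by eye: a service with no recognised owner, whose image
lives in a user's Temp directory, or whose executable is already missing, is
not how legitimate software installs itself.
"""

O23_PREFIX = "O23 - Service: "
MISSING = " (file missing)"

# Directory names a legitimate service image should never live under
# (editor's assumption; matched case-insensitively, so LOCALS~1\Temp counts).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_o23(line):
    """Split one O23 line into name, owner, path and a file-missing flag.

    HijackThis writes:
      O23 - Service: <display name> [(short name)] - <owner> - <path> [(file missing)]
    Returns None for lines that are not O23 entries.
    """
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    rest = line[len(O23_PREFIX):]
    parts = rest.split(" - ", 2)          # name, owner, everything after
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    return {"name": name, "owner": owner, "path": path, "missing": missing}


def suspicious_reasons(svc):
    """Return the list of reasons a parsed O23 entry deserves a closer look."""
    reasons = []
    lowered = svc["path"].lower()
    if svc["owner"] == "Unknown owner":
        reasons.append("no company/owner string")
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("image path under a Temp directory")
    if svc["missing"]:
        reasons.append("service registered but executable missing")
    return reasons


def flag_services(log_text):
    """Return [(name, path, [reasons])] for every O23 line with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = suspicious_reasons(svc)
        if reasons:
            flagged.append((svc["name"], svc["path"], reasons))
    return flagged


# Constructed sample in HijackThis v1.99.1 format, modelled on the O23 lines
# in the posted log: two legitimate services (one with a short name) and three
# that carry every warning sign.  Non-O23 lines are ignored by the parser.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QXCX - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\QXCX.exe (file missing)
O23 - Service: VBXEC - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\VBXEC.exe (file missing)
O23 - Service: XN - Unknown owner - C:\DOCUME~1\Don\LOCALS~1\Temp\XN.exe (file missing)
"""

if __name__ == "__main__":
    for name, path, reasons in flag_services(SAMPLE_HJT):
        print(f"{name}: {path}")
        for reason in reasons:
            print("   -", reason)
```

A "(file missing)" service whose image sat in Temp is the registration left behind after the dropper cleaned up after itself, so the service entry itself is what a helper will want removed.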

#45 watcherduck (Authentic Member, 116 posts)
Posted 04 December 2005 - 09:28 PM

Not too long ago, Adobe Acrobat Reader updated. When it does that, it puts itself in the start-up list. Also, I downloaded QuickTime for the iPod; it likes to be in the start-up list, too. I use Start Up Cop to monitor and edit my start-up list. I have disabled both of them in Start Up Cop. Other than that, the only new stuff is the utilities that you had me download, and the online scan cabs. Is there something I can do to better answer your question?
