joe9000, Posted October 23, 2008, ID:31977

Have removed Clone CD and Tune Up Utilities 08, here's my logs, thanks:

Log file from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:37, on 23/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\joe\LOCALS~1\Temp\sft_ver1.1454.0.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\joe\LOCALS~1\Temp\sft_ver1.1454.0.exe
C:\DOCUME~1\joe\LOCALS~1\Temp\sft_ver1.1454.0.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\joe\Application Data\Adobe\Player.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6145\SAService.exe

--
End of file - 6381 bytes

Log from Malwarebytes:

Malwarebytes' Anti-Malware 1.29
Database version: 1306
Windows 5.1.2600 Service Pack 3

23/10/2008 11:05:23
mbam-log-2008-10-23 (11-05-23).txt

Scan type: Quick Scan
Objects scanned: 41929
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\joe\Local Settings\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> Delete on reboot.

And from Panda:

;************************************************************
ANALYSIS: 2008-10-23 11:20:55
PROTECTIONS: 2
MALWARE: 2
SUSPECTS: 0
;************************************************************
PROTECTIONS
Description                              Version  Active  Updated
;============================================================
McAfee Internet Security Suite 2007      9.0      No      Yes
McAfee VirusScan Plus                    13.0     No      No
;============================================================
MALWARE
Id        Description              Type          Active  Severity  Disinfectable  Disinfected  Location
;============================================================
00122168  Application/Restart      HackTools     No      0         Yes            No           C:\WINDOWS\system32\Tools\Restart.exe
03839851  Trj/Downloader.MDW       Virus/Trojan  No      1         Yes            No           C:\WINDOWS\system32\drivers\mnbvo.sys
;============================================================
SUSPECTS
Sent      Location
;============================================================
;============================================================
VULNERABILITIES
Id        Severity  Description
;============================================================
;============================================================
joe9000 (Author), Posted October 23, 2008, ID:31979

[Reposts the same HijackThis, Malwarebytes and Panda logs as the post above, then adds:]

Have also cleaned using Panda the infected files, but the Restart.exe thing appeared when I installed audio drivers on the motherboard disc!!!!
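The triage a helper does by eye on the logs above, as an added example in Python that is not code from this thread or from HijackThis, Malwarebytes or any other tool named in it: it splits a HijackThis log into its sections, flags executables started from user-writable folders (the pattern behind the Temp\sft_ver1.1454.0.exe process), notes processes that appear more than once, and matches process paths against the Malwarebytes "Files Infected" entries after expanding the 8.3 short names HijackThis prints. The sample log lines are constructed cut-down copies of those posted, and the short-name table is an assumption for a default Windows XP install, not a file-system lookup.

```python
# Added example for this thread; not code from the thread or any tool in it.
import re
from collections import Counter

# Constructed, cut-down copies of the log lines pasted above.
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:37, on 23/10/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\DOCUME~1\joe\LOCALS~1\Temp\sft_ver1.1454.0.exe
C:\DOCUME~1\joe\LOCALS~1\Temp\sft_ver1.1454.0.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\joe\Application Data\Adobe\Player.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

MBAM_SAMPLE = r"""
Files Infected: 1

Files Infected:
C:\Documents and Settings\joe\Local Settings\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Assumed expansion of the 8.3 short names HijackThis prints on a default
# Windows XP install: a heuristic table, not a file-system lookup.
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings", "LOCALS~1": "Local Settings",
    "APPLIC~1": "Application Data", "PROGRA~1": "Program Files",
    "COMMON~1": "Common Files",
}

# A drive-rooted path ending in an executable, DLL or driver file name.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys)\b", re.I)
# Folders any logged-on user can write to; services and autoruns normally
# live under Program Files or WINDOWS instead.
USER_WRITABLE = re.compile(r"\\(temp|application data|local settings)\\")


def normalize(path: str) -> str:
    """Expand known 8.3 components and lower-case the path for comparison."""
    parts = path.strip().strip('"').split("\\")
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in parts).lower()


def parse_hjt(text: str):
    """Return (running processes, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = re.match(r"^([ROF]\d+) - (.*)$", line)   # R1, O4, O23, ...
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def mbam_infected(text: str):
    """Paths listed under the detailed 'Files Infected:' heading."""
    paths, in_files = [], False
    for line in map(str.strip, text.splitlines()):
        if line.lower() == "files infected:":   # not the 'Files Infected: N' count
            in_files = True
        elif in_files:
            if not line or line.startswith("("):
                break                # end of section / '(No malicious items detected)'
            m = PATH_RE.search(line)
            if m:
                paths.append(m.group(0))
    return paths


def triage(hjt_text: str, mbam_text: str):
    """List (finding, normalized path, detail) tuples worth a second look."""
    processes, entries = parse_hjt(hjt_text)
    findings = []
    counts = Counter(normalize(p) for p in processes)
    for path, n in counts.items():
        if n > 1:
            findings.append(("duplicate-process", path, f"{n} instances"))
        if USER_WRITABLE.search(path):
            findings.append(("user-writable-process", path, "started from a user-writable folder"))
    for code, body in entries:
        m = PATH_RE.search(body)
        if m and USER_WRITABLE.search(normalize(m.group(0))):
            findings.append(("user-writable-autorun", normalize(m.group(0)), code))
    detected = {normalize(p) for p in mbam_infected(mbam_text)}
    for path in counts:
        if path in detected:
            findings.append(("mbam-match", path, "matches a Malwarebytes 'Files Infected' entry"))
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_SAMPLE, MBAM_SAMPLE):
        print(*finding, sep=" | ")
```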
AdvancedSetup (Root Admin), Posted October 23, 2008, ID:31986

Well I've been up all night so I'm off to get some shut-eye.

You're running the tools in the wrong order.
MBAM first: Update, Quick Scan, Fix, Reboot.
After reboot: HJT, Scan, save log.

Please run the following routines to help us track down what might be causing this.

Click on START - RUN and type in SIGVERIF and click OK.
This is a Microsoft File Signature Verification program that will check some file status for us.
Click on the START button and let it run. It will pop up a box when it's done to show the status; you can close that box.
Close the File Signature Verification application.
Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply. DO NOT post the log directly into your reply, attach the file please.

Important!
All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program OTListIt.exe to your desktop.
Close all applications and windows so that you have nothing open and are at your Desktop.
Double-click on the OTListIt.exe file to start OTListIt.
OK any warning about running OTListIt.
Place a checkmark in the "Scan All Users" checkbox (leave 'Use Whitelist' checked and 'File Age:' at 30 days).
Click the Run Scan button.
NOTE: Please be patient and let the scan run without using the computer.
When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop).
In Notepad, click Edit, Select All, then Edit, Copy.
Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log, or right-click, Paste.
Submit your reply and close the Notepad window with OTListIt.txt.
Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop); click on this and maximize the window.
In Notepad, click Edit, Select All, then Edit, Copy.
Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the Extras log, or right-click, Paste.
NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.
Post back all logs and I'll check it later tonight.
joe9000 (Author), Posted October 23, 2008, ID:31999

Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1308
Windows 5.1.2600 Service Pack 3

23/10/2008 14:08:48
mbam-log-2008-10-23 (14-08-48).txt

Scan type: Quick Scan
Objects scanned: 41782
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:21, on 23/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\joe\Application Data\Adobe\Player.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6145\SAService.exe

--
End of file - 6006 bytes
joe9000 (Author), Posted October 23, 2008, ID:32003

OTLIST attached as it wouldn't let me paste it, too long; I'll do the same for Extras.
Attachment: OTListIt.Txt

joe9000 (Author), Posted October 23, 2008, ID:32004

Here is the Extras file from OTLIST!! Thanks for any help you can give me!!
Attachment: Extras.Txt
AdvancedSetup (Root Admin), Posted October 23, 2008, ID:32041

Joe,

Please run a disk check on your system.
Click on START - RUN and type or copy / paste the following. Then reboot the computer and make sure it does run the Disk check.

CMD /K ECHO Y|CHKDSK C: /F

After the disk check run this.
Please download the following scanning tool: GMER
Open the zip file and copy the file gmer.exe to your Desktop.
Double click on gmer.exe and run it.
It may take a minute to load and become available.
Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG.
Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
Click OK and quit the GMER program.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Then run this:
Click on START - RUN and type in SIGVERIF and click OK.
This is a Microsoft File Signature Verification program that will check some file status for us.
Click on the START button and let it run. It will pop up a box when it's done to show the status; you can close that box.
Close the File Signature Verification application.
Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply. DO NOT post the log directly into your reply, attach the file please.

Post back all logs.

AdvancedSetup (Root Admin), Posted October 25, 2008, ID:32206

Please upload the logs so that we can continue and finish this up for you.
Thanks
OwenMurderTheViruses Posted October 25, 2008 ID:32234 Share Posted October 25, 2008 Joe,Please run a disk check on your system.Click on START - RUN and type or copy / paste the following. Then reboot the computer and make sure it does run the Disk check.CMD /K ECHO Y|CHKDSK C: /FAfter the disk check run this.Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vistahttp://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx' rel="external nofollow">Then run this Click on START - RUN and type in SIGVERIF and click OKThis is a Microsoft File Signature Verification program that will check some file status for us.Click on the START button and let it run. It will popup a box when it's done to show the status, you can close that box.Close the File Signature Verification application.Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply. DO NOT post the log directly into your reply, attach the file please.Post back all logs. Link to post Share on other sites More sharing options...
OwenMurderTheViruses Posted October 25, 2008 ID:32237
Here is the second part!
OwenMurderTheViruses Posted October 25, 2008 ID:32238
No idea what happened there, sorry!
Attachment: SIGVERIF.TXT.zip
Root Admin AdvancedSetup Posted October 25, 2008 ID:32291
Why do we have a different username and IP posting to this topic?
Please clarify or I will close this thread.
Root Admin AdvancedSetup Posted October 26, 2008 ID:32328
"Sorry, was I not meant to? I thought I was?"
You still have not answered the question. This is NOT the user name of the person that started this post and the IP is not the same. If you are not the same person then NO, you're not supposed to be posting in this thread. If you ARE the same person then why did you create a second account name? That is frowned upon by most sites. Why is your IP not the same any more?
joe9000 Posted October 26, 2008 Author ID:32343
I've been away for a couple of days, so that poster was not me. Anyway, I downloaded all updates from Microsoft and the file has disappeared for some reason. WHAT I CANNOT UNDERSTAND IS THAT IT WAS A FRESH INSTALL OF WINDOWS XP!! But as I said, after Windows updating the file is not there anymore, so obviously an update helped get rid of this problem. I am grateful for all your help that was given and a point in the direction of some good programs to keep my computer clean, and sorry for any inconvenience or time wasted on me, but I assure you that last poster was not me!!!!
Root Admin AdvancedSetup Posted October 26, 2008 ID:32346
The Microsoft Malicious Software Removal Tool was probably run during the update process and may have removed any remnants of it.
The firewall is typically not on initially on a fresh build, which could easily be how you were attacked. It could also be media, or other old software you have that is infected that you're not aware of.
At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore - WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.
Install SpyWare Blaster
Download it from here.
Find the tutorial on how to use Spyware Blaster here.
Install WinPatrol
Download it from here.
You can find information about how WinPatrol works here.
Install FireTrust SiteHound
You can find information and download it from here.
Install hpHosts
Download it from here.
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum
Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-Secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled afterwards.
The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor Free.
A little outdated but good reading on how to prevent malware
Keep safe online and happy surfing.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions
Also don't forget that we offer FREE assistance with general PC questions and repair here: PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org.
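The hosts-file blocking described in the post above (names pointed at 127.0.0.1 so the machine never reaches them), as an added example that is not part of this thread or of hpHosts: a small Python audit that separates blocklist sinkhole entries from entries that send a name to an outside address, which is what a hijacked hosts file looks like when malware redirects update or security-vendor names. The sample hosts text, the `SAMPLE_HOSTS` name and the `audit` function are constructed for this example.

```python
"""Audit a Windows-style hosts file: blocklist sinkhole entries (names sent to
127.0.0.1 or 0.0.0.0, as hpHosts does) vs. names sent to an outside address."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}            # addresses a blocklist uses
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}  # legitimately loopback
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample; not real hpHosts content.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ads.example.net tracker.example.org   # blocklist entries
0.0.0.0   malware.example.com                   # some lists use 0.0.0.0
192.168.1.10 fileserver.lan                     # LAN host, normal
203.0.113.7  update.example.com                 # name sent to an outside host
not-an-address junk.example
"""

@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]

def parse_hosts(text: str) -> List[HostsEntry]:
    """One entry per valid 'address name [name ...]' line; comments and
    malformed lines are skipped rather than guessed at."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()        # drop trailing comment
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # first field is not an IP
        entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries

def is_outside(address: str) -> bool:
    """True when the address is neither loopback, unspecified, link-local nor LAN."""
    a = ipaddress.ip_address(address)
    return not (a.is_loopback or a.is_unspecified or a.is_link_local
                or any(a in net for net in LAN_NETS))

def audit(text: str) -> Dict[str, list]:
    """'blocked': names sinkholed by a blocklist; 'redirects': entries that
    send a name to an outside host, the pattern a hijacked hosts file shows."""
    blocked, redirects = [], []
    for entry in parse_hosts(text):
        if entry.address in SINKHOLES:
            blocked.extend(n for n in entry.names if n not in LOOPBACK_NAMES)
        elif is_outside(entry.address):
            redirects.append(entry)
    return {"blocked": blocked, "redirects": redirects}
```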