Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Not sure whats wrong. [RESOLVED]


  • This topic is locked This topic is locked

#1
SillyWabbit

SillyWabbit

    Member

  • Member
  • PipPip
  • 12 posts
My computer is doing weird things. Sometimes it freezes, sometimes the internet does work, or just opening programs just freezes drwatson debugger thing and i have to manually reboot my comp. I reformatted to factory setting becuase i got a trojan. But apparantly theres still something wrong with my pc.
i have trend micro internet security 2008 and i ran a full system scan.

PAK_Generic.005
PAK_Generic.001
could not be quarantined. Can someone analyze my hijack this file. Thanks much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:28 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPWLKNC7\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\mlJBQhIC.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208847662810
O20 - Winlogon Notify: mlJBQhIC - C:\WINDOWS\SYSTEM32\mlJBQhIC.dll
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6634 bytes

Edited by SillyWabbit, 22 April 2008 - 11:20 AM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Before you do anything else, create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Go to My Computer->Tools->Folder Option->View and check 'Show hidden files and folders' and uncheck 'Hide protected operating system files'. Go to your c: drive. Right click on the boot.ini file and go to Properties. Uncheck the box that says Read-only and click OK. Then double click on the boot.ini file to open it. Change the line that says /NoExecute=OptIn and change it to /NoExecute=AlwaysOff. Now save the file and close it.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\mlJBQhIC.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - Winlogon Notify: mlJBQhIC - C:\WINDOWS\SYSTEM32\mlJBQhIC.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\mlJBQhIC.dll

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Edited by greyknight17, 23 April 2008 - 08:11 AM.

  • 0

#3
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok thanks for the response,

when try to delete
C:\WINDOWS\system32\mlJBQhIC.dll
says its in use by another program and it cannot delete it.

When i try to download combofix, i get a trend spyware warning.

FREELOADER_SMITFRAUD
freeloader Trojan-Spy.HTML.Smitfraud.a (Kaspersky), Phish-BankFraud.eml.a (NAI)
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Skip that file deletion...we'll take care of it later (remind me if I forget :)).

For combofix, tell TrendMicro to allow it. If it still doesn't, just turn it off for the time being and then disconnect from the internet once you get combofix downloaded.
  • 0

#5
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Error: You cannot rename combofix to combofix[1]
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
When do you get this error? Did you save it to your desktop and double click on it?
  • 0

#7
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
when i click the link, it gives me an option to run, so i click it.
  • 0

#8
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
hello,

got it.

ComboFix 08-04-22.5 - Owner 2008-04-23 14:30:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.117 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\mlJBQhIC.dll
C:\WINDOWS\system32\opnMgGxU.dll
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 22:18 . 2008-04-22 22:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-22 22:18 . 2008-04-22 22:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2008-04-22 20:43 . 2008-04-22 20:43 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 20:11 . 2008-04-22 20:11 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 18:33 . 2008-04-22 18:33 <DIR> d-------- C:\Program Files\Growler Guncam
2008-04-22 18:33 . 2008-04-22 18:33 <DIR> d-------- C:\Program Files\Common Files\GC Install
2008-04-22 09:01 . 2008-04-22 09:02 <DIR> d-------- C:\Program Files\WinPcap
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-22 08:52 . 2008-04-22 08:52 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-22 08:51 . 2008-04-22 09:04 <DIR> d-------- C:\Program Files\MSN Webcam Recorder
2008-04-22 08:38 . 2008-04-22 18:42 <DIR> d-------- C:\Program Files\Knight Online
2008-04-22 03:06 . 2008-04-22 03:06 268 --ah----- C:\sqmdata01.sqm
2008-04-22 03:06 . 2008-04-22 03:06 244 --ah----- C:\sqmnoopt01.sqm
2008-04-22 00:40 . 2008-04-22 00:40 268 --ah----- C:\sqmdata00.sqm
2008-04-22 00:40 . 2008-04-22 00:40 244 --ah----- C:\sqmnoopt00.sqm
2008-04-22 00:32 . 2008-04-22 00:32 <DIR> d-------- C:\WINDOWS\system32\iTmp
2008-04-22 00:31 . 2008-04-22 00:31 209,031 --a------ C:\Temp\bPccE7001.exe
2008-04-22 00:30 . 2008-04-22 00:30 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-22 00:30 . 2008-04-22 00:30 <DIR> d-------- C:\Temp\berDrv11
2008-04-22 00:30 . 2008-04-22 00:31 <DIR> d-------- C:\Temp
2008-04-22 00:22 . 2008-04-22 00:22 4,020 -rahs---- C:\WINDOWS\system32\drivers\HP_PC136A-ABA SR1150NX NA430_YC_Pres_QMXK433_E43NAheRET3_4_IKelut_SASUSTek Computer INC._V2.02_B3.10_T040726_WXH1_L409_M448_J200_7AMD_8Athlon XP 3200+_92.2_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G11067205_O.MRK
2008-04-22 00:21 . 2004-04-02 15:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 00:21 . 2008-04-22 00:21 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-22 00:20 . 2004-08-03 23:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-22 00:20 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-22 00:19 . 2004-04-02 15:38 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-22 00:19 . 2004-04-02 19:42 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Symantec
2008-04-22 00:19 . 2004-04-02 16:24 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\SampleView
2008-04-22 00:19 . 2008-04-22 00:21 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
2008-04-22 00:15 . 2008-04-22 09:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 00:08 . 2008-04-22 00:08 <DIR> d-------- C:\Program Files\Pando Networks
2008-04-22 00:08 . 2008-04-22 00:08 <DIR> d-------- C:\Documents and Settings\Owner\Contacts
2008-04-22 00:07 . 2008-04-22 00:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 00:07 . 2008-04-22 00:07 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-22 00:01 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 23:48 . 2008-04-21 23:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-04-21 23:48 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-21 23:48 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-21 23:48 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-21 23:46 . 2008-04-23 07:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 23:39 . 2008-04-21 23:39 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 23:38 . 2008-04-21 23:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 23:35 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-21 23:35 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002252_.tmp
2008-04-21 23:33 . 2008-04-21 23:33 <DIR> d-------- C:\WINDOWS\EHome
2008-04-21 23:33 . 2008-04-21 23:33 24 --a------ C:\Documents and Settings\Owner\trend.txt
2008-04-21 23:27 . 2008-04-21 23:27 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-21 23:13 . 2008-04-22 21:23 250 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-04-21 23:12 . 2008-04-21 23:13 <DIR> d-------- C:\WINDOWS\I386
2008-04-21 23:07 . 2008-04-21 23:11 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-04-21 23:06 . 2008-04-22 08:52 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 15:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-22 06:24 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBQhIC]
mlJBQhIC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 20:34 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 17:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 20:13 98304 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 14:11 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-02-16 00:56 1398024 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-01-16 04:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56524:TCP"= 56524:TCP:Pando P2P TCP Listening Port
"56524:UDP"= 56524:UDP:Pando P2P UDP Listening Port

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 13:22]
S3 XDva136;XDva136;C:\WINDOWS\system32\XDva136.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 02:36:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-23 2:38:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 09:38:29

Pre-Run: 185,193,459,712 bytes free
Post-Run: 185,246,126,080 bytes free

143 --- E O F --- 2008-04-22 10:01:38
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Temp\bPccE7001.exe
C:\WINDOWS\002252_.tmp
Folder::
C:\WINDOWS\system32\xcsDd01
C:\Temp\berDrv11
C:\WINDOWS\system32\iTmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBQhIC]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#10
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hello,
computer seems to be running better, but i play this game, which logs into a secure server running xtrap, a security module to ban cheaters or whatever, and when i log into the game now, my computer reboots. Is all this tied together?

ComboFix 08-04-22.5 - Owner 2008-04-23 10:17:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Temp\bPccE7001.exe
C:\WINDOWS\002252_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\Temp\bPccE7001.exe
C:\WINDOWS\002252_.tmp
C:\WINDOWS\system32\iTmp
C:\WINDOWS\system32\xcsDd01
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 22:18 . 2008-04-22 22:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-22 20:43 . 2008-04-22 20:43 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 20:11 . 2008-04-22 20:11 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 18:33 . 2008-04-22 18:33 <DIR> d-------- C:\Program Files\Growler Guncam
2008-04-22 18:33 . 2008-04-22 18:33 <DIR> d-------- C:\Program Files\Common Files\GC Install
2008-04-22 09:01 . 2008-04-22 09:02 <DIR> d-------- C:\Program Files\WinPcap
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-22 08:52 . 2008-04-22 08:52 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-22 08:51 . 2008-04-22 09:04 <DIR> d-------- C:\Program Files\MSN Webcam Recorder
2008-04-22 08:38 . 2008-04-23 03:22 <DIR> d-------- C:\Program Files\Knight Online
2008-04-22 03:06 . 2008-04-22 03:06 268 --ah----- C:\sqmdata01.sqm
2008-04-22 03:06 . 2008-04-22 03:06 244 --ah----- C:\sqmnoopt01.sqm
2008-04-22 00:40 . 2008-04-22 00:40 268 --ah----- C:\sqmdata00.sqm
2008-04-22 00:40 . 2008-04-22 00:40 244 --ah----- C:\sqmnoopt00.sqm
2008-04-22 00:30 . 2008-04-23 10:18 <DIR> d-------- C:\Temp
2008-04-22 00:22 . 2008-04-22 00:22 4,020 -rahs---- C:\WINDOWS\system32\drivers\HP_PC136A-ABA SR1150NX NA430_YC_Pres_QMXK433_E43NAheRET3_4_IKelut_SASUSTek Computer INC._V2.02_B3.10_T040726_WXH1_L409_M448_J200_7AMD_8Athlon XP 3200+_92.2_111063044_N11063065_P_Z11C1048C_K_A11063059_U11063038_G11067205_O.MRK
2008-04-22 00:21 . 2004-04-02 15:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 00:21 . 2008-04-22 00:21 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-22 00:20 . 2004-08-03 23:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-22 00:20 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-22 00:19 . 2004-04-02 15:38 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-22 00:19 . 2004-04-02 19:42 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Symantec
2008-04-22 00:19 . 2004-04-02 16:24 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\SampleView
2008-04-22 00:19 . 2008-04-22 00:21 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
2008-04-22 00:15 . 2008-04-22 09:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 00:08 . 2008-04-22 00:08 <DIR> d-------- C:\Documents and Settings\Owner\Contacts
2008-04-22 00:07 . 2008-04-22 00:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 00:07 . 2008-04-22 00:07 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-22 00:01 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 23:48 . 2008-04-21 23:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-04-21 23:48 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-21 23:48 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-21 23:48 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-21 23:46 . 2008-04-23 07:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 23:39 . 2008-04-21 23:39 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 23:38 . 2008-04-21 23:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 23:35 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-21 23:33 . 2008-04-21 23:33 <DIR> d-------- C:\WINDOWS\EHome
2008-04-21 23:33 . 2008-04-21 23:33 24 --a------ C:\Documents and Settings\Owner\trend.txt
2008-04-21 23:27 . 2008-04-21 23:27 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-21 23:13 . 2008-04-22 21:23 250 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-04-21 23:12 . 2008-04-21 23:13 <DIR> d-------- C:\WINDOWS\I386
2008-04-21 23:07 . 2008-04-21 23:11 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-04-21 23:06 . 2008-04-22 08:52 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 15:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-22 06:24 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
.

((((((((((((((((((((((((((((( [email protected]_ 2.38.21.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 09:35:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 10:23:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 20:34 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 17:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 20:13 98304 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 14:11 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-02-16 00:56 1398024 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-01-16 04:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56524:TCP"= 56524:TCP:Pando P2P TCP Listening Port
"56524:UDP"= 56524:UDP:Pando P2P UDP Listening Port

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 13:22]
S3 XDva136;XDva136;C:\WINDOWS\system32\XDva136.sys []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 10:19:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-23 10:20:39
ComboFix-quarantined-files.txt 2008-04-23 17:20:36
ComboFix2.txt 2008-04-23 09:38:33

Pre-Run: 185,027,358,720 bytes free
Post-Run: 185,213,939,712 bytes free

140 --- E O F --- 2008-04-22 10:01:38
  • 0

Advertisements


#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I don't think it could be related if it's only happening to that module/program. Can you try reinstalling it to see if it helps?

Right click on My Computer and go to Properties. Then go to the Advanced tab and under Startup and Recovery, click on the Settings button. Make sure that Automatically restart is NOT checked.
  • 0

#12
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
there we go :), doesnt reboot, just goes to a black screen i cant get out of lol. WOnder what it could be.
so hows my comp look now doc?

Edited by SillyWabbit, 24 April 2008 - 08:58 AM.

  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just do a hard shutdown by holding onto the power button. You can set it back to automatically restart if you wish, but I usually leave it so I can see the error...which strangely does not show up in your case.

It's only happening when you launch this game correct? I could only think that it's some conflict with the software and not malware related anymore.
  • 0

#14
SillyWabbit

SillyWabbit

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
correct, while the game is loading, it use to reboot automatically. I changed it so it wouldn't, but now just goes to a black screen. Was just wondering becuase ever since i got this bug, it was doing this, never has, maybe malware messed up my hardware? ANd my computer cant take a game anymore? dont know.
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just check that option back and it will restart automatically.

Is this happening to all your games or just this one? There is a error log that we can take a look at, but it's recommended that you post in the Windows board for this instead.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP