Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:27, on 02/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected: (No malicious items detected)
Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
DDS LOG
DDS (Ver_09-12-01.01) - NTFSx86
Run by Chloe at 20:50:15.40 on 02/01/2010
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.109 [GMT 0:00]
Sorry we overlooked your request thread, panther, and welcome to BG forums. No infection showing here, but let's do a different check to see other files it might show.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.
Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.
If necessary allow it to locate or download a copy of HijackThis as needed.
Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.
RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).
You can break logs into parts and use separate posts here when replying and posting the log files, if needed.
In your next reply also post some details on what you see that suggests the drive is quickly accumulating files please.
When I go into my Computer the icon showing the C Drive is red and says that it is reaching its capacity. I deleted some restore points using the Windows clean up thing which did the trick, but then 2 days later it was back in the red again. I went through and deleted lots of documents and music, and also some programs I don't need, and I freed up a lot of space, turned my laptop off and then didn't touch it for 2 days, and when I came back it had gone down 2 GB!! Also my laptop runs quite slowly compared to what it used to, sometimes taking about 20 mins to boot up and also 5 or so minutes if not more just to open Internet Explorer.
Also I can see from the log thing that I have 5 AV programs installed. I only want Zone Alarm, as I uninstalled the others in the control panel ages ago! Here are the logs requested:
LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:16:32, on 08/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{057c464d-3ff7-11de-8961-806e6f6e6963}] shell\AutoRun\command - F:\LaunchU3.exe -a
info.txt logfile of random's system information tool 1.06 2010-01-08 08:16:47
======Uninstall list======
µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Download Manager-->"C:\Windows\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS4-->"C:\Program Files\Adobe\Photoshop CS4\unins000.exe"
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{8CE08C3C-8FF4-45D9-925E-4F3CE2D7FA7D}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
BlackBerry Desktop Software 5.0-->MsiExec.exe /i{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}
BlackBerry Desktop Software 5.0-->MsiExec.exe /I{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000fz.inf
Dell Support Center-->MsiExec.exe /X{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
ExtractNow-->"C:\Program Files\ExtractNow\unins000.exe"
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
Google Gmail Notifier-->"C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
InterVideo DeviceService-->MsiExec.exe /I{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
MainType 2.1.1-->"C:\Program Files\High-Logic\MainType\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MobileMe Control Panel-->MsiExec.exe /I{3AC54383-31D1-4907-961B-B12CBB1D0AE8}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
PC Camera (6005 CIF)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABE6EF98-9D69-471F-A52D-CE5E86B84FFC}\setup.exe" -l0x9
QuickSet-->MsiExec.exe /I{7F0C4457-8E64-491B-8D7B-991504365D1E}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Roxio Media Manager-->MsiExec.exe /X{4D612FB2-1AE7-4E46-9377-35BB2F06A787}
RTC Client API v1.2-->MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
TuneUp Utilities 2008-->MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Window Washer-->C:\Windows\Unwash6.exe
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
ZoneAlarm Security Suite-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
======Hosts File======
82.98.86.175 vibepc.com
======Security center information======
AV: ZoneAlarm Security Suite Antivirus (disabled)
AV: AVG 0.5.519 (outdated)
AV: McAfee VirusScan
FW: McAfee Personal Firewall (disabled)
FW: ZoneAlarm Security Suite Firewall (disabled)
AS: ZoneAlarm Security Suite Anti-Spyware
AS: McAfee VirusScan
AS: AVG Anti-Spyware (disabled) (outdated)
AS: Windows Defender
======System event log======
Computer Name: Chloe-PC Event Code: 4001 Message: WLAN AutoConfig service has successfully stopped.
Record Number: 1175542 Source Name: Microsoft-Windows-WLAN-AutoConfig Time Written: 20100108080137.223600-000 Event Type: Warning User: NT AUTHORITY\SYSTEM
Computer Name: Chloe-PC Event Code: 15016 Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number. Record Number: 1175556 Source Name: Microsoft-Windows-HttpEvent Time Written: 20100108080439.785495-000 Event Type: Error User:
Computer Name: Chloe-PC Event Code: 7000 Message: The adfs service failed to start due to the following error: The system cannot find the file specified. Record Number: 1175594 Source Name: Service Control Manager Time Written: 20100108080615.000000-000 Event Type: Error User:
Computer Name: Chloe-PC Event Code: 7009 Message: A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 9 service to connect. Record Number: 1175608 Source Name: Service Control Manager Time Written: 20100108080615.000000-000 Event Type: Error User:
Computer Name: Chloe-PC Event Code: 7026 Message: The following boot-start or system-start driver(s) failed to load: SASKUTIL Record Number: 1175627 Source Name: Service Control Manager Time Written: 20100108080820.000000-000 Event Type: Error User:
=====Application event log=====
Computer Name: Chloe-PC Event Code: 1530 Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-774873819-2361761717-3071640680-1000: Process 1492 (\Device\HarddiskVolume3\Windows\System32\ZoneLabs\vsmon.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000 Process 1492 (\Device\HarddiskVolume3\Windows\System32\ZoneLabs\vsmon.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000
Record Number: 31869 Source Name: Microsoft-Windows-User Profiles Service Time Written: 20100104221043.000000-000 Event Type: Warning User: NT AUTHORITY\SYSTEM
Computer Name: Chloe-PC Event Code: 1002 Message: The program QuickTimePlayer.exe version 7.65.17.80 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: 255c Start Time: 01ca8e381772b290 Termination Time: 1728 Record Number: 31913 Source Name: Application Hang Time Written: 20100105191416.000000-000 Event Type: Error User:
Computer Name: Chloe-PC Event Code: 508 Message: Windows (3168) Windows: A request to write to the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb" at offset 73596928 (0x0000000004630000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (2266 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. Record Number: 31918 Source Name: ESENT Time Written: 20100106093027.000000-000 Event Type: Warning User:
Computer Name: Chloe-PC Event Code: 1000 Message: Faulting application iexplore.exe, version 8.0.6001.18865, time stamp 0x4b077416, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc0000374, fault offset 0x000b015d, process id 0x1058, application start time 0x01ca8f84cbfeaa00. Record Number: 31930 Source Name: Application Error Time Written: 20100107103559.000000-000 Event Type: Error User:
Computer Name: Chloe-PC Event Code: 1530 Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 4 user registry handles leaked from \Registry\User\S-1-5-21-774873819-2361761717-3071640680-1000: Process 1524 (\Device\HarddiskVolume3\Windows\System32\ZoneLabs\vsmon.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000 Process 1524 (\Device\HarddiskVolume3\Windows\System32\ZoneLabs\vsmon.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000 Process 1032 (\Device\HarddiskVolume3\Windows\System32\wuauclt.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000 Process 1032 (\Device\HarddiskVolume3\Windows\System32\wuauclt.exe) has opened key \REGISTRY\USER\S-1-5-21-774873819-2361761717-3071640680-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Record Number: 31946 Source Name: Microsoft-Windows-User Profiles Service Time Written: 20100108080010.000000-000 Event Type: Warning User: NT AUTHORITY\SYSTEM
=====Security event log=====
Computer Name: Chloe-PC Event Code: 5038 Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\drivers\vsdatant.sys Record Number: 86539 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20100108081630.073495-000 Event Type: Audit Failure User:
Computer Name: Chloe-PC Event Code: 5038 Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\drivers\vsdatant.sys Record Number: 86540 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20100108081630.167095-000 Event Type: Audit Failure User:
Computer Name: Chloe-PC Event Code: 4648 Message: A logon was attempted using explicit credentials.
Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server: Target Server Name: localhost Additional Information: localhost
Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\services.exe
Network Information: Network Address: - Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. Record Number: 86541 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20100108081801.629895-000 Event Type: Audit Success User:
Computer Name: Chloe-PC Event Code: 4624 Message: An account was successfully logged on.
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Record Number: 86542 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20100108081801.629895-000 Event Type: Audit Success User:
Computer Name: Chloe-PC Event Code: 4672 Message: Special privileges assigned to new logon.
Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7
The logs don't reflect the extra data issues. Malwarebytes removed some tough enough rootkit files, so let's see if something isn't creating its own data files there. Then we need to have you run some uninstallers for the older security software still remaining.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.
Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.
Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Combofix is bringing up a warning box saying that antivirus are still running and that it can affect my system or the scan if I proceed. I have disabled Zone Alarm but it is saying AVG and McAfee are also running, but I have no details of them in my program list? How do I disable them or shall I just run the scan "at my own risk"?
ComboFix is reading their status using WMI, so it isn't actually an indication that the software is still installed and active. Go ahead and agree and run the ComboFix scan please.
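As an added illustration of the point above (an example script; it is not from the thread, the helper, or ComboFix): the Security Center data ComboFix consults can be read straight from WMI, so a listed AVG or McAfee entry can be confirmed as a stale registration left by an incomplete uninstall rather than a running scanner. It assumes PowerShell 2.0 or later and the root\SecurityCenter2 namespace, which exists on Vista and later (XP uses root\SecurityCenter); the productState decoding is the commonly used community interpretation of an undocumented field, so treat it as an assumption.

```powershell
# Added example, not from the thread: list the AV / firewall / anti-spyware
# products registered with Windows Security Center. This is the same WMI
# data ComboFix reads, so a product that shows here but is absent from
# Programs and Features is a leftover registration, not running software.
# root\SecurityCenter2 is the Vista-and-later namespace; XP uses root\SecurityCenter.
$ns = 'root\SecurityCenter2'
$classes = 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct'

$products = foreach ($class in $classes) {
    Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            # productState is an undocumented bit field. The decoding below is the
            # community convention (assumption): of the six hex digits, digits 3-4
            # equal to 10 or 11 mean "enabled", digits 5-6 equal to 00 mean
            # "definitions current".
            $hex = ('{0:X6}' -f [int]$_.productState)
            $exe = $_.pathToSignedProductExe
            New-Object PSObject -Property @{
                Kind      = $class
                Product   = $_.displayName
                StateHex  = '0x' + $hex
                Enabled   = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
                UpToDate  = ($hex.Substring(4, 2) -eq '00')
                Exe       = $exe
                # A registered product whose signed executable no longer exists on
                # disk is the tell-tale of an uninstall that did not clean up.
                ExeExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
}

$products | Sort-Object Kind, Product |
    Format-Table Kind, Product, Enabled, UpToDate, ExeExists, Exe -AutoSize
```

Run it from any PowerShell prompt; no elevation is needed to read this namespace. An entry with ExeExists False for a product you believed removed is exactly what the vendor's own cleanup tool is meant to clear, and it is why tools that read Security Center still report the product as present.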
Some permissions restrictions on some Registry keys at the end of that log, but I read them as Bullguard created/use, and a dialer entry I am beginning to suspect is from some past or current AOL install.
I also think the items ComboFix removed were more due to their names, than actually identified infection files. But all those that are named similar to this:
c:\windows\system32\tmp0_xxxxxxxxxxxx.bk
Something appears to be creating and saving backup files, which could also be very large. Not right sure just what yet.
Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:
dir /s /a "c:\*tmp0_*.bk*.*" > c:\find.txt && notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread. If it turns out to be a huge logfile, then just locate some of those similarly-named files from it, and see if you can determine what creates them (right click - select Properties, check the tabs).
The hard drive seems to be filling up less quickly now, but is still going down? I'm rubbish with computers so I don't know whether this is because it's normal to do so or whether there is still something wrong. Just so you have some more insight :)
Let's check one of those files to see if we can ID it.
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.
Not quite sure what creates those files. Seems like files and version numbers, but "perfmonss.exe" has one too many "s"'s in it.
A web search of that file name and that number leads to a uTorrent forum page, where someone locates a performance monitor log that includes the info in your files, but not sure it was uTorrent related.
Go to Start > Run and type:
cmd.exe
and ok. At the prompt type or copy/paste each of the following, pressing Enter after each:
dir /s /a "c:\*perfmons*.*" > c:\find.txt && notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread please.
Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.
Darn, I don't want to add delays to our work here, but what gave you access denied please? Opening the command window, or running that command line? Maybe it was my providing XP steps, and not Vista. Try this please:
Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after:
dir /s /a "c:\*perfmons*.*" > c:\find.txt && notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
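The same search the two dir command lines in this thread perform (the tmp0_*.bk* search and the *perfmons* search), as an added PowerShell example that is not the helper's or the thread's own script. Beyond listing matches it totals their size, shows the newest ones (their timestamps are what you line up against a process in Task Manager or an event log entry to find the creator), and ranks the largest top-level folders, which is the question that matters when a drive is filling up. It assumes PowerShell 2.0 or later run from an elevated prompt; the C:\ root and the two patterns are assumptions taken from the thread's commands and can be changed.

```powershell
# Added example, not from the thread: locate the suspect files the thread's
# dir commands look for, total their size, list the newest ones, then rank
# the largest top-level folders on the drive.
# Run from an elevated PowerShell prompt. Folders the account cannot read are
# skipped rather than aborting the scan (the "access denied" the thread hit).
param(
    [string]   $Root     = 'C:\',
    [string[]] $Patterns = @('tmp0_*.bk*', '*perfmons*'),   # assumed; from the thread's two dir commands
    [int]      $Top      = 15
)

function Get-MatchingFiles {
    param([string]$Path, [string]$Pattern)
    # -Force includes hidden/system files; PSIsContainer keeps PowerShell 2.0 compatibility
    Get-ChildItem -Path $Path -Filter $Pattern -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}

foreach ($pattern in $Patterns) {
    $files = @(Get-MatchingFiles -Path $Root -Pattern $pattern)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    "=== $pattern : $($files.Count) file(s), $([math]::Round($bytes / 1MB, 1)) MB ==="
    $files |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Top FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}

# Which top-level folders hold the most data? A torrent cache or a firewall
# log folder that keeps growing shows up here even when no name pattern matches.
"=== Largest top-level folders under $Root ==="
Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir = $_
        $sum = (Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum).Sum
        New-Object PSObject -Property @{ Folder = $dir.FullName; GB = [math]::Round($sum / 1GB, 2) }
    } |
    Sort-Object GB -Descending |
    Select-Object -First $Top |
    Format-Table Folder, GB -AutoSize
```

Save it as a .ps1 and run it twice a day or so apart; the folder whose GB figure climbs between runs is where the space is going, and the newest files under it point at the process writing them.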
Yes I still have the problem, roughly in the past 5 days my hard drive has increased by about 6 GB. Apart from the programmes that you have asked me to install and also a small program for my camera (400 KB) I have not added anything or created any files.
My partner uses my laptop to work on his pictures, but these are all stored on his memory stick; he never saves to my laptop. Coincidentally this morning when he tried to access his stick on Computer, the icon was showing as blank (not named as his stick is, just removable storage device) and was blank, saying "The request could not be performed due to an I/O device error". He panicked because he thought he had lost everything, but after we ejected it a few times it registered it and he could access everything. I don't know whether either of these things make any difference?
I only really use my laptop for the internet and the occasional document, listening to music and storing pictures and as I said my partner uses it for image manipulation and documents but always saves on his sticks so I don't know whether these things do take up space and whether I am over reacting to the problem?
Thank you for all your help with this, it's frustrating that everything doesn't reflect what is happening!
I am leaning towards your torrent software being responsible for this issue. I have had request threads in the past with a similar problem, and in those it was some altered Limewire swarm file saving method.
One other possible culprit is Zone Alarm, as it can save logs of its monitoring that can stack up pretty quickly.