[Viileafclover]

Hi i was advised to post a log file from hijack this into this forum, to see about getting advice from an analyst on whether or not my memory is being eaten up by malware or just computer programs.

this is a link on cnet to my original post about memory issues:
http://forums.cnet.c...threadID=359922 &tag=unsubscribeForm;tracked-disc

and this is a 2nd thread i started about keylogger files, all pretaining to the same issue:
http://forums.cnet.c...threadID=359924 &tag=unsubscribeForm;tracked-disc

i have yet to find enough time where the computer is free to run anything in safe mode, yet alone get into safe mode >.> freakin laptop boots so daggone fast ive only managed to get to safe mode twice. started running AVG but had to be interupted for lame reasons.

so far, the links will tell what ive done and come across if anyone needs more information about this, and first link also has the information i know about the laptop.
in the 2nd link i was advised to show hidden folders (which i had totally forgotten was possible to hide folders and what not.) and the logfiles from SASFE.

and then run hijack this and post the logfile, which is further down.

so far ive downloaded:
Superanti-spyware (FE)
CCleaner
Hijackthis

AVG is already on this laptop, and theres basic windows vista protection but idk i dont use it. everytime someone uses something that came with the laptop something else wants to go wrong so im just trying to fix things one at a time. and no i do not have a firewall set up yet, but i fully intend to. every night i run ccleaner just because, and set the SAS to run over night. usually it comes back clean since the first time i ran it. i have not yet done everything as was advised on cnet, again time is an issue being that this is the main computer everyone uses. i know theres a program that will make a complete text document list of whats on the computer, but i cant remember the programs name, my own computer guru that built my computer put it on my computer for when i need help, but right now hes out of the country and inaccessable aside from email and i kinda want to learn how to handle it on my own, hence posting in forums. thanks so much to anyone able to help.

if you need more information please let me know im just not entirely sure what might be needed.
thanks so much to anyone and everyone for looking into this.

heres the log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:07 AM, on 9/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\Philips\SPC610NC\Monitor.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\keith\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SPC610NC_Monitor] C:\Windows\Philips\SPC610NC\Monitor.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6445 bytes

[Fred Flintstone]

Hi Viileafclover..
Apologies for the delay..

Lets try ComboFix..

This program is a powerful tool, intended by its creator, to be "used under the guidance and supervision of trained malware removers", NOT for general public use.
Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

• Please download ComboFix.exe... © Copyrighted to sUBs
  You must rename it before saving it... See reference images below. Save it to your desktop.
  Alternate download sites: forospyware.com or geekstogo.com.
  
  
  
  
  --------------------------------------------------------------------
  
• Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  *Only* when the 2 items above (Step 2) have been taken care of...
  
• Double click on Combo-Fix.exe & follow the prompts.
  Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
  Do Not touch your computer when ComboFix is running!
  ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
  When finished... Notepad will open ... ComboxFix will produce a log file called "log.txt".
  
• Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Then:
HJT - StartupList Log

Please run HijackThis

If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.


• From the Main Menu...Press the "Open the Misc Tools"...button.
  
• In the next window, to the right of "StartupList (integrated v1.52)"... Check the boxes:
  • "List also minor sections (full)"
    
  • "List empty sections (complete)".
  
  
• Press the "Generate StartupList log"...button. Press Yes to the "Do you want to continue?" prompt
  A Notepad window will open...(titled "startuplist.txt")... when you close the file, it will be saved to your HJT folder.
  
• Copy and Paste the contents of the startuplist.txt in your next reply.

Please post back both logs for me to check out.

Thanks
Fred..

[Fred Flintstone]

Reopened at users request.

This post has been edited by Fred Flintstone: 11 October 2009 - 07:01 PM

[Viileafclover]

i actually have a weekend coming up sometime soon (next couple of weeks) where i should have total control of the laptop in question, assuming they leave it so i can fix it. hopefully ill be able to get everything taken care of then

[Fred Flintstone]

Hi Viileafclover..
I will leave this thread open to await your reply.
Please be aware that when you are ready, we will need to start from the beginning due to the time elapsed since the above log was generated (things change over time etc).

You have expressed concerns about using ComboFix due to all the warnings posted with it. These warnings are given to avoid damage to the computers of other people who tend to "follow along" on the threads of someone like yourself who is already being helped.
This is where the risk lies, using ComboFix in an Unsupervised environment.

Used properly, ComboFix is one of the safest and most effective tools available at the present time.

If you have any further concerns, please feel free to contact me either by posting in this thread, or send me a PM BEFORE we begin.

Thanks
Fred..

This post has been edited by Fred Flintstone: 18 October 2009 - 11:33 AM

[Viileafclover]

i totally understand waiting for the right time to start from the beginning, but being as its my fathers laptop, at the moment being that the laptop is working for the most part if a little sluggish at times, he doesnt want me to do anything >.< altogether its rather frustrating, especially when hes like "fix it!" then tells me not to mess with it lol. it "locks up" on him when in reality its just the computer "thinking" because if you just give it a moment or two it does what it is you wanted it to do, hes just impatient and keeps clicking which in turn is just creating a que (sp??) on the tasks its supposed to preform. and its only sluggish at times when adobe player is in use (facebook games) and sometimes when its loading the internet or certain pages, and in going through various folders and downloaded items it seems a lot of the memory is taken up simply from windows vista updates (the laptop was bought soon after the OS came out and was/is still quite buggy) in going through the computer i dont remember how i came across the items specifically, but i remember seeing them, and seeing that each update was almost Mbs if not Gbs large. And also when ill be able to handle this, is hard to tell since this laptop is the main computer since the others wireless adapter is screwed up (i havent been able to get to fixing that yet) Ill need my sisters laptop handy for internet connection so as to keep up with this and the directions ill receive from you. I should be getting my own tower shortly, its at my mothers house getting upgrades from my stepdad, hopefully if i let them use my computer for the interem, they will allow me to take over this one for however long neccesary to fix it properly and without interuption. but i cant honestly say when that will be, my stepdad is out of the country a lot recently and has limited time in making sure all the hardware/software is properly working but it should be ready within the month (hopefully)
thanks again for your patience, sorry it takes so long for a response i only check my email once in every couple of weeks because i dont really use it. unless im expecting something, again thanks

[Fred Flintstone]

Hi Viileafclover..
No problem if you can't continue at the moment.
But I would try to at least download and run MBAM to make sure that there's nothing bad on the computer.

Doesn't take long and clears out most crud in one sweep!

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  
• On the Scanner tab:

• Make sure the "Perform Quick Acan" option is selected.
  
• Then click on the Scan button.

• The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Worth giving it a quick "whirl" to be on the safe side IMHO..
Fred.

[Fred Flintstone]

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.