XP: what is trying to connect to netfirms?

theequalizer

Ok this is driving me nuts for two days!

I had a folder disappear on me, totally vanish!

I tried the usual but it had gone.
Tried TestDisk and it said both MFT and MFT mirror are bad.

This was a spare drive and not my xp drive.

I have managed to get most of it off the disk and, curiously, GetDataBack couldn't find the deleted files.
I have now reformatted the disk and am yet to try it.

So I'm thinking virus or malware (or bad disk), but at the same time something new at startup tried using rundll32.exe and is trying to ftp netfirms.com.



I have looked through everything and can't find a virus or malware.

I have used Kaspersky, MalwareBytes, Ad-Aware, Trend Micro (online), sfc tool, Spybot and I can't find what the hell is trying to ftp at startup.

Anyone got any ideas?

I have attached a copy of the HijackThis file, as I can't see the wood for the trees now!

 
Nothing obvious jumping out at me, but I'm no expert...!

It does seem suspicious though, TBH.

You could try ComboFix, but I'd be more inclined to submit your log on a specialised HJT/CF site, where they know how to read the logs properly. (Some stuff gets hidden very well these days!) I can point you to a site if you want, or with your permission, I can ask a guy I know to look at the log, who is a qualified malware reader etc...

Good luck whatever you do. We may have someone properly qualified here, I don't know...?!
 
My guess would be malware as netfirms.com is a hosting site & domain names supplier. Not sure if it is a serious concern but it's on your PC and should not be, if you didn't put it there.
 
From what I've read on other forums, some toolbars use netfirms hosting.

You could run a packet sniffer to see what, if any, data is being sent.

Also the correct way to use the ftp login to netfirms is like this -


That IP address traces back to Netfirms, Van Nuys, California.
 
I took the liberty of pasting your logfile on this website HijackThis Logfileauswertung and this is the only thing that came back as "nasty"


O4 - HKLM\..\Policies\Explorer\Run: [Update Check] rundll32.exe whtlmsis.dll,LoadProfile32 vista

Don't know exactly what that means but maybe point you in the right direction.
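
A triage sketch for the kind of entry flagged above, added here as an example and not part of the original thread: it scans HijackThis O4 lines for autostarts under Policies\Explorer\Run and for commands that run through rundll32. The function name, the heuristics and every sample line except the "Update Check" entry are assumptions constructed for illustration.

```python
import re

# O4 autostart line as HijackThis prints it: "O4 - <location>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 invocation: rundll32(.exe) <dll>,<export> [args]; the DLL may be quoted
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\"?\s+\"?(?P<dll>[^\",]+?)\"?\s*,\s*(?P<export>\S+)", re.I)

# Constructed sample log; only the "Update Check" line comes from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [Update Check] rundll32.exe whtlmsis.dll,LoadProfile32 vista
O4 - HKLM\..\Run: [ExampleHelper] rundll32.exe "C:\Program Files\Example\helper.dll",Start
"""

def triage_o4(log_text):
    """Return O4 entries worth a manual look, each with the reasons it was picked."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 registry autostart line
        reasons = []
        # The policy Run key is a less commonly inspected autostart location
        if "policies\\explorer\\run" in m["loc"].lower():
            reasons.append("autostart set under Policies\\Explorer\\Run")
        r = RUNDLL_RE.search(m["cmd"])
        if r:
            # The real payload is the DLL, not rundll32.exe itself
            reasons.append("rundll32 loads %s (export %s)" % (r["dll"], r["export"]))
            if "\\" not in r["dll"]:
                # No directory given, so the DLL is found via the search path
                reasons.append("DLL given without a path")
        if reasons:
            findings.append({"name": m["name"], "location": m["loc"],
                             "dll": r["dll"] if r else None, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print("[%s] %s" % (f["name"], f["location"]))
        for reason in f["reasons"]:
            print("   - " + reason)
```

The reasons are prompts for a manual check of the named DLL (location on disk, signer, file date), not a verdict; plenty of legitimate software also starts through rundll32.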
 
Thanks for all your help guys, but I was getting balder and madder trying to work it out.

So I'm doing a reformat.

I've just got Firefox back on, so I thought I'd check in.

My ultimate nightmare is I install an app and it starts again.

But I suppose a clean install every so often probably does your system some good.

I'll keep you posted!
 