Spydawn Popup Window


15 replies to this topic

#1 birdman2314


Posted 11 July 2008 - 09:57 PM

Well today I was looking for "skins" for my Counter-Strike: Source game. Came upon this site from Google, clicked on it and was taken to the page. Looked like a pretty alright site. Navigated the page for a bit and found a nice skin. Proceeded to download it and then I get a bunch of popups from McAfee saying that it blocked Trojans. I can remember one entitled "Zlob" and one entitled "General". There was one other but I forget what it was called. Then the icon in the taskbar showed up. And every 10 minutes or so it flashes a message saying that it is infected and I need to download software. I have had this exact same problem in the past on this computer, and it was fixed by the SmitFraudFix. That is why I need your help. Don't know what to do next.

I have one question, and that is: is this thing just an annoyance, or does it work as a keylogger too? :X

The following are the logs:

Deckard's System Scanner v20071014.68
Run by Chris on 2008-07-11 19:49:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-12 02:49:31 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-07-12 02:38:01 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:24 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\AlienGUIse\wbload.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Chris\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9251C8-92FF-46ED-8DFC-CBCD99A658AF} - C:\WINDOWS\system32\rqRJYPFv.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\geBqRjhe.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: Internet Service - {65742936-8079-408B-9F3C-874B78030A72} - C:\Program Files\Web Technologies\iebr.dll (file missing)
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Startup: MEMonitor.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: geBqRjhe - geBqRjhe.dll (file missing)
O20 - Winlogon Notify: moblex - moblex.dll (file missing)
O21 - SSODL: Canoxker - {B80E2D43-80E1-42EA-920C-36D1D05E8E42} - C:\WINDOWS\system32\excadime.dll
O22 - SharedTaskScheduler: enation - {629340b5-8df6-4211-9245-a86563a35792} - C:\WINDOWS\system32\gnmguxh.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8722 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"
.reg - regfile - shell\open\command - "regedit.exe" "%1"
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 SCREAMINGBDRIVER (Screaming Bee Audio) - c:\windows\system32\drivers\screamingbaudio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-11 11:34:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-07 19:09:35 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-12-07 19:09:34 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-03-18 13:20:17 290 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-11 18:59:35 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-11 17:42:44 0 d--h----- C:\Documents and Settings\Administrator\Templates <TEMPLA~1>
2008-07-11 17:42:44 0 dr------- C:\Documents and Settings\Administrator\Start Menu <STARTM~1>
2008-07-11 17:42:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-11 17:42:44 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-11 17:42:44 0 d--h----- C:\Documents and Settings\Administrator\PrintHood <PRINTH~1>
2008-07-11 17:42:44 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-11 17:42:44 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-11 17:42:44 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2008-07-11 17:42:44 0 d--h----- C:\Documents and Settings\Administrator\Local Settings <LOCALS~1>
2008-07-11 17:42:44 0 d-------- C:\Documents and Settings\Administrator\Favorites <FAVORI~1>
2008-07-11 17:42:44 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-11 17:42:44 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-11 17:42:44 0 dr-h----- C:\Documents and Settings\Administrator\Application Data <APPLIC~1>
2008-07-11 17:42:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-11 17:40:54 0 d-------- C:\WINDOWS\pss
2008-07-05 18:46:54 0 d-------- C:\Program Files\FileZilla FTP Client
2008-07-05 18:40:53 0 d-------- C:\Documents and Settings\Chris\Application Data\FileZilla
2008-07-05 18:36:24 0 d-------- C:\Documents and Settings\Chris\.unlimitedftp <UNLIMI~1>
2008-07-04 17:27:54 0 d-------- C:\Program Files\IrfanView
2008-07-04 16:27:05 0 d--h----- C:\WINDOWS\PIF
2008-07-01 15:25:36 23 --a------ C:\Documents and Settings\Chris\jagex_runescape_preferences.dat <JAGEX_~1.DAT>
2008-06-29 11:50:17 33292288 --a------ C:\Documents and Settings\Chris\ntuser.dat
2008-06-24 18:17:33 0 d-------- C:\Program Files\GameGuardian


-- Find3M Report ---------------------------------------------------------------

2008-07-11 18:53:24 3020 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 15:44:54 0 d-------- C:\Program Files\Steam
2008-07-11 14:05:16 0 d-------- C:\Program Files\mIRC
2008-07-09 10:27:16 13312 --a-s---- C:\WINDOWS\system32\gnmguxh.dll
2008-07-05 10:57:22 0 d-------- C:\Program Files\Sony
2008-07-04 13:52:18 0 d-------- C:\Program Files\Mixxx
2008-07-02 18:30:42 0 d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2008-07-02 18:29:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-27 20:35:50 0 d-------- C:\Program Files\FlashGet
2008-06-01 16:52:34 0 d-------- C:\Documents and Settings\Chris\Application Data\Publish Providers
2008-05-31 22:11:07 131072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-30 17:30:43 109984 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-26 14:49:54 0 d-------- C:\Program Files\Ventrilo
2008-05-26 14:49:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 18:04:10 0 d-------- C:\Program Files\LG Electronics
2008-05-20 18:04:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 18:03:48 0 d-------- C:\Program Files\Verizon Wireless
2008-05-16 19:24:42 1347165 --ahs---- C:\WINDOWS\system32\vFPYJRqr.ini2
2008-05-16 18:57:48 1354382 --ahs---- C:\WINDOWS\system32\xEKSCfhk.ini2
2008-05-15 19:27:49 0 d-------- C:\Documents and Settings\Chris\Application Data\Leadertech
2008-05-15 19:15:14 1219554 --ahs---- C:\WINDOWS\system32\utDKlnmp.ini2
2008-05-14 22:01:10 1202359 --ahs---- C:\WINDOWS\system32\klUBayay.ini2
2008-05-13 16:07:40 0 d-------- C:\Documents and Settings\Chris\Application Data\Sony
2008-04-29 17:13:19 918 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F9251C8-92FF-46ED-8DFC-CBCD99A658AF}]
C:\WINDOWS\system32\rqRJYPFv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
C:\WINDOWS\system32\geBqRjhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [07/12/2006 02:58 AM]
"nwiz"="nwiz.exe" [03/09/2006 12:29 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/09/2006 12:29 AM]
"CHotkey"="mHotkey.exe" [12/08/2004 06:57 PM C:\WINDOWS\mHotkey.exe]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 04:52 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 03:32 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/03/2004 03:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 03:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 03:32 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2004 02:04 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 12:29 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 09:15 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:56 PM]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [9/18/2007 5:38:11 PM]
MEMonitor.lnk.disabled [5/20/2008 6:03:57 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk.disabled [4/13/2007 7:11:02 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{629340b5-8df6-4211-9245-a86563a35792}"= C:\WINDOWS\system32\gnmguxh.dll [07/09/2008 10:27 AM 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"= C:\WINDOWS\system32\geBqRjhe.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Canoxker"= {B80E2D43-80E1-42EA-920C-36D1D05E8E42} - C:\WINDOWS\system32\excadime.dll [04/16/2007 08:52 AM 774144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBqRjhe]
geBqRjhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\moblex]
moblex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRJYPFv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Steam"="c:\program files\steam\steam.exe" -silent
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SkyTel"=SkyTel.EXE
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8754 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-11 19:51:01 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
CPU 1: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2046.42 MiB / 1469.36 MiB
Pagefile Memory (total/avail): 3429.41 MiB / 2964.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 137.47 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SATA WD C WD2500 SCSI Disk Device - 232.88 GiB - 1 partition
PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Sierra On-Line\SIGSPat.exe"="C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Enabled:SIGSPat"
"C:\Program Files\Steam\steamapps\birdman2314\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\birdman2314\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\Program Files\THQ\Titan Quest\Titan Quest.exe"="C:\Program Files\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Disabled:mIRC"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\Soldat\Soldat.exe"="C:\Soldat\Soldat.exe:*:Enabled:Soldat"
"C:\Documents and Settings\Chris\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Chris\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox"
"C:\UT2004\System\UT2004.exe"="C:\UT2004\System\UT2004.exe:*:Enabled:UT2004"
"C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Steam\steamapps\birdman2314\dedicated server\hltv.exe"="C:\Program Files\Steam\steamapps\birdman2314\dedicated server\hltv.exe:*:Enabled:HLTV Launcher"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Steam\steamapps\birdman2314\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\birdman2314\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Steam\steamapps\birdman2314\dedicated server\hlds.exe"="C:\Program Files\Steam\steamapps\birdman2314\dedicated server\hlds.exe:*:Enabled:HLDS Launcher"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Steam\steamapps\birdman2314\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\birdman2314\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\ASC 2.1\asc 2.1.exe"="C:\Program Files\ASC 2.1\asc 2.1.exe:*:Enabled:AntiSpyCheck"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GAMINGCOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LOGONSERVER=\\GAMINGCOMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=GAMINGCOMPUTER
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Chris (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Active@ ISO Burner v 1.1 --> "C:\Program Files\LSoft Technologies\Active ISO Burner\UNWISE.EXE" "C:\Program Files\LSoft Technologies\Active ISO Burner\INSTALL.LOG"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\7328fdfcb73660ec8b11d5a3d5c6232\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Setup --> MsiExec.exe /I{0650BB10-BCF4-400A-85EE-04097E3046C6}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AlienGUIse Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
Apophysis 2.0 --> "C:\Program Files\Apophysis 2.0\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
BIOSTAR VGA Ocer Clock --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7975F6B-420D-40CA-A58C-AE6A604E2C00}\setup.exe"
CMN3 --> C:\Program Files\CEVO\CMN3\Uninstall.exe
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Counter-Strike --> "C:\program files\steam\steam.exe" steam://uninstall/10
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
Day of Defeat --> "C:\Program Files\Steam\steam.exe" steam://uninstall/30
Dedicated Server --> "C:\Program Files\Steam\steam.exe" steam://uninstall/5
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
FileZilla Client 3.0.11 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
FL Studio v7.0 --> "C:\Program Files\Image-Line\FL Studio 7\unins000.exe"
FlashGet 1.8.2.1003 --> C:Program FilesFlashGetuninst.exe
Fraps --> "C:Frapsuninstall.exe"
Free iPod Video Converter 1.26 --> "C:Program FilesFree iPod Video Converterunins000.exe"
FrostWire 4.13.5 --> C:Program FilesFrostWireUninstall.exe
GameGuardian Twilight RC2 --> "C:Program FilesGameGuardianunins000.exe"
Gigabyte Raid Configurer --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime1100Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}SETUP.EXE" -l0x9 -removeonly
Half-Life: Counter-Strike --> C:SierraCOUNTE~1UNWISE.EXE C:SierraCOUNTE~1INSTALL.LOG
High Definition Audio Driver Package - KB888111 --> "C:WINDOWS$NtUninstallKB888111WXPSP2$spuninstspuninst.exe"
HijackThis 2.0.2 --> "C:Program FilesTrend MicroHijackThisHijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:WINDOWS$NtUninstallKB929399$spuninstspuninst.exe"
HyperCam 2 --> "C:Program FilesHyCam2UnHyCam2.exe"
HyperStudio 4 Player --> C:WINDOWSUnwise32.exe C:WINDOWSHSPLAYER.LOG
i-Cool --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime1100Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{28184E01-D57A-4933-A09B-F65403F16D82}setup.exe" -l0x9 -uninst -removeonly
IL Download Manager --> C:Program FilesImage-LineDownloaderuninstall.exe
IrfanView (remove only) --> C:Program FilesIrfanViewiv_uninstall.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Mega Codec Pack 2.01 --> "C:Program FilesK-Lite Codec Packunins000.exe"
LG USB Modem driver --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{C3ABE126-2BB2-4246-BFE1-6797679B3579}Setup.exe" -l0x9 LG
LimeWire 4.14.12 --> "C:Program FilesLimeWireuninstall.exe"
McAfee SecurityCenter --> C:Program FilesMcAfeeMSCmcuninst.exe
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:WINDOWS$NtUninstallbasecsp$spuninstspuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:WINDOWS$NtUninstallMSCompPackV1$spuninstspuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:WINDOWS$NtUninstallWdf01005$spuninstspuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:WINDOWS$NtUninstallWudf01000$spuninstspuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:Program FilesmIRCmirc.exe" -uninstall
Morrowind --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesBethesda SoftworksMorrowindMWUninstallSetup.exe" -l0x9
Mozilla Firefox (2.0.0.15) --> C:PROGRA~1Mozilla Firefoxuninstallhelper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers --> C:WINDOWSsystem32nvudisp.exe UninstallGUI
PageTutor HTML Tutorial --> C:Program FilesPageTutor.comPageTutorUninstal.exe
Painter --> C:PROGRA~1PainterUNWISE.EXE C:PROGRA~1PainterINSTALL.LOG
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
project dogwaffle --> C:WINDOWSST5UNST.EXE -n "C:Program Filesproject dogwaffleST5UNST.LOG"
PSL2 Plugin --> C:Program FilesPgcEditUninstal.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime1150Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}setup.exe" -l0x9 -removeonly
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Soldat 1.4.1 --> "C:Soldatunins000.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sony Media Manager 2.2 --> MsiExec.exe /X{47AA42FD-0450-4CB4-ADAF-B6E770AA7B2F}
Sony Vegas Pro 8.0 --> MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
SpeedFan (remove only) --> "C:Program FilesSpeedFanuninstall.exe"
Spybot - Search & Destroy --> "C:Program FilesSpybot - Search & Destroyunins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:WINDOWSunins000.exe"
Steam --> C:PROGRA~1SteamUNWISE.EXE C:PROGRA~1SteamINSTALL.LOG
Storybook Weaver Deluxe --> C:WINDOWSuninst.exe -fC:MECCSBWDLXDeIsL1.isu
System Requirements Lab --> C:Program FilesSystemRequirementsLabUninstall.exe
TeamSpeak 2 RC2 --> "C:Program FilesTeamspeak2_RC2unins000.exe"
TES Construction Set --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesBethesda SoftworksMorrowindCSUninstallSetup.exe" -l0x9
Titan Quest --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1PROFES~1RunTime1150Intel32Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}setup.exe" -l0x9 -removeonly
Unreal Tournament 2004 --> C:UT2004SystemSetup.exe uninstall "UT2004"
USB Multimedia Keyboard Driver --> RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{F040F938-6F98-46CB-9E1D-D38178A8025E}Setup.exe" -l0x9
UT2004 Editor's Choice Edition Mod Installer --> MsiExec.exe /I{88D5B052-13BF-44FE-8C17-AC416B323BFE}
V CAST Music Manager --> C:PROGRA~1VERIZO~1VCASTM~1Setup.exe /remove /q0
Valve Hammer Editor --> C:PROGRA~1VALVEH~1UNWISE.EXE C:PROGRA~1VALVEH~1INSTALL.LOG
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6b --> C:Program FilesVideoLANVLCuninstall.exe
Viewpoint Media Player --> C:Program FilesViewpointViewpoint Experience TechnologymtsAxInstaller.exe /u
WebFldrs XP -->
Windows Imaging Component --> "C:WINDOWS$NtUninstallWIC$spuninstspuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:WINDOWS$NtUninstallWMFDist11$spuninstspuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:WINDOWS$NtUninstallKB891122$spuninstspuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinFlyer --> "rundll32.exe" C:WINDOWSsystem32WinFlyer32.dll,UnInstall
WinRAR archiver --> C:Program FilesWinRARuninstall.exe
Xfire (remove only) --> "C:Program FilesXfireuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Companion --> rundll32.exe C:PROGRA~1Yahoo!COMPAN~1InstallscpnYCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type400 / Success
Event Submitted/Written: 07/11/2008 07:22:43 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type395 / Warning
Event Submitted/Written: 07/11/2008 06:39:34 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type394 / Warning
Event Submitted/Written: 07/11/2008 06:39:34 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91E30409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database' does not exist.

Event Record #/Type387 / Success
Event Submitted/Written: 07/11/2008 06:32:24 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type382 / Error
Event Submitted/Written: 07/11/2008 06:23:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24948 / Error
Event Submitted/Written: 07/11/2008 07:21:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type24947 / Error
Event Submitted/Written: 07/11/2008 07:20:32 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type24946 / Error
Event Submitted/Written: 07/11/2008 06:53:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service McNASvc with arguments ""
in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}

Event Record #/Type24945 / Error
Event Submitted/Written: 07/11/2008 06:53:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service McNASvc with arguments ""
in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}

Event Record #/Type24944 / Error
Event Submitted/Written: 07/11/2008 06:52:02 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
mfehidk
MPFP
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-07-11 19:51:01 ------------

Oh and is this virus malicious in any way??? I really need to know before I start entering passwords in places :/


-bird

Merged posts. ~ OB

Edited by Orange Blossom, 12 July 2008 - 09:25 PM.




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:16 AM

Posted 13 July 2008 - 05:45 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
From what I can see, you don't have a keylogger. But anytime you have a malware infection you should take normal precautions and change passwords. It's much better to have done it and not needed to than the other way around.



Please visit this page for instructions to download and use Combofix.

How to use Combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Please post the log from Combofix here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 11:51 AM

When I dragged the Boot thing from the Microsoft support site over ComboFix, it seemed to be working okay. But after it completed, I got a popup saying a PUP had been found by McAfee. The PUP was entitled RemAdm ProcLaunch. Please advise me on what to do next.

Thanks,

Chris


Oh, and by the way, I don't know if this is related or not, but since last night I haven't been able to go online on that computer. So I am on my other one for now.

#4 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 12:31 PM

ComboFix 08-07-13.14 - Chris 2008-07-14 10:02:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1548 [GMT -7:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\klUBayay.ini2
C:\WINDOWS\system32\utDKlnmp.ini2
C:\WINDOWS\system32\vFPYJRqr.ini
C:\WINDOWS\system32\vFPYJRqr.ini2
C:\WINDOWS\system32\xEKSCfhk.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-11 19:49 . 2008-07-11 19:49 <DIR> d-------- C:\Deckard
2008-07-11 18:59 . 2008-07-11 18:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-11 17:42 . 2008-07-11 17:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-05 18:46 . 2008-07-05 18:46 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-07-05 18:40 . 2008-07-05 18:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\FileZilla
2008-07-05 18:36 . 2008-07-05 18:36 <DIR> d-------- C:\Documents and Settings\Chris\.unlimitedftp
2008-07-04 17:27 . 2008-07-04 17:27 <DIR> d-------- C:\Program Files\IrfanView
2008-07-04 16:27 . 2008-07-04 16:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-24 18:17 . 2008-06-24 18:17 <DIR> d-------- C:\Program Files\GameGuardian

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 05:47 --------- d-----w C:\Program Files\mIRC
2008-07-14 02:34 --------- d-----w C:\Program Files\Steam
2008-07-05 17:57 --------- d-----w C:\Program Files\Sony
2008-07-05 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-07-05 17:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 20:52 --------- d-----w C:\Program Files\Mixxx
2008-07-03 01:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 03:35 --------- d-----w C:\Program Files\FlashGet
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 23:52 --------- d-----w C:\Documents and Settings\Chris\Application Data\Publish Providers
2008-05-26 21:49 --------- d-----w C:\Program Files\Ventrilo
2008-05-26 21:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 01:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 01:04 --------- d-----w C:\Program Files\LG Electronics
2008-05-21 01:03 --------- d-----w C:\Program Files\Verizon Wireless
2008-05-16 02:27 --------- d-----w C:\Documents and Settings\Chris\Application Data\Leadertech
2007-09-21 01:39 81,920 ----a-w C:\Documents and Settings\Chris\Application Data\ezpinst.exe
2007-09-21 01:39 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 02:58 356352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 00:29 86016]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 15:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 15:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 15:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 15:32 455168]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 00:29 7561216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2006-03-09 00:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2004-12-08 18:57 550912 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [2007-09-18 17:38:11 2074360]
MEMonitor.lnk.disabled [2008-05-20 18:03:57 872]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2007-04-13 19:11:02 986]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{629340b5-8df6-4211-9245-a86563a35792}"= "C:\WINDOWS\system32\gnmguxh.dll" [2008-07-09 10:27 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Canoxker"= {B80E2D43-80E1-42EA-920C-36D1D05E8E42} - C:\WINDOWS\system32\excadime.dll [2007-04-16 08:52 774144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Steam"="c:\program files\steam\steam.exe" -silent
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SkyTel"=SkyTel.EXE
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\counter-strike\\hl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\dedicated server\\hltv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\day of defeat\\hl.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\dedicated server\\hlds.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\counter-strike source\\hl2.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;C:\WINDOWS\system32\DRIVERS\vnetusbl.sys [2004-03-09 20:48]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-19 11:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 18:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-08 02:09:35 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-08 02:09:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-03-18 20:20:17 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0F9251C8-92FF-46ED-8DFC-CBCD99A658AF} - C:\WINDOWS\system32\rqRJYPFv.dll
Toolbar-{65742936-8079-408B-9F3C-874B78030A72} - C:\Program Files\Web Technologies\iebr.dll
Notify-geBqRjhe - geBqRjhe.dll
Notify-moblex - moblex.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 10:08:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-14 10:21:59 - machine was rebooted [Chris]
ComboFix-quarantined-files.txt 2008-07-14 17:21:54

Pre-Run: 147,358,134,272 bytes free
Post-Run: 147,685,715,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

194 --- E O F --- 2008-07-09 06:01:18

----------------------------------------------------------------

I am still getting the popup saying that I am infected and that I should download an up-to-date antivirus solution.

-chris

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:16 AM

Posted 14 July 2008 - 02:53 PM

I am still getting the popup saying that I am infected and that I should download an up-to-date antivirus solution.

:thumbsup:
Don't do it!

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\gnmguxh.dll
C:\WINDOWS\system32\excadime.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{629340b5-8df6-4211-9245-a86563a35792}"= -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Canoxker"= -

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
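The two loading points Sam singles out above (SharedTaskScheduler and ShellServiceObjectDelayLoad) can be pulled out of a ComboFix log mechanically. The following Python is an added example, not part of this thread or of ComboFix: it parses a constructed excerpt in the log's "Reg Loading Points" layout, flags entries under those two keys, and renders a CFScript in the File:: / Registry:: form shown in the post. The sample log text and the WATCHED_KEYS list are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section;
# the entries mirror the ones discussed in this thread but are sample data.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{629340b5-8df6-4211-9245-a86563a35792}"= "C:\WINDOWS\system32\gnmguxh.dll" [2008-07-09 10:27 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Canoxker"= {B80E2D43-80E1-42EA-920C-36D1D05E8E42} - C:\WINDOWS\system32\excadime.dll [2007-04-16 08:52 774144]
"""

# Last path component of the autostart keys the helper targeted in this thread
# (an assumption for this example). Both load a DLL into explorer.exe at logon
# and are seldom used by legitimate software, so entries under them deserve a
# look before anything is removed.
WATCHED_KEYS = ("sharedtaskscheduler", "shellserviceobjectdelayload")


class LoadPoint(NamedTuple):
    key: str   # registry key as printed inside [...] by ComboFix
    name: str  # value name inside that key
    path: str  # module the entry loads, or "" if none could be extracted


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe))', re.IGNORECASE)


def parse_loading_points(text: str) -> List[LoadPoint]:
    """Parse the REGEDIT4-style section into (key, value name, module path) rows."""
    points: List[LoadPoint] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key:
            path_match = _PATH_RE.search(value_match.group(2))
            path = path_match.group(1) if path_match else ""
            points.append(LoadPoint(current_key, value_match.group(1), path))
    return points


def suspicious_points(points: List[LoadPoint]) -> List[LoadPoint]:
    """Keep only entries that live directly under one of the watched keys."""
    return [p for p in points if p.key.rsplit("\\", 1)[-1].lower() in WATCHED_KEYS]


def build_cfscript(points: List[LoadPoint]) -> str:
    """Render a CFScript in the File:: / Registry:: layout shown in the thread.

    Under Registry:: a value written as "name"= - marks that value for removal,
    and File:: lists the modules to remove. Review the result before using it.
    """
    lines = ["File::"]
    lines += [p.path for p in points if p.path]
    lines += ["", "Registry::"]
    for p in points:
        lines.append(f"[{p.key}]")
        lines.append(f'"{p.name}"= -')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_points(parse_loading_points(SAMPLE_LOG))
    print(build_cfscript(flagged))
```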

#6 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 02:57 PM

Thanks for the reply.

Before I ran ComboFix, I tried to disable my McAfee according to the link you gave me. However, what they claimed to be there wasn't. Is there any other way to disable it?

-chris

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:16 AM

Posted 14 July 2008 - 03:03 PM

Go ahead and run it with McAfee enabled. It didn't look like there was any problem the first time you ran it, so it should be ok.


========================================================

#8 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 03:05 PM

Alright, I will post the log in a few minutes.

-chris

#9 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 03:16 PM

Do I restart after it is done? The log file popped up, but my desktop is gone. It just shows the background.

-chris

#10 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 14 July 2008 - 03:19 PM

Never mind, I clicked around and everything popped up. Here is the log.

-------


ComboFix 08-07-13.14 - Chris 2008-07-14 13:06:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1558 [GMT -7:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\excadime.dll
C:\WINDOWS\system32\gnmguxh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\excadime.dll
C:\WINDOWS\system32\gnmguxh.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-14 11:29 . 2008-07-14 11:29 <DIR> d-------- C:\Program Files\WUSB11 WLAN Monitor
2008-07-14 11:29 . 2001-04-19 22:56 61,440 --a------ C:\WINDOWS\system32\W32N50.DLL
2008-07-14 11:29 . 2002-09-27 16:31 40,960 --a------ C:\WINDOWS\system32\IsUser11b.dll
2008-07-14 11:29 . 2001-04-18 12:27 16,292 --a------ C:\WINDOWS\system32\PCANDIS5.SYS
2008-07-14 11:29 . 2001-04-18 13:26 16,112 --a------ C:\WINDOWS\system32\PCANDIS4.SYS
2008-07-14 11:29 . 2002-04-11 07:40 16,089 --a------ C:\WINDOWS\system32\PCANDIS3.VXD
2008-07-11 19:49 . 2008-07-11 19:49 <DIR> d-------- C:\Deckard
2008-07-11 18:59 . 2008-07-11 18:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-11 17:42 . 2008-07-11 17:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-05 18:46 . 2008-07-05 18:46 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-07-05 18:40 . 2008-07-05 18:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\FileZilla
2008-07-05 18:36 . 2008-07-05 18:36 <DIR> d-------- C:\Documents and Settings\Chris\.unlimitedftp
2008-07-04 17:27 . 2008-07-04 17:27 <DIR> d-------- C:\Program Files\IrfanView
2008-07-04 16:27 . 2008-07-04 16:27 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-24 18:17 . 2008-06-24 18:17 <DIR> d-------- C:\Program Files\GameGuardian

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 18:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 05:47 --------- d-----w C:\Program Files\mIRC
2008-07-14 02:34 --------- d-----w C:\Program Files\Steam
2008-07-12 01:53 3,020 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-05 17:57 --------- d-----w C:\Program Files\Sony
2008-07-05 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-07-05 17:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 20:52 --------- d-----w C:\Program Files\Mixxx
2008-07-03 01:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-28 03:35 --------- d-----w C:\Program Files\FlashGet
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 23:52 --------- d-----w C:\Documents and Settings\Chris\Application Data\Publish Providers
2008-06-01 05:11 131,072 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-26 21:49 --------- d-----w C:\Program Files\Ventrilo
2008-05-26 21:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 01:04 --------- d-----w C:\Program Files\LG Electronics
2008-05-21 01:03 --------- d-----w C:\Program Files\Verizon Wireless
2008-05-16 02:27 --------- d-----w C:\Documents and Settings\Chris\Application Data\Leadertech
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 01:39 81,920 ----a-w C:\Documents and Settings\Chris\Application Data\ezpinst.exe
2007-09-21 01:39 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 02:58 356352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 00:29 86016]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 15:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 15:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 15:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 15:32 455168]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 00:29 7561216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2006-03-09 00:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2004-12-08 18:57 550912 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [2007-09-18 17:38:11 2074360]
MEMonitor.lnk.disabled [2008-05-20 18:03:57 872]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2007-04-13 19:11:02 986]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Steam"="c:\program files\steam\steam.exe" -silent
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SkyTel"=SkyTel.EXE
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\counter-strike\\hl.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\dedicated server\\hltv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\day of defeat\\hl.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\dedicated server\\hlds.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\birdman2314\\counter-strike source\\hl2.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;C:\WINDOWS\system32\DRIVERS\vnetusbl.sys [2004-03-09 20:48]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-19 11:34]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-11 18:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-08 02:09:35 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-08 02:09:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-03-18 20:20:17 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 13:10:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-14 13:14:45
ComboFix-quarantined-files.txt 2008-07-14 20:14:36
ComboFix2.txt 2008-07-14 17:22:00

Pre-Run: 147,663,314,944 bytes free
Post-Run: 147,649,314,816 bytes free

175 --- E O F --- 2008-07-09 06:01:18



-----------------------------------------------------------------------------

The computer is running a lot smoother and the popup is gone!

Thanks a bunch Sam!

Should I post another HijackThis log?

-chris

Edited by birdman2314, 14 July 2008 - 03:21 PM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 July 2008 - 09:10 AM

Yes, please post a new Hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts

Posted 15 July 2008 - 11:27 AM

Here you are:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:06 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Startup: MEMonitor.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8219 bytes

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 July 2008 - 03:08 PM

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Aside from that, your log is clean!

Let's get rid of Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"


===================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

:thumbsup: :)


========================================================
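As an added example (not from the thread and not Sam's own instructions), the following PowerShell script audits the six Custom Level settings Sam lists for the Internet zone by reading the per-user registry values that the dialog writes, and applies the recommended values only when run with -Fix. It assumes the action IDs follow Microsoft's documented zone layout (zone 3 = Internet; 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not part of the thread or of Sam's instructions.
# Audits (and with -Fix, applies) the six Internet-zone settings from the list
# above by reading the per-user zone key that the Custom Level dialog writes to.
# Assumptions: the action IDs below follow Microsoft's documented zone layout
# (zone 3 = Internet; 0 = Enable, 1 = Prompt, 3 = Disable). If the machine is
# set to HKLM-only zone policy (Security_HKLM_only), the HKLM key governs instead.
param([switch]$Fix)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID, setting name, and the value the list asks for
$desired = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe([object]$v) {
    # Human-readable form of a stored zone value; $null means never written
    if ($null -eq $v) { return 'not set (zone default)' }
    if ($label.ContainsKey([int]$v)) { return $label[[int]$v] } else { return "unknown ($v)" }
}

if (-not (Test-Path $zonePath)) { throw "Internet zone key not found: $zonePath" }
$zone = Get-ItemProperty -Path $zonePath

$weak = 0
foreach ($s in $desired) {
    $have = $zone.($s.Id)                       # $null if the value does not exist
    $ok   = ($null -ne $have) -and ([int]$have -eq $s.Want)
    $state = if ($ok) { 'OK  ' } else { 'WEAK' }
    Write-Output ('[{0}] {1,-4} {2,-58} current: {3}; wanted: {4}' -f `
        $state, $s.Id, $s.Name, (Describe $have), $label[$s.Want])
    if (-not $ok) {
        $weak++
        if ($Fix) {
            # Same effect as picking the value in the Custom Level dialog and clicking OK
            Set-ItemProperty -Path $zonePath -Name $s.Id -Value $s.Want -Type DWord
            Write-Output ('       -> set {0} to {1}' -f $s.Id, $label[$s.Want])
        }
    }
}

Write-Output ('{0} of {1} settings differ from the recommended values.' -f $weak, $desired.Count)
if ($weak -gt 0 -and -not $Fix) {
    Write-Output 'Re-run with -Fix to apply them (close Internet Explorer first).'
}
```

Run it without -Fix first to see which settings drift from the recommended values; settings that have never been touched in the dialog show as "not set" because the zone default applies.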

#14 birdman2314

birdman2314
  • Topic Starter

  • Members
  • 42 posts

Posted 15 July 2008 - 04:36 PM

Hey Sam,

I will look into all of these programs.

Thanks for helping me ! :D

-chris

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 July 2008 - 05:27 PM

Glad I could help you out! :thumbsup:


========================================================
