
help D:


  • This topic is locked
2 replies to this topic

#1 riot
  • Members
  • 2 posts

Posted 06 July 2010 - 02:18 AM

I've never had any issues with removing malware or viruses before, until now; this is driving me wacko, and I need help.

First off, let me tell you the issue: I can't visit certain sites that I can visit on any other computer in the house. I'm not sure if it's a pattern of sites or if it's just random; one thing is for sure, it's hard to access anything to do with virus or malware removal.

I have been dealing with this for 3 days. I knew I got the virus, so I went to remove it right away; however, I didn't have the time to test it, too much work with my manager on vacation >.>

The following keeps popping up in my Malwarebytes logs when it scans and removes them:

Trojan.Agent

I understand that by itself isn't that scary, but it's being put there by something worse and harder to find, which I have not been able to get rid of.

Next I used SDFix; it removed the following:

C:\Documents and Settings\Riot\Local Settings\Temp\NEW30E.tmp.exe

I will also post the logs of everything at the end of this post.

The following programs and games are on my computer, which may or may not help, but I figured I'd provide as much detailed information as possible to be able to get rid of this thing ASAP.

CODE
uTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athens Luna Plus (server i run)
Athens Test Client 1.00 (server i run)
Audacity 1.2.6
BomberMan Collection
Bonjour
CA Internet Security Suite
CCleaner
Cross fire En
DivX Converter
DivX Plus DirectShow Filter
DivX Setup
Dragon Age: Origins
EverQuest Titanium
GTK+ 2.10.13 runtime environment
HiJackThis 2.0.2
Install Creator Pro
iTunes
Java DB 10.5.3.0
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 20
JavaFX(TM) 1.3 SDK
KVIrc
LibUSb-Win32-0.1.10.1
LogMeIn
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Enterprise 2007
Microsoft Silverlight
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Molebox Pro 2.6.4 (2534)
Mozilla Firefox (3.6.6)
MP3MyMP3 3.0
Nero 8
Notepad++
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
ObjectDock Plus
PremiumSoft Navicat Lite 8.2
Quake 4(TM)
Quake 3 Arena
Quake 3 Arena Point Release 1.32
QuickTime
RCT3 Soaked
REALTEK GbE & FE Ethernet PCI-E NIC Driver
S4 League_EU
SAMSUNG USB Driver for Mobile Phone VS 2.0.0
SamsungSimpleDL
SpeedFan (remove only)
Starcraft
Starcraft II Beta
Steam
Super © Version 2010.bld.31 (Jan 2, 2010)
TeamViewer 5
TuneUp Utilities 2009
Tweak UI
Ventrilo Client
VIA Platform Device Manager
VMware Workstation
Wild Tangent - Fate
WildGames
Winamp
Winamp Detector Plug-in
Windows Internet Explorer 8
Windows Live Essentials
Windows Live ID Sign-in assistant
Windows Live Update Tool
WinRAR Archiver


The following is my HijackThis log:

CODE
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:07:40 AM, on 7/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\hijack\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\asdfgasdf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Riot\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Extract Flash Video with Bytescout... - {15BE481B-4180-45D2-9C41-342FBA314225} - C:\Program Files\Bytescout SWF To Video Scout\flashextract_ie.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267149549906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272116621890
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A6E0BF7-900C-4971-B367-94B652565501}: NameServer = 93.188.162.62,93.188.161.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E7EF40-B4F5-4AA3-85AB-D9214B170304}: NameServer = 93.188.162.62,93.188.161.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8819D0-1D10-4DB4-9124-50853459CF22}: NameServer = 93.188.162.62,93.188.161.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.62,93.188.161.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A6E0BF7-900C-4971-B367-94B652565501}: NameServer = 93.188.162.62,93.188.161.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.62,93.188.161.202
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 11586 bytes


The following is my SDFix log:


CODE
SDFix: Version 1.240
Run by Riot on Tue 07/06/2010 at 12:55 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\Documents and Settings\Riot\Local Settings\Temp\NEW30E.tmp.exe - Deleted





Removing Temp Files

ADS Check:



Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 01:03:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0c,39,89,bf,15,0c,bc,99,ad,85,b0,2d,da,de,3a,b8,61,10,a3,2d,12,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0c,39,89,bf,15,0c,bc,99,ad,85,b0,2d,da,de,3a,b8,61,10,a3,2d,12,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6BBAC473-7C9E-AF8D-50C3-DFC0AF940C67}]
"oainodldghgncnefodhfeacheoamne"=hex:64,61,64,70,66,6f,67,6a,00,85
"oaeicghacgplhlphnmfilglahilhif"=hex:6a,61,64,70,66,6f,66,6b,6a,6a,61,65,6c,68,70,6a,70,6c,64,65,00,..
"nagiipbfkbenphgfpofmpkbeiiib"=hex:6a,61,64,70,66,6f,66,6b,6a,6a,61,65,6c,68,70,6a,70,6c,64,65,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"="C:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe:*:Enabled:Dragon Age Origins Game"
"C:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"="C:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Launcher"
"C:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"="C:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater"
"C:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"="C:\\Program Files\\StarCraft II Beta\\StarCraft II.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\StarCraft II Beta\\Versions\\Base13891\\SC2.exe"="C:\\Program Files\\StarCraft II Beta\\Versions\\Base13891\\SC2.exe:*:Enabled:StarCraft II"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\\WINDOWS\\Temp\\~os2.tmp\\rlvknlg.exe"="C:\\WINDOWS\\Temp\\~os2.tmp\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\KVIrc\\kvirc.exe"="C:\\Program Files\\KVIrc\\kvirc.exe:*:Enabled:K Visual IRC Client Executable"
"C:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"="C:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"="C:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe:*:Enabled:Wowd"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"H:\\xampplite\\apache\\bin\\httpd.exe"="H:\\xampplite\\apache\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"H:\\xampplite\\mysql\\bin\\mysqld.exe"="H:\\xampplite\\mysql\\bin\\mysqld.exe:*:Enabled:The MySQL Server"
"L:\\xampplite\\mysql\\bin\\mysqld.exe"="L:\\xampplite\\mysql\\bin\\mysqld.exe:*:Enabled:The MySQL Server"
"L:\\xampplite\\apache\\bin\\httpd.exe"="L:\\xampplite\\apache\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"="C:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe:*:Enabled:VMware Authd"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"F:\\xampplite\\mysql\\bin\\mysqld.exe"="F:\\xampplite\\mysql\\bin\\mysqld.exe:*:Enabled:The MySQL Server"
"F:\\xampplite\\apache\\bin\\httpd.exe"="F:\\xampplite\\apache\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Quake III Arena\\quake3.exe"="C:\\Program Files\\Quake III Arena\\quake3.exe:*:Enabled:quake3"
"C:\\Program Files\\UnrealTournament\\System\\UnrealTournament.exe"="C:\\Program Files\\UnrealTournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:spoolsv.exe"
"C:\\Documents and Settings\\Riot\\Desktop\\android-sdk-windows\\eclipse\\eclipse.exe"="C:\\Documents and Settings\\Riot\\Desktop\\android-sdk-windows\\eclipse\\eclipse.exe:*:Enabled:eclipse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun  8 Mar 2009       638,816 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed  3 May 2006       163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007        31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Sun 16 Mar 2008       216,064 ..SHR --- "C:\WINDOWS\system32\nbDX.dll"
Sun 26 Jun 2005       616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005        45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Thu 22 Apr 2010        90,624 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Tue  4 Jun 2002        84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue  4 Jun 2002        44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon  9 Dec 2002        73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon  9 Dec 2002        65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun  9 Jun 2002        36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue  4 Jun 2002        20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon  9 Dec 2002       102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon  9 Dec 2002       176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon  9 Dec 2002       208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon  9 Dec 2002       217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun  9 Jun 2002        40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat  3 Nov 2001       225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001       225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004       232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun  9 Jun 2002       525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon  9 Dec 2002       245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon  9 Dec 2002        45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon  9 Dec 2002        98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon  9 Dec 2002        94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon  9 Dec 2002        90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon  9 Dec 2002       102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun  9 Jun 2002        49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Thu 20 Mar 2008         5,632 ..SHR --- "C:\Program Files\eRightSoft\SUPER\spk\1stRun.exe"
Mon 12 Feb 2007     3,096,576 A..H. --- "C:\Documents and Settings\Riot\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


The following are all my Malwarebytes logs from the last few days:

CODE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/1/2010 10:57:37 AM
mbam-log-2010-07-01 (10-57-37).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 262154
Time elapsed: 2 hour(s), 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a6e0bf7-900c-4971-b367-94b652565501}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73e7ef40-b4f5-4aa3-85ab-d9214b170304}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73e7ef40-b4f5-4aa3-85ab-d9214b170304}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eb8819d0-1d10-4db4-9124-50853459cf22}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eb8819d0-1d10-4db4-9124-50853459cf22}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


------------------------------------------

CODE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4264

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/2/2010 12:37:32 AM
mbam-log-2010-07-02 (00-37-32).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 271352
Time elapsed: 55 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Riot\Local Settings\Temp\Ktl.exe (Trojan.FraudPack) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\QNB2EB90WX (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\mozillaps.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qnb2eb90wx (Trojan.FraudPack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Riot\Local Settings\Temp\Ktl.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Riot\Desktop\luna bleep\luna online\guides\Sothink SWF Quicker v5.0 Build 501 Portable\Portable Sothink SWF Quicker v5.0 Build 501.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Riot\Local Settings\Application Data\Mozilla\Firefox\Profiles\5brbl82x.default\Cache\55EA6413d01 (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Riot\Local Settings\Application Data\Mozilla\Firefox\Profiles\5brbl82x.default\Cache\B90D9D1Cd01 (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Riot\Local Settings\Temp\Ktk.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\WINDOWS\Kmawea.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Quarantined and deleted successfully.


------------------------------------------

CODE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4276

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/5/2010 11:03:01 AM
mbam-log-2010-07-05 (11-03-01).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 280516
Time elapsed: 3 hour(s), 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a6e0bf7-900c-4971-b367-94b652565501}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73e7ef40-b4f5-4aa3-85ab-d9214b170304}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73e7ef40-b4f5-4aa3-85ab-d9214b170304}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eb8819d0-1d10-4db4-9124-50853459cf22}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eb8819d0-1d10-4db4-9124-50853459cf22}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.



Thank You for all the time and effort you guys spend helping others!!!



-- Riot

P.S. I bookmarked this page on my phone and will periodically check it, awaiting further instructions from the pros; until then my computer will be disconnected from the internet and shut down while I'm away.

Edited by riot, 06 July 2010 - 02:24 AM.
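Editor's added example (not part of the thread, and not code the poster or the BleepingComputer helpers ran). The three logs above agree on one indicator that accounts for the symptom of being unable to reach malware-removal sites: every Malwarebytes scan removes NameServer values of 93.188.162.62,93.188.161.202 (Trojan.DNSChanger) from Tcpip\Parameters and from each interface GUID, yet the HijackThis log taken the next day shows the same resolvers back under both CCS (CurrentControlSet) and CS1 (ControlSet001), and the Malwarebytes log shows them in DhcpNameServer as well. Since the other computers in the house resolve normally, the router is the less likely source; a component still on the machine re-applying the values fits better, and even without it a "Last Known Good" boot would restore the ControlSet001 copy. The SDFix firewall export also carries Enabled exceptions for executables in user-writable temp directories (C:\WINDOWS\Temp\~os2.tmp\rlvknlg.exe and the launch4j-tmp wowd.exe), which are worth checking before anything else in that list. The Python script below parses those three line formats, using samples copied from the logs, and flags the entries. The expected resolver (192.168.1.1) is an assumption standing in for whatever a clean machine on the same LAN gets from DHCP; the 93.188.160.0/21 range is included as a known-bad check because it was among the rogue resolver ranges published in the later DNSChanger (Operation Ghost Click) takedown, which the page itself does not mention.

```python
"""Triage the DNS-changer and firewall-exception indicators in the logs above.

Added example for this thread, not code from the original post or from the
tools it mentions. It parses three line formats copied from the logs:

  * HijackThis "O17" lines (NameServer per ControlSet and per interface GUID)
  * Malwarebytes "Registry Data Items Infected" Trojan.DNSChanger lines
  * SDFix "Authorized Application Key Export" firewall exception lines

and reports which registry locations carry unexpected resolvers, which
ControlSets are affected, and which firewall exceptions point at executables
in user-writable temp directories.
"""
import ipaddress
import re

# ASSUMPTION: resolvers a clean machine on the same LAN gets from DHCP.
# The post only says other computers in the house can reach the sites.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Known-bad range (not stated on the page): 93.188.160.0/21 was among the
# rogue resolver ranges published in the later DNSChanger takedown.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("93.188.160.0/21")]

# Path fragments that mark directories any user, and hence any dropper, can write to.
TEMP_PATH_MARKERS = ("\\temp\\", "\\local settings\\", "launch4j-tmp")

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+): NameServer = (?P<ips>[\d.,]+)$")
MBAM_DNS_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\\S+) \(Trojan\.DNSChanger\) -> Data: (?P<ips>[\d.,]+)"
)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"="[^"]+:\*:(?P<state>\w+):(?P<name>[^"]*)"$')
CONTROLSET_RE = re.compile(r"\\(CurrentControlSet|CCS|ControlSet\d+|CS\d+)\\")

# Constructed sample: lines copied from the HijackThis, Malwarebytes and SDFix logs in the post.
SAMPLE_LOG_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0A6E0BF7-900C-4971-B367-94B652565501}: NameServer = 93.188.162.62,93.188.161.202",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.62,93.188.161.202",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.62,93.188.161.202",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73e7ef40-b4f5-4aa3-85ab-d9214b170304}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.62,93.188.161.202 -> Quarantined and deleted successfully.",
    r'"C:\\WINDOWS\\Temp\\~os2.tmp\\rlvknlg.exe"="C:\\WINDOWS\\Temp\\~os2.tmp\\rlvknlg.exe:*:Enabled:rlvknlg.exe"',
    r'"C:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"="C:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe:*:Enabled:Wowd"',
    r'"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"',
]


def classify_resolver(ip):
    """'expected', 'known-rogue' or 'unexpected' for one resolver address."""
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_ROGUE_RANGES):
        return "known-rogue"
    return "unexpected"


def rogue_nameserver_keys(lines):
    """Map each registry key that sets an unexpected resolver to the offending addresses."""
    findings = {}
    for line in lines:
        m = O17_RE.match(line) or MBAM_DNS_RE.match(line)
        if not m:
            continue
        bad = [ip for ip in m.group("ips").split(",") if classify_resolver(ip) != "expected"]
        if bad:
            findings[m.group("key")] = bad
    return findings


def control_sets_touched(keys):
    """Normalised names of every ControlSet that carries a flagged key.

    ControlSet00N is the 'Last Known Good' copy: fixing only CurrentControlSet
    leaves a hijacked copy that an LKG boot silently restores.
    """
    names = set()
    for key in keys:
        m = CONTROLSET_RE.search(key)
        if not m:
            continue
        name = m.group(1)
        if name == "CCS":
            name = "CurrentControlSet"
        elif name.startswith("CS"):
            name = "ControlSet" + name[2:].zfill(3)
        names.add(name)
    return names


def temp_dir_firewall_exceptions(lines):
    """Enabled Windows Firewall exceptions whose executable lives in a temp directory."""
    hits = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").replace("\\\\", "\\")  # the export doubles backslashes
        if m.group("state").lower() == "enabled" and any(mk in path.lower() for mk in TEMP_PATH_MARKERS):
            hits.append(path)
    return hits


if __name__ == "__main__":
    findings = rogue_nameserver_keys(SAMPLE_LOG_LINES)
    for key, ips in findings.items():
        print(f"{key}: {', '.join(f'{ip} ({classify_resolver(ip)})' for ip in ips)}")
    print("ControlSets affected:", ", ".join(sorted(control_sets_touched(findings))))
    for path in temp_dir_firewall_exceptions(SAMPLE_LOG_LINES):
        print("firewall exception in temp dir:", path)
```

Run as-is it prints the four hijacked keys, the two ControlSets they span, and the two temp-directory firewall exceptions. On the actual machine the same checks would be made against the live registry (reg query on each ControlSet's Services\Tcpip\Parameters and its Interfaces\{GUID} subkeys, for both NameServer and DhcpNameServer) rather than against log text, and after cleaning, ipconfig /flushdns followed by ipconfig /all should list only the router's resolvers.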



#2 riot
  • Topic Starter
  • Members
  • 2 posts

Posted 08 July 2010 - 03:39 AM

Well, I got it figured out...

no thanks to any one of you >.<

This post was just a pointless waste of time; thanks for all the damn help.

Hundreds of topics were replied to before mine, just ridiculous. It would have been nice to get a reply... even if it was to say "I don't know."



#3 Budapest
  • Bleepin' Cynic
  • Moderator
  • 23,573 posts

Posted 08 July 2010 - 06:02 PM

You need to be more patient. There are over 160 unanswered topics in this forum at present (with more than 20 people who posted before you) and the current average wait time to receive help is 4 days. You need to remember that the people who assist on this forum are all unpaid volunteers.

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



