Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help removing annoying malware popups [RESOLVED]


  • This topic is locked This topic is locked

#1
marlagx

marlagx

    Member

  • Member
  • PipPip
  • 34 posts
I purchased a used pc from a friend and it has been giving me problems with malware popups when I go online. Such as ( em.pc-on-internet, deucleaneronline, scanner2.malware-scan) have been popping up every few minutes while I am online wanting me to download their spyware removal programs. I do not have much experience with computers , so please bare with me. I downloaded required updates from Microsoft. I have read the required steps that must be completed before posting this Hijackthis log. I have deleted temporary and internet files. I have scanned with Superanti Spyware multiple times but it has been only finding tracking cookies. I have tried to scan with Panda active online scanner but am unable to complete download?. I have scanned with Avast but nothing is found and also it shows a log page of many items that cannot be scanned?. I scanned with Hijack this, please tell me what I need to fix, thank you:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:37 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Prince of Persia The Sands of Time\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: KenoPop! by pogo - http://game3.pogo.co...dkeno-en_US.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.co...ty4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://us2-scripts.d..._1073_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HEH
O17 - HKLM\Software\..\Telephony: DomainName = HEH
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A67EF18-1627-4B59-8E01-DCA48074082B}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HEH
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://us.f524.mail....e...ead=b&Idx=0

--
End of file - 6487 bytes
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello marlagx

Welcome to G2Go. :)
=====================
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#3
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
SmitFraudFix v2.294

Scan done at 23:05:39.68, Fri 02/22/2008
Run from C:\Documents and Settings\Owner\My Documents\My Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system32\cxrcsyq.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://us.f524.mail....a&head=b&Idx=0"
"SubscribedURL"="http://us.f524.mail....a&head=b&Idx=0"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{68399839-845F-4070-95AC-E0633DD6EA48}: DhcpNameServer=24.217.0.55 24.217.0.5 24.217.1.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{68399839-845F-4070-95AC-E0633DD6EA48}: DhcpNameServer=24.217.0.55 24.217.0.5 24.217.1.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{68399839-845F-4070-95AC-E0633DD6EA48}: DhcpNameServer=24.217.0.55 24.217.0.5 24.217.1.162


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download the HostsXpert 4.2 - Hosts File Manager Here
Unzip HostsXpert 4.2 - Hosts File Manager to your desktop

Open up the HostsXpert 4.2 - Hosts File Manager program.
  • Click on Make Writable at the top left hand corner.
  • Then click on Restore MS Hosts File
  • then click on Make Host File read only
  • close program
===================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#5
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
I downloaded HostXpert 4.2, and followed directions with no problems. I downloaded Deckards System Scanner and I believe I closed all windows but am unsure exactly what that envolves. ( I signed out of my MSN internet provider before continuing with the Deckards System Scanner, but if I was suppose to close windows differently please let me know) Much appreciated for all the help so far. I still have popups.



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 766.48 MiB / 447.33 MiB
Pagefile Memory (total/avail): 1108.13 MiB / 836.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.71 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 27.91 GiB total, 20.62 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD300BB-75DEA0 - 27.94 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 27.91 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

AV: avast! antivirus 4.7.1098 [VPS 080222-0] v4.7.1098 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Sierra\\SWAT3TGOTYDemo\\swat.exe"="C:\\Sierra\\SWAT3TGOTYDemo\\swat.exe:*:Enabled:Swat 3 : Close Quarters Battle"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\m,m,nmn,\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\m,m,nmn,\\Gunz\\GunzLauncher.exe:*:Enabled:NewApp MFC ?? ????"
"C:\\Program Files\\m,m,nmn,\\Gunz\\Gunz.exe"="C:\\Program Files\\m,m,nmn,\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:NewApp MFC ?? ????"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Documents and Settings\\Owner\\Desktop\\c3po_2.02b\\Diablo II.exe"="C:\\Documents and Settings\\Owner\\Desktop\\c3po_2.02b\\Diablo II.exe:*:Disabled:Diablo II"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"="C:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\Owner\\My Documents\\New Folder\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Owner\\My Documents\\New Folder\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GOSSAUX
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\GOSSAUX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=GOSSAUX
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Chameleon Mega Camera Driver --> C:\WINDOWS\unsp1drv.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Homeschool Tracker Basic --> MsiExec.exe /I{AD528602-C32D-4E9B-A5A5-609F2A186808}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Micro Innovations Internet Access Elite Keyboard --> C:\WINDOWS\UnInst32.exe KEMailKb.UNI
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}
nature_3120380 Screen Saver --> C:\WINDOWS\system32\nature_3120380.scr /u
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Railroad Tycoon II - Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BED27751-CD2A-4C2F-9813-00B9B60C76FE}\setup.exe" -l0x9
SimCity 4 Deluxe --> C:\Program Files\Maxis\SimCity 4 Deluxe\EAUninstall.exe
Snes9x --> C:\WINDOWS\iun3405.exe C:\Program Files\Snes9x
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1250 / Warning
Event Submitted/Written: 02/23/2008 07:23:07 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1249 / Error
Event Submitted/Written: 02/23/2008 07:08:58 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application avast.setup, version 4.7.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000105f8.
Processing media-specific event for [avast.setup!ws!]

Event Record #/Type1246 / Warning
Event Submitted/Written: 02/23/2008 02:57:42 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1244 / Error
Event Submitted/Written: 02/23/2008 02:22:21 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80072ee2, P2 endsearch, P3 search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type1241 / Warning
Event Submitted/Written: 02/22/2008 08:15:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25269 / Warning
Event Submitted/Written: 02/23/2008 09:50:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GOSSAUX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GOSSAUX27 can't undo changes that you allow.

For more information please see the following:
%GOSSAUX275

Scan ID: {4B35D356-7CC7-4345-977E-A69123E0D74E}

User: GOSSAUX\Owner

Name: %GOSSAUX271

ID: %GOSSAUX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GOSSAUX276

Alert Type: %GOSSAUX278

Detection Type: 1.1.1593.02

Event Record #/Type25268 / Warning
Event Submitted/Written: 02/23/2008 09:50:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GOSSAUX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GOSSAUX27 can't undo changes that you allow.

For more information please see the following:
%GOSSAUX275

Scan ID: {57D83857-1414-4A9C-AC04-A4BC1F94C329}

User: GOSSAUX\Owner

Name: %GOSSAUX271

ID: %GOSSAUX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GOSSAUX276

Alert Type: %GOSSAUX278

Detection Type: 1.1.1593.02

Event Record #/Type25267 / Warning
Event Submitted/Written: 02/23/2008 09:50:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GOSSAUX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GOSSAUX27 can't undo changes that you allow.

For more information please see the following:
%GOSSAUX275

Scan ID: {A5B0B12B-EF44-4146-BCB9-6BDF22FE87AD}

User: GOSSAUX\Owner

Name: %GOSSAUX271

ID: %GOSSAUX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GOSSAUX276

Alert Type: %GOSSAUX278

Detection Type: 1.1.1593.02

Event Record #/Type25266 / Warning
Event Submitted/Written: 02/23/2008 09:50:31 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GOSSAUX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GOSSAUX27 can't undo changes that you allow.

For more information please see the following:
%GOSSAUX275

Scan ID: {4093105B-CA75-4B09-8131-E1CF36DA94CC}

User: GOSSAUX\Owner

Name: %GOSSAUX271

ID: %GOSSAUX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GOSSAUX276

Alert Type: %GOSSAUX278

Detection Type: 1.1.1593.02

Event Record #/Type25265 / Warning
Event Submitted/Written: 02/23/2008 09:50:31 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GOSSAUX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GOSSAUX27 can't undo changes that you allow.

For more information please see the following:
%GOSSAUX275

Scan ID: {C21DD186-C074-45DB-8D87-A80FEB3117F5}

User: GOSSAUX\Owner

Name: %GOSSAUX271

ID: %GOSSAUX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GOSSAUX276

Alert Type: %GOSSAUX278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-02-23 09:51:17 ------------



Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-23 09:49:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-02-23 15:49:07 UTC - RP853 - Deckard's System Scanner Restore Point
15: 2008-02-22 21:16:03 UTC - RP852 - Software Distribution Service 3.0
14: 2008-02-22 19:28:01 UTC - RP851 - Installed Windows Defender
13: 2008-02-22 19:25:09 UTC - RP850 - Removed Windows Defender
12: 2008-02-22 19:19:46 UTC - RP849 - Installed Windows Defender


-- First Restore Point --
1: 2008-02-14 23:17:38 UTC - RP838 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:24 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Documents and Settings\Owner\My Documents\My Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [cxrcsyq] c:\windows\system32\cxrcsyq.exe cxrcsyq
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Prince of Persia The Sands of Time\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: KenoPop! by pogo - http://game3.pogo.co...dkeno-en_US.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.co...ty4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://us2-scripts.d..._1073_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HEH
O17 - HKLM\Software\..\Telephony: DomainName = HEH
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HEH
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://us.f524.mail....e...ead=b&Idx=0

--
End of file - 5737 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek Keyboard Filter>

S1 StarPortLite (StarPort Storage Controller (Lite)) - c:\windows\system32\drivers\starportlite.sys (file missing)
S2 P1100C_CT_CDI (Creative PD1100C HAL Service) - c:\windows\system32\drivers\p1100ccd.sys (file missing)
S2 PfModNT - c:\windows\system32\pfmodnt.sys (file missing)
S3 ADSFilter (ADSFilter - (Aluria Filter Driver)) - c:\windows\system32\drivers\adsfilter.sys (file missing)
S3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys (file missing)
S3 lac97inf - c:\docume~1\owner\locals~1\temp\lac97inf.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&1A671D0C&0&48F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&1A671D0C&0&48F0
Service:

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: StarPort Storage Controller (Lite)
Device ID: ROOT\SCSIADAPTER\0000
Manufacturer: Rocket Division Software
Name: StarPort Storage Controller (Lite)
PNP Device ID: ROOT\SCSIADAPTER\0000
Service: StarPortLite


-- Scheduled Tasks -------------------------------------------------------------

2008-02-23 08:04:37 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-22 23:05:57 2204 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-22 23:03:43 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-22 23:03:43 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-22 23:03:43 86016 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-22 23:03:43 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-22 23:03:43 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 23:03:42 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-22 23:03:42 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-22 17:47:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 13:28:03 0 d-------- C:\Program Files\Windows Defender
2008-02-22 12:47:26 0 d-------- C:\!KillBox
2008-02-21 19:16:18 0 d-------- C:\Program Files\Trend Micro
2008-02-20 13:45:10 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-20 13:45:10 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-18 14:07:13 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 17:02:59 0 d-------- C:\Program Files\InterActual
2008-02-15 18:10:56 0 d-------- C:\Program Files\Railroad Tycoon II - Platinum
2008-02-15 12:50:28 0 d-------- C:\WINDOWS\pss
2008-02-15 09:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\TGHomeSoft
2008-02-15 09:20:51 0 d-------- C:\Program Files\TGHome
2008-02-14 17:06:55 0 d-------- C:\Program Files\Java
2008-02-14 13:11:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 09:40:38 94694 --a------ C:\WINDOWS\system32\uamhxaxvp.exe
2008-01-29 02:29:20 21696 --a------ C:\WINDOWS\system32\dgpibqg.exe
2008-01-23 22:11:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-02-23 09:30:07 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-02-22 21:01:06 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-18 13:25:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 18:10:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-15 11:19:45 0 d-------- C:\Program Files\NCH Swift Sound
2008-02-14 10:05:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-23 22:11:03 0 d-------- C:\Program Files\Google
2008-01-18 17:44:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-01-11 16:30:32 0 d-------- C:\Program Files\Common Files
2008-01-11 16:17:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Atari
2008-01-06 18:13:59 0 d-------- C:\Program Files\EasyZip
2008-01-02 15:59:22 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 23:27:01 520192 --a------ C:\WINDOWS\system32\nature_3120380.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 06:59 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 06:59 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 08:57 AM]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [08/09/2005 02:27 AM]
"P17Helper"="P17.dll" [05/02/2005 09:38 PM C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"cxrcsyq"="c:\windows\system32\cxrcsyq.exe" [02/15/2008 12:13 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/14/2005 08:05 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 11:55 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 11:41 AM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\RunGame.exe




-- End of Deckard's System Scanner: finished at 2008-02-23 09:51:17 ------------
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#7
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
ComboFix 08-02-23.2 - Owner 2008-02-23 10:39:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.419 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\livestream
C:\Program Files\livestream\img\p2e_1_3.bmp
C:\Program Files\livestream\img\p2e_2_3.bmp
C:\Program Files\livestream\img\p2e_3_3.bmp
C:\Program Files\livestream\img\p2e_go_3.bmp
C:\Program Files\livestream\img\p2e_logo_2.bmp
C:\Program Files\livestream\p2e\p2e_1.206.1.htm
C:\Program Files\livestream\p2e\p2eredir.htm
C:\riched32.dll
C:\WINDOWS\Downloaded Program Files\syswbsvc32.inf
C:\WINDOWS\system32\cxrcsyq.dat
c:\windows\system32\cxrcsyq.exe
C:\WINDOWS\system32\cxrcsyq_nav.dat
c:\WINDOWS\system32\cxrcsyq_navps.dat
C:\WINDOWS\tmlpcert2007

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 09:48 . 2008-02-23 09:48 <DIR> d-------- C:\Deckard
2008-02-22 23:05 . 2008-02-22 23:30 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-22 23:03 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-22 23:03 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-22 23:03 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-22 23:03 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-22 23:03 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-22 23:03 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 23:03 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-22 17:48 . 2008-02-22 17:59 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 17:48 . 2008-02-22 17:59 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 17:47 . 2008-02-22 18:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 17:47 . 2008-02-22 17:59 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 13:28 . 2008-02-22 13:28 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-21 19:16 . 2008-02-21 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 13:45 . 2004-07-03 07:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-20 13:45 . 2004-07-03 08:08 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-20 13:45 . 2004-09-06 03:06 53,248 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-18 14:07 . 2008-02-18 14:07 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 18:42 . 2008-02-16 18:42 0 --a------ C:\WINDOWS\iplayer.INI
2008-02-16 17:02 . 2008-02-16 17:03 <DIR> d-------- C:\Program Files\InterActual
2008-02-15 18:10 . 2008-02-15 18:13 <DIR> d-------- C:\Program Files\Railroad Tycoon II - Platinum
2008-02-15 11:59 . 2008-02-15 18:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-15 09:21 . 2008-02-15 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TGHomeSoft
2008-02-15 09:20 . 2008-02-15 09:20 <DIR> d-------- C:\Program Files\TGHome
2008-02-14 17:07 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-14 17:06 . 2008-02-14 17:07 <DIR> d-------- C:\Program Files\Java
2008-02-14 13:11 . 2008-02-18 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 09:40 . 2008-02-14 09:40 94,694 --a------ C:\WINDOWS\system32\uamhxaxvp.exe
2008-01-29 02:29 . 2008-01-29 02:29 21,696 --a------ C:\WINDOWS\system32\dgpibqg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 16:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-02-23 03:01 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-18 19:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 17:19 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-14 21:45 2,416,141 ----a-w C:\WINDOWS\java\Packages\8Y4VZNNX.ZIP
2008-02-14 16:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-24 17:13 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 04:11 --------- d-----w C:\Program Files\Google
2008-01-18 23:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-01-11 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-11 16:30 5,744,908 ----a-w C:\WINDOWS\java\Packages\LZJFZVDN.ZIP
2008-01-07 00:13 --------- d-----w C:\Program Files\EasyZip
2008-01-02 21:59 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-02 05:27 520,192 ----a-w C:\WINDOWS\system32\nature_3120380.scr
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-13 20:39 18,216 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-06-14 08:05 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 06:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 06:59 126976]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 08:57 133016]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 02:27 401408]
"P17Helper"="P17.dll" [2005-05-02 21:38 64512 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 11:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Sierra\\SWAT3TGOTYDemo\\swat.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\m,m,nmn,\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\m,m,nmn,\\Gunz\\Gunz.exe"=
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\c3po_2.02b\\Diablo II.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\New Folder\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S1 StarPortLite;StarPort Storage Controller (Lite);C:\WINDOWS\system32\DRIVERS\StarPortLite.sys []
S2 P1100C_CT_CDI;Creative PD1100C HAL Service;C:\WINDOWS\system32\DRIVERS\P1100cCd.sys []
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-04 21:21]
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\system32\Drivers\Bulk503.sys [2001-10-14 21:45]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\system32\Drivers\ISO503.SYS [2002-04-08 19:49]
S3 lac97inf;lac97inf;C:\DOCUME~1\Owner\LOCALS~1\Temp\lac97inf.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\RunGame.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 14:04:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 10:41:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 10:42:32
ComboFix-quarantined-files.txt 2008-02-23 16:42:15
.
2008-02-15 06:33:13 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:34 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Prince of Persia The Sands of Time\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: KenoPop! by pogo - http://game3.pogo.co...dkeno-en_US.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.co...ty4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://us2-scripts.d..._1073_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HEH
O17 - HKLM\Software\..\Telephony: DomainName = HEH
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A67EF18-1627-4B59-8E01-DCA48074082B}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HEH
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://us.f524.mail....e...ead=b&Idx=0

--
End of file - 6224 bytes
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
===================================
Then:
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\uamhxaxvp.exe
C:\WINDOWS\system32\dgpibqg.exe
E:\RunGame.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
ComboFix 08-02-23.2 - Owner 2008-02-23 12:02:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.474 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\dgpibqg.exe
C:\WINDOWS\system32\uamhxaxvp.exe
E:\RunGame.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dgpibqg.exe
C:\WINDOWS\system32\uamhxaxvp.exe
E:\RunGame.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 09:48 . 2008-02-23 09:48 <DIR> d-------- C:\Deckard
2008-02-22 23:05 . 2008-02-22 23:30 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-22 23:03 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-22 23:03 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-22 23:03 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-22 23:03 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-22 23:03 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-22 23:03 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-22 23:03 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-22 17:48 . 2008-02-22 17:59 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 17:48 . 2008-02-22 17:59 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-22 17:47 . 2008-02-22 18:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 17:47 . 2008-02-22 17:59 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 13:28 . 2008-02-22 13:28 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-21 19:16 . 2008-02-21 19:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 13:45 . 2004-07-03 07:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-20 13:45 . 2004-07-03 08:08 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-20 13:45 . 2004-09-06 03:06 53,248 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-18 14:07 . 2008-02-18 14:07 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 18:42 . 2008-02-16 18:42 0 --a------ C:\WINDOWS\iplayer.INI
2008-02-16 17:02 . 2008-02-16 17:03 <DIR> d-------- C:\Program Files\InterActual
2008-02-15 18:10 . 2008-02-15 18:13 <DIR> d-------- C:\Program Files\Railroad Tycoon II - Platinum
2008-02-15 11:59 . 2008-02-15 18:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-15 09:21 . 2008-02-15 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TGHomeSoft
2008-02-15 09:20 . 2008-02-15 09:20 <DIR> d-------- C:\Program Files\TGHome
2008-02-14 17:07 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-14 17:06 . 2008-02-14 17:07 <DIR> d-------- C:\Program Files\Java
2008-02-14 13:11 . 2008-02-18 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 17:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-02-23 03:01 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-18 19:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 17:19 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-14 16:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-24 17:13 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 04:11 --------- d-----w C:\Program Files\Google
2008-01-18 23:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-01-11 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-07 00:13 --------- d-----w C:\Program Files\EasyZip
2007-09-13 20:39 18,216 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-06-14 08:05 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 06:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 06:59 126976]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 08:57 133016]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 02:27 401408]
"P17Helper"="P17.dll" [2005-05-02 21:38 64512 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 11:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Sierra\\SWAT3TGOTYDemo\\swat.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\m,m,nmn,\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\m,m,nmn,\\Gunz\\Gunz.exe"=
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\c3po_2.02b\\Diablo II.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135968032\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\New Folder\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S1 StarPortLite;StarPort Storage Controller (Lite);C:\WINDOWS\system32\DRIVERS\StarPortLite.sys []
S2 P1100C_CT_CDI;Creative PD1100C HAL Service;C:\WINDOWS\system32\DRIVERS\P1100cCd.sys []
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-04 21:21]
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\system32\Drivers\Bulk503.sys [2001-10-14 21:45]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\system32\Drivers\ISO503.SYS [2002-04-08 19:49]
S3 lac97inf;lac97inf;C:\DOCUME~1\Owner\LOCALS~1\Temp\lac97inf.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\RunGame.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 18:10:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 12:08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-23 12:11:55 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-02-23 18:11:39
ComboFix2.txt 2008-02-23 16:42:33
.
2008-02-15 06:33:13 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:16 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Prince of Persia The Sands of Time\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: KenoPop! by pogo - http://game3.pogo.co...dkeno-en_US.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.co...ty4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://us2-scripts.d..._1073_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HEH
O17 - HKLM\Software\..\Telephony: DomainName = HEH
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HEH
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://us.f524.mail....e...ead=b&Idx=0

--
End of file - 5531 bytes
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

E:\RunGame.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

Advertisements


#11
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
File RunGame.exe received on 02.23.2008 19:31:08 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.22 -
Authentium 4.93.8 2008.02.23 -
Avast 4.7.1098.0 2008.02.22 -
AVG 7.5.0.516 2008.02.22 -
BitDefender 7.2 2008.02.23 -
CAT-QuickHeal 9.50 2008.02.22 -
ClamAV 0.92.1 2008.02.23 -
DrWeb 4.44.0.09170 2008.02.23 -
eSafe 7.0.15.0 2008.02.21 -
eTrust-Vet 31.3.5557 2008.02.23 -
Ewido 4.0 2008.02.23 -
FileAdvisor 1 2008.02.23 -
Fortinet 3.14.0.0 2008.02.23 -
F-Prot 4.4.2.54 2008.02.22 -
F-Secure 6.70.13260.0 2008.02.22 -
Ikarus T3.1.1.20 2008.02.23 -
Kaspersky 7.0.0.125 2008.02.23 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.23 -
NOD32v2 2898 2008.02.23 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.23 -
Prevx1 V2 2008.02.23 -
Rising 20.32.52.00 2008.02.23 -
Sophos 4.26.0 2008.02.23 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.23 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.23 -
Webwasher-Gateway 6.6.2 2008.02.23 -
Additional information
File size: 147456 bytes
MD5: bb6f091662da5be51c89568f4ade3c42
SHA1: be90953db55f0918ca8bd8681f7588d3e9dffe5c
PEiD: -
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    E:\RunGame.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
==================================================
Post the OTMove it 2 log the Malwarebytes and a new Hijackthis log.
  • 0

#13
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
To:E:\\RunGame.exe;From:C:\_OTMoveIt\MovedFiles\02232008_145224\C:\\_OTMoveIt\\MovedFiles\\02232008_145224\\RunGame.exe


Malwarebytes' Anti-Malware 1.05
Database version: 397

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 56730
Time elapsed: 15 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UGES_0001_N122M2111NetInstaller.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:38 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Prince of Persia The Sands of Time\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: KenoPop! by pogo - http://game3.pogo.co...dkeno-en_US.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.co...ty4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://us2-scripts.d..._1073_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HEH
O17 - HKLM\Software\..\Telephony: DomainName = HEH
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HEH
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://us.f524.mail....e...ead=b&Idx=0

--
End of file - 5711 bytes
  • 0

#14
marlagx

marlagx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hi Kahdah, thank you for all the help thus far. I don't know if I have any further steps to accomplish, but so far no popups. I love this site, and am very greatful for you help. :) Thank you! I was wondering if any of the downloads you recommended I should keep on my pc, and which ones I should use for further malware problems, such as; Malwarebyte's Anti-Malware. I also have an older windows 98 that is running terribly slow, which I'll do prerequisite steps and post Hijack logs in another topic. Thanks again
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :) you can keep Malwarebyte's Anti-Malware if you wish but it offers only on demand scanning unless you purchase it.
===========
A little left to go:

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP