When I try to do the Kasper thing it keeps doing the ActiveX control beep thing where you have to click on the flashing bar on top and allow it to install, but when I do that it keeps saying that Windows just flat out won't install it because it can't verify the publisher. Firefox just crashes when I try it in that, but I guess that's why you said run it in IE.
Here's the new ComboFix log though.
Edit: Oh yeah, computer behavior update. One of the error messages from when Windows first boots is gone, and the other disappears by itself immediately. Firefox started working on its own again yesterday, I'm guessing because there was some big update recently and I installed that. Haven't heard the weird sounds either, but I haven't spent as much time on my computer lately. One other thing I should mention, my World of Warcraft account has been hacked twice in the past month, so I'm pretty sure there's a keylogger somewhere, or at least there was.
ComboFix 08-12-06.04 - Owner 2008-12-06 21:27:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1547 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WOWSYSTEMCODE123
-------\Legacy_XDVA037
-------\Legacy_XDVA052
-------\Service_wowsystemcode123
-------\Service_XDva037
-------\Service_XDva052
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-03 03:53 . 2008-12-06 17:05 250 --a------ c:\windows\gmer.ini
2008-12-02 22:00 . 2008-12-02 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 15:59 . 2007-03-07 17:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-02 15:58 . 2008-12-06 13:41 <DIR> d-------- c:\program files\Winamp
2008-12-02 15:58 . 2008-12-06 13:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-01 04:58 . 2008-12-01 04:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\EmailNotifier
2008-11-11 19:02 . 2008-11-11 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-06 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-05 21:02 --------- d-----w c:\program files\FlashGet
2008-12-05 07:00 --------- d-----w c:\program files\Warcraft III
2008-12-03 09:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 21:55 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield Installation Information
2008-11-21 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 00:05 --------- d-----w c:\program files\Steam
2008-11-11 23:10 --------- d-----w c:\program files\Starcraft
2008-11-07 02:17 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-11-07 02:05 --------- d-----w c:\program files\mIRC
2008-11-04 03:34 --------- d-----w c:\program files\QuickTime
2008-11-04 03:34 --------- d-----w c:\program files\Apple Software Update
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-04 02:49 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-02 02:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-02 02:43 --------- d-----w c:\program files\AGEIA Technologies
2008-11-02 02:25 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-11-02 02:07 --------- d-----w c:\documents and settings\Owner\Application Data\HamachiBackup
2008-11-02 02:03 --------- d-----w c:\program files\Hamachi
2008-11-02 02:02 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-02 02:00 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2008-10-14 02:05 94,208 ----a-w c:\windows\ScUnin.exe
2008-10-09 01:03 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
2008-10-07 19:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-05-19 11:54 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-05-19 11:52 103,736 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrB.exe
2006-06-06 05:44 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-09-26 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 185896]
"McRegWiz"="c:\progra~1\mcafee.com\agent\mcregwiz.exe" [2005-06-01 368714]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-03 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - c:\program files\vghd\vghd.exe [2008-09-11 11875648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 692224]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-09-19 884838]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 16:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\bin.dll\\CoD4\\iw3mp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Sega\\Gas Powered Games\\Space Siege Demo\\SpaceSiege.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-09-05 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2007-09-19 362944]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autoplay.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\readit\command - notepad readme.doc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\R]
\Shell\AutoRun\command - R:\autoplay.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7855b9a1-9814-11da-9eba-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3053969-9822-11da-b84e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
2008-12-06 c:\windows\Tasks\At25.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At26.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At27.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At28.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At29.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At30.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At31.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At32.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At33.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At34.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At35.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At36.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At37.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At38.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At39.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At40.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At41.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At43.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At44.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At45.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At46.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At47.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At48.job
- c:\windows\system32\763KIsN3.exe []
2006-05-30 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk -
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT693181&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gamefaqs.com/boards/genmessage.php?board=945075&topic=45164388
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-06 21:29:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\McAfee.com\Agent\mcregwiz.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\program files\McAfee.com\Shared\mghtml.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:32:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 03:32:54
ComboFix2.txt 2008-12-07 03:08:17
Pre-Run: 47,095,734,272 bytes free
Post-Run: 47,079,260,160 bytes free
256