Resolved HJT Threads: Resolved spyware and popup issues.
12-03-2008, 02:32 AM   #1
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Really weird problem with browsers and other things.

First off, Firefox won't respond to any methods to run it (double click, right click-open, etc.). It shows the little hourglass like it's about to, but then nothing happens. Also, whenever my computer is turned on, as soon as Windows starts up, I get a couple of error messages that I can just click exit or ok and they go away. There's also one about "do you want to keep running scripts on this page", like some weird IExplore error message I used to see. Lastly, the weirdest thing. At random, seems to be at night though, I'll start hearing what sounds like a Japanese commercial start playing. It plays the whole thing, then stops, then a minute later it repeats. In my processes, iexplore.exe is running, even though I don't have it open. When I end the process, the sound immediately stops, but it comes back after a minute or two. Also, it says it's taking up about 5 times the RAM that I know iexplore.exe should normally be taking. When I restart my computer, it sometimes stops for a couple of hours, but sometimes it doesn't fix it. This site is my last hope, lol.

One more thing. I tried following the instructions on the first sticky about the logs and stuff, but DDS doesn't come up with another prompt to do the optional scan; it just shows the first one, and the DOS window closes and the Notepad window is up. That's why there's only 1 attached file.


DDS (Version 1.0) - NTFSx86
Run by Owner at 4:15:55.85 on Wed 12/03/2008

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5058
uStart Page = about:blank
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
BHO: {C672F4AB-780B-45C0-BAEC-91F455C86F8D} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
BHO: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MSKAgent.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [McRegWiz] c:\progra~1\mcafee.com\agent\mcregwiz.exe /autorun
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Power2GoExpress] NA
mExplorerRun: [kernel32.dll] c:\windows\system32\atmclk.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - c:\windows\system32\jevtxpg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {05a91164-3c96-47d6-aa74-2c855791b2d0} - c:\windows\system32\ofcukiz.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-03 03:53 250 a------- c:\windows\gmer.ini
2008-12-02 22:00 <DIR> --d----- c:\program files\Trend Micro
2008-12-02 15:59 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-23 23:33 0 a------- c:\windows\1.ini
2008-11-23 23:29 98,304 a------- c:\windows\system32\wow71_724.dll
2008-11-23 23:29 20 a------- c:\windows\syscheck
2008-11-11 19:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard

==================== Find3M ====================

2008-12-03 03:51 <DIR> --d----- c:\program files\FlashGet
2008-12-03 03:49 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2008-12-02 15:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent
2008-11-26 12:14 76,787 a------- c:\windows\War3Unin.dat
2008-11-11 18:05 <DIR> --d----- c:\program files\Steam
2008-11-11 17:10 <DIR> --d----- c:\program files\Starcraft
2008-11-06 20:17 <DIR> --d----- c:\docume~1\owner\applic~1\mIRC
2008-11-06 20:05 <DIR> --d----- c:\program files\mIRC
2008-11-03 20:49 183,120 a------- c:\windows\system32\PnkBstrB.exe
2008-11-01 20:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-01 20:07 <DIR> --d----- c:\docume~1\owner\applic~1\HamachiBackup
2008-11-01 20:03 <DIR> --d----- c:\program files\Hamachi
2008-11-01 20:00 <DIR> --d----- c:\docume~1\owner\applic~1\Red Alert 3
2008-10-13 20:05 32,660 a------- c:\windows\scunin.dat
2008-10-13 20:05 94,208 a------- c:\windows\ScUnin.exe
2008-10-08 19:03 <DIR> --d----- c:\docume~1\owner\applic~1\GarageGames
2008-10-02 10:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-28 02:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GRETECH
2008-09-11 23:54 152,920 a------- c:\windows\system32\vghd.scr
2008-09-11 23:49 <DIR> --d----- c:\docume~1\owner\applic~1\vghd
2008-09-04 09:31 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-08-24 19:15 <DIR> --d----- c:\docume~1\owner\applic~1\Red Alert 3 Beta
2008-08-22 23:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-08-04 21:53 <DIR> --d----- c:\docume~1\owner\applic~1\EmailNotifier
2008-08-04 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2008-08-04 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2008-07-21 18:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonUS
2008-05-19 16:56 <DIR> --d----- c:\docume~1\owner\applic~1\McAfee.com Personal Firewall
2008-05-07 23:11 <DIR> --d----- c:\docume~1\owner\applic~1\DAEMON Tools Pro
2008-05-07 23:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2008-04-22 17:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2008-04-19 17:23 <DIR> --d----- c:\docume~1\owner\applic~1\HTML Executable
2008-04-18 22:20 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire
2008-04-08 18:47 <DIR> --d----- c:\docume~1\owner\applic~1\Nexon
2008-04-02 18:47 <DIR> --d----- c:\docume~1\owner\applic~1\Turbine
2008-04-02 18:27 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo
2008-03-29 17:09 <DIR> --d----- c:\docume~1\owner\applic~1\Acreon
2008-02-18 14:28 <DIR> --d----- c:\docume~1\owner\applic~1\Microsoft Games
2007-11-09 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanWizard
2007-11-09 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2007-11-04 17:36 <DIR> --d----- c:\docume~1\owner\applic~1\Azureus
2007-10-29 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\My The Lord of the Rings, The Rise of the Witch-king Files
2007-03-01 06:57 <DIR> --d----- c:\docume~1\owner\applic~1\Bersirc
2007-01-12 01:53 <DIR> --d----- c:\docume~1\owner\applic~1\LucasArts
2006-11-02 04:30 <DIR> --d----- c:\docume~1\owner\applic~1\IMVU
2006-10-04 13:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com Personal Firewall
2006-06-03 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2006-05-30 20:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2006-05-30 20:33 <DIR> --d----- c:\docume~1\owner\applic~1\AOL
2006-02-07 14:19 <DIR> --d----- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2006-02-07 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-02-07 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2006-02-07 14:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Prism Deploy

============= FINISH: 4:16:03.51 ===============
Attached Files
File Type: txt gmer.txt (27.9 KB, 2 views)
rabidGopher is offline  
12-06-2008, 02:51 AM   #2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy

Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

You do not appear to have just malware issues. There is a possibility of OS corruption. Have you tried System Restore yet? If not, please do that & then post fresh copies of the requested logs.
sUBs is offline  
12-06-2008, 11:54 AM   #3
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

I tried to do a system restore, and the farthest back I could go was Nov. 14th, unless I was doing it wrong. When I tried going back that far, it went through the whole process, but then when windows was restarted it said that the restore failed because nothing had changed since then.
rabidGopher is offline  
12-06-2008, 11:56 AM   #4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy

Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

Please show me fresh logs.
sUBs is offline  
12-06-2008, 03:28 PM   #5
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

Sorry, I assumed since it said it didn't do the restore that nothing changed, but you know better than I do; that's why I'm here :)

Edit: It did the same thing as before: when I run the DDS thing it doesn't ever come up with a prompt for an optional scan, so I don't have an attach.txt in with the gmer.txt.

DDS (Version 1.0) - NTFSx86
Run by Owner at 17:02:54.84 on Sat 12/06/2008

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5058
uStart Page = about:blank
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
BHO: {C672F4AB-780B-45C0-BAEC-91F455C86F8D} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
BHO: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MSKAgent.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [McRegWiz] c:\progra~1\mcafee.com\agent\mcregwiz.exe /autorun
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
mExplorerRun: [kernel32.dll] c:\windows\system32\atmclk.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\progra~1\mcafee\spamki~1\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - c:\windows\system32\jevtxpg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {05a91164-3c96-47d6-aa74-2c855791b2d0} - c:\windows\system32\ofcukiz.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-03 03:53 250 a------- c:\windows\gmer.ini
2008-12-02 22:00 <DIR> --d----- c:\program files\Trend Micro
2008-12-02 15:59 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-23 23:33 73 a------- c:\windows\1.ini
2008-11-23 23:29 98,304 a------- c:\windows\system32\wow71_724.dll
2008-11-23 23:29 20 a------- c:\windows\syscheck
2008-11-11 19:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard

==================== Find3M ====================

2008-11-26 12:14 76,787 a------- c:\windows\War3Unin.dat
2008-11-03 20:49 137,480 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-03 20:49 183,120 a------- c:\windows\system32\PnkBstrB.exe
2008-11-01 20:02 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-10-13 20:05 32,660 a------- c:\windows\scunin.dat
2008-10-13 20:05 94,208 a------- c:\windows\ScUnin.exe
2008-10-02 10:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-11 23:54 152,920 a------- c:\windows\system32\vghd.scr
2008-05-19 05:54 22,328 a------- c:\docume~1\owner\applic~1\PnkBstrK.sys
2008-05-19 05:52 103,736 a------- c:\docume~1\owner\applic~1\PnkBstrB.exe
2008-05-11 18:55 5,919 a------- c:\program files\install.log
2008-04-13 15:38 456,416 a----r-- c:\documents and settings\owner\.exe
2006-06-05 23:44 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 17:03:15.46 ===============
Attached Files
File Type: zip Attach.zip.zip (2.9 KB, 1 views)

Last edited by rabidGopher; 12-06-2008 at 03:30 PM.
rabidGopher is offline  
12-06-2008, 05:14 PM   #6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy

Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
DDS::
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
dRun: [Power2GoExpress] NA
mExplorerRun: [kernel32.dll] c:\windows\system32\atmclk.exe
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - c:\windows\system32\jevtxpg.dll
STS: {05a91164-3c96-47d6-aa74-2c855791b2d0} - c:\windows\system32\ofcukiz.dll
File::
c:\windows\1.ini
c:\windows\system32\wow71_724.dll
c:\windows\syscheck
c:\documents and settings\owner\.exe
Save this as "CFScript"
Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.
sUBs is offline  
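As an added check (example code, not from the forum post or from the DDS or ComboFix tools): before a CFScript like the one above is dropped onto ComboFix, confirm that every DDS:: line and File:: path in it occurs verbatim in the DDS log it was written from, so a typo or copy/paste slip cannot point the script at the wrong entry. The parsing helpers are this example's own; the sample log excerpt and script are taken from this thread, and only the DDS:: and File:: directives are checked.

```python
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # "===== Section name ====="
HJT = "Pseudo HJT Report"
FILE_SECTIONS = {"Created Last 30", "Find3M"}

# Constructed excerpt of the DDS log posted in the thread: a few Pseudo HJT
# Report entries plus the file listings that the CFScript's File:: block targets.
DDS_LOG = r"""
============== Pseudo HJT Report ===============

mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mExplorerRun: [kernel32.dll] c:\windows\system32\atmclk.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - c:\windows\system32\jevtxpg.dll
STS: {05a91164-3c96-47d6-aa74-2c855791b2d0} - c:\windows\system32\ofcukiz.dll

=============== Created Last 30 ================

2008-12-02 22:00 <DIR> --d----- c:\program files\Trend Micro
2008-11-23 23:33 73 a------- c:\windows\1.ini
2008-11-23 23:29 98,304 a------- c:\windows\system32\wow71_724.dll
2008-11-23 23:29 20 a------- c:\windows\syscheck

==================== Find3M ====================

2008-04-13 15:38 456,416 a----r-- c:\documents and settings\owner\.exe
"""

# The CFScript as posted in the thread (DDS:: and File:: directives).
CFSCRIPT = r"""
DDS::
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mExplorerRun: [kernel32.dll] c:\windows\system32\atmclk.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - c:\windows\system32\jevtxpg.dll
STS: {05a91164-3c96-47d6-aa74-2c855791b2d0} - c:\windows\system32\ofcukiz.dll
File::
c:\windows\1.ini
c:\windows\system32\wow71_724.dll
c:\windows\syscheck
c:\documents and settings\owner\.exe
"""


def parse_dds_log(text: str) -> Dict[str, set]:
    """Index a DDS log: HJT entries as exact lines, file listings as lowercase paths."""
    index: Dict[str, set] = {"hjt": set(), "files": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
        elif section == HJT:
            index["hjt"].add(line)
        elif section in FILE_SECTIONS:
            # columns: date, time, size or <DIR>, attributes, path (path may contain spaces)
            parts = line.split(None, 4)
            if len(parts) == 5:
                index["files"].add(parts[4].lower())
    return index


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group CFScript lines under the 'Name::' directive that precedes them."""
    script: Dict[str, List[str]] = {}
    section = "(no directive)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            script.setdefault(section, [])
        else:
            script.setdefault(section, []).append(line)
    return script


def check_cfscript(cfscript: str, dds_log: str) -> Dict[str, List[str]]:
    """Report script lines absent from the log: DDS:: lines must match an HJT line
    exactly (a trailing ' -' counts), File:: paths must be in the file listings,
    and any other directive is listed as unchecked for manual review."""
    log = parse_dds_log(dds_log)
    script = parse_cfscript(cfscript)
    return {
        "missing_dds": [l for l in script.get("DDS", []) if l not in log["hjt"]],
        "missing_files": [p for p in script.get("File", []) if p.lower() not in log["files"]],
        "unchecked": [name for name in script if name not in ("DDS", "File")],
    }

if __name__ == "__main__":
    print(check_cfscript(CFSCRIPT, DDS_LOG))
```

An empty report means every targeted entry was found in the log; anything listed should be re-checked against the log before the script is used.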
12-06-2008, 07:12 PM   #7
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

Here's the ComboFix log.


ComboFix 08-12-06.04 - Owner 2008-12-06 21:02:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
c:\documents and settings\owner\.exe
c:\windows\1.ini
c:\windows\syscheck
c:\windows\system32\wow71_724.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\owner\.exe
c:\documents and settings\Owner\Favorites\Online Security Test.url
c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
c:\program files\INSTALL.LOG
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\020C657B
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\windows\1.ini
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\IE4 Error Log.txt
c:\windows\syscheck
c:\windows\system32\209789
c:\windows\system32\AdCache
c:\windows\system32\cache329
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\regperf.exe
c:\windows\system32\taskmagr.exe
c:\windows\system32\tIVqt6m1.exe.a_a
c:\windows\system32\wmdmpmsvc.dll
c:\windows\system32\wow71_724.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-03 03:53 . 2008-12-06 17:05 250 --a------ c:\windows\gmer.ini
2008-12-02 22:00 . 2008-12-02 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 15:59 . 2007-03-07 17:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-02 15:58 . 2008-12-06 13:41 <DIR> d-------- c:\program files\Winamp
2008-12-02 15:58 . 2008-12-06 13:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-01 04:58 . 2008-12-01 04:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\EmailNotifier
2008-11-11 19:02 . 2008-11-11 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-06 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-05 21:02 --------- d-----w c:\program files\FlashGet
2008-12-05 07:00 --------- d-----w c:\program files\Warcraft III
2008-12-03 09:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 21:55 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield Installation Information
2008-11-21 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 00:05 --------- d-----w c:\program files\Steam
2008-11-11 23:10 --------- d-----w c:\program files\Starcraft
2008-11-07 02:17 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-11-07 02:05 --------- d-----w c:\program files\mIRC
2008-11-04 03:34 --------- d-----w c:\program files\QuickTime
2008-11-04 03:34 --------- d-----w c:\program files\Apple Software Update
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-04 02:49 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-02 02:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-02 02:43 --------- d-----w c:\program files\AGEIA Technologies
2008-11-02 02:25 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-11-02 02:07 --------- d-----w c:\documents and settings\Owner\Application Data\HamachiBackup
2008-11-02 02:03 --------- d-----w c:\program files\Hamachi
2008-11-02 02:02 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-02 02:00 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2008-10-14 02:05 94,208 ----a-w c:\windows\ScUnin.exe
2008-10-09 01:03 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
2008-10-07 19:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-05-19 11:54 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-05-19 11:52 103,736 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrB.exe
2006-06-06 05:44 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-09-26 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 185896]
"McRegWiz"="c:\progra~1\mcafee.com\agent\mcregwiz.exe" [2005-06-01 368714]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-03 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - c:\program files\vghd\vghd.exe [2008-09-11 11875648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 692224]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-09-19 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 16:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\bin.dll\\CoD4\\iw3mp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Sega\\Gas Powered Games\\Space Siege Demo\\SpaceSiege.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

S2 wowsystemcode123;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [2005-01-09 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-09-05 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2007-09-19 362944]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys []
S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode123

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\readit\command - notepad readme.doc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\R]
\Shell\AutoRun\command - R:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7855b9a1-9814-11da-9eba-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3053969-9822-11da-b84e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\At25.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At26.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At27.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At28.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At29.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At30.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At31.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At32.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At33.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At34.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At35.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At36.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At37.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At38.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At39.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At40.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At41.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At43.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At44.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At45.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At46.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At47.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At48.job
- c:\windows\system32\763KIsN3.exe []

2006-05-30 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 13:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C672F4AB-780B-45C0-BAEC-91F455C86F8D} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
Toolbar-{2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
WebBrowser-{2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-ResChanger 2005 - c:\program files\ResChanger 2005\ResChanger2005.exe
HKLM-Run-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
HKLM-Run-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
HKLM-Run-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
SharedTaskScheduler-fairydom - (no file)
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk -
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT693181&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gamefaqs.com/boards/genmessage.php?board=945075&topic=45164388
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:05:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\program files\McAfee.com\Agent\mcregwiz.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee.com\Shared\mghtml.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:08:16 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-12-07 03:08:14

Pre-Run: 35,514,687,488 bytes free
Post-Run: 47,114,698,752 bytes free

301

Last edited by sUBs; 12-06-2008 at 07:14 PM.
Old 12-06-2008, 07:20 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\Tasks\*.job
Driver::
wowsystemcode123
XDva037
XDva052
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"wowsystemcode123"=-
Save this as "CFScript".





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users: right-click on the Internet Explorer shortcut and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
Old 12-06-2008, 07:42 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

When I try to do the Kasper thing, it keeps doing the ActiveX control beep thing where you have to click on the flashing bar on top and allow it to install, but when I do that it keeps saying that Windows just flat out won't install it because it can't verify the publisher. Firefox just crashes when I try it in that, but I guess that's why you said to run it in IE.

Here's the new combofix log though.

Edit: Oh yeah, computer behavior update. One of the error messages from when Windows first boots is gone, and the other disappears by itself immediately. Firefox started working on its own again yesterday, I'm guessing because there was some big update recently and I installed that. I haven't heard the weird sounds either, but I haven't spent as much time on my computer lately. One other thing I should mention: my World of Warcraft account has been hacked twice in the past month, so I'm pretty sure there's a keylogger somewhere, or at least there was.


ComboFix 08-12-06.04 - Owner 2008-12-06 21:27:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1547 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WOWSYSTEMCODE123
-------\Legacy_XDVA037
-------\Legacy_XDVA052
-------\Service_wowsystemcode123
-------\Service_XDva037
-------\Service_XDva052


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-03 03:53 . 2008-12-06 17:05 250 --a------ c:\windows\gmer.ini
2008-12-02 22:00 . 2008-12-02 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 15:59 . 2007-03-07 17:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-02 15:58 . 2008-12-06 13:41 <DIR> d-------- c:\program files\Winamp
2008-12-02 15:58 . 2008-12-06 13:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-01 04:58 . 2008-12-01 04:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\EmailNotifier
2008-11-11 19:02 . 2008-11-11 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-06 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-05 21:02 --------- d-----w c:\program files\FlashGet
2008-12-05 07:00 --------- d-----w c:\program files\Warcraft III
2008-12-03 09:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 21:55 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield Installation Information
2008-11-21 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 00:05 --------- d-----w c:\program files\Steam
2008-11-11 23:10 --------- d-----w c:\program files\Starcraft
2008-11-07 02:17 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-11-07 02:05 --------- d-----w c:\program files\mIRC
2008-11-04 03:34 --------- d-----w c:\program files\QuickTime
2008-11-04 03:34 --------- d-----w c:\program files\Apple Software Update
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-04 02:49 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-02 02:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-02 02:43 --------- d-----w c:\program files\AGEIA Technologies
2008-11-02 02:25 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-11-02 02:07 --------- d-----w c:\documents and settings\Owner\Application Data\HamachiBackup
2008-11-02 02:03 --------- d-----w c:\program files\Hamachi
2008-11-02 02:02 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-02 02:00 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2008-10-14 02:05 94,208 ----a-w c:\windows\ScUnin.exe
2008-10-09 01:03 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
2008-10-07 19:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-05-19 11:54 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-05-19 11:52 103,736 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrB.exe
2006-06-06 05:44 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-09-26 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 185896]
"McRegWiz"="c:\progra~1\mcafee.com\agent\mcregwiz.exe" [2005-06-01 368714]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-03 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - c:\program files\vghd\vghd.exe [2008-09-11 11875648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 692224]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-09-19 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 16:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\bin.dll\\CoD4\\iw3mp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Sega\\Gas Powered Games\\Space Siege Demo\\SpaceSiege.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-09-05 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2007-09-19 362944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\readit\command - notepad readme.doc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\R]
\Shell\AutoRun\command - R:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7855b9a1-9814-11da-9eba-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3053969-9822-11da-b84e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\At25.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At26.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At27.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At28.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At29.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At30.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At31.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At32.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At33.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At34.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At35.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At36.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At37.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At38.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At39.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At40.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At41.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At43.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At44.job
- c:\windows\system32\763KIsN3.exe []

2008-12-07 c:\windows\Tasks\At45.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At46.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At47.job
- c:\windows\system32\763KIsN3.exe []

2008-12-06 c:\windows\Tasks\At48.job
- c:\windows\system32\763KIsN3.exe []

2006-05-30 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk -
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT693181&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gamefaqs.com/boards/genmessage.php?board=945075&topic=45164388
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\McAfee.com\Agent\mcregwiz.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\program files\McAfee.com\Shared\mghtml.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:32:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 03:32:54
ComboFix2.txt 2008-12-07 03:08:17

Pre-Run: 47,095,734,272 bytes free
Post-Run: 47,079,260,160 bytes free

256

Last edited by sUBs; 12-06-2008 at 07:50 PM.
Old 12-06-2008, 07:51 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
Old 12-06-2008, 09:16 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

Wow, you weren't kidding when you said be patient, lol.

Here's the log.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3668 (20081206)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=dcfd7773b189524eb0752af44b71b390
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-12-07 05:10:48
# local_time=2008-12-06 11:10:48 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=485322
# found=9
# scan_time=3388
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-61c915b-6e03d5be.class Java/Exploit.Gimsh.A trojan 16C6A17DB69A395AFB875BD63369E8D1
C:\Program Files\DAEMON Tools Pro\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
C:\Qoobox\Quarantine\C\WINDOWS\system32\regperf.exe.vir Win32/TrojanDownloader.Zlob.RR trojan 6CB0E5CA33AB404228086F2F9F7A1A29
C:\Qoobox\Quarantine\C\WINDOWS\system32\taskmagr.exe.vir probably a variant of Win32/Agent.OKM trojan F1C04AAB085E43CDD78FE002803A0EEC
C:\Qoobox\Quarantine\C\WINDOWS\system32\wow71_724.dll.vir Win32/PSW.WOW.NGG trojan 4752DA6A012322952F14C7CD40F2C32A
C:\WINDOWS\system32\dmserv.dll a variant of Win32/Agent.THO trojan E1E59EA32F8ABA09506599E63ACE3722
C:\WINDOWS\system32\dmserver.dll Win32/Patched.BU virus 00000000000000000000000000000000
C:\WINDOWS\system32\1024\ld58B6.tmp Win32/Hoax.Renos application 637C2AD661F51536C307986F40AD4415
C:\WINDOWS\system32\1024\ld5971.tmp probably a variant of Win32/Genetik trojan 467A94E3D137EDF5539DD46DB60B14B2
Old 12-06-2008, 09:20 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

Quote:
C:\WINDOWS\system32\dmserv.dll a variant of Win32/Agent.THO trojan E1E59EA32F8ABA09506599E63ACE3722
C:\WINDOWS\system32\dmserver.dll Win32/Patched.BU virus 00000000000000000000000000000000
Bit doubtful about these. Please zip/upload the files to this website: http://www.bleepingcomputer.com/subm....php?channel=4

Kindly include a link to this topic in the message.
Old 12-06-2008, 09:27 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really weird problem with browsers and other things.

OK files submitted.
Old 12-06-2008, 09:28 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really weird problem with browsers and other things.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-61c915b-6e03d5be.class"
"C:\Program Files\DAEMON Tools Pro\daemon.tools.pro.patch.exe"
"C:\WINDOWS\system32\dmserv.dll"
"C:\WINDOWS\system32\1024\ld58B6.tmp"
"C:\WINDOWS\system32\1024\ld5971.tmp"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
attrib -h -r -s -a "C:\WINDOWS\system32\dmserver.dll"
move /y "C:\WINDOWS\system32\dmserver.dll" C:\QooBox\Quarantine\C\Windows\System32\dmserver.dll.vir
nircmd wait 5000
If not exist "C:\WINDOWS\system32\dmserver.dll" (
copy /y C:\QooBox\Quarantine\C\Windows\System32\dmserver.dll.vir "C:\WINDOWS\system32\dmserver.dll"
echo.C:\WINDOWS\system32\dmserver.dll>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double-click fix.bat and allow it to run.

Post back to tell me what it says.
Old 12-06-2008, 09:31 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really wierd problem with browsers and other things.

A .txt popped up with 1 line in it:

C:\WINDOWS\system32\dmserver.dll
Old 12-06-2008, 09:41 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really wierd problem with browsers and other things.

That's not good. We'll need to do some digging now.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
:: Vfind (must be on the PATH) walks the Windows tree for every dmserver.dl* and
:: prints attributes, size, timestamp and path for each copy, including the
:: dllcache, LastGood and I386 copies; the results are written to log.txt.
Vfind -ltf %systemroot%\dmserver.dl* >log.txt
start log.txt
Save this as Look.bat. Choose "Save type as - All Files".
It should look like this:
Double-click Look.bat and allow it to run.

Post back to tell me what it says.
Old 12-06-2008, 09:46 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really wierd problem with browsers and other things.

------w 9,073 2004-08-10 19:00:00 C:\WINDOWS\I386\DMSERVER.DL_
----a-w 23,552 2004-08-10 19:00:00 C:\WINDOWS\LastGood\system32\dmserver.dll
----a-w 23,552 2004-08-10 19:00:00 C:\WINDOWS\system32\dmserver.dll
-c--a-w 23,552 2004-08-10 19:00:00 C:\WINDOWS\system32\dllcache\dmserver.dll

It cut out a bunch of spaces.
Old 12-06-2008, 09:52 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really wierd problem with browsers and other things.

One more ...


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
:: FDSV (FileDigitalSignVerify, must be on the PATH) checks the digital signature
:: of each copy and prints the status code and the signer name; all three results
:: are collected in LogB.txt.
@(
FDSV C:\WINDOWS\LastGood\system32\dmserver.dll
FDSV C:\WINDOWS\system32\dmserver.dll
FDSV C:\WINDOWS\system32\dllcache\dmserver.dll
)>LogB.txt
start LogB.txt
Save this as LookB.bat. Choose "Save type as - All Files".
It should look like this:
Double-click LookB.bat and allow it to run.

Post back to tell me what it says.
Old 12-06-2008, 09:54 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 14
OS: xp service pack 2


Re: Really wierd problem with browsers and other things.

FileDigitalSignVerify 1.2
Copyright (C) 2007-2008 Smallfrogs
KZTechs.COM - www.KZTechs.com

FileDigitalSignVerify is used to verify digital signatures on specified files.

Status      Name of signer               File Path
-----------------------------------------------------------
0x800b0100  -                            C:\WINDOWS\LastGood\system32\dmserver.dll
0x00000000  Microsoft Windows Publisher  C:\WINDOWS\system32\dmserver.dll
0x00000000  Microsoft Windows Publisher  C:\WINDOWS\system32\dllcache\dmserver.dll
Old 12-06-2008, 09:59 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,247
OS: N/A


Re: Really wierd problem with browsers and other things.

That's good. Reboot now.
After rebooting, delete this file: C:\WINDOWS\LastGood\system32\dmserver.dll

Let me know how that went.
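The procedure in posts #14 to #20 (list every copy of the DLL, check which copies carry a valid signature, then remove the unsigned one) can be done in one pass with PowerShell. The script below is an added example, not sUBs' script or anything posted in the thread: the function names Get-SystemFileCopies and Find-SuspectCopies are my own, and it assumes Windows PowerShell 5.1 or later on a current Windows, where Get-AuthenticodeSignature also recognises catalog-signed system files such as dmserver.dll.

```powershell
# Added example (not from the original thread): triage every copy of a Windows
# system DLL under %SystemRoot% in one pass, the way posts #16-#19 do with
# Vfind and FDSV. Assumes PowerShell 5.1+ on a current Windows.
# Function names are my own; defaults mirror the thread (dmserver.dll, %SystemRoot%).

function Get-SystemFileCopies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,   # exact file name, e.g. 'dmserver.dll'
        [string] $Root = $env:SystemRoot         # e.g. 'C:\WINDOWS'
    )

    # system32, dllcache, LastGood and I386 all live under %SystemRoot%, so one
    # recursive walk finds every copy. -Force includes hidden/system entries (the
    # dllcache copy is stored that way); unreadable directories are skipped.
    $files = Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path       = $f.FullName
            Size       = $f.Length
            Modified   = $f.LastWriteTimeUtc
            Attributes = $f.Attributes
            # Hash catches a patched copy even when size and timestamp were preserved,
            # as they were for every copy listed in the thread.
            SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            # 'Valid' = embedded or catalog signature chains to a trusted root;
            # 'NotSigned' corresponds to the 0x800b0100 FDSV reported for LastGood.
            SigStatus  = $sig.Status
            Signer     = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' })
        }
    }
}

function Find-SuspectCopies {
    param([Parameter(Mandatory)] [object[]] $Copies)

    # A tampered copy either fails signature verification or differs in content
    # from the copies that do verify. Flag anything unsigned, and anything whose
    # hash is not among the hashes of the validly signed copies.
    $validHashes = @($Copies | Where-Object { $_.SigStatus -eq 'Valid' } |
                     Select-Object -ExpandProperty SHA256 -Unique)
    $Copies | Where-Object {
        $_.SigStatus -ne 'Valid' -or
        ($validHashes.Count -gt 0 -and $_.SHA256 -notin $validHashes)
    }
}

# Usage, mirroring the thread's target file.
$copies  = Get-SystemFileCopies -Name 'dmserver.dll'
$copies  | Format-Table Path, Size, Modified, SigStatus, Signer -AutoSize
$suspect = Find-SuspectCopies -Copies $copies
if ($suspect) {
    'Suspect copies (unsigned, or hash differs from the signed copies):'
    $suspect | Select-Object Path, SHA256, SigStatus | Format-List
} else {
    'All copies are signed and identical.'
}
```

Run against the files the thread lists, the system32 and dllcache copies come back Valid with the same hash and the LastGood copy comes back NotSigned, which is the same verdict FDSV gave and is what justifies deleting only that one after the reboot. The search uses the exact file name on purpose: the compressed C:\WINDOWS\I386\DMSERVER.DL_ that Vfind also listed is a cabinet-compressed installer copy whose hash legitimately differs, so comparing it would produce a false alarm. Also note that the identical 2004-08-10 timestamps and 23,552-byte sizes in Vfind's output would not have separated the copies; only the signature check did.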
 


Copyright 2001 - 2009, Tech Support Forum