DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs

[Active] Big problem with malware again. Fast reply needed.
#1 (permalink)
Old 12-07-2009, 09:01 PM
Anti
Valued Member, New Recruit
Join Date: Aug 2007
Posts: 111
[Active] Big problem with malware again. Fast reply needed.

So I log on today, nothing wrong at all yesterday, and when my Windows loads up the first thing I get is "Google Installer has encountered a problem and needs to close".

So I hit OK thinking nothing of it, since I just assumed it had crashed or something, and then Spybot S&D hits me with alerts saying the Internet Explorer registry has been changed etc. Last time I got that I had malware on my computer, so I instantly went to run Malwarebytes to scan my computer.

MBAM didn't open, only a timer, then after 5 seconds nothing. I checked Task Manager and it was there, just not physically open for me. So I tried again but still nothing. Went to open S&D and that refused to load itself as well, same process as MBAM. The ONLY thing that opens is AVG, but when I scan with that it finds nothing.

Now my GUI is screwing up as well. Say I hit Start and hit Firefox from the programs there: the Start menu disappears as it should, but the button will still show where I clicked... for example the Firefox button still displays and is 'engraved' on my screen. Happens a lot with other things that show up, like say I right-click something on my system tray, the menu engraves itself onto the desktop background.

Now I also cannot Google search, as all clicks redirect to random sites (and I mean random, it even takes me to eBay), so I've got to copy and paste the links from Google to actually get places now.

So I thought to myself, right, I can't do anything, and tried the last resort by trying ComboFix. But oh no! The malware/spyware has also disabled access to that and will not allow me to run that program.

My CD/DVD burner programs no longer recognise drives either, so I cannot back up anything, but I'm going to try backing up on my iPhone.

Now I'm posting this here to try to get a reply within, say, 5 hours, because I will be reformatting then, as I see no way out of this problem. I will try safe mode in a minute JUST to see if I can get anywhere with that, but I doubt it.

I'm just surprised as to how one restart of my computer has allowed no protection programs to load, search redirects, weird GUI problems, and other small but strange problems to occur.

Here's my HijackThis log (yes, this still runs, thankfully). I DO NOT USE IE FOR BROWSING, JUST TO NOTE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:12, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\nHancer\nHancer.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GameRenders
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: SetPointII.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c98ba08cd46ce) (gupdate1c98ba08cd46ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8068 bytes
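A defender-side triage pass over a HijackThis log, as an added example that is not part of the thread or of HijackThis itself: it parses the "Xn - ..." entry lines (the sample below is a constructed subset of the log posted in #1) and flags the entries a helper checks first, such as the F2 Userinit value, which here points at explorer.exe rather than the Windows XP default userinit.exe. The severity labels and heuristics are my own assumptions, not HijackThis output.

```python
"""Triage a HijackThis v2.0.2 log (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default Winlogon "Userinit" value on Windows XP; the trailing comma is part of it.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Entry lines look like "O23 - Service: ..." or "F2 - REG:system.ini: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: a subset of the lines from the log posted in #1.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:12, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GameRenders
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: SetPointII.lnk = ?
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    kind: str                      # "R0", "F2", "O4", "O23", ...
    body: str                      # everything after "Xn - "
    flags: List[Tuple[str, str]] = field(default_factory=list)  # (severity, reason)


def parse_hjt(text: str) -> List[Entry]:
    """Return the entry lines; the header and 'Running processes' list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def userinit_value(entries: List[Entry]) -> Optional[str]:
    """The Userinit value from the F2 line, or None if HijackThis reported none."""
    for e in entries:
        if e.kind == "F2" and "UserInit=" in e.body:
            return e.body.split("UserInit=", 1)[1].strip()
    return None


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach (severity, reason) flags and return only the entries that got one."""
    for e in entries:
        e.flags = []  # idempotent: re-running triage does not duplicate flags
        if e.kind == "F2" and "UserInit=" in e.body:
            value = e.body.split("UserInit=", 1)[1].strip()
            if value.lower() != DEFAULT_USERINIT.lower():
                # Userinit runs at every logon; anything but the default is worth a look.
                e.flags.append(("high", "Winlogon Userinit is not the default: " + value))
        elif e.kind == "R3" and "URLSearchHook is missing" in e.body:
            e.flags.append(("info", "default URLSearchHook missing (usually harmless)"))
        elif e.kind == "O23":
            if "(file missing)" in e.body:
                e.flags.append(("medium", "service binary is missing on disk"))
            if " - Unknown owner - " in e.body:
                e.flags.append(("low", "service has no publisher name"))
        elif e.kind == "O4" and e.body.endswith("= ?"):
            e.flags.append(("low", "startup shortcut target could not be resolved"))
    return [e for e in entries if e.flags]


def summary(entries: List[Entry]) -> dict:
    """Count flags by severity, e.g. {'high': 1, 'info': 1, 'medium': 1, 'low': 3}."""
    counts: dict = {}
    for e in triage(entries):
        for severity, _ in e.flags:
            counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in triage(found):
        for severity, reason in e.flags:
            print(f"[{severity:6}] {e.kind} - {e.body}\n         -> {reason}")
    print(summary(found))
```

The "low" flags are expected on a clean machine too (PunkBuster and the Logitech shortcut in this log are legitimate); the point of the pass is to surface the F2 line and the missing service binary, not to call anything malicious on its own.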
#2 (permalink)
Old 12-07-2009, 11:42 PM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
re: [Active] Big problem with malware again. Fast reply needed.

Delete your Combofix file.
Download it from HERE

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.
#3 (permalink)
Old 13-07-2009, 04:21 AM
Anti
Valued Member, New Recruit
Join Date: Aug 2007
Posts: 111
re: [Active] Big problem with malware again. Fast reply needed.

I need links, man, I can't click that. It takes me to a random site, and the link itself is changed by the malware I have.

I need the actual www. to download or go places.
#4 (permalink)
Old 13-07-2009, 04:50 AM
Anti
Valued Member, New Recruit
Join Date: Aug 2007
Posts: 111
re: [Active] Big problem with malware again. Fast reply needed.

OK, I downloaded ComboFix again from Bleeping Computer, as I thought that's where you would link to. And yet again it still doesn't work.
#5 (permalink)
Old 13-07-2009, 05:02 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
re: [Active] Big problem with malware again. Fast reply needed.

I just sent you PM with new instructions.
Last edited by broni; 14-07-2009 at 12:09 AM.
#6 (permalink)
Old 13-07-2009, 11:59 PM
Anti
Valued Member, New Recruit
Join Date: Aug 2007
Posts: 111
Re: [Active] Big problem with malware again. Fast reply needed.

Right, seems like we are getting somewhere at least. Had a tough time getting the bad boy to run because it started up, found rootkits, then rebooted my computer before the scan, but when the computer loaded back up nothing would load on the account profile. Just the desktop, so I was stuck. Could still open Task Manager, so I waited for around 30 minutes in case it was ComboFix doing anything, but after I saw no activity from my HDD I rebooted. Still the same problem, so I used the Run tool in Task Manager and ran C:/, which then instantly opened up ComboFix and it got to work, thankfully.

Bad news is it never produced a log, as when I came back after the reboot from ComboFix I BSOD'ed logging into my profile... and when I came back on, ComboFix popped up for about half a second then closed again. No log anywhere.

But it did delete a lot of items, and I also do not get redirected anymore, and Google Updater no longer crashes at launch, so right now I'm having no problems. But I can tell the malware is still lurking around my computer just from that BSOD I got, though it was just one and didn't repeat itself, so yeah.

I'm going to try to run Malwarebytes now, so I'll edit this post in a second.
#7 (permalink)
Old 14-07-2009, 12:11 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Big problem with malware again. Fast reply needed.

Leave MBAM alone for now.
If C:\ComboFix.txt file is not present, re-run Combofix.
#8 (permalink)
Old 14-07-2009, 01:23 AM
Anti
Valued Member, New Recruit
Join Date: Aug 2007
Posts: 111
Re: [Active] Big problem with malware again. Fast reply needed.

Alright, I ran it again. Here's the ComboFix log:

ComboFix 09-07-13.01 - Dean 14/07/2009 0:56.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1629 [GMT 1:00]
Running from: c:\tools-av\32095\32095.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruiotpmdhcy.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\hjgruiicipkecr.dll
c:\windows\system32\hjgruilwafxfeo.dll
c:\windows\system32\hjgruipgtohedh.dat
c:\windows\system32\hjgruisdonobnr.dat
.
---- Previous Run -------
.
c:\documents and settings\LocalService\Application Data\sysproc64
c:\documents and settings\LocalService\Application Data\sysproc64\sysproc32.sys
c:\program files\Mozilla Firefox\extensions\{B31D99DC-400C-4FC0-8827-8E3FF84271DE}
c:\program files\Mozilla Firefox\extensions\{B31D99DC-400C-4FC0-8827-8E3FF84271DE}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{B31D99DC-400C-4FC0-8827-8E3FF84271DE}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{B31D99DC-400C-4FC0-8827-8E3FF84271DE}\install.rdf
c:\windows\Installer\6f849e2.msp
c:\windows\Installer\6f84a41.msp
c:\windows\Installer\6f84a48.msp
c:\windows\Installer\6f84a5e.msp
c:\windows\Installer\6f84a6f.msp
c:\windows\Installer\6f84a7e.msp
c:\windows\Installer\6f84a84.msp
c:\windows\system32\drivers\UACcmyjepsseabaqwnsy.sys
c:\windows\system32\net.net
c:\windows\system32\oembios.exe
c:\windows\system32\sysproc64
c:\windows\system32\sysproc64\sysproc32.sys
c:\windows\system32\sysproc64\sysproc86.sys
c:\windows\system32\UACeaypxigjfwqlbtjde.db
c:\windows\system32\UACelddulvpkraunlmlv.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkwowkytrppownbcan.dat
c:\windows\system32\UACoruoxrkrfmmnqogtx.dll
c:\windows\system32\UACpsmhgppmsljipurfw.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACtptumragviwaqundx.dll
c:\windows\system32\UACwkefdqskggvostdot.dll
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-13 23:00 . 2009-07-13 23:00 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 23:00 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 23:00 . 2009-07-13 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 23:00 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 21:48 . 2009-07-13 21:48 -------- d-----w- C:\Tools-AV
2009-07-13 15:32 . 2007-11-29 11:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-07-13 13:17 . 2009-07-13 13:17 71808 ----a-w- c:\windows\system32\drivers\oreghvd.sys
2009-07-12 02:02 . 2009-07-12 02:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-09 23:06 . 2009-07-09 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2009-07-09 23:06 . 2009-07-09 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2009-07-09 23:06 . 2009-07-09 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2009-07-09 23:04 . 2009-07-11 01:47 18243 ----a-w- c:\windows\DIIUnin.dat
2009-07-09 23:04 . 2009-07-09 23:04 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-09 23:04 . 2009-07-09 23:04 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-09 22:52 . 2009-07-11 01:50 -------- d-----w- c:\program files\Diablo II
2009-07-09 10:03 . 2009-07-04 13:06 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-04 13:07 . 2009-06-26 09:09 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-04 13:07 . 2009-06-26 09:09 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-04 13:07 . 2009-06-26 09:09 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-04 13:07 . 2009-06-26 09:08 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-04 13:07 . 2009-06-26 09:08 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-04 13:07 . 2009-06-26 09:08 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-04 13:07 . 2009-07-04 13:06 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 13:06 . 2009-06-26 09:07 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-04 13:06 . 2009-06-26 09:07 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-02 18:55 . 2009-07-02 18:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-28 13:29 . 2009-06-14 15:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-26 21:40 . 2009-06-26 21:40 -------- d-----w- c:\documents and settings\Dean\Local Settings\Application Data\AVG Security Toolbar
2009-06-26 10:19 . 2009-06-26 10:19 -------- d-----w- c:\documents and settings\Grant\Local Settings\Application Data\AVG Security Toolbar
2009-06-26 09:09 . 2009-06-26 09:09 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-26 09:09 . 2009-06-28 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-26 09:09 . 2009-06-26 09:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-14 23:37 . 2009-06-14 23:37 -------- d-----w- C:\EQG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 00:13 . 2008-04-28 15:03 -------- d-----w- c:\documents and settings\Dean\Application Data\Skype
2009-07-14 00:10 . 2008-04-30 18:02 -------- d-----w- c:\program files\Steam
2009-07-13 23:50 . 2008-02-20 16:32 -------- d-----w- c:\documents and settings\Dean\Application Data\Xfire
2009-07-13 23:32 . 2008-03-06 21:03 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 21:32 . 2008-04-28 15:10 -------- d-----w- c:\documents and settings\Dean\Application Data\skypePM
2009-07-13 19:22 . 2008-02-25 23:14 -------- d-----w- c:\documents and settings\Grant\Application Data\uTorrent
2009-07-13 15:32 . 2008-12-14 15:38 -------- d-----w- c:\program files\TVersity Codec Pack
2009-07-12 19:59 . 2008-12-26 20:14 8069 ----a-w- c:\program files\hijackthis.log
2009-07-12 19:41 . 2008-02-28 23:25 -------- d-----w- c:\documents and settings\Grant\Application Data\FinalBurner DATA
2009-07-12 18:55 . 2008-12-26 20:10 -------- d-----w- c:\program files\backups
2009-07-12 18:39 . 2008-07-03 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 23:41 . 2008-02-20 16:32 -------- d-----w- c:\program files\Xfire
2009-07-04 13:06 . 2008-08-10 19:11 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 13:39 . 2008-03-18 14:38 -------- d-----w- c:\documents and settings\Grant\Application Data\LimeWire
2009-06-26 09:09 . 2008-08-10 19:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 09:09 . 2008-08-10 19:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 17:52 . 2008-09-08 22:53 -------- d-----w- c:\documents and settings\Dean\Application Data\uTorrent
2009-06-15 02:00 . 2008-03-04 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-14 20:25 . 2009-05-20 23:37 41 ----a-w- c:\windows\popcinfot.dat
2009-06-13 23:54 . 2009-06-13 23:54 -------- d-----w- c:\program files\Softnyx
2009-06-12 20:42 . 2008-05-07 19:12 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-12 20:37 . 2008-05-07 19:12 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-08 11:58 . 2008-03-04 14:27 25144 ----a-w- c:\documents and settings\Grant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 22:38 . 2009-05-28 22:38 -------- d-----w- c:\program files\Games-Masters.com
2009-05-28 19:21 . 2009-05-28 19:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xfire
2009-05-26 19:00 . 2008-05-07 19:12 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-23 22:05 . 2009-05-23 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-05-23 22:05 . 2009-05-23 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2009-05-23 22:03 . 2009-05-23 22:03 -------- d-----w- c:\documents and settings\Dean\Application Data\nHancer
2009-05-23 21:55 . 2008-02-20 16:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-23 21:55 . 2008-11-13 13:18 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-23 21:32 . 2008-02-20 22:30 25144 ----a-w- c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 21:29 . 2009-05-23 21:29 -------- d-----w- c:\program files\nHancer
2009-05-23 21:28 . 2008-11-06 03:23 117944 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-21 18:16 . 2009-05-21 18:16 -------- d-----w- c:\program files\CCP
2009-05-21 18:16 . 2009-05-21 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-05-21 00:37 . 2008-08-11 17:15 -------- d-----w- c:\documents and settings\Grant\Application Data\AVGTOOLBAR
2009-05-20 14:45 . 2008-08-10 19:11 -------- d-----w- c:\documents and settings\Dean\Application Data\AVGTOOLBAR
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 23:31 . 2009-04-30 23:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-04-30 23:31 . 2009-04-30 23:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-04-30 23:31 . 2009-04-30 23:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-04-30 23:31 . 2009-04-30 23:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-04-30 23:31 . 2009-04-30 23:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-04-30 23:31 . 2009-04-30 23:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-04-30 23:31 . 2009-04-30 23:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2008-07-01 12:42 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2008-05-02 21:46 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-04-30 21:02 . 2008-05-02 21:46 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-04-30 21:02 . 2008-05-02 21:46 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2008-05-02 21:46 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-04-30 21:02 . 2008-05-02 21:46 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2007-04-13 06:44 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 21:02 . 2007-04-13 06:44 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 23:42 . 2008-07-01 12:42 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 09:58 . 2006-02-28 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2006-02-28 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2008-12-26 20:07 . 2008-12-26 20:07 413 ----a-w- c:\program files\Shortcut to HijackThis.lnk
2008-08-14 01:00 . 2008-08-14 01:00 396288 ----a-w- c:\program files\HijackThis.exe
2009-06-12 19:57 . 2008-07-16 19:19 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2009-03-03 18:45 104960 F4E1DA840459088599F05D5BC3D1F689 c:\windows\system32\userinit.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-03 21898024]
"Steam"="c:\program files\steam\steam.exe" [2009-06-10 1217784]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"nHancer"="c:\program files\nHancer\nHancer.exe" [2009-04-26 1300480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-07-17 55824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\Dean\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2007-8-30 319488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 09:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Dean\\Desktop\\glider\\hfymaipugz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\RndLabs\\BaboViolent 2\\bv2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForeverLauncher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"32937:TCP"= 32937:TCP:u
"32937:UDP"= 32937:UDP:uu
"41431:TCP"= 41431:TCP:utorrent
"41431:UDP"= 41431:UDP:utorrent
"3074:UDP"= 3074:UDP:Xbox
"3074:TCP"= 3074:TCP:Xbox
"29101:TCP"= 29101:TCP:*isabled:???? ??

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2008 20:11 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2008 20:11 298776]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [22/02/2008 21:30 4224]
S2 gupdate1c98ba08cd46ce;Google Update Service (gupdate1c98ba08cd46ce);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 17:53 133104]
S2 ygjdx;ygjdx;c:\windows\system32\drivers\oreghvd.sys [13/07/2009 14:17 71808]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [13/09/2008 17:09 20608]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys --> c:\windows\system32\XDva145.sys [?]
S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [13/09/2008 17:09 19072]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-03 14:44]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 16:52]

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamerenders.com/forum/
IE: &Clean Traces
FF - ProfilePath - c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\cxabp3a8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mmorpg.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\cxabp3a8.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-14 01:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1140)
c:\program files\Xfire\xfire_toucan_37857.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\nHancer\nHancerService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-07-14 1:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 00:21
ComboFix2.txt 2009-03-04 01:01
ComboFix3.txt 2008-12-28 00:31

Pre-Run: 9,084,723,200 bytes free
Post-Run: 9,072,300,032 bytes free

345 --- E O F --- 2009-07-12 05:17
#9
Old 14-07-2009, 01:36 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: [Active] Big problem with malware again. Fast reply needed.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\oreghvd.sys
c:\windows\system32\XDva145.sys


Folder::

Driver::
ygjdx
XDva145

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
__________________
My Home Page
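The steps above hand ComboFix a CFScript naming the files and drivers to remove, and the post-run ComboFix.txt is the only evidence that it actually happened. The following is an added example, not part of this thread and not ComboFix's own code: a small Python checker that parses the `R*`/`S*` service lines, the `Other Deletions` section and the `-------\Service_...` entries of a ComboFix log, diffs the pre-run and post-run logs, and reports which CFScript targets the post-run log confirms as gone. The log excerpts are constructed from the two logs posted in this thread (with the forum's line-wrap spaces removed); the helper names are my own.

```python
"""Check a ComboFix CFScript run against the pre-run and post-run logs.

Added example for this thread (not ComboFix's own code): the helper names
and the trimmed log excerpts are my own constructions built from the logs
posted above.
"""
import re

# Constructed excerpt of the pre-run log (post #8): both drivers that the
# CFScript targets are still registered as services.
BEFORE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2008 20:11 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2008 20:11 298776]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [22/02/2008 21:30 4224]
S2 ygjdx;ygjdx;c:\windows\system32\drivers\oreghvd.sys [13/07/2009 14:17 71808]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys --> c:\windows\system32\XDva145.sys [?]
"""

# Constructed excerpt of the post-run log (post #10).
AFTER_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\oreghvd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA145
-------\Legacy_YGJDX
-------\Service_XDva145
-------\Service_ygjdx

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2008 20:11 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2008 20:11 298776]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [22/02/2008 21:30 4224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# The CFScript from post #9.
CFSCRIPT = r"""
File::
c:\windows\system32\drivers\oreghvd.sys
c:\windows\system32\XDva145.sys

Folder::

Driver::
ygjdx
XDva145

Registry::

RegLockDel::
"""


def parse_cfscript(script_text):
    """Return {section: [entries]} for the File::/Folder::/Driver:: style sections."""
    sections, current = {}, None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_services(log_text):
    """Return {service_name: image_path} (lower-cased) for every R*/S* line."""
    services = {}
    for line in log_text.splitlines():
        m = re.match(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$", line.strip())
        if not m:
            continue
        image = m.group(4).split(" --> ")[0]               # drop the resolved-path suffix
        image = re.sub(r"\s+\[[^\]]*\]$", "", image)       # drop the "[date time size]" tail
        services[m.group(2).lower()] = image.lower()
    return services


def deleted_files(log_text):
    """Paths ComboFix lists under its 'Other Deletions' banner."""
    out, inside = [], False
    for line in log_text.splitlines():
        if "Other Deletions" in line:
            inside = True
            continue
        if inside and line.startswith("(((("):
            break                                          # next banner ends the section
        if inside and re.match(r"^[a-z]:\\", line.strip(), re.I):
            out.append(line.strip().lower())
    return out


def removed_service_entries(log_text):
    """Service names ComboFix reports as removed via '-------\\Service_<name>' lines."""
    return sorted({m.group(1).lower()
                   for m in re.finditer(r"^-------\\Service_(\S+)", log_text, re.M)})


def removed_services(before_text, after_text):
    """Service names present in the pre-run log but absent from the post-run log."""
    return sorted(set(parse_services(before_text)) - set(parse_services(after_text)))


def verify_script_applied(script_text, before_text, after_text):
    """Map each File::/Driver:: target to 'removed'/'deleted' or 'not confirmed'."""
    script = parse_cfscript(script_text)
    gone = set(removed_services(before_text, after_text))
    confirmed = set(removed_service_entries(after_text))
    deleted = set(deleted_files(after_text))
    report = {"driver": {}, "file": {}}
    for drv in script.get("driver", []):
        ok = drv.lower() in gone and drv.lower() in confirmed
        report["driver"][drv] = "removed" if ok else "not confirmed"
    for path in script.get("file", []):
        report["file"][path] = "deleted" if path.lower() in deleted else "not confirmed"
    return report


if __name__ == "__main__":
    for kind, entries in verify_script_applied(CFSCRIPT, BEFORE_LOG, AFTER_LOG).items():
        for target, status in entries.items():
            print(f"{kind:6} {target:45} {status}")
```

Run against the thread's logs it reports both drivers as removed and `oreghvd.sys` as deleted, while `XDva145.sys` comes back as "not confirmed": the post-run log lists no deletion for it, which is exactly the kind of leftover a helper would want to ask about before closing the case. Folder:: and Registry:: sections are parsed but not verified here, because the logs above carry no corresponding confirmation lines for them.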
#10
Old 14-07-2009, 02:10 AM
Anti
Valued Member
New Recruit
Join Date: Aug 2007
Posts: 111
Re: [Active] Big problem with malware again. Fast reply needed.

Aight here ya go man

ComboFix 09-07-13.01 - Dean 14/07/2009 1:43.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1404 [GMT 1:00]
Running from: c:\tools-av\32095\32095.exe
Command switches used :: c:\documents and settings\Dean\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\oreghvd.sys"
"c:\windows\system32\XDva145.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\oreghvd.sys



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA145
-------\Legacy_YGJDX
-------\Service_XDva145
-------\Service_ygjdx


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-13 23:00 . 2009-07-13 23:00 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 23:00 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 23:00 . 2009-07-13 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 23:00 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 21:48 . 2009-07-13 21:48 -------- d-----w- C:\Tools-AV
2009-07-13 15:32 . 2007-11-29 11:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-07-12 02:02 . 2009-07-12 02:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-09 23:06 . 2009-07-09 23:06 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2009-07-09 23:06 . 2009-07-09 23:06 17212 ----a-w- c:\windows\system32\SIntf32.dll
2009-07-09 23:06 . 2009-07-09 23:06 12067 ----a-w- c:\windows\system32\SIntf16.dll
2009-07-09 23:04 . 2009-07-11 01:47 18243 ----a-w- c:\windows\DIIUnin.dat
2009-07-09 23:04 . 2009-07-09 23:04 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-09 23:04 . 2009-07-09 23:04 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-09 22:52 . 2009-07-11 01:50 -------- d-----w- c:\program files\Diablo II
2009-07-09 10:03 . 2009-07-04 13:06 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-04 13:07 . 2009-06-26 09:09 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-04 13:07 . 2009-06-26 09:09 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-04 13:07 . 2009-06-26 09:09 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-04 13:07 . 2009-06-26 09:08 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-04 13:07 . 2009-06-26 09:08 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-04 13:07 . 2009-06-26 09:08 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-04 13:07 . 2009-07-04 13:06 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 13:06 . 2009-06-26 09:07 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-04 13:06 . 2009-06-26 09:07 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-02 18:55 . 2009-07-02 18:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-28 13:29 . 2009-06-14 15:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-26 21:40 . 2009-06-26 21:40 -------- d-----w- c:\documents and settings\Dean\Local Settings\Application Data\AVG Security Toolbar
2009-06-26 10:19 . 2009-06-26 10:19 -------- d-----w- c:\documents and settings\Grant\Local Settings\Application Data\AVG Security Toolbar
2009-06-26 09:09 . 2009-06-26 09:09 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-26 09:09 . 2009-06-28 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-26 09:09 . 2009-06-26 09:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-14 23:37 . 2009-06-14 23:37 -------- d-----w- C:\EQG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 01:03 . 2008-04-28 15:03 -------- d-----w- c:\documents and settings\Dean\Application Data\Skype
2009-07-14 00:58 . 2008-04-30 18:02 -------- d-----w- c:\program files\Steam
2009-07-14 00:41 . 2008-02-20 16:32 -------- d-----w- c:\documents and settings\Dean\Application Data\Xfire
2009-07-13 23:32 . 2008-03-06 21:03 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 21:32 . 2008-04-28 15:10 -------- d-----w- c:\documents and settings\Dean\Application Data\skypePM
2009-07-13 19:22 . 2008-02-25 23:14 -------- d-----w- c:\documents and settings\Grant\Application Data\uTorrent
2009-07-13 15:32 . 2008-12-14 15:38 -------- d-----w- c:\program files\TVersity Codec Pack
2009-07-12 19:59 . 2008-12-26 20:14 8069 ----a-w- c:\program files\hijackthis.log
2009-07-12 19:41 . 2008-02-28 23:25 -------- d-----w- c:\documents and settings\Grant\Application Data\FinalBurner DATA
2009-07-12 18:55 . 2008-12-26 20:10 -------- d-----w- c:\program files\backups
2009-07-12 18:39 . 2008-07-03 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 23:41 . 2008-02-20 16:32 -------- d-----w- c:\program files\Xfire
2009-07-04 13:06 . 2008-08-10 19:11 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 13:39 . 2008-03-18 14:38 -------- d-----w- c:\documents and settings\Grant\Application Data\LimeWire
2009-06-26 09:09 . 2008-08-10 19:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 09:09 . 2008-08-10 19:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 17:52 . 2008-09-08 22:53 -------- d-----w- c:\documents and settings\Dean\Application Data\uTorrent
2009-06-15 02:00 . 2008-03-04 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-14 20:25 . 2009-05-20 23:37 41 ----a-w- c:\windows\popcinfot.dat
2009-06-13 23:54 . 2009-06-13 23:54 -------- d-----w- c:\program files\Softnyx
2009-06-12 20:42 . 2008-05-07 19:12 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-12 20:37 . 2008-05-07 19:12 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-08 11:58 . 2008-03-04 14:27 25144 ----a-w- c:\documents and settings\Grant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 22:38 . 2009-05-28 22:38 -------- d-----w- c:\program files\Games-Masters.com
2009-05-28 19:21 . 2009-05-28 19:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xfire
2009-05-26 19:00 . 2008-05-07 19:12 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-23 22:05 . 2009-05-23 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-05-23 22:05 . 2009-05-23 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2009-05-23 22:03 . 2009-05-23 22:03 -------- d-----w- c:\documents and settings\Dean\Application Data\nHancer
2009-05-23 21:55 . 2008-02-20 16:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-23 21:55 . 2008-11-13 13:18 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-23 21:32 . 2008-02-20 22:30 25144 ----a-w- c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 21:29 . 2009-05-23 21:29 -------- d-----w- c:\program files\nHancer
2009-05-23 21:28 . 2008-11-06 03:23 117944 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-21 18:16 . 2009-05-21 18:16 -------- d-----w- c:\program files\CCP
2009-05-21 18:16 . 2009-05-21 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-05-21 00:37 . 2008-08-11 17:15 -------- d-----w- c:\documents and settings\Grant\Application Data\AVGTOOLBAR
2009-05-20 14:45 . 2008-08-10 19:11 -------- d-----w- c:\documents and settings\Dean\Application Data\AVGTOOLBAR
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 23:31 . 2009-04-30 23:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-04-30 23:31 . 2009-04-30 23:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-04-30 23:31 . 2009-04-30 23:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-04-30 23:31 . 2009-04-30 23:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-04-30 23:31 . 2009-04-30 23:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-04-30 23:31 . 2009-04-30 23:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-04-30 23:31 . 2009-04-30 23:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2008-07-01 12:42 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2008-05-02 21:46 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-04-30 21:02 . 2008-05-02 21:46 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-04-30 21:02 . 2008-05-02 21:46 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2008-05-02 21:46 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-04-30 21:02 . 2008-05-02 21:46 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2007-04-13 06:44 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 21:02 . 2007-04-13 06:44 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 23:42 . 2008-07-01 12:42 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 09:58 . 2006-02-28 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2006-02-28 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2008-12-26 20:07 . 2008-12-26 20:07 413 ----a-w- c:\program files\Shortcut to HijackThis.lnk
2008-08-14 01:00 . 2008-08-14 01:00 396288 ----a-w- c:\program files\HijackThis.exe
2009-06-12 19:57 . 2008-07-16 19:19 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2009-03-03 18:45 104960 F4E1DA840459088599F05D5BC3D1F689 c:\windows\system32\userinit.exe

.
((((((((((((((((((((((((((((( SnapShot@2009-07-14_00.12.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 00:56 . 2009-07-14 00:56 16384 c:\windows\Temp\Perflib_Perfdata_1ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-03 21898024]
"Steam"="c:\program files\steam\steam.exe" [2009-06-10 1217784]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"nHancer"="c:\program files\nHancer\nHancer.exe" [2009-04-26 1300480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-07-17 55824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\Dean\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-7-2 3190096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2007-8-30 319488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 09:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Dean\\Desktop\\glider\\hfymaipugz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\RndLabs\\BaboViolent 2\\bv2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3ath1234\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForeverLauncher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"32937:TCP"= 32937:TCP:u
"32937:UDP"= 32937:UDP:uu
"41431:TCP"= 41431:TCP:utorrent
"41431:UDP"= 41431:UDP:utorrent
"3074:UDP"= 3074:UDP:Xbox
"3074:TCP"= 3074:TCP:Xbox
"29101:TCP"= 29101:TCP:*isabled:???? ??

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2008 20:11 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2008 20:11 298776]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [22/02/2008 21:30 4224]
S2 gupdate1c98ba08cd46ce;Google Update Service (gupdate1c98ba08cd46ce);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 17:53 133104]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [13/09/2008 17:09 20608]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [13/09/2008 17:09 19072]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-03 14:44]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 16:52]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamerenders.com/forum/
IE: &Clean Traces
FF - ProfilePath - c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\cxabp3a8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mmorpg.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\cxabp3a8.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-14 01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\program files\Xfire\xfire_toucan_37857.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\nHancer\nHancerService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
************************************************************************************
.
Completion time: 2009-07-14 2:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 01:06
ComboFix2.txt 2009-07-14 00:21
ComboFix3.txt 2009-03-04 01:01
ComboFix4.txt 2008-12-28 00:31

Pre-Run: 9,082,134,528 bytes free
Post-Run: 8,943,521,792 bytes free

316 --- E O F --- 2009-07-12 05:17

____________________________________________________________________________

And here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:10:01, on 14/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\nHancer\nHancer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GameRenders
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: SetPointII.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c98ba08cd46ce) (gupdate1c98ba08cd46ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7635 bytes