New Virus(es) B.exe, etc

wbutt · #1 (**permalink**) 20-07-2009, 05:53 AM

Family member was using computer, few days later i noticed my avira wasn't able on autoguard anymore, and it kept denying alot of random processes from running upon EVERY start up. Googled some of the exes i found in msconfig, the main one being b.exe and possibly others. decide to return here for expert advice and instructions.

Thank you for your time

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:51 PM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O20 - AppInit_DLLs: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\569302341756mmx .dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7126 bytes

Neal · #2 (**permalink**) 20-07-2009, 08:17 PM

Welcome,

Please download the tool below but run it from safe mode please(explained below) for possible better results.

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you!Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Uncheck cookies

Before first use:
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

Then Reboot (Exit)

Safe Mode explained:

Now reboot into safe mode( without networking support) by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

Then...

Run hijackthis and click on "scan system only" button and put checks next to this if still there:

O20 - AppInit_DLLs: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\569302341756mmx .dll

Please close ALL browser windows (including this one).

Everything closed out but hijackthis and click on "fix checked"

Reboot your PC.

* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and zLaunch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

wbutt · #3 (**permalink**) 21-07-2009, 05:18 AM

Thanks for the reply Neal, Hijack log did find 020-Appint_dlls was still there and hijack this has removed it.

Malwarebyte Log
Malwarebytes' Anti-Malware 1.39
Database version: 2465
Windows 5.1.2600 Service Pack 3

7/20/2009 9:15:22 PM
mbam-log-2009-07-20 (21-15-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154616
Time elapsed: 20 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

wbutt · #4 (**permalink**) 21-07-2009, 05:39 AM

btw i keep getting this

---------------------------
wmiprvse.exe - Application Error
---------------------------
The instruction at "0x7c901e78" referenced memory at "0x7c9163c3". The memory could not be "written".

Click on OK to terminate the program
---------------------------
OK
---------------------------

anyclue how to remove it?

Neal · #5 (**permalink**) 21-07-2009, 07:24 PM

Good deal,

Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And post a new HJT log also..

wbutt · #6 (**permalink**) 21-07-2009, 09:10 PM

Thanks for the reply Neal

I couldnt get bitdefender's scan working, it kept freezing up i gave up on it after a few hours (i would do the scan, leave to do some gardening and come back with it frozen at 93% and it stayed there for over an hour). I did this with no other windows/programs running. I even turned off my firewall for one attempt, no change.

Here is my hijack this log if it still helps
Thanks for your time

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:35 PM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7648 bytes

Neal · #7 (**permalink**) 22-07-2009, 05:30 AM

Ok, let's go a different route.

Visit this page below to familiarize yourself to the tool below and download from one of the links provided.

A guide and tutorial on using ComboFix

If you have previously downloaded ComboFix,please delete that version now.

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now

How To Disable

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.

*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

ComboFix SHOULD NOT be used unless requested by a forum helper.

wbutt · #8 (**permalink**) 22-07-2009, 01:16 PM

Thanks for the reply Neal

Im a little concerned, i followed the how to disable link to the T; i use avira and i had my active guard disabled + internet d/c.

However before starting combofix it stated that it was active, i closed it quickly and checked again, and confirmed that the active guard was indeed inactive. However combofix made my system reboot for an earlier stage, and because aviria has auto-enable active guard enabled it was technically running during combo log (i didnt get an option to disable, combofix ran immediately after the force reboot. When avira popped up i told it to ignore combo log letting it run. I hope that it didnt drastically effect this scan result :/

Heres my combofix log

ComboFix 09-07-21.03 - HP_Administrator 07/22/2009 4:58.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1644 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\windows\Install.txt
c:\windows\system32\drivers\geyekrreaoykyj.sys
c:\windows\system32\geyekrhsdsngqp.dll
c:\windows\system32\geyekrlnoedgio.dat
c:\windows\system32\geyekrodvppfcp.dat
c:\windows\system32\geyekrpufhygpw.dll
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrxddlsvif
-------\Legacy_6TO4
-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-21 18:43 . 2009-07-21 18:56 -------- d-----w- c:\windows\BDOSCAN8
2009-07-17 16:39 . 2009-07-17 16:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\19377654
2009-07-14 10:14 . 2009-07-14 10:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DragonicaSCB
2009-07-14 07:30 . 2009-07-14 07:30 -------- d-----w- c:\program files\IAHGames
2009-07-14 02:14 . 2009-07-14 06:40 -------- d-----w- c:\program files\Dragonica Online - Closed Beta Test
2009-07-13 10:31 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-13 10:31 . 2009-07-13 10:31 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-13 10:18 . 2009-07-13 10:18 -------- d-----w- c:\program files\GALA-NET
2009-07-11 06:24 . 2009-07-11 06:38 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-06 10:39 . 2009-07-06 10:39 -------- d-----w- c:\windows\Sun
2009-07-05 06:27 . 2009-07-05 06:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\vsosdk
2009-07-05 06:03 . 2009-07-05 06:03 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-07-05 06:03 . 2009-07-05 06:03 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-05 06:03 . 2009-07-05 06:03 47360 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-07-05 06:03 . 2009-07-05 06:35 -------- d-----w- c:\program files\DVDFab 6
2009-07-05 06:01 . 2009-07-05 06:01 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ImgBurn
2009-07-05 05:59 . 2009-07-05 06:01 -------- d-----w- c:\program files\ImgBurn
2009-07-03 12:06 . 2009-07-05 10:37 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-07-03 12:06 . 2009-07-05 10:37 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-07-03 12:06 . 2009-07-05 10:37 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-07-03 12:06 . 2009-07-03 12:06 -------- d-----w- c:\windows\Replay Media Catcher
2009-07-03 07:59 . 2009-07-03 07:59 -------- d-----w- c:\program files\Common Files\DirectX
2009-07-03 07:52 . 2009-07-03 07:52 -------- d-----w- c:\windows\system32\AGEIA
2009-07-03 07:52 . 2009-07-03 07:52 -------- d-----w- c:\program files\AGEIA Technologies
2009-07-03 07:39 . 2009-07-03 07:39 -------- d-----w- C:\NVIDIA
2009-07-03 06:58 . 2009-07-14 11:31 -------- d-----w- c:\program files\Codemasters
2009-07-01 21:14 . 2009-07-07 21:10 35 ----a-w- c:\windows\popcinfo.dat
2009-06-24 10:11 . 2009-06-24 10:11 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-24 09:58 . 2009-06-24 09:58 -------- d-----w- c:\program files\TeamViewer
2009-06-24 00:07 . 2009-06-24 00:07 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-06-23 23:39 . 2009-06-23 23:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-23 22:58 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-23 22:58 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-23 02:33 . 2009-06-23 02:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\teamspeak2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-07-22 11:48 . 2009-05-18 06:02 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-07-20 07:52 . 2009-06-20 22:52 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL
2009-07-20 06:06 . 2009-06-20 22:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 22:28 . 2009-06-19 07:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 23:44 . 2009-06-03 01:12 41 ----a-w- c:\windows\popcinfot.dat
2009-07-14 21:39 . 2009-05-18 02:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-13 20:36 . 2009-06-19 07:51 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-06-19 07:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 08:05 . 2009-05-18 02:33 8 ----a-w- c:\windows\system32\nvModes.dat
2009-07-03 07:52 . 2009-05-26 23:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 07:43 . 2009-05-18 06:03 -------- d-----w- c:\program files\uTorrent
2009-07-03 06:58 . 2006-05-24 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 21:31 . 2006-05-24 03:29 84976 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 00:08 . 2009-05-18 02:30 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-24 00:08 . 2009-05-18 02:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-24 00:06 . 2009-05-18 02:29 -------- d-----w- c:\program files\Creative
2009-06-23 23:39 . 2006-05-24 02:59 -------- d-----w- c:\program files\Java
2009-06-21 15:46 . 2009-05-18 02:25 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-20 22:55 . 2009-06-20 07:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-20 22:51 . 2009-06-20 22:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-20 22:51 . 2009-06-20 22:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-06-20 08:36 . 2009-06-19 07:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-06-20 08:06 . 2009-06-20 08:06 -------- d-----w- c:\program files\Trend Micro
2009-06-19 08:57 . 2009-06-19 08:57 -------- d-----w- c:\program files\CCleaner
2009-06-19 07:54 . 2009-06-19 07:14 -------- d-----w- c:\program files\Lavasoft
2009-06-19 07:54 . 2009-06-19 07:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-06-19 07:54 . 2009-06-19 07:54 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-19 07:51 . 2009-06-19 07:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-06-18 06:19 . 2009-05-18 06:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DAEMON Tools Lite
2009-06-16 14:36 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-10 15:28 . 2009-06-10 15:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 15:28 . 2009-06-10 15:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 15:28 . 2009-06-10 15:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 15:28 . 2009-06-10 15:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 15:28 . 2009-06-10 15:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 15:28 . 2009-06-10 15:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 15:28 . 2009-06-10 15:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 13:03 . 2009-05-18 02:25 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 13:03 . 2009-05-01 05:02 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 13:03 . 2009-05-01 05:02 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 13:03 . 2009-05-01 05:02 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 13:03 . 2009-05-01 05:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 13:03 . 2009-05-01 05:02 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 13:03 . 2009-05-01 05:02 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 13:03 . 2009-05-01 05:02 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 13:03 . 2009-05-01 05:02 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 13:03 . 2006-05-24 03:13 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 13:03 . 2006-05-24 03:13 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-06 04:11 . 2009-06-06 04:11 -------- d-----w- c:\program files\Xvid
2009-06-06 04:09 . 2009-05-18 06:22 -------- d-----w- c:\program files\DivX
2009-06-06 04:09 . 2009-05-18 06:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 19:09 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 22:51 . 2009-06-02 22:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PopCap Games
2009-06-01 12:04 . 2009-05-18 06:27 -------- d-----w- c:\program files\CDisplay
2009-06-01 05:36 . 2009-06-01 05:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-05-31 22:42 . 2009-05-31 22:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-05-28 04:55 . 2009-05-26 23:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2009-05-26 23:11 . 2009-05-26 23:11 -------- d-----w- c:\program files\Ventrilo
2009-05-18 06:31 . 2009-05-18 06:31 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 02:38 . 2009-05-18 02:38 0 ----a-w- c:\windows\nsreg.dat
2009-05-18 02:11 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-18 02:11 . 2009-05-18 02:11 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSet up.exe
2009-05-18 02:11 . 2009-05-18 02:11 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-05-18 02:11 . 2009-05-18 02:11 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-05-18 02:11 . 2009-05-18 02:11 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-05-18 02:11 . 2009-05-18 02:11 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetect ion3.dll
2009-05-18 02:11 . 2009-05-18 02:11 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-05-18 02:11 . 2009-05-18 02:11 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-05-18 02:11 . 2009-05-18 02:11 217088 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-05-18 02:11 . 2009-05-18 02:11 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dl l
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-29 04:46 . 2004-08-10 04:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-28 16:55 . 2009-04-28 16:55 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-22 11:50 . 2009-05-18 02:38 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-23 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2009-06-10 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-23 27136]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"58162:TCP"= 58162:TCP:Pando Media Booster
"58162:UDP"= 58162:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/17/2009 7:41 PM 108289]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\driver s\CT20XUT.sys [10/8/2008 1:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\driv ers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\driver s\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\ drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/23/2009 5:07 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XU T.sys [10/8/2008 1:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEX FIFX.sys [10/8/2008 1:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIU T.sys [10/8/2008 1:21 AM 72728]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION &pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Prof iles\c23yrm5a.default\
FF - prefs.js: browser.startup.homepage - Google
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-22 05:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\n pggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3080)
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDClock.exe
c:\windows\system32\rundll32.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
************************************************** ************************
.
Completion time: 2009-07-22 5:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 12:10
ComboFix2.txt 2009-06-23 23:00

Pre-Run: 18,778,501,120 bytes free
Post-Run: 18,722,447,360 bytes free

261 --- E O F --- 2009-07-14 21:39

Neal · #9 (**permalink**) 22-07-2009, 08:20 PM

Go here to learn how to show hidden files/folders:

http://www.microsoft.com/windowsxp/u...ddenfiles.mspx

Re-hide after we are done

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

c:\windows\system32\rmc_fixasf.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

If that one is to busy here is another option:

http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html

also scan this one please:

c:\windows\popcinfo.dat

Find folder:

c:\document and settings\ALLUSERS\APPLICATION DATA\19377654

And tell me what is in it please.

wbutt · #10 (**permalink**) 23-07-2009, 01:11 AM

Thanks for the reply Neal

1. Virustotal scan of c:\windows\system32\rmc_fixasf.exe

File has already been analysed:
MD5: 2cc31cec30a431848310dfe3031d4c59
First received: 2008.09.04 21:09:32 UTC
Date: 2009.07.20 05:38:06 UTC [>2D]
Results: 2/40
Permalink: analisis/eeb5d8733b225913ba90624f951214c73a603ebd991fc39888 47c5c7e3926299-1248068286

2. Virustotal scan of c:\windows\popcinfo.dat
VirusTotal - Free Online Virus and Malware Scan - Result

3. contents of c:\document and settings\ALLUSERS\APPLICATION DATA\19377654

Just a file called 19377654
l