
Solved: Possible Trojan..help please :)

Discussion in 'Virus & Other Malware Removal' started by MJT27, Nov 9, 2007.

  1. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    Hi,

    Well, I'm here because I have a rapidshare acct and today I couldn't log into it, so I contacted rapidshare and this is what I got back from them: "We have changed your password and restored your user e-mail address to your signup e-mail address because we think that someone hacked your account. Additionally, we suggest you check your computer for viruses and trojan programs."

    Well, now I'm freaking out. I have run a dozen scans and I can't seem to find anything, but to make sure I wanted you all to check my hijack scan and tell me what you think. Thanks so much; it would really put my mind at ease.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:13 PM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: CreateRP.VBS
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185683847109
    O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/229/webolr/OCX/FlashAX.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    Thanks,

    Mike
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,371
    First Name:
    Derek
    that is the old version of HJT

    uninstall it &
    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    OK, thank you for the new link. Here's the newest scan results:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:31:44 PM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: CreateRP.VBS
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185683847109
    O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/229/webolr/OCX/FlashAX.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6052 bytes
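As an added example (not from the thread, and not HijackThis's own code): a Python triage script that parses the R/O entry format of the logs above and lists the entries a malware helper would look at first, with a reason for each. The sample lines are constructed and modelled on the posted logs; the list of expected ActiveX download domains is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the entries in the
# logs posted in this thread (not the full log, and not output from HijackThis).
SAMPLE_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Platform: Windows XP SP2 (WinNT 5.01.2600)",
    r"",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    r"",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - Startup: CreateRP.VBS",
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)",
    r"O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185683847109",
    r"O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

ORPHAN_MARKERS = ("(no file)", "(file missing)")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Assumption for this example: ActiveX (O16 DPF) downloads from these domains are
# expected on a Windows XP machine; anything else is listed for review.
EXPECTED_DPF_DOMAINS = ("microsoft.com",)
LOOPBACK_OVERRIDES = ("127.0.0.1", "<local>", "127.0.0.1;<local>", "localhost")


@dataclass
class Finding:
    code: str
    entry: str
    reason: str


def parse_entries(lines):
    """Return (code, body) pairs for the R/F/N/O entries; header and process list are skipped."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def dpf_host(body):
    """Hostname an O16 control is downloaded from, or None for a local file."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def triage(lines):
    """List the entries worth a second look, in log order, each with a reason."""
    findings = []
    for code, body in parse_entries(lines):
        entry = f"{code} - {body}"
        lower = body.lower()
        reason = None
        if any(mark in lower for mark in ORPHAN_MARKERS):
            reason = "orphaned entry: the registry still references an object whose file is gone (uninstall leftover; harmless, can be fixed)"
        elif code == "R3" and "is missing" in lower:
            reason = "default URLSearchHook missing: not malicious by itself; HijackThis can restore the default"
        elif code == "R1" and "proxyoverride" in lower:
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value in LOOPBACK_OVERRIDES:
                reason = "proxy bypass limited to loopback (usually set by software that runs a local proxy; low concern)"
            else:
                reason = f"proxy bypass list is {value!r}: confirm it is expected"
        elif code == "O4" and lower.endswith(SCRIPT_EXTS):
            reason = "script run at logon: confirm you recognise it; a script in the Startup folder is a common persistence location"
        elif code == "O16":
            host = dpf_host(body)
            if host and not any(host == d or host.endswith("." + d) for d in EXPECTED_DPF_DOMAINS):
                reason = f"ActiveX control downloaded from {host}: third-party, remove if no longer wanted"
        if reason:
            findings.append(Finding(code, entry, reason))
    return findings


def summary(findings):
    """Count of flagged entries per section code."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run against the sample it flags seven entries and leaves the Adobe BHO, the AVG Run entry, the Microsoft Update control and the NVIDIA service alone; point it at a saved hijackthis.log by reading the file into a list of lines.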
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,371
    First Name:
    Derek
    nothing showing there

    try

    download Sunbelt Counterspy Free trial

    Save the install file to desktop and double click it to install counterspy

    Once it has installed, follow the set up wizard which will automatically start, allow it to update itself

    It will take a few minutes to update to the latest definitions file versions

    run a full scan & when it finishes a window will open with all items found

    They should all be marked as quarantine or delete by default, so scroll down & check that nothing you know to be good or want to keep is detected. Then just press the take action button & follow any prompts (set anything you want to keep as ignore).

    post back with its report (on the scan page, press view details & copy that report & paste it back here)
     
  5. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    OK, well I ran a scan with counterspy, but I guess I did something wrong to save the report, so I just went into quarantine and copied the things it found and posted them below.

    W32/MEWpacked.gen

    W32/MEWpacked.gen
    Type Malware
    Type Description Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
    Category Trojan
    Category Description Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
    Level High
    Level Description High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
    Advice Type Remove
    Release Date Nov 21 2006
    Last updated on Oct 12 2007
    File Traces
    RiverBelleCasino

    RiverBelleCasino
    Type Low Risk Software
    Type Description Low Risk Software should not harm your machine or compromise your privacy and security unless it has been installed without your knowledge and consent. A Low Risk Software application may be a program that you knowingly and deliberately installed and that you wish to keep. Although some Low Risk Software programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy.
    Category Potentially Unwanted Program
    Category Description Potentially Unwanted Programs include software that does not fit into another category (such as Low Risk Adware or Potential Privacy Risk) that users might want detected because the software includes some form of potentially objectionable functionality.
    Level Low
    Level Description Low risks should not harm your machine or compromise your privacy and security unless they have been installed without your knowledge and consent. A low risk may be a program, network tool, or system utility that you knowingly and deliberately installed and that you wish to keep. Although some low risk programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy. Low risks may also be cookies, which can be used to track your online activities, though without identifying you personally.
    Advice Type Ignore
    Description RiverBelleCasino is an online casino gambling application that requires software to be downloaded to the user's machine in order to play.
    Add. Description The privacy and security policy posted on the website does not state what information is collected and how the information will be used. (www.riverbelle.com/casino/security-privacy.asp) While on the website, the user is prompted to download the software on nearly every page.
    Author Belle Rock Entertainment
    Author Description "With over 160 realistic, interactive games, online gaming has never been better. River Belle has something for everyone to appreciate, including exciting monthly promotions, an exclusive loyalty program, safe and secure deposit options and 24/7 customer support."
    Author URL riverbelle.com/casino
    Release Date Sep 14 2006
    Last updated on Jul 24 2006
    File Traces
    %DESKTOPDIRECTORY%\ getriverbellecasino.exe
    %LOCAL_SETTINGS%\ temp\ riverbelle.exe
    %PROGRAM_FILES%\ nyoko.dll
    %PROGRAM_FILES%\ riverbelle\ casino.dll
    %PROGRAM_FILES%\ riverbelle\ casinogame.exe
    %PROGRAM_FILES%\ riverbelle\ fdi.dll
    %PROGRAM_FILES%\ riverbelle\ mcrypt.dll
    %PROGRAM_FILES%\ riverbelle\ mgscomms.dll
    %PROGRAM_FILES%\ riverbelle\ mupp.dll
    %PROGRAM_FILES%\ riverbelle\ olr.dll
    %PROGRAM_FILES%\ riverbelle\ res.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ _uninstall\ viperkeyrem.exe
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ bigkahunacommon\ bigkahuna.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ menu\ casinolobby.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ menu\ menucore.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ tikimaskbonus\ tikimaskbonusgame.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ type_3reelnormal1_2\ type_3reelnormal1_2.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ voidcommon\ void.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ volcanobonus\ volcanobonusgame.dll
    %PROGRAM_FILES%\ riverbelle\ riverbelle\ xml\ xmlparserplugin.dll
    %PROGRAM_FILES%\ riverbelle\ vclient.dll
    %PROGRAM_FILES%\ riverbelle\ vcore.dll
    %PROGRAM_FILES%\ riverbelle\ vpac.dll
    CasinoOnNet

    Type Low Risk Software
    Type Description Low Risk Software should not harm your machine or compromise your privacy and security unless it has been installed without your knowledge and consent. A Low Risk Software application may be a program that you knowingly and deliberately installed and that you wish to keep. Although some Low Risk Software programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy.
    Category Potentially Unwanted Program
    Category Description Potentially Unwanted Programs include software that does not fit into another category (such as Low Risk Adware or Potential Privacy Risk) that users might want detected because the software includes some form of potentially objectionable functionality.
    Level Low
    Level Description Low risks should not harm your machine or compromise your privacy and security unless they have been installed without your knowledge and consent. A low risk may be a program, network tool, or system utility that you knowingly and deliberately installed and that you wish to keep. Although some low risk programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy. Low risks may also be cookies, which can be used to track your online activities, though without identifying you personally.
    Advice Type Ignore
    Description CasinoOnNet is an online gambling application that requires users to download software in order to play.
    Add. Description CasinoOnNet is primarily distributed at Cassava's own websites. When landing on the site, the user is immediately confronted with an aggressive prompt to download the software. When the user clicks yes, a stub installer is downloaded and, when run, subsequently downloads additional software. The user is not shown an End User License Agreement (EULA) or privacy policy during the download and installation process. CasinoOnNet is marketed through aggressive advertising with pop-ups on websites and in adware applications that may have been installed on the user's machine through exploits without notice and consent. CasinoOnNet does not display third-party advertising on the user's desktop and is no longer known to be bundled with P2P application Grokster. If the user registers to play online, the user must volunteer personally identifying information (PII) that will be transmitted to Cassava's servers. No PII is known to be collected and transmitted surreptitiously.
    Author Cassava Enterprises (Gibraltar) Limited
    Author Description Casino-on-Net Online Casino provides, since 1997, the very best in safe, fun and fair Online Casino gambling entertainment. Casino-on-Net, No.1 Online Casino, offers you a 100% match Up Bonus, up to $200, on your first Online Casino deposit, superior 24/7 Customer Support and fast Cash Outs.
    Author URL Casino-on-net.com
    Release Date Sep 14 2006
    Last updated on Oct 15 2007
    File Traces
    %DESKTOPDIRECTORY%\ installcasino.exe
    %DESKTOPDIRECTORY%\ pacificpoker.exe
    %DESKTOPDIRECTORY%\ setupcasino.exe
    %LOCAL_SETTINGS%\ temp\ casinonet.exe
    %LOCAL_SETTINGS%\ temp\ casinonetsetup.exe
    %LOCAL_SETTINGS%\ temp\ pacificpokersetup.exe
    %program_files%\ casino~1\ utils\ casinoonnet.exe
    %PROGRAM_FILES%\ casinoonnet\ casino.exe
    %PROGRAM_FILES%\ casinoonnet\ downloadinstaller.exe
    %PROGRAM_FILES%\ casinoonnet\ shared_.dll
    %PROGRAM_FILES%\ casinoonnet\ utils\ casinoonnet.exe
    %program_files%\ cdpoker\ casino.exe
    %PROGRAM_FILES%\ common files\ ca shared\ biuninst.exe
    %program_files%\ noble poker\ casino.exe
    %PROGRAM_FILES%\ pacificpoker\ listproc.exe
    %PROGRAM_FILES%\ pacificpoker\ shared_.dll
    %PROGRAM_FILES%\ pacificpoker\ utils\ poker.exe
    %PROGRAM_FILES%\ reef club casino\ downloadinstaller.exe
    %PROGRAM_FILES%\ reef club casino\ reef.exe
    %system%\ {bde90b86-6978-4b17-a1fe-5d86bb6446ae}.exe
    %windows%\ monaco gold casino setup.exe
    c:\ casino-on-net.exe
    c:\ casino\ baraka casino online\ casino.exe
    c:\ casino\ carnival casino\ casino.exe
    c:\ casino\ casino del rio\ casino.exe
    c:\ casino\ club dice casino\ casino.exe
    c:\ casino\ goldgate casino\ casino.exe
    c:\ casino\ monaco gold casino\ cactivex.dll
    c:\ casino\ monaco gold casino\ casino.exe
    c:\ casino\ monaco gold casino\ data\ aroundtheworld.dll
    c:\ casino\ monaco gold casino\ data\ baccarat.dll
    c:\ casino\ monaco gold casino\ data\ baccaratlive.dll
    c:\ casino\ monaco gold casino\ data\ balls.dll
    c:\ casino\ monaco gold casino\ data\ cashier.dll
    c:\ casino\ monaco gold casino\ data\ common.dll
    c:\ casino\ monaco gold casino\ data\ loader.dll
    c:\ casino\ monaco gold casino\ data\ lobby.dll
    c:\ casino\ monaco gold casino\ gdigraphdriver.dll
    c:\ casino\ monaco gold casino\ replace.exe
    c:\ casino\ vegas red casino\ casino.exe
    casino.exe
    casinoonnet.exe
    dlhelperexe.exe
    installcasino.exe
    pacificpokersetup.exe


    All 3 are sitting in quarantine. Should I leave them there or should I have them permanently deleted?


    Thanks,

    Mike
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,371
    First Name:
    Derek
    leave them in quarantine

    they are safe there

    Let's see what else might be lurking. The MEWpacked one can be very dangerous, and if CS only found one there might be more of its partners.

    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  7. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    OK, here's my ComboFix log:


    ComboFix 07-11-08.1 - MJT 2007-11-11 19:22:24.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.103 [GMT -8:00]
    Running from: C:\Documents and Settings\MJT\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\1187309321.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-11 19:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-11 14:43 <DIR> d-------- C:\Program Files\Common Files\CA Shared
    2007-11-11 09:17 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
    2007-11-11 07:34 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-11-10 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-11-10 23:35 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-11-10 20:30 0 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-11-10 20:30 0 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-11-10 20:19 <DIR> d-------- C:\Documents and Settings\MJT\Application Data\Sunbelt Software
    2007-11-10 19:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-09 22:31 <DIR> d-------- C:\Program Files\Trend Micro - Hijackthis
    2007-11-09 00:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-11-08 01:42 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2007-11-08 01:42 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2007-11-08 01:42 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2007-11-08 01:42 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2007-11-08 01:42 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2007-11-08 01:41 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
    2007-11-08 01:41 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2007-11-08 01:41 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
    2007-11-08 01:41 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
    2007-11-08 01:41 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2007-11-08 01:41 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
    2007-11-08 01:40 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
    2007-11-08 01:40 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
    2007-11-08 01:40 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
    2007-11-08 01:40 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
    2007-11-08 01:40 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
    2007-11-08 01:40 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
    2007-11-08 01:40 23,615 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
    2007-11-08 01:40 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
    2007-11-08 01:32 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
    2007-11-08 01:32 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
    2007-11-08 01:32 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
    2007-11-08 01:32 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
    2007-11-08 01:32 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
    2007-11-08 01:31 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
    2007-11-08 01:31 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
    2007-11-08 01:31 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
    2007-11-08 01:31 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
    2007-11-08 01:31 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
    2007-11-08 01:31 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
    2007-11-08 01:31 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
    2007-11-08 01:31 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
    2007-11-08 01:30 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
    2007-11-08 01:27 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
    2007-11-08 01:27 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
    2007-11-08 01:27 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
    2007-11-08 01:27 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
    2007-11-08 01:27 10,880 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys
    2007-11-08 01:27 6,912 --a--c--- C:\WINDOWS\system32\dllcache\seaddsmc.sys
    2007-11-08 01:27 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
    2007-11-08 01:26 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
    2007-11-08 01:26 245,632 --a--c--- C:\WINDOWS\system32\dllcache\s3savmx.dll
    2007-11-08 01:26 75,392 --a--c--- C:\WINDOWS\system32\dllcache\s3savmxm.sys
    2007-11-08 01:26 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
    2007-11-08 01:26 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
    2007-11-08 01:26 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmn50m.sys
    2007-11-08 01:26 17,280 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
    2007-11-08 01:26 16,640 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
    2007-11-08 01:19 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
    2007-11-08 01:19 180,360 --a--c--- C:\WINDOWS\system32\dllcache\ntmtlfax.sys
    2007-11-08 01:19 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
    2007-11-08 01:19 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
    2007-11-08 01:19 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
    2007-11-08 01:18 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
    2007-11-08 01:18 126,080 --a--c--- C:\WINDOWS\system32\dllcache\nm5a2wdm.sys
    2007-11-08 01:18 87,040 --a--c--- C:\WINDOWS\system32\dllcache\nm6wdm.sys
    2007-11-08 01:18 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
    2007-11-08 01:18 32,840 --a--c--- C:\WINDOWS\system32\dllcache\ngrpci.sys
    2007-11-08 01:18 28,672 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
    2007-11-08 01:18 9,344 --a--c--- C:\WINDOWS\system32\dllcache\ntapm.sys
    2007-11-08 01:18 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
    2007-11-08 01:15 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
    2007-11-08 01:15 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
    2007-11-08 01:15 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
    2007-11-08 01:15 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
    2007-11-08 01:14 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
    2007-11-08 01:14 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
    2007-11-08 01:14 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
    2007-11-08 01:14 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2007-11-08 01:14 6,528 --a--c--- C:\WINDOWS\system32\dllcache\miniqic.sys
    2007-11-08 01:14 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
    2007-11-08 01:11 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
    2007-11-08 01:11 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
    2007-11-08 01:11 37,376 --a--c--- C:\WINDOWS\system32\dllcache\kousd.dll
    2007-11-08 01:11 26,442 --a--c--- C:\WINDOWS\system32\dllcache\lanepic5.sys
    2007-11-08 01:11 19,016 --a--c--- C:\WINDOWS\system32\dllcache\ktc111.sys
    2007-11-08 01:11 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
    2007-11-08 01:11 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
    2007-11-08 01:10 27,136 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
    2007-11-08 01:10 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
    2007-11-08 01:10 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys
    2007-11-08 01:10 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2007-11-08 01:10 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
    2007-11-08 01:10 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
    2007-11-08 01:10 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
    2007-11-08 01:10 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
    2007-11-08 01:09 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
    2007-11-08 01:09 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 22:12 --------- d-----w C:\Program Files\FlashGet
    2007-11-11 06:56 --------- d-----w C:\Documents and Settings\MJT\Application Data\AVG7
    2007-11-11 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-11 03:32 --------- d-----w C:\Program Files\Lavasoft
    2007-11-09 15:05 --------- d-----w C:\Program Files\SpywareBlaster
    2007-11-09 08:43 --------- d-----w C:\Program Files\Java
    2007-11-08 20:28 --------- d-----w C:\Program Files\PestPatrol
    2007-11-06 00:32 --------- d-----w C:\Documents and Settings\MJT\Application Data\LimeWire
    2007-11-05 11:38 --------- d-----w C:\Program Files\Ashampoo
    2007-10-20 22:13 --------- d-----w C:\Program Files\RenGames
    2007-10-13 09:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-13 09:51 --------- d-----w C:\Documents and Settings\MJT\Application Data\Pogo Games
    2007-10-05 08:22 --------- d-----w C:\Program Files\SBC Self Support Tool
    2007-09-30 05:09 --------- d-----w C:\Program Files\MSN Messenger
    2007-09-28 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS
    2007-09-27 05:54 --------- d-----w C:\Documents and Settings\MJT\Application Data\LimeWireTurbo
    2007-09-25 06:54 --------- d-----w C:\Program Files\Yahoo!
    2007-09-25 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
    2007-09-20 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
    2007-09-20 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2007-09-17 18:01 --------- d-----w C:\Documents and Settings\MJT\Application Data\Lavasoft
    2007-09-15 20:32 --------- d-----w C:\Program Files\Wild Side Radio
    2007-08-27 19:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 13:16]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 07:06]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00]
    "Yahoo! Pager"="1" []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
    backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MJT^Start Menu^Programs^Startup^AntiCrash.lnk]
    path=C:\Documents and Settings\MJT\Start Menu\Programs\Startup\AntiCrash.lnk
    backup=C:\WINDOWS\pss\AntiCrash.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MJT^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\MJT\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
    c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
    "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
    c:\PROGRA~1\PESTPA~1\PPControl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrolCL]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
    c:\PROGRA~1\PESTPA~1\PPMemCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "C:\Program Files\Save\Save.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1

    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
    R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys

    *Newly Created Service* - CATCHME
    *Newly Created Service* - SBAPIFS
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-12 00:16:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{05335C7F-3F49-4075-94C8-3EE93C418FBA}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 19:29:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 19:31:11
    .
    --- E O F ---



    Thank you
     
  8. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    How does this look? Is it clean?
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,371
    First Name:
    Derek
    I can't see anything bad left there.

    BUT while you use LimeWire & other P2P programs you are severely at risk and will be constantly infected.

    Turn off System Restore by following the instructions here:
    http://www.thespykiller.co.uk/index.php?page=8
    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
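    Added example (not code from the thread, from ComboFix or from dvk01) showing how the items a reviewer checks in a ComboFix report can be pulled out mechanically: what ComboFix deleted, which services it created, the catchme hidden-file count, and any P2P autostart entries. The section banners and key layout follow the log posted above; the embedded report is a constructed excerpt, and attributing the SBAPIFS service to the CounterSpy install seen in the log is an assumption.

```python
"""Triage helper for a ComboFix report like the one posted in this thread.

Added example, not ComboFix's or the thread's own code: it extracts what a reviewer
checks first (deletions, new services, the catchme hidden-file count, P2P autostarts).
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.*?)\s*\)+$")        # "((( Other Deletions )))"
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")              # "[HKEY_...\Run]"
VALUE_RE = re.compile(r'^"[^"]*"="(?P<data>[^"]*)"')            # "Name"="data" [date]
SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(?P<name>\S+)")
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)")          # catchme summary line
RESET_RE = re.compile(r"^([RS]\d\s|\*|Contents of)")            # drivers, catchme banner, tasks
NUMERIC_EXE_RE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)      # e.g. 1187309321.exe
# CATCHME is ComboFix's own rootkit scanner; SBAPIFS is assumed to belong to the
# CounterSpy install visible in the thread's log (sbapifs.sys, Sunbelt Software).
EXPECTED_SERVICES = {"CATCHME", "SBAPIFS"}
P2P_HINTS = ("limewire", "bearshare", "kazaa", "emule")


@dataclass
class Report:
    deletions: list = field(default_factory=list)
    new_services: list = field(default_factory=list)
    hidden_files: int = -1                          # -1: catchme summary not found
    autoruns: list = field(default_factory=list)    # (registry key, value or line)


def parse_combofix(text: str) -> Report:
    """Walk the report line by line, tracking the current section banner and key."""
    rep, section, key = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("*Note*"):
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group("name"), None
        elif m := KEY_RE.match(line):
            key = m.group("key")
        elif m := SERVICE_RE.match(line):
            rep.new_services.append(m.group("name"))
        elif m := HIDDEN_RE.match(line):
            rep.hidden_files = int(m.group("n"))
        elif RESET_RE.match(line):
            section = key = None
        elif section == "Other Deletions":
            rep.deletions.append(line)
        elif key is not None:
            m = VALUE_RE.match(line)
            rep.autoruns.append((key, m.group("data") if m else line))
    return rep


def triage(rep: Report) -> list:
    """Return the findings a reviewer would want to see, most serious first."""
    findings = []
    for path in rep.deletions:
        tag = " (digit-only name, a common dropper pattern)" if NUMERIC_EXE_RE.search(path) else ""
        findings.append(f"deleted by ComboFix: {path}{tag}")
    for svc in rep.new_services:
        if svc.upper() not in EXPECTED_SERVICES:
            findings.append(f"new service not attributable to a known tool: {svc}")
    if rep.hidden_files < 0:
        findings.append("catchme summary missing: rootkit scan did not complete")
    elif rep.hidden_files:
        findings.append(f"catchme reported {rep.hidden_files} hidden file(s)")
    seen = set()
    for key, value in rep.autoruns:
        if key not in seen and any(h in (key + " " + value).lower() for h in P2P_HINTS):
            seen.add(key)
            findings.append("P2P autostart entry: " + key.rsplit("\\", 1)[-1])
    return findings


# Constructed excerpt modelled on the log posted in this thread (not the full log).
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\1187309321.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 07:06]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MJT^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\MJT\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
**************************************************************************
hidden files: 0
"""

if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_REPORT)):
        print("-", finding)
```

    On the sample it reports the deleted digit-named executable and the LimeWire startup link, and stays silent on the two expected services and the zero hidden-file count.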
     
  10. MJT27

    MJT27 Thread Starter

    Joined:
    Feb 1, 2004
    Messages:
    159
    Ok thanks so much...and I will follow up on these suggestions as well...I do run Secunia, in fact I ran it earlier today and fixed my Java update and the missing Windows update...so all should be well there.

    I appreciate your time and help

    Mike
     
Short URL to this thread: https://techguy.org/649878