
Solved I think I have infostealer.gamepass

Discussion in 'Malware and Virus Removal Archive' started by Toba, 2008/09/22.

  1. 2008/09/22
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    [Resolved] I think I have infostealer.gamepass

    This is my first time here, but I believe I should start by posting my HJT log file?

    If so:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:42:19 PM, on 9/22/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    G:\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    G:\Winamp\winampa.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    G:\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TinyProxy\TinyProxy.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    G:\Steam\steam.exe
    G:\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    G:\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    G:\Symantec AntiVirus\vptray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    G:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [servcrypt] C:\WINDOWS\system32\svchost.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "G:\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] G:\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "g:\steam\steam.exe" -silent
    O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\MICROS~1\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - G:\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - G:\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 9085 bytes
     
    Toba,
    #1
  2. 2008/09/22
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    If it helps, I got this virus from a downloader on Facebook. I was prompted to update my Flash Player, which obviously was a dupe looking back now. Otherwise, most things run normally. If I click a link, it goes to a spam ad, but if I manually type an address into the address bar, it works fine. Otherwise, from what I understand, it is a password logger, so I have made sure not to enter any sensitive passwords on my home computer, and use computers at my school's lab.
     
    Toba,
    #2


  4. 2008/09/23
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    Toba,
    #3
  5. 2008/09/23
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Hello Toba,
    welcome to Windows BBS ... :) ... !

    You need to give the experts a bit more time to respond. Maybe they have a job and even sleep a few hours every now and then ... ;) ... ?

    Your third post contains a link which requires approval. Sit on your hands until you get a response.

    Christer
    (not an expert)
     
  6. 2008/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Thanks Christer. :)

    Hi Toba
    That would not be a good idea. Every system is different.

    Please tell me where Norton is finding the infostealer file.

    Thanks
    Geri
     
    Geri,
    #5
  7. 2008/09/23
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    Sorry, I do not use Norton. And Symantec did not find the virus. I was going off of researching the symptoms of the virus, and also how I got the virus.

    What do you recommend?
     
    Toba,
    #6
  8. 2008/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Geri,
    #7
  9. 2008/09/24
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    Sorry about being so vague. I assumed it to be a virus when, as I posted above, I downloaded what I thought was an update to Flash Player. Afterwards, I could not use anything that used Flash, and whenever I clicked links on websites, it would take me to random spam ads instead of the site I wanted.

    So, I googled the way the "virus" was downloaded by me, and what my symptoms were, and all the searches mentioned infostealer.gamepass, and many people had stated on various forums that they had received the same problem through Facebook that I had.

    Again, I apologize for not knowing much about computers, and thank you for your responses.

    I will try and run Symantec again to see if anything comes up.
     
    Toba,
    #8
  10. 2008/09/24
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    OK, I had outdated definitions; that might help.

    Had infostealer.gamepass in:

    C:\Documents and Settings\Eric Moberg\Local Settings\Temp\IXP000.TMP\scvhost.exe
    C:\Documents and Settings\Eric Moberg\Local Settings\Temp\IXP001.TMP\scvhost.exe
    C:\Documents and Settings\Eric Moberg\Local Settings\Temp\IXP002.TMP\scvhost.exe
    C:\Documents and Settings\Eric Moberg\Local Settings\Temp\IXP003.TMP\scvhost.exe
    C:\Documents and Settings\Eric Moberg\Local Settings\Temp\IXP004.TMP\scvhost.exe

    Others:

    Backdoor.Trojan
    C:\Program Files\tinyproxy\tinyproxy.exe



    Would you like another log after Norton finishes up?
     
    Toba,
    #9
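As an added triage aid (not code from this thread, nor from HijackThis or ComboFix), here is a Python script that applies the checks the helpers do by eye to the HJT log in post #1 and the Symantec detections in post #9: a ProxyServer pointing at loopback (the TinyProxy click hijack), svchost.exe launched from a Run key, the built-in Dhcp service name mapped to a binary outside %SystemRoot%, and a look-alike name (scvhost.exe) unpacked into an IExpress IXP000.TMP temp directory. The sample lines are copied from the thread with the user name replaced by a `<user>` placeholder; the core-process and built-in-service lists are my own assumptions, not something the log defines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines taken from the HijackThis log and the
# Symantec detections in this thread, with the user name replaced by <user>.
SAMPLE_HJT_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181",
    r"O4 - HKLM\..\Run: [servcrypt] C:\WINDOWS\system32\svchost.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
])
SAMPLE_AV_HITS = [
    r"C:\Documents and Settings\<user>\Local Settings\Temp\IXP000.TMP\scvhost.exe",
    r"C:\Program Files\tinyproxy\tinyproxy.exe",
]

# Assumed lists. Core Windows processes are started by the kernel or services.exe,
# never from a Run key, and always live under %SystemRoot%.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Built-in XP service short names whose binary always lives under %SystemRoot%.
BUILTIN_SERVICES = {"dhcp", "dnscache", "spooler", "eventlog", "wuauserv",
                    "lanmanserver", "lanmanworkstation"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

R1_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<val>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)   # first executable in a command
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")              # "(Dhcp)" at end of display name
IEXPRESS_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)    # IExpress self-extractor temp dir


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (scvhost vs svchost)
    return d[len(a)][len(b)]


def under_system_root(p: PureWindowsPath) -> bool:
    return any(part.lower() == "windows" for part in p.parts)


def check_path(path: str) -> list:
    """Findings for one executable path: look-alike names, misplaced core binaries, IExpress drops."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    findings = []
    for core in CORE_PROCESSES:
        if name != core and osa_distance(name, core) <= 1:
            findings.append(("lookalike", path, f"file name mimics {core}"))
    if name in CORE_PROCESSES and not under_system_root(p):
        findings.append(("core-outside-windows", path, f"{name} outside %SystemRoot%"))
    if IEXPRESS_RE.search(path):
        findings.append(("iexpress-temp", path, "executable unpacked by an IExpress self-extractor into %TEMP%"))
    return findings


def parse_hjt(text: str) -> list:
    """Walk a HijackThis log and return (code, subject, reason) findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := R1_RE.match(line):
            # Value looks like "http=127.0.0.1:8181" or "127.0.0.1:8181;https=..."
            for entry in m["val"].split(";"):
                host = entry.split("=", 1)[-1].rsplit(":", 1)[0].strip()
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(("loopback-proxy", line, "browser traffic routed through a local proxy process"))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            if not exe:
                continue
            if PureWindowsPath(exe["exe"]).name.lower() in CORE_PROCESSES:
                findings.append(("core-in-run-key", line, f"[{m['name']}] starts a core process from {m['hive']} Run"))
            findings.extend(check_path(exe["exe"]))
        elif m := O23_RE.match(line):
            short = SHORT_RE.search(m["display"])
            short_name = short["short"] if short else m["display"]
            if short_name.lower() in BUILTIN_SERVICES and not under_system_root(PureWindowsPath(m["path"])):
                findings.append(("builtin-service-hijacked", line, f"{short_name} service binary is {m['path']}"))
            findings.extend(check_path(m["path"]))
    return findings


def analyze(hjt_text: str, av_hit_paths) -> list:
    """Combine HJT findings with checks on paths reported by the AV scanner."""
    return parse_hjt(hjt_text) + [f for p in av_hit_paths for f in check_path(p)]
```

Calling `analyze(SAMPLE_HJT_LOG, SAMPLE_AV_HITS)` returns one finding per suspicious item; a clean svchost.exe under C:\WINDOWS\system32 produces none, so the script separates the legitimate Run entries in this log from the four that matter.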
  11. 2008/09/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    OK please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix log.

    Thanks
    Geri
     
  12. 2008/09/24
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    Combofix Log

    ComboFix 08-09-24.08 - Eric Moberg 2008-09-24 23:48:49.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.900 [GMT -5:00]
    Running from: C:\Documents and Settings\Eric Moberg\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Eric Moberg\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
    .

    2008-09-22 08:26 . 2008-09-22 08:26 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-22 08:23 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-09-22 08:23 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-09-19 13:29 . 2008-09-24 17:59 <DIR> d-------- C:\Program Files\TinyProxy
    2008-09-11 21:41 . 2008-09-11 21:41 <DIR> d-------- C:\Program Files\VideoLAN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-24 23:26 --------- d-----w C:\Documents and Settings\Eric Moberg\Application Data\.purple
    2008-09-24 15:14 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
    2008-09-22 13:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-22 13:23 --------- d-----w C:\Program Files\Symantec
    2008-09-22 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-09-08 05:19 --------- d-----w C:\Program Files\DivX
    2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-01 18:47 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
    2008-07-01 18:47 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
    2008-07-01 18:47 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
    2007-10-26 15:49 22,328 ----a-w C:\Documents and Settings\Eric Moberg\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
    "DAEMON Tools"="G:\DAEMON Tools\daemon.exe" [2007-04-03 165784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "Steam"="g:\steam\steam.exe" [2008-06-12 1271032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]
    "servcrypt"="C:\WINDOWS\system32\svchost.exe" [2008-04-13 14336]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "GrooveMonitor"="G:\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 380928]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "WinampAgent"="G:\Winamp\winampa.exe" [2008-04-01 36352]
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="G:\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz"="nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "G:\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "G:\\Starcraft\\StarCraft.exe"=
    "G:\\mIRC\\mirc.exe"=
    "G:\\Pigeon\\pidgin.exe"=
    "G:\\Warcraft III\\Frozen Throne.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "G:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "G:\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "G:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "G:\\Program Files\\Magic\\Program\\Manalink.exe"=
    "G:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "G:\\BitComet\\BitComet.exe"=
    "G:\\Neverwinter Nights 2\\nwn2main.exe"=
    "G:\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "G:\\Neverwinter Nights 2\\nwupdate.exe"=
    "G:\\Neverwinter Nights 2\\nwn2server.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "G:\\Steam\\steamapps\\toba_wareho\\team fortress 2\\hl2.exe"=
    "G:\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "G:\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:War3
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "19441:TCP"= 19441:TCP:BitComet 19441 TCP
    "19441:UDP"= 19441:UDP:BitComet 19441 UDP

    R1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 12416]
    R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-13 28933976]
    R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 10752]

    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Eric Moberg\Application Data\Mozilla\Firefox\Profiles\cdb7accl.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.iastate.edu/
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - G:\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF -: plugin - G:\DivX\DivX Web Player\npdivx32.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-24 23:51:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\xfire_lsp_10908.dll
    .
    Completion time: 2008-09-24 23:54:25
    ComboFix-quarantined-files.txt 2008-09-25 04:53:59

    Pre-Run: 6,015,213,568 bytes free
    Post-Run: 8,950,829,056 bytes free

    141 --- E O F --- 2008-09-11 08:03:04
     
  13. 2008/09/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Do you know what this is?
    C:\Documents and Settings\Eric Moberg\Application Data\.purple


    Please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\Program Files\TinyProxy
    
    DirLook::
    C:\Documents and Settings\Eric Moberg\Application Data\.purple

    Please post the ComboFix log.

    Thanks
    Geri
     
  14. 2008/09/26
    Toba

    Toba Inactive Thread Starter

    Joined:
    2008/09/22
    Messages:
    12
    Likes Received:
    0
    Combofix:

    ComboFix 08-09-24.08 - Eric Moberg 2008-09-26 0:41:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.929 [GMT -5:00]
    Running from: C:\Documents and Settings\Eric Moberg\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Eric Moberg\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\TinyProxy

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
    .

    2008-09-22 08:26 . 2008-09-22 08:26 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-22 08:23 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-09-22 08:23 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-09-11 21:41 . 2008-09-11 21:41 <DIR> d-------- C:\Program Files\VideoLAN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-24 23:26 --------- d-----w C:\Documents and Settings\Eric Moberg\Application Data\.purple
    2008-09-24 15:14 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
    2008-09-22 13:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-22 13:23 --------- d-----w C:\Program Files\Symantec
    2008-09-22 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-09-08 05:19 --------- d-----w C:\Program Files\DivX
    2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-01 18:47 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
    2008-07-01 18:47 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
    2008-07-01 18:47 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
    2007-10-26 15:49 22,328 ----a-w C:\Documents and Settings\Eric Moberg\Application Data\PnkBstrK.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Documents and Settings\Eric Moberg\Application Data\.purple ----

    2008-09-24 18:26 6172 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\blist.xml
    2008-09-24 18:26 1989 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\status.xml
    2008-09-24 18:26 16261 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\prefs.xml
    2008-09-24 18:26 1513 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\accounts.xml
    2008-07-22 19:08 5028 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\accels
    2008-05-20 19:14 6907 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\eafe34409acb25b75e50fc7bd5e903d902af1c18.gif
    2008-05-20 19:14 6132 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\3748a571a6513242157f1a4231db03ca46913d7c.gif
    2008-05-20 19:14 1815 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\04673c3fd5940d798a5d2aaca06f9916b77d34bb.jpg
    2008-04-20 22:52 6079 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\0f8566af3173f2f2b944496ef4a3e4d16d1e72e8.jpg
    2008-03-11 21:25 2305 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\bf870ed485acbb716742db981764c6cc31347d61.jpg
    2008-01-31 18:16 708 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\b38c73991c1a95a37d876d69c998cf83ac036127.gif
    2008-01-02 04:04 1391 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\ce7317affc82572a753d6457ca0341daa495d44d.jpg
    2007-12-05 01:57 5611 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\6d1b71b4447fda914d77fbdb76680f807c5acaa3.jpg
    2007-10-24 15:07 6904 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\78eeb8da69e55e50107a84b704cdfc61043c0911.gif
    2007-10-19 00:28 4967 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\5bcb547d9f356b134bcd34a9a5b15830400fa747.gif
    2007-09-27 20:31 3408 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\a8a9761cf2d061229291d558c8384a4d2442a9ba.jpg
    2007-09-25 21:07 3613 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\ff6b77844a9fdd5f5a0cb581d8602b008398f64b.gif
    2007-08-02 15:32 5911 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\dc15f8a18365649fbc53939552a4d861cd91bdd9.gif
    2007-07-31 21:24 4724 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\5822bddd73107ed7f804b77499012fcf0a3e0057.gif
    2007-07-31 20:46 2437 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\1e5161c1b3a131f86ecd02b9504b5c777e897d14.gif
    2007-07-31 19:18 2759 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\2fcd6134dba9fc40912ca5ce35cc6368e737f480.gif
    2007-07-29 15:24 2370 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\619ebcb33eb36933dd704b4b4c18a9424797472a.jpg
    2007-07-27 20:27 2664 --a------ C:\Documents and Settings\Eric Moberg\Application Data\.purple\icons\20b57251d3682ba8d156fd212a9cf89f0e963394.jpg


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
    "DAEMON Tools"="G:\DAEMON Tools\daemon.exe" [2007-04-03 165784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "Steam"="g:\steam\steam.exe" [2008-06-12 1271032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 7700480]
    "servcrypt "= "C:\WINDOWS\system32\svchost.exe" [2008-04-13 14336]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "GrooveMonitor "= "G:\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "GamerOSD "= "C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 380928]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "WinampAgent "= "G:\Winamp\winampa.exe" [2008-04-01 36352]
    "Lexmark 1200 Series "= "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 86016]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray "= "G:\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "SoundMan "= "SOUNDMAN.EXE" [2006-11-17 C:\WINDOWS\SOUNDMAN.EXE]
    "nwiz "= "nwiz.exe" [2007-04-19 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "G:\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "G:\\Starcraft\\StarCraft.exe"=
    "G:\\mIRC\\mirc.exe"=
    "G:\\Pigeon\\pidgin.exe"=
    "G:\\Warcraft III\\Frozen Throne.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "G:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "G:\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "G:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "G:\\Program Files\\Magic\\Program\\Manalink.exe"=
    "G:\\NeverwinterNights\\NWN\\nwmain.exe"=
    "G:\\BitComet\\BitComet.exe"=
    "G:\\Neverwinter Nights 2\\nwn2main.exe"=
    "G:\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "G:\\Neverwinter Nights 2\\nwupdate.exe"=
    "G:\\Neverwinter Nights 2\\nwn2server.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "G:\\Steam\\steamapps\\toba_wareho\\team fortress 2\\hl2.exe"=
    "G:\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "G:\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:War3
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "19441:TCP"= 19441:TCP:BitComet 19441 TCP
    "19441:UDP"= 19441:UDP:BitComet 19441 UDP

    R1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 12416]
    R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-13 28933976]
    R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 10752]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-26 00:43:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\xfire_lsp_10908.dll
    .
    Completion time: 2008-09-26 0:45:21
    ComboFix-quarantined-files.txt 2008-09-26 05:45:14
    ComboFix2.txt 2008-09-25 04:54:26

    Pre-Run: 8,891,031,552 bytes free
    Post-Run: 8,879,292,416 bytes free

    158 --- E O F --- 2008-09-11 08:03:04
     
  15. 2008/09/26
    Toba

    HiJack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47:04 AM, on 9/26/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    G:\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    G:\Winamp\winampa.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    G:\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    G:\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    G:\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    G:\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [servcrypt] C:\WINDOWS\system32\svchost.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "G:\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] G:\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "g:\steam\steam.exe" -silent
    O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\MICROS~1\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - G:\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - G:\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8890 bytes
     
  16. 2008/09/26
    Geri
    Hi
    You did not answer my question.
    Do you know what this is?
    C:\Documents and Settings\Eric Moberg\Application Data\.purple

    OK please do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O4 - HKLM\..\Run: [servcrypt] C:\WINDOWS\system32\svchost.exe

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Please answer my question and post a new HJT log.

    Thanks
    Geri
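    The entry Geri singles out above is the classic shape of a bad O4 line: a Run value with a name Windows never uses ("servcrypt") that launches a core system process (svchost.exe), which Windows only ever starts from services.exe, never from a Run key. The following triage pass is an added example written for this page; it is not part of the thread and not code from HijackThis or ComboFix. It walks HijackThis log lines (the sample lines below are taken from the log posted in this thread) and flags Run values that launch a core system binary, IE proxy settings that point back at the local machine, and unknown Winsock LSP files, reporting each LSP DLL once even though HJT prints one O10 line per protocol chain entry. The list of core system binaries is the example's own assumption.

```python
import ntpath
import re
from dataclasses import dataclass

# Sample input: HijackThis lines taken from the log posted in this thread.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [servcrypt] C:\WINDOWS\system32\svchost.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [Steam] "g:\steam\steam.exe" -silent',
    r"O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll",
    r"O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll",
]

# Processes that the kernel, smss.exe or services.exe start during boot.
# Nothing legitimate registers one of them under a Run key, so a Run value
# that launches one directly (like [servcrypt] above) is always worth a look.
# This list is an assumption of the example, not something HijackThis ships.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>\S+)$")


@dataclass
class Finding:
    severity: str  # "high": fix it; "review": confirm what owns it first
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Lower-cased basename of the program an O4 command line starts.

    Handles both the quoted form ("C:\\Program Files\\x.exe" -arg) and the
    bare form (x.exe -arg); for rundll32 lines the host binary is returned.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return ntpath.basename(exe).lower()


def triage_hjt(lines):
    """Return the Findings for a list of HijackThis log lines, in log order."""
    findings = []
    seen_lsp = set()
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe in CORE_SYSTEM_BINARIES:
                findings.append(Finding("high", line,
                    f"Run value [{m.group('name')}] launches {exe}; "
                    "Windows never starts it from a Run key, remove the value"))
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            # ProxyServer is "host:port" or "scheme=host:port;scheme=host:port".
            for entry in m.group("proxy").split(";"):
                host = entry.split("=")[-1].rsplit(":", 1)[0]
                if host in ("127.0.0.1", "localhost"):
                    findings.append(Finding("review", line,
                        f"IE proxy {entry} points at this machine; find the process "
                        "listening on that port (netstat -ano) before trusting it"))
            continue
        m = O10_RE.match(line)
        if m:
            # HJT prints one O10 line per protocol chain entry; report each DLL once.
            dll = m.group("dll").lower()
            if dll not in seen_lsp:
                seen_lsp.add(dll)
                findings.append(Finding("review", line,
                    f"Winsock LSP {dll} is not in HJT's known-good list; check its publisher"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

    Run it against a saved HJT log with `triage_hjt(open("hijackthis.log").readlines())`. The "high" finding is the one to fix in HJT; the "review" findings are things to identify first (here the LSP turns out to be Xfire's, and the local proxy needs a `netstat -ano` to see which process owns port 8181) rather than remove blindly, since ripping out a legitimate LSP can break Winsock.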
     
  17. 2008/09/27
    Toba

    I have no idea what that .purple file was.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:02:57 PM, on 9/27/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    G:\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    G:\Winamp\winampa.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    G:\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    G:\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    G:\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    G:\Steam\steam.exe
    G:\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "G:\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] G:\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "G:\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "g:\steam\steam.exe" -silent
    O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\MICROS~1\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - G:\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - G:\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8767 bytes
     
  18. 2008/09/27
    Geri
    Hi
    OK, let's get an online scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now a scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  19. 2008/10/05
    Toba

    Sorry it took me so long to reply. School has been very busy. Here is the Kaspersky log:
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Sunday, October 5, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, October 05, 2008 23:49:40
    Records in database: 1293766
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan statistics:
    Files scanned: 96167
    Threat name: 2
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 03:54:12


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10900001.VBN Infected: Packed.Win32.Black.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10900002.VBN Infected: Packed.Win32.Black.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10900003.VBN Infected: Packed.Win32.Black.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10900004.VBN Infected: Packed.Win32.Black.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10900005.VBN Infected: Packed.Win32.Black.a 1
    G:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

    The selected area was scanned.
     
  20. 2008/10/05
    Geri
    Hi
    OK, delete everything in your Symantec AntiVirus Corporate Edition 7.5 Quarantine folder.

    This seems to be a torrent download and is infected. Delete it.

    G:\Antivirus\McAfee Total Protection - 2008 (No Key Needed)\CDSetup.exe

    We DO NOT approve of cracked or hacked software and it could prevent future help here on WindowsBBS Malware and Virus removal.

    mIRC is OK. If you happen not to use it, it can be deleted.

    Let me know how things are running.

    Thanks
    Geri
     
  21. 2008/10/06
    Toba

    Thank you for your help.

    As to that cracked file, I believe that was on there from when a friend tried to fix my computer before I found your site. I have cleaned that off.

    Once again, thank you for your help.
     
