
Windows URGENT: Security being compromised

Discussion in 'Tech Support' started by ou7blaze, 27 Jul 2009.

  1. ou7blaze

    ou7blaze sensational.

    Joined:
    5 May 2003
    Posts:
    2,653
    Likes Received:
    2
    Ages ago someone compromised my Steam account and because of that I lost all my games. That was a long while back.

    Now, more recently, let's say 2 months ago, I had someone gain access to my Facebook and change my comment so that it said "I like Phallus". Obviously someone felt like screwing around with me.

    Luckily they did not change my password, I did and forgot about it.

    Stupidly I did not take the hint that THERE IS A TROJAN AND/OR SOMEONE LOGGING ALL MY PASSWORD DETAILS, PERSONAL FILES on my HD, anything and everything. Now TODAY my ex calls me and tells me someone has sent her an old email I sent her ages ago. It obviously wasn't me, and my ex was worried other people were being sent this, so I want to clean my PC.

    Basically I'm in paranoid mode now and really worried. It's very disconcerting to know someone could be looking at all my private documents like this. I mean I've got my CV with my address, telephone number, the whole lot on it in my email FFS. I want to get rid of this Trojan once and for all. I'll also be honest and say that in the past year I have downloaded 2 cracked files which I'm pretty damned sure are the root cause of all this. Apart from that I'm not sure what else could've possibly done this. I scan all files I download and I'm very careful with computer security, obviously not enough though...

    I know the fail-proof way to get rid of a Trojan is to do a format and wipe my PC. Unfortunately I have files that I need to back up which are quite large and I can't because I'm broke and without a job and can't even afford a cheap small thumb drive. My thumb drive right now is absolutely useless and only has a capacity of 256MB.

    So in the meantime I need to remove as many malicious files as I can from my computer right now before I can figure out a long-term solution. I'm going to need some help from you guys. What information does someone need to help me identify where the problem is, a HijackThis log?

    What else should I do? I've tightened up all my security settings on my COMODO firewall. I've done scans with the free version of AVG and Spybot Search & Destroy in safe mode. Both have come up with nothing. What are free, powerful anti-virus, adware and trojan programs?

    What are all my options now?


    Thank you in advance,
    a very worried ou7blaze
     
    Last edited: 27 Jul 2009
  2. Ryu_ookami

    Ryu_ookami I write therefore I suffer.

    Joined:
    11 Mar 2004
    Posts:
    3,330
    Likes Received:
    128
    Post the entire HijackThis log.
     
  3. ou7blaze

    ou7blaze sensational.

    Joined:
    5 May 2003
    Posts:
    2,653
    Likes Received:
    2
    Here is my HijackThis logfile:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:17:38, on 28/07/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\windows\system32\PnkBstrA.exe
    C:\windows\system32\PnkBstrB.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\windows\system32\CTHELPER.EXE
    C:\Program Files\RivaTuner v2.24\RivaTuner.exe
    C:\windows\system32\RUNDLL32.EXE
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Steam\steam.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HLSW\hlsw.exe
    C:\windows\system32\SNDVOL32.EXE
    C:\windows\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/defaults/sb/*http://uk.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\windows\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\windows\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /T
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - devel.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
    O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
    Bedford, MA 01730 - C:\Documents and Settings\Administrator\My Documents\Downloads\iRacing_torrent\iRacingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\windows\system32\PnkBstrB.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
    
    --
    End of file - 12044 bytes
     
    Last edited: 27 Jul 2009
  4. tictactoe

    tictactoe New Member

    Joined:
    8 Sep 2007
    Posts:
    60
    Likes Received:
    1
  5. ZoFreX

    ZoFreX New Member

    Joined:
    21 Jul 2009
    Posts:
    54
    Likes Received:
    1
    Remember that most of these programs, HijackThis! included, will get better results if run in safe mode (less chance that the malware is running, then). Also, Avast! has an offline scan option (where it scans the HD at boot time, before startup programs have run) which in theory should even catch very advanced viruses such as rootkits.
     
  6. ou7blaze

    ou7blaze sensational.

    Joined:
    5 May 2003
    Posts:
    2,653
    Likes Received:
    2
    *Sigh*

    Looks like the *******s have just compromised my Steam account. If I log out now from it I guarantee you it's gone.

    Don't be surprised if I lose this bit-tech account which I've had for 3 years now.

    Seriously this is the worst thing that can happen to anyone being keylogged. I have so many important files on this computer. And at least 20GB of music and yes I did actually BUY that. You know what, just to make it worse my iPod HD crashed the other day so I lost all my songs. Is it still OK to redownload them or not? They're really hard-to-find electronic songs.

    I'll run these programs right now, as I'm trying to keep my Steam account logged in until I can do something about retrieving it. You see, the problem is if I made a Steam support page, you guessed it, they'll log the keys for that as well.

    What do I do ...? This is one terrible day for me.

    Has anyone checked out my HijackThis log?
     
    Last edited: 27 Jul 2009
  7. ZoFreX

    ZoFreX New Member

    Joined:
    21 Jul 2009
    Posts:
    54
    Likes Received:
    1
    1) You can defeat a lot of keyloggers by using the on-screen keyboard built into Windows.

    2) Use LastPass (http://www.lastpass.com) to generate and save new, random passwords for the websites you use - this way you'll never even type your passwords in, making it very difficult for an attacker to compromise them.

    3) Assuming you've paid for something on your Steam account, and I don't see why you'd be worried if you haven't, you can always reclaim it. Valve keep on file which credit card was used to make purchases, so you can prove you are the owner of the account. They have a decent track record on issues like this.

    That said the only sure-fire way to fix this is to stop running an OS off that drive. You need to get it into a new computer and do an offline backup. At this point I guess you need to figure out what's worth more to you, your data and accounts, or other things.

    I've taken a look at your HJT! log and left in everything that it's safe for you to remove (I think! Your own risk, no warranty, etc). Rather than look up anything suspicious I've taken the heavy-handed approach of recommending you disable everything that isn't vital, because a) the situation is dire and b) I'm lazy.

    So to clarify, these are all entries that can be removed.

    Code:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\windows\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\windows\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /T
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - devel.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
    O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
    Bedford, MA 01730 - C:\Documents and Settings\Administrator\My Documents\Downloads\iRacing_torrent\iRacingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
    
    --
    End of file - 12044 bytes
    
    This entry:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    If I remember correctly, this is a sign of the "SASSER" worm; you should be able to find a fix on Google (it might not be though... it's just a sign, it's not definite).

    Definitely suspicious:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208

    O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
    I left this in on purpose... I don't know AVG, so maybe it does, but it seems odd that an antivirus program would need to start something from %SYSTEM%.

    Most of the entries are probably fine but you don't reeeally need them and it's better safe than sorry. As I said earlier, you should really run a scan, and do the fixes, while in safe mode. It'll catch extra stuff.
     
    Last edited: 28 Jul 2009
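    The rules ZoFreX applies by hand above (stale "(file missing)" services and "(no file)" BHOs, the hard-coded O17 NameServer, and the iRacing service running out of a Downloads folder) can be automated. The following is an added example written for this thread, not code from any poster or from HijackThis itself; the sample lines are copied from the log posted above, and the set of expected DNS resolvers is an assumption you fill in from your ISP's or router's published servers.

```python
# Triage helper for HijackThis-style log lines (example code for this thread,
# not part of the original posts and not HijackThis itself). It parses the
# entry types the posts argue over (O2 BHOs, O4 autoruns, O17 NameServer,
# O23 services), re-joins entries that HijackThis wrapped over two lines (the
# iRacing service in the log), and applies defender-side rules: a hard-coded
# DNS server outside the set you expect, a service or BHO whose file is gone,
# a binary launched from a user-writable directory, and a service with no
# publisher. The expected-resolver set is an assumption you supply yourself.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Start of a HijackThis entry: R0-R3, F0-F3, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - ")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.\s]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories an ordinary user can write to; dropped files usually land here.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\local settings\\",
                       "\\application data\\")


@dataclass
class Finding:
    line: str
    severity: str   # "stale", "review" or "suspicious"
    reason: str


def join_wrapped(lines: Iterable[str]) -> List[str]:
    """Re-attach continuation lines (text that does not start a new entry)
    to the entry before them, as happens with long service publisher names."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if out and line and ENTRY_RE.match(out[-1]) and not ENTRY_RE.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def _in_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def triage_line(line: str, expected_resolvers: Optional[Set[str]] = None) -> Optional[Finding]:
    """Return a Finding for one (already joined) entry, or None if no rule fires."""
    expected = expected_resolvers or set()
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        unexpected = [s for s in m.group("servers").split() if s not in expected]
        if unexpected:
            return Finding(line, "review",
                           "hard-coded DNS servers not in the expected set: " + ", ".join(unexpected))
        return None
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        if path.endswith("(file missing)"):
            return Finding(line, "stale", "service points at a file that no longer exists")
        if _in_user_writable(path):
            return Finding(line, "suspicious", "service binary runs from a user-writable directory")
        if m.group("owner") == "Unknown owner":
            return Finding(line, "review", "service binary carries no publisher information")
        return None
    m = O2_RE.match(line)
    if m and m.group("path") == "(no file)":
        return Finding(line, "stale", "BHO is registered but its DLL is gone")
    m = O4_RE.match(line)
    if m and _in_user_writable(m.group("cmd")):
        return Finding(line, "suspicious", "autorun entry launches from a user-writable directory")
    return None


def triage(log_text: str, expected_resolvers: Optional[Set[str]] = None) -> List[Finding]:
    """Triage a whole log; findings come back in log order."""
    findings = []
    for entry in join_wrapped(log_text.splitlines()):
        f = triage_line(entry, expected_resolvers)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Documents and Settings\Administrator\My Documents\Downloads\iRacing_torrent\iRacingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.reason}\n             {f.line}")
```

    Pass the resolvers your ISP actually publishes as `expected_resolvers` and the O17 line drops out of the findings, which is how the thread's later conclusion about the PCCW DNS servers would be recorded.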
  8. andrew8200m

    andrew8200m Well-Known Member

    Joined:
    4 May 2009
    Posts:
    2,238
    Likes Received:
    134
    I would log on to another PC and change every password you can think of to ensure they cannot regain access. Facebook etc. etc. I would then create a fresh Windows install on another HDD if you have one. Run a virus scanner on the drive this way and try to remove any infections that way whilst being disconnected from the net. You can also extract your music etc. this way by exploring the drive. Once you have all of your data, run a virus scanner again over the files to ensure you are free of all unwanted trojans etc.

    Use Windows to then format the drive and start fresh from there.

    It's a pain in the backside but probably the safest way of recovering all of your files and also accounts etc.


    Andy
     
  9. B3CK

    B3CK Member

    Joined:
    14 Jun 2004
    Posts:
    402
    Likes Received:
    3
    Both of those IP addresses are Asian IP addresses; no reason you should have your name server set to Asian ones, definitely compromised there.

    My advice: take your HD out, put it into a PC that does have good AV and no autorun, or a USB enclosure, and run some virus scans and copy personal docs over, then wipe it and re-install.
    Will ultimately give you better peace of mind, and may be faster in the long run.

    Also, a bit on the same paranoid side, get your IP changed. Your router cable/DSL/ADSL IP. I had huge issues with running an FTP from home with tons of IP ranges locked out on my router from Asia-NIC. I found that after I traded in my router, which took me offline for a while, I got a new IP address and new MAC for my (outside) cable modem.
     
  10. tictactoe

    tictactoe New Member

    Joined:
    8 Sep 2007
    Posts:
    60
    Likes Received:
    1
    Except perhaps that the OP's location is Hong Kong.
     
  11. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,231
    Likes Received:
    219
    I'd agree with that.
    Change ALL online passwords from a separate machine. Change all passwords on your router. Reinstall Windows on a separate HDD (if possible), and then copy over very carefully, and only the stuff you need and know is safe... preferably DON'T put the HDD into the new machine unless you have pretty serious on-access scanning.
    Do all of this in offline mode as well... don't want anyone going through there while you're not tightened up yet.
    Also, it might be that your router is compromised, and not your PC itself... intercepting traffic could give people access to all passwords, etc. as well.
     
  12. mm vr

    mm vr The cheesecake is a lie

    Joined:
    18 Nov 2007
    Posts:
    2,968
    Likes Received:
    84
    These sound like drive-by downloaded trojans:

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
     
  13. ZoFreX

    ZoFreX New Member

    Joined:
    21 Jul 2009
    Posts:
    54
    Likes Received:
    1
    More options for you, given the limited funds:

    Reinstall Windows on the same drive. You will keep all your files, and the virus will no longer be loading (unless it's boot sector... but this is unlikely). Bear in mind that ANY executable files should be untrusted! The virus may have infiltrated every single one of them.

    Back up files online - Gmail has 7 gigabytes of storage, Dropbox has 2 gigabytes, so you can back up quite a lot if you have the patience.

    Also in the meantime try to be online with that computer as little as possible. Access the internet on another computer, change all your passwords on another computer... if you don't have access to one, go to a library or cyber cafe.
     
  14. ou7blaze

    ou7blaze sensational.

    Joined:
    5 May 2003
    Posts:
    2,653
    Likes Received:
    2
    What do you mean by drive-by trojans? I recognise that application as being PartyPoker's game client which I personally downloaded.

    I live in Hong Kong if that makes a difference. I googled that IP and it seems a few people have posted HijackThis logs with the same problem. Also people from Hong Kong, any connection there? What's a name server? Googled it and I'm still confused.

    I use the main ISP here called PCCW and it seems to offer all connections a dynamic IP so I don't think I've got a problem there.

    I've run Malwarebytes in normal mode and it picked up 8 problems: 2 worms in IE and a few malicious entries. I'm going to run it in safe mode now.

    I think I'm going to run as many antivirus, spyware, malware etc. programs in safe mode as I can and salvage what I can with a portable HD I'm going to borrow from my friend.

    Now that an entire wipe of the HD must be done will that remove ALL traces of the problem?

    EDIT: Strangely after the malware scan my enter key doesn't work in firefox. :confused:

    EDIT:
    If I decide to remove those entries how would I go about removing them? Go to the shown location and simply delete it in safe mode or by killing the process in the task manager?

    UPDATE: I'm currently in the process of doing all the above mentioned steps plus stripping down my Windows to the bare minimum and running scans in safe mode. Once I'm down to all but my most important files I'll repost a fresh Hijackthis log.


    Thanks for all the suggestions so far every one. :clap:
     
    Last edited: 28 Jul 2009
  15. ZoFreX

    ZoFreX New Member

    Joined:
    21 Jul 2009
    Posts:
    54
    Likes Received:
    1
    You fix them by checking their checkbox in hijackthis and hitting "fix", if I remember correctly.
     
  16. ou7blaze

    ou7blaze sensational.

    Joined:
    5 May 2003
    Posts:
    2,653
    Likes Received:
    2
    OK, so I spent the better part of 5 hours doing scans with the trial version of Avira AntiVir. I also used free versions of The Cleaner 2010, CCleaner, RUBotted and RootkitBuster. I managed to get rid of about 8-9 malicious "files". I've now stripped down my system to the bare bones. AVG might have been compromised but I got rid of it in safe mode, along with a whole host of things in the HJT log.

    Luckily I was able to get rid of this entry:
    Code:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    But for some reason I couldn't get rid of this entry; it keeps coming back despite me deleting it in safe mode. However, after speaking to a guy in my clan who works for a network company, he found out this was from a DNS server from my ISP in HK, so that probably explains why it keeps coming back. According to him this is not a bad thing, correct?
    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208

    So here's my latest HJT log I've made in normal Windows XP mode:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:01:50, on 29/07/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\windows\System32\alg.exe
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\windows\system32\CTHELPER.EXE
    C:\windows\system32\RUNDLL32.EXE
    C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/defaults/sb/*http://uk.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\windows\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\windows\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - 
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - 
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - 
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: iRacing helper service (iRacingService) - Unknown owner - C:\Documents and Settings\Administrator\My Documents\Downloads\iRacing_torrent\iRacingService.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
    
    --
    End of file - 9132 bytes
    
    Anyway, I'm hoping my system is now safe enough that I can transfer my files to a spare HD. I'll scan that HD with a spare laptop before putting my files back onto a fresh format of Windows XP. So really I'm hoping you guys can tell me everything is safe and good to go. :)

    Thanks for reading.
     
    Last edited: 28 Jul 2009
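    The checks this post and the replies are doing by hand (spotting the orphaned "(no file)" and "(file missing)" entries, and verifying that the O17 NameServer addresses really belong to the ISP) can be scripted. The script below is an added example for this thread; it is not HijackThis code and not anything the posters ran. It assumes the two PCCW resolver addresses quoted in the thread are the expected ones, uses an illustrative list of "user-writable" folders for the O4 autostart heuristic, and runs against a constructed sample log modelled on the one posted (the O4 "Updater" line and the second O17 line with a documentation-range address are made up to exercise every check).

```python
"""Offline triage of a HijackThis (HJT) v2 log.

Added example for this thread; not HijackThis code and not anything the
posters ran. It parses the O-numbered entry types discussed above and
flags what a responder would look at first:

  * O2/O3/O9 entries whose target is "(no file)"      -> orphaned registrations
  * O23 services whose binary is "(file missing)"     -> orphaned services
  * O17 NameServer entries outside an allow-list      -> possible DNS hijack
  * O4 autostarts loading from user-writable folders  -> worth a closer look

Assumptions: the allow-listed resolvers are the two PCCW addresses quoted in
the thread; the suspicious-folder list and the sample lines marked constructed
below are illustrative, not taken from the original log.
"""
import re
from dataclasses import dataclass

# Resolver addresses the thread identified as the ISP's (PCCW) DNS servers.
EXPECTED_NAMESERVERS = {"218.102.62.71", "203.198.23.208"}

# Assumption: autostart binaries living under these folders deserve review.
SUSPECT_PATH_PARTS = ("\\temp\\", "\\downloads\\", "\\application data\\")

# Constructed sample log: lines modelled on the thread's log plus two made-up
# ones (the O4 "Updater" entry and the second O17 line, which uses a
# documentation-range address) so that every check fires at least once.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Administrator\Local Settings\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36A42F66-6A59-4ABF-BD29-EB4C4D494BAA}: NameServer = 218.102.62.71 203.198.23.208
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.9
O23 - Service: iRacing helper service (iRacingService) - Unknown owner - C:\Documents and Settings\Administrator\My Documents\Downloads\iRacing_torrent\iRacingService.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O17"
    reason: str    # why the line was flagged
    line: str      # the original log line


def triage(log_text, expected_ns=EXPECTED_NAMESERVERS):
    """Return a Finding for each log entry that needs a human look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes" paths, R-entries, etc.
        section, rest = m.groups()
        if section in ("O2", "O3", "O9") and rest.endswith("(no file)"):
            findings.append(Finding(section, "orphaned registration (no file)", raw))
        elif section == "O23" and rest.endswith("(file missing)"):
            findings.append(Finding(section, "service binary missing", raw))
        elif section == "O17":
            ns = NAMESERVER_RE.search(rest)
            if ns:
                unknown = [s for s in ns.group(1).split() if s not in expected_ns]
                if unknown:
                    findings.append(Finding(section, "unexpected DNS server(s): " + " ".join(unknown), raw))
        elif section == "O4":
            lowered = rest.lower()
            if any(part in lowered for part in SUSPECT_PATH_PARTS):
                findings.append(Finding(section, "autostart from user-writable folder", raw))
    return findings


def nameservers(log_text):
    """Collect every resolver address from O17 entries, for an ISP/whois check."""
    servers = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and m.group(1) == "O17":
            ns = NAMESERVER_RE.search(m.group(2))
            if ns:
                servers.extend(ns.group(1).split())
    return servers


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("Resolvers to verify against your ISP:", ", ".join(nameservers(SAMPLE_LOG)))
```

    Point the script at a saved HJT log instead of SAMPLE_LOG and replace EXPECTED_NAMESERVERS with whatever your ISP publishes; an O17 entry that keeps reappearing with an address that is not your ISP's is the case worth escalating, whereas one that matches (as the PCCW addresses here do) is just the DHCP-assigned resolver being rewritten.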
  17. ZoFreX

    ZoFreX New Member

    Joined:
    21 Jul 2009
    Posts:
    54
    Likes Received:
    1
    As long as you don't copy any .exe or .scr files, I see no problem with your plan.
     
  18. Golygus

    Golygus New Member

    Joined:
    9 Oct 2003
    Posts:
    678
    Likes Received:
    12
    218.102.62.71 is indeed owned by PCCW.

    AVG is hopeless, get rid.

    Avira Personal Edition is free and OK, but it's annoying every time it updates as it tries to sell you the full version.

    Avast has a free version and is OK, but slow.

    ESET have a free "online scanner" - they have 2 versions, this one and an actual online one. I prefer this one - which you can use to scan for viruses. Just in case the other apps have missed something.

    Spybot S&D and SpywareBlaster are both helpful to have installed as they help to prevent spyware etc. infections. The systems are not infallible, but it's better than nothing!

    +1 For Malwarebytes and SAS
     
  19. mm vr

    mm vr The cheesecake is a lie

    Joined:
    18 Nov 2007
    Posts:
    2,968
    Likes Received:
    84
    Oops, sorry! I thought PartyPoker was something malicious. I class everything that I get popup ads for as malware.


    The ad is too easy to get rid of, it shouldn't be a deciding factor.
     
  20. Golygus

    Golygus New Member

    Joined:
    9 Oct 2003
    Posts:
    678
    Likes Received:
    12
    Instructions can be found here. It's still annoying, but I guess you're right.
     