Well, I was trying to find a way to stop programs at startup because my comp would start slow, so I found msconfig and noticed at the "startup" tab an exe called "GetScreen". I googled this and it said it was a trojan. I don't know how it got on there when I have AVG up and running at all times, but maybe it was there before I got AVG. Anywho, I would appreciate it if someone could help me remove it, or any other virus or trojan or whatever I might have, off my computer. Thanks a lot. Here's my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:21 PM, on 5/31/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 195.8.214.192 www.neufstream.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ralph\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168479101718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168479038015
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
--
End of file - 7605 bytes
Hi Thisman. As for GetScreen, it can either be a trojan or legitimate software. To prove whether or not it is one, please find the file and then upload it to www.virustotal.com for analysis. Please post the results here. Also, if you wish to see if your computer is infected, please download an antimalware like A-squared and scan with it, but do not remove anything; only post the results here. Best Regards
See, that's the problem: I'm thinking it's a trojan because I cannot locate the file nor the folder. When I looked at the files in msconfig that start up on boot, it says the directory is C:\Program Files\GetScreen\GetScreen.exe, exactly like that, except no comma :]. So yeah... I'm not sure what's going on. I'll repost after an A-Squared scan. Thanks.
Hi Thisman. It can be that the entry in msconfig is an old one, which was not deleted when GetScreen was uninstalled. Can you possibly delete the entry using msconfig or some other startup manager? Best Regards
Don't know about any other startup manager, but it cannot be deleted via msconfig. Here's the A-Squared log.
a-squared Anti-Malware - Version 3.5
Last update: 6/1/2008 1:42:12 AM
Scan settings:
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On
Scan start: 6/1/2008 1:42:44 AM
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:58 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:59 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:60 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:61 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:62 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:63 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:64 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:65 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:66 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:67 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:68 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:69 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:70 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:71 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:72 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:73 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:74 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:75 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:76 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:114 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:154 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:212 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:395 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:396 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:397 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:398 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:425 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:462 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:560 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:568 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:569 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:570 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:571 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:572 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:573 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:604 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:606 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:655 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:755 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:766 detected: Trace.TrackingCookie
C:\Documents and Settings\ralph\Application Data\Mozilla\Firefox\Profiles\09zez7a0.default\cookies.txt:897 detected: Trace.TrackingCookie
Scanned
Files: 118400
Traces: 411427
Cookies: 990
Processes: 35
Found
Files: 0
Traces: 0
Cookies: 41
Processes: 0
Registry keys: 0
Scan end: 6/1/2008 3:17:48 AM
Scan time: 1:35:04
Hi Thisman. And yes, your a-squared log does not reveal any malware except for cookies, which you can delete safely. I believe that there are many good free startup manager programs which you can use to delete obsolete startup entries such as yours. I would recommend searching on download.com or Softpedia so as to not get an infected startup manager program. And to entertain me, could you possibly download GMER, which is a rootkit scanner, and then post the log here? I just have a suspicion. Best Regards
I'll take a look at that later, but here's the GMER log. Thanks for all your help btw.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-01 04:17:55
Windows 5.1.2600
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwEnumerateKey [0xF772AFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF772B340]
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 867DA1E8
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
Device \FileSystem\Fastfat \Fat 861775F8
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
---- EOF - GMER 1.0.14 ----
Hi Thisman. And no, your GMER log does not reveal anything bad. It means that you are officially clean. All you have to do is get a startup manager, delete the startup reference, and you're done! I can recommend one: Autoruns, from Sysinternals. It's very powerful and detailed, so you should be careful. Just play around with it, but do not uncheck things unnecessarily, because it shows everything which starts when Windows starts. I mean everything everything everything. Best Regards
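The whole thread turns on one kind of finding: an autostart entry whose target file is gone (the GetScreen Run entry that msconfig shows but that has no file or folder on disk, and the "(no file)" BHO and "(file missing)" LiveUpdate service already marked in the HijackThis log). The script below is an added example, not code from this thread, from HijackThis or from Autoruns: it parses the O2/O4/O23 line types of a HijackThis 2.0.2 log, pulls the target path out of each (quoted or unquoted, with or without arguments) and reports entries whose target is either flagged by HijackThis itself or absent from the file system. The sample log lines and the PRESENT_FILES set are constructed; the set stands in for the real disk so the check runs offline.

```python
import re

# Regexes for the HijackThis 2.0.2 line types this checker understands.
# O2 = browser helper object, O4 = registry autostart, O23 = Windows service.
# Other line types (R0/R1, O1, O4 startup-folder .lnk lines, ...) are skipped.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")

# A command line is either a quoted path (arguments follow the closing quote)
# or an unquoted path, possibly containing spaces, ending in a known extension.
PATH_RE = re.compile(
    r'"([^"]+)"|(\S[^\r\n]*?\.(?:exe|dll|ocx|scr|com|bat|cmd))(?=\s|$|,)',
    re.IGNORECASE,
)


def extract_path(command: str):
    """Return the executable/DLL path from a command line, or None."""
    m = PATH_RE.search(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def parse_entries(log_text: str):
    """Parse O2/O4/O23 lines into dicts with kind, name, path and hjt_flag."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            target = m.group("target")
            entries.append({"kind": "O2", "name": m.group("name"),
                            "path": None if target == "(no file)" else target,
                            "hjt_flag": target == "(no file)"})
        elif m := O4_RE.match(line):
            entries.append({"kind": "O4", "name": m.group("name"),
                            "path": extract_path(m.group("command")),
                            "hjt_flag": False})
        elif m := O23_RE.match(line):
            target = m.group("target")
            entries.append({"kind": "O23", "name": m.group("name"),
                            "path": extract_path(target),
                            "hjt_flag": target.endswith("(file missing)")})
    return entries


def find_orphans(log_text: str, present_files):
    """Return (kind, name, path, reason) tuples for entries whose target is gone.

    present_files is a set of paths standing in for the file system so the
    check runs offline; on the real machine test os.path.exists() instead.
    """
    present = {p.lower() for p in present_files}
    orphans = []
    for e in parse_entries(log_text):
        path = e["path"]
        if e["hjt_flag"]:
            orphans.append((e["kind"], e["name"], path, "flagged by HijackThis"))
        elif path is None:
            orphans.append((e["kind"], e["name"], None, "no file path found in entry"))
        elif "\\" not in path:
            continue  # bare name resolved through PATH; cannot judge offline
        elif path.lower() not in present:
            orphans.append((e["kind"], e["name"], path, "target file not found"))
    return orphans


# Constructed sample, modelled on the thread's HijackThis log. The [GetScreen]
# line is the msconfig entry the poster described, not a line from their log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GetScreen] C:\Program Files\GetScreen\GetScreen.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

# Constructed stand-in for "what exists on disk": every target except GetScreen.
PRESENT_FILES = {
    r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
    r"C:\Program Files\Comodo\Firewall\CPF.exe",
    r"C:\Program Files\Sandboxie\SbieSvc.exe",
}

if __name__ == "__main__":
    for kind, name, path, reason in find_orphans(SAMPLE_LOG, PRESENT_FILES):
        print(f"{kind} [{name}] -> {path}: {reason}")
```

Run against the sample it reports the nameless BHO, the GetScreen Run entry and the LiveUpdate service, and nothing else; the RUNDLL32.EXE entry is skipped because a bare name is resolved through PATH and cannot be judged from the log alone. An orphaned entry like GetScreen's is inert (there is nothing left to execute), which is also why it could not be uploaded to VirusTotal, but it is still worth removing with a startup manager so it stops raising questions on every scan.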