How does this look?


Hello folks!

My son's new Alienware laptop has some stuff going on and I would appreciate an expert taking a closer look. We really don't know what to think at this point. I can see, however, that his security needs are going to be pretty high, as he does a lot of downloading of games and trailers. These are from what I think are probably OK sites, like Blizzard and Steam. Nonetheless, there are a few things that need looking into.

He has Virusscan Plus which came preinstalled on the system, and that has a firewall with it as well as 'antimalware'. He uses IE 8. Windows is up to date. He installed WOT for IE.

He ran a complete system scan on Nov 6th, and McAfee found and quarantined the following:

Adware-GameSpyarcade--Registry key HKU\S-15-21 9 (plus a whole bunch of other numbers I won't bother copying here)\Software\Gamespy

C:\Windows\Syswow64\OEM\oscust.exe, which it said was "Generic.dx!dsg", a trojan.

I did some research online, and the information on this oscust.exe is mixed, and even on this board there was a thread about Avast having tagged it as a false positive. I also spoke to an Alienware tech on the phone, and from all indications I thought this was an Alienware file that had come preinstalled on the system; a lot of antivirus software has been complaining about it, but it is a false positive, I figured. The Alienware tech I spoke to Nov 7 indicated that this was a clean file. I restored it. One other Alienware user on the Dell message board says his McAfee has quarantined this file repeatedly and he would keep restoring it, and he finally had left it in quarantine for the past month and had had no adverse effects on his system. The Alienware tech said it was a file that had to do with the onscreen display. We did decide, however, to copy the .exe to a CD and if McAfee quarantined it again, we would leave it in quarantine and see what happened.

Fast forward to last night. My son was away from the laptop most of the day on the 7th, so it wasn't being used. It was used yesterday, and he was home but I wasn't until late last night. When I got home, he had a download of a video from Blizzard on the go, and I noticed a red 'x' through the McAfee icon. I opened the interface and noticed the e-mail protection was in red, but I honestly don't remember if the real time protection part was red, so I don't know if the real time protection was off or not--it was late and I was tired. (He doesn't use the e-mail protection anyway). I had McAfee 'fix' what was wrong and made a mental note to tell my son to watch for this behavior in the future. He didn't remember turning off McAfee, it had been activated at some point during the day and there was nothing in the logs about it having been shut off. I also did some poking around and realized that the oscust.exe had completely vanished from the laptop. It was not in McAfee's quarantine either. I ran a search of the laptop, not anywhere to be found.

So...wondering now if this file would be needed for the laptop's graphics to work correctly. This is an expensive gaming unit and the high end graphics is a big part of it.

So I got on the phone to Dell tech support and this time the tech I spoke to said no, this oscust.exe is NOT an Alienware file, what made me think it was? Well, I said, it was in a folder with other Alienware files and it had an Alienware icon (but McAfee's quarantining it had altered its creation date so I had no way of checking that, and there was nothing helpful in the properties). So this guy figured the file was a trojan after all, not one of theirs. I told him I had done a lot of research on this--other Alienware users had had this happen to them, on a message board someone claiming to be an Alienware rep had said it was clean (don't know how credible that was, however), and a little over 24 hours ago, an Alienware tech had just told me the file is theirs and is not infected.

Sorry for the long post, but I thought some background would be helpful.

We ran another full scan with McAfee, and it comes up clean. This morning we installed Malwarebytes and ran it, and here is the log:

Malwarebytes' Anti-Malware 1.41

Database version: 3133

Windows 6.0.6001 Service Pack 1

09/11/2009 10:17:22 AM

mbam-log-2009-11-09 (10-17-22).txt

Scan type: Quick Scan

Objects scanned: 82357

Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

We had Malwarebytes fix this, and the laptop had to be restarted to complete the process. Naturally, McAfee protested to the registry changes that Malwarebytes wanted to make, but we told McAfee to allow it and things seemed to go smoothly. The system has been rebooted a total of twice now, and everything looks fine. Ran Malwarebytes again, and this time it's clean. I won't bother copying the log here.

I ran HijackThis on the laptop, and here is the log. This is the first time for this laptop, so I don't know what's normal and what shouldn't be there. Thanks so much, I would appreciate you checking this over.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:42:56 AM, on 09/11/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Boot mode: Normal

Running processes:

c:\PROGRA~2\mcafee.com\agent\mcagent.exe

C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe

C:\Program Files\OSD\Launch_CC.exe

C:\Program Files (x86)\Steam\steam.exe

C:\Program Files\Alienware\Command Center\AlienFusionController.exe

C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files (x86)\CyberLink\Shared Files\brs.exe

C:\Program Files\Alienware\Command Center\AlienSense\FATrayMon.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files\Alienware\Command Center\AlienSense\FATrayAlert.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

C:\Program Files\Alienware\Command Center\AlienFXHook32Mngr.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll

O2 - BHO: FAIESSO Helper Object - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - C:\Program Files\Alienware\Command Center\AlienSense\FAIESSO.dll

O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll

O4 - HKLM\..\Run: [OSD] c:\Program Files\OSD\Launch.exe

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [bDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"

O4 - HKLM\..\Run: [FATrayAlert] C:\Program Files\Alienware\Command Center\AlienSense\FATrayMon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

O4 - HKCU\..\Run: [steam] "c:\program files (x86)\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O13 - Gopher Prefix:

O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll

O20 - Winlogon Notify: FastAccess - C:\Program Files\Alienware\Command Center\AlienSense\FALogNot.dll

O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_61047ba1\AESTSr64.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Alienware Fusion Service (AlienFusionService) - Alienware - C:\Program Files\Alienware\Command Center\AlienFusionService.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Vista Session Launcher Service (CustomSvc) - Unknown owner - C:\Program Files\OSD\Service1.exe

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: FAService - Sensible Vision - C:\Program Files\Alienware\Command Center\AlienSense\FAService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~2\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_61047ba1\STacSV64.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 9267 bytes

Thanks, you guys are the best!

P.S. Unfortunately, my son went out on a social engagement on Nov 7th and shut the laptop down before he left, and we never did get that file copied. So it is permanently lost. I actually phoned Dell last night to see if we could get a replacement if necessary!
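As an added illustration (not part of the post above, and not a Malwarebytes or HijackThis tool), here is a small Python triage helper for a log in the format shown. It parses the O4 (Run key) and O23 (service) lines and sorts the services into the buckets a reviewer of this kind of log actually acts on. The point it makes is the one that matters for the log above: on 64-bit Windows, the 32-bit HijackThis 2.0.2 has its reads of C:\Windows\System32 redirected to SysWOW64, so native 64-bit system services such as lsass.exe, spoolsv.exe and vssvc.exe are reported as "(file missing)" even though they are present; the "Program Files (x86)" paths in the log are the clue that this is what is happening. A service flagged missing outside System32, or one with "Unknown owner" whose binary does exist, is what deserves a closer look (hash or signature check of the file). The sample log text is constructed from the entries in the post, the 64-bit detection is a heuristic on the log's own paths, and the owner column is not a code-signature check.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.0.2 log format, modelled on the entries in the
# post above (not a capture from any real machine).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Running processes:
C:\Program Files (x86)\Steam\steam.exe
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [OSD] c:\Program Files\OSD\Launch.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: Vista Session Launcher Service (CustomSvc) - Unknown owner - C:\Program Files\OSD\Service1.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]" and "O4 - <hive>\..\Run: [<label>] <cmd>"
SECTION_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str                                  # HijackThis section code, e.g. "O4" or "O23"
    body: str                                  # text after the "Oxx - " prefix
    fields: dict = field(default_factory=dict)  # parsed fields for O4 / O23, empty otherwise


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into its coded entries; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m["code"], m["body"])
        if entry.code == "O23":
            s = SERVICE_RE.match(entry.body)
            if s:
                entry.fields = {"name": s["name"], "owner": s["owner"], "path": s["path"],
                                "missing": s["missing"] is not None}
        elif entry.code == "O4":
            r = RUN_RE.match(entry.body)
            if r:
                entry.fields = {"hive": r["hive"], "label": r["label"], "cmd": r["cmd"]}
        entries.append(entry)
    return entries


def looks_64bit(text: str) -> bool:
    """Heuristic: WOW64 paths in the log mean 64-bit Windows scanned by a 32-bit HijackThis."""
    low = text.lower()
    return "program files (x86)" in low or "syswow64" in low


def triage_services(entries, host_is_64bit: bool) -> dict:
    """Map each O23 service name to the verdict a log reviewer would act on."""
    verdicts = {}
    for e in entries:
        if e.code != "O23" or not e.fields:
            continue
        path = e.fields["path"].lower()
        if e.fields["missing"]:
            # A 32-bit process opening C:\Windows\System32 on x64 is redirected to SysWOW64,
            # so native 64-bit system binaries are reported missing without being absent.
            # Anything else reported missing is an orphaned or suspicious service entry.
            if host_is_64bit and path.startswith("c:\\windows\\system32\\"):
                verdicts[e.fields["name"]] = "wow64_redirect"
            else:
                verdicts[e.fields["name"]] = "file_missing"
        elif e.fields["owner"] == "Unknown owner":
            # No vendor string but the binary exists: verify the file by hash or signature.
            verdicts[e.fields["name"]] = "unknown_owner"
        else:
            verdicts[e.fields["name"]] = "ok"
    return verdicts


def triage_log(text: str) -> dict:
    """Convenience wrapper: parse a whole log and triage its services."""
    return triage_services(parse_hjt(text), looks_64bit(text))


if __name__ == "__main__":
    for name, verdict in triage_log(SAMPLE_LOG).items():
        print(f"{verdict:15} {name}")
```

Run against the full log in the post, every "(file missing)" line lands in the wow64_redirect bucket (they are all under C:\Windows\System32 and the host is clearly 64-bit), which leaves the "Unknown owner" OSD service as the only entry that warrants verifying the binary itself.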

Just giving this a little bump. :)

I understand the MWB result was a false positive. Haven't restored it yet, but we intend to do so. Ran a MWB scan last night and nothing came up. No noticeable problems with this system, but would just like to confirm with a hjt log check. We're running out of time with the McAfee subscription, as it's only a trial. My son isn't sure he wants to keep it, since there is no way to whitelist a file. He's concerned about McAfee permanently deleting something more critical than the one that was lost.

Thanks for your time. Hopefully this won't take long. :)
