Old 11-13-2008, 06:32 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


definite virus

Well, there is certainly a virus... but every time I find the file in system32 and delete it... it regenerates itself as a new file with a different name...

I wasn't too worried about it until just a few minutes ago, when my computer wouldn't start up right away as it always has.

It constantly slows the PC down (but as soon as I disconnect the USB for the internet the system speeds up again)... it's causing the motherboard to beep (a phaser-like noise.. not a beep but a tone that goes down in pitch and lasts for just a second), which coincides with some glitching of the taskbar/buttons/title bars (they turn black).

I'm attaching a HijackThis log... but it seems to be shorter than the other ones that I've looked at.. so if I missed a step I will do my best to correct it.

And if you would like the names of the files the virus has made, I will list them, but I wasn't sure if it was actually relevant.

thank you!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:22 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\SPYWAR~2\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myspace.com/index.cfm?fu...20050814140259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\RunServices: [Windows Sound] exp2.60.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} - http://angel1895.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1205520923990
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1205520859256
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/ampx2.6.1.7_en_dl.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~2\sp_rsser.exe
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSC\WLService.exe

--
End of file - 8660 bytes

Last edited by Sugar.Tears; 11-13-2008 at 06:34 PM.
Sugar.Tears is offline  
Old 11-14-2008, 07:36 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Hello -

HijackThis is somewhat limited for today's infections. Toward that end, we ask that every member perform the steps we have in this sticky topic, and post those logs.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-16-2008, 11:41 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

OK... sorry I didn't post sooner, but my PC decided not to load up from the boot screen yesterday.

Here are your logs... I know it shows what I removed in the last few days... I've already heard the lecture about P2P stuff... so I get it... it's bad.. thanks :D (I won't do it again.. trust me!)

Where it says "Created Last 30", these are the virus's file names I was telling you about in the OP, the ones I have been deleting; it still continues to regenerate itself.

Quote:
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini2
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini
2008-11-13 09:11 313,856 -c------ c:\windows\system32\qoMghhhG.dll
2008-11-13 01:11 524 ac-sh--- c:\windows\system32\CLlUuBeg.ini2
2008-11-13 01:11 524 ac-sh--- c:\windows\system32\CLlUuBeg.ini
2008-11-13 01:11 313,856 ac------ c:\windows\system32\geBuUlLC9.dll
2008-11-11 10:55 7,581 ac-sh--- c:\windows\system32\NmnUuBeg.ini2
2008-11-11 10:55 7,581 ac-sh--- c:\windows\system32\NmnUuBeg.ini
2008-11-11 10:55 313,856 ac------ c:\windows\system32\geBuUnmN1.gif
2008-11-10 22:07 29,696 ac------ c:\windows\system32\hgGyaYom.dll
2008-11-10 22:07 29,696 ac------ c:\windows\system32\qoMfffCt.dll
And here is the complete DDS log:


DDS (Version 1.0) - NTFSx86
Run by Owner at 13:12:32.50 on Sun 11/16/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.602 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\My Documents\internet-html stuff\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://home.myspace.com/index.cfm?fuseaction=splash&Mytoken=20050814140259
uWindow Title = Microsoft Internet Explorer provided by LocalNet
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://internetsearchservice.com
mDefault_Page_URL = hxxp://start.localnet.com/
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://internetsearchservice.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
mSearchURL = hxxp://internetsearchservice.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4816822F-6BB2-4314-A4DA-D5909E06D766} - c:\windows\system32\wvUklJAS.dll
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {63499DDC-582C-4558-89FB-46A4579B8D3D} - c:\windows\system32\qoMghhhG.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRunServices: [Windows Sound] exp2.60.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoRun = 0 (0x0)
uPolicies-explorer: NoClose = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
Notify: ljjhhii - ljjhhii.dll
Notify: rqRIaWMe - rqRIaWMe.dll
Notify: wvUklJAS - wvUklJAS.dll
Notify: yayxyvv - yayxyvv.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4816822F-6BB2-4314-A4DA-D5909E06D766} - c:\windows\system32\wvUklJAS.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMghhhG

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys
S2 WUSB54GSC;WUSB54GSC;"c:\program files\linksys\wusb54gsc\WLService.exe" "WUSB54GSC.exe"
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS
S3 PRISM_USB;IEEE 802.11 Wireless USB Driver;c:\windows\system32\drivers\EXPSUSB.sys
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\drivers\superwebcam.sys

=============== Created Last 30 ================

2008-11-15 22:19 250 ac------ c:\windows\gmer.ini
2008-11-13 12:19 <DIR> --d----- c:\program files\Skype
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini2
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini
2008-11-13 09:11 313,856 -c------ c:\windows\system32\qoMghhhG.dll
2008-11-13 01:11 524 ac-sh--- c:\windows\system32\CLlUuBeg.ini2
2008-11-13 01:11 524 ac-sh--- c:\windows\system32\CLlUuBeg.ini
2008-11-13 01:11 313,856 ac------ c:\windows\system32\geBuUlLC9.dll
2008-11-11 10:55 7,581 ac-sh--- c:\windows\system32\NmnUuBeg.ini2
2008-11-11 10:55 7,581 ac-sh--- c:\windows\system32\NmnUuBeg.ini
2008-11-11 10:55 313,856 ac------ c:\windows\system32\geBuUnmN1.gif
2008-11-10 22:07 29,696 ac------ c:\windows\system32\hgGyaYom.dll
2008-11-10 22:07 29,696 ac------ c:\windows\system32\qoMfffCt.dll
2008-11-08 22:45 17,801 ac------ c:\windows\system32\drivers\AegisP.sys
2008-11-08 22:44 17,992 ac------ c:\windows\system32\bcm42rly.sys
2008-11-08 22:44 <DIR> --d----- c:\program files\Linksys
2008-11-08 22:44 670 ac------ c:\windows\system32\WLAN.INI
2008-11-07 19:29 <DIR> -cd----- c:\program files\common files\xing shared
2008-11-07 18:48 2,918 ac-sh--- c:\windows\system32\IQrtsBeg.ini2
2008-11-07 18:48 2,918 ac-sh--- c:\windows\system32\IQrtsBeg.ini
2008-11-07 17:22 54,156 ac--h--- c:\windows\QTFont.qfn
2008-11-07 17:22 1,409 ac------ c:\windows\QTFont.for
2008-11-06 19:12 96,976 ac------ c:\windows\system32\drivers\klin.dat
2008-11-06 19:12 87,855 ac------ c:\windows\system32\drivers\klick.dat
2008-11-06 19:09 <DIR> --d----- c:\program files\Kaspersky Lab
2008-11-06 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-11-06 19:08 4,877,856 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2008-11-06 19:08 950,304 ac-sh--- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 19:08 39,188 ac-sh--- c:\windows\system32\drivers\fidbox.idx
2008-11-06 19:08 4,328 ac-sh--- c:\windows\system32\drivers\fidbox2.idx
2008-11-06 18:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-11-06 10:21 410,976 ac------ c:\windows\system32\deploytk.dll
2008-11-05 11:54 <DIR> --d----- c:\program files\Trend Micro
2008-11-02 09:48 <DIR> --d----- c:\program files\Curse
2008-10-31 05:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2008-10-30 18:41 <DIR> --d----- C:\Logs
2008-10-30 10:14 <DIR> acd----- c:\program files\World of Warcraft
2008-10-29 19:30 <DIR> -cd----- c:\program files\common files\Blizzard Entertainment
2008-10-22 10:57 <DIR> --d----- c:\program files\Panda Security
2008-10-21 11:27 343 ac-sh--- c:\windows\system32\WEhjknpo.ini
2008-10-21 11:08 29,696 ac------ c:\windows\system32\opnkhebC.dll
2008-10-21 11:05 29,696 ac------ c:\windows\system32\wvUklJAS.dll
2008-10-21 11:04 38,912 ac------ c:\windows\system32\~.exe
2008-10-20 17:45 <DIR> --d----- c:\docume~1\owner\applic~1\.purple
2008-10-20 17:44 <DIR> --d----- c:\program files\Pidgin
2008-10-20 12:22 230 ac------ c:\windows\system32\spupdsvc.inf
2008-10-19 21:23 13,942 ac------ c:\windows\system32\c.ico
2008-10-19 21:23 7,662 ac------ c:\windows\system32\m.ico
2008-10-19 21:23 4,286 ac------ c:\windows\system32\s.ico

==================== Find3M ====================

2008-11-14 22:46 <DIR> acd----- c:\program files\Yahoo! Games
2008-11-14 22:39 <DIR> acd----- c:\program files\Color Schemer Studio
2008-11-14 22:27 <DIR> acd----- c:\program files\Microsoft Picture It! 7
2008-11-14 22:15 <DIR> acd----- c:\program files\Animated GIF producer 3.2 TRIAL
2008-11-14 21:56 <DIR> a-d----- c:\docume~1\owner\applic~1\uTorrent
2008-11-12 22:37 <DIR> acd----- c:\program files\SimPE
2008-11-12 22:36 <DIR> acd----- c:\program files\Paint.NET
2008-11-12 22:34 <DIR> acd----- c:\program files\Fish Tycoon
2008-11-08 20:06 438,652 ac------ c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2008-11-08 18:35 <DIR> --d----- c:\program files\Network Stumbler
2008-11-07 19:26 348,160 ac------ c:\windows\system32\msvcr71.dll
2008-11-07 19:26 499,712 ac------ c:\windows\system32\msvcp71.dll
2008-11-06 19:03 <DIR> acd----- c:\docume~1\owner\applic~1\WeatherBug
2008-10-31 08:29 <DIR> acd----- c:\program files\Microsoft Games
2008-10-31 08:23 <DIR> acd----- c:\program files\Yahoo!
2008-10-31 08:22 <DIR> acd----- c:\program files\MySpace
2008-10-31 08:19 6,596 ac------ c:\windows\system32\ealregsnapshot1.reg
2008-10-31 06:48 <DIR> --d----- c:\program files\ICL-Icon Extractor(2)
2008-10-20 10:54 2,568 ac-sh--- c:\windows\system32\UEKjPXbc.ini2
2008-10-17 17:08 <DIR> acd----- c:\program files\The Game Of LIFE PTS
2008-10-13 08:14 <DIR> --d----- c:\program files\Neopets
2008-10-06 19:51 <DIR> --d----- c:\program files\Virtools
2008-10-06 11:55 <DIR> --d----- c:\program files\Hooked on Phonics Learning
2008-09-22 23:16 <DIR> --d----- c:\program files\Adobe Media Player
2008-09-22 15:47 <DIR> --d----- c:\docume~1\owner\applic~1\SPORE
2008-09-14 20:41 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-07-21 15:34 <DIR> a-d----- c:\docume~1\owner\applic~1\SoundSpectrum
2008-07-21 15:26 <DIR> a-d-h--- c:\docume~1\owner\applic~1\Move Networks
2008-06-26 11:09 <DIR> a-d----- c:\docume~1\owner\applic~1\Aveyond II
2008-06-17 06:39 <DIR> a-d----- c:\docume~1\owner\applic~1\Skinux
2008-06-11 21:43 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\HipSoft
2008-06-11 21:06 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Escape From Paradise
2008-06-10 17:14 <DIR> a-d----- c:\docume~1\owner\applic~1\Neopets Toolbar
2008-05-19 09:14 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Source
2008-05-18 15:22 <DIR> a-d----- c:\docume~1\owner\applic~1\Webcammax
2008-05-16 13:37 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2008-05-09 18:19 <DIR> a-d----- c:\docume~1\owner\applic~1\SystemRequirementsLab
2008-05-01 18:07 <DIR> a-d----- c:\docume~1\owner\applic~1\Windows Live Writer
2008-04-29 21:01 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Kodak
2008-03-26 13:03 <DIR> a-d----- c:\docume~1\owner\applic~1\Feedreader
2008-03-23 18:45 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-03-23 18:45 <DIR> a-d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2008-03-22 15:42 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-03-18 18:51 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Bin List Bait Real
2008-03-17 16:04 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-03-17 15:25 <DIR> a-d----- c:\docume~1\owner\applic~1\Uniblue
2008-03-15 20:02 <DIR> a-d----- c:\docume~1\owner\applic~1\SmartDraw
2008-03-14 16:31 <DIR> a-d----- c:\docume~1\owner\applic~1\MySpace
2008-02-27 11:35 <DIR> a-d----- c:\docume~1\owner\applic~1\School Zone Preferences
2008-01-26 09:35 <DIR> a-d----- c:\docume~1\owner\applic~1\Intuit
2007-09-13 07:28 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\U3
2007-06-12 14:31 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2007-05-16 18:49 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\espionServerData
2007-05-15 08:08 <DIR> a-d----- c:\docume~1\owner\applic~1\HoleHtmReadme
2007-04-29 20:03 <DIR> a-d----- c:\docume~1\owner\applic~1\PlayFirst
2007-04-29 20:03 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\PlayFirst
2007-03-09 15:35 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Sandlot Games
2007-03-07 21:48 <DIR> a-d----- c:\docume~1\owner\applic~1\Ovusoft
2007-02-28 11:30 <DIR> a-d----- c:\docume~1\owner\applic~1\Flock
2006-12-27 21:27 <DIR> a-d----- c:\docume~1\owner\applic~1\MPEG Streamclip
2006-12-27 15:52 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\WhiteCap (Holiday Edition)
2006-12-23 11:03 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\SRS Labs
2006-10-03 16:33 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Adobe(2)
2006-08-09 16:16 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\YAMAHA
2006-01-28 13:59 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-01-01 12:09 <DIR> a-d----- c:\docume~1\owner\applic~1\MSNInstaller
2005-12-31 15:32 <DIR> a-d----- c:\docume~1\owner\applic~1\Trend Micro
2005-10-30 23:01 <DIR> a-d----- c:\docume~1\owner\applic~1\Software602
2005-10-30 19:09 <DIR> a-d----- c:\docume~1\owner\applic~1\ACD Systems
2005-08-09 22:22 <DIR> a-d----- c:\docume~1\owner\applic~1\Webshots
2005-07-26 21:36 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\PopCap
2005-07-23 22:49 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Trymedia
2005-04-19 21:31 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\XemiComputers
2005-04-11 15:20 <DIR> a-d----- c:\docume~1\owner\applic~1\Digital Album Organizer
2005-03-29 08:15 <DIR> a-d----- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2005-03-25 11:27 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Broderbund LLC
2005-03-25 11:27 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Broderbund Software
2004-01-14 14:59 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2004-01-14 14:54 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2004-01-14 14:48 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Prism Deploy
2004-08-04 14:00 94,784 ac-sh--- c:\windows\twain.dll
2004-08-04 14:00 50,688 ac-sh--- c:\windows\twain_32.dll
2008-03-19 09:50 1,307,297 ac-sh--- c:\windows\system32\anaxqqoe.ini2
2004-08-04 14:00 54,784 ac-sh--- c:\windows\system32\msvcirt.dll
2004-08-04 14:00 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2004-08-04 14:00 11,776 ac-sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 13:13:27.87 ===============


Now I'm sorry if I've missed a step, but the instructions didn't seem clear to me as far as the "attach.txt" goes... so if I needed to do it then I will try. I am truly not trying to waste your time. I just didn't understand it.

thank you
Sugar.Tears is offline  
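A triage script for the DDS output posted above, added here as an example (it is not part of the thread and not a DDS or TSF tool). It parses the "Psuedo HJT Report" and "Created Last 30" sections and flags four things a helper would look at in this log: .ini/.ini2 files in system32 whose name is the reverse of a freshly created sibling (GhhhgMoq.ini beside qoMghhhG.dll, and NmnUuBeg.ini beside the DLL-sized geBuUnmN1.gif), winlogon Notify entries that name a DLL without a path, any LSA Authentication Packages entry beyond the stock msv1_0, and report lines that load a file created in system32 within the last 30 days. The embedded log is a constructed excerpt of the one posted, and the "last 30 days" window is simply what DDS puts in that section.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DDS log posted in the thread, trimmed to the lines
# the checks below need (blank separator lines removed).
SAMPLE_LOG = r"""
============== Psuedo HJT Report ===============
BHO: {63499DDC-582C-4558-89FB-46A4579B8D3D} - c:\windows\system32\qoMghhhG.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: ljjhhii - ljjhhii.dll
Notify: wvUklJAS - wvUklJAS.dll
SEH: {4816822F-6BB2-4314-A4DA-D5909E06D766} - c:\windows\system32\wvUklJAS.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMghhhG
=============== Created Last 30 ================
2008-11-13 12:19 <DIR> --d----- c:\program files\Skype
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini2
2008-11-13 09:11 832 ac-sh--- c:\windows\system32\GhhhgMoq.ini
2008-11-13 09:11 313,856 -c------ c:\windows\system32\qoMghhhG.dll
2008-11-13 01:11 524 ac-sh--- c:\windows\system32\CLlUuBeg.ini
2008-11-13 01:11 313,856 ac------ c:\windows\system32\geBuUlLC9.dll
2008-11-11 10:55 7,581 ac-sh--- c:\windows\system32\NmnUuBeg.ini
2008-11-11 10:55 313,856 ac------ c:\windows\system32\geBuUnmN1.gif
2008-11-08 22:44 670 ac------ c:\windows\system32\WLAN.INI
2008-11-06 10:21 410,976 ac------ c:\windows\system32\deploytk.dll
2008-10-21 11:05 29,696 ac------ c:\windows\system32\wvUklJAS.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # stock value of the LSA key on Windows XP
INI_EXTS = (".ini", ".ini2")


def parse_sections(text):
    """Group the non-blank lines of a DDS log under the '=== Title ===' banner above them."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).lower()
        elif current is not None:
            sections[current].append(line)
    return sections


def system32_created(sections):
    """Map lower-cased file name -> full path for Created-Last-30 files directly in system32."""
    files = {}
    for line in sections.get("created last 30", []):
        m = CREATED_RE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue
        path = m.group(5)
        # exactly c:\windows\system32\<name>; sub-folders such as \drivers are out of scope
        if path.lower().startswith("c:\\windows\\system32\\") and path.count("\\") == 3:
            files[path.rsplit("\\", 1)[1].lower()] = path
    return files


def reversed_name_pairs(files):
    """Pair each .ini/.ini2 with a sibling whose stem begins with the ini stem spelled backwards."""
    inis = [n for n in files if n.endswith(INI_EXTS)]
    pairs = []
    for ini in inis:
        stem = ini.split(".", 1)[0]
        if len(stem) < 4:  # too short for the reversal to mean anything
            continue
        for other in files:
            if other not in inis and other.split(".", 1)[0].startswith(stem[::-1]):
                pairs.append((files[ini], files[other]))
    return pairs


def triage(text):
    """Run all checks and return a list of (category, detail) findings."""
    sections = parse_sections(text)
    created = system32_created(sections)
    findings = [("reversed-name pair", f"{ini} <-> {twin}")
                for ini, twin in reversed_name_pairs(created)]
    # stems of freshly created non-ini files, long enough not to match by accident
    fresh = {n.split(".", 1)[0] for n in created
             if not n.endswith(INI_EXTS) and len(n.split(".", 1)[0]) >= 6}
    for line in sections.get("psuedo hjt report", []):
        kind, _, rest = line.partition(": ")
        if kind == "Notify":
            _, _, dll = rest.partition(" - ")
            if dll and "\\" not in dll:  # bare name: loaded from the search path, not a known file
                findings.append(("pathless winlogon Notify DLL", line))
        elif kind == "LSA" and rest.startswith("Authentication Packages"):
            _, _, value = rest.partition("=")
            for pkg in value.split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("extra LSA authentication package", pkg))
        if any(stem in line.lower() for stem in fresh):
            findings.append(("loads file created in last 30 days", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the full DDS log the same checks also pair CLlUuBeg.ini with geBuUlLC9.dll and tie the BHO, SEH and LSA entries back to files created in system32 during the same week, which is the cross-reference a helper makes by eye.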
Old 11-16-2008, 12:07 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  2. Click Upload.

If you can't attach the Attach.txt, simply post it in your next reply.

There should also be a log from GMER. Attach that as well, or post it if you can't attach it.
tetonbob is offline  
Old 11-16-2008, 02:02 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

OK.. a big oops on my part.. I DO have the GMER log... it's the attach.txt that I was confused about, because I don't know what program it's coming from and what I was supposed to do to get it (my brain hasn't wanted to work lately...). I really don't know what I missed... sorry

Here's the gmer.txt at least.
Attached Files
File Type: txt gmer.txt (19.7 KB, 1 views)
Sugar.Tears is offline  
Old 11-16-2008, 02:30 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Attach.txt would have come from the secondary scan of DDS. If I need the information, I'll ask for it later. Moving forward, I need you to carefully read these instructions, and ask questions if you have them before beginning.


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

  8. Please go to Start > Run and copy/paste the following, then press Enter:

    C:\QooBox\Add-Remove Programs.txt

    A text file should open. Please post the contents of that file in your next reply.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-16-2008, 04:22 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

just to warn you... when it automatically restarted there were programs that start up automatically that I couldn't stop right away... I don't know how it would have affected the combofix... but I thought I should give you a heads up if somehow it turns out to have messed up the log

sorry

a big ps... I would like to remove the links to my favorites asap. I'm just not actually sure how that info is relevant.


~Combofix~

ComboFix 08-11-16.01 - Owner 2008-11-16 16:48:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.545 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\documents and settings\Owner\My Documents\My Documents.url
c:\documents and settings\Owner\My Documents\My Music\My Music.url
c:\documents and settings\Owner\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Owner\My Documents\My Videos\My Video.url
c:\windows\BM1b2fa640.txt
c:\windows\BM1b2fa640.xml
c:\windows\cookies.ini
c:\windows\k.txt
c:\windows\pskt.ini
c:\windows\system32\~.exe
c:\windows\system32\anaxqqoe.ini
c:\windows\system32\anaxqqoe.ini2
c:\windows\system32\anaxqqoe.tmp
c:\windows\system32\c.ico
c:\windows\system32\CLlUuBeg.ini
c:\windows\system32\CLlUuBeg.ini2
c:\windows\system32\drivers\npf.sys
c:\windows\system32\essrscuw.ini
c:\windows\system32\geBuUlLC9.dll
c:\windows\system32\GhhhgMoq.ini
c:\windows\system32\GhhhgMoq.ini2
c:\windows\system32\hgGyaYom.dll
c:\windows\system32\ieoctkqs.ini
c:\windows\system32\ikdntakt.ini
c:\windows\system32\IQrtsBeg.ini
c:\windows\system32\IQrtsBeg.ini2
c:\windows\system32\jruglbqf.ini
c:\windows\system32\ldpopvyv.ini
c:\windows\system32\m.ico
c:\windows\system32\mcrh.tmp
c:\windows\system32\NmnUuBeg.ini
c:\windows\system32\NmnUuBeg.ini2
c:\windows\system32\opnkhebC.dll
c:\windows\system32\owhwxopl.ini
c:\windows\system32\packet.dll
c:\windows\system32\qoMfffCt.dll
c:\windows\system32\qoMghhhG.dll
c:\windows\system32\s.ico
c:\windows\system32\UEKjPXbc.ini
c:\windows\system32\UEKjPXbc.ini2
c:\windows\system32\wpcap.dll
c:\windows\system32\wvUklJAS.dll
c:\windows\system32\yogmxoiw.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FREEZESCREENSAVER
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-15 22:19 . 2008-11-16 13:38 250 --a--c--- c:\windows\gmer.ini
2008-11-13 12:19 . 2008-11-13 12:19 <DIR> d-------- c:\program files\Skype
2008-11-13 12:19 . 2008-11-13 12:19 <DIR> d----c--- c:\program files\Common Files\Skype
2008-11-11 10:55 . 2008-11-11 10:55 313,856 --a--c--- c:\windows\system32\geBuUnmN1.gif
2008-11-08 22:45 . 2008-11-08 22:45 17,801 --a--c--- c:\windows\system32\drivers\AegisP.sys
2008-11-08 22:44 . 2008-11-08 22:44 <DIR> d-------- c:\program files\Linksys
2008-11-08 22:44 . 2005-02-01 18:18 17,992 --a--c--- c:\windows\system32\bcm42rly.sys
2008-11-08 22:44 . 2008-11-08 22:44 670 --a--c--- c:\windows\system32\WLAN.INI
2008-11-07 19:29 . 2008-11-07 19:29 <DIR> d----c--- c:\program files\Common Files\xing shared
2008-11-07 17:31 . 2008-11-07 17:31 <DIR> d----c--- c:\program files\Common Files\Apple
2008-11-07 17:22 . 2008-11-07 17:22 54,156 --ah-c--- c:\windows\QTFont.qfn
2008-11-07 17:22 . 2008-11-07 17:22 1,409 --a--c--- c:\windows\QTFont.for
2008-11-06 19:12 . 2008-11-07 08:49 96,976 --a--c--- c:\windows\system32\drivers\klin.dat
2008-11-06 19:12 . 2008-11-06 19:12 87,855 --a--c--- c:\windows\system32\drivers\klick.dat
2008-11-06 19:09 . 2008-11-06 19:09 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-06 19:09 . 2008-11-16 17:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-06 19:08 . 2008-11-16 16:57 4,877,856 --ahsc--- c:\windows\system32\drivers\fidbox.dat
2008-11-06 19:08 . 2008-11-16 16:57 950,304 --ahsc--- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 19:08 . 2008-11-16 16:57 39,188 --ahsc--- c:\windows\system32\drivers\fidbox.idx
2008-11-06 19:08 . 2008-11-16 16:57 4,328 --ahsc--- c:\windows\system32\drivers\fidbox2.idx
2008-11-06 18:56 . 2008-11-06 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-06 18:22 . 2008-11-06 18:22 <DIR> d-------- c:\program files\Alwil Software
2008-11-06 10:21 . 2008-11-06 10:20 410,976 --a--c--- c:\windows\system32\deploytk.dll
2008-11-05 11:54 . 2008-11-05 11:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-02 09:48 . 2008-11-02 09:48 <DIR> d-------- c:\program files\Curse
2008-10-31 05:44 . 2008-10-31 05:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-30 18:41 . 2008-10-30 18:41 <DIR> d-------- C:\Logs
2008-10-30 10:14 . 2008-11-16 12:34 <DIR> d-a--c--- c:\program files\World of Warcraft
2008-10-29 19:30 . 2008-10-30 10:46 <DIR> d----c--- c:\program files\Common Files\Blizzard Entertainment
2008-10-22 10:57 . 2008-10-22 10:57 <DIR> d-------- c:\program files\Panda Security
2008-10-21 11:27 . 2008-11-07 18:34 343 --ahsc--- c:\windows\system32\WEhjknpo.ini
2008-10-20 17:45 . 2008-11-11 11:08 <DIR> d-------- c:\documents and settings\Owner\Application Data\.purple
2008-10-20 17:44 . 2008-10-20 17:45 <DIR> d-------- c:\program files\Pidgin
2008-10-20 12:22 . 2008-10-20 12:22 230 --a--c--- c:\windows\system32\spupdsvc.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 20:57 --------- d---a-w c:\documents and settings\Owner\Application Data\Skype
2008-11-16 17:22 --------- d---a-w c:\documents and settings\Owner\Application Data\skypePM
2008-11-15 03:46 --------- dc--a-w c:\program files\Yahoo! Games
2008-11-15 03:39 --------- dc--a-w c:\program files\Color Schemer Studio
2008-11-15 03:36 --------- dc--a-w c:\program files\Microsoft Works
2008-11-15 03:27 --------- dc--a-w c:\program files\Microsoft Picture It! 7
2008-11-15 03:15 --------- dc--a-w c:\program files\Animated GIF producer 3.2 TRIAL
2008-11-15 03:13 --------- dc--a-w c:\program files\Common Files\Adobe
2008-11-15 02:56 --------- d---a-w c:\documents and settings\Owner\Application Data\uTorrent
2008-11-13 03:37 --------- dc--a-w c:\program files\SimPE
2008-11-13 03:36 --------- dc--a-w c:\program files\Paint.NET
2008-11-13 03:34 --------- dc--a-w c:\program files\Fish Tycoon
2008-11-08 23:35 --------- d-----w c:\program files\Network Stumbler
2008-11-08 23:20 --------- dc-h--w c:\program files\InstallShield Installation Information
2008-11-08 00:26 499,712 -c--a-w c:\windows\system32\msvcp71.dll
2008-11-08 00:26 348,160 -c--a-w c:\windows\system32\msvcr71.dll
2008-11-07 22:33 --------- dc--a-w c:\program files\QuickTime
2008-11-07 22:30 --------- d---a-w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-07 02:43 --------- dc--a-w c:\program files\Opera
2008-11-07 00:03 --------- dc--a-w c:\documents and settings\Owner\Application Data\WeatherBug
2008-11-06 15:20 --------- dc--a-w c:\program files\Java
2008-10-31 13:34 --------- d-----w c:\program files\Google
2008-10-31 13:29 --------- dc--a-w c:\program files\Microsoft Games
2008-10-31 13:23 --------- dc--a-w c:\program files\Yahoo!
2008-10-31 13:22 --------- dc--a-w c:\program files\MySpace
2008-10-31 13:19 6,596 -c--a-w c:\windows\system32\ealregsnapshot1.reg
2008-10-31 11:48 --------- d-----w c:\program files\ICL-Icon Extractor(2)
2008-10-30 15:53 --------- d---a-w c:\documents and settings\Owner\Application Data\U3
2008-10-22 14:12 --------- d---a-w c:\documents and settings\Owner\Application Data\gtk-2.0
2008-10-20 19:18 --------- dc--a-w c:\program files\Trillian
2008-10-17 22:08 --------- dc--a-w c:\program files\The Game Of LIFE PTS
2008-10-14 21:01 --------- d-----w c:\program files\Mozilla Thunderbird
2008-10-14 20:36 --------- d-----w c:\documents and settings\Owner\Application Data\Thunderbird
2008-10-13 13:14 --------- d-----w c:\program files\Neopets
2008-10-07 00:51 --------- d-----w c:\program files\Virtools
2008-10-06 16:55 --------- dc--a-w c:\program files\Common Files\InstallShield
2008-10-06 16:55 --------- d-----w c:\program files\Hooked on Phonics Learning
2008-09-29 15:40 --------- d-----w c:\documents and settings\Guest\Application Data\MySpace
2008-09-23 04:16 --------- dc----w c:\program files\Common Files\Adobe AIR
2008-09-23 04:16 --------- d-----w c:\program files\Adobe Media Player
2008-09-22 20:47 --------- d-----w c:\documents and settings\Owner\Application Data\SPORE
2008-09-15 01:41 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-03 22:54 6,144 --sha-w c:\program files\Thumbs.db
2008-07-19 16:46 197 -csha-w c:\program files\Common Files\maxtreme.dat
2008-05-19 14:12 315 ----a-w c:\documents and settings\All Users\Application Data\Setting.dat
2006-05-15 13:23 694 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2003-08-05 15:41 53,248 -c--a-w c:\windows\inf\ap561.exe
2002-11-26 20:24 32,768 -c--a-w c:\windows\inf\Remove561.exe
2002-11-22 19:56 118,784 -c--a-w c:\windows\inf\ShowBmp.exe
2002-10-29 22:07 36,864 -c--a-w c:\windows\inf\Setup8a.exe
2002-10-01 18:43 119,798 -c--a-w c:\windows\inf\spca561.sys
2004-08-04 19:00 94,784 -csha-w c:\windows\twain.dll
2004-08-04 19:00 50,688 -csha-w c:\windows\twain_32.dll
2004-08-04 19:00 54,784 -csha-w c:\windows\system32\msvcirt.dll
2004-08-04 19:00 413,696 --sha-w c:\windows\system32\msvcp60.dll
2004-08-04 19:00 11,776 -csha-w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-05-15 581632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= xgusb.cpl
"midi3"= xgusb.cpl

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\602PC SUITE PDF Saver]
--a--c--- 2005-08-31 15:00 49152 c:\program files\Common Files\soft602\pdfSaver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-10-10 14:56 4789760 c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2002-06-17 07:41 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--ahsc--- 2003-04-14 20:05 1498032 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a--c--- 2004-06-03 23:51 131072 c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]
--a--c--- 2004-05-19 13:29 385024 c:\program files\PDF\pdfSaver\pdfSaver3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2004-08-27 12:50 970752 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2003-10-31 22:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-29 17:57 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2008-11-07 19:25 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2005-04-01 15:16 1495040 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\internet-html stuff\\wowclient-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-26 14336]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S2 WUSB54GSC;WUSB54GSC;"c:\program files\Linksys\WUSB54GSC\WLService.exe" "WUSB54GSC.exe" [2008-11-08 53307]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]
S3 PRISM_USB;IEEE 802.11 Wireless USB Driver;c:\windows\system32\DRIVERS\EXPSUSB.sys [2005-12-06 626688]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\DRIVERS\superwebcam.sys [2008-05-18 31872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-02 c:\windows\Tasks\87D5C7B988D27B1D.job
- c:\docume~1\owner\applic~1\holeht~1\Balm Road Chin.exe []

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-15 c:\windows\Tasks\At25.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At26.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-13 c:\windows\Tasks\At27.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At28.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At29.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At30.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At31.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At32.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At33.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-10 c:\windows\Tasks\At34.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-14 c:\windows\Tasks\At35.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-14 c:\windows\Tasks\At36.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-14 c:\windows\Tasks\At37.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At38.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At39.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-14 c:\windows\Tasks\At40.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At41.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At42.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-14 c:\windows\Tasks\At43.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-15 c:\windows\Tasks\At44.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-15 c:\windows\Tasks\At45.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-15 c:\windows\Tasks\At46.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At47.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-16 c:\windows\Tasks\At48.job
- c:\windows\system32\LG40T3xr.exe []

2008-07-01 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 14:00]

2008-11-15 c:\windows\Tasks\{B3C9C5B3-74A9-4B50-8EE8-9B09412B6C63}_YOUR-A89364AE2A_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 14:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{10EDED71-F637-4A0D-8215-0DD37D2DBA33} - (no file)
BHO-{1B217C1F-808C-4E4B-9406-2A0D0B82D71c} - (no file)
BHO-{20BA195A-CC9F-4758-9704-9A85B327FD92} - (no file)
BHO-{39D38EF7-8977-4D35-809F-D1F93B57A076} - (no file)
BHO-{3E57EDA7-E1A5-4596-A64C-588124F097C3} - c:\windows\system32\qoMghhhG.dll
BHO-{4816822F-6BB2-4314-A4DA-D5909E06D766} - c:\windows\system32\wvUklJAS.dll
BHO-{4DCCE285-A216-4688-9BEB-01DF350CB993} - (no file)
BHO-{586CF947-60B0-46F4-B0BC-263E62F9B027} - (no file)
BHO-{6821277A-8D7A-490D-B0B8-C726BAA392E6} - (no file)
BHO-{78D0109B-F26B-4DFD-84F2-D6241F83D3Bc} - (no file)
BHO-{7FA2C82D-45DB-44DA-AEA5-FCEF6B56B39B} - (no file)
BHO-{8309D49C-63EB-496E-B6DF-6EE841B429Db} - (no file)
BHO-{89EF8955-D3AE-4010-8B9C-DC2E1E006FF8} - (no file)
BHO-{8E6D4695-9AD1-4847-BF93-084596C19D07} - (no file)
BHO-{8F69D726-0E77-44AA-8D7F-A2FF3BA12499} - (no file)
BHO-{973C7FB1-0939-46C8-AFDC-16160AAFCE18} - (no file)
BHO-{A92B2F60-0796-47E9-8A74-981FECFF7D73} - (no file)
BHO-{AD26E570-06B8-4AA0-8284-00AF3CF238B3} - (no file)
BHO-{B1BED5D6-0377-427F-9E96-3C8B607E76B7} - (no file)
BHO-{C962F08E-E77D-48DF-909D-67624D30BD39} - (no file)
BHO-{DFA96F1D-B987-488E-870C-6E74211CE672} - (no file)
BHO-{F88079E3-C5CB-4B6E-9434-DFEDB2C44BEC} - (no file)
BHO-{FA31F019-8346-4E93-B6A5-3DAC97A360Fd} - (no file)
ShellExecuteHooks-{4816822F-6BB2-4314-A4DA-D5909E06D766} - c:\windows\system32\wvUklJAS.dll
Notify-ljjhhii - ljjhhii.dll
Notify-rqRIaWMe - rqRIaWMe.dll
Notify-yayxyvv - yayxyvv.dll
MSConfigStartUp-BM1b2fa640 - c:\windows\system32\mmsucbai.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-CXMon - c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-NCLaunch - c:\windows\NCLAUNCH.EXe
MSConfigStartUp-Spyware Doctor - c:\progra~1\SPYWAR~1\swdoctor.exe
MSConfigStartUp-SpywareTerminator - c:\program files\Spyware Terminator\SpywareTerminatorShield.exe
MSConfigStartUp-WebcamMaxMoniter - c:\program files\WebcamMax\wcmmon.exe
MSConfigStartUp-{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - c:\program files\Google\Gmail Notifier\gnotify.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k5qjw712.default\
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k5qjw712.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 17:02:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\scardsvr.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-16 17:13:52 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-16 22:13:48

Pre-Run: 20,248,092,672 bytes free
Post-Run: 20,170,371,072 bytes free

400 --- E O F --- 2008-06-05 01:30:00



~Add-Remove Programs.txt~


Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Reader 8.1.3
Adobe Shockwave Player 11
AMCap
American Greetings CreataCard Select 6
AnswerWorks 4.0 Runtime - English
Apple Software Update
Aspell English Dictionary-0.50-2
Caillou's Alphabet
Caillou's Colors Shapes
Caillou's Counting
Caillou's Thinking Skills
CCleaner (remove only)
CCScore
CEP - Color Enable Package
CiD Help
Colors, Shapes & More
Compact Wireless-G USB Network Adapter with SpeedBooster
Curse Client
Defraggler (remove only)
Digital Media Reader
DirectX for Managed Code Update (Summer 2004)
EA Download Manager
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
FeedReader
Flock (Photobucket Edition) 0.7
Gammadyne Spell Checking Module
GNU Aspell 0.50-3
GTK+ Runtime 2.12.12 rev a (remove only)
HijackThis 2.0.2
hp deskjet 3320 series (Remove only)
Insert Code for Windows Live Writer
Insert Emoticon Plugin
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 10
Java(TM) 6 Update 5
Kaspersky Internet Security 2009
kgcbase
Kodak EasyShare software
Kudos (remove only)
LAN-Express IEEE 802.11b WLAN
Logitech Desktop Messenger
Logitech SetPoint
ManyCam 2.2 (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2000
Microsoft® Winter Fun Pack 2004 for Windows® XP
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero BurnRights
Nero OEM
netbrdg
Network Stumbler 0.4.0 (remove only)
NVIDIA DDS Utilities
NVIDIA Drivers
NvMixer
Office Suite 2005
OfotoXMI
oobeFlagNetscape0
Opera 9.62
Panda ActiveScan
Philips PC Camera
Photo Story 3 for Windows
Pidgin
PowerDVD
PrintMaster 12
QuickTime
RealMedia (remove only)
RealPlayer
Recover Files 2.0
Recuva (remove only)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
SFR
SHASTA
Shockwave
skin0001
SKINXSDK
Skype™ 3.8
Smiley for WLW
Soft Data Fax Modem with SmartCP
Spelling Dictionaries Support For Adobe Reader 8
SPORE™
staticcr
System Requirements Lab
Taking Charge of Your Fertility Software
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 HomeCrafter Plus
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims Complete Collection
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
tooltips
Trillian
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
U3Launcher
upapp
URGE
USB Driver
USB MassStorage CardReader
VPRINTOL
WebFldrs XP
WexTech AnswerWorks
WhiteCap
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Creativity Fun Packs - Windows Media Player 9 Series
Windows XP Creativity Fun Packs - Windows XP Power Toys
WinRAR archiver
WinZip
WIRELESS
Works Suite OS Pack
World of Warcraft
Yahoo! Browser Services
Yahoo! Messenger
YAMAHA Musicsoft Downloader 5

Last edited by tetonbob; 11-16-2008 at 06:54 PM. Reason: edited personal info per user request
Sugar.Tears is offline  
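Two parts of the ComboFix log above carry most of the signal a helper looks for: the Security Center keys that silence antivirus, firewall and update warnings, and the run of At*.job scheduled tasks all pointing at one oddly named .exe in system32. The following Python triage helper is an added example (not ComboFix's, tetonbob's or the forum's code) that reads those two sections in the log format shown above and reports them; the SAMPLE_LOG excerpt is constructed from entries in the posted log, and the KNOWN_HOSTS set is an assumed allow-list of Windows binaries that legitimately appear as task targets.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

It extracts two things from the 'Reg Loading Points' and 'Scheduled Tasks'
sections: Security Center DWORDs that are set (i.e. warnings suppressed) and
AT-scheduler jobs (At<N>.job) whose target is an .exe dropped into system32.
"""
import re
from collections import Counter

# Constructed excerpt in the format of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-15 c:\windows\Tasks\At25.job
- c:\windows\system32\LG40T3xr.exe []

2008-11-12 c:\windows\Tasks\At26.job
- c:\windows\system32\LG40T3xr.exe []

2008-07-01 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 14:00]
.
"""

SEC_CENTER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center[^\]]*\]$", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
TASK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\tasks\\.+\.job)$", re.I)
TARGET_LINE = re.compile(r"^- (?P<target>.+?)\s*\[[^\]]*\]$")
SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\([^\\]+\.exe)$", re.I)

# Assumed allow-list: Windows host binaries that are normal task targets.
KNOWN_HOSTS = {"rundll32.exe", "mobsync.exe"}


def security_center_overrides(log):
    """Return (registry key, value name) pairs under Security Center whose
    DWORD is non-zero, i.e. a notification or monitor has been switched off."""
    found, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a registry block
            current = None
            continue
        if line.startswith("["):
            current = line.strip("[]") if SEC_CENTER_KEY.match(line) else None
            continue
        m = VALUE_LINE.match(line) if current else None
        if m and int(m.group(2), 16) != 0:
            found.append((current, m.group(1)))
    return found


def scheduled_tasks(log):
    """Pair each '<date> <path>.job' line with the '- <target> [...]' line after it."""
    tasks, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = TASK_LINE.match(line)
        if m:
            pending = m.group("job")
            continue
        m = TARGET_LINE.match(line)
        if m and pending:
            tasks.append((pending, m.group("target")))
            pending = None
    return tasks


def suspicious_tasks(log):
    """Count At<N>.job tasks per target .exe living directly in system32,
    ignoring known host binaries; many jobs for one binary is the pattern
    seen in the log above (At25.job .. At48.job -> LG40T3xr.exe)."""
    counter = Counter()
    for job, target in scheduled_tasks(log):
        m = SYSTEM32_EXE.match(target)
        if not m or m.group(1).lower() in KNOWN_HOSTS:
            continue
        if re.search(r"\\At\d+\.job$", job, re.I):
            counter[m.group(1)] += 1
    return dict(counter)


if __name__ == "__main__":
    for key, name in security_center_overrides(SAMPLE_LOG):
        print(f"Security Center override: {name} under {key}")
    for exe, n in suspicious_tasks(SAMPLE_LOG).items():
        print(f"{n} AT jobs run {exe} from system32")
```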
Old 11-16-2008, 06:28 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Hello -

We have more work to do, but before we continue, I need you to clarify something for me.

Quote:
I would like to remove the links to my favorites asap I'm just not actually sure how that info is relevant.
Please explain.
tetonbob is offline  
Old 11-16-2008, 06:52 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

edit:
never mind... I guess it's gone
sorry

Last edited by Sugar.Tears; 11-16-2008 at 06:57 PM.
Sugar.Tears is offline  
Old 11-16-2008, 06:57 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

I see, ok. The supplementary scan reports non-standard entries, which can be malware, which is why they get posted. I've removed them from your post per request.

I'll be back in a short while with the next instructions.
Old 11-16-2008, 07:17 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that no browsers are open while you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 5


These are all outdated, and leaving them installed is a security risk. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should.

Leave Java(TM) 6 Update 10 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. (what you did last time seemed to be fine)
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/312646-definite-virus-post1807487.html#post1807487

    File::
    c:\windows\Tasks\87D5C7B988D27B1D.job
    c:\windows\system32\LG40T3xr.exe
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job

    Folder::
    c:\docume~1\owner\applic~1\holeht~1

    Suspect::[28]
    c:\windows\system32\geBuUnmN1.gif

    Collect::[28]
    c:\windows\system32\WEhjknpo.ini

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
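The Java step above rests on one comparison that is easy to get wrong by hand or with a plain string sort ("Update 10" sorts before "Update 2" as text). As an added example, not from this thread and not part of the DDS or HijackThis tools, here is a small Python check that takes Add/Remove display names in the two forms that appear on this page and reports which JRE is the newest and which ones are leftovers. The INSTALLED list is a constructed subset of the names shown in this thread; on a live XP machine the same strings are the DisplayName values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

```python
import re

# Add/Remove Programs entries as the DDS list in this thread shows them
# (constructed subset for the example; the checker is added code, not DDS's).
INSTALLED = [
    "Adobe Reader 8.1.3",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java(TM) 6 Update 10",
    "Java(TM) 6 Update 5",
    "Kaspersky Internet Security 2009",
]

# Sun used two display-name schemes for the JRE in this period:
#   "J2SE Runtime Environment 5.0 Update N"  (Java 5)
#   "Java(TM) 6 Update N"                    (Java 6)
# Both reduce to a (major, update) pair that sorts numerically.
_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.\d+(?: Update (\d+))?$")
_JAVA = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")


def parse_jre(name):
    """(major, update) for a JRE display name, or None for anything else."""
    m = _J2SE.match(name)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _JAVA.match(name)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def stale_jres(installed):
    """Return (newest_entry, [older entries]) among the JREs in `installed`."""
    jres = []
    for name in installed:
        version = parse_jre(name)
        if version is not None:
            jres.append((version, name))
    if not jres:
        return None, []
    jres.sort(key=lambda t: t[0])          # numeric: Update 10 > Update 9
    return jres[-1][1], [name for _, name in jres[:-1]]


if __name__ == "__main__":
    keep, remove = stale_jres(INSTALLED)
    print("keep:  ", keep)
    for name in remove:
        print("remove:", name)
```

For the list on this page the check keeps "Java(TM) 6 Update 10" and reports the four older entries, which is the same set the analyst asked to have uninstalled. Anything that does not match either naming scheme (Java Web Start, JDKs, browser plug-ins) is ignored rather than guessed at.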
Old 11-16-2008, 08:03 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

It's submitted... and thanks for deleting the stuff for me; sorry for the confusion.

ComboFix 08-11-16.01 - Owner 2008-11-16 21:45:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.655 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\LG40T3xr.exe
c:\windows\Tasks\87D5C7B988D27B1D.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\owner\applic~1\holeht~1
c:\windows\system32\WEhjknpo.ini
c:\windows\Tasks\87D5C7B988D27B1D.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-15 22:19 . 2008-11-16 13:38 250 --a--c--- C:\WINDOWS\gmer.ini
2008-11-13 12:19 . 2008-11-13 12:19 <DIR> d-------- C:\Program Files\Skype
2008-11-13 12:19 . 2008-11-13 12:19 <DIR> d----c--- C:\Program Files\Common Files\Skype
2008-11-11 10:55 . 2008-11-11 10:55 313,856 --a--c--- C:\WINDOWS\system32\geBuUnmN1.gif
2008-11-08 22:45 . 2008-11-08 22:45 17,801 --a--c--- C:\WINDOWS\system32\drivers\AegisP.sys
2008-11-08 22:44 . 2008-11-08 22:44 <DIR> d-------- C:\Program Files\Linksys
2008-11-08 22:44 . 2005-02-01 18:18 17,992 --a--c--- C:\WINDOWS\system32\bcm42rly.sys
2008-11-08 22:44 . 2008-11-08 22:44 670 --a--c--- C:\WINDOWS\system32\WLAN.INI
2008-11-07 19:29 . 2008-11-07 19:29 <DIR> d----c--- C:\Program Files\Common Files\xing shared
2008-11-07 17:31 . 2008-11-07 17:31 <DIR> d----c--- C:\Program Files\Common Files\Apple
2008-11-07 17:22 . 2008-11-07 17:22 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-11-07 17:22 . 2008-11-07 17:22 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-11-06 19:12 . 2008-11-07 08:49 96,976 --a--c--- C:\WINDOWS\system32\drivers\klin.dat
2008-11-06 19:12 . 2008-11-06 19:12 87,855 --a--c--- C:\WINDOWS\system32\drivers\klick.dat
2008-11-06 19:09 . 2008-11-06 19:09 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-11-06 19:09 . 2008-11-16 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-11-06 19:08 . 2008-11-16 21:24 4,877,856 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.dat
2008-11-06 19:08 . 2008-11-16 21:24 950,304 --ahsc--- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-11-06 19:08 . 2008-11-16 21:24 39,188 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.idx
2008-11-06 19:08 . 2008-11-16 21:24 4,328 --ahsc--- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-11-06 18:56 . 2008-11-06 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-06 18:22 . 2008-11-06 18:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-11-06 10:21 . 2008-11-06 10:20 410,976 --a--c--- C:\WINDOWS\system32\deploytk.dll
2008-11-05 11:54 . 2008-11-05 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-11-02 09:48 . 2008-11-02 09:48 <DIR> d-------- C:\Program Files\Curse
2008-10-31 05:44 . 2008-10-31 05:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-30 18:41 . 2008-10-30 18:41 <DIR> d-------- C:\Logs
2008-10-30 10:14 . 2008-11-16 21:29 <DIR> d-a--c--- C:\Program Files\World of Warcraft
2008-10-29 19:30 . 2008-10-30 10:46 <DIR> d----c--- C:\Program Files\Common Files\Blizzard Entertainment
2008-10-22 10:57 . 2008-10-22 10:57 <DIR> d-------- C:\Program Files\Panda Security
2008-10-20 17:45 . 2008-11-11 11:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\.purple
2008-10-20 17:44 . 2008-10-20 17:45 <DIR> d-------- C:\Program Files\Pidgin
2008-10-20 12:22 . 2008-10-20 12:22 230 --a--c--- C:\WINDOWS\system32\spupdsvc.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 02:41 --------- dc--a-w C:\Program Files\Java
2008-11-17 01:21 --------- d---a-w C:\Documents and Settings\Owner\Application Data\Skype
2008-11-16 22:05 --------- d---a-w C:\Documents and Settings\Owner\Application Data\skypePM
2008-11-15 03:46 --------- dc--a-w C:\Program Files\Yahoo! Games
2008-11-15 03:39 --------- dc--a-w C:\Program Files\Color Schemer Studio
2008-11-15 03:36 --------- dc--a-w C:\Program Files\Microsoft Works
2008-11-15 03:27 --------- dc--a-w C:\Program Files\Microsoft Picture It! 7
2008-11-15 03:15 --------- dc--a-w C:\Program Files\Animated GIF producer 3.2 TRIAL
2008-11-15 03:13 --------- dc--a-w C:\Program Files\Common Files\Adobe
2008-11-15 02:56 --------- d---a-w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-11-13 03:37 --------- dc--a-w C:\Program Files\SimPE
2008-11-13 03:36 --------- dc--a-w C:\Program Files\Paint.NET
2008-11-13 03:34 --------- dc--a-w C:\Program Files\Fish Tycoon
2008-11-08 23:35 --------- d-----w C:\Program Files\Network Stumbler
2008-11-08 23:20 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-11-08 00:26 499,712 -c--a-w C:\WINDOWS\system32\msvcp71.dll
2008-11-08 00:26 348,160 -c--a-w C:\WINDOWS\system32\msvcr71.dll
2008-11-07 22:33 --------- dc--a-w C:\Program Files\QuickTime
2008-11-07 22:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-11-07 02:43 --------- dc--a-w C:\Program Files\Opera
2008-11-07 00:03 --------- dc--a-w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-10-31 13:34 --------- d-----w C:\Program Files\Google
2008-10-31 13:29 --------- dc--a-w C:\Program Files\Microsoft Games
2008-10-31 13:23 --------- dc--a-w C:\Program Files\Yahoo!
2008-10-31 13:22 --------- dc--a-w C:\Program Files\MySpace
2008-10-31 13:19 6,596 -c--a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-10-31 11:48 --------- d-----w C:\Program Files\ICL-Icon Extractor(2)
2008-10-30 15:53 --------- d---a-w C:\Documents and Settings\Owner\Application Data\U3
2008-10-22 14:12 --------- d---a-w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-10-20 19:18 --------- dc--a-w C:\Program Files\Trillian
2008-10-17 22:08 --------- dc--a-w C:\Program Files\The Game Of LIFE PTS
2008-10-14 21:01 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-10-14 20:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-10-13 13:14 --------- d-----w C:\Program Files\Neopets
2008-10-07 00:51 --------- d-----w C:\Program Files\Virtools
2008-10-06 16:55 --------- dc--a-w C:\Program Files\Common Files\InstallShield
2008-10-06 16:55 --------- d-----w C:\Program Files\Hooked on Phonics Learning
2008-09-29 15:40 --------- d-----w C:\Documents and Settings\Guest\Application Data\MySpace
2008-09-23 04:16 --------- dc----w C:\Program Files\Common Files\Adobe AIR
2008-09-23 04:16 --------- d-----w C:\Program Files\Adobe Media Player
2008-09-22 20:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\SPORE
2008-09-15 01:41 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-03 22:54 6,144 --sha-w C:\Program Files\Thumbs.db
2008-07-19 16:46 197 -csha-w C:\Program Files\Common Files\maxtreme.dat
2008-05-19 14:12 315 ----a-w C:\Documents and Settings\All Users\Application Data\Setting.dat
2006-05-15 13:23 694 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2003-08-05 15:41 53,248 -c--a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 20:24 32,768 -c--a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 19:56 118,784 -c--a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 22:07 36,864 -c--a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 18:43 119,798 -c--a-w C:\WINDOWS\inf\spca561.sys
2004-08-04 19:00 94,784 -csha-w C:\WINDOWS\twain.dll
2004-08-04 19:00 50,688 -csha-w C:\WINDOWS\twain_32.dll
2004-08-04 19:00 54,784 -csha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 19:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 19:00 11,776 -csha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 14:02 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16 5562368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16 86016]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 20:20 206088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-11-06 10:20 136600]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 12:28 29696 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-05-15 11:18:34 581632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= xgusb.cpl
"midi3"= xgusb.cpl

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\602PC SUITE PDF Saver]
--a--c--- 2005-08-31 15:00 49152 C:\Program Files\Common Files\soft602\pdfSaver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-10-15 01:04 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-10-10 14:56 4789760 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2002-06-17 07:41 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--ahsc--- 2003-04-14 20:05 1498032 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a--c--- 2004-06-03 23:51 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]
--a--c--- 2004-05-19 13:29 385024 C:\Program Files\PDF\pdfSaver\pdfSaver3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2004-08-27 12:50 970752 C:\WINDOWS\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2003-10-31 22:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-29 17:57 21755688 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2008-11-07 19:25 185872 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-08-30 16:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2005-04-01 15:16 1495040 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Documents and Settings\\Owner\\My Documents\\internet-html stuff\\wowclient-downloader.exe"=
"C:\\Program Files\\Curse\\CurseClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29:38 32784]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe -k netsvcs [2004-08-26 11:12:17 14336]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02:46 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 1848 24592]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 0532 21632]
S2 WUSB54GSC;WUSB54GSC;"C:\Program Files\Linksys\WUSB54GSC\WLService.exe" "WUSB54GSC.exe" [2008-11-08 22:44:57 53307]
S3 AdWatchDrv;AW Realtime Driver;\??\C:\WINDOWS\system32\drivers\AWRTPD.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 21:12:34 17280]
S3 PRISM_USB;IEEE 802.11 Wireless USB Driver;C:\WINDOWS\system32\DRIVERS\EXPSUSB.sys [2005-12-06 08:30:57 626688]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys [2008-05-18 14:50:01 31872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

2008-07-01 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 14:00]

2008-11-17 C:\WINDOWS\Tasks\{B3C9C5B3-74A9-4B50-8EE8-9B09412B6C63}_YOUR-A89364AE2A_Owner.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 14:00]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 21:48:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-16 21:53:07
ComboFix-quarantined-files.txt 2008-11-17 02:52:04
ComboFix2.txt 2008-11-16 22:13:54

Pre-Run: 20,099,940,352 bytes free
Post-Run: 20,134,322,176 bytes free

293 --- E O F --- 2008-06-05 01:30:00

Last edited by tetonbob; 11-16-2008 at 10:54 PM.
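Reading a ComboFix log like the one above is mostly pattern matching, and the first pass is worth automating. The following Python is added here and is not part of ComboFix or of this thread. It runs over a constructed excerpt of the posted log and pulls out the items an analyst keys on: scheduled tasks carrying the default At<N>.job names that at.exe assigns (a long unbroken run is the tell, since legitimate use of at on a home machine is rare), a .job with a 16-hex-digit name, image files sitting under system32, the Security Center notification and override values, and AutoRun commands recorded for drive letters under MountPoints2. None of these is a verdict on its own: a security suite such as the Kaspersky product on this machine also sets the Security Center values, and AutoRun entries are left behind by ordinary CDs, so the output is a review list, not a removal list.

```python
import re

# Constructed excerpt of the ComboFix log posted above, trimmed to the lines
# these checks look at (the original lists At25 through At48). The triage
# code is an added example; it is not part of ComboFix or of this thread.
LOG = r"""
FILE ::
c:\windows\system32\LG40T3xr.exe
c:\windows\Tasks\87D5C7B988D27B1D.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At48.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\docume~1\owner\applic~1\holeht~1
c:\windows\system32\WEhjknpo.ini
c:\windows\Tasks\At25.job
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
2008-11-11 10:55 . 2008-11-11 10:55 313,856 --a--c--- C:\WINDOWS\system32\geBuUnmN1.gif
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 20:20 206088]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
Contents of the 'Scheduled Tasks' folder
2008-11-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
"""

AT_JOB = re.compile(r"\\tasks\\at(\d+)\.job$", re.I)            # at.exe default names
HEX_JOB = re.compile(r"\\tasks\\([0-9a-f]{16})\.job$", re.I)    # e.g. 87D5C7B988D27B1D.job
MEDIA_IN_SYS32 = re.compile(r"(\\system32\\[^\\\s]+\.(?:gif|jpg|jpeg|bmp|png))$", re.I)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)
SC_VALUES = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
             "AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def consecutive_runs(nums):
    """Collapse ints into (first, last) runs: [25, 26, 27, 48] -> [(25, 27), (48, 48)]."""
    runs = []
    for n in sorted(set(nums)):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def triage(log):
    """One pass over the log text; returns a dict of review items by category."""
    found = {"at_jobs": [], "hex_jobs": [], "media_in_system32": [],
             "security_center_overrides": [], "autorun_commands": []}
    key = ""                                  # current registry key in the REGEDIT4 dump
    for raw in log.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = AT_JOB.search(line)
        if m:
            found["at_jobs"].append(int(m.group(1)))
            continue
        m = HEX_JOB.search(line)
        if m:
            found["hex_jobs"].append(m.group(1))
            continue
        m = MEDIA_IN_SYS32.search(line)
        if m:
            found["media_in_system32"].append(m.group(1))
            continue
        m = REG_DWORD.match(line)
        if m and "security center" in key and m.group(1) in SC_VALUES \
                and int(m.group(2), 16) == 1:
            found["security_center_overrides"].append((key, m.group(1)))
            continue
        m = AUTORUN.match(line)
        if m and "mountpoints2" in key:
            drive = key.rsplit("\\", 1)[-1].upper()
            found["autorun_commands"].append((drive, m.group(1)))
    found["at_jobs"] = consecutive_runs(found["at_jobs"])
    found["hex_jobs"] = sorted(set(found["hex_jobs"]))
    found["media_in_system32"] = sorted(set(found["media_in_system32"]), key=str.lower)
    return found


if __name__ == "__main__":
    for category, items in triage(LOG).items():
        print(f"{category}: {items}")
```

To use it on a saved log, call triage(open(path, encoding="latin-1").read()). The At-job runs are reported as ranges so that 24 hourly jobs show up as one line rather than 24; a single At1.job left by an administrator looks very different from At25 through At48 and is worth treating differently.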
Old 11-16-2008, 10:55 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Thanks.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Using Windows Explorer, or Windows Search, locate and delete the following file:

c:\windows\system32\geBuUnmN1.gif

Let me know if you have any trouble with that.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving now?
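ComboFix listed geBuUnmN1.gif under Suspect:: and the post above has it deleted by hand. Before deleting (or, better, before submitting) a file like that, a practitioner checks whether it actually is what its extension claims; a 313 KB "GIF" dropped into system32 by malware is more often a renamed executable than an image. The Python below is an added example, not part of this thread or of any of the tools it uses. It classifies a file by its leading bytes (the GIF87a/GIF89a signature, or the MZ header whose e_lfanew field points at the PE signature) and flags a mismatch with the extension. The sample bytes are constructed for the example; the real geBuUnmN1.gif is not available.

```python
import os
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# What a given extension claims the content should be.
CLAIMS = {"gif": "gif", "exe": "pe", "dll": "pe", "sys": "pe", "cpl": "pe", "scr": "pe"}


def file_kind(data):
    """Classify by content: 'gif', 'pe' (Windows EXE/DLL/SYS) or 'unknown'."""
    if data[:6] in GIF_MAGICS:
        return "gif"
    # A PE image starts with the 'MZ' DOS header; the dword at offset 0x3C
    # (e_lfanew) is the offset of the 'PE\0\0' signature.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "unknown"


def extension_mismatch(name, data):
    """True when the extension claims a format and the bytes are not that format."""
    ext = os.path.splitext(os.path.basename(name))[1].lstrip(".").lower()
    expected = CLAIMS.get(ext)
    return expected is not None and file_kind(data) != expected


def check_file(path, nbytes=4096):
    """Read the head of a file on disk and return (kind, mismatch)."""
    with open(path, "rb") as fh:
        head = fh.read(nbytes)
    return file_kind(head), extension_mismatch(path, head)


# Constructed samples (not the real geBuUnmN1.gif).
def sample_gif():
    # GIF89a header, 1x1 logical screen, no global colour table, trailer byte.
    return b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"


def sample_pe():
    # 'MZ' stub with e_lfanew -> 0x40 and a 'PE\0\0' signature placed there.
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for name, data in [("geBuUnmN1.gif", sample_pe()),
                       ("geBuUnmN1.gif", sample_gif()),
                       ("LG40T3xr.exe", sample_pe())]:
        print(name, file_kind(data),
              "MISMATCH" if extension_mismatch(name, data) else "ok")
```

Run check_file(r"c:\windows\system32\geBuUnmN1.gif") on the machine before removing it; a "pe" answer for a .gif is strong evidence on its own, and an "unknown" answer (packed or encrypted payloads often have no recognisable header) still argues for submitting the sample rather than just deleting it.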
Old 11-17-2008, 07:58 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

I deleted the file (which went very smoothly) and tried to run the scan. As soon as it finishes updating, the computer shuts down and reboots itself... the screen pops up about recovering from a serious error, and I copied the error text for you just in case you might actually know what it means
Quote:
Restart 1
BCCode : 100000d4 BCP1 : F0597938 BCP2 : 000000FF BCP3 : 00000001
BCP4 : 804E2E41 OSVer : 5_1_2600 SP : 2_0 Product : 768_1

Restart 2
BCCode : 100000d4 BCP1 : F0FCB938 BCP2 : 000000FF BCP3 : 00000001
BCP4 : 804E2E41 OSVer : 5_1_2600 SP : 2_0 Product : 768_1

Restart 3
BCCode : 100000d4 BCP1 : F0CDF938 BCP2 : 000000FF BCP3 : 00000001
BCP4 : 804E2E41 OSVer : 5_1_2600 SP : 2_0 Product : 768_1
I tried the scan in IE, FF and FF in safe mode... and every time it shut down. And yes, I did shut down the antivirus.

sorry.
Old 11-17-2008, 09:01 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

I'd like you to run DDS once again, this time performing the secondary scan. I only require the log from that secondary scan, Attach.txt.

You can simply post the information in a reply.

Also, try using this online scan instead.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
Old 11-17-2008, 10:21 AM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

System errors at the bottom are from when the PC shut down by itself.

When I finish the scan I'll get back to you with the log.

Attach.txt

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/21/2005 8:32:07 PM
System Uptime: 11/17/2008 9:45:56 AM (3 hours ago)

Motherboard: First International Computer, Inc. | | K7MNF-64
Processor: AMD Sempron(tm) 3000+ | Socket A | 1991/166mhz
BIOS: Phoenix - AwardBIOS v6.00PG | FIC - 42302e31 | 6.00 PG | 12/1/2004 7:00:00 PM

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 14.798 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.463 GiB free.
E: is CDROM ()
F: is CDROM (UDF)
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/16/2008 4:43:32 PM - System Checkpoint
RP2: 11/16/2008 4:44:18 PM - ComboFix created restore point
RP3: 11/16/2008 9:32:24 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP4: 11/16/2008 9:35:32 PM - Removed J2SE Runtime Environment 5.0 Update 2
RP5: 11/16/2008 9:39:51 PM - Removed J2SE Runtime Environment 5.0 Update 9
RP6: 11/16/2008 9:40:56 PM - Removed Java(TM) 6 Update 5
RP7: 11/16/2008 9:44:39 PM - ComboFix created restore point

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Reader 8.1.3
Adobe Shockwave Player 11
AMCap
American Greetings CreataCard Select 6
AnswerWorks 4.0 Runtime - English
Apple Software Update
Aspell English Dictionary-0.50-2
Caillou's Alphabet
Caillou's Colors Shapes
Caillou's Counting
Caillou's Thinking Skills
CCleaner (remove only)
CCScore
CEP - Color Enable Package
CiD Help
Colors, Shapes & More
Compact Wireless-G USB Network Adapter with SpeedBooster
Curse Client
Defraggler (remove only)
Digital Media Reader
DirectX for Managed Code Update (Summer 2004)
EA Download Manager
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
FeedReader
Flock (Photobucket Edition) 0.7
Gammadyne Spell Checking Module
GNU Aspell 0.50-3
GTK+ Runtime 2.12.12 rev a (remove only)
HijackThis 2.0.2
hp deskjet 3320 series (Remove only)
Insert Code for Windows Live Writer
Insert Emoticon Plugin
Java(TM) 6 Update 10
Kaspersky Internet Security 2009
kgcbase
Kodak EasyShare software
Kudos (remove only)
LAN-Express IEEE 802.11b WLAN
Logitech Desktop Messenger
Logitech SetPoint
ManyCam 2.2 (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2000
Microsoft® Winter Fun Pack 2004 for Windows® XP
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero BurnRights
Nero OEM
netbrdg
Network Stumbler 0.4.0 (remove only)
NVIDIA DDS Utilities
NVIDIA Drivers
NvMixer
Office Suite 2005
OfotoXMI
oobeFlagNetscape0
Opera 9.62
Panda ActiveScan
Philips PC Camera
Photo Story 3 for Windows
Pidgin
PowerDVD
PrintMaster 12
QuickTime
RealMedia (remove only)
RealPlayer
Recover Files 2.0
Recuva (remove only)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
SFR
SHASTA
Shockwave
skin0001
SKINXSDK
Skype™ 3.8
Smiley for WLW
Soft Data Fax Modem with SmartCP
Spelling Dictionaries Support For Adobe Reader 8
SPORE™
staticcr
System Requirements Lab
Taking Charge of Your Fertility Software
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 HomeCrafter Plus
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims Complete Collection
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
tooltips
Trillian
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
U3Launcher
upapp
URGE
USB Driver
USB MassStorage CardReader
VPRINTOL
WebFldrs XP
WexTech AnswerWorks
WhiteCap
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Creativity Fun Packs - Windows Media Player 9 Series
Windows XP Creativity Fun Packs - Windows XP Power Toys
WinRAR archiver
WinZip
WIRELESS
Works Suite OS Pack
World of Warcraft
Yahoo! Browser Services
Yahoo! Messenger
YAMAHA Musicsoft Downloader 5

==== Event Viewer Messages ===================

11/16/2008 9:33:40 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
11/16/2008 9:29:27 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/16/2008 9:26:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
11/16/2008 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
11/16/2008 8:00:03 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
11/16/2008 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
11/16/2008 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
11/16/2008 5:20:57 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00121773724F. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
11/16/2008 5:18:31 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00121773724F. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
11/16/2008 5:04:33 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WUSB54GSC service.
11/16/2008 5:00:05 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
11/16/2008 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
11/16/2008 3:45:00 PM, error: Service Control Manager [7022] - The Kaspersky Internet Security service hung on starting.
11/16/2008 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
11/16/2008 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
11/16/2008 12:33:03 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
11/15/2008 11:07:03 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/15/2008 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
11/15/2008 10:45:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/15/2008 10:45:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/15/2008 10:13:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec kl1 klbg KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip Tcpip6
11/15/2008 10:13:49 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/15/2008 10:13:49 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/15/2008 10:13:49 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/15/2008 10:13:49 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/15/2008 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
11/15/2008 12:07:02 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
11/14/2008 11:09:37 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
11/17/2008 9:27:23 AM, error: System Error [1003] - Error code 100000d4, parameter1 f0597938, parameter2 000000ff, parameter3 00000001, parameter4 804e2e41.
11/17/2008 9:33:22 AM, error: System Error [1003] - Error code 100000d4, parameter1 f0d7c938, parameter2 000000ff, parameter3 00000001, parameter4 804e2e41.
11/17/2008 9:40:28 AM, error: System Error [1003] - Error code 100000d4, parameter1 f0fcb938, parameter2 000000ff, parameter3 00000001, parameter4 804e2e41.
11/17/2008 9:47:40 AM, error: System Error [1003] - Error code 100000d4, parameter1 f0cdf938, parameter2 000000ff, parameter3 00000001, parameter4 804e2e41.

==== End Of File ===========================
Sugar.Tears is offline  
Old 11-17-2008, 10:22 AM   #17 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

double post

sorry

Last edited by Sugar.Tears; 11-17-2008 at 10:23 AM.
Sugar.Tears is offline  
Old 11-17-2008, 12:08 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

PC seems to be running well... but

Remember when the scans for Kaspersky didn't work and it restarted itself... now when it loads back up there is a boot screen that comes up and asks what I want to load from... there's two options, recovery disk (or console, can't remember) and Windows (or something really similar to this)... it only lasts for a second, not really long enough to even make a decision (which I haven't :D...) and still continues to come up when I restart.


Here's your log for ESET

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3619 (20081117)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b3e2ae81c71c7a41aa946ff6845d7301
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-17 06:38:15
# local_time=2008-11-17 01:38:15 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=324821
# found=4
# scan_time=4101
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGyaYom.dll.vir a variant of Win32/Adware.Virtumonde.NCQ application CD389D89443CA90DA3C80A6DB8154FFA
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnkhebC.dll.vir a variant of Win32/Adware.Virtumonde.NCQ application CD389D89443CA90DA3C80A6DB8154FFA
C:\Qoobox\Quarantine\C\WINDOWS\system32\qoMfffCt.dll.vir a variant of Win32/Adware.Virtumonde.NCQ application CD389D89443CA90DA3C80A6DB8154FFA
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUklJAS.dll.vir a variant of Win32/Adware.Virtumonde.NCQ application CD389D89443CA90DA3C80A6DB8154FFA
Sugar.Tears is offline  
Old 11-17-2008, 12:33 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: definite virus

Hi -

Quote:
theres two options, recovery disk (or console, cant remember) and windows (or something really similar to this)
That's not from the Kaspersky scan failure.

This is from installing the Recovery Console with ComboFix. There will be an extra 2 seconds in your boot time now, while that screen is displayed. It will automatically boot to Windows if left alone. The Recovery Console is a very useful tool for any tech who might work on the machine in the future.

Eset has found only items in ComboFix quarantine. We will address those by uninstalling ComboFix shortly. Just want to be sure you're ok with the explanation above.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-17-2008, 12:35 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: windows xp home


Re: definite virus

Oh yeah! I'm fine... I just wanted to point it out just in case there was something else going on that was potentially harmful... I trust what you say... not a problem!
Sugar.Tears is offline  
Copyright 2001 - 2009, Tech Support Forum