Author Topic: Help on a possible virus!  (Read 5082 times)


Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #15 on: January 12, 2010, 03:55:34 AM »
ComboFix 10-01-11.03 - Jeff 01/11/2010  22:34:44.6.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.446 [GMT -6:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\3f0f0eacb284af7222e02adc0cf5d609"
"C:\khkil.exe"
"c:\windows\system32\11478.exe"
"c:\windows\system32\11942.exe"
"c:\windows\system32\14604.exe"
"c:\windows\system32\153.exe"
"c:\windows\system32\15724.exe"
"c:\windows\system32\16827.exe"
"c:\windows\system32\19169.exe"
"c:\windows\system32\23281.exe"
"c:\windows\system32\24464.exe"
"c:\windows\system32\26500.exe"
"c:\windows\system32\26962.exe"
"c:\windows\system32\28145.exe"
"c:\windows\system32\29358.exe"
"c:\windows\system32\2995.exe"
"c:\windows\system32\32391.exe"
"c:\windows\system32\3902.exe"
"c:\windows\system32\4827.exe"
"c:\windows\system32\491.exe"
"c:\windows\system32\5436.exe"
"c:\windows\system32\5705.exe"
"c:\windows\system32\9961.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jeff\LOCALS~1\Temp\mpengine.dll
c:\documents and settings\Jeff\Local Settings\temp\mpengine.dll
C:\khkil.exe
c:\windows\$NtUninstallKB922582$
c:\windows\$NtUninstallKB922582$\fltlib.dll
c:\windows\$NtUninstallKB922582$\fltmc.exe
c:\windows\$NtUninstallKB922582$\fltmgr.sys
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.inf
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.txt
c:\windows\$NtUninstallKB922582$\spuninst\updspapi.dll

.
(((((((((((((((((((((((((   Files Created from 2009-12-12 to 2010-01-12  )))))))))))))))))))))))))))))))
.

2010-01-11 17:22 . 2009-03-06 14:22   284160   -c----w-   c:\windows\system32\dllcache\pdh.dll
2010-01-11 17:22 . 2009-02-09 12:10   473600   -c----w-   c:\windows\system32\dllcache\fastprox.dll
2010-01-11 17:22 . 2009-02-09 12:10   453120   -c----w-   c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-11 17:22 . 2009-02-09 12:10   401408   -c----w-   c:\windows\system32\dllcache\rpcss.dll
2010-01-11 17:22 . 2009-02-06 11:11   110592   -c----w-   c:\windows\system32\dllcache\services.exe
2010-01-11 17:22 . 2009-02-06 10:10   227840   -c----w-   c:\windows\system32\dllcache\wmiprvse.exe
2010-01-11 17:22 . 2009-02-09 12:10   714752   -c----w-   c:\windows\system32\dllcache\ntdll.dll
2010-01-11 17:22 . 2009-02-09 12:10   617472   -c----w-   c:\windows\system32\dllcache\advapi32.dll
2010-01-11 17:22 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2010-01-11 17:21 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
2010-01-11 17:20 . 2008-05-03 11:55   2560   ------w-   c:\windows\system32\xpsp4res.dll
2010-01-11 17:20 . 2008-04-21 12:08   215552   -c----w-   c:\windows\system32\dllcache\wordpad.exe
2010-01-11 05:57 . 2010-01-11 05:57   --------   d-----w-   c:\program files\ERUNT
2010-01-09 04:45 . 2010-01-09 04:45   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-09 02:05 . 2010-01-11 05:58   --------   d-----w-   c:\program files\trend micro
2010-01-09 02:05 . 2010-01-09 02:05   --------   d-----w-   C:\rsit
2010-01-01 21:03 . 2010-01-01 21:03   --------   d-----w-   c:\documents and settings\Jeff\Local Settings\Application Data\WBFSManager
2010-01-01 08:19 . 2010-01-01 08:19   --------   d-----w-   c:\program files\WBFS
2009-12-25 23:43 . 2009-12-25 23:43   --------   d-----w-   c:\program files\iPod
2009-12-25 23:43 . 2009-12-25 23:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 23:41 . 2009-12-25 23:41   --------   d-----w-   c:\program files\QuickTime
2009-12-25 23:37 . 2009-12-25 23:37   --------   d-----w-   c:\program files\Bonjour

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 04:45 . 2008-09-01 05:46   --------   d-----w-   c:\documents and settings\Jeff\Application Data\uTorrent
2010-01-12 04:29 . 2004-09-12 18:35   13440   ----a-w-   c:\windows\system32\drivers\USBCRFT.SYS
2010-01-11 17:12 . 2009-02-09 04:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2010-01-09 01:29 . 2004-12-29 23:54   36776   ----a-w-   c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 08:16 . 2010-01-01 08:16   --------   d-----w-   c:\program files\MSBuild
2010-01-01 08:16 . 2010-01-01 08:16   --------   d-----w-   c:\program files\Reference Assemblies
2009-12-25 23:43 . 2004-12-30 02:27   --------   d-----w-   c:\program files\iTunes
2009-12-25 23:43 . 2007-09-24 08:36   --------   d-----w-   c:\program files\Common Files\Apple
2009-12-25 23:37 . 2009-12-25 23:37   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-24 23:32 . 2005-09-14 02:42   --------   d-----w-   c:\program files\World of Warcraft
2009-12-22 04:52 . 2009-12-11 20:17   2066200   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-13 05:55 . 2007-03-06 04:50   --------   d-----w-   c:\program files\Firefly Studios
2009-12-13 05:55 . 2004-09-12 01:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-12-13 05:53 . 2009-03-14 19:53   --------   d-----w-   c:\program files\Celestia
2009-10-29 07:46 . 2004-09-11 15:29   832512   ----a-w-   c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-09-11 15:29   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-09-11 15:29   17408   ----a-w-   c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} ----

2009-12-25 23:43 . 2009-12-25 23:43   3654   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DIFxInstallLog.txt
2009-06-03 16:32 . 2009-06-03 16:32   7994   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\gearaspiwdmx86.cat
2009-05-18 20:48 . 2009-05-18 20:48   2763   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\GEARAspiWDM.inf
2009-05-18 20:17 . 2009-05-18 20:17   26600   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\x86\GEARAspiWDM.sys
2009-02-04 20:56 . 2009-02-04 20:56   75112   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe
2008-04-17 19:12 . 2008-04-17 19:12   107368   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\x86\GEARAspi.dll
2006-11-02 13:21 . 2006-11-02 13:21   319456   ----a-w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DIFxAPI.dll


------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 76C9DE3C7D5A6C7A0A8ED96664C57378 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-03-09 270128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"Dit"="Dit.exe" [2004-04-02 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-12 180269]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-30 158624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 04:46   57344   ----a-w-   c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%ProgramFiles%\\Messenger\\msmsgs.exe"=
"%ProgramFiles%\\America Online 8.0\\aol.exe"=
"%ProgramFiles%\\MUSICMATCH\\MUSICMATCH Jukebox\\mmjb.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Azureus
"49458:TCP"= 49458:TCP:vuze
"49468:UDP"= 49468:UDP:vuze

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/8/2009 10:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/8/2009 10:06 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/8/2009 10:05 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 10:30 PM 24652]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [9/12/2004 12:35 PM 13440]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [9/12/2004 12:15 PM 1258432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://interpunk.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-navapp - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 22:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\Dit.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2010-01-11  22:53:23 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-12 04:53
ComboFix2.txt  2010-01-11 18:18
ComboFix3.txt  2010-01-11 17:17

Pre-Run: 56,982,630,400 bytes free
Post-Run: 56,876,949,504 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F454180D330840ABAF88F1FF6658C16C
Computer is looking in a lot better shape than it was in a couple days ago. I'm able to get on the internet.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #16 on: January 12, 2010, 01:59:54 PM »
Quote
Computer is looking in a lot better shape than it was in a couple days ago. I'm able to get on the internet.
That's great news.

Now, let's take a look at your flash drives.  
USBNoRisk

Please download USBNoRisk to your Desktop
  • run it by double-clicking the program's icon
  • wait a couple of seconds for the initial scan to be done
  • connect all of your USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
  • if there are more USB storage devices to scan, please take a note about the order in which these were connected
  • after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log in your next reply.
Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

In addition, please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Please include the USBNoRisk log, the ESET log and a fresh HijackThis log in your next reply.  

Thank you.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #17 on: January 13, 2010, 06:16:32 AM »
USBNoRisk 2.5 (26 July 2009) by bobby

Started at 1/12/2010 11:40:43 PM

Searching for connected USB Mass storage...
----------------------------------------
I:  {6110eaf8-59f4-11d9-a70d-806d6172696f}
========================================

Searching for other storage...
----------------------------------------
C:  {6110eaf2-59f4-11d9-a70d-806d6172696f}
D:  {6110eaf3-59f4-11d9-a70d-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 6110eaf8-59f4-11d9-a70d-806d6172696f
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------
Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 6110eaf2-59f4-11d9-a70d-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 6110eaf3-59f4-11d9-a70d-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip =  @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText =  @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString =  @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ =  %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty =  %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full =  %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ =  shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip =  @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText =  @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString =  @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ =  %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty =  %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full =  %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ =  shell32.dll
----------------------------------------

========================================
Initial scan finished!
========================================
New device connected at 1/12/2010 11:40:56 PM

Scanning for connected USB mass storage...
----------------------------------------
K:  {2858514d-8924-11dd-aeaa-00110975ee15}
Added K:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on K:
----------------------------------------
No Autorun.inf files found on K:
No mountpoint found for 2858514d-8924-11dd-aeaa-00110975ee15
----------------------------------------

No Desktop.ini files found on K:
----------------------------------------

No mimics found on drive K:
========================================
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=848696a320abe949891afd233e4514fd
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-13 07:08:18
# local_time=2010-01-13 01:08:18 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 28291300 28291300 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=85524
# found=19
# cleaned=0
# scan_time=4881
C:\Documents and Settings\Jeff\My Documents\My Videos\Nero 7 Ultra Edition Enhanced XP & Vista + Keygen [ScottayB]\Nero-7.10.1.2_all_update.exe   Win32/Toolbar.AskSBar application   00000000000000000000000000000000   I
C:\Documents and Settings\Jeff\My Documents\My Videos\NERO 7.10.1.0 UltraEdition\Nero-7.10.1.0.exe   Win32/Toolbar.AskSBar application   00000000000000000000000000000000   I
C:\PeoplePC\Branding\ppcstub.exe   probably unknown NewHeur_PE virus   00000000000000000000000000000000   I
C:\Program Files\Common Files\fkwf\fkwfd\vocabulary   Win32/TrojanDownloader.TSUpdate.J trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\khkil.exe.vir   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Local Settings\Application Data\xvlqdd\recqsysguard.exe.vir   a variant of Win32/Kryptik.BID trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir   a variant of Win32/Kryptik.BQK trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\default32.dll.vir   probably a variant of Win32/TrojanDownloader.Monkif.AA trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir   a variant of Win32/Bamital.B trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9.tmp.vir   a variant of Win32/Kryptik.BQU trojan   00000000000000000000000000000000   I
C:\System Volume Information\_restore{8F6CA863-4F79-4B8E-BF2F-E13F6FD46F34}\RP1\A0000028.exe   a variant of Win32/Kryptik.BQK trojan   00000000000000000000000000000000   I
C:\System Volume Information\_restore{8F6CA863-4F79-4B8E-BF2F-E13F6FD46F34}\RP1\A0000047.exe   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\System Volume Information\_restore{8F6CA863-4F79-4B8E-BF2F-E13F6FD46F34}\RP1\A0001043.exe   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\System Volume Information\_restore{8F6CA863-4F79-4B8E-BF2F-E13F6FD46F34}\RP1\A0001207.exe   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\System Volume Information\_restore{8F6CA863-4F79-4B8E-BF2F-E13F6FD46F34}\RP2\A0002226.exe   Win32/TrojanDownloader.FakeAlert.AED trojan   00000000000000000000000000000000   I
C:\WINDOWS\system32\drivers\atapi.sys   Win32/Olmarik.SJ virus   00000000000000000000000000000000   I
D:\Tools\People PC\PeoplePC\Branding\ppcstub.exe   probably unknown NewHeur_PE virus   00000000000000000000000000000000   I
Logfile of HijackThis v1.99.1
Scan saved at 1:15:42 AM, on 1/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://interpunk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O14 - IERESET.INF: START_PAGE_URL=http://www.medionusa.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094995388640
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135829667562
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - C:\WINDOWS\system32\viewers\ezspp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\Program Files\Common Files\EzTools\wowctl2.dll
O18 - Protocol: x-zip - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Protocol: zip - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)




Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #18 on: January 13, 2010, 03:15:10 PM »
rockbeard:

C:\Documents and Settings\Jeff\My Documents\My Videos\Nero 7 Ultra Edition Enhanced XP & Vista + Keygen [ScottayB]\Nero-7.10.1.2_all_update.exe

As so eloquently stated:

A reminder for anyone who comes along down the road and reads this thread ...

Cracked/warez versions of programs sound "good" and "cheap", but they can cause all sorts of headaches for you and damage to your computer.  No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

Let's not support the thieves who rip them off and cheat them out of the fruits of their labor.


Because we have gotten this far, I will provide you with the last bit of advice to get the computer cleaned and updated. However, should you run into further problems, I advise you to break out your wallet and go to a computer repair shop to get it cleaned, as we will not volunteer our personal time to help someone steal others' property. Using P2P/uTorrent is a common source of infection, as evidenced in this situation.

As you have apparently switched from Norton to AVG, I suggest you run the Norton Removal Tool to remove the remnants:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

You have an out-of-date and vulnerable version of Adobe Reader on your computer. 

1.  Go to add/remove programs and uninstall Adobe Reader
2.  Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/
or
3.  Switch to an alternate PDF reader.  There are a number of open source readers available from http://pdfreaders.org/.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
FCOPY::
c:\windows\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Folder::
C:\Program Files\Common Files\fkwf
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
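
The CFScript above asks ComboFix to copy a clean atapi.sys over the in-place driver (FCOPY::) and to delete a leftover folder (Folder::). The following is an added example, not ComboFix's own code or anything from this thread: it parses those two directive sections from a CFScript and checks whether each has actually taken effect, comparing SHA-256 hashes of the source and destination for every FCOPY pair and testing whether each Folder:: path still exists. The function names are hypothetical, and the demo builds its files in a temporary directory with constructed contents.

```python
"""Verify that a ComboFix-style CFScript's FCOPY:: and Folder:: directives landed.
Added example, not ComboFix's own code; helper names are hypothetical."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into sections keyed by directive name.

    A section header is a line ending in '::' (e.g. 'FCOPY::', 'Folder::');
    every non-blank line up to the next header belongs to that section.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 (drivers can be large; avoid reading whole)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_fcopy(pairs: List[str]) -> List[Tuple[str, str, str]]:
    """For each 'src | dst' line return (dst, status, detail).

    status is one of: malformed, source-missing, dest-missing, match, mismatch.
    'match' means the destination already holds the same bytes as the clean source.
    """
    results: List[Tuple[str, str, str]] = []
    for pair in pairs:
        src, sep, dst = (part.strip() for part in pair.partition("|"))
        if not sep or not dst:
            results.append((pair, "malformed", "expected 'source | destination'"))
        elif not os.path.isfile(src):
            results.append((dst, "source-missing", src))
        elif not os.path.isfile(dst):
            results.append((dst, "dest-missing", src))
        else:
            src_hash, dst_hash = sha256_of(src), sha256_of(dst)
            status = "match" if src_hash == dst_hash else "mismatch"
            results.append((dst, status, dst_hash))
    return results


def check_folders(paths: List[str]) -> Dict[str, bool]:
    """True while the folder still exists, i.e. the Folder:: deletion has not happened."""
    return {path: os.path.isdir(path) for path in paths}


def demo() -> Dict[str, object]:
    """Constructed scenario mirroring this thread's CFScript: a clean driver copy,
    a differing in-place driver, and a leftover folder. Returns the check results
    before and after simulating the copy and the folder removal."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "ServicePackFiles", "i386", "atapi.sys")
        live = os.path.join(root, "System32", "drivers", "atapi.sys")
        leftover = os.path.join(root, "Program Files", "Common Files", "fkwf")
        for directory in (os.path.dirname(clean), os.path.dirname(live), leftover):
            os.makedirs(directory)
        with open(clean, "wb") as handle:
            handle.write(b"CLEAN-DRIVER-BYTES")    # constructed, stands in for the SP copy
        with open(live, "wb") as handle:
            handle.write(b"PATCHED-DRIVER-BYTES")  # constructed, stands in for the live file

        script = f"FCOPY::\n{clean} | {live}\n\nFolder::\n{leftover}\n"
        sections = parse_cfscript(script)
        before = check_fcopy(sections["FCOPY"])[0][1]
        folder_before = check_folders(sections["Folder"])[leftover]

        # Simulate what the tool does for these two directives.
        shutil.copyfile(clean, live)
        os.rmdir(leftover)

        after = check_fcopy(sections["FCOPY"])[0][1]
        folder_after = check_folders(sections["Folder"])[leftover]
        return {"before": before, "after": after,
                "folder_before": folder_before, "folder_after": folder_after}


if __name__ == "__main__":
    print(demo())
```

Run against the real paths, the same check tells you whether the driver in System32\drivers already equals the ServicePackFiles copy, which is the state the FCOPY step is meant to produce.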

Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #19 on: January 13, 2010, 04:56:50 PM »
As an immediate response to the keygen: I honestly thought I had deleted it for the same reasons you stated. I downloaded it just trying to figure that stuff out, but like I said, I thought I deleted it. I don't try to steal any programs, and I thank you for at least calling me out on the stupidity of the one time I did. I am sorry for offending you, but if you knew me outside of this forum you would know I don't do that, and I will be deleting uTorrent today. Thanks for the help from yourself and everyone.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #20 on: January 13, 2010, 05:04:01 PM »
Good.  Then I am happy you learned your lesson.

Please uninstall uTorrent first and then run ComboFix so it can pick up any remnants.  Then post the log as a reply so we can see where things stand.

Offline Paddy

  • LandzDown Team
  • Hero Member
  • *****
  • Posts: 1366
Re: Help on a possible virus!
« Reply #21 on: January 14, 2010, 11:38:55 AM »
Don't forget this also >>>  "c:\\Program Files\\LimeWire\\LimeWire.exe"=
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #22 on: January 26, 2010, 05:36:49 PM »
Sorry about the tardiness. I had to go out of town unexpectedly for business. I will finish up this stuff and get those logs posted within the next 24.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #23 on: January 26, 2010, 06:24:23 PM »
Thanks for the update. When prompted, please be sure to update ComboFix to the latest version.

Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #24 on: January 31, 2010, 12:07:34 AM »
OK, here we go.

ComboFix 10-01-29.09 - Jeff 01/30/2010  16:58:30.9.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.568 [GMT -6:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp
c:\program files\temp\lwspeedup.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-30  )))))))))))))))))))))))))))))))
.

2010-01-18 03:11 . 2009-11-20 11:08   38784   ----a-w-   c:\documents and settings\Jeff\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-18 03:10 . 2010-01-18 03:10   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-01-18 03:09 . 2010-01-18 03:09   86016   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-18 03:09 . 2010-01-18 03:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-01-13 16:45 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-13 05:44 . 2010-01-13 05:44   --------   d-----w-   c:\program files\ESET
2010-01-13 05:41 . 2010-01-13 05:43   --------   d-----w-   C:\USBNoRisk
2010-01-13 05:38 . 2010-01-13 05:38   --------   d-sh--w-   c:\documents and settings\Jeff\PrivacIE
2010-01-13 05:37 . 2010-01-13 05:37   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2010-01-13 05:37 . 2010-01-13 05:37   --------   d-sh--w-   c:\documents and settings\Jeff\IETldCache
2010-01-13 05:34 . 2009-12-21 19:14   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2010-01-13 05:34 . 2009-12-21 19:14   246272   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2010-01-13 05:34 . 2010-01-13 05:34   --------   d-----w-   c:\windows\ie8updates
2010-01-13 05:33 . 2009-10-02 04:44   92160   -c----w-   c:\windows\system32\dllcache\iecompat.dll
2010-01-13 05:32 . 2010-01-13 05:33   --------   dc-h--w-   c:\windows\ie8
2010-01-11 17:22 . 2009-03-06 14:22   284160   -c----w-   c:\windows\system32\dllcache\pdh.dll
2010-01-11 17:22 . 2009-02-09 12:10   473600   -c----w-   c:\windows\system32\dllcache\fastprox.dll
2010-01-11 17:22 . 2009-02-09 12:10   453120   -c----w-   c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-11 17:22 . 2009-02-09 12:10   401408   -c----w-   c:\windows\system32\dllcache\rpcss.dll
2010-01-11 17:22 . 2009-02-06 11:11   110592   -c----w-   c:\windows\system32\dllcache\services.exe
2010-01-11 17:22 . 2009-02-06 10:10   227840   -c----w-   c:\windows\system32\dllcache\wmiprvse.exe
2010-01-11 17:22 . 2009-02-09 12:10   714752   -c----w-   c:\windows\system32\dllcache\ntdll.dll
2010-01-11 17:22 . 2009-02-09 12:10   617472   -c----w-   c:\windows\system32\dllcache\advapi32.dll
2010-01-11 17:22 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2010-01-11 17:21 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
2010-01-11 17:20 . 2008-05-03 11:55   2560   ------w-   c:\windows\system32\xpsp4res.dll
2010-01-11 17:20 . 2008-04-21 12:08   215552   -c----w-   c:\windows\system32\dllcache\wordpad.exe
2010-01-11 05:57 . 2010-01-11 05:57   --------   d-----w-   c:\program files\ERUNT
2010-01-09 04:45 . 2010-01-09 04:45   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-09 02:05 . 2010-01-11 05:58   --------   d-----w-   c:\program files\trend micro
2010-01-09 02:05 . 2010-01-09 02:05   --------   d-----w-   C:\rsit
2010-01-01 21:03 . 2010-01-01 21:03   --------   d-----w-   c:\documents and settings\Jeff\Local Settings\Application Data\WBFSManager
2010-01-01 08:19 . 2010-01-01 08:19   --------   d-----w-   c:\program files\WBFS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #25 on: January 31, 2010, 12:28:00 AM »
Hi, rockbeard.

Please return to the ComboFix.txt log and copy the remainder of the log as a reply.

Thank you.

Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #26 on: January 31, 2010, 01:32:03 AM »
I think this is it. I've gotten lost and confused with this stuff as of late. I've deleted all that stuff I didn't need or use anymore and think I should be good.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 21:42 . 2004-09-12 18:35   13440   ----a-w-   c:\windows\system32\drivers\USBCRFT.SYS
2010-01-18 03:10 . 2004-09-12 11:50   --------   d-----w-   c:\program files\Common Files\Adobe
2010-01-14 04:59 . 2009-04-05 22:55   --------   d-----w-   c:\program files\Common Files\Ahead
2010-01-14 04:59 . 2008-09-18 04:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nero
2010-01-14 04:53 . 2004-09-12 19:58   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-01-11 17:12 . 2009-02-09 04:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2010-01-09 01:29 . 2004-12-29 23:54   36776   ----a-w-   c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 08:16 . 2010-01-01 08:16   --------   d-----w-   c:\program files\MSBuild
2010-01-01 08:16 . 2010-01-01 08:16   --------   d-----w-   c:\program files\Reference Assemblies
2009-12-25 23:43 . 2009-12-25 23:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 23:43 . 2004-12-30 02:27   --------   d-----w-   c:\program files\iTunes
2009-12-25 23:43 . 2009-12-25 23:43   --------   d-----w-   c:\program files\iPod
2009-12-25 23:43 . 2007-09-24 08:36   --------   d-----w-   c:\program files\Common Files\Apple
2009-12-25 23:41 . 2009-12-25 23:41   --------   d-----w-   c:\program files\QuickTime
2009-12-25 23:37 . 2009-12-25 23:37   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-25 23:37 . 2009-12-25 23:37   --------   d-----w-   c:\program files\Bonjour
2009-12-24 23:32 . 2005-09-14 02:42   --------   d-----w-   c:\program files\World of Warcraft
2009-12-21 19:14 . 2004-09-11 15:29   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-13 05:55 . 2007-03-06 04:50   --------   d-----w-   c:\program files\Firefly Studios
2009-12-13 05:55 . 2004-09-12 01:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-12-13 05:53 . 2009-03-14 19:53   --------   d-----w-   c:\program files\Celestia
2009-11-21 15:51 . 2004-09-11 15:29   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((   SnapShot_2010-01-18_03.22.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-08 03:03 . 2009-12-21 19:14   55296              c:\windows\system32\msfeedsbs.dll
- 2006-11-08 03:03 . 2009-10-29 07:45   55296              c:\windows\system32\msfeedsbs.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   25600              c:\windows\system32\jsproxy.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   25600              c:\windows\system32\jsproxy.dll
- 2007-05-10 03:46 . 2009-10-29 07:45   55296              c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   55296              c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   25600              c:\windows\system32\dllcache\jsproxy.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   25600              c:\windows\system32\dllcache\jsproxy.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   12800              c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   55296              c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   25600              c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   206848              c:\windows\system32\occache.dll
- 2007-05-10 03:46 . 2009-10-29 07:45   206848              c:\windows\system32\occache.dll
+ 2006-11-08 03:03 . 2009-12-21 19:14   594432              c:\windows\system32\msfeeds.dll
- 2006-11-08 03:03 . 2009-10-29 07:45   594432              c:\windows\system32\msfeeds.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   184320              c:\windows\system32\iepeers.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   184320              c:\windows\system32\iepeers.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   387584              c:\windows\system32\iedkcs32.dll
- 2007-05-10 03:46 . 2009-10-29 07:45   387584              c:\windows\system32\iedkcs32.dll
- 2004-09-11 15:29 . 2009-10-28 14:40   173056              c:\windows\system32\ie4uinit.exe
+ 2004-09-11 15:29 . 2009-12-21 13:19   173056              c:\windows\system32\ie4uinit.exe
- 2004-09-11 15:29 . 2009-10-29 07:45   916480              c:\windows\system32\dllcache\wininet.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   916480              c:\windows\system32\dllcache\wininet.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   206848              c:\windows\system32\dllcache\occache.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   206848              c:\windows\system32\dllcache\occache.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   594432              c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-10 03:46 . 2009-10-29 07:45   594432              c:\windows\system32\dllcache\msfeeds.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   184320              c:\windows\system32\dllcache\iepeers.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   184320              c:\windows\system32\dllcache\iepeers.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   387584              c:\windows\system32\dllcache\iedkcs32.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   387584              c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-09-11 15:29 . 2009-12-21 13:19   173056              c:\windows\system32\dllcache\ie4uinit.exe
- 2004-09-11 15:29 . 2009-10-28 14:40   173056              c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-01-25 09:01 . 2009-10-29 07:45   916480              c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-01-25 09:01 . 2009-05-26 11:40   382840              c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-01-25 09:01 . 2008-07-08 13:02   231288              c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-01-25 09:01 . 2009-10-29 07:45   206848              c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   594432              c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   246272              c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   184320              c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   387584              c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-01-25 09:01 . 2009-10-28 14:40   173056              c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
- 2004-09-11 15:29 . 2009-10-29 07:45   1208832              c:\windows\system32\urlmon.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   1208832              c:\windows\system32\urlmon.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   5942784              c:\windows\system32\mshtml.dll
- 2006-10-17 17:57 . 2009-10-29 07:45   1985536              c:\windows\system32\iertutil.dll
+ 2006-10-17 17:57 . 2009-12-21 19:14   1985536              c:\windows\system32\iertutil.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   1208832              c:\windows\system32\dllcache\urlmon.dll
- 2004-09-11 15:29 . 2009-10-29 07:45   1208832              c:\windows\system32\dllcache\urlmon.dll
+ 2004-09-11 15:29 . 2009-12-21 19:14   5942784              c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   1985536              c:\windows\system32\dllcache\iertutil.dll
- 2007-05-10 03:46 . 2009-10-29 07:45   1985536              c:\windows\system32\dllcache\iertutil.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   1208832              c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   5940736              c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   1985536              c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2006-11-08 03:03 . 2009-12-21 19:14   11070464              c:\windows\system32\ieframe.dll
+ 2007-05-10 03:46 . 2009-12-21 19:14   11070464              c:\windows\system32\dllcache\ieframe.dll
+ 2010-01-25 09:01 . 2009-10-29 07:45   11069952              c:\windows\ie8updates\KB978207-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"Dit"="Dit.exe" [2004-04-02 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-12 180269]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-30 158624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 14:45   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 04:46   57344   ----a-w-   c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%ProgramFiles%\\Messenger\\msmsgs.exe"=
"%ProgramFiles%\\America Online 8.0\\aol.exe"=
"%ProgramFiles%\\MUSICMATCH\\MUSICMATCH Jukebox\\mmjb.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Azureus
"49458:TCP"= 49458:TCP:vuze
"49468:UDP"= 49468:UDP:vuze

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/8/2009 10:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/8/2009 10:06 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/8/2009 10:05 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 10:30 PM 24652]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [9/12/2004 12:35 PM 13440]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [9/12/2004 12:15 PM 1258432]
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://interpunk.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-navapp - (no file)



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-4213282645-1556101-1523269211-1008\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
Completion time: 2010-01-30  17:05:45
ComboFix-quarantined-files.txt  2010-01-30 23:05
ComboFix2.txt  2010-01-18 03:34
ComboFix3.txt  2010-01-18 03:23
ComboFix4.txt  2010-01-12 04:53
ComboFix5.txt  2010-01-30 22:57

Pre-Run: 67,815,837,696 bytes free
Post-Run: 67,868,078,080 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A1F378A01F261FDE45037A8E44B912AE

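The "Reg Loading Points" section of a ComboFix log is written in REGEDIT4 layout, which makes it easy to parse rather than read by eye. The helper below is an added example, not part of the original post and not ComboFix's own code; it works on a constructed excerpt modelled on the log above (abbreviated, with the same line shapes) and flags three things a reviewer would check first in that log: Run entries given as a bare file name with no directory (so Windows resolves them through its search path and the reviewer has to locate the real binary), Security Center subkeys where DisableMonitoring is set to 1 (the log shows it set under the Monitoring key and under Symantec-named subkeys), and the globally open firewall ports. The regexes assume ComboFix's format exactly as printed in the log, including the trailing "[date size]" it appends to each Run value; they are an assumption of this example, not a documented ComboFix interface.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original forum post or of ComboFix itself.
It parses the REGEDIT4-style section into {key: [(name, raw value), ...]}
and flags: Run entries given as a bare file name (no path), Security Center
monitoring switched off, and globally open firewall ports.
"""
import re

# Constructed excerpt modelled on the log in the post above (abbreviated).
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Azureus
"49468:UDP"= 49468:UDP:vuze
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Matches  "name"="value" [date size]  ,  "name"=dword:00000001  and  "3724:TCP"= 3724:TCP:desc
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*)$')


def parse_reg_section(text):
    """Return a mapping of registry key -> list of (value name, raw value text)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group('name'), m.group('value')))
    return keys


def _target_of(raw):
    """Strip the trailing '[date size]' ComboFix appends, then the surrounding quotes."""
    raw = re.sub(r'\s*\[[^\]]*\]\s*$', '', raw)
    return raw.strip('"')


def run_entries_without_path(keys):
    """Run values naming a bare file (no directory), resolved via the search path at logon."""
    found = []
    for key, values in keys.items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for name, raw in values:
            target = _target_of(raw)
            if '\\' not in target and '/' not in target:
                found.append((name, target))
    return found


def disabled_security_center_monitoring(keys):
    """Security Center keys where DisableMonitoring is dword:00000001."""
    return [key for key, values in keys.items()
            if r'\security center\monitoring' in key.lower()
            and any(n.lower() == 'disablemonitoring' and v.lower() == 'dword:00000001'
                    for n, v in values)]


def globally_open_ports(keys):
    """(port, protocol, description) tuples from the GloballyOpenPorts list."""
    ports = []
    for key, values in keys.items():
        if not key.lower().endswith(r'\globallyopenports\list'):
            continue
        for _name, raw in values:
            port, proto, desc = raw.split(':', 2)
            ports.append((int(port), proto, desc))
    return ports


if __name__ == '__main__':
    parsed = parse_reg_section(SAMPLE_LOG)
    print('Run entries without a path:', run_entries_without_path(parsed))
    print('Monitoring disabled under:', disabled_security_center_monitoring(parsed))
    print('Globally open ports:', globally_open_ports(parsed))
```

On the excerpt this reports two path-less Run entries (HDAudPropShortcut.exe and AGRSMMSG.exe), both Security Center keys with monitoring disabled, and three open ports. A path-less Run entry is not itself malicious (both of these are vendor audio and modem helpers), but it is the case where a reviewer should confirm which file on disk actually gets loaded, and DisableMonitoring=1 means Windows stops reporting the AV and firewall state, which is worth re-enabling once the product that set it is gone.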
Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Help on a possible virus!
« Reply #27 on: January 31, 2010, 01:37:18 AM »
Seeing you have WinPatrol -- did you hear about the 99 cent special for WinPatrol PLUS?  Bill extended it through midnight tonight EST.  See this thread for information and links:  http://www.landzdown.com/index.php?topic=40061.msg122713;boardseen#new

No, I haven't looked at your log yet.  I'll do that later but wanted to tell you about the special in case you're interested.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Corrine
Re: Help on a possible virus!
« Reply #28 on: January 31, 2010, 05:17:18 PM »
Hi, rockbeard.

It looks like that took care of it! Is your computer back to normal now?

You still have a lot of Symantec/Norton remnants on your computer.  I suggest that you use the Norton Removal Tool located at http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

In addition, AVG is way out of date.  The current version is AVG 9.0.730. 


Offline rockbeard

  • Newbie
  • *
  • Posts: 30
Re: Help on a possible virus!
« Reply #29 on: February 03, 2010, 04:23:50 AM »
It looks like my computer is functioning normally now!!! I tried to use that removal tool before, but I guess, like you said, I didn't get it all; will fix that immediately. I am also gonna update my AVG and WinPatrol.  Thank you for all you have done for me, Corrine. I really do appreciate that there is a website out there willing to help those in these situations. You all get a thumbs up in my book!!!