Suspected viruses, sluggish & erratic behaviour!
Post by DO498 » February 2nd, 2008, 8:32 am

Hi, Here's the HJT log for a Toshiba Satellite A30, MS XP Home, version 2002, SP1, with additional 512Mb memory and Norton replaced by Kaspersky Internet Security v7.0. I've tried downloading SP2 via MS updates but it didn't work (although it has downloaded some SP2 patches); I've ordered an SP2 CD. Kaspersky found some bugs, but I think there may be others. The machine seems to slow over time. Could you help me give this machine the once-over and get it bug-free and optimised? Thanks very much.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:03, on 02/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... f.0000004b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6275 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset
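An added example (mine, not code from this thread or from MalwareRemoval.com): a short Python triage pass over HijackThis log lines that flags the entry types a helper reads first: a service or BHO whose file is missing from disk, an AppInit_DLLs hook, an autorun value with an empty name, an IE search setting served from a local DLL resource, and the hosts that O16 ActiveX controls were downloaded from. The severities and the wording of each reason are my own generic heuristics, not a verdict on this machine; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: these lines are copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... f.0000004b
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
"""

# Every HJT entry is "<section> - <detail>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "review": needs a human decision; "info": context only
    reason: str
    line: str


def dpf_host(rest: str) -> str:
    """Host an O16 (Download Program Files) ActiveX control was fetched from."""
    m = re.search(r"(https?://\S+)", rest)
    return (urlparse(m.group(1)).hostname or "") if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics a log helper reads first; None means nothing to say."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("section"), m.group("rest")

    if sec == "O23" and rest.endswith("(file missing)"):
        return Finding(sec, "review", "service is registered but its binary is not on disk (orphaned service)", line)
    if sec == "O23" and "Unknown owner" in rest:
        return Finding(sec, "info", "service binary carries no company name; identify it before trusting it", line)
    if sec == "O2" and rest.endswith("(no file)"):
        return Finding(sec, "review", "BHO CLSID is registered but its DLL is not on disk (orphaned BHO)", line)
    if sec == "O20" and rest.startswith("AppInit_DLLs"):
        return Finding(sec, "review", "AppInit_DLLs is loaded into every process that maps user32.dll; confirm the vendor", line)
    if sec == "O4" and re.search(r"\[\]\s", rest):
        reason = "autorun value with an empty name"
        if "http" in rest:
            reason += " that opens a browser to a URL at logon"
        return Finding(sec, "review", reason, line)
    if sec == "R1" and "CustomizeSearch" in rest and "res://" in rest:
        return Finding(sec, "review", "IE search setting is served from a local DLL resource (res://); identify that DLL's owner", line)
    if sec == "O16":
        return Finding(sec, "info", f"ActiveX control installed from {dpf_host(rest)}; keep only hosts you recognise", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Triage every line of a log; findings come back in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run against the sample, the pass flags the R1, O2, O4 RunOnce, O20 and O23 ISEXEng lines for review and lists the O16 host as information; the Kaspersky O4 and O23 lines pass through. A flag is a prompt to look, not a verdict: the whole point of the thread is that a human helper decides which of these are legitimate on this particular machine.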

Re: Suspected viruses, sluggish & erratic behaviour!

Post by Katana » February 9th, 2008, 9:10 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


Please post a fresh HJT log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Post by DO498 » February 11th, 2008, 4:41 am

Hi Katana,
Thanks for letting me know that you've picked up my post. You guys do a great job, so I'm not surprised that you're "over-subscribed"! Will wait to hear from you when you're ready! Cheers, D.
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset

Re: Suspected viruses, sluggish & erratic behaviour!

Post by Katana » February 11th, 2008, 8:20 am

Katana wrote: Please post a fresh HJT log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Post by DO498 » February 11th, 2008, 12:28 pm

Hi Katana, Here's the latest log for your perusal.... Thanks very much, D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:40, on 11/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... f.0000004b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6283 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset
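Katana asked for a fresh log before doing anything, and the useful question about a second log is what changed since the first. As an added example (mine, not from the thread), this Python script diffs the running-process list and the R/F/O entries of two HijackThis logs. It lower-cases paths because HJT reports the same binary as both System32 and system32, and it counts duplicates so a change in the number of svchost.exe or avp.exe instances shows up rather than being hidden by a set. The two inputs are excerpts of the 2 Feb and 11 Feb logs above, trimmed to the lines that differ plus a few that repeat.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: excerpts of the 2 Feb and 11 Feb logs above, cut
# down to the process lines that differ plus a few that appear in both.
LOG_FEB_02 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
"""

LOG_FEB_11 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
"""

# R/F/O entries start with a section tag such as "R0 - " or "O23 - ".
ENTRY_RE = re.compile(r"^[RFO]\d+ - ")


def parse_hjt(log_text: str) -> Tuple[Counter, Counter]:
    """Split a log into (running processes, R/F/O entries) as Counters.

    Process paths are lower-cased because HJT reports the same binary as both
    'System32' and 'system32'; Counters keep multiplicity, so three svchost.exe
    instances stay three and a fourth one shows up as a change.
    """
    procs: Counter = Counter()
    entries: Counter = Counter()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the blank line after the list ends it
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs[line.lower()] += 1
        elif ENTRY_RE.match(line):
            entries[line] += 1
    return procs, entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """What started, what stopped, and which entries appeared or vanished."""
    old_p, old_e = parse_hjt(old)
    new_p, new_e = parse_hjt(new)
    return {
        "processes_started": sorted((new_p - old_p).elements()),
        "processes_gone": sorted((old_p - new_p).elements()),
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
    }


if __name__ == "__main__":
    for key, items in diff_logs(LOG_FEB_02, LOG_FEB_11).items():
        print(f"{key}: {items if items else '(none)'}")
```

On these excerpts the only changes are in the process list: iexplore.exe was open when the first log was taken and is gone, and the Epson spooler monitor E_S4I0H2.EXE (already present as an O4 Run entry in both logs) is now running; no R/F/O entry was added or removed between the two posts. That is the kind of result that lets a helper concentrate on the entries that are actually stable across logs instead of re-reading the whole thing.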

Re: Suspected viruses, sluggish & erratic behaviour!

Post by Katana » February 11th, 2008, 1:09 pm

Installed Programs
Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site: TotalScan
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

Please post all the logs in reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Post by DO498 » February 13th, 2008, 10:24 am

Hello Katana,
Here are all the logs from the tasks you asked me to do... HJT log, uninstall log, ComboFix log and TotalScan log..... cheers, D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:14:08, on 13/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servle ... f.0000004b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6565 bytes


UNINSTALL LOG:
Adobe Flash Player 9 ActiveX
ALPS Touch Pad Driver
ArcSoft PhotoStudio 5.5
Canon CanoScan Toolbox 4.5
Canon iP4200
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
cia
D-Link RangeBooster N 650 DWA-645
DVD Solution
Easy Button
Easy-WebPrint
EndNote 8.0.2
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR200 Reference Guide
ESPR200 Software Guide
FinePixViewer Resource
FinePixViewer Ver.5.1
FUJIFILM USB Driver
Google Earth
HijackThis 2.0.2
iKeyWorks 6.12
ImageMixer for Sony DVD Handycam
ImageMixer VCD for FinePix
ImageMixer VCD2 LE for FinePix
InCD
Intel(R) Extreme Graphics Driver
Internet Explorer Q831167
InterVideo WinDVD 4
ISI ResearchSoft - Export Helper
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Internet Security 7.0
Kaspersky Internet Security 7.0
LG ODD Auto Firmware Update
Logitech Desktop Messenger
Logitech MouseWare 9.78
Logitech Print Service
Logitech QuickCam Software
Logitech Resource Center
Logitech® Camera Driver
Manual CanoScan 3200,3200F
Method Validator
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office XP Professional with FrontPage
MicroStaff WINASPI NT
Minitab Release 12
Multimedia Launcher
Nero OEM
NETGEAR 108 Mbps Wireless PC Card WG511T
OmniPage SE 2.0
Paint Shop Pro 7 Anniversary Edition
Panda TotalScan
PIF DESIGNER2.1
PowerDVD
PowerProducer
QuickTime
RAW FILE CONVERTER LE
Realtek AC'97 Audio
Realtek Fast Ethernet Adapter Driver
ScanToWeb
Sibelius Scorch (ActiveX Only)
SMSC IrCC Driver V5.1.2462.0 (WinXP)
Sony DVD Handycam USB Driver
TalkTalk Broadband
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA Power Management Utility
Toshiba screensaver
TOSHIBA Software Modem
TouchPad On/Off Utility
Ulead DVD PictureShow 2 SE Basic
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See q329112 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) q329623
Windows XP Hotfix (SP2) Q329834
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810583
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811048
Windows XP Hotfix (SP2) Q814033

===================
ComboFix 08-02-13.2 - David 2008-02-13 12:05:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.514 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SideFind
C:\RECYCLER\desktop.ini
C:\setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-13 11:25 . 2008-02-13 11:25 68,456 --a------ C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2008-02-12 15:27 . 2008-02-12 15:27 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-12 15:26 . 2008-02-12 15:26 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-12 11:49 . 2008-02-12 11:49 <DIR> d-------- C:\Documents and Settings\David\Application Data\Microsoft Web Folders
2008-02-01 12:12 . 2008-02-01 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 11:51 . 2008-02-01 11:51 268 --ah-c--- C:\sqmdata01.sqm
2008-02-01 11:51 . 2008-02-01 11:51 244 --ah-c--- C:\sqmnoopt01.sqm
2008-02-01 10:07 . 2008-02-01 10:07 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-01 10:06 . 2006-05-26 15:29 999,808 -ra------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\WINDOWS\pcidevice
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\Program Files\D-Link
2008-01-27 11:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 11:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 11:15 . 2008-01-27 11:15 <DIR> d-------- C:\WINDOWS\system32\bits
2008-01-27 11:13 . 2008-01-28 15:05 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-27 11:13 . 2005-02-25 03:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-23 23:12 . 2008-02-01 08:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-23 23:12 . 2008-01-23 23:12 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-23 23:11 . 2008-01-23 23:11 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-23 23:11 . 2008-02-13 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-23 23:11 . 2008-02-13 12:08 3,168,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 23:11 . 2008-02-13 12:08 70,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-23 23:11 . 2008-02-13 10:55 44,144 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 23:11 . 2008-02-13 10:55 8,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-23 23:09 . 2008-01-23 23:09 <DIR> d-------- C:\kav
2008-01-23 22:33 . 2004-02-22 20:08 1,112,347 --a--c--- C:\Geoff & Lisa's Wedding 21st Sept 2002 038.jpg
2008-01-23 21:11 . 2004-07-01 22:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-23 21:11 . 2004-07-01 22:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-23 21:11 . 2004-07-01 22:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-23 21:11 . 2004-06-30 23:59 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-01-23 21:11 . 2004-07-01 22:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-23 21:11 . 2004-07-01 22:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-23 21:11 . 2004-07-01 22:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-23 21:11 . 2004-07-01 22:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-23 21:11 . 2004-07-01 22:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-23 21:11 . 2004-07-01 22:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-23 21:08 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-23 21:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-23 21:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-23 19:54 . 2008-01-23 19:54 268 --ah-c--- C:\sqmdata00.sqm
2008-01-23 19:54 . 2008-01-23 19:54 244 --ah-c--- C:\sqmnoopt00.sqm
2008-01-23 19:47 . 2008-01-23 19:47 <DIR> d-------- C:\Documents and Settings\David\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 10:56 --------- d-----w C:\Program Files\lg_fwupdate
2008-02-01 10:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-23 20:19 --------- d-----w C:\Program Files\Google
2008-01-23 19:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-23 19:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-17 12:40 --------- d-----w C:\Documents and Settings\Lisa\Application Data\Symantec
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2008-01-06 20:52 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2008-01-06 20:52 --------- d-----w C:\Documents and Settings\Lisa\Application Data\Sibelius Software
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2008-01-06 20:51 --------- d-----w C:\Program Files\Sibelius Software
2008-01-06 16:30 --------- d-----w C:\Documents and Settings\Lisa\Application Data\Lavasoft
2007-12-18 00:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 00:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-13 13:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2005-01-04 21:20 59,120 ----a-w C:\Documents and Settings\Lisa\Application Data\GDIPFONTCACHEV1.DAT
2004-11-13 21:30 99 ----a-w C:\Documents and Settings\Lisa\x.bat
2004-11-13 21:30 99 ----a-w C:\Documents and Settings\Geoff\x.bat
2004-10-01 15:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-04-01 03:00 26,538 -c--a-w C:\Program Files\EXACT2XK.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2002-08-29 13:00 91136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 15:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 15:14 114688]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-06-18 12:44 151552]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-07-23 17:03 135168]
"CPLDBL10"="C:\Program Files\EzButton\CPLDBL10.EXE" [2003-07-03 18:34 204800]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-07-29 15:19 638976]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-07-18 14:24 49152]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2003-12-25 13:07 28672]
"Logitech Utility"="Logi_MwX.Exe" [2003-06-30 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.exe" [2003-09-11 03:00 99840]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2003-07-31 02:52 401408]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11 229376]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe [2008-02-01 10:05:46 5644288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 01:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iKeyWorks]
--a------ 2003-02-21 16:40 73728 C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 14:25 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-01-18 17:07 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-01-18 17:47 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-06-02 16:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 10:26 86016 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ControlAd]
C:\Program Files\Windows ControlAd\WinCtlAd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdPULD8]
C:\WINDOWS\tkliwfkt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\tkliwfkt.exe

R0 sonypvl2;sonypvl2;C:\WINDOWS\System32\drivers\sonypvl2.sys [2003-07-25 15:02]
R1 sonypvf2;sonypvf2;C:\WINDOWS\System32\drivers\sonypvf2.sys [2004-04-08 11:04]
R1 sonypvt2;sonypvt2;C:\WINDOWS\System32\drivers\sonypvt2.sys [2003-08-20 10:44]
R2 DPortIO;Dritek Port I/O Driver;C:\WINDOWS\System32\Drivers\DPortIO.sys [2001-04-12 14:04]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 17:43]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2002-09-17 14:12]
S1 sonypvd2;sonypvd2;C:\WINDOWS\System32\DRIVERS\sonypvd2.sys [2003-06-24 10:29]
S2 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe []
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\System32\DRIVERS\Amps2prt.sys []
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\System32\DRIVERS\wg511nd5.sys [2003-06-20 13:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 12:08:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-13 12:09:47
ComboFix-quarantined-files.txt 2008-02-13 12:09:32
.
2008-01-27 11:15:22 --- E O F ---

============================================

TOTALSCAN LOG:


;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-13 14:10:22
PROTECTIONS: 0
MALWARE: 99
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm_kyf.dat
00020302 adware/ncase Adware No 0 Yes No c:\temp\salmau.dat
00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais
00020302 adware/ncase Adware No 0 Yes No c:\temp\fleok
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx1x.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx1.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx3.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx3x.nls
00020942 adware/exact.bargainbuddy Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\bargainbuddy
00020942 adware/exact.bargainbuddy Adware No 0 Yes No hkey_local_machine\system\controlset001\services\isexeng
00020942 adware/exact.bargainbuddy Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\isexeng
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\windows\system32\vx0.nls
00027660 adware/savenow Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{618be527-b7f5-417c-bc51-98fdc2d6de61}
00034463 adware/wupd Adware No 0 Yes No hkey_local_machine\software\windows controlad
00034463 adware/wupd Adware No 0 Yes No c:\program files\windows controlad
00035917 adware/ist.sidefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sidefind
00039209 adware/virtualbouncer Adware No 0 Yes No c:\program files\vbouncer
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\clsid\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\clsid\{310cc549-4541-46a9-940f-52b342a6e682}
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_wintoolssvc
00040415 adware/wintools Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d1951679-1d52-43fc-9585-0737143585f5}
00040415 adware/wintools Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{310cc549-4541-46a9-940f-52b342a6e682}
00040415 adware/wintools Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}
00040415 adware/wintools Adware No 0 Yes No c:\documents and settings\all users\start menu\programs\web search tools
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\tbps.plugininst
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\tbps.plugindown
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\tbps.plugininst
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\tbps.plugindown
00040467 adware/elitebar Adware No 1 Yes No hkey_local_machine\software\ohbbackup
00040467 adware/elitebar Adware No 1 Yes No c:\windows\downloaded program files\osdeb.osd
00045952 spyware/media-motor Spyware No 1 Yes No HKEY_CLASSES_ROOT\Interface\{ad29366c-63aa-4ff3-944f-91ad7193bca2}
00045952 spyware/media-motor Spyware No 1 Yes No HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}
00047660 adware/sqwire Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
00047993 adware/powerscan Adware No 0 Yes No c:\program files\power scan
00048498 adware/topconvert Adware No 1 Yes No c:\program files\topconverting
00048546 adware/searchrelevancy Adware No 0 Yes No hkey_local_machine\software\searchrelevancy
00125133 Spyware/Media-motor Spyware No 1 Yes No C:\WINDOWS\LastGood\Downloaded Program Files\mm21.INF
00125133 Spyware/Media-motor Spyware No 1 Yes No C:\WINDOWS\Downloaded Program Files\CONFLICT.1\mm21.INF
00132742 Adware/IST.ISTBar Adware No 1 Yes No C:\WINDOWS\LastGood\Downloaded Program Files\istactivex.inf
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@atdmt[2].txt
00144497 Cookie/Intelli-tracker TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www.intelli-tracker[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@tradedoubler[1].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@tradedoubler[1].txt
00145396 Cookie/Slotch TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@www.slotch[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@247realmedia[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@247realmedia[1].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@bfast[2].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@bfast[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@fastclick[2].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@servedby.advertising[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@tribalfusion[2].txt
00145732 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@as-eu.falkag[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@mediaplex[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@clickbank[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@revenue[2].txt
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@findwhat[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@com[2].txt
00167670 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@seeq[1].txt
00167671 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@domainsponsor[1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@landing.domainsponsor[1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@landing.domainsponsor[1].txt
00167690 Cookie/Rightmedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@rightmedia[2].txt
00167691 Cookie/ademails TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www.ademails[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@xiti[1].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@z1.adserver[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@statcounter[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@counter.hitslink[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@counter.hitslink[2].txt
00167765 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@hg1.hitbox[1].txt
00167774 Cookie/web-stat TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www.web-stat[1].txt
00167774 Cookie/web-stat TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@www.web-stat[1].txt
00167790 Cookie/Qsrch TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@qsrch[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@perf.overture[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@bs.serving-sys[1].txt
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@888[1].txt
00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@as1.falkag[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@weborama[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@adtech[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@server.iad.liveperson[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@server.iad.liveperson[1].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@stat.onestat[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@adrevolver[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@statse.webtrendslive[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@ads.pointroll[1].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@hc2.humanclick[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@overture[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@realmedia[1].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@cgi-bin[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\David\Cookies\david@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@zedo[2].txt
00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@888[2].txt
00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@cassava[1].txt
00173480 Adware/Exact.BargainBuddy Adware No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc4\bb_welcome.html
00173484 Adware/Exact.BargainBuddy Adware No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc4\icon.gif
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@bluestreak[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@bluestreak[1].txt
00173905 Cookie/Xmts TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@xmts[1].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@phg.hitbox[1].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@phg.hitbox[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@adrevolver[3].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@bravenet[2].txt
00187951 Cookie/seeqA TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www.seeq[1].txt
00199981 Cookie/Seeq TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www48.seeq[1].txt
00199982 Cookie/Buydomains TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@www47.buydomains[1].txt
00199983 Cookie/Valueclick TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@valueclick[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@searchportal.information[1].txt
00207712 Cookie/360i TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@ct.360i[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@did-it[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@did-it[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adviva[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@adviva[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Geoff\Cookies\geoff@adviva[2].txt
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@i.screensavers[2].txt
00239129 Bat/Ydos Virus/Trojan No 0 Yes No C:\WINDOWS\system32\x.bat
00239129 Bat/Ydos Virus/Trojan No 0 Yes No C:\Documents and Settings\Lisa\x.bat
00239129 Bat/Ydos Virus/Trojan No 0 Yes No C:\Documents and Settings\Geoff\x.bat
00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@cgi-bin[3].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@atwola[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@ads.addynamix[2].txt
00783492 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP322\A0060010.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP337\A0062944.EXE
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\David\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\David\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP337\A0062967.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Lisa\Cookies\lisa@adserver.easyad[2].txt
02830496 Generic Malware Virus/Trojan No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc2\Sy1150\Html\f_popo1150c_ub.htm
02839209 Generic Malware Virus/Trojan No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc2\Sy1150\Html\popo1150c.htm
02839400 Generic Malware Virus/Trojan No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc2\Sy1150\Html\spec1150c.htm
02839485 Generic Malware Virus/Trojan No 0 Yes No C:\RECYCLER\S-1-5-21-2517080302-2525449139-3568871726-1005\Dc2\Sy1150\Html\foot1150c_ub.htm
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

------ end of Totalscan Report ----------
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby Katana » February 13th, 2008, 12:54 pm

Do you know what EXACT2XK.EXE is?


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\downloaded program files\osdeb.osd
    c:\windows\system32\vx1x.nls
    c:\windows\system32\vx1.nls
    c:\windows\system32\vx3.nls
    c:\windows\system32\vx3x.nls
    c:\windows\system32\vx0.nls
    c:\temp\salm_kyf.dat
    c:\temp\salmau.dat
    C:\WINDOWS\LastGood\Downloaded Program Files\mm21.INF
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\mm21.INF
    C:\WINDOWS\LastGood\Downloaded Program Files\istactivex.inf
    C:\WINDOWS\system32\x.bat
    C:\Documents and Settings\Lisa\x.bat
    C:\Documents and Settings\Geoff\x.bat
    Folder::
    C:\Program Files\ISTsvc
    c:\temp\fleok
    c:\program files\windows controlad
    c:\program files\vbouncer
    c:\documents and settings\all users\start menu\programs\web search tools
    c:\program files\power scan
    c:\program files\topconverting
    Driver::
    ISEXEng
    Amps2prt
    Registry::
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LGODDFU"=-
    "REGSHAVE"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ControlAd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdPULD8]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\½%÷u0â@âµÑ]ð£%ziC:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\½%÷u0â@âµÑ]ð£%ziC:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\½%÷u0â@âµÑ]ð£%ziC:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\½%÷u0â@âµÑ]ð£%ziC:\Program Files\ISTsvc\istsvc.exe]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\bargainbuddy]
    [-HKEY_local_machine\system\controlset001\services\isexeng]
    [-HKEY_local_machine\system\currentcontrolset\services\isexeng]
    [-HKEY_local_machine\software\windows controlad]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sidefind]
    [-HKEY_classes_root\clsid\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}]
    [-HKEY_classes_root\clsid\{310cc549-4541-46a9-940f-52b342a6e682}]
    [-HKEY_local_machine\system\controlset001\enum\root\legacy_wintoolssvc]
    [-HKEY_classes_root\tbps.plugininst]
    [-HKEY_local_machine\software\classes\tbps.plugindown]
    [-HKEY_local_machine\software\classes\tbps.plugininst]
    [-HKEY_classes_root\tbps.plugindown]
    [-HKEY_local_machine\software\ohbbackup]
    [-HKEY_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa]
    [-HKEY_local_machine\software\searchrelevancy]
    [-HKEY_CLASSES_ROOT\Interface\{618be527-b7f5-417c-bc51-98fdc2d6de61}]
    [-HKEY_CLASSES_ROOT\Interface\{d1951679-1d52-43fc-9585-0737143585f5}]
    [-HKEY_LOCAL_MACHINE\software\classes\CLSID\{310cc549-4541-46a9-940f-52b342a6e682}]
    [-HKEY_LOCAL_MACHINE\software\classes\CLSID\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}]
    [-HKEY_CLASSES_ROOT\Interface\{ad29366c-63aa-4ff3-944f-91ad7193bca2}]
    [-HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}]
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove the older Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 4 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs, and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    Java 2 Runtime Environment, SE v1.4.2
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby DO498 » February 14th, 2008, 8:57 am

Hi Katana,
EXACT2XK.exe is a statistical calculation tool used by the owner; she would like it to remain on the system.
Re-ran ComboFix with the file you provided; the resulting log follows.
I downloaded the latest Java (6) having uninstalled (2). When running the (6) install it warned me that this is an unsupported o/s (SP1, they want SP2). I have now received an SP2 disk from Microsoft; would this be a good point at which to install it, or would you rather wait till we've run through all your checks? (Is there any significant benefit to installing SP2?!!)

ComboFix log:
ComboFix 08-02-13.2 - David 2008-02-14 12:21:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.472 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Geoff\x.bat
C:\Documents and Settings\Lisa\x.bat
c:\temp\salm_kyf.dat
c:\temp\salmau.dat
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\mm21.INF
c:\windows\downloaded program files\osdeb.osd
C:\WINDOWS\LastGood\Downloaded Program Files\istactivex.inf
C:\WINDOWS\LastGood\Downloaded Program Files\mm21.INF
c:\windows\system32\vx0.nls
c:\windows\system32\vx1.nls
c:\windows\system32\vx1x.nls
c:\windows\system32\vx3.nls
c:\windows\system32\vx3x.nls
C:\WINDOWS\system32\x.bat
.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52, on 2008-02-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5879 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset
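The HijackThis logs in this thread are read by eye; as an added example that is not part of the thread or of HijackThis itself, here is a small Python triage script for that log format. It flags the orphaned O2 BHO reported as "(no file)", O4 Run entries with a bare file name, a program outside Windows and Program Files or a batch script, and R0/R1 settings that point at a local resource; the sample lines are copied from the logs above except for the last Run line, which is constructed.

```python
"""Triage helper for HijackThis v2 logs in the format posted in this thread.

It does not decide what is malware; it pulls out the entries a helper reads
first (O2 BHOs whose DLL is "(no file)"; O4 Run entries with a bare file name,
a program outside Windows/Program Files or a batch script; R0/R1 browser
settings that are not http(s) URLs). Every hit is a prompt to look, not to delete.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT logs above (same record types
# and separators) plus one made-up Run entry in a Temp folder (the last line)
# so the out-of-tree check has something to find.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\David\Local Settings\Temp\example_upd.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[0-3] - (?P<key>HK\w+\\[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")

# Where an XP autostart or BHO normally lives (lower-cased for comparison).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str  # HJT record type, e.g. "O4"
    name: str     # Run value name, BHO name or browser setting name
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the program path from an O4 command string, dropping its switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: HJT prints the path followed by its switches, and on XP the
    # path itself may contain spaces, so cut at the first ".exe", not at the
    # first space.
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else (cmd.split() or [cmd])[0]


def check_run(m: re.Match, line: str) -> list:
    exe = executable_of(m["cmd"])
    reasons = []
    if "\\" not in exe:
        reasons.append("bare file name, resolved through PATH at logon")
    elif not exe.lower().startswith(TRUSTED_DIRS):
        reasons.append("program outside Windows and Program Files")
    if ".bat" in m["cmd"].lower():  # ComboFix's own entry above trips this too
        reasons.append("launches a batch script at logon")
    return [Finding("O4", m["name"], r, line) for r in reasons]


def check_bho(m: re.Match, line: str) -> list:
    file = m["file"].strip()
    if file.lower() == "(no file)":
        return [Finding("O2", m["name"], "BHO registered but its DLL is missing (orphaned entry)", line)]
    if not file.lower().startswith(TRUSTED_DIRS):
        return [Finding("O2", m["name"], "BHO loaded from outside Windows and Program Files", line)]
    return []


def check_r(m: re.Match, line: str) -> list:
    data = m["data"].strip()
    if data and not data.lower().startswith(("http://", "https://")):
        return [Finding(line[:2], m["value"], "start/search setting points at a local resource, not a web URL", line)]
    return []


def triage(log_text: str) -> list:
    """Run every check over an HJT log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in ((RUN_RE, check_run), (BHO_RE, check_bho), (R_RE, check_r)):
            m = regex.match(line)
            if m:
                findings.extend(check(m, line))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.reason}\n    {f.line}")
```

Point `triage()` at the text of a saved HJT log to get the same list for a real machine; the `[combofix]` hit shows why each finding is a review prompt rather than a verdict.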

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby Katana » February 14th, 2008, 9:52 am

If you have the CD, then install SP2 now. The benefit of installing SP2 is that it makes your machine more secure against infection.

Do you have the full ComboFix log? It looks like it got cut off. C:\ComboFix.txt
What problems, if any, are you having now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby DO498 » February 19th, 2008, 2:23 pm

Hi Katana, sorry for the delay in responding; my e-mail in/out had a hiccup last week and so I didn't pick up a reply notification.
I've installed SP2, and so have now been able to install the latest Java.
The ComboFix log is all that I have in the txt file. Do you want me to re-run the scan? With or without the previous post's file you sent me?
The machine seems to be behaving pretty well now, thanks; did you see any significant gremlins? I'm trying to remove the LG Camera Driver, but the Add/Remove Programs pane just hangs when I hit "Change/Uninstall". Is there a way around this?
Cheers, D.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:14, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6859 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby Katana » February 19th, 2008, 6:34 pm

CCleaner

Please download CCleaner to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings.
  • Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items. Click on Issues and make sure Registry Integrity is UNchecked!
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.

Now before you close CCleaner click Tools and find the LG Camera Driver, click it, and then click Run Uninstaller at the top right hand corner.


Please delete the copy of ComboFix.exe that you have, and download a fresh copy from the link below.
ComboFix.exe 1

Double-click it, and let's see if we can get a log.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby DO498 » February 20th, 2008, 4:06 pm

Hi Katana. Done the CCleaner; however, when I ran the Uninstaller against the LG Camera Driver I got the hour-glass for about 5 seconds, then nothing (same sort of reaction as when trying to uninstall via Add/Remove)?
Re-ran ComboFix; the full log now follows! I've done a bit more housekeeping on the machine, so another HJT log follows also. I notice in the HJT log that there are still some references to Symantec (Norton was uninstalled a while back!).
The machine seems to be running pretty well now. Kaspersky has just this minute noted some threats that must be dealt with immediately, so I'll try and work out what it's telling me when I've posted this. Thanks, D.

ComboFix 08-02-20.2 - David 2008-02-20 19:47:51.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.517 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 19:30 . 2008-02-20 19:30 268 --ah-c--- C:\sqmdata02.sqm
2008-02-20 19:30 . 2008-02-20 19:30 244 --ah-c--- C:\sqmnoopt02.sqm
2008-02-20 16:07 . 2008-02-20 16:07 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-20 10:34 . 2008-02-20 10:34 <DIR> d-------- C:\Program Files\CCleaner
2008-02-19 18:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-19 18:11 . 2008-02-19 18:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 17:13 . 2008-02-19 17:13 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-19 17:07 . 2008-02-19 17:07 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-19 16:49 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002454_.tmp
2008-02-19 15:57 . 2008-02-19 15:57 <DIR> d-------- C:\WINDOWS\EHome
2008-02-18 16:32 . 2008-02-18 16:32 7,168 --ahsc--- C:\Thumbs.db
2008-02-18 11:41 . 2008-02-18 11:41 <DIR> d-------- C:\Documents and Settings\David\Application Data\CD-LabelPrint
2008-02-18 11:27 . 2008-02-18 11:27 <DIR> d-------- C:\Documents and Settings\David\Application Data\FUJIFILM
2008-02-14 12:17 . 2008-02-14 12:17 <DIR> d-------- C:\Documents and Settings\David\Application Data\ScanSoft
2008-02-13 12:18 . 2008-02-13 12:18 <DIR> d-------- C:\Program Files\Panda Security
2008-02-13 11:25 . 2008-02-13 11:25 68,456 --a------ C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2008-02-12 15:27 . 2008-02-12 15:27 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-12 15:26 . 2008-02-12 15:26 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-12 11:49 . 2008-02-12 11:49 <DIR> d-------- C:\Documents and Settings\David\Application Data\Microsoft Web Folders
2008-02-01 12:12 . 2008-02-01 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 11:51 . 2008-02-01 11:51 268 --ah-c--- C:\sqmdata01.sqm
2008-02-01 11:51 . 2008-02-01 11:51 244 --ah-c--- C:\sqmnoopt01.sqm
2008-02-01 10:07 . 2008-02-01 10:07 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-01 10:06 . 2006-05-26 15:29 999,808 -ra------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\WINDOWS\pcidevice
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\Program Files\D-Link
2008-01-27 11:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 11:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 11:15 . 2008-01-27 11:15 <DIR> d-------- C:\WINDOWS\system32\bits
2008-01-27 11:13 . 2008-02-20 10:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-27 11:13 . 2005-02-25 03:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-23 23:12 . 2008-02-01 08:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-23 23:12 . 2008-01-23 23:12 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-23 23:11 . 2008-01-23 23:11 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-23 23:11 . 2008-02-20 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-23 23:11 . 2008-02-20 19:30 4,635,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 23:11 . 2008-02-20 19:31 202,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-23 23:11 . 2008-02-20 19:30 65,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 23:11 . 2008-02-20 19:31 21,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-23 23:09 . 2008-01-23 23:09 <DIR> d-------- C:\kav
2008-01-23 22:33 . 2004-02-22 20:08 1,112,347 --a--c--- C:\Geoff & Lisa's Wedding 21st Sept 2002 038.jpg
2008-01-23 21:11 . 2004-08-04 00:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-01-23 21:11 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-23 21:11 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-23 21:11 . 2004-08-04 00:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-23 21:11 . 2004-08-04 00:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-23 21:08 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-23 21:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-23 21:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-23 19:54 . 2008-01-23 19:54 268 --ah-c--- C:\sqmdata00.sqm
2008-01-23 19:54 . 2008-01-23 19:54 244 --ah-c--- C:\sqmnoopt00.sqm
2008-01-23 19:47 . 2008-01-23 19:47 <DIR> d-------- C:\Documents and Settings\David\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 18:13 --------- d-----w C:\Program Files\MSN Messenger
2008-02-20 18:08 --------- d-----w C:\Program Files\Google
2008-02-20 16:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 10:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-20 09:55 --------- d-----w C:\Program Files\Canon
2008-02-20 09:48 --------- d-----w C:\Program Files\FinePixViewer
2008-02-19 18:12 --------- d-----w C:\Program Files\Java
2008-02-18 11:50 --------- d-----w C:\Program Files\EPSON
2008-02-18 11:13 --------- d-----w C:\Program Files\Logitech
2008-01-23 19:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2008-01-06 20:51 --------- d-----w C:\Program Files\Sibelius Software
2007-12-18 00:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2005-01-04 21:20 59,120 ----a-w C:\Documents and Settings\Lisa\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 15:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-04-01 03:00 26,538 -c--a-w C:\Program Files\EXACT2XK.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 15:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 15:14 114688]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-06-18 12:44 151552]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-07-23 17:03 135168]
"CPLDBL10"="C:\Program Files\EzButton\CPLDBL10.EXE" [2003-07-03 18:34 204800]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-07-29 15:19 638976]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-07-18 14:24 49152]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2003-12-25 13:07 28672]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2003-07-31 02:52 401408]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe [2008-02-01 10:05:46 5644288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
--a------ 2004-08-04 00:56 388608 C:\WINDOWS\system32\kmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 01:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iKeyWorks]
--a------ 2003-02-21 16:40 73728 C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\tkliwfkt.exe

R2 DPortIO;Dritek Port I/O Driver;C:\WINDOWS\system32\Drivers\DPortIO.sys [2001-04-12 14:04]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 17:43]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 14:12]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg511nd5.sys [2003-06-20 13:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:50:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 19:52:58
ComboFix-quarantined-files.txt 2008-02-20 19:52:40
ComboFix2.txt 2008-02-20 11:24:07
ComboFix3.txt 2008-02-13 12:09:49
.
2008-01-27 11:15:22 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57:24, on 20/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6642 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby Katana » February 20th, 2008, 5:32 pm

What did Kaspersky find ?

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Remove Norton

Please click HERE and follow the instructions to download and run the Norton Removal Tool
Recovery Console
!!!!!! Warning !!!!!!.... Your log shows that Recovery Console is not installed.
Due to the threat that current and future malware poses it is vital that you have some form of recovery console.
Please visit http://www.bleepingcomputer.com/combofi ... e-combofix and follow the instructions for
Windows Recovery Console
or
Creating a bootable CD of NTFS4Dos.

It is important that you do this as soon as you can.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
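As an added illustration of the triage behind the "Fix With HJT" list above (example code written for this page, not part of the forum post and not HijackThis itself), the following parses HijackThis v2 log lines and flags the same kinds of entries a helper ticks in "Fix checked": BHOs whose DLL is gone, services with no identifiable owner, non-essential startup items, and leftovers from a product the user has already uninstalled. The sample log is a constructed excerpt of lines quoted in this thread; the set of non-essential startup names and the removed-vendor parameter are assumptions taken from Katana's list.

```python
"""Triage helper for HijackThis v2.0.x log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Every HJT entry starts with a section tag such as R0, O2, O16, O23, then " - ".
# Header lines ("Logfile of ...") and process paths do not match and are skipped.
LINE_RE = re.compile(r"^(?P<tag>[ROF]\d{1,2})\s+-\s+(?P<body>.*)$")
# O4 entries carry the Run-key value name in square brackets: [SunJavaUpdateSched]
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")

# Startup items the helper in this thread treated as safe to disable for
# performance (assumption drawn from the thread; extend to taste).
NON_ESSENTIAL_STARTUP = {"SunJavaUpdateSched", "Adobe Reader Speed Launcher"}

# Constructed excerpt of the HJT log posted in the thread (paths kept verbatim).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:57:24, on 20/02/2008

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass
class Finding:
    tag: str      # HJT section tag, e.g. "O2"
    reason: str   # why a helper would tick this line
    line: str     # the original log line, ready to paste into a reply


def parse_hjt(text):
    """Yield (tag, body, raw_line) for each HJT entry; non-entry lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("tag"), m.group("body"), raw


def triage(text, removed_vendors=()):
    """Return the entries a helper would typically select for 'Fix checked'.

    removed_vendors: product names the user reports having uninstalled (e.g.
    "Symantec" after running the Norton Removal Tool); any entry that still
    references one of them is a leftover.  Rules are checked most specific first,
    so a line gets exactly one reason.
    """
    findings = []
    vendors = tuple(v.lower() for v in removed_vendors)
    for tag, body, raw in parse_hjt(text):
        low = body.lower()
        run_name = RUN_NAME_RE.search(body)
        if tag == "O2" and low.endswith("(no file)"):
            # CLSID still registered as a Browser Helper Object but the DLL is gone.
            findings.append(Finding(tag, "orphaned BHO, DLL missing", raw))
        elif tag == "O23" and "unknown owner" in low:
            # HJT could not read a company name from the service binary.
            findings.append(Finding(tag, "service with no identifiable owner", raw))
        elif tag == "O4" and run_name and run_name.group(1) in NON_ESSENTIAL_STARTUP:
            findings.append(Finding(tag, "non-essential startup item", raw))
        elif vendors and any(v in low for v in vendors):
            findings.append(Finding(tag, "leftover from uninstalled product", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, removed_vendors=("Symantec",)):
        print(f"{f.tag:4} {f.reason:40} {f.line}")
```

Lines that do not hit a rule (the Kaspersky O4/O20/O23 entries, the Windows Update O16) are left alone, which mirrors the helper's "IF still present" list: fix the orphans and leftovers, keep the security product's own hooks.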

Re: Suspected viruses, sluggish & erratic behaviour!

Unread postby DO498 » February 22nd, 2008, 12:33 pm

Hi Katana,

Done all as requested; although I did have to use the Norton Removal tool originally so I was surprised to see registry entries still present!

Ran what I think I should have to create a Recovery Console .... relevant ComboFix log follows (looks a bit brief to me???). Also deleted/rerun ComboFix to check for that warning (now absent) - log follows, and as ever an HJT log. Any further ideas on how to dump that camera driver? (It's not causing any bother, but it is superfluous!). Cheers, D

Recovery Console log:
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

---------- oOo ----------

ComboFix Log:

ComboFix 08-02-22.3 - David 2008-02-22 15:25:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.482 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-20 20:12 . 2006-08-21 09:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-20 20:12 . 2006-08-21 09:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-20 20:12 . 2006-08-21 12:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-20 20:08 . 2008-02-20 20:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-20 19:30 . 2008-02-20 19:30 268 --ah-c--- C:\sqmdata02.sqm
2008-02-20 19:30 . 2008-02-20 19:30 244 --ah-c--- C:\sqmnoopt02.sqm
2008-02-20 16:07 . 2008-02-20 16:07 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-20 10:34 . 2008-02-20 10:34 <DIR> d-------- C:\Program Files\CCleaner
2008-02-20 10:34 . 2007-07-09 13:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-19 18:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-19 18:11 . 2008-02-19 18:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 17:13 . 2008-02-19 17:13 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-19 17:07 . 2008-02-19 17:07 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-19 16:49 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002454_.tmp
2008-02-19 15:57 . 2008-02-19 15:57 <DIR> d-------- C:\WINDOWS\EHome
2008-02-18 16:32 . 2008-02-18 16:32 7,168 --ahsc--- C:\Thumbs.db
2008-02-18 11:41 . 2008-02-18 11:41 <DIR> d-------- C:\Documents and Settings\David\Application Data\CD-LabelPrint
2008-02-18 11:27 . 2008-02-18 11:27 <DIR> d-------- C:\Documents and Settings\David\Application Data\FUJIFILM
2008-02-14 12:17 . 2008-02-14 12:17 <DIR> d-------- C:\Documents and Settings\David\Application Data\ScanSoft
2008-02-13 12:18 . 2008-02-13 12:18 <DIR> d-------- C:\Program Files\Panda Security
2008-02-13 11:25 . 2008-02-13 11:25 68,456 --a------ C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2008-02-12 15:27 . 2008-02-12 15:27 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-12 15:26 . 2008-02-12 15:26 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-12 11:49 . 2008-02-12 11:49 <DIR> d-------- C:\Documents and Settings\David\Application Data\Microsoft Web Folders
2008-02-01 12:12 . 2008-02-01 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 11:51 . 2008-02-01 11:51 268 --ah-c--- C:\sqmdata01.sqm
2008-02-01 11:51 . 2008-02-01 11:51 244 --ah-c--- C:\sqmnoopt01.sqm
2008-02-01 10:07 . 2008-02-01 10:07 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-01 10:06 . 2006-05-26 15:29 999,808 -ra------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\WINDOWS\pcidevice
2008-02-01 10:05 . 2008-02-01 10:05 <DIR> d-------- C:\Program Files\D-Link
2008-01-28 14:59 . 2007-11-14 07:26 450,560 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-01-28 14:58 . 2006-08-14 10:34 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-01-28 14:57 . 2006-06-22 10:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll
2008-01-28 14:56 . 2006-08-25 15:45 617,472 -----c--- C:\WINDOWS\system32\dllcache\comctl32.dll
2008-01-28 14:56 . 2006-05-19 12:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-28 14:56 . 2006-05-19 12:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-27 11:19 . 2006-08-16 09:37 225,664 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-01-27 11:19 . 2006-08-16 11:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-01-27 11:18 . 2006-03-17 00:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-01-27 11:16 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-27 11:16 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-27 11:15 . 2008-01-27 11:15 <DIR> d-------- C:\WINDOWS\system32\bits
2008-01-27 11:13 . 2008-02-20 20:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-27 11:13 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 11:11 . 2006-05-05 09:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-27 11:11 . 2006-05-05 09:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys
2008-01-23 23:12 . 2008-02-01 08:46 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-23 23:12 . 2008-01-23 23:12 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-23 23:11 . 2008-01-23 23:11 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-23 23:11 . 2008-02-21 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-23 23:11 . 2008-02-22 15:28 4,793,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 23:11 . 2008-02-22 15:27 215,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-23 23:11 . 2008-02-21 10:51 67,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 23:11 . 2008-02-21 10:51 22,724 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-23 23:09 . 2008-01-23 23:09 <DIR> d-------- C:\kav
2008-01-23 22:33 . 2004-02-22 20:08 1,112,347 --a--c--- C:\Geoff & Lisa's Wedding 21st Sept 2002 038.jpg
2008-01-23 21:11 . 2004-08-04 00:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-01-23 21:11 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-23 21:11 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-23 21:11 . 2004-08-04 00:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-01-23 21:11 . 2004-08-04 00:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-01-23 21:08 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-23 21:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-23 21:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-23 21:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-23 19:54 . 2008-01-23 19:54 268 --ah-c--- C:\sqmdata00.sqm
2008-01-23 19:54 . 2008-01-23 19:54 244 --ah-c--- C:\sqmnoopt00.sqm
2008-01-23 19:47 . 2008-01-23 19:47 <DIR> d-------- C:\Documents and Settings\David\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 18:13 --------- d-----w C:\Program Files\MSN Messenger
2008-02-20 18:08 --------- d-----w C:\Program Files\Google
2008-02-20 16:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 10:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-20 09:55 --------- d-----w C:\Program Files\Canon
2008-02-20 09:48 --------- d-----w C:\Program Files\FinePixViewer
2008-02-19 18:12 --------- d-----w C:\Program Files\Java
2008-02-18 11:50 --------- d-----w C:\Program Files\EPSON
2008-02-18 11:13 --------- d-----w C:\Program Files\Logitech
2008-01-23 19:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2008-01-06 20:51 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2008-01-06 20:51 --------- d-----w C:\Program Files\Sibelius Software
2007-12-18 00:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-01-04 21:20 59,120 ----a-w C:\Documents and Settings\Lisa\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 15:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-04-01 03:00 26,538 -c--a-w C:\Program Files\EXACT2XK.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 15:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 15:14 114688]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-06-18 12:44 151552]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-07-23 17:03 135168]
"CPLDBL10"="C:\Program Files\EzButton\CPLDBL10.EXE" [2003-07-03 18:34 204800]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-07-29 15:19 638976]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-07-18 14:24 49152]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2003-12-25 13:07 28672]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2003-07-31 02:52 401408]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe [2008-02-01 10:05:46 5644288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
--a------ 2004-08-04 00:56 388608 C:\WINDOWS\system32\kmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 01:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iKeyWorks]
--a------ 2003-02-21 16:40 73728 C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁÐ]­úü‰üžiC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\tkliwfkt.exe

R2 DPortIO;Dritek Port I/O Driver;C:\WINDOWS\system32\Drivers\DPortIO.sys [2001-04-12 14:04]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 17:43]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 14:12]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg511nd5.sys [2003-06-20 13:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 15:28:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 15:29:52
ComboFix-quarantined-files.txt 2008-02-22 15:29:26
ComboFix2.txt 2008-02-20 19:53:00
ComboFix3.txt 2008-02-20 11:24:07
ComboFix4.txt 2008-02-13 12:09:49
.
2008-02-20 20:29:25 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:39, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\wirelesscm.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1122448515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1123076500
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N 650 DWA-645\acs.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe

--
End of file - 5756 bytes
DO498
Regular Member
 
Posts: 36
Joined: August 28th, 2007, 5:29 pm
Location: Dorset