Please help with virus removal.

I downloaded a virus that I thought was a mod for the game World of Warcraft. I thought it looked funky, and then on restart a Windows window came up asking me if I wanted to run some exe. I didn't, and realized what I'd done.

I went through all the steps. Ad-Aware removed some tracking cookies, and Spybot removed these:
starware
webtrends live
zedo
Microsoft.Windowssecuritycenter.antivirus/firewall disable notify
mediaplex
ipfw
doubleclick
cassava
avenue a, inc
adrevolver

Panda froze twice at around 10%.

Here is the Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Friday, March 16, 2007 8:35:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/03/2007
Kaspersky Anti-Virus database records: 282518
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
E:\
Scan Statistics:
Total number of scanned objects: 58232
Number of viruses found: 3
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:28
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\jessica\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\History\History.IE5\MSHist012007031620070317\index.dat Object is locked skipped
C:\Documents and Settings\jessica\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jessica\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jessica\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP111\A0035633.exe Infected: Trojan-PSW.Win32.WOW.ps skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP112\A0036148.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP130\A0036608.exe Infected: Trojan-PSW.Win32.WOW.ps skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037234.exe Infected: Backdoor.Win32.PoisonIvy.d skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037265.exe Infected: Backdoor.Win32.PoisonIvy.d skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

I messed up the BitDefender log; I saved it as a text document. If this is unreadable to you guys I can run it again; if not, here it is...

EDIT: I found a program to turn the HTML text into regular text, replacing the originally hard-to-read HTML.
BitDefender Online Scanner
Scan report generated at: Sat, Mar 17, 2007 - 03:28:30
Scan path: C:\;E:\;

Statistics
Time 02:46:02
Files 492251
Folders 5410
Boot Sectors 3
Archives 8267
Packed Files 57951

Results
Identified Viruses 1
Infected Files 2
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 2

Engines Info
Virus Definitions 405543
Engine build AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File - Status
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037234.exe - Detected with: Application.Poisonivy.A
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037234.exe - Disinfection failed
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037234.exe - Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037265.exe - Detected with: Application.Poisonivy.A
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037265.exe - Disinfection failed
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP138\A0037265.exe - Deleted


Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:42 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=EP420UA&product_full_name=Pavilion%20dv5000&PROD_SERIAL_ID=CND6070T5V&PURCH_DT_MONTH=08&PURCH_DT_DAY=07&PURCH_DT_YEAR=2006&gwCountry=US&language=EN&prodOS=011
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4985/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

Any help is greatly appreciated, Thanks in advance, Kyle.

Comments

  • edited March 2007
    What happened to all your startups?

    Download ComboScan to your Desktop.
    • Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
    Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
    Post the Comboscan.txt from the Comboscan into your next reply.
  • edited March 2007
    I ran BitDefender again so I could get a more readable report. It said I had no problems, but it sure looked like they weren't all removed earlier.

    ComboScan v20070306.20 run by jessica on 2007-03-17 at 09:40:19
    Computer is in Normal Mode.
    -- System Restore
    Successfully created ComboScan Restore Point.

    -- Last 5 Restore Point(s) --
    58: 2007-03-17 13:40:25 UTC - RP139 - ComboScan Restore Point
    57: 2007-03-16 07:01:19 UTC - RP138 - Software Distribution Service 2.0
    56: 2007-03-15 13:42:53 UTC - RP137 - System Checkpoint
    55: 2007-03-14 06:09:12 UTC - RP136 - System Checkpoint
    54: 2007-03-12 17:09:39 UTC - RP135 - Configured iTunes

    -- First Restore Point --
    1: 2006-12-17 18:17:45 UTC - RP82 - Software Distribution Service 2.0

    Performed disk cleanup.

    -- HijackThis (run as jessica.exe)
    Logfile of HijackThis v1.99.1
    Scan saved at 9:40:34 AM, on 3/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\jessica\Local Settings\Temporary Internet Files\Content.IE5\CPIBG5EB\comboscan[1].exe
    C:\PROGRA~1\HIJACK~1\jessica.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=EP420UA&product_full_name=Pavilion%20dv5000&PROD_SERIAL_ID=CND6070T5V&PURCH_DT_MONTH=08&PURCH_DT_DAY=07&PURCH_DT_YEAR=2006&gwCountry=US&language=EN&prodOS=011
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4985/mcfscan.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

    -- File Associations
    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1"
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    1R AmdK8 (AMD Processor Driver) - C:\WINDOWS\system32\drivers\AmdK8.sys
    3S Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
    3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
    3R BCM43XX (Broadcom 802.11 Network Adapter Driver) - C:\WINDOWS\system32\drivers\BCMWL5.SYS
    3R CAMCAUD (Conexant AMC Audio) - C:\WINDOWS\system32\drivers\camc6aud.sys
    3R CAMCHALA - C:\WINDOWS\system32\drivers\camc6hal.sys
    3S dot4 (MS IEEE-1284.4 Driver) - C:\WINDOWS\system32\drivers\Dot4.sys
    3S Dot4Print (Print Class Driver for IEEE-1284.4) - C:\WINDOWS\system32\drivers\Dot4Prt.sys
    3S Dot4Scan (Scan Class Driver for IEEE-1284.4) - C:\WINDOWS\system32\drivers\Dot4scan.sys
    3S dot4usb (Dot4USB Filter Dot4USB Filter) - C:\WINDOWS\system32\drivers\Dot4usb.sys
    1R eabfiltr - C:\WINDOWS\system32\drivers\eabfiltr.sys
    3S eabusb - C:\WINDOWS\system32\drivers\EabUsb.sys
    3R HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
    3R HSFHWATI - C:\WINDOWS\system32\drivers\HSFHWATI.sys
    3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
    2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
    3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
    3S NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
    0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
    2R pciinfo (HP Pci Information) - C:\DOCUME~1\jessica\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys (not found)
    0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
    3S Rasirda (WAN Miniport (IrDA)) - C:\WINDOWS\system32\drivers\rasirda.sys
    3R RTL8023xp (Realtek 10/100/1000 NIC Family all in one NDIS XP Driver) - C:\WINDOWS\system32\drivers\Rtlnicxp.sys
    3S SMCIRDA (SMC IrCC Miniport Device Driver) - C:\WINDOWS\system32\drivers\smcirda.sys
    0R sptd - C:\WINDOWS\system32\drivers\sptd.sys
    3R SynTP (Synaptics TouchPad Driver) - C:\WINDOWS\system32\drivers\SynTP.sys
    3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
    3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
    3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
    3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
    3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
    1R WmiAcpi (Microsoft Windows Management Interface for ACPI) - C:\WINDOWS\system32\drivers\wmiacpi.sys
    3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
    3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    4S Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
    4S dlbt_device - C:\WINDOWS\system32\dlbtcoms.exe -service
    3S hpqwmi (HP WMI Interface) - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    4S LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
    4S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    2R ZuneNetworkSvc (Zune Network Sharing Service) - "C:\Program Files\Zune\ZuneNss.exe"

    -- Files created between 2007-02-17 and 2007-03-17
    2007-03-16 20:36:49 0 d C:\WINDOWS\BDOSCAN8
    2007-03-16 18:53:58 0 d C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
    2007-03-16 18:32:47 0 d C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
    2007-03-16 18:30:56 0 d C:\Program Files\SpywareBlaster<SPYWAR~1>
    2007-03-16 18:17:25 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
    2007-03-16 16:15:25 0 d C:\WINDOWS\McAfee.com
    2007-03-09 03:34:25 0 d C:\Program Files\AC3Filter<AC3FIL~1>
    2007-03-08 18:11:13 0 d c- C:\WINDOWS\system32\DRVSTORE
    2007-03-08 18:11:13 0 d C:\Program Files\DIFX
    2007-03-08 18:11:07 0 d C:\Program Files\Common Files\ComponentOne<COMPON~1>
    2007-03-08 18:11:02 0 d C:\Program Files\Zune
    2007-03-06 02:12:46 2560 n--- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-03-06 02:12:46 2432 n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-03-06 02:12:45 129784 n--- C:\WINDOWS\system32\pxafs.dll
    2007-02-23 00:29:49 200704 --a C:\WINDOWS\system32\ssldivx.dll
    2007-02-23 00:29:49 1044480 --a C:\WINDOWS\system32\libdivx.dll
    2007-02-23 00:25:24 196608 --a C:\WINDOWS\system32\dtu100.dll
    2007-02-23 00:25:24 73728 --a C:\WINDOWS\system32\dpl100.dll
    2007-02-23 00:25:23 53248 --a C:\WINDOWS\system32\dpuGUI10.dll
    2007-02-23 00:25:22 57344 --a C:\WINDOWS\system32\dpv11.dll
    2007-02-23 00:25:22 344064 --a C:\WINDOWS\system32\dpus11.dll
    2007-02-23 00:25:22 593920 --a C:\WINDOWS\system32\dpuGUI11.dll
    2007-02-23 00:25:22 294912 --a C:\WINDOWS\system32\dpu11.dll
    2007-02-23 00:25:22 294912 --a C:\WINDOWS\system32\dpu10.dll
    2007-02-23 00:25:19 802816 --a C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
    2007-02-23 00:25:19 823296 --a C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
    2007-02-23 00:25:19 823296 --a C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
    2007-02-23 00:25:19 639066 --a C:\WINDOWS\system32\DivX.dll

    -- Find3M Report
    2007-03-16 14:24:02 0 d C:\Documents and Settings\jessica\Application Data\Azureus
    2007-03-12 13:10:01 0 d--h C:\Program Files\InstallShield Installation Information<INSTAL~1>
    2007-03-12 13:08:48 0 d C:\Program Files\InterActual<INTERA~1>
    2007-03-12 13:08:21 0 d C:\Program Files\Google
    2007-03-12 13:07:49 0 d C:\Program Files\DivX
    2007-03-12 12:54:17 0 d C:\Program Files\PacificPoker<PACIFI~1>
    2007-03-12 12:52:52 936 --a C:\Documents and Settings\jessica\Application Data\wklnhst.dat
    2007-03-09 01:33:25 0 d C:\Program Files\UltimateBet<ULTIMA~1>
    2007-03-08 18:12:46 0 d---s---- C:\Documents and Settings\jessica\Application Data\Microsoft<MICROS~1>
    2007-03-06 10:45:36 0 d C:\Program Files\World of Warcraft<WORLDO~1>
    2007-03-06 02:14:05 0 d C:\Program Files\Azureus
    2007-02-23 00:29:58 524288 --a C:\WINDOWS\system32\DivXsm.exe
    2007-02-23 00:29:56 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
    2007-02-23 00:29:52 118520 n--- C:\WINDOWS\system32\pxinsi64.exe
    2007-02-23 00:29:52 116472 n--- C:\WINDOWS\system32\pxcpyi64.exe
    2007-02-18 12:20:34 0 d C:\Program Files\PartyGaming<PARTYG~1>
    2007-02-15 21:40:35 124472 --a C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
    2007-02-13 16:30:45 0 d C:\Program Files\RegistrySmart<REGIST~1>
    2007-01-29 04:58:06 60416 n--- C:\WINDOWS\system32\tzchange.exe
    2006-12-19 17:52:18 134656 --a C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 14:16:47 333824 --a C:\WINDOWS\system32\wiaservc.dll

    -- Registry Dump

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
    "backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
    "item"="WinZip Quick Pick"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jessica^Start Menu^Programs^Startup^WordWeb.lnk]
    "path"="C:\\Documents and Settings\\jessica\\Start Menu\\Programs\\Startup\\WordWeb.lnk"
    "backup"="C:\\WINDOWS\\pss\\WordWeb.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\WordWeb\\wweb32.exe "
    "item"="WordWeb"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="atiptaxx"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cpqset"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="EabServr"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HP Wireless Assistant"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lsburnwatcher"
    "hkey"="HKLM"
    "command"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SynTPEnh"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WMCCFG"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WMPNSCFG"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ZuneLauncher"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Zune\\ZuneLauncher.exe\""
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=dword:00000002
    "ose"=dword:00000003
    "LightScribeService"=dword:00000002
    "iPodService"=dword:00000003
    "Ati HotKey Poller"=dword:00000002
    "SBService"=dword:00000002
    "navapsvc"=dword:00000002
    "LiveUpdate"=dword:00000003
    "ccSetMgr"=dword:00000002
    "ccPwdSvc"=dword:00000003
    "ccProxy"=dword:00000002
    "ccEvtMgr"=dword:00000002
    "Automatic LiveUpdate Scheduler"=dword:00000002
    "dlbt_device"=dword:00000003

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    -- End of ComboScan: finished at 2007-03-17 at 09:40:53
  • edited March 2007
    I found a program to fix the html text representation, I pasted that over the html in an edit of the original post. I do see that it looked like there were still viruses on my machine in that log even though a second run of BitDefender didn't find any so I ran Kaspersky again.

    The result confirmed I'm still infected, I cannot post the log, the forum is saying I am not allowed to post links yet :confused:
  • edited March 2007
    In an effort to remove these viruses I downloaded a trial version of Kaspersky, I completely updated it and it does not find the viruses that the free online scan reported!
  • edited March 2007
    What the online scan found is infected System Restore points. They are harmless unless of course you use the restore point.
    We can flush the restore points and those won't show up anymore.

    A question for you though, which Anti Virus are you using? I see signs of both McAfee and Nortons, you should only have one running at a time, currently you don't have one running at all :eek:

    Let's flush out your restore points

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    1. Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
    2. Restart your computer.
    3. Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check Turn off System Restore.
      • Click Apply, and then click OK.
    System Restore will now be active again.


    Rescan with either online scan and those should now be gone,

    Could you provide me with an uninstall list please


    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • You can click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please,

  • edited March 2007
    I don't know what McAfee would be on this machine, it came with a Norton suite on it that I deleted after it expired and the firewall kept giving me difficulties at the WoW forums. I have Kaspersky trial installed atm.

    Here's the list

    AC3Filter (remove only)
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Reader 6.0.1
    Ahead NeroVision Express
    Athlon 64 Processor Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Azureus
    Broadcom 802.11 Wireless LAN Adapter
    Conexant AC-Link Audio
    Dell Photo AIO Printer 922
    Detagger 2.4
    DivX Codec
    DivX Player
    Full Tilt Poker
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    Hijackthis 1.99.1
    HijackThis 1.99.1
    home box office Screen Saver
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB926239)
    HP Help and Support
    HP Software Update
    HP User Guides 0012
    HP Wireless Assistant 1.01 C1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 5
    Kaspersky Anti-Virus 6.0
    Kaspersky Anti-Virus 6.0
    Kaspersky Online Scanner
    LimeWire 4.12.6
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Money 2005
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    MSXML 4.0 SP2 (KB927978)
    MSXML 6.0 Parser (KB927977)
    muvee autoProducer 4.0 - SE
    Panda ActiveScan
    PartyPoker
    Quick Launch Buttons 5.20 D2
    QuickTime
    REALTEK Gigabit and Fast Ethernet NIC Driver
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Sid Meier's Civilization 4
    Sid Meier's Civilization 4 - Warlords
    Soft Data Fax Modem with SmartCP
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515 drivers.
    UltimateBet
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    Ventrilo Client
    Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
    Windows Installer 3.1 (KB893803)
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885464
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB888402
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892559
    WordWeb
    World of Warcraft
    Zone Deluxe Games
    Zune
  • edited March 2007
    Kaspersky online scan reports that I am clean.
  • edited March 2007
    kyleb wrote:
    Kaspersky online scan reports that I am clean.

    That's great news!
    I must point out that the use of p2p programs is the likely source of your malware problems. I recommend you remove them but the choice is yours, the program highlighted in Red.
    Also the programs highlighted in Green are sometimes bundled with malware. If you didn't install them go ahead and remove them, if not leave them alone.

    Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:


    LimeWire 4.12.6
    PartyPoker
    UltimateBet
    Full Tilt Poker

    I have Kaspersky trial installed atm
    Good job !

    Prevention Programs:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    Other necessary Programs:
    • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
    • Firewall <= A firewall is definitely a must have. A good free Firewall is ZoneLabs.
    • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
    And also see TonyKlein's good advice: So how did I get infected in the first place?


    Let me know how the computer is running
  • edited March 2007
    Thank you for all your help Oldguy2 :D
  • edited March 2007
    kyleb wrote:
    Thank you for all your help Oldguy2 :D


    You're very welcome, Glad I could help :D
  • Rahina-Rescue Finland
    edited March 2007
    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead :)
This discussion has been closed.