Infected with Win32/NSAnti



ahdrum
2008-01-16, 23:59
Every time I open a disk drive, AVG notifies me that I am infected with the Win32/NSAnti virus. It asks me to move it into the vault, but of course no matter how many times I do this it still comes up every time. Also, I cannot view my hidden files/folders. I just reformatted my computer 2 days ago too...crappy. Anyway, here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:47 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 9315 bytes

pskelley
2008-01-17, 15:02
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You should know how easy it is to get infected anymore:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

Read the directions, do not post a Kaspersky scan until I request it.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the ComboFix log and a new HJT log.

Thanks

ahdrum
2008-01-17, 23:50
ComboFix 08-01-18.1 - Houston 2008-01-17 14:40:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1484 [GMT -8:00]
Running from: S:\Programs\Programs after reformat\Cure\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 14:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 14:57 . 2008-01-16 14:57 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\Grisoft
2008-01-16 14:41 . 2008-01-16 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 14:17 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 14:02 . 2008-01-16 14:03 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-16 14:02 . 2008-01-16 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 03:36 . 2008-01-16 03:36 114,829 -r-hs---- C:\g2p3s.exe
2008-01-16 03:30 . 2008-01-16 03:30 <DIR> d-------- C:\Program Files\Common Files\ChaosGroup
2008-01-16 03:30 . 2008-01-16 03:30 <DIR> d-------- C:\Program Files\Chaos Group
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\WINDOWS\Sun
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\Program Files\Java
2008-01-15 21:04 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 21:02 . 2008-01-15 21:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-15 19:38 . 2006-06-22 14:29 1,413,424 -ra------ C:\WINDOWS\system32\drivers\lvpopflt.sys
2008-01-15 19:38 . 2008-01-15 19:40 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2008-01-15 19:32 . 2008-01-15 19:32 <DIR> d-------- C:\Program Files\Logitech
2008-01-15 19:32 . 2008-01-15 19:33 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-01-15 19:32 . 2008-01-15 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-15 19:29 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-01-15 17:53 . 2008-01-15 17:53 <DIR> d-------- C:\Program Files\Flash Movie Player
2008-01-15 16:00 . 2008-01-15 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-15 15:54 . 2008-01-15 15:54 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-01-15 15:52 . 2008-01-15 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-01-15 15:34 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-15 15:34 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-15 15:29 . 2008-01-15 15:29 <DIR> d-------- C:\Program Files\Bonjour
2008-01-15 15:25 . 2008-01-15 15:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-14 12:30 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-14 02:06 . 2008-01-14 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-14 01:59 . 2008-01-14 23:40 <DIR> d-------- C:\paracloud
2008-01-14 01:58 . 2008-01-14 01:58 <DIR> d-------- C:\Program Files\ParaCloud
2008-01-13 23:37 . 2008-01-13 23:37 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\DoneEx
2008-01-13 22:56 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-13 22:43 . 2008-01-13 22:43 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-01-13 22:36 . 2008-01-13 22:44 <DIR> d-------- C:\Program Files\AutoCAD 2007
2008-01-13 22:36 . 2008-01-13 22:36 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\Autodesk
2008-01-13 22:36 . 2008-01-13 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-13 22:35 . 2008-01-13 23:02 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-01-13 22:35 . 2008-01-13 23:01 <DIR> d-------- C:\Program Files\Autodesk
2008-01-13 22:17 . 2008-01-15 15:54 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-13 20:59 . 2008-01-13 20:59 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\MaxwellDotNetSdk
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MaxwellDotNET
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\MaxwellDotNET
2008-01-13 20:39 . 2008-01-13 20:39 <DIR> d-------- C:\Program Files\Next Limit
2008-01-13 20:36 . 2008-01-15 21:04 1,279 --a------ C:\WINDOWS\mozver.dat
2008-01-13 19:43 . 2008-01-13 19:43 <DIR> d-------- C:\Program Files\Common Files\McNeel Shared
2008-01-13 19:42 . 2008-01-13 19:43 <DIR> d-------- C:\Program Files\Rhinoceros 4.0
2008-01-13 19:42 . 2008-01-13 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McNeel
2008-01-13 17:11 . 2008-01-13 17:11 <DIR> d-------- C:\Program Files\allTunes
2008-01-13 17:11 . 2008-01-13 17:11 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\allTunes
2008-01-13 17:11 . 2008-01-13 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\allTunes
2008-01-13 17:10 . 2008-01-16 16:06 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\skypePM
2008-01-13 17:10 . 2008-01-16 17:51 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\Skype
2008-01-13 17:10 . 2008-01-13 17:10 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-13 17:09 . 2008-01-13 19:56 <DIR> d-------- C:\Program Files\Skype
2008-01-13 17:09 . 2008-01-13 17:09 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-13 17:09 . 2008-01-13 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-13 17:08 . 2008-01-13 17:08 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\acccore
2008-01-13 17:08 . 2008-01-13 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-13 17:08 . 2008-01-13 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-13 17:05 . 2008-01-13 17:05 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-13 17:05 . 2008-01-13 17:05 <DIR> d-------- C:\Program Files\Google
2008-01-13 17:05 . 2008-01-13 17:05 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-13 17:05 . 2008-01-13 17:08 <DIR> d-------- C:\Program Files\AIM6
2008-01-13 17:05 . 2008-01-13 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-13 17:01 . 2008-01-13 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-13 17:01 . 2008-01-13 17:08 1,097 --ah----- C:\IPH.PH
2008-01-13 16:16 . 2008-01-13 16:16 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-13 16:12 . 2008-01-13 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-13 16:08 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-13 16:08 . 2008-01-13 16:08 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-13 16:07 . 2008-01-13 16:07 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-13 16:07 . 2008-01-13 16:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-13 16:06 . 2008-01-13 16:06 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-13 16:04 . 2008-01-13 16:04 <DIR> dr-h----- C:\MSOCache
2008-01-13 15:29 . 2008-01-13 15:29 <DIR> d-------- C:\Program Files\CyberLink
2008-01-13 15:29 . 2008-01-13 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-13 15:26 . 2008-01-13 15:27 <DIR> d-------- C:\Program Files\HP
2008-01-13 15:26 . 2008-01-13 15:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-13 15:25 . 2008-01-13 15:27 101,571 --a------ C:\WINDOWS\hpdj6800.his
2008-01-13 15:25 . 2008-01-13 15:27 13,642 --a------ C:\WINDOWS\hpdj6800.ini
2008-01-13 15:24 . 2008-01-13 15:28 23,083 --a------ C:\WINDOWS\hpf6800m.his
2008-01-13 15:24 . 2008-01-13 15:28 5,412 --a------ C:\WINDOWS\hpf6800m.ini
2008-01-13 15:19 . 2008-01-13 15:19 <DIR> d-------- C:\Program Files\Nero
2008-01-13 15:19 . 2008-01-13 15:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-13 14:56 . 2008-01-13 14:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-13 14:55 . 2008-01-13 14:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-13 14:55 . 2008-01-13 14:55 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-13 14:36 . 2008-01-13 14:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-13 14:29 . 2008-01-13 14:29 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-13 14:07 . 2008-01-13 14:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 14:07 . 2008-01-16 17:51 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\AVG7
2008-01-13 14:07 . 2008-01-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 14:07 . 2008-01-16 03:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Program Files\iTunes
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Program Files\iPod
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Documents and Settings\Houston\Application Data\Apple Computer
2008-01-13 14:06 . 2008-01-13 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 22:12 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-13 22:07 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-13 22:07 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-13 20:58 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-14 19:20 2,686,232 ----a-w C:\vcredist_x86.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 10:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-25 15:25 737369]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 14:07 579072]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34 614960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 14:07 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 01:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-03-29 22:14 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 13:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-18 09:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-06-25 16:32 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-06-26 09:46 497200 C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-26 10:33 243248 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-09-16 14:01 557056 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)
"ose"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-07-20 13:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e842206-c409-11dc-947b-00030d4a4729}]
\Shell\AutoRun\command - E:\g2p3s.exe
\Shell\explore\Command - E:\g2p3s.exe
\Shell\open\Command - E:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93483230-c2df-11dc-9476-00030d4a4729}]
\Shell\AutoRun\command - E:\g2p3s.exe
\Shell\explore\Command - E:\g2p3s.exe
\Shell\open\Command - E:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93483240-c2df-11dc-9476-00030d4a4729}]
\Shell\AutoRun\command - E:\g2p3s.exe
\Shell\explore\Command - E:\g2p3s.exe
\Shell\open\Command - E:\g2p3s.exe

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 14:44:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 14:46:55
ComboFix-quarantined-files.txt 2008-01-18 22:46:48
.
2008-01-14 19:03:38 --- E O F ---

ahdrum
2008-01-17, 23:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:47 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8781 bytes

pskelley
2008-01-18, 00:27
Remove combofix from your computer, be sure to delete C:\qoobox\quarantine\ folder.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. Tell me about any malware issues also.

Thanks

ahdrum
2008-01-18, 05:40
Sorry, maybe I just can't find it, but I don't see anything about an online scanner on that site. All I see is "download free scanner"... I did that, but I didn't know what to do after that. Did you mean to download the program?

pskelley
2008-01-18, 13:06
When you click on this link: http://www.kaspersky.com/virusscanner
Just above the large box with the green border and to the left of this information:

The Kaspersky Online Virus Scanner uses Microsoft ActiveX technologies to scan your computer for malicious code and offers the same exceptional detection rates as other Kaspersky Lab products.
is a button with a small microscope and the words Kaspersky Online Scanner in it. A click on that button will take you here:
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Thanks

ahdrum
2008-01-18, 21:09
Do you mean the Kaspersky file scanner? I don't see a large box with a green border, or anything that mentions anything that you are talking about... maybe they changed the site since you last viewed it? I am using IE 7 and Firefox 2.0; they are the most updated of each browser. Everything on this page is about Kaspersky SOS, which is a downloaded program.

pskelley
2008-01-18, 21:17
Trying to comprehend, what country are you in? In this link:
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

the top line says in bold print:

"Welcome to the Kaspersky Online Scanner! Use it to scan your PC for viruses and other malware for free"

If you are in another country, google for free online Kaspersky scan

http://www.google.com/search?hl=en&q=free+online+Kaspersky+scan&btnG=Google+Search

Are you having any issues? Perhaps we will try another scanner if you can't locate this one.

Thanks

ahdrum
2008-01-18, 22:59
OK, I figured it out; not sure why I wasn't able to see it before, but it works now. Anyway, 1 virus, 4 infected files.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 1:57:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 488677
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 170674
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:06:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\history.dat Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\key3.db Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\ybookmarks@yahoo.log Object is locked skipped
C:\Documents and Settings\Houston\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Houston\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Houston\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\g2p3s.exe Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000007.exe Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000008.dll Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000009.dll Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP4\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
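
As an added example (not from this thread, and not Kaspersky's code), here is a small Python parser for the Kaspersky Online Scanner report format posted above. It separates real detections from the "Object is locked skipped" noise, checks the parsed detection lines against the report's own "Number of infected objects" counter, and splits detections into live files that must be removed by hand and restore-point copies under System Volume Information that go away when System Restore is turned off and back on. The embedded report is a constructed excerpt of the log above, and the helper names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the Kaspersky Online Scanner 5.x report format posted in
# this thread (a few lines chosen from the log above, not the complete report).
SAMPLE_REPORT = r"""Scan Statistics:
Total number of scanned objects: 170674
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Houston\NTUSER.DAT Object is locked skipped
C:\g2p3s.exe Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000007.exe Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000008.dll Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP2\A0000009.dll Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# One report line per object: "<path> Infected: <detection> <action>" for a hit,
# "<path> Object is locked <action>" for a file the scanner could not open.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
STAT_RE = re.compile(r"^Number of (?P<what>viruses found|infected objects|suspicious objects): (?P<n>\d+)$")
# Copies kept by System Restore under _restore{GUID}\RPn are not live files.
RESTORE_POINT_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    detection: str
    action: str

    def in_restore_point(self) -> bool:
        return RESTORE_POINT_RE.match(self.path) is not None


@dataclass
class ScanSummary:
    stats: dict = field(default_factory=dict)     # the report's own counters
    findings: list = field(default_factory=list)  # Finding objects
    locked: list = field(default_factory=list)    # paths skipped as locked

    def consistent(self) -> bool:
        """True when 'Number of infected objects' matches the detection lines
        actually parsed (a truncated paste of the report breaks this)."""
        claimed = self.stats.get("infected objects")
        return claimed is None or claimed == len(self.findings)


def parse_report(text: str) -> ScanSummary:
    """Parse a Kaspersky Online Scanner text report into counters and findings."""
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := STAT_RE.match(line)):
            summary.stats[m["what"]] = int(m["n"])
        elif (m := INFECTED_RE.match(line)):
            summary.findings.append(Finding(m["path"], m["detection"], m["action"]))
        elif (m := LOCKED_RE.match(line)):
            summary.locked.append(m["path"])
    return summary


def triage(summary: ScanSummary) -> dict:
    """Split detections the way the helper in this thread does: live files need
    manual removal, restore-point copies are cleared by turning System Restore
    off and back on, and locked-and-skipped objects are not detections at all."""
    live = [f for f in summary.findings if not f.in_restore_point()]
    archived = [f for f in summary.findings if f.in_restore_point()]
    return {
        "delete_manually": sorted({f.path for f in live}),
        "cleared_by_restore_reset": sorted({f.path for f in archived}),
        "detections": sorted({f.detection for f in summary.findings}),
        "skipped_locked": len(summary.locked),
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("report counters match parsed lines:", report.consistent())
    for key, value in triage(report).items():
        print(f"{key}: {value}")
```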

pskelley
2008-01-18, 23:12
Thanks for returning the Kaspersky scan, please do this.
C:\g2p3s.exe <<< delete that file

Empty the Recycle Bin on your Desktop and restart the computer, then follow these directions.

MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

If you follow those directions, the next Kaspersky scan will be clean and I do not need to see a clean scan result.

Here is the information about "Recovery Console" for your benefit.
How to install and use the Recovery Console in Windows XP
http://support.microsoft.com/kb/307654
http://www.bleepingcomputer.com/tutorials/tutorial117.html#install

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ahdrum
2008-01-18, 23:35
When I open the C: drive, I don't see g2p3s.exe.

pskelley
2008-01-18, 23:41
This is where Kaspersky says that item is located:
C:\g2p3s.exe ------> Trojan-PSW.Win32.OnLineGames.opo

Making sure all files and folders are enabled, use Search to locate the file.

Start > Search > All Files and Folder > Copy/Paste
C:\g2p3s.exe into the box and click search. It may take a while, there are a lot of files.

Thanks

ahdrum
2008-01-18, 23:56
I searched for the file on the C: drive, and it found one file:

C:\WINDOWS\Prefetch G2P3S.EXE-2318A42A.pf

Is this the file that I should delete?

pskelley
2008-01-19, 00:29
Delete that file, won't be the first time junk has hidden in the Prefetch folder.

Thanks

ahdrum
2008-01-19, 02:53
This time it said 1 virus, 1 infected file.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 5:50:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 488869
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 170214
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:06:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\history.dat Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\key3.db Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Houston\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\ybookmarks@yahoo.log Object is locked skipped
C:\Documents and Settings\Houston\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Application Data\Mozilla\Firefox\Profiles\mb7afbxh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Houston\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Houston\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Houston\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\g2p3s.exe Infected: Trojan-PSW.Win32.OnLineGames.opo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{20D5AA1F-85D9-44DD-9913-3371F62EC146}\RP1\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

ahdrum
2008-01-19, 03:00
I looked through the log and saw that it was the same file that I needed to delete. This time I searched for it, and I could not find it. Is it actually possible to remove this virus? Also, I wanted to ask your opinion on how it got onto my system. I noticed that several other people on the school network at my college have it too; is it possible that it spread over the network, even though I have AVG Free and Windows Firewall (although I realize this isn't the greatest firewall)? One more question... how bad of a virus is this actually?

ahdrum
2008-01-19, 09:56
Thank you for the help... I decided to just go ahead and reformat again. Thanks, I appreciate your time.

pskelley
2008-01-19, 11:49
According to Kaspersky, this item: C:\g2p3s.exe is still on the computer.
Here is what Kaspersky says it is:
Number of items = 1
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
C:\g2p3s.exe ------> Trojan-PSW.Win32.OnLineGames.opo

Here is some information at Google:
http://www.google.com/search?hl=en&q=Trojan-PSW.Win32.OnLineGames.opo&btnG=Search
http://www.google.com/search?hl=en&q=g2p3s.exe&btnG=Google+Search

Understand that I cannot locate and delete the item for you; you must do that.
"is it possible that it spread over the network"
If it is a closed network, and one computer gets infected, it is likely they all will.

Here is some information that may answer your questions:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Information about reformatting:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm