
Thread: win32.tdss.rtk

  1. #1
    Junior Member pool_player65
    Join Date
    May 2009
    Posts
    11

    win32.tdss.rtk

    Hello and thanks for your time. I'm at my wit's end because of this virulent win32.tdss.rtk. I copied and pasted my HijackThis log; I downloaded ERUNT and saved the file on my desktop. I await further instruction.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:09:55 AM, on 5/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-4026835802-157531593-2750893614-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-4026835802-157531593-2750893614-500\..\RunOnce: [SpybotDeletingB5928] command.com /c del "C:\WINDOWS\system32\ovfsthjnxdcatojbyikgssdvomlloyxvtmrbqq.dll_old" (User 'Administrator')
    O4 - HKUS\S-1-5-21-4026835802-157531593-2750893614-500\..\RunOnce: [SpybotDeletingB4122] command.com /c del "C:\WINDOWS\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll_old" (User 'Administrator')
    O4 - HKUS\S-1-5-21-4026835802-157531593-2750893614-500\..\RunOnce: [SpybotDeletingD3422] cmd.exe /c del "C:\WINDOWS\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll_old" (User 'Administrator')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.tvfreeload.com
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238530204328
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSC...ws-i586-jc.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\dahogemu.dll C:\WINDOWS\system32\duduhahi.dll C:\WINDOWS\system32\rimuwuka.dll c:\windows\system32\desoyahi.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    --
    End of file - 8008 bytes
    Last edited by tashi; 2009-05-04 at 16:57. Reason: Moved from Spybot-S&D Support ;-)

  2. #2
    Emeritus - Malware Team Bio-Hazard
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Hello and welcome to the forums!

    My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:

    • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • If you don't know or understand something please don't hesitate to ask.
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.

    No Reply Within 5 Days Will Result In Your Topic Being Closed!!

    Download and Run ComboFix

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

    IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

    Please continue as follows:

    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.

    Next Reply

    Please reply with:

    • ComboFix log (found at C:\Combofix.txt)
    • New HijackThis log
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  3. #3
    Junior Member pool_player65
    Join Date
    May 2009
    Posts
    11

    Quote Originally Posted by Bio-Hazard (post #2 above, quoted in full)
    Thanks for your help! My laptop was preloaded with WMC XP Home and I don't know if Windows Recovery Console is installed. I have no installation disks for it. Please recommend the next course of action, because I don't trust my infected computer's browser.

    I have downloaded ComboFix to my desktop and I printed its instructions.

  4. #4
    Junior Member pool_player65
    Join Date
    May 2009
    Posts
    11

    ComboFix and HijackThis logs as requested:

    ComboFix 09-05-03.6 - Darlene 05/04/2009 23:21.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.633 [GMT -7:00]
    Running from: c:\documents and settings\Darlene\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090504-1] *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\afnoinkdsfe.dll
    c:\windows\system32\ak1.exe
    c:\windows\system32\p2hhr.bat
    c:\windows\Temp\2377548520.exe
    c:\windows\Temp\2442236020.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
    .

    2009-05-05 00:34 . 2009-05-05 00:34 -------- d-----w c:\program files\Common Files\Hewlett-Packard
    2009-05-05 00:32 . 2009-05-05 00:33 -------- d-----w c:\program files\Hewlett-Packard
    2009-05-05 00:31 . 2009-05-05 00:34 20706 ----a-w c:\windows\hpoins01.dat
    2009-05-05 00:31 . 2002-12-02 23:17 16618 ------w c:\windows\hpomdl01.dat
    2009-05-05 00:22 . 2008-04-13 19:47 25856 ----a-w c:\windows\system32\dllcache\usbprint.sys
    2009-05-05 00:22 . 2008-04-13 19:47 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
    2009-05-05 00:19 . 2008-04-13 19:45 32128 ----a-w c:\windows\system32\dllcache\usbccgp.sys
    2009-05-05 00:19 . 2008-04-13 19:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
    2009-05-02 20:20 . 2009-05-02 20:20 -------- d-----w c:\program files\ERUNT
    2009-05-02 20:01 . 2009-05-02 20:01 -------- d-----w c:\program files\Trend Micro
    2009-05-02 09:51 . 2009-05-02 09:51 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-04-30 22:57 . 2009-04-30 22:57 -------- d-----w c:\program files\Common Files\Adobe AIR
    2009-04-30 22:31 . 2009-04-30 22:31 -------- d-----w c:\program files\NOS
    2009-04-30 22:31 . 2009-04-30 22:31 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
    2009-04-30 21:27 . 2009-04-30 21:27 520192 ----a-w c:\windows\system32\Corner Gas Screen Saver.scr
    2009-04-30 21:27 . 2009-04-30 21:27 -------- d-----w c:\windows\system32\Corner Gas Screen Saver dir
    2009-04-29 04:45 . 2009-04-29 04:45 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Identities
    2009-04-28 18:51 . 2009-04-28 18:51 -------- d-----w c:\program files\uTorrent
    2009-04-28 18:51 . 2009-04-28 18:57 -------- d-----w c:\documents and settings\Darlene\Application Data\uTorrent
    2009-04-28 17:34 . 2009-04-28 17:34 -------- d-----w c:\program files\Alwil Software
    2009-04-15 03:24 . 2009-04-15 03:24 -------- d-----w c:\windows\system32\XPSViewer
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w c:\program files\MSBuild
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w c:\program files\Reference Assemblies
    2009-04-15 03:23 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
    2009-04-15 03:23 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-04-15 03:23 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-04-15 03:23 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
    2009-04-15 03:23 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
    2009-04-15 03:23 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
    2009-04-15 03:23 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w C:\20be88bd4b237cbfab
    2009-04-15 02:21 . 2009-04-15 02:21 -------- d-----w c:\documents and settings\Darlene\Application Data\AdobeUM
    2009-04-14 19:08 . 2009-04-15 18:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-14 19:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-14 19:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-14 19:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 19:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-14 19:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 19:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 19:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 19:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 19:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 19:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 18:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-14 18:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 17:43 . 2009-04-14 17:43 66152 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-14 08:43 . 2009-04-14 08:43 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-04-14 05:08 -------- d-----w c:\documents and settings\Darlene\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-14 05:08 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-14 05:08 . 2009-04-14 05:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-05-04 06:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-13 03:09 . 2009-04-13 03:10 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-04-13 03:09 . 2009-04-13 03:09 -------- d-----w c:\program files\DVD Shrink
    2009-04-12 22:40 . 2009-04-12 22:40 -------- d-----w c:\documents and settings\Darlene\Application Data\Red Kawa
    2009-04-12 20:39 . 2009-04-12 20:39 -------- d-----w c:\program files\Regensoft
    2009-04-12 20:38 . 2009-04-12 20:38 -------- d-----w c:\program files\Red Kawa
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\program files\iPod
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\program files\iTunes
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-12 18:15 . 2008-04-17 19:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
    2009-04-12 18:15 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-04-11 20:53 . 2009-04-11 20:53 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2009-04-09 22:07 . 2009-04-09 22:07 -------- d-----w c:\program files\CCleaner
    2009-04-09 19:44 . 2009-04-09 19:58 -------- d-----w c:\program files\Common Files\Solveig Multimedia
    2009-04-09 19:44 . 2009-04-09 19:44 -------- d-----w c:\program files\Solveig Multimedia
    2009-04-09 05:55 . 2009-04-09 06:48 -------- d-----w c:\program files\Common Files\ParetoLogic
    2009-04-09 05:55 . 2009-04-09 05:55 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Downloaded Installations
    2009-04-09 02:33 . 2009-04-09 02:33 -------- d-----w c:\documents and settings\Darlene\Application Data\ImgBurn
    2009-04-09 02:00 . 2009-04-09 02:01 -------- d-----w c:\program files\ImgBurn
    2009-04-08 10:35 . 2009-04-08 10:35 -------- d-----w c:\program files\AviSynth 2.5
    2009-04-08 10:33 . 2009-04-09 06:43 -------- d-----w c:\program files\Avi2Dvd
    2009-04-08 07:56 . 2009-04-08 08:26 -------- d-----w c:\documents and settings\Darlene\.housecall6.6
    2009-04-08 06:31 . 2009-05-02 06:53 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-08 06:31 . 2009-04-28 18:26 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-04-07 21:39 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-07 21:38 . 2009-04-07 21:38 -------- d-----w c:\program files\Panda Security
    2009-04-07 20:11 . 2009-04-08 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-07 18:06 . 2009-04-30 22:31 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Adobe
    2009-04-07 18:06 . 2009-04-07 18:06 -------- d-----w c:\program files\Common Files\Adobe
    2009-04-06 22:21 . 2009-04-06 22:24 148 ----a-w c:\documents and settings\Darlene\Application Data\wklnhst.dat
    2009-04-05 18:20 . 2009-04-05 18:20 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-04-05 18:03 . 2008-10-16 21:06 208744 ----a-w c:\windows\system32\muweb.dll
    2009-04-05 18:03 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-15 03:33 . 2009-03-31 17:59 66152 ----a-w c:\documents and settings\Darlene\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-12 18:27 . 2009-04-03 21:06 -------- d-----w c:\program files\Common Files\Apple
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Microsoft
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Windows Live
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-04-05 00:05 . 2009-04-05 00:05 -------- d-----w c:\program files\Common Files\Windows Live
    2009-04-03 21:06 . 2009-04-03 21:06 -------- d-----w c:\program files\QuickTime
    2009-04-03 21:06 . 2009-04-03 21:06 -------- d-----w c:\program files\Apple Software Update
    2009-04-03 08:48 . 2009-03-31 17:57 130 ----a-w c:\documents and settings\Darlene\Local Settings\Application Data\fusioncache.dat
    2009-04-03 07:06 . 2009-04-03 07:06 -------- d-----w c:\program files\RMVB Converter
    2009-04-03 06:50 . 2009-04-03 06:50 -------- d-----w c:\program files\Real Alternative
    2009-04-03 06:48 . 2005-11-01 00:08 -------- d-----w c:\program files\Common Files\Real
    2009-04-02 02:13 . 2009-04-02 02:13 -------- d-----w c:\program files\K-Lite Codec Pack
    2009-04-02 01:40 . 2009-04-02 01:40 -------- d-----w c:\program files\Windows Media Components
    2009-04-02 01:20 . 2009-04-02 01:20 -------- d-----w c:\program files\Windows Media Connect 2
    2009-04-01 06:01 . 2009-04-01 06:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-04-01 06:01 . 2005-11-01 00:02 -------- d-----w c:\program files\Java
    2009-04-01 05:54 . 2009-04-01 05:54 -------- d-----w c:\program files\AVG
    2009-04-01 01:22 . 2005-11-01 00:09 -------- d-----w c:\program files\MUSICMATCH
    2009-03-31 21:15 . 2009-03-31 21:15 -------- d-----w c:\program files\MSXML 4.0
    2009-03-31 20:52 . 2005-08-16 10:41 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-03-31 19:57 . 2005-11-01 00:03 -------- d-----w c:\program files\Intel
    2009-03-31 18:16 . 2005-08-17 02:58 -------- d-----w c:\program files\RGB
    2009-03-31 18:07 . 2005-11-01 00:06 -------- d-----w c:\program files\Modem Helper
    2009-03-31 18:07 . 2005-11-01 00:07 -------- d-----w c:\program files\Common Files\AOL
    2009-03-10 12:46 . 2009-03-10 12:46 126976 ----a-w c:\windows\XviDplg.dll
    2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-06 06:59 . 2009-04-03 21:06 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2009-03-06 06:59 . 2009-04-03 21:06 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
    2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
    2009-03-02 18:10 . 2008-12-08 12:53 67584 ----a-w c:\windows\system32\ff_vfw.dll
    2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-08 02:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-07 01:52 . 2009-02-07 01:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2005-08-16 10:18 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

    c:\documents and settings\Darlene\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-31 24576]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
    HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\zq7qzv7f4.exe
    HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\2442236020.exe
    SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sympatico.msn.ca/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
    Trusted Zone: tvfreeload.com
    FF - ProfilePath - c:\documents and settings\Darlene\Application Data\Mozilla\Firefox\Profiles\bv024wqq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-04 23:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\drivers\ovfsthwwbwrtqlbyiwsfiwunkxxfiastkkdapd.sys 83968 bytes executable
    c:\docume~1\Darlene\LOCALS~1\Temp\ovfsthx000 0 bytes
    c:\windows\system32\ovfsthchykrorudujdalyfvipkreabdmtoncfv.dat 17737 bytes
    c:\windows\system32\ovfsthhvbqaruubokyqwggenqadmxjtbrqbtri.dll 18432 bytes executable
    c:\windows\system32\ovfsthjnxdcatojbyikgssdvomlloyxvtmrbqq.dll 18944 bytes executable
    c:\windows\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll 60928 bytes executable
    c:\windows\system32\ovfsthqptowhjceijfpbwmlajckecwoeixelub.dat 43 bytes

    scan completed successfully
    hidden files: 7

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthptnqtjxbrvsvdboptasrpnmqbmqhxtqs]
    "imagepath"="\systemroot\system32\drivers\ovfsthwwbwrtqlbyiwsfiwunkxxfiastkkdapd.sys"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3432)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Apoint\ApntEx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\msiexec.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-05 23:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-05 06:28

    Pre-Run: 58,261,073,920 bytes free
    Post-Run: 58,367,819,776 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    266 --- E O F --- 2009-04-28 18:58


    Hijackthis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:31:08 PM, on 5/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.tvfreeload.com
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238530204328
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSC...ws-i586-jc.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    --
    End of file - 6229 bytes


    I may have blundered. I saved the ComboFix and post-ComboFix HijackThis logs, and I did notice my internet connection was lagging when my Avast program detected the god-awful malware. Moments before, I was uncertain as to whether or not I should stop on-access protection, when one thing happened after another.

    My Dell Inspiron 6000 rebooted, Chkdsk corrected and repaired orphaned items and a few things I can't remember, and then Avast went through its thing and I deleted whatever items it brought to my attention. I made some notes during the Avast scan, such as Win32:Alureon-v [Trj] and Win32:Alureon-AM [Rtk].

    I felt so vulnerable when I was debating as to whether or not I should stop on-access protection. Should I do combofix again??

  5. #5
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592


    Should I do combofix again??
    No, just follow my next set of instructions.


    Disconnect from the internet before doing this fix.


    Run CFScript


    • Close any open browsers.
    • Open Notepad by clicking Start
    • Click Run
    • Type notepad into the box and press Enter
    • Notepad will open
    • Copy and Paste everything from the Code box into Notepad:



    Code:
    File::
    c:\windows\XviDplg.dll
    c:\documents and settings\Darlene\Local Settings\Application Data\fusioncache.dat
    
    Folder::
    c:\program files\uTorrent
    c:\documents and settings\Darlene\Application Data\uTorrent
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
    [-HKEY_CLASSES_ROOT\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    Rootkit::
    c:\windows\system32\drivers\ovfsthwwbwrtqlbyiwsfiwunkxxfiastkkdapd.sys
    c:\docume~1\Darlene\LOCALS~1\Temp\ovfsthx000
    c:\windows\system32\ovfsthchykrorudujdalyfvipkreabdmtoncfv.dat
    c:\windows\system32\ovfsthhvbqaruubokyqwggenqadmxjtbrqbtri.dll
    c:\windows\system32\ovfsthjnxdcatojbyikgssdvomlloyxvtmrbqq.dll
    c:\windows\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll
    c:\windows\system32\ovfsthqptowhjceijfpbwmlajckecwoeixelub.dat
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001]
    Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)





    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt

    NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Next Reply

    Please reply with:

    • ComboFix log (found at C:\Combofix.txt)
    • New HijackThis log
    MRU Master of Malware Removal University

    Member of UNITE and ASAP
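    The CFScript above tells ComboFix which hidden files to remove; the way to confirm it worked is to compare the catchme "hidden files" section of the log produced before the fix with the one produced after it. The script below is an added example written for this thread, not part of ComboFix or of the helper's instructions. It assumes the log layout seen in the scans posted here (a "catchme" header, a "scanning hidden files ..." line, one "path SIZE bytes [executable]" line per hit, "scan completed successfully" and "hidden files: N"), and the sample inputs are constructed from the thread's own catchme sections and Rootkit:: block rather than being complete logs.

```python
import re
from typing import Dict, List, Tuple

# One catchme hidden-file line: "<path> <size> bytes[ executable]".
HIDDEN_FILE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe> executable)?$")

# Constructed sample inputs, trimmed to the catchme sections of the two
# scans posted in this thread and to part of the CFScript. Not full logs.
PRE_FIX_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 23:25
scanning hidden files ...
c:\windows\system32\drivers\ovfsthwwbwrtqlbyiwsfiwunkxxfiastkkdapd.sys 83968 bytes executable
c:\docume~1\Darlene\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthchykrorudujdalyfvipkreabdmtoncfv.dat 17737 bytes
c:\windows\system32\ovfsthhvbqaruubokyqwggenqadmxjtbrqbtri.dll 18432 bytes executable
c:\windows\system32\ovfsthjnxdcatojbyikgssdvomlloyxvtmrbqq.dll 18944 bytes executable
c:\windows\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll 60928 bytes executable
c:\windows\system32\ovfsthqptowhjceijfpbwmlajckecwoeixelub.dat 43 bytes
scan completed successfully
hidden files: 7
"""

POST_FIX_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 17:26
scanning hidden files ...
scan completed successfully
hidden files: 0
"""

CFSCRIPT = r"""
File::
c:\windows\XviDplg.dll

Rootkit::
c:\windows\system32\drivers\ovfsthwwbwrtqlbyiwsfiwunkxxfiastkkdapd.sys
c:\docume~1\Darlene\LOCALS~1\Temp\ovfsthx000
c:\windows\system32\ovfsthchykrorudujdalyfvipkreabdmtoncfv.dat
c:\windows\system32\ovfsthhvbqaruubokyqwggenqadmxjtbrqbtri.dll
c:\windows\system32\ovfsthjnxdcatojbyikgssdvomlloyxvtmrbqq.dll
c:\windows\system32\ovfsthmivjvyhlupirqilpwqughtycowusyqpw.dll
c:\windows\system32\ovfsthqptowhjceijfpbwmlajckecwoeixelub.dat

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001]
"""


def parse_catchme(log: str) -> Dict[str, object]:
    """Extract the hidden-file hits and the scanner's own count from a ComboFix log."""
    lines = [line.strip() for line in log.splitlines()]
    if not any(line.startswith("catchme ") for line in lines):
        raise ValueError("no catchme section in this log")
    hits: List[Tuple[str, int, bool]] = []
    reported, completed, in_files = None, False, False
    for s in lines:
        if s == "scanning hidden files ...":
            in_files = True
        elif s == "scan completed successfully":
            completed, in_files = True, False
        elif s.startswith("hidden files:"):
            reported = int(s.split(":", 1)[1])
            break
        elif in_files and s:
            m = HIDDEN_FILE_RE.match(s)
            if m:  # NTFS is case-insensitive, so paths are compared lower-cased
                hits.append((m["path"].lower(), int(m["size"]), m["exe"] is not None))
    return {"hidden_files": hits, "reported_count": reported, "completed": completed,
            # A count that disagrees with the entries means the paste was truncated.
            "consistent": reported is not None and reported == len(hits)}


def cfscript_section(script: str, name: str) -> List[str]:
    """Return the entries listed under the 'Name::' header of a CFScript."""
    entries, active = [], False
    for line in script.splitlines():
        s = line.strip()
        if re.fullmatch(r"[A-Za-z]+::", s):
            active = s == f"{name}::"
        elif active and s:
            entries.append(s.lower())
    return entries


def verify_cleanup(pre_log: str, post_log: str, script: str) -> Dict[str, object]:
    """Compare pre- and post-fix scans against the Rootkit:: targets of the script."""
    pre, post = parse_catchme(pre_log), parse_catchme(post_log)
    targets = set(cfscript_section(script, "Rootkit"))
    pre_paths = {p for p, _, _ in pre["hidden_files"]}
    post_paths = {p for p, _, _ in post["hidden_files"]}
    return {
        "targets_seen_before": sorted(targets & pre_paths),
        "targets_not_in_pre_scan": sorted(targets - pre_paths),  # typo in the script?
        "still_hidden": sorted(targets & post_paths),            # fix did not take
        "new_hidden": sorted(post_paths - pre_paths),            # something reappeared
        "post_scan_clean": post["completed"] and post["consistent"] and post["reported_count"] == 0,
    }


if __name__ == "__main__":
    print(verify_cleanup(PRE_FIX_LOG, POST_FIX_LOG, CFSCRIPT))
```

    Three of the fields are the ones worth reading: "still_hidden" lists Rootkit:: targets catchme can still see after the fix, "new_hidden" lists files that were not hidden before but are now, and "consistent" being false on either log means the pasted scan was cut short and should be re-posted in full before drawing any conclusion.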

  6. #6
    Junior Member pool_player65
    Join Date
    May 2009
    Posts
    11


    Combofix and Hijackthis logs as requested,

    ComboFix 09-05-03.6 - Darlene 05/05/2009 17:22.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.642 [GMT -7:00]
    Running from: c:\documents and settings\Darlene\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Darlene\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090505-0] *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\documents and settings\Darlene\Local Settings\Application Data\fusioncache.dat
    c:\windows\XviDplg.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Darlene\Application Data\uTorrent
    c:\documents and settings\Darlene\Application Data\uTorrent\dht.dat
    c:\documents and settings\Darlene\Application Data\uTorrent\resume.dat
    c:\documents and settings\Darlene\Application Data\uTorrent\resume.dat.old
    c:\documents and settings\Darlene\Application Data\uTorrent\rss.dat
    c:\documents and settings\Darlene\Application Data\uTorrent\settings.dat
    c:\documents and settings\Darlene\Application Data\uTorrent\settings.dat.old
    c:\documents and settings\Darlene\Local Settings\Application Data\fusioncache.dat
    c:\program files\uTorrent
    c:\program files\uTorrent\uTorrent.exe
    c:\windows\system32\ovfsthchykrorudujdalyfvipkreabdmtoncfv.dat
    c:\windows\system32\ovfsthqptowhjceijfpbwmlajckecwoeixelub.dat
    c:\windows\XviDplg.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
    .

    2009-05-05 00:34 . 2009-05-05 00:34 -------- d-----w c:\program files\Common Files\Hewlett-Packard
    2009-05-05 00:32 . 2009-05-05 00:33 -------- d-----w c:\program files\Hewlett-Packard
    2009-05-05 00:31 . 2009-05-05 00:34 20706 ----a-w c:\windows\hpoins01.dat
    2009-05-05 00:31 . 2002-12-02 23:17 16618 ------w c:\windows\hpomdl01.dat
    2009-05-05 00:22 . 2008-04-13 19:47 25856 ----a-w c:\windows\system32\dllcache\usbprint.sys
    2009-05-05 00:22 . 2008-04-13 19:47 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
    2009-05-05 00:19 . 2008-04-13 19:45 32128 ----a-w c:\windows\system32\dllcache\usbccgp.sys
    2009-05-05 00:19 . 2008-04-13 19:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
    2009-05-02 20:20 . 2009-05-02 20:20 -------- d-----w c:\program files\ERUNT
    2009-05-02 20:01 . 2009-05-02 20:01 -------- d-----w c:\program files\Trend Micro
    2009-05-02 09:51 . 2009-05-02 09:51 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-04-30 22:57 . 2009-04-30 22:57 -------- d-----w c:\program files\Common Files\Adobe AIR
    2009-04-30 22:31 . 2009-04-30 22:31 -------- d-----w c:\program files\NOS
    2009-04-30 22:31 . 2009-04-30 22:31 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
    2009-04-30 21:27 . 2009-04-30 21:27 520192 ----a-w c:\windows\system32\Corner Gas Screen Saver.scr
    2009-04-30 21:27 . 2009-04-30 21:27 -------- d-----w c:\windows\system32\Corner Gas Screen Saver dir
    2009-04-29 04:45 . 2009-04-29 04:45 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Identities
    2009-04-28 17:34 . 2009-04-28 17:34 -------- d-----w c:\program files\Alwil Software
    2009-04-15 03:24 . 2009-04-15 03:24 -------- d-----w c:\windows\system32\XPSViewer
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w c:\program files\MSBuild
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w c:\program files\Reference Assemblies
    2009-04-15 03:23 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
    2009-04-15 03:23 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-04-15 03:23 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-04-15 03:23 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
    2009-04-15 03:23 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
    2009-04-15 03:23 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
    2009-04-15 03:23 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
    2009-04-15 03:23 . 2009-04-15 03:23 -------- d-----w C:\20be88bd4b237cbfab
    2009-04-15 02:21 . 2009-04-15 02:21 -------- d-----w c:\documents and settings\Darlene\Application Data\AdobeUM
    2009-04-14 19:08 . 2009-04-15 18:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-14 19:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-14 19:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-14 19:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 19:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-14 19:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 19:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 19:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 19:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 19:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 19:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 18:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-14 18:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 17:43 . 2009-04-14 17:43 66152 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-14 08:43 . 2009-04-14 08:43 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-04-14 05:08 -------- d-----w c:\documents and settings\Darlene\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-14 05:08 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-14 05:08 . 2009-04-14 05:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-14 05:08 . 2009-05-04 06:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-13 03:09 . 2009-04-13 03:10 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-04-13 03:09 . 2009-04-13 03:09 -------- d-----w c:\program files\DVD Shrink
    2009-04-12 22:40 . 2009-04-12 22:40 -------- d-----w c:\documents and settings\Darlene\Application Data\Red Kawa
    2009-04-12 20:39 . 2009-04-12 20:39 -------- d-----w c:\program files\Regensoft
    2009-04-12 20:38 . 2009-04-12 20:38 -------- d-----w c:\program files\Red Kawa
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\program files\iPod
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\program files\iTunes
    2009-04-12 18:27 . 2009-04-12 18:27 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-12 18:15 . 2008-04-17 19:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
    2009-04-12 18:15 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-04-11 20:53 . 2009-04-11 20:53 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2009-04-09 22:07 . 2009-04-09 22:07 -------- d-----w c:\program files\CCleaner
    2009-04-09 19:44 . 2009-04-09 19:58 -------- d-----w c:\program files\Common Files\Solveig Multimedia
    2009-04-09 19:44 . 2009-04-09 19:44 -------- d-----w c:\program files\Solveig Multimedia
    2009-04-09 05:55 . 2009-04-09 06:48 -------- d-----w c:\program files\Common Files\ParetoLogic
    2009-04-09 05:55 . 2009-04-09 05:55 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Downloaded Installations
    2009-04-09 02:33 . 2009-04-09 02:33 -------- d-----w c:\documents and settings\Darlene\Application Data\ImgBurn
    2009-04-09 02:00 . 2009-04-09 02:01 -------- d-----w c:\program files\ImgBurn
    2009-04-08 10:35 . 2009-04-08 10:35 -------- d-----w c:\program files\AviSynth 2.5
    2009-04-08 10:33 . 2009-04-09 06:43 -------- d-----w c:\program files\Avi2Dvd
    2009-04-08 07:56 . 2009-04-08 08:26 -------- d-----w c:\documents and settings\Darlene\.housecall6.6
    2009-04-08 06:31 . 2009-05-02 06:53 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-08 06:31 . 2009-04-28 18:26 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-04-07 21:39 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
    2009-04-07 21:38 . 2009-04-07 21:38 -------- d-----w c:\program files\Panda Security
    2009-04-07 20:11 . 2009-04-08 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-07 18:06 . 2009-04-30 22:31 -------- d-----w c:\documents and settings\Darlene\Local Settings\Application Data\Adobe
    2009-04-07 18:06 . 2009-04-07 18:06 -------- d-----w c:\program files\Common Files\Adobe
    2009-04-06 22:21 . 2009-04-06 22:24 148 ----a-w c:\documents and settings\Darlene\Application Data\wklnhst.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-15 03:33 . 2009-03-31 17:59 66152 ----a-w c:\documents and settings\Darlene\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-12 18:27 . 2009-04-03 21:06 -------- d-----w c:\program files\Common Files\Apple
    2009-04-05 18:20 . 2009-04-05 18:20 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Microsoft
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Windows Live
    2009-04-05 00:13 . 2009-04-05 00:13 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-04-05 00:05 . 2009-04-05 00:05 -------- d-----w c:\program files\Common Files\Windows Live
    2009-04-03 21:06 . 2009-04-03 21:06 -------- d-----w c:\program files\QuickTime
    2009-04-03 21:06 . 2009-04-03 21:06 -------- d-----w c:\program files\Apple Software Update
    2009-04-03 07:06 . 2009-04-03 07:06 -------- d-----w c:\program files\RMVB Converter
    2009-04-03 06:50 . 2009-04-03 06:50 -------- d-----w c:\program files\Real Alternative
    2009-04-03 06:48 . 2005-11-01 00:08 -------- d-----w c:\program files\Common Files\Real
    2009-04-02 02:13 . 2009-04-02 02:13 -------- d-----w c:\program files\K-Lite Codec Pack
    2009-04-02 01:40 . 2009-04-02 01:40 -------- d-----w c:\program files\Windows Media Components
    2009-04-02 01:20 . 2009-04-02 01:20 -------- d-----w c:\program files\Windows Media Connect 2
    2009-04-01 06:01 . 2009-04-01 06:01 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-04-01 06:01 . 2005-11-01 00:02 -------- d-----w c:\program files\Java
    2009-04-01 05:54 . 2009-04-01 05:54 -------- d-----w c:\program files\AVG
    2009-04-01 01:22 . 2005-11-01 00:09 -------- d-----w c:\program files\MUSICMATCH
    2009-03-31 21:15 . 2009-03-31 21:15 -------- d-----w c:\program files\MSXML 4.0
    2009-03-31 20:52 . 2005-08-16 10:41 88859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-03-31 19:57 . 2005-11-01 00:03 -------- d-----w c:\program files\Intel
    2009-03-31 18:16 . 2005-08-17 02:58 -------- d-----w c:\program files\RGB
    2009-03-31 18:07 . 2005-11-01 00:06 -------- d-----w c:\program files\Modem Helper
    2009-03-31 18:07 . 2005-11-01 00:07 -------- d-----w c:\program files\Common Files\AOL
    2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-06 06:59 . 2009-04-03 21:06 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
    2009-03-06 06:59 . 2009-04-03 21:06 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
    2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
    2009-03-02 18:10 . 2008-12-08 12:53 67584 ----a-w c:\windows\system32\ff_vfw.dll
    2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-08 02:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-07 01:52 . 2009-02-07 01:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:08 . 2005-08-16 10:18 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-05-05_06.25.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-05-06 00:08 . 2009-05-06 00:08 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
    + 2009-05-06 00:25 . 2009-05-06 00:25 16384 c:\windows\Temp\Perflib_Perfdata_60c.dat
    + 2009-05-06 00:25 . 2009-05-06 00:25 16384 c:\windows\Temp\Perflib_Perfdata_258.dat
    + 2009-05-05 07:07 . 2009-05-05 07:07 180224 c:\windows\ERDNT\AutoBackup\5-5-2009\Users\00000002\UsrClass.dat
    + 2009-05-05 07:07 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-5-2009\ERDNT.EXE
    + 2009-05-05 07:07 . 2009-05-05 07:07 6352896 c:\windows\ERDNT\AutoBackup\5-5-2009\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

    c:\documents and settings\Darlene\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-31 24576]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sympatico.msn.ca/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
    Trusted Zone: tvfreeload.com
    FF - ProfilePath - c:\documents and settings\Darlene\Application Data\Mozilla\Firefox\Profiles\bv024wqq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-05 17:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(960)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Apoint\ApntEx.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\msiexec.exe
    c:\windows\ehome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-06 17:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-06 00:29
    ComboFix2.txt 2009-05-05 06:28

    Pre-Run: 58,302,582,784 bytes free
    Post-Run: 58,290,819,072 bytes free

    263 --- E O F --- 2009-04-28 18:58


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:37:12 PM, on 5/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.tvfreeload.com
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238530204328
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSC...ws-i586-jc.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    --
    End of file - 6096 bytes
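
The log above is the kind of thing a helper reads by eye: O4 startup entries whose `.lnk` target HijackThis could not resolve (`= ?`), an O15 Trusted Zone entry for `*.tvfreeload.com`, and O16 ActiveX downloads from hosts other than the usual vendors. The script below is an added example, not part of the thread and not HijackThis code; its flagging rules are its own heuristics for deciding what to look at first, not verdicts. `SAMPLE_LOG` is a constructed subset of lines copied from the posted log, and `EXPECTED_O16_DOMAINS` is an assumed allowlist.

```python
"""Triage a HijackThis v2 log.

Added example for this thread; it is not part of HijackThis, and the
flagging rules below are this script's own heuristics, not verdicts from
HijackThis or from the helper in the thread. SAMPLE_LOG is a constructed
subset of the O4/O15/O16/O23 lines from the log posted above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the posted log, verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O15 - Trusted Zone: http://*.tvfreeload.com
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238530204328
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

# Assumption: download hosts treated as expected for O16 ActiveX entries.
# Anything else is flagged for a manual look, not declared malicious.
EXPECTED_O16_DOMAINS = ("microsoft.com", "symantec.com", "sun.com")

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Oxx - ...' line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def o16_host(body):
    """Host part of the CAB download URL at the end of an O16 line."""
    url = body.rsplit(" - ", 1)[-1].strip()
    return urlparse(url).hostname or ""


def host_is_expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_O16_DOMAINS)


def triage(log_text):
    """Apply the heuristics and return the entries worth a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O4" and body.endswith(" = ?"):
            # HijackThis could not resolve the .lnk target; check it by hand.
            findings.append(Finding(section, line, "startup shortcut with unresolved target"))
        elif section == "O15":
            # Sites in IE's Trusted Zone run with relaxed security settings.
            findings.append(Finding(section, line, "site added to IE Trusted Zone"))
        elif section == "O16" and not host_is_expected(o16_host(body)):
            findings.append(Finding(section, line, f"ActiveX download from {o16_host(body)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the sample it flags the two unresolved Global Startup shortcuts, the tvfreeload.com Trusted Zone entry and the Bebo uploader CAB, and leaves the Windows Update control alone. A flag means "verify this", not "remove this": the O4 `?` entries may simply be shortcuts to a removed HP or Dell utility.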

  7. #7
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Hello!

    We are making good progress. You are doing great.


    I'd like you to check the following file for viruses.



    c:\windows\system32\Corner Gas Screen Saver.scr


    • Copy/paste the file into the white "Upload a file" box.
    • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    • After a while, a window will open, with details of what the scans found.
    • Copy and Paste results in your next reply.




    ATF-Cleaner

    Please download ATF Cleaner by Atribune.


    • Save it to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

      If you use the Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords please click No at the prompt.
    • Click Exit on the Main menu to close the program.





    Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives

    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply along with a fresh HijackThis log.



    Logs/Information to Post in Next Reply

    Please post the following logs/Information in your reply:

    • Jotti or virustotal results
    • Kaspersky Log
    • A fresh HijackThis Log ( after all the above has been done)
    • A description of how your computer is behaving
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  8. #8
    Junior Member pool_player65's Avatar
    Join Date
    May 2009
    Posts
    11

    Default

    Logs as requested,

    Jotti's scan
    File: Corner_Gas_Screen_Saver.scr
    Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: d5ac13be0b6086749cd9da6c2456cb2f
    Packers detected: -


    Wednesday, May 6, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Thursday, May 07, 2009 01:56:24
    Records in database: 2139087
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    F:\
    Scan statistics
    Files scanned 54266
    Threat name 2
    Infected objects 3
    Suspicious objects 0
    Duration of the scan 01:12:21

    File name Threat name Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir Infected: Trojan-Downloader.Win32.Agent.bvpx 1
    C:\Qoobox\Quarantine\C\WINDOWS\Temp\2377548520.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
    C:\Qoobox\Quarantine\C\WINDOWS\Temp\2442236020.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
    The selected area was scanned.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:05:49 PM, on 5/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.tvfreeload.com
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238530204328
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSC...ws-i586-jc.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    --
    End of file - 5937 bytes



    Hmmm, how's my Dell behaving? Well, I've been alternating between the IE 7 and Firefox browsers since you've been helping me. Prior to my Dell's maladies I relied on Firefox because it seemed faster, and yet I fell back onto IE because Firefox seemed to be redirected more.

    I've been replying in IE up until now because I want Firefox to be more reliable. Imagine my surprise when I couldn't use colour or emoticons here. I guess those features work for IE.

    Google is my preferred search engine, and nefarious searches like "remove COA" are subject to redirection, aka browser hijack. Other than the occasional annoying hijacks, my Dell can still get on the Internet and burn DVDs, for which I'm very happy.
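
Two things in this post are easy to misread. All three Kaspersky detections sit under `C:\Qoobox\Quarantine`, which is where ComboFix keeps the copies it has already quarantined (the ComboFix log earlier names `ComboFix-quarantined-files.txt`), so they are hits on inert copies rather than on files still running from `system32` or `Temp`. And Jotti printed an MD5 for the screensaver, which lets you confirm the verdict belongs to the file actually on disk. The script below is an added example, not code from Kaspersky, Jotti or the helper; `REPORT` holds the three lines from the posted report plus one constructed line (marked) so the "live" branch is exercised, and the bytes hashed at the end are a placeholder, so that check is expected to fail.

```python
"""Check what a scanner report is really telling you.

Added example for this thread; not code from Kaspersky, Jotti or the
helper. REPORT holds the three detection lines from the Kaspersky report
posted above plus one constructed line (marked) that shows a hit outside
a quarantine folder. JOTTI_MD5 is the value Jotti printed for
Corner_Gas_Screen_Saver.scr; the bytes hashed below are constructed, so
that check is expected to fail.
"""
import hashlib
import re
from dataclasses import dataclass

# C:\Qoobox is ComboFix's quarantine folder. Assumption: any other
# quarantine folder you want treated the same way goes in this tuple too.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

REPORT = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir Infected: Trojan-Downloader.Win32.Agent.bvpx 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2377548520.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2442236020.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Documents and Settings\User\Local Settings\Temp\constructed-live-sample.exe Infected: Trojan-Downloader.Win32.Agent.bvpv 1
"""
# The last REPORT line is constructed for this example; it is not in the
# posted report.

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Value Jotti printed for Corner_Gas_Screen_Saver.scr in the post above.
JOTTI_MD5 = "d5ac13be0b6086749cd9da6c2456cb2f"


@dataclass
class Hit:
    path: str
    threat: str
    count: int


def parse_hits(report):
    """Parse 'path Infected: threat count' lines from a Kaspersky report."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["threat"], int(m["count"])))
    return hits


def is_quarantined(path):
    p = path.lower()
    return any(p.startswith(q) for q in QUARANTINE_PREFIXES)


def split_hits(hits):
    """Return (live, quarantined). Live hits still need removal; quarantined
    ones are copies the scanner found inside a removal tool's vault."""
    live = [h for h in hits if not is_quarantined(h.path)]
    quarantined = [h for h in hits if is_quarantined(h.path)]
    return live, quarantined


def md5_matches(data, expected_hex):
    """True when the bytes hash to the scanner's reported MD5, i.e. the
    online verdict applies to this exact file."""
    return hashlib.md5(data).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    live, quarantined = split_hits(parse_hits(REPORT))
    print(f"{len(quarantined)} quarantined, {len(live)} live")
    for h in live:
        print("LIVE:", h.path, h.threat)
    sample = b"constructed placeholder, not the real screensaver bytes"
    print("MD5 matches Jotti's value:", md5_matches(sample, JOTTI_MD5))
```

To use it on a real machine, read the screensaver with `open(path, "rb").read()` in place of the placeholder bytes and feed the saved Kaspersky report text to `parse_hits`. A report whose only hits are quarantined copies says nothing about why the browser is still being redirected, which is the question the helper picks up next.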

  9. #9
    Junior Member pool_player65's Avatar
    Join Date
    May 2009
    Posts
    11

    Default

    I forgot to mention that my touchpad used to act sluggishly, and I'd get so impatient and frustrated that I would insert my mouse just to point and click.

    However after our sessions my touchpad seems to cooperate more.

  10. #10
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Quote Originally Posted by pool_player65 View Post
    Google is my preferred search engine, and nefarious searches like "remove COA" are subject to redirection, aka browser hijack. Other than the occasional annoying hijacks, my Dell can still get on the Internet and burn DVDs, for which I'm very happy.
    So you are still getting redirected? Does this happen with both browsers (IE and Firefox)? Do you use a router to connect to the internet?
    MRU Master of Malware Removal University

    Member of UNITE and ASAP
