
Thread: Batter Up: W32/Bagle.RC.worm - hldrrr.exe (think got rid of wintems.exe & mdelk.exe)

  1. #11
    Member
    Join Date
    Jan 2008
    Posts
    71

    Default Processes

    Processes


    Process:

    System Idle Process
    System
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehRec.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\wintems.exe
    C:\WINDOWS\zHotkey.exe




    Win32 Services:

    Started Service:

    Service Name:AudioSrv Display Name:Windows Audio
    Service Name:COMSysApp Display Name:COM+ System Application
    Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
    Service Name:CryptSvc Display Name:Cryptographic Services
    Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
    Service Name:Dhcp Display Name:DHCP Client
    Service Name:Dnscache Display Name:DNS Client
    Service Name:ERSvc Display Name:Error Reporting Service
    Service Name:EventSystem Display Name:COM+ Event System
    Service Name:Eventlog Display Name:Event Log
    Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
    Service Name:HTTPFilter Display Name:HTTP SSL
    Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
    Service Name:McrdSvc Display Name:Media Center Extender Service
    Service Name:NVSvc Display Name:NVIDIA Display Driver Service
    Service Name:Netman Display Name:Network Connections
    Service Name:Nla Display Name:Network Location Awareness (NLA)
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:PnkBstrA Display Name:PnkBstrA
    Service Name:PolicyAgent Display Name:IPSEC Services
    Service Name:PrismXL Display Name:PrismXL
    Service Name:ProtectedStorage Display Name:Protected Storage
    Service Name:RasMan Display Name:Remote Access Connection Manager
    Service Name:RemoteRegistry Display Name:Remote Registry
    Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
    Service Name:SENS Display Name:System Event Notification
    Service Name:SSDPSRV Display Name:SSDP Discovery Service
    Service Name:SamSs Display Name:Security Accounts Manager
    Service Name:Schedule Display Name:Task Scheduler
    Service Name:ShellHWDetection Display Name:Shell Hardware Detection
    Service Name:Spooler Display Name:Print Spooler
    Service Name:TapiSrv Display Name:Telephony
    Service Name:TermService Display Name:Terminal Services
    Service Name:Themes Display Name:Themes
    Service Name:TrkWks Display Name:Distributed Link Tracking Client
    Service Name:UMWdf Display Name:Windows User Mode Driver Framework
    Service Name:WebClient Display Name:WebClient
    Service Name:aawservice Display Name:Ad-Aware 2007 Service
    Service Name:dmserver Display Name:Logical Disk Manager
    Service Name:ehRecvr Display Name:Media Center Receiver Service
    Service Name:helpsvc Display Name:Help and Support
    Service Name:lanmanserver Display Name:Server
    Service Name:lanmanworkstation Display Name:Workstation
    Service Name:nTuneService Display Name:nTune Service
    Service Name:seclogon Display Name:Secondary Logon
    Service Name:srservice Display Name:System Restore Service
    Service Name:winmgmt Display Name:Windows Management Instrumentation




    SSDT

    7 red entries of sptd.sys




    Startup

    Startup:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    desktop.ini


    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    desktop.ini


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    swg
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    NVIDIA nTune
    "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    DAEMON Tools
    "C:\Program Files\DAEMON Tools\daemon.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    CTSyncU.exe
    "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsyskit
    C:\WINDOWS\system32\drivers\hldrrr.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    mule_st_key
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    german.exe
    C:\WINDOWS\system32\wintems.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RTHDCPL
    RTHDCPL.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Recguard
    %WINDIR%\SMINST\RECGUARD.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    readericon
    C:\Program Files\Digital Media Reader\readericon45G.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Power2GoExpress
    "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    nwiz
    nwiz.exe /install

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSKDetectorExe
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    High Definition Audio Property Page Shortcut
    HDAShCut.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ehTray
    C:\WINDOWS\ehome\ehtray.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CLMLServer
    "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CLJ


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CHotkey
    zHotkey.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Alcmtr
    ALCMTR.EXE

  2. #12
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Perfect

    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Now for the fix. Close all windows and run IceSword.exe. Do not restart your computer until the very end, to ensure the fix works.

    Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe



    Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them if present.

    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe
    C:\WINDOWS\system32\german.exe
    C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe



    Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them if present.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa



    Next navigate to these registry keys and delete the registry values in bold

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsyskit
    C:\WINDOWS\system32\drivers\hldrrr.exe


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    mule_st_key
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    german.exe
    C:\WINDOWS\system32\wintems.exe


    Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" tabs, taking note of any red entries from them and from the SSDT tab.

    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #13
    Member
    Join Date
    Jan 2008
    Posts
    71

    Default

    The following files were not found:

    C:\WINDOWS\system32\german.exe
    C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe



    Pretty sure the following entry was not there (may have been, and I may have deleted it per your instructions):

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa


    ControlSet003 and ControlSet004 didn't exist:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa



    Processes


    Process:

    System Idle Process
    System
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\wintems.exe
    C:\WINDOWS\zHotkey.exe




    Win32 Services

    Started Service:

    Service Name:AudioSrv Display Name:Windows Audio
    Service Name:Browser Display Name:Computer Browser
    Service Name:COMSysApp Display Name:COM+ System Application
    Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
    Service Name:CryptSvc Display Name:Cryptographic Services
    Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
    Service Name:Dhcp Display Name:DHCP Client
    Service Name:Dnscache Display Name:DNS Client
    Service Name:ERSvc Display Name:Error Reporting Service
    Service Name:EventSystem Display Name:COM+ Event System
    Service Name:Eventlog Display Name:Event Log
    Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
    Service Name:HTTPFilter Display Name:HTTP SSL
    Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
    Service Name:McrdSvc Display Name:Media Center Extender Service
    Service Name:NVSvc Display Name:NVIDIA Display Driver Service
    Service Name:Netman Display Name:Network Connections
    Service Name:Nla Display Name:Network Location Awareness (NLA)
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:PnkBstrA Display Name:PnkBstrA
    Service Name:PolicyAgent Display Name:IPSEC Services
    Service Name:PrismXL Display Name:PrismXL
    Service Name:ProtectedStorage Display Name:Protected Storage
    Service Name:RasMan Display Name:Remote Access Connection Manager
    Service Name:RemoteRegistry Display Name:Remote Registry
    Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
    Service Name:SENS Display Name:System Event Notification
    Service Name:SSDPSRV Display Name:SSDP Discovery Service
    Service Name:SamSs Display Name:Security Accounts Manager
    Service Name:Schedule Display Name:Task Scheduler
    Service Name:ShellHWDetection Display Name:Shell Hardware Detection
    Service Name:Spooler Display Name:Print Spooler
    Service Name:TapiSrv Display Name:Telephony
    Service Name:TermService Display Name:Terminal Services
    Service Name:Themes Display Name:Themes
    Service Name:TrkWks Display Name:Distributed Link Tracking Client
    Service Name:UMWdf Display Name:Windows User Mode Driver Framework
    Service Name:W32Time Display Name:Windows Time
    Service Name:WebClient Display Name:WebClient
    Service Name:aawservice Display Name:Ad-Aware 2007 Service
    Service Name:dmserver Display Name:Logical Disk Manager
    Service Name:ehRecvr Display Name:Media Center Receiver Service
    Service Name:helpsvc Display Name:Help and Support
    Service Name:lanmanserver Display Name:Server
    Service Name:lanmanworkstation Display Name:Workstation
    Service Name:nTuneService Display Name:nTune Service
    Service Name:seclogon Display Name:Secondary Logon
    Service Name:srservice Display Name:System Restore Service
    Service Name:winmgmt Display Name:Windows Management Instrumentation




    SSDT

    7 red entries of sptd.sys




    Startup

    Startup:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    desktop.ini


    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    desktop.ini


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    swg
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    NVIDIA nTune
    "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    DAEMON Tools
    "C:\Program Files\DAEMON Tools\daemon.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    CTSyncU.exe
    "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsyskit
    C:\WINDOWS\system32\drivers\hldrrr.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    german.exe
    C:\WINDOWS\system32\wintems.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    mule_st_key
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RTHDCPL
    RTHDCPL.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Recguard
    %WINDIR%\SMINST\RECGUARD.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    readericon
    C:\Program Files\Digital Media Reader\readericon45G.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Power2GoExpress
    "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    nwiz
    nwiz.exe /install

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSKDetectorExe
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    High Definition Audio Property Page Shortcut
    HDAShCut.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ehTray
    C:\WINDOWS\ehome\ehtray.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CLMLServer
    "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CLJ


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CHotkey
    zHotkey.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Alcmtr
    ALCMTR.EXE

  4. #14
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Something is stopping it from being removed

    Download ComboFix from one of the locations below, and save it to your Desktop.
    Double click combofix.exe and follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


  5. #15
    Member
    Join Date
    Jan 2008
    Posts
    71

    Default

    Walked away while it was doing its scan. When I came back, apparently my system crashed (honestly, it doesn't do that very often at all).

    What WAS interesting was a Windows Alert that Windows Firewall was blocking Flec06.exe or whatever... and it asked if I wanted to keep blocking or allow. I allowed it to keep blocking.

    Why that is interesting is that every time I check Windows Security, the Windows Firewall has been disabled. This is the first time since the infection that Windows Firewall appears to have remained active through a reboot.

    Anyway, does the log file get created, or would there have been an option or a Notepad window opening up?

    Here is the HiJackThis Log following the auto-crash/reboot/whatever happened:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:41, on 2008-01-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196686463109
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/...vest/gwCID.CAB
    O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7614 bytes

  6. #16
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Try running ComboFix again; if it crashes, then try it in Safe Mode.

  7. #17
    Member
    Join Date
    Jan 2008
    Posts
    71

    Default

    System did not reboot/crash.

    ComboFix Scan completed in just a couple of minutes.

    ComboFix 08-01-23.2 - Owner 2008-01-23 14:06:37.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1595 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\wintems.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SROSA
    -------\srosa




    ((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
    .

    2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-22 21:40 . 2008-01-23 09:49 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
    2008-01-22 21:38 . 2008-01-23 09:51 <DIR> d-------- C:\WINDOWS\system32\drivers\down
    2008-01-22 21:38 . 2004-10-08 05:03 837,281 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
    2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
    2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
    2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
    2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
    2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
    2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
    2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
    2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
    2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
    2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
    2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
    2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
    2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
    2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
    2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
    2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
    2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
    2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
    2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
    2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
    2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
    2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
    2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
    2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
    2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
    2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
    2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
    2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
    2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
    2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
    2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
    2008-01-20 00:50 --------- d-----w C:\Program Files\Google
    2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
    2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
    2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
    2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
    2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
    2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
    2007-12-22 01:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
    2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
    2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
    2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
    2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
    2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
    2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
    2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
    2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
    2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
    2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
    2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
    2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
    2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
    2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
    2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
    2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
    2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
    2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
    2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
    2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
    2007-12-03 07:04 --------- d-----w C:\Program Files\Real
    2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
    2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
    2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
    2007-12-03 07:00 --------- d-----w C:\Program Files\Java
    2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
    2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
    2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
    2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
    2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
    2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
    2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
    2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 22:39 228,864 ----a-w C:\WINDOWS\system32\wmasf.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]
    "german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
    "mule_st_key"="C:\Documents and Settings\Owner\Application Data\m\flec006.exe" [2008-01-23 09:49 96772]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
    "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
    "CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
    "CLJ"="" []
    "CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    "EnableLUA"= 0 (0x0)

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-23 14:07:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

  8. #18
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Hello

    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe

    Folder::
    C:\WINDOWS\system32\drivers\down

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "german.exe"=-
    "mule_st_key"=-

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also post a new HijackThis log.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
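
The checks the helper applied by eye to the "Reg Loading Points" section of the ComboFix log above (a Run value whose name does not match the file it launches, an entry for which ComboFix could print no file details, an executable living under Application Data or under the drivers directory, an AutoRun handler under mountpoints2 for a mounted volume) can be written down and run over the log text. The script below is an added example, not code from the thread, from ComboFix or from its author: it parses a constructed sample modelled on the entries in this thread, flags the entries those heuristics catch, and drafts a CFScript stanza in the syntax the post above uses (File::, "name"=- to drop a value, [-key] to drop a whole key). The heuristics, the function names and the sample log are assumptions of this example; it knows nothing about files the log section does not mention, so the Folder:: line and the other File:: entries in the helper's script still have to come from the rest of the log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and draft the
matching CFScript stanza.  Added example: heuristics, names and the sample
log are constructed for illustration, not taken from ComboFix."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the entries in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"mule_st_key"="C:\Documents and Settings\Owner\Application Data\m\flec006.exe" [2008-01-23 09:49 96772]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"CLJ"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]\s*$')   # "name"="target" [details]
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(.*)$', re.IGNORECASE)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    key: str
    name: str                 # value name; "" for a key-level finding (AutoRun handler)
    target: str
    reasons: List[str] = field(default_factory=list)
    present: bool = True      # ComboFix printed file details, so the file was on disk


def parse_loading_points(text: str):
    """Split the section into Run-style values and mountpoints2 AutoRun commands."""
    values, autoruns, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            values.append((key, m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            autoruns.append((key, m.group(1)))
    return values, autoruns


def triage(text: str) -> List[Finding]:
    """Apply the checks a helper applies by eye to each autostart entry."""
    values, autoruns = parse_loading_points(text)
    findings = []
    for key, name, target, details in values:
        if not target:
            continue                      # empty entry such as "CLJ"="" launches nothing
        low = target.lower()
        reasons = []
        if not details:
            reasons.append("no file details at scan time (target missing or unreadable)")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("launches from a user-writable profile directory")
        if "\\drivers\\" in low and low.endswith(".exe"):
            reasons.append("an .exe placed in the drivers directory")
        if name.lower().endswith(".exe") and name.lower() != low.rsplit("\\", 1)[-1]:
            reasons.append(f"value name {name!r} does not match the target file name")
        if reasons:
            findings.append(Finding(key, name, target, reasons, present=bool(details)))
    for key, command in autoruns:
        findings.append(Finding(key, "", command,
                                ["AutoRun handler registered for a mounted volume"], present=False))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Draft a CFScript: File:: lists flagged files still on disk, "name"=- deletes
    a value, [-key] deletes a whole key (syntax as used in the helper's post)."""
    files = [f.target for f in findings if f.name and f.present]
    by_key, dead_keys = {}, []
    for f in findings:
        if f.name:
            by_key.setdefault(f.key, []).append(f.name)
        else:
            dead_keys.append(f.key)
    out = ["KillAll::", ""]
    if files:
        out += ["File::", *files, ""]
    out.append("Registry::")
    for key, names in by_key.items():
        out += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    out += [f"[-{k}]" for k in dead_keys]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n  {f.name or '(key)'} -> {f.target}\n  " + "; ".join(f.reasons))
    print("\n--- draft CFScript ---\n" + build_cfscript(found))
```

Run stand-alone it prints each flagged entry with the reason it tripped and the draft script; wintems.exe is flagged (value name and target differ, and no file details were printed) but is kept out of File:: because the missing details mean nothing was on disk to delete, which is exactly why the helper's script above lists mdelk.exe, hldrrr.exe and flec006.exe but not wintems.exe. The draft is a starting point for a trained helper to review, not something to drop into ComboFix unread: a heuristic that matches a legitimate entry would delete it just as readily.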

  9. #19
    Member
    Join Date
    Jan 2008
    Posts
    71

    ComboFix scanned, appeared to remove the bad files/entries, rebooted, continued, created log.

    ComboFix

    ComboFix 08-01-23.2 - Owner 2008-01-23 14:22:08.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\mdelk.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\m\flec006.exe
    C:\WINDOWS\system32\drivers\down
    C:\WINDOWS\system32\drivers\down\124687.exe
    C:\WINDOWS\system32\drivers\down\132234.exe
    C:\WINDOWS\system32\drivers\down\134390.exe
    C:\WINDOWS\system32\drivers\down\137687.exe
    C:\WINDOWS\system32\drivers\down\139546.exe
    C:\WINDOWS\system32\drivers\down\143531.exe
    C:\WINDOWS\system32\drivers\down\14720625.exe
    C:\WINDOWS\system32\drivers\down\14745734.exe
    C:\WINDOWS\system32\drivers\down\14747859.exe
    C:\WINDOWS\system32\drivers\down\14751312.exe
    C:\WINDOWS\system32\drivers\down\14761671.exe
    C:\WINDOWS\system32\drivers\down\14770984.exe
    C:\WINDOWS\system32\drivers\down\14796437.exe
    C:\WINDOWS\system32\drivers\down\14802640.exe
    C:\WINDOWS\system32\drivers\down\14802750.exe
    C:\WINDOWS\system32\drivers\down\148031.exe
    C:\WINDOWS\system32\drivers\down\14808578.exe
    C:\WINDOWS\system32\drivers\down\14812015.exe
    C:\WINDOWS\system32\drivers\down\14844312.exe
    C:\WINDOWS\system32\drivers\down\14845390.exe
    C:\WINDOWS\system32\drivers\down\14853546.exe
    C:\WINDOWS\system32\drivers\down\14865218.exe
    C:\WINDOWS\system32\drivers\down\14871031.exe
    C:\WINDOWS\system32\drivers\down\14872718.exe
    C:\WINDOWS\system32\drivers\down\14873171.exe
    C:\WINDOWS\system32\drivers\down\14873687.exe
    C:\WINDOWS\system32\drivers\down\14877234.exe
    C:\WINDOWS\system32\drivers\down\14878968.exe
    C:\WINDOWS\system32\drivers\down\14911875.exe
    C:\WINDOWS\system32\drivers\down\14915781.exe
    C:\WINDOWS\system32\drivers\down\14923234.exe
    C:\WINDOWS\system32\drivers\down\190312.exe
    C:\WINDOWS\system32\drivers\down\193578.exe
    C:\WINDOWS\system32\drivers\down\194031.exe
    C:\WINDOWS\system32\drivers\down\198828.exe
    C:\WINDOWS\system32\drivers\down\200984.exe
    C:\WINDOWS\system32\drivers\down\232718.exe
    C:\WINDOWS\system32\drivers\down\233484.exe
    C:\WINDOWS\system32\drivers\down\236406.exe
    C:\WINDOWS\system32\drivers\down\241703.exe
    C:\WINDOWS\system32\drivers\down\243453.exe
    C:\WINDOWS\system32\drivers\down\245484.exe
    C:\WINDOWS\system32\drivers\down\246093.exe
    C:\WINDOWS\system32\drivers\down\246843.exe
    C:\WINDOWS\system32\drivers\down\270250.exe
    C:\WINDOWS\system32\drivers\down\272859.exe
    C:\WINDOWS\system32\drivers\down\29338000.exe
    C:\WINDOWS\system32\drivers\down\29341859.exe
    C:\WINDOWS\system32\drivers\down\29343687.exe
    C:\WINDOWS\system32\drivers\down\29345671.exe
    C:\WINDOWS\system32\drivers\down\29350109.exe
    C:\WINDOWS\system32\drivers\down\29352515.exe
    C:\WINDOWS\system32\drivers\down\29368203.exe
    C:\WINDOWS\system32\drivers\down\29371015.exe
    C:\WINDOWS\system32\drivers\down\29371234.exe
    C:\WINDOWS\system32\drivers\down\29376687.exe
    C:\WINDOWS\system32\drivers\down\29378734.exe
    C:\WINDOWS\system32\drivers\down\29380359.exe
    C:\WINDOWS\system32\drivers\down\29380921.exe
    C:\WINDOWS\system32\drivers\down\29384109.exe
    C:\WINDOWS\system32\drivers\down\29390015.exe
    C:\WINDOWS\system32\drivers\down\29391968.exe
    C:\WINDOWS\system32\drivers\down\29392437.exe
    C:\WINDOWS\system32\drivers\down\29392734.exe
    C:\WINDOWS\system32\drivers\down\29393843.exe
    C:\WINDOWS\system32\drivers\down\29395640.exe
    C:\WINDOWS\system32\drivers\down\29396937.exe
    C:\WINDOWS\system32\drivers\down\29427640.exe
    C:\WINDOWS\system32\drivers\down\29429765.exe
    C:\WINDOWS\system32\drivers\down\29436031.exe
    C:\WINDOWS\system32\drivers\down\302578.exe
    C:\WINDOWS\system32\drivers\down\304953.exe
    C:\WINDOWS\system32\drivers\down\310906.exe
    C:\WINDOWS\system32\drivers\down\43844406.exe
    C:\WINDOWS\system32\drivers\down\43848078.exe
    C:\WINDOWS\system32\drivers\down\43850421.exe
    C:\WINDOWS\system32\drivers\down\43892437.exe
    C:\WINDOWS\system32\drivers\down\43895375.exe
    C:\WINDOWS\system32\drivers\down\43898000.exe
    C:\WINDOWS\system32\drivers\down\43941828.exe
    C:\WINDOWS\system32\drivers\down\43944203.exe
    C:\WINDOWS\system32\drivers\down\43944390.exe
    C:\WINDOWS\system32\drivers\down\43952187.exe
    C:\WINDOWS\system32\drivers\down\43954203.exe
    C:\WINDOWS\system32\drivers\down\43956906.exe
    C:\WINDOWS\system32\drivers\down\43957593.exe
    C:\WINDOWS\system32\drivers\down\43962218.exe
    C:\WINDOWS\system32\drivers\down\43967953.exe
    C:\WINDOWS\system32\drivers\down\43970437.exe
    C:\WINDOWS\system32\drivers\down\43971281.exe
    C:\WINDOWS\system32\drivers\down\43974828.exe
    C:\WINDOWS\system32\drivers\down\43978625.exe
    C:\WINDOWS\system32\drivers\down\43987078.exe
    C:\WINDOWS\system32\drivers\down\43988875.exe
    C:\WINDOWS\system32\drivers\down\44018937.exe
    C:\WINDOWS\system32\drivers\down\44022828.exe
    C:\WINDOWS\system32\drivers\down\44029203.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\mdelk.exe
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\wintems.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SROSA
    -------\srosa






    ((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
    .

    2008-01-23 14:24 . 2008-01-23 14:24 <DIR> d-------- C:\WINDOWS\system32\drivers\down
    2008-01-23 14:24 . 2008-01-23 14:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-23 14:24 . 2008-01-23 14:24 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
    2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
    2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
    2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
    2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
    2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
    2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
    2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
    2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
    2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
    2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
    2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
    2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
    2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
    2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
    2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
    2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
    2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
    2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
    2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
    2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
    2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
    2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
    2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
    2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
    2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
    2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
    2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
    2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
    2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
    2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
    2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
    2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
    2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
    2008-01-20 00:50 --------- d-----w C:\Program Files\Google
    2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
    2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
    2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
    2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
    2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
    2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
    2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
    2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
    2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
    2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
    2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
    2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
    2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
    2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
    2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
    2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
    2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
    2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
    2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
    2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
    2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
    2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
    2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
    2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
    2007-12-03 07:04 --------- d-----w C:\Program Files\Real
    2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
    2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
    2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
    2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
    2007-12-03 07:00 --------- d-----w C:\Program Files\Java
    2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
    2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
    2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
    2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
    2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
    2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
    2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-23_13.32.23.26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-23 18:22:30 3,874,816 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-23 19:22:05 3,883,008 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-23 18:22:30 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-23 19:22:05 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-23 19:25:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
    "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
    "CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
    "CLJ"="" []
    "CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    "EnableLUA"= 0 (0x0)

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-23 14:24:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

#20
Member
Join Date: Jan 2008
Posts: 71

HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:29, on 2008-01-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT4016
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196686463109
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/...vest/gwCID.CAB
    O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7389 bytes
