
Thread: Win32.delf.rtk, Virtumonde and others.

#11 - Junior Member (joined Mar 2009, 12 posts)

    Finally, the last one.

    I should probably mention that I decided to use the DDS log from after I turned Spybot's resident guard back on (turning it off again for the scan, of course) to hopefully give a better indication of what is still there.

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
    "igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-10-29 1073152]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "vidc.iv32"= c:\windows\system32\ir32_32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-09 22:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    --a------ 2006-03-16 03:12 1077248 c:\program files\DISC\DISCover.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
    --a------ 2006-03-16 03:11 61440 c:\program files\DISC\DISCUpdMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    --a------ 2006-03-20 10:05 90112 c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 22:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-12-15 19:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2006-02-15 23:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    --a------ 2005-06-02 00:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2008-10-07 14:33 13574144 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
    --a------ 2006-01-20 01:20 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2005-07-22 23:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2004-12-14 03:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --------- 2005-08-03 00:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2008-10-07 14:33 1630208 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2007-10-25 03:57 16855552 c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
    "c:\\Program Files\\Hamachi\\hamachi.exe"=
    "c:\\Program Files\\Opera 9\\Opera.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "c:\\Program Files\\Opera 9\\profile\\cache4\\temporary_download\\Diablo3-gameplaytrailer_en-US-downloader.exe"=
    "c:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\Archive.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Spectromancer\\spectromancer.exe"=
    "c:\\Program Files\\Lighthouse Interactive\\Sword of the Stars\\Sword of the Stars.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\zombie panic! source\\hl2.exe"=
    "c:\\Program Files\\Dead Space\\Dead Space.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "c:\\Program Files\\Activision\\Star Trek Armada II Fleet Operations\\Data\\armada2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    S2 Tcpipsrv;Tcp ipx Service;c:\windows\$ntunistalls\svchost.exe --> c:\windows\$ntunistalls\svchost.exe [?]
    S3 efipsk;efipsk;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys [?]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-09 2304]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - f:\dx9\dxsetup.exe
    \Shell\setup\command - F:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0e-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\dinstall\command - f:\setup\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0f-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - G:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022d-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - h:\setup\SETUP95.EXE
    \Shell\dxinstall\command - start setup\dxinst.exe
    \Shell\readme\command - notepad readme.txt

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022e-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - I:\autorun.exe
    \Shell\dinstall\command - i:\setup\Directx\dxsetup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - kmsvc32.dll
    BHO-{A6D6C060-BB36-4407-8F59-B06192FCFFA8} - c:\windows\system32\mlJYRjJA.dll
    BHO-{f604a4f9-fbe8-4a5c-ac38-1065d50b29f9} - c:\windows\system32\pehirema.dll
    HKLM-Run-bujopidiju - c:\windows\system32\mijejabe.dll
    HKLM-RunServices-Object Rec - sorhost.exe
    HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
    SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kapigagi.dll
    Notify-dimsntfy - (no file)
    Notify-ljJDVpPj - ljJDVpPj.dll
    Notify-pmnkJApn - pmnkJApn.dll
    Notify-urqOGVPH - urqOGVPH.dll
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    LSP: imdds.dll
    Trusted Zone: trymedia.com
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-10 16:38:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(864)
    c:\windows\system32\imdds.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-10 16:52:10 - machine was rebooted [HP_Administrator]
    ComboFix-quarantined-files.txt 2009-03-10 22:52:08
    ComboFix2.txt 2007-11-13 03:06:21

    Pre-Run: 17,794,711,552 bytes free
    Post-Run: 18,433,421,312 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=,1,3,4,5,6,7
    3315 --- E O F --- 2009-01-13 23:48:54

#12 - Blade81, Security Expert: Emeritus (Finland, joined Oct 2006, 25,288 posts)

    Quote: turning Spybot's TeaTimer back on
    Hi

    TeaTimer should be kept disabled during the whole fixing process.


    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.




    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    "Tcp ipx Service"
    
    File::
    c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk
    c:\windows\system\xccef090131.exe
    c:\windows\system32\nfr.assembly
    c:\windows\system32\dll32.dll
    c:\windows\ld02.exe
    c:\windows\pp2.exe
    c:\windows\t55ft3518f44.dat
    c:\windows\9gdfgjf23
    c:\windows\system32\kmsvc32.dll
    c:\windows\system32\imdds.dll
    c:\windows\system32\wh
    c:\windows\system32\nelesoye.dll
    c:\windows\system32\hgset.ini
    c:\windows\system32\work.ini
    c:\windows\awepajon.dll
    
    Folder::
    c:\windows\$ntunistalls
    c:\windows\system32\3361
    c:\documents and settings\HP_Administrator\Application Data\uTorrent
    
    DDS::
    BHO: {684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} - No File
    BHO: {A6D6C060-BB36-4407-8F59-B06192FCFFA8} - No File
    BHO: {f604a4f9-fbe8-4a5c-ac38-1065d50b29f9} - No File
    TB: {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - No File
    Trusted Zone: trymedia.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
    If that happened we want to know, and also which process you had to end.


    Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
    • Click the Download button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, enable the Java add-ons in IE7. Do that using "Manage Add-ons" from the IE7 toolbar.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
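As an added example (not part of this thread, and not DDS or ComboFix code), the script below applies the checks an analyst makes when reading a "Reg Loading Points" log like the one in post #11 and writes out the matching Registry:: lines in the CFScript syntax used in post #12. It flags Image File Execution Options keys whose Debugger value is not a real debugger (the AV executables above are all redirected to alg.exe, a Windows service binary that exits immediately when started as an ordinary program, so the AV never launches), services whose image file is missing or lives in a temp or non-standard directory, a Winsock LSP entry, a browser proxy pointing at localhost, and the two weakened-posture values (firewall off, Security Center update warnings suppressed). The sample log is constructed from entries shown in the thread; the list of known-good debuggers, the path heuristics and the finding names are this example's own assumptions.

```python
"""Triage of DDS/ComboFix 'Reg Loading Points' output and CFScript generation.

Added example; not DDS, ComboFix or the forum helper's own tooling.
"""
import re
from dataclasses import dataclass

# Debuggers that legitimately appear as an IFEO "Debugger" value (assumed list).
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Path fragments in which a service binary has no business living (assumed list).
SUSPECT_PATH_HINTS = ("\\temp\\", "$ntunistall", "\\documents and settings\\", "\\recycler\\")

# Constructed sample, assembled from entries shown in the thread's DDS log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 Tcpipsrv;Tcp ipx Service;c:\windows\$ntunistalls\svchost.exe --> c:\windows\$ntunistalls\svchost.exe [?]
S3 efipsk;efipsk;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-09 2304]

uInternet Settings,ProxyServer = http=localhost:7171
LSP: imdds.dll
"""


@dataclass
class Finding:
    kind: str
    detail: str
    key: str = ""    # registry key to act on ("" means report only)
    value: str = ""  # value name to delete; "" means delete the whole key


def _check_value(key, name, data, out):
    klow, nlow = key.lower(), name.lower()
    if "image file execution options" in klow and nlow == "debugger":
        # Windows launches the Debugger with the target as argument, so a
        # non-debugger here means the target program never actually runs.
        target = key.rsplit("\\", 1)[-1]
        dbg = data.strip('"').rsplit("\\", 1)[-1].lower()
        if dbg not in KNOWN_DEBUGGERS:
            out.append(Finding("ifeo_hijack", f"{target} redirected to {dbg}", key))
    elif klow.endswith("\\security center") and nlow == "updatesdisablenotify" and data.endswith("1"):
        out.append(Finding("posture", "Security Center update warnings suppressed", key, name))
    elif klow.endswith("\\standardprofile") and nlow == "enablefirewall" and data.startswith("0"):
        out.append(Finding("posture", "Windows Firewall disabled (standard profile)"))
    elif "\\currentversion\\run" in klow and data.endswith("[X]"):
        # ComboFix marks an autostart whose file is missing with [X].
        out.append(Finding("dangling_run", f"{name}: file not found", key, name))


def _check_service(line, out):
    m = re.match(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+)$", line)
    if not m:
        return False
    name, rest = m.group(1), m.group(2)
    missing = rest.rstrip().endswith("[?]")
    path = rest.split(" -->")[0].split(" [")[0].replace("\\??\\", "").lower()
    if missing or any(h in path for h in SUSPECT_PATH_HINTS):
        why = "image file missing" if missing else "image in user-writable or odd location"
        out.append(Finding("rogue_service", f"{name}: {path} ({why})"))
    return True


def _check_misc(line, out):
    m = re.search(r"ProxyServer\s*=\s*(.+)$", line)
    if m and re.search(r"localhost|127\.0\.0\.1", m.group(1)):
        out.append(Finding("local_proxy", f"browser traffic routed through {m.group(1).strip()}"))
        return
    m = re.match(r"LSP:\s*(\S+)", line)
    if m:
        out.append(Finding("lsp", f"Winsock LSP {m.group(1)} is loaded into every process that uses Winsock"))


def triage(text):
    """Return the list of Findings for a DDS/ComboFix log excerpt."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if m and key:
            _check_value(key, m.group(1), m.group(2).strip(), findings)
        elif not _check_service(line, findings):
            _check_misc(line, findings)
    return findings


def cfscript_registry_section(findings):
    """Render a CFScript Registry:: section for the registry-based findings:
    [-key] deletes a key, "name"=- deletes a value. Key-less findings are
    report-only (a disabled firewall is fixed by re-enabling it, not deleting)."""
    lines = ["Registry::"]
    for f in findings:
        if not f.key:
            continue
        if f.value:
            lines += [f"[{f.key}]", f'"{f.value}"=-', ""]
        else:
            lines += [f"[-{f.key}]", ""]
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:14} {f.detail}")
    print()
    print(cfscript_registry_section(found))
```

Run against the sample it reports nine findings and emits the same four registry actions the CFScript in this post contains (UserFaultCheck and UpdatesDisableNotify value deletions, whole-key deletion for the two IFEO entries). Deleting an IFEO key takes effect on the next launch of the target; the rogue services and the in-memory LSP still need the Driver:: and File:: sections plus a reboot, which is why the script above is only part of the fix.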

#13 - Junior Member (joined Mar 2009, 12 posts)

    Sorry. I wasn't aware of the Spybot thing.

    Combofix did go on a bit over twenty minutes, but the processes you told me to end only popped up for a half second at a time; I never got much opportunity to end them. Thankfully, it only took a minute or two over the time limit, so it was no particular issue with me.

    On to the logfest:

    Malwarebytes:
    Malwarebytes' Anti-Malware 1.34
    Database version: 1837
    Windows 5.1.2600 Service Pack 2

    11/03/2009 9:07:33 PM
    mbam-log-2009-03-11 (21-07-33).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 382978
    Time elapsed: 2 hour(s), 9 minute(s), 5 second(s)

    Memory Processes Infected: 5
    Memory Modules Infected: 1
    Registry Keys Infected: 9
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 21

    Memory Processes Infected:
    C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\WINDOWS\system32\nxtepad.exe (Backdoor.Bot) -> Unloaded process successfully.
    C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Unloaded process successfully.
    C:\WINDOWS\system32\umtcdtw.sys (Backdoor.Bot) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\imdds.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Applications\nxtepad.exe (Hijack.Notepad) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command\ (Hijack.Notepad) -> Bad: ("C:\WINDOWS\system32\nxtepad.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\qoobox\Quarantine\C\WINDOWS\system32\senekaaflfeyrk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\qoobox\Quarantine\C\WINDOWS\system32\senekacijsoela.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\senekavlwgrmov.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000001.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0000166.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\ld02.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dll32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\pp2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\imdds.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msrstart.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nxtepad.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\umtcdtw.sys (Backdoor.Bot) -> Delete on reboot.

    Combofix:

    ComboFix 09-03-10.03 - HP_Administrator 2009-03-11 21:18:36.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3043 [GMT -6:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk
    c:\windows\9gdfgjf23
    c:\windows\awepajon.dll
    c:\windows\ld02.exe
    c:\windows\pp2.exe
    c:\windows\system\xccef090131.exe
    c:\windows\system32\dll32.dll
    c:\windows\system32\hgset.ini
    c:\windows\system32\imdds.dll
    c:\windows\system32\kmsvc32.dll
    c:\windows\system32\nelesoye.dll
    c:\windows\system32\nfr.assembly
    c:\windows\system32\wh
    c:\windows\system32\work.ini
    c:\windows\t55ft3518f44.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk
    c:\documents and settings\HP_Administrator\Application Data\uTorrent
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\#24.torrent
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\2007-05-09.torrent
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\2007-10-10.torrent
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\dht.dat
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\dht.dat.old
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\resume.dat
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\resume.dat.old
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\rss.dat
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\rss.dat.old
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\settings.dat
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\settings.dat.old
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\utorrent.lng
    c:\documents and settings\HP_Administrator\Application Data\uTorrent\Xenogears Light - An Arranged Album.torrent
    c:\windows\$ntunistalls
    c:\windows\9gdfgjf23
    c:\windows\awepajon.dll
    c:\windows\Install.txt
    c:\windows\system32\3361
    c:\windows\system32\3361\mlog
    c:\windows\system32\hgset.ini
    c:\windows\system32\kmsvc32.dll
    c:\windows\system32\nelesoye.dll
    c:\windows\system32\nfr.assembly
    c:\windows\system32\wh
    c:\windows\system32\work.ini
    c:\windows\t55ft3518f44.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_SOPIDKC


    ((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
    .

    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-11 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-09 02:56 . 2009-03-10 02:24 <DIR> d-------- c:\program files\Koei
    2009-03-08 05:47 . 2009-03-08 07:28 <DIR> d-------- c:\program files\Sim
    2009-03-08 00:16 . 2009-03-08 00:17 <DIR> d-------- c:\program files\ERUNT
    2009-02-28 12:09 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
    2009-02-28 12:08 . 2009-03-10 16:28 <DIR> d-------- c:\windows\system32\inf
    2009-02-20 21:02 . 2009-02-20 21:02 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly
    2009-02-18 23:48 . 2009-02-18 23:48 <DIR> d-------- c:\program files\OptimiData
    2009-02-18 18:54 . 2009-02-18 18:54 <DIR> d-------- c:\program files\Freelancer Mod Manager

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-12 03:26 --------- d-----w c:\program files\Eraser
    2009-03-11 20:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Hamachi
    2009-03-11 19:55 --------- d-----w c:\program files\Warcraft III
    2009-03-09 21:07 --------- d-----w c:\program files\DTP
    2009-03-08 18:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HTSKApp
    2009-03-07 06:45 --------- d-----w c:\program files\THQ
    2009-03-07 06:43 --------- d-----w c:\program files\Microsoft Games
    2009-03-07 06:42 --------- d-----w c:\program files\Activision
    2009-03-07 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-05 18:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-28 19:37 --------- d-----w c:\program files\Opera 9
    2009-02-28 18:58 --------- d-----w c:\program files\Google
    2009-02-24 11:12 --------- d-----w c:\program files\Ubisoft
    2009-02-14 21:48 --------- d-----w c:\program files\Battle for Wesnoth 1.5.9
    2009-02-11 17:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-04 17:57 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Activision
    2009-02-01 03:42 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Canon
    2009-01-28 07:15 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
    2009-01-21 20:46 --------- d-----w c:\program files\Magic Workstation
    2009-01-20 03:50 --------- d-----w c:\program files\Trend Micro
    2009-01-12 07:51 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Tilted Mill
    2007-11-16 02:07 22,328 ----a-w c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
    2003-12-18 17:33 20,102 ----a-w c:\program files\Readme.txt
    2003-09-03 13:46 10,960 ----a-w c:\program files\EULA.txt
    2006-09-20 21:59 22 --sha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-03-10_16.51.10.82 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-02-09 10:20:05 1,847,424 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys
    + 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
    + 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
    + 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
    + 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
    + 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
    + 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
    + 2008-12-05 06:41:26 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll
    + 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
    + 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
    + 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
    + 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
    + 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\$hf_mig$\KB967715\SP3GDR\shell32.dll
    + 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
    + 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
    + 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
    + 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
    + 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
    + 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
    + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\11-03-2009\ERDNT.EXE
    + 2009-03-11 17:08:02 23,252,992 ----a-w c:\windows\erdnt\AutoBackup\11-03-2009\Users\00000001\NTUSER.DAT
    + 2009-03-11 17:08:02 352,256 ----a-w c:\windows\erdnt\AutoBackup\11-03-2009\Users\00000002\UsrClass.dat
    + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\2009-03-11\ERDNT.EXE
    + 2009-03-12 03:28:59 23,252,992 ----a-w c:\windows\erdnt\AutoBackup\2009-03-11\Users\00000001\NTUSER.DAT
    + 2009-03-12 03:29:00 352,256 ----a-w c:\windows\erdnt\AutoBackup\2009-03-11\Users\00000002\UsrClass.dat
    + 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
    + 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
    + 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
    + 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
    + 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
    + 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
    + 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
    + 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
    + 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
    + 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
    + 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
    + 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
    + 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
    + 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
    + 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
    + 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
    + 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
    + 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
    + 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
    + 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
    + 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
    + 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
    + 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
    + 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
    + 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
    + 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
    + 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
    + 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
    + 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
    + 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
    - 2009-01-13 23:48:52 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2009-03-11 09:02:32 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2009-01-13 23:48:52 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2009-03-11 09:02:32 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2009-01-13 23:48:52 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2009-03-11 09:02:32 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2009-01-13 23:48:52 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2009-03-11 09:02:32 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2009-01-13 23:48:52 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2009-03-11 09:02:32 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2009-01-13 23:48:52 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2009-03-11 09:02:32 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2009-01-13 23:48:52 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2009-03-11 09:02:32 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2009-01-13 23:48:53 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2009-03-11 09:02:32 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2009-01-13 23:48:52 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2009-03-11 09:02:32 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2009-01-13 23:48:52 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2009-03-11 09:02:32 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
    + 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
    - 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
    + 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll
    - 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
    + 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
    - 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
    + 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
    - 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
    + 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
    - 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\dllcache\icardie.dll
    + 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\dllcache\icardie.dll
    - 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
    + 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
    - 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
    + 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
    - 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
    + 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
    - 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    + 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    - 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
    + 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
    - 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
    + 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
    - 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
    + 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\dllcache\ieframe.dll
    - 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
    + 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
    - 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll
    + 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll
    - 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
    + 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
    - 2008-10-15 07:06:26 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
    + 2008-12-19 05:25:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
    - 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
    + 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
    - 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll
    + 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll
    - 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
    + 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
    - 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
    + 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
    - 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
    + 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
    - 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
    + 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
    - 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
    + 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
    - 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
    + 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
    - 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
    + 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
    - 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\dllcache\schannel.dll
    + 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\dllcache\schannel.dll
    - 2007-10-26 03:34:01 8,460,288 ----a-w c:\windows\system32\dllcache\shell32.dll
    + 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\system32\dllcache\shell32.dll
    - 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\dllcache\url.dll
    + 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\dllcache\url.dll
    - 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
    + 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
    - 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll
    + 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll
    - 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
    + 2009-02-09 10:19:34 1,846,272 ----a-w c:\windows\system32\dllcache\win32k.sys
    - 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
    + 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
    - 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\dllcache\wmp.dll
    + 2008-11-12 00:34:42 10,838,016 ----a-w c:\windows\system32\dllcache\wmp.dll
    - 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
    + 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
    - 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
    + 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
    - 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
    + 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
    - 2009-02-19 17:55:06 216,064 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-11 17:07:23 216,064 ----a-w c:\windows\system32\FNTCACHE.DAT
    - 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
    + 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
    - 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
    + 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
    - 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
    + 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
    - 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
    + 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
    - 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
    + 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
    - 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
    + 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
    - 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
    + 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
    - 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
    + 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
    - 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
    + 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
    - 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
    + 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
    - 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
    + 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
    - 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
    + 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
    - 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
    + 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
    - 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
    + 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
    - 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
    + 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
    - 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
    + 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
    - 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
    + 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
    - 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
    + 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
    + 2004-08-10 04:00:00 211,456 ----a-w c:\windows\system32\mtrstart.exe
    + 2004-08-10 04:00:00 211,456 ----a-w c:\windows\system32\nctedit.exe
    - 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
    + 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
    - 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
    + 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
    - 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\schannel.dll
    + 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\schannel.dll
    - 2007-10-26 03:34:01 8,460,288 ----a-w c:\windows\system32\shell32.dll
    + 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\system32\shell32.dll
    - 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    - 2007-08-11 02:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
    + 2007-07-27 15:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
    - 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
    + 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
    - 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
    + 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
    - 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
    + 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
    - 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
    + 2009-02-09 10:19:34 1,846,272 ----a-w c:\windows\system32\win32k.sys
    - 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
    + 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
    - 2007-06-12 05:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
    + 2008-11-12 00:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
    - 2007-10-29 10:04:03 350,720 ----a-w c:\windows\system32\xpsp3res.dll
    + 2008-02-15 09:06:21 351,744 ----a-w c:\windows\system32\xpsp3res.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
    "igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-05-31 27136]

    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-10-29 1073152]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDVpPj]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJApn]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOGVPH]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "vidc.iv32"= c:\windows\system32\ir32_32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-09 22:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    --a------ 2006-03-16 03:12 1077248 c:\program files\DISC\DISCover.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
    --a------ 2006-03-16 03:11 61440 c:\program files\DISC\DISCUpdMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    --a------ 2006-03-20 10:05 90112 c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 22:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-12-15 19:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2006-02-15 23:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    --a------ 2005-06-02 00:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2008-10-07 14:33 13574144 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
    --a------ 2006-01-20 01:20 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2005-07-22 23:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2004-12-14 03:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --------- 2005-08-03 00:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2008-10-07 14:33 1630208 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2007-10-25 03:57 16855552 c:\windows\RTHDCPL.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
    "c:\\Program Files\\Hamachi\\hamachi.exe"=
    "c:\\Program Files\\Opera 9\\Opera.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
    "c:\\Program Files\\Opera 9\\profile\\cache4\\temporary_download\\Diablo3-gameplaytrailer_en-US-downloader.exe"=
    "c:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\Archive.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Spectromancer\\spectromancer.exe"=
    "c:\\Program Files\\Lighthouse Interactive\\Sword of the Stars\\Sword of the Stars.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\zombie panic! source\\hl2.exe"=
    "c:\\Program Files\\Dead Space\\Dead Space.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "c:\\Program Files\\Activision\\Star Trek Armada II Fleet Operations\\Data\\armada2.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    S2 Tcpipsrv;Tcp ipx Service;c:\windows\$ntunistalls\svchost.exe --> c:\windows\$ntunistalls\svchost.exe [?]
    S3 efipsk;efipsk;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys [?]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-09 2304]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0e-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\dinstall\command - f:\setup\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0f-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - G:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022d-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - h:\setup\SETUP95.EXE
    \Shell\dxinstall\command - start setup\dxinst.exe
    \Shell\readme\command - notepad readme.txt

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022e-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - I:\autorun.exe
    \Shell\dinstall\command - i:\setup\Directx\dxsetup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-11 21:29:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-11 21:41:59 - machine was rebooted [HP_Administrator]
    ComboFix-quarantined-files.txt 2009-03-12 03:41:56
    ComboFix2.txt 2009-03-10 22:52:11
    ComboFix3.txt 2007-11-13 03:06:21

    Pre-Run: 17,859,432,448 bytes free
    Post-Run: 17,761,673,216 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=,1,3,4,5,6,7
    708 --- E O F --- 2009-03-11 09:02:36

    Kaspersky:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, March 12, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, March 12, 2009 05:40:02
    Records in database: 1890759
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 356150
    Threat name: 5
    Infected objects: 5
    Suspicious objects: 0
    Duration of the scan: 06:18:48


    File name / Threat name / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
    C:\qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Infected: Trojan.Win32.Small.bvb 1
    C:\qoobox\Quarantine\C\WINDOWS\xccdf32_090131a.dll.vir Infected: Trojan-Spy.Win32.Pophot.gzu 1
    C:\WINDOWS\system32\mtrstart.exe Infected: Trojan.Win32.Agent2.fbj 1
    C:\WINDOWS\system32\nctedit.exe Infected: Trojan.Win32.Agent2.fbj 1

    The selected area was scanned.

    DDS:

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by HP_Administrator at 5:19:04.73 on 12/03/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3582.2859 [GMT -6:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Opera 9\opera.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
    uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165182224881
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2007-11-10 11840]
    R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2007-11-10 68865]
    R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2007-11-10 151297]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-20 1174152]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2007-11-10 52032]
    S2 Tcpipsrv;Tcp ipx Service;c:\windows\$ntunistalls\svchost.exe --> c:\windows\$ntunistalls\svchost.exe [?]
    S3 efipsk;efipsk;\??\c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys --> c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys [?]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-9 2304]

    =============== Created Last 30 ================

    2009-03-11 22:06 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-03-11 22:00 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-11 21:17 161,792 a------- c:\windows\SWREG.exe
    2009-03-11 21:17 98,816 a------- c:\windows\sed.exe
    2009-03-11 18:56 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
    2009-03-11 18:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-11 18:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 18:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 18:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-09 02:56 <DIR> --d----- c:\program files\Koei
    2009-03-08 05:47 <DIR> --d----- c:\program files\Sim
    2009-02-28 12:09 676,352 a------- c:\windows\system32\rtl60.bpl
    2009-02-28 12:08 <DIR> --d----- c:\windows\system32\inf
    2009-02-20 21:02 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\The Creative Assembly
    2009-02-18 23:48 <DIR> --d----- c:\program files\OptimiData
    2009-02-18 18:54 <DIR> --d----- c:\program files\Freelancer Mod Manager

    ==================== Find3M ====================

    2009-02-09 04:19 1,846,272 a------- c:\windows\system32\win32k.sys
    2009-02-09 04:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
    2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
    2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
    2008-12-19 03:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2008-12-19 03:10 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-18 23:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
    2008-12-18 23:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
    2007-11-15 20:07 22,328 a------- c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
    2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
    2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt
    2006-09-20 15:59 22 a--sh--- c:\windows\sminst\HPCD.sys

    ============= FINISH: 5:19:44.65 ===============

    That would seem to be it.

  4. #14
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    Tcpipsrv
    
    File::
    C:\WINDOWS\system32\mtrstart.exe
    C:\WINDOWS\system32\nctedit.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDVpPj]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkJApn]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOGVPH]

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh dds.txt log. How's the system running?


    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager and then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #15
    Junior Member
    Join Date
    Mar 2009
    Posts
    12


    I'm starting to get cautiously optimistic.

    Here you go:
    ComboFix 09-03-10.03 - HP_Administrator 2009-03-12 13:54:50.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2996 [GMT -6:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\mtrstart.exe
    c:\windows\system32\nctedit.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\mtrstart.exe
    c:\windows\system32\nctedit.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TCPIPSRV
    -------\Service_Tcpipsrv


    ((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
    .

    2009-03-11 22:06 . 2009-03-11 22:06 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-11 22:00 . 2009-03-11 22:06 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2009-03-11 18:56 . 2009-03-11 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-11 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-09 02:56 . 2009-03-10 02:24 <DIR> d-------- c:\program files\Koei
    2009-03-08 05:47 . 2009-03-08 07:28 <DIR> d-------- c:\program files\Sim
    2009-03-08 00:16 . 2009-03-08 00:17 <DIR> d-------- c:\program files\ERUNT
    2009-02-28 12:09 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
    2009-02-28 12:08 . 2009-03-10 16:28 <DIR> d-------- c:\windows\system32\inf
    2009-02-20 21:02 . 2009-02-20 21:02 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly
    2009-02-18 23:48 . 2009-02-18 23:48 <DIR> d-------- c:\program files\OptimiData
    2009-02-18 18:54 . 2009-02-18 18:54 <DIR> d-------- c:\program files\Freelancer Mod Manager

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-12 20:02 --------- d-----w c:\program files\Eraser
    2009-03-12 09:23 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HTSKApp
    2009-03-12 04:11 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-12 04:06 --------- d-----w c:\program files\Java
    2009-03-11 20:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Hamachi
    2009-03-11 19:55 --------- d-----w c:\program files\Warcraft III
    2009-03-07 06:45 --------- d-----w c:\program files\THQ
    2009-03-07 06:43 --------- d-----w c:\program files\Microsoft Games
    2009-03-07 06:42 --------- d-----w c:\program files\Activision
    2009-03-07 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-05 18:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-28 19:37 --------- d-----w c:\program files\Opera 9
    2009-02-28 18:58 --------- d-----w c:\program files\Google
    2009-02-24 11:12 --------- d-----w c:\program files\Ubisoft
    2009-02-14 21:48 --------- d-----w c:\program files\Battle for Wesnoth 1.5.9
    2009-02-11 17:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-04 17:57 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Activision
    2009-02-01 03:42 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Canon
    2009-01-28 07:15 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
    2009-01-21 20:46 --------- d-----w c:\program files\Magic Workstation
    2009-01-20 03:50 --------- d-----w c:\program files\Trend Micro
    2009-01-12 07:51 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Tilted Mill
    2007-11-16 02:07 22,328 ----a-w c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
    2003-12-18 17:33 20,102 ----a-w c:\program files\Readme.txt
    2003-09-03 13:46 10,960 ----a-w c:\program files\EULA.txt
    2006-09-20 21:59 22 --sha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-03-11_21.40.57.92 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\12-03-2009\ERDNT.EXE
    + 2009-03-12 19:47:33 23,252,992 ----a-w c:\windows\erdnt\AutoBackup\12-03-2009\Users\00000001\NTUSER.DAT
    + 2009-03-12 19:47:34 352,256 ----a-w c:\windows\erdnt\AutoBackup\12-03-2009\Users\00000002\UsrClass.dat
    + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\2009-03-12\ERDNT.EXE
    + 2009-03-12 20:08:09 23,252,992 ----a-w c:\windows\erdnt\AutoBackup\2009-03-12\Users\00000001\NTUSER.DAT
    + 2009-03-12 20:08:10 352,256 ----a-w c:\windows\erdnt\AutoBackup\2009-03-12\Users\00000002\UsrClass.dat
    - 2007-09-25 05:30:28 135,168 ----a-w c:\windows\system32\java.exe
    + 2009-03-12 04:06:46 144,792 ----a-w c:\windows\system32\java.exe
    - 2007-09-25 05:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2009-03-12 04:06:46 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2007-09-25 06:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-12 04:06:46 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-12 20:06:07 16,384 ----atw c:\windows\temp\Perflib_Perfdata_514.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
    "igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-05-31 27136]

    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-10-29 1073152]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "vidc.iv32"= c:\windows\system32\ir32_32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-09 22:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    --a------ 2006-03-16 03:12 1077248 c:\program files\DISC\DISCover.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
    --a------ 2006-03-16 03:11 61440 c:\program files\DISC\DISCUpdMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    --a------ 2006-03-20 10:05 90112 c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 22:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-12-15 19:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2006-02-15 23:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    --a------ 2005-06-02 00:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2008-10-07 14:33 13574144 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
    --a------ 2006-01-20 01:20 53248 c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2005-07-22 23:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2004-12-14 03:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --------- 2005-08-03 00:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2008-10-07 14:33 1630208 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2007-10-25 03:57 16855552 c:\windows\RTHDCPL.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
    "c:\\Program Files\\Hamachi\\hamachi.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Opera 9\\Opera.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Opera 9\\profile\\cache4\\temporary_download\\Diablo3-gameplaytrailer_en-US-downloader.exe"=
    "c:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\Archive.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Spectromancer\\spectromancer.exe"=
    "c:\\Program Files\\Lighthouse Interactive\\Sword of the Stars\\Sword of the Stars.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\the_lone_knight\\zombie panic! source\\hl2.exe"=
    "c:\\Program Files\\Dead Space\\Dead Space.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "c:\\Program Files\\Activision\\Star Trek Armada II Fleet Operations\\Data\\armada2.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Documents and Settings\\HP_Administrator\\Application Data\\HTSKApp\\htskapp.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    S3 efipsk;efipsk;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\efipsk.sys [?]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-09 2304]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0e-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\dinstall\command - f:\setup\Directx\dxsetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505e0b0f-5a53-11db-affb-001731b06b4b}]
    \Shell\AutoRun\command - G:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022d-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - h:\setup\SETUP95.EXE
    \Shell\dxinstall\command - start setup\dxinst.exe
    \Shell\readme\command - notepad readme.txt

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6772022e-9602-11db-b0c3-001731b06b4b}]
    \Shell\AutoRun\command - I:\autorun.exe
    \Shell\dinstall\command - i:\setup\Directx\dxsetup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-12 14:06:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-12 14:19:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-12 20:19:09
    ComboFix2.txt 2009-03-12 11:49:23
    ComboFix3.txt 2009-03-10 22:52:11
    ComboFix4.txt 2007-11-13 03:06:21

    Pre-Run: 17,077,600,256 bytes free
    Post-Run: 17,026,732,032 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=,1,3,4,5,6,7
    273 --- E O F --- 2009-03-11 09:02:36

  6. #16
    Junior Member, Join Date: Mar 2009, Posts: 12

    ... Oops. Forgot the dds log.

    System seems to be running just fine. I had to change the wallpaper for it to show up properly but other than that everything seems more or less the way it should be. There are no RunDLL errors, no sporadic bits of music, no IE popups and no random processes eating up 50% of my processing power for no apparent reason.

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by HP_Administrator at 14:52:26.51 on 12/03/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3582.2860 [GMT -6:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Opera 9\opera.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
    uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165182224881
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2007-11-10 11840]
    R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2007-11-10 68865]
    R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2007-11-10 151297]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-20 1174152]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2007-11-10 52032]
    S3 efipsk;efipsk;\??\c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys --> c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys [?]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-9 2304]

    =============== Created Last 30 ================

    2009-03-11 22:06 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-03-11 22:00 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-11 21:17 161,792 a------- c:\windows\SWREG.exe
    2009-03-11 21:17 98,816 a------- c:\windows\sed.exe
    2009-03-11 18:56 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
    2009-03-11 18:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-11 18:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 18:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 18:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-09 02:56 <DIR> --d----- c:\program files\Koei
    2009-03-08 05:47 <DIR> --d----- c:\program files\Sim
    2009-02-28 12:09 676,352 a------- c:\windows\system32\rtl60.bpl
    2009-02-28 12:08 <DIR> --d----- c:\windows\system32\inf
    2009-02-20 21:02 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\The Creative Assembly
    2009-02-18 23:48 <DIR> --d----- c:\program files\OptimiData
    2009-02-18 18:54 <DIR> --d----- c:\program files\Freelancer Mod Manager

    ==================== Find3M ====================

    2009-02-09 04:19 1,846,272 a------- c:\windows\system32\win32k.sys
    2009-02-09 04:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
    2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
    2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
    2008-12-19 03:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2008-12-19 03:10 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-18 23:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
    2008-12-18 23:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
    2007-11-15 20:07 22,328 a------- c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
    2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
    2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt
    2006-09-20 15:59 22 a--sh--- c:\windows\sminst\HPCD.sys

    ============= FINISH: 14:52:44.84 ===============
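The DDS and ComboFix logs above are read by hand in this thread; the checks a helper applies first are mechanical enough to script. The following Python is an added example, not part of the original post or of the DDS/ComboFix tools: it scans log lines for a service or driver whose image lives under a user temp directory (the efipsk.sys entry above), an image DDS could not stat (the `[?]` suffix), a browser proxy pointing at the local machine (the `localhost:7171` line above), and MountPoints2 AutoRun handlers from the ComboFix section. The sample lines are copied from the logs in this thread; the hostnames in the proxy examples in the comments are made up.

```python
"""Triage of DDS / ComboFix log lines for the items a malware-removal helper checks
first. Added example, not part of the original post or of the DDS tool."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    severity: str  # "high" or "review"
    line: str
    reason: str


# DDS/ComboFix service line: <R|S><start type> <name>;<display name>;<image path> [<date size>]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[([^\]]*)\])?$")
# DDS "Pseudo HJT Report" proxy line (u = per-user hive, m = machine hive)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# ComboFix MountPoints2 line: \Shell\AutoRun\command - <command run when the drive is opened>
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)

# Path fragments no legitimate kernel driver should be loaded from.
USER_TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
LOCAL_PROXY_HOSTS = ("localhost", "127.0.0.1")

# Lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2007-11-10 11840]
S3 efipsk;efipsk;\??\c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys --> c:\docume~1\hp_adm~1\locals~1\temp\efipsk.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-9 2304]
\Shell\AutoRun\command - E:\autorun.exe
"""


def proxy_host_port(value: str) -> Tuple[str, Optional[int]]:
    """'http=localhost:7171' -> ('localhost', 7171); 'proxy.example:8080' -> ('proxy.example', 8080)."""
    entry = value.split(";")[0]          # 'http=a:1;https=b:2' -> first protocol entry
    if "=" in entry:
        entry = entry.split("=", 1)[1]   # drop the 'http=' prefix
    host, sep, port = entry.rpartition(":")
    if not sep:                          # no port given at all
        host, port = port, ""
    return host.strip().lower(), (int(port) if port.isdigit() else None)


def triage(log_text: str) -> List[Finding]:
    """Return the lines worth a second look, in log order, with a reason each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            image, stat = m.group(5).lower(), m.group(6)
            if any(marker in image for marker in USER_TEMP_MARKERS):
                findings.append(Finding("high", line,
                                        "driver/service image lives under a user temp directory"))
            if stat == "?":
                findings.append(Finding("review", line,
                                        "DDS could not stat the image ([?]): file missing, hidden or access denied"))
            continue

        m = PROXY_RE.match(line)
        if m:
            host, port = proxy_host_port(m.group(1))
            if host in LOCAL_PROXY_HOSTS:
                findings.append(Finding("review", line,
                                        f"browser traffic goes through a local proxy on port {port}; "
                                        "identify the process listening there"))
            continue

        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("review", line,
                                    f"AutoRun handler in MountPoints2 runs {m.group(1)} when the drive is opened"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The avgio.sys and pcistub.sys lines pass untouched because their images sit under Program Files and system32; a localhost proxy is reported for review rather than as malicious, since legitimate local filters also register one, and the next step is to find which process owns the port (`netstat -ano` on the affected machine).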

  7. #17
    Blade81, Security Expert: Emeritus, Join Date: Oct 2006, Location: Finland, Posts: 25,288

    Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to protect it against further intrusions.


    THESE STEPS ARE VERY IMPORTANT

    Let's reset system restore
    Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE, NOT on a regular basis.



    Now let's uninstall ComboFix:
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK



    Delete dds.com file and related logs.


    UPDATING WINDOWS AND INTERNET EXPLORER

    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


    Make your Internet Explorer more secure

    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



    The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

    • Download SpywareBlaster
      Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain activex controls can't install.
      If you don't know what activex controls are, see here
      You can download SpywareBlaster here
      SpywareBlaster tutorial
    • hosts file:
      • Every version of windows has a hosts file as part of them.
      • In a very basic sense, they are used to locate webpages.
      • We can customize a hosts file so that it blocks certain webpages.
      • However, it can slow down certain computers.
      • This is why using a hosts file is optional!!

      Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
      If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      1. Click the start button (at the lower left hand corner of your screen)
      2. Click run
      3. In the dialog box, type services.msc
      4. hit enter, then locate dns client
      5. Highlight it, then double-click it.
      6. On the dropdown box, change the setting from automatic to manual.
      7. Click ok

    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
      If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (if you choose Comodo: during installation uncheck "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!).



    Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
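The six Custom Level changes in the post above are per-user DWORD values under the Internet zone key (zone 3) of the Internet Settings hive: URL action IDs 1001, 1004, 1201, 1800, 1804 and 1607, with the documented encoding 0 = Enable, 1 = Prompt, 3 = Disable. As an added example, not part of Blade81's post and not a tool from this thread, the following Python renders those settings as a .reg file that can be imported on the affected machine and audits the output of `reg query` against them. The sample `reg query` output is constructed for the example.

```python
"""Registry-level equivalent of the Internet Explorer 'Custom Level' changes for the
Internet zone listed in the post above. Added example, not from the original post."""
from typing import Dict, List, Tuple

# Zone 3 is the Internet zone; the per-user settings live under HKCU.
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Documented encoding of a URL action value: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3

# URL action ID -> (setting as named in the IE dialog, value the post asks for)
HARDENING: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# CONSTRUCTED sample of `reg query "<ZONE3_KEY>"` output; 1607 is deliberately absent.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    DisplayName    REG_SZ    Internet
    1001    REG_DWORD    0x0
    1004    REG_DWORD    0x3
    1201    REG_DWORD    0x1
    1800    REG_DWORD    0x1
    1804    REG_DWORD    0x0
"""


def render_reg_file() -> str:
    """Build a Regedit 5 .reg file applying HARDENING; import it with `regedit /s file.reg`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for action, (_, value) in HARDENING.items():
        lines.append(f'"{action}"=dword:{value:08x}')   # .reg files take DWORDs as 8 hex digits
    return "\r\n".join(lines) + "\r\n"


def parse_reg_query(output: str) -> Dict[str, int]:
    """Parse `reg query` output lines like '    1001    REG_DWORD    0x1' into {action: value}."""
    values: Dict[str, int] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "REG_DWORD":
            values[parts[0]] = int(parts[2], 16)
    return values


def audit(current: Dict[str, int]) -> List[Tuple[str, str, str, int]]:
    """Return (action, name, current, required) for every setting more permissive than
    HARDENING. A value missing from the key means IE falls back to the zone template
    default, so it is reported as 'unset' and should be written explicitly."""
    weak = []
    for action, (name, required) in HARDENING.items():
        value = current.get(action)
        if value is None or value < required:   # 0 enable < 1 prompt < 3 disable
            weak.append((action, name, "unset" if value is None else str(value), required))
    return weak


if __name__ == "__main__":
    for action, name, have, want in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{action} {name}: is {have}, should be {want}")
    print(render_reg_file())
```

On the affected machine the audit input comes from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"`, and the rendered file is applied with `regedit /s`. The optional hosts-file step's "set DNS Client to Manual" has the same command-line equivalent, `sc config Dnscache start= demand` (the space after `start=` is required by sc).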

  8. #18
    Blade81, Security Expert: Emeritus, Join Date: Oct 2006, Location: Finland, Posts: 25,288

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
    Last edited by tashi; 2009-03-23 at 16:56. Reason: Thank you Blade81
