Batter Up: W32/Bagle.RC.worm - hldrrr.exe (think got rid of wintems.exe & mdelk.exe)

EasyEEE

New member

Ok, as others, I have been infected with several trojans.

Ready to listen to the Masters. ;)

I had scanned the files with Norton's Anti-Virus prior to executing the file. Of course, it said it was clean. Obviously, it wasn't. It uninstalled Norton's Anti-Virus and Firewall upon execution. Unable to reinstall.

Ran several on-line scanners, all claiming to have removed files, even tried to follow the replied walk-throughs. I believe I managed to get rid of wintems.exe and mdelk.exe, but at this point, who knows.

I still have the hldrrr.exe / Bagle.RC.worm. Fun.

Can't install Spybot.

I ran Deckard's System Scanner (DSS) earlier, and forgot to save the two files. Now, it will only create one. Is there a work around for that?

Ok, ready to do it. :D
 
Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-21 21:20:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:44 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7370 bytes

-- Files created between 2007-12-21 and 2008-01-21 -----------------------------

2008-01-21 20:54:40 0 d-------- C:\Program Files\Trend Micro
2008-01-21 15:42:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-21 15:42:04 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 15:15:50 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-20 11:18:19 0 d-------- C:\Documents and Settings\Owner\DesktopErunt
2008-01-20 00:00:00 102664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys <Not Verified; Trend Micro Inc.; ActiveClean>
2008-01-19 23:59:07 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-01-19 15:02:59 0 d-------- C:\WINDOWS\BDOSCAN8
2008-01-19 12:35:58 0 d-------- C:\WINDOWS\pss
2008-01-18 23:27:58 0 d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24:16 0 d-------- C:\WINDOWS\Sun
2008-01-18 19:24:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-01-18 13:10:43 0 d-------- C:\Program Files\Lavasoft
2008-01-18 13:10:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-18 13:10:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59:41 1158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41:46 0 d-------- C:\Program Files\Ontrack
2008-01-18 10:12:01 0 d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04:50 0 d-------- C:\Sym EndPoint
2008-01-17 09:04:56 0 d-------- C:\Program Files\QuickTime
2008-01-15 16:02:24 0 d-------- C:\HJSplit
2008-01-13 20:43:09 0 d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34:59 0 d-------- C:\Music
2008-01-13 20:22:08 25088 -----n--- C:\WINDOWS\system32\CTSVCCTL.EXE <Not Verified; Creative Technology Ltd; Creative Service Control>
2008-01-13 20:22:08 44032 -----n--- C:\WINDOWS\system32\CTSVCCDA.EXE <Not Verified; Creative Technology Ltd; Creative Service for CDROM Access>
2008-01-13 14:47:27 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2008-01-13 14:42:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-01-13 14:41:15 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 14:40:08 0 d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-01-13 14:40:08 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-01-13 11:45:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-13 11:43:51 2917 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-01-13 11:43:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-13 11:40:27 0 d-------- C:\Program Files\Apple Software Update
2008-01-13 11:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-07 16:36:41 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27:42 0 d-------- C:\Program Files\YourWare Solutions
2008-01-04 10:22:56 0 d-------- C:\Program Files\Activision
2008-01-04 10:20:17 0 d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19:11 0 d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09:40 0 d-------- C:\Saved
2008-01-03 16:26:39 0 d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25:50 0 d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28:52 0 d-------- C:\WINDOWS\nview
2008-01-02 22:52:12 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52:11 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45:48 0 d-------- C:\Program Files\ASUS
2008-01-01 23:21:46 0 d-------- C:\Program Files\SpeedFan
2008-01-01 13:38:20 0 d-------- C:\Mini CD DVD Images
2008-01-01 11:22:49 0 d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33:01 0 d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27:23 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-24 11:27:22 0 d-------- C:\Program Files\DVD Shrink
2007-12-23 06:59:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Creative
2007-12-23 05:19:06 0 d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:19:05 0 d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:15:25 0 d-------- C:\Program Files\Creative
2007-12-22 22:59:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-12-22 22:57:35 0 d-------- C:\Program Files\Nero
2007-12-22 22:57:35 0 d-------- C:\Program Files\Common Files\Nero
2007-12-22 22:57:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-22 22:26:44 0 d-------- C:\Program Files\DVD2one V2
2007-12-22 22:23:42 0 d-------- C:\Documents and Settings\Owner\Application Data\PgcEdit
2007-12-21 20:33:13 0 dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2007-12-21 14:10:28 0 d-------- C:\Program Files\Sierra Entertainment
2007-12-21 03:00:20 0 d-------- C:\Program Files\MSXML 4.0




End of Part 1
 
Part 2 of Deckard's System Scanner


-- Find3M Report ---------------------------------------------------------------

2008-01-21 15:07:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 14:55:07 0 d-------- C:\Program Files\Symantec
2008-01-21 14:48:16 0 d-------- C:\Program Files\Common Files
2008-01-20 11:04:05 0 d-------- C:\Documents and Settings\Owner\Application Data\NewsBin
2008-01-19 19:50:25 0 d-------- C:\Program Files\Google
2008-01-19 19:24:20 0 d-------- C:\Program Files\Digital Media Reader
2008-01-18 23:42:52 0 d-------- C:\Program Files\eMule
2008-01-18 10:08:20 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-01-18 09:41:07 40 --a------ C:\WINDOWS\system32\profile.dat
2008-01-12 21:18:16 0 d-------- C:\Program Files\Microsoft Games
2008-01-04 00:17:59 0 d-------- C:\Program Files\NewsBin
2008-01-03 16:41:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-20 20:12:51 0 d-------- C:\Program Files\Common Files\Microsoft Games
2007-12-18 12:59:36 0 d-------- C:\Program Files\IrfanView
2007-12-08 10:06:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Games
2007-12-08 07:53:57 0 d-------- C:\Program Files\DAEMON Tools
2007-12-07 21:13:07 0 d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-12-07 14:41:11 0 d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-07 14:39:55 0 d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2007-12-07 14:31:17 0 d-------- C:\Program Files\GameHouse
2007-12-06 23:01:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-12-06 22:55:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-06 22:45:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel
2007-12-06 16:50:20 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-05 01:41:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-12-05 01:41:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:41:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 01:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-12-05 01:41:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-12-05 01:41:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 01:41:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-12-05 01:41:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-12-04 20:21:58 0 d-------- C:\Program Files\AC3Filter
2007-12-04 20:20:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-12-04 20:04:39 0 d-------- C:\Program Files\DivX
2007-12-04 20:01:49 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-12-03 20:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 20:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-03 16:39:35 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-03 15:07:24 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-12-03 11:40:47 0 d-------- C:\Program Files\QuickPar
2007-12-03 08:44:01 0 d-------- C:\Program Files\McAfee
2007-12-03 08:08:19 0 d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 07:37:58 0 d-------- C:\Program Files\Napster
2007-12-03 07:11:33 0 d-------- C:\Program Files\Pure Networks
2007-12-03 07:10:08 0 d-------- C:\Program Files\Common Files\AOL
2007-12-03 07:10:03 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2007-12-03 06:19:18 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
2007-12-03 06:15:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-12-03 02:06:16 0 d-------- C:\Program Files\Microsoft Works
2007-12-03 02:06:05 0 d-------- C:\Program Files\MSN Encarta Plus
2007-12-03 02:04:56 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-12-03 02:04:56 0 d-------- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
2007-12-03 02:04:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-03 02:04:32 0 d-------- C:\Program Files\Real
2007-12-03 02:04:20 0 d-------- C:\Program Files\Viewpoint
2007-12-03 02:03:44 335 --a------ C:\WINDOWS\nsreg.dat
2007-12-03 02:03:36 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-03 02:03:23 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-03 02:02:30 0 d-------- C:\Program Files\Realtek
2007-12-03 02:01:22 0 d-------- C:\Program Files\Microsoft Digital Image 2006
2007-12-03 02:01:16 4 --a------ C:\WINDOWS\Pix11.dat
2007-12-03 02:00:13 0 d-------- C:\Program Files\Java
2007-12-03 01:59:54 0 d-------- C:\Program Files\Common Files\Java
2007-12-03 01:55:26 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-03 01:55:06 0 d-------- C:\Program Files\Microsoft.NET
2007-12-03 01:50:34 0 d-------- C:\Program Files\CyberLink
2007-12-03 01:49:52 0 d-------- C:\Program Files\Common Files\New Boundary
2007-12-03 01:47:44 2 -r-hs---- C:\USER
2007-12-03 01:46:53 0 d-------- C:\Program Files\CONEXANT
2007-12-03 00:42:45 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-12-03 00:41:37 0 d-------- C:\Program Files\Windows NT
2007-12-03 00:41:35 0 d-------- C:\Program Files\Movie Maker
2007-12-03 00:41:34 0 d-------- C:\Program Files\Messenger
2007-12-03 00:38:18 0 d-------- C:\Program Files\Windows Plus
2007-12-03 00:38:18 0 d-------- C:\Program Files\Online Services
2007-12-03 00:38:18 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-03 00:38:18 0 d-------- C:\Program Files\microsoft frontpage
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\ODBC
2007-12-03 00:38:18 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-03 00:38:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-11-29 17:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 17:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 17:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 16:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 01:36 PM C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 08:09 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [09/29/2007 04:53 PM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 07:16 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 08:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 11:56 PM]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [09/27/2007 11:10 PM]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [12/08/2004 08:57 PM C:\WINDOWS\zHotkey.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\ALCMTR.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [10/08/2004 05:03 AM]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 07:25 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/06/2007 07:06 AM]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [11/23/2006 05:12 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ecb3481-a1a7-11dc-98a5-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-01-21 21:21:04 ------------
 
Ice Sword Process:

Process:

System Idle Process
System
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\zHotkey.exe
 
Ice Sword Win32 Services:

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation



Under SSDT, there are 7 red entries of sptd.sys.
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 8:01:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 526068
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 134770
Number of viruses found: 3
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 03:34:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6cm3zby8.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Power2Go\CLML\CLDB.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HXM6BIOM\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HXM6BIOM\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKRU6YW8\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SRAF89YK\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SRAF89YK\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001424.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001431.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001442.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001443.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001450.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001490.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\A0001493.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000139.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000141.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000142.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000144.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000145.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000146.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000147.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000148.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000149.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000150.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000151.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000152.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000155.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000156.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000158.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000159.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000176.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0000177.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000299.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000300.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000317.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0000318.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000452.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000453.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000460.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000484.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000494.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000660.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000663.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000730.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP6\A0000734.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP7\A0000940.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB896256$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F2E3B076-8525-4719-81D2-4BC095B5A3A6}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP10\change.log Object is locked skipped

Scan process completed.
 
Hello



Please run Icesword


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Now, click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Now post all of the data collected under the headings for :

Processes
Win32 Services
SSDT
Startup
 
Thanks for the reply. All other requested information has been posted. Rebooted before posting that and haven't rebooted or made any system changes/attempts to fix since posted. Just a few games of Freecell. Appreciate the help!




Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini
 
Processes

Processes


Process:

System Idle Process
System
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\zHotkey.exe




Win32 Services:

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation




SSDT

7 red entries of sptd.sys




Startup

Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE
 
Perfect :)

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now for the fix. Close all windows and run IceSword.exe. Do not restart your PC until the very end, to ensure the fix works.

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe



Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them if present.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\german.exe
C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe



Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them if present.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa



Next navigate to these registry keys and delete the registry values in bold

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe


Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" tabs, taking note of any red entries from them and from the SSDT tab.
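An added check, not code from this thread or from IceSword: it parses the Startup log layout pasted above (registry key or folder on one line, value name on the next, command line on the third, blank line between entries) and flags entries by the three value names named in the fix plus two path heuristics, so the same comparison can be repeated after each reboot. The layout and the two path rules are my assumptions; the sample log is constructed from values posted in this thread.

```python
"""Triage an IceSword "Startup" log for Bagle-style persistence entries.

Added example, not from the thread or from IceSword. It parses the pasted
layout (key or folder, value name, command line, blank line) and reports
entries matching the indicators discussed above.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Run-key value names the helper told the poster to delete (from the thread).
KNOWN_BAD_VALUE_NAMES = {"drvsyskit", "mule_st_key", "german.exe"}

# Assumed heuristics: locations that are unusual for a legitimate Run entry,
# a user-writable Application Data folder or an .exe in the drivers folder.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\application data\\", re.IGNORECASE),
    re.compile(r"\\system32\\drivers\\[^\\]+\.exe$", re.IGNORECASE),
]

# Constructed sample in the pasted layout, using values from this thread.
SAMPLE_STARTUP_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
"""


@dataclass
class StartupEntry:
    location: str       # registry key or startup folder
    name: str = ""      # value name, or file name for folder entries
    command: str = ""   # command line (empty for folder entries)


def parse_icesword_startup(text: str) -> List[StartupEntry]:
    """Each blank-line-separated block of the log is one entry."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last block
        line = raw.strip()
        if line:
            block.append(line)
        elif block:
            entries.append(StartupEntry(*block[:3]))
            block = []
    return entries


def executable_path(command: str) -> str:
    """Program part of a Run command line: the quoted path, or everything up
    to the first .exe, so unquoted paths containing spaces survive."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command


def flag_entries(entries: List[StartupEntry]) -> List[Tuple[StartupEntry, List[str]]]:
    """Return (entry, reasons) for every entry that matches an indicator."""
    findings = []
    for entry in entries:
        reasons = []
        if entry.name.lower() in KNOWN_BAD_VALUE_NAMES:
            reasons.append("value name is a known Bagle persistence entry")
        path = executable_path(entry.command)
        if any(p.search(path) for p in SUSPICIOUS_PATH_PATTERNS):
            reasons.append(f"program runs from an unusual location: {path}")
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_icesword_startup(SAMPLE_STARTUP_LOG)):
        print(f"{entry.location}\n  {entry.name} -> {entry.command}")
        for reason in reasons:
            print(f"    ! {reason}")
```

The path heuristics say nothing about a normal-looking path such as the GoogleToolbarNotifier.exe that the Kaspersky scan above reported as infected, so treat the output as triage, not a verdict.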
 
The following files were not found:

C:\WINDOWS\system32\german.exe
C:\Documents and Settings\All Users\Application Data\hidires\hidr.exe



Pretty sure the following entry was not there (may have been, and I may have deleted it per your instructions):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa


ControlSet003 and ControlSet004 didn't exist:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\srosa



Processes


Process:

System Idle Process
System
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Documents and Settings\Owner\Desktop\IceSword\IceSword122en\IceSword.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\zHotkey.exe




Win32 Services

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:Browser Display Name:Computer Browser
Service Name:COMSysApp Display Name:COM+ System Application
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:EventSystem Display Name:COM+ Event System
Service Name:Eventlog Display Name:Event Log
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McrdSvc Display Name:Media Center Extender Service
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PnkBstrA Display Name:PnkBstrA
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:PrismXL Display Name:PrismXL
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SENS Display Name:System Event Notification
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:ehRecvr Display Name:Media Center Receiver Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:nTuneService Display Name:nTune Service
Service Name:seclogon Display Name:Secondary Logon
Service Name:srservice Display Name:System Restore Service
Service Name:winmgmt Display Name:Windows Management Instrumentation




SSDT

7 red entries of sptd.sys




Startup

Startup:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA nTune
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Program Files\DAEMON Tools\daemon.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CTSyncU.exe
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
german.exe
C:\WINDOWS\system32\wintems.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
readericon
C:\Program Files\Digital Media Reader\readericon45G.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Power2GoExpress
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSKDetectorExe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
High Definition Audio Property Page Shortcut
HDAShCut.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLMLServer
"C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CLJ


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CHotkey
zHotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE
 
Something is stopping it from being removed

Download ComboFix from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
Walked away while it was doing its scan. When I came back, apparently my system crashed (honestly doesn't do that very often at all).

What WAS interesting was a Windows Alert that Windows Firewall was blocking Flec06.exe or whatever... and asked if I wanted to keep blocking or allow. I allowed it to keep blocking.

Why that is interesting is that every time I check Windows Security, the Windows Firewall has been disabled. This is the first time since infection that it appears Windows Firewall has remained active through a re-boot.

Anyway, does the log file get created, or would there have been an option or notepad window open up?

Here is the HiJackThis Log following the auto-crash/reboot/whatever happened:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\Owner\Application Data\m\flec006.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7614 bytes
 
System did not reboot/crash.

ComboFix Scan completed in just a couple of minutes.

ComboFix 08-01-23.2 - Owner 2008-01-23 14:06:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1595 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa




((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 21:40 . 2008-01-23 09:49 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-22 21:38 . 2008-01-23 09:51 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-22 21:38 . 2004-10-08 05:03 837,281 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:50 --------- d-----w C:\Program Files\Google
2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
2007-12-22 01:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
2007-12-03 07:04 --------- d-----w C:\Program Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-12-03 07:00 --------- d-----w C:\Program Files\Java
2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 228,864 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"mule_st_key"="C:\Documents and Settings\Owner\Application Data\m\flec006.exe" [2008-01-23 09:49 96772]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
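The "Reg Loading Points" section above is what the helper reads to pick the next targets: an entry with empty brackets means ComboFix could not find the file on disk (a dead autorun left behind by a removed component), and an autorun living under a user's Application Data folder is a location no vendor software in this log uses. The following triage script is an added example, not part of the thread or of ComboFix; it parses that REGEDIT4-style layout over a constructed sample built from the kinds of lines seen in this log and flags those two conditions.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

ComboFix prints each Run-key entry as:  "name"="value" [timestamp size [resolved path]]
Empty brackets mean the referenced file was not found on disk.  When the value
is a bare file name (e.g. "nwiz.exe"), the resolved path is appended inside the
brackets after the size.
"""
import re
from dataclasses import dataclass, field
from typing import List

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')

# Path fragments that indicate a user-writable location (case-insensitive match).
USER_WRITABLE_MARKERS = ('\\application data\\', '\\temp\\')

# Constructed sample in the ComboFix layout; values modelled on the log above.
SAMPLE_RUN_KEYS = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
"mule_st_key"="C:\Documents and Settings\Owner\Application Data\m\flec006.exe" [2008-01-23 09:49 96772]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"CLJ"="" []
'''


@dataclass
class RunEntry:
    key: str
    name: str
    value: str
    resolved_path: str          # best-known on-disk path of the autorun binary
    file_present: bool          # False when ComboFix printed empty brackets
    flags: List[str] = field(default_factory=list)


def _resolve_path(value: str, meta: str) -> str:
    """Prefer the resolved path ComboFix appends after the size, else the raw value."""
    parts = meta.split(maxsplit=3)          # timestamp, time, size, [path with spaces]
    return parts[3] if len(parts) == 4 else value


def classify(entry: RunEntry) -> List[str]:
    """Return the triage flags for one Run-key entry (empty list = nothing notable)."""
    flags: List[str] = []
    if not entry.value:
        return ['empty_value']              # empty entry; harmless but worth noting
    if not entry.file_present:
        flags.append('file_missing')        # dead autorun pointing at a deleted file
    low = entry.resolved_path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        flags.append('user_writable_location')
    if '\\drivers\\' in low and low.endswith('.exe'):
        flags.append('exe_in_drivers_dir')  # drivers are .sys; an .exe there is odd
    return flags


def parse_reg_loading_points(text: str) -> List[RunEntry]:
    """Parse the Run-key blocks of a ComboFix log into classified RunEntry records."""
    entries: List[RunEntry] = []
    current_key = ''
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        meta = m.group('meta').strip()
        value = m.group('value')
        entry = RunEntry(key=current_key, name=m.group('name'), value=value,
                         resolved_path=_resolve_path(value, meta),
                         file_present=bool(meta))
        entry.flags = classify(entry)
        entries.append(entry)
    return entries


def suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Only the entries that carry at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in suspicious(parse_reg_loading_points(SAMPLE_RUN_KEYS)):
        print(f'{e.key}\n  "{e.name}" -> {e.resolved_path or "<empty>"}  flags={e.flags}')
```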
 
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Documents and Settings\Owner\Application Data\m\flec006.exe

Folder::
C:\WINDOWS\system32\drivers\down

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
"mule_st_key"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
 
ComboFix scanned, appeared to remove the bad files/entries, rebooted, continued, created log.

ComboFix

ComboFix 08-01-23.2 - Owner 2008-01-23 14:22:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\m\flec006.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\124687.exe
C:\WINDOWS\system32\drivers\down\132234.exe
C:\WINDOWS\system32\drivers\down\134390.exe
C:\WINDOWS\system32\drivers\down\137687.exe
C:\WINDOWS\system32\drivers\down\139546.exe
C:\WINDOWS\system32\drivers\down\143531.exe
C:\WINDOWS\system32\drivers\down\14720625.exe
C:\WINDOWS\system32\drivers\down\14745734.exe
C:\WINDOWS\system32\drivers\down\14747859.exe
C:\WINDOWS\system32\drivers\down\14751312.exe
C:\WINDOWS\system32\drivers\down\14761671.exe
C:\WINDOWS\system32\drivers\down\14770984.exe
C:\WINDOWS\system32\drivers\down\14796437.exe
C:\WINDOWS\system32\drivers\down\14802640.exe
C:\WINDOWS\system32\drivers\down\14802750.exe
C:\WINDOWS\system32\drivers\down\148031.exe
C:\WINDOWS\system32\drivers\down\14808578.exe
C:\WINDOWS\system32\drivers\down\14812015.exe
C:\WINDOWS\system32\drivers\down\14844312.exe
C:\WINDOWS\system32\drivers\down\14845390.exe
C:\WINDOWS\system32\drivers\down\14853546.exe
C:\WINDOWS\system32\drivers\down\14865218.exe
C:\WINDOWS\system32\drivers\down\14871031.exe
C:\WINDOWS\system32\drivers\down\14872718.exe
C:\WINDOWS\system32\drivers\down\14873171.exe
C:\WINDOWS\system32\drivers\down\14873687.exe
C:\WINDOWS\system32\drivers\down\14877234.exe
C:\WINDOWS\system32\drivers\down\14878968.exe
C:\WINDOWS\system32\drivers\down\14911875.exe
C:\WINDOWS\system32\drivers\down\14915781.exe
C:\WINDOWS\system32\drivers\down\14923234.exe
C:\WINDOWS\system32\drivers\down\190312.exe
C:\WINDOWS\system32\drivers\down\193578.exe
C:\WINDOWS\system32\drivers\down\194031.exe
C:\WINDOWS\system32\drivers\down\198828.exe
C:\WINDOWS\system32\drivers\down\200984.exe
C:\WINDOWS\system32\drivers\down\232718.exe
C:\WINDOWS\system32\drivers\down\233484.exe
C:\WINDOWS\system32\drivers\down\236406.exe
C:\WINDOWS\system32\drivers\down\241703.exe
C:\WINDOWS\system32\drivers\down\243453.exe
C:\WINDOWS\system32\drivers\down\245484.exe
C:\WINDOWS\system32\drivers\down\246093.exe
C:\WINDOWS\system32\drivers\down\246843.exe
C:\WINDOWS\system32\drivers\down\270250.exe
C:\WINDOWS\system32\drivers\down\272859.exe
C:\WINDOWS\system32\drivers\down\29338000.exe
C:\WINDOWS\system32\drivers\down\29341859.exe
C:\WINDOWS\system32\drivers\down\29343687.exe
C:\WINDOWS\system32\drivers\down\29345671.exe
C:\WINDOWS\system32\drivers\down\29350109.exe
C:\WINDOWS\system32\drivers\down\29352515.exe
C:\WINDOWS\system32\drivers\down\29368203.exe
C:\WINDOWS\system32\drivers\down\29371015.exe
C:\WINDOWS\system32\drivers\down\29371234.exe
C:\WINDOWS\system32\drivers\down\29376687.exe
C:\WINDOWS\system32\drivers\down\29378734.exe
C:\WINDOWS\system32\drivers\down\29380359.exe
C:\WINDOWS\system32\drivers\down\29380921.exe
C:\WINDOWS\system32\drivers\down\29384109.exe
C:\WINDOWS\system32\drivers\down\29390015.exe
C:\WINDOWS\system32\drivers\down\29391968.exe
C:\WINDOWS\system32\drivers\down\29392437.exe
C:\WINDOWS\system32\drivers\down\29392734.exe
C:\WINDOWS\system32\drivers\down\29393843.exe
C:\WINDOWS\system32\drivers\down\29395640.exe
C:\WINDOWS\system32\drivers\down\29396937.exe
C:\WINDOWS\system32\drivers\down\29427640.exe
C:\WINDOWS\system32\drivers\down\29429765.exe
C:\WINDOWS\system32\drivers\down\29436031.exe
C:\WINDOWS\system32\drivers\down\302578.exe
C:\WINDOWS\system32\drivers\down\304953.exe
C:\WINDOWS\system32\drivers\down\310906.exe
C:\WINDOWS\system32\drivers\down\43844406.exe
C:\WINDOWS\system32\drivers\down\43848078.exe
C:\WINDOWS\system32\drivers\down\43850421.exe
C:\WINDOWS\system32\drivers\down\43892437.exe
C:\WINDOWS\system32\drivers\down\43895375.exe
C:\WINDOWS\system32\drivers\down\43898000.exe
C:\WINDOWS\system32\drivers\down\43941828.exe
C:\WINDOWS\system32\drivers\down\43944203.exe
C:\WINDOWS\system32\drivers\down\43944390.exe
C:\WINDOWS\system32\drivers\down\43952187.exe
C:\WINDOWS\system32\drivers\down\43954203.exe
C:\WINDOWS\system32\drivers\down\43956906.exe
C:\WINDOWS\system32\drivers\down\43957593.exe
C:\WINDOWS\system32\drivers\down\43962218.exe
C:\WINDOWS\system32\drivers\down\43967953.exe
C:\WINDOWS\system32\drivers\down\43970437.exe
C:\WINDOWS\system32\drivers\down\43971281.exe
C:\WINDOWS\system32\drivers\down\43974828.exe
C:\WINDOWS\system32\drivers\down\43978625.exe
C:\WINDOWS\system32\drivers\down\43987078.exe
C:\WINDOWS\system32\drivers\down\43988875.exe
C:\WINDOWS\system32\drivers\down\44018937.exe
C:\WINDOWS\system32\drivers\down\44022828.exe
C:\WINDOWS\system32\drivers\down\44029203.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa






((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 14:24 . 2008-01-23 14:24 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-23 14:24 . 2008-01-23 14:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 14:24 . 2008-01-23 14:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 13:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 20:54 . 2008-01-21 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:42 . 2008-01-21 15:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 14:55 . 2008-01-21 14:55 <DIR> d-------- C:\Deckard
2008-01-20 00:00 . 2008-01-22 10:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:24 . 2008-01-19 18:24 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 18:24 . 2008-01-19 18:24 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 15:02 . 2008-01-20 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-18 23:27 . 2008-01-21 15:01 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-01-18 19:24 . 2008-01-18 19:24 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 13:10 . 2008-01-18 13:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 13:10 . 2008-01-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:59 . 2008-01-18 12:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-18 12:41 . 2008-01-18 12:42 <DIR> d-------- C:\Program Files\Ontrack
2008-01-18 10:12 . 2008-01-18 10:17 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-01-18 10:04 . 2008-01-18 10:05 <DIR> d-------- C:\Sym EndPoint
2008-01-17 09:04 . 2008-01-17 09:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 20:11 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-15 16:02 . 2008-01-21 20:28 <DIR> d-------- C:\HJSplit
2008-01-13 20:43 . 2008-01-13 20:43 <DIR> d-------- C:\Program Files\MediaMonkey
2008-01-13 20:34 . 2008-01-13 22:58 <DIR> d-------- C:\Music
2008-01-13 20:22 . 1999-12-13 01:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-13 20:22 . 1999-11-18 01:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-13 14:41 . 2008-01-13 14:41 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-01-13 11:40 . 2008-01-13 11:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-07 16:36 . 2008-01-07 16:36 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-01-06 23:27 . 2008-01-06 23:27 <DIR> d-------- C:\Program Files\YourWare Solutions
2008-01-04 11:15 . 2008-01-17 10:27 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-04 11:15 . 2008-01-07 16:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-04 11:15 . 2008-01-17 10:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 11:15 . 2008-01-04 11:15 319 --a------ C:\WINDOWS\game.ini
2008-01-04 10:22 . 2008-01-04 10:22 <DIR> d-------- C:\Program Files\Activision
2008-01-04 10:20 . 2008-01-04 10:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-03 19:19 . 2008-01-03 19:19 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-03 18:09 . 2008-01-21 20:27 <DIR> d-------- C:\Saved
2008-01-03 16:26 . 2008-01-03 16:26 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-01-03 16:25 . 2008-01-03 16:25 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-02 23:28 . 2008-01-15 20:35 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 23:28 . 2008-01-15 20:11 164,081 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-02 23:28 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-02 23:09 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-02 22:52 . 2008-01-02 22:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-02 22:52 . 2008-01-02 22:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-01 23:45 . 2008-01-01 23:45 <DIR> d-------- C:\Program Files\ASUS
2008-01-01 23:21 . 2008-01-07 23:36 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-01 18:58 . 2008-01-01 23:21 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-01 13:38 . 2008-01-01 13:38 <DIR> d-------- C:\Mini CD DVD Images
2008-01-01 11:22 . 2008-01-01 11:23 <DIR> d-------- C:\Program Files\RivaTuner v2.06
2007-12-24 11:33 . 2007-12-24 11:33 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-23 05:19 . 2008-01-13 20:58 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-12-23 05:19 . 2007-12-23 05:19 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-12-23 05:15 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\Creative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:23 --------- d-----w C:\Program Files\eMule
2008-01-21 20:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 19:55 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:50 --------- d-----w C:\Program Files\Google
2008-01-20 00:24 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-13 02:18 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 23:35 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-04 05:17 --------- d-----w C:\Program Files\NewsBin
2007-12-23 03:57 --------- d-----w C:\Program Files\Nero
2007-12-23 03:26 --------- d-----w C:\Program Files\DVD2one V2
2007-12-21 19:10 --------- d-----w C:\Program Files\Sierra Entertainment
2007-12-21 08:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-21 01:12 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-18 17:59 --------- d-----w C:\Program Files\IrfanView
2007-12-08 12:53 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-08 12:49 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-07 19:31 --------- d-----w C:\Program Files\GameHouse
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 01:21 --------- d-----w C:\Program Files\AC3Filter
2007-12-05 01:04 --------- d-----w C:\Program Files\DivX
2007-12-03 21:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 16:40 --------- d-----w C:\Program Files\QuickPar
2007-12-03 13:44 --------- d-----w C:\Program Files\McAfee
2007-12-03 13:08 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-03 12:37 --------- d-----w C:\Program Files\Napster
2007-12-03 12:11 --------- d-----w C:\Program Files\Pure Networks
2007-12-03 12:10 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-03 07:06 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-03 07:06 --------- d-----w C:\Program Files\Microsoft Works
2007-12-03 07:04 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-03 07:04 --------- d-----w C:\Program Files\Viewpoint
2007-12-03 07:04 --------- d-----w C:\Program Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 07:04 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-03 07:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-03 07:02 --------- d-----w C:\Program Files\Realtek
2007-12-03 07:01 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-12-03 07:00 --------- d-----w C:\Program Files\Java
2007-12-03 06:59 --------- d-----w C:\Program Files\Common Files\Java
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-03 06:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-03 06:50 --------- d-----w C:\Program Files\CyberLink
2007-12-03 06:49 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-03 06:46 --------- d-----w C:\Program Files\CONEXANT
2007-12-03 05:38 --------- d-----w C:\Program Files\Windows Plus
2007-12-03 05:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_13.32.23.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 18:22:30 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 19:22:05 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 18:22:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 19:22:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 18:22:30 3,874,816 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 19:22:05 3,883,008 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 18:22:30 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:22:05 57,344 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 19:25:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-10-08 05:03 837281]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06 167368]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09 139264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16 1121792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"CLJ"="" []
"CHotkey"="zHotkey.exe" [2004-12-08 20:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 14:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 14:24:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
 
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196686463109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7389 bytes
 