Virtumonde.dll/netstat4.dll infection

H

hostile17

New member
According to Spybot-S&D, that's what I have. Selected 'remove' and promptly restarted, only to re-run the scan with the same results. SpyBot results log is posted after dds results.

Thank You.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Steven at 21:28:52.18 on Fri 01/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.525 [GMT -8:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steven\Desktop\dds.scr
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinPatrol System Monitor] c:\program files\billp studios\winpatrol\WinPatrol.exe
uRunOnce: [SpybotDeletingB5350] command.com /c del "c:\windows\system32\netstat4.dll"
uRunOnce: [SpybotDeletingD4085] cmd.exe /c del "c:\windows\system32\netstat4.dll"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: [SpybotDeletingA26] command.com /c del "c:\windows\system32\netstat4.dll"
mRunOnce: [SpybotDeletingC5208] cmd.exe /c del "c:\windows\system32\netstat4.dll"
StartupFolder: c:\docume~1\steven\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = :\WINDOW
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-12-5 3968]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-2 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-2 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-2 61960]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1901056]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2011-1-2 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2011-1-2 46592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2011-1-2 116224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate); [x]

=============== Created Last 30 ================

2011-01-08 04:38:17 -------- d-----w- C:\VundoFix Backups
2011-01-05 11:06:14 201484 ----a-w- c:\windows\system32\drivers\umss.sys
2011-01-04 10:45:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 01:23:54 46592 ----a-w- c:\windows\system32\drivers\UBUMAPI.sys
2011-01-03 01:23:54 17408 ----a-w- c:\windows\system32\drivers\UBSBM.sys
2011-01-03 01:23:54 127488 ----a-w- c:\windows\system32\drivers\UB1394.sys
2011-01-03 01:23:54 116224 ----a-w- c:\windows\system32\drivers\ubohci.sys
2011-01-01 11:45:44 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-01 11:42:22 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-01 11:42:22 45056 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-01 11:42:22 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-01 11:42:22 3280896 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-01 11:42:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-01 11:42:21 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2011-01-01 11:42:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-01 11:42:20 303104 ----a-w- c:\windows\system32\atiok3x2.dll
2011-01-01 11:42:20 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2010-12-31 01:11:17 258048 ----a-w- c:\windows\system32\UCI32M40.dll
2010-12-31 01:11:16 8704 ----a-r- c:\windows\system32\drivers\XAudio32.sys
2010-12-31 01:11:16 410624 ----a-r- c:\windows\system32\XAudio32.dll
2010-12-31 00:55:37 -------- d-----w- c:\docume~1\steven\locals~1\applic~1\Innovative Solutions
2010-12-31 00:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Innovative Solutions
2010-12-31 00:55:28 -------- d-----w- c:\program files\Innovative Solutions
2010-12-31 00:14:56 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-12-31 00:14:56 105088 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-12-31 00:07:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-31 00:07:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-30 23:57:25 -------- d-----w- c:\program files\Apoint2K
2010-12-30 23:38:18 -------- d-----w- c:\program files\Realtek
2010-12-30 23:14:44 -------- d-----w- c:\program files\Realtek AC97
2010-12-30 23:14:25 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2010-12-30 23:14:25 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2010-12-30 23:14:25 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2010-12-30 23:14:25 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2010-12-30 23:14:25 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2010-12-30 23:14:22 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2010-12-30 23:14:22 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2010-12-30 22:56:05 -------- d-----w- c:\docume~1\steven\applic~1\DeviceDoctorSoftware
2010-12-30 22:34:37 -------- d-----w- c:\documents and settings\all users\Uniblue
2010-12-30 22:14:59 -------- d-----w- c:\docume~1\steven\applic~1\MSNInstaller
2010-12-29 08:16:29 -------- d-----w- c:\windows\system32\CatRoot2
2010-12-15 10:35:59 5959168 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-12-15 10:35:56 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-15 10:35:11 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 10:26:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-09 23:07:32 -------- d-----w- c:\docume~1\steven\applic~1\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2010-12-09 23:07:28 -------- d-----w- c:\program files\FOX News Live

==================== Find3M ====================

2011-01-04 10:44:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-31 04:33:43 520192 ----a-w- c:\windows\system32\ati2sgag.exe
2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 21:30:45.40 ===============



Virtumonde.dll: [SBI $2F4068FC] Library (File, nothing done)
C:\WINDOWS\system32\netstat4.dll
Properties.size=83968
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Properties.filedate=1290910239
Properties.filedatetext=2010-11-27 18:10:38


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-18 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-10-05 Includes\Adware.sbi (*)
2010-11-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2010-12-14 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2010-11-30 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2010-12-14 Includes\KeyloggersC.sbi (*)
2010-12-14 Includes\Malware.sbi (*)
2011-01-04 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-12-14 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-12-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-12-28 Includes\Spyware.sbi (*)
2010-12-28 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2010-12-17 Includes\TrojansC-02.sbi (*)
2010-12-16 Includes\TrojansC-03.sbi (*)
2010-12-16 Includes\TrojansC-04.sbi (*)
2011-01-04 Includes\TrojansC-05.sbi (*)
2010-12-28 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
Thank you for your reply.

Ok. I tried to upload C:\WINDOWS\system32\netstat4.dll file to http://www.virustotal.com, but it appeared to either not be present in that folder, or invisible.

I made sure to have 'show hidden files' checked and the only similarly named items found were:

C:\WINDOWS\$NtServicePackUninstall$\netstat.exe
C:\WINDOWS\system32\netstat.exe
C:\WINDOWS\ServicePackFiles\i386\netstat.exe

A re-running of Spybot indicated that C:\WINDOWS\system32\netstat4.dll was still there, though.

I also used a technique of opening a .rar archive using winrar, then navigated up into system32 and was able to view some otherwise 'hidden' files in that folder. According to winrar, netstat4.dll is indeed there. I clicked 'view file' and got an 'access is denied' message. Out of curiosity, I tried to see what would happen if I tried to manually delete it. (I figured it wouldn't let me). It asked if I was sure (and said it was a read-only file). I clicked 'yes' and deletion was denied (I guess it was running, so it was protected). I saved a screenshot if needed.

I don't know how to make http://www.virustotal.com recognize this 'invisible' file in the same way WinRAR does, so I was ultimately unsuccessful at uploading it for analysis there.

I also ran a program called RootAlyzer (selecting the 'deep scan' option) and it singled out C:\WINDOWS\system32\netstat4.dll, saying "No admin in ACL". (I saved a screenshot of that as well).


I also uninstalled AVG Anti-Rootkit and left Avira AntiVir alone.

Thanks Again.
 
Hi,

Don't try to delete that file since it may be a false positive. Please reboot and don't start Spybot to make sure it doesn't lock the file.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Then see if you're able to upload the file.
 
Unchecking the 'Hide protected operating system files (recommended)' box did the trick. However, after clicking 'send file', the little 'sending file' box opened and then quickly closed and put me right back on the http://www.virustotal.com homepage.

I then attempted to upload a file of the same type and size and it worked fine. Uploading the netstat4.dll file simply refused to work.

Viewing the file in Explorer told me that the file is:

an Application Extension
82 kb in size
read-only
hidden
Created Saturday, November 27, 2010, 6:10:38 PM
Modified Saturday, November 27, 2010, 6:10:38 PM
Accessed Thursday, December 30, 2010, 4:14:08 AM
Status Online
Attributes RHSA
Owner STEVEN-D6F7F5D5\Steven
Company [Blank]
Description [Blank]
File Version [Blank]
Product Name [Blank]
Product Version [Blank]
 
Hi,

Click start -> run type cmd.exe. type following three commands one by one in the command prompt window:
attrib -r -h -s -a C:\WINDOWS\system32\netstat4.dll
copy /y C:\WINDOWS\system32\netstat4.dll C:\netstat4.dll
attrib +r +h +s +a C:\WINDOWS\system32\netstat4.dll

If all went well there should be netstat4.dll file in c: root (c:\). See if you're able to upload it.
 
Hello,

Typing in the first command got me:

Acces Denied - C:\WINDOWS\system32\netstat4.dll

(I figured the next two commands weren't worth entering.)



Is this behavior typical of any other known 'safe' system32 files, I wonder?
 
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Hello,

I disabled Avira and shut down Comodo Firewall and WinPatrol before running ComboFix. I don't know if it matters, but after ComboFix restarted my computer, those programs restarted along with Windows (I don't know if the logs reflect that or not). They were disabled/closed when I ran comboFix, though.

Thanks



ComboFix 11-01-12.04 - Steven 01/13/2011 6:00.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.649 [GMT -8:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-08 05:23 . 2011-01-08 05:24 -------- d-----w- c:\program files\ERUNT
2011-01-05 11:06 . 2005-04-29 23:18 201484 ----a-w- c:\windows\system32\drivers\umss.sys
2011-01-04 10:45 . 2011-01-04 10:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 01:23 . 2010-02-27 03:39 116224 ----a-w- c:\windows\system32\drivers\ubohci.sys
2011-01-03 01:23 . 2010-02-27 03:38 46592 ----a-w- c:\windows\system32\drivers\UBUMAPI.sys
2011-01-03 01:23 . 2010-02-27 03:38 17408 ----a-w- c:\windows\system32\drivers\UBSBM.sys
2011-01-03 01:23 . 2010-02-27 03:38 127488 ----a-w- c:\windows\system32\drivers\UB1394.sys
2011-01-01 11:45 . 2011-01-01 11:45 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-01 11:42 . 2009-07-22 02:55 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-01 11:42 . 2009-04-29 11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-01 11:42 . 2009-04-29 10:18 3280896 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-01 11:42 . 2009-02-26 12:44 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-01 11:42 . 2008-10-22 10:51 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-01 11:42 . 2009-04-29 10:20 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-01 11:42 . 2009-04-29 10:17 303104 ----a-w- c:\windows\system32\atiok3x2.dll
2010-12-31 01:11 . 2009-04-23 10:24 258048 ----a-w- c:\windows\system32\UCI32M40.dll
2010-12-31 01:11 . 2009-04-29 11:21 410624 ----a-r- c:\windows\system32\XAudio32.dll
2010-12-31 01:11 . 2009-04-29 11:20 8704 ----a-r- c:\windows\system32\drivers\XAudio32.sys
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\program files\Innovative Solutions
2010-12-31 00:14 . 2009-03-03 12:18 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-12-31 00:14 . 2008-02-25 20:54 105088 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-12-31 00:07 . 2010-12-31 00:07 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-30 23:57 . 2010-12-31 00:07 -------- d-----w- c:\program files\Apoint2K
2010-12-30 23:38 . 2010-12-30 23:38 -------- d-----w- c:\program files\Realtek
2010-12-30 23:14 . 2010-12-30 23:14 -------- d-----w- c:\program files\Realtek AC97
2010-12-30 23:14 . 2006-02-07 23:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2010-12-30 23:14 . 2006-02-07 23:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2010-12-30 23:14 . 2006-02-07 23:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2010-12-30 23:14 . 2006-02-07 23:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2010-12-30 23:14 . 2005-11-14 07:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2010-12-30 23:14 . 2010-12-30 23:14 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2010-12-30 23:14 . 2010-12-30 23:14 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2010-12-30 22:56 . 2010-12-30 22:56 -------- d-----w- c:\documents and settings\Steven\Application Data\DeviceDoctorSoftware
2010-12-30 22:34 . 2010-12-30 22:34 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-12-30 22:14 . 2010-12-30 22:21 -------- d-----w- c:\documents and settings\Steven\Application Data\MSNInstaller
2010-12-29 08:16 . 2011-01-13 14:06 -------- d-----w- c:\windows\system32\CatRoot2
2010-12-15 10:35 . 2010-11-06 00:26 5959168 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-12-15 10:35 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-15 10:35 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 10:26 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-12 01:27 . 2010-09-11 07:41 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 01:26 . 2010-09-11 07:40 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 01:26 . 2010-09-11 07:40 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 01:26 . 2010-09-11 07:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-12 01:26 . 2010-09-11 07:40 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-04 10:44 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-31 04:33 . 2009-07-13 12:22 520192 ----a-w- c:\windows\system32\ati2sgag.exe
2010-12-22 12:48 . 2010-12-02 08:01 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-21 02:09 . 2010-08-29 04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-08-29 04:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 02:48 . 2010-12-02 08:01 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-07-13 11:45 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-11-26 12:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol System Monitor"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2010-05-31 323976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-12 2548040]

c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 21:47 57344 ------w- c:\windows\Alcxmntr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ose"=3 (0x3)
"TMWebProtect"=2 (0x2)
"TmProxy"=2 (0x2)
"MatSvc"=3 (0x3)
"IS360service"=2 (0x2)
"sp_rssrv"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"gupdate"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 27576]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2010 12:01 AM 135336]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [1/2/2011 5:23 PM 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [1/2/2011 5:23 PM 46592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [1/2/2011 5:23 PM 116224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 gupdate;Google Update Service (gupdate); [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-13 06:11
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-01-13 06:15:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 14:15

Pre-Run: 129,621,504,000 bytes free
Post-Run: 129,448,132,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5F88C7B5407A507097FC2807AE6781C9







DDS (Ver_10-12-12.02) - NTFSx86
Run by Steven at 6:17:25.64 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.549 [GMT -8:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steven\Desktop\hg\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WinPatrol System Monitor] c:\program files\billp studios\winpatrol\WinPatrol.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\steven\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 27576]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-2 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-2 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-2 61960]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1771288]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2011-1-2 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2011-1-2 46592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2011-1-2 116224]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate); [x]

=============== Created Last 30 ================

2011-01-13 13:59:56 -------- d-sha-r- C:\cmdcons
2011-01-13 13:56:12 98816 ----a-w- c:\windows\sed.exe
2011-01-13 13:56:12 89088 ----a-w- c:\windows\MBR.exe
2011-01-13 13:56:12 256512 ----a-w- c:\windows\PEV.exe
2011-01-13 13:56:12 161792 ----a-w- c:\windows\SWREG.exe
2011-01-05 11:06:14 201484 ----a-w- c:\windows\system32\drivers\umss.sys
2011-01-04 10:45:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 01:23:54 46592 ----a-w- c:\windows\system32\drivers\UBUMAPI.sys
2011-01-03 01:23:54 17408 ----a-w- c:\windows\system32\drivers\UBSBM.sys
2011-01-03 01:23:54 127488 ----a-w- c:\windows\system32\drivers\UB1394.sys
2011-01-03 01:23:54 116224 ----a-w- c:\windows\system32\drivers\ubohci.sys
2011-01-01 11:45:44 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-01 11:42:22 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-01 11:42:22 45056 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-01 11:42:22 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-01 11:42:22 3280896 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-01 11:42:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-01 11:42:21 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2011-01-01 11:42:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-01 11:42:20 303104 ----a-w- c:\windows\system32\atiok3x2.dll
2011-01-01 11:42:20 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2010-12-31 01:11:17 258048 ----a-w- c:\windows\system32\UCI32M40.dll
2010-12-31 01:11:16 8704 ----a-r- c:\windows\system32\drivers\XAudio32.sys
2010-12-31 01:11:16 410624 ----a-r- c:\windows\system32\XAudio32.dll
2010-12-31 00:55:37 -------- d-----w- c:\docume~1\steven\locals~1\applic~1\Innovative Solutions
2010-12-31 00:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Innovative Solutions
2010-12-31 00:55:28 -------- d-----w- c:\program files\Innovative Solutions
2010-12-31 00:14:56 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-12-31 00:14:56 105088 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-12-31 00:07:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-31 00:07:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-30 23:57:25 -------- d-----w- c:\program files\Apoint2K
2010-12-30 23:38:18 -------- d-----w- c:\program files\Realtek
2010-12-30 23:14:44 -------- d-----w- c:\program files\Realtek AC97
2010-12-30 23:14:25 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2010-12-30 23:14:25 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2010-12-30 23:14:25 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2010-12-30 23:14:25 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2010-12-30 23:14:25 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2010-12-30 23:14:22 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2010-12-30 23:14:22 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2010-12-30 22:56:05 -------- d-----w- c:\docume~1\steven\applic~1\DeviceDoctorSoftware
2010-12-30 22:34:37 -------- d-----w- c:\documents and settings\all users\Uniblue
2010-12-30 22:14:59 -------- d-----w- c:\docume~1\steven\applic~1\MSNInstaller
2010-12-29 08:16:29 -------- d-----w- c:\windows\system32\CatRoot2
2010-12-15 10:35:59 5959168 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-12-15 10:35:56 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-15 10:35:11 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 10:26:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

==================== Find3M ====================

2011-01-12 01:27:06 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-04 10:44:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-31 04:33:43 520192 ----a-w- c:\windows\system32\ati2sgag.exe
2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 6:18:23.92 ===============
 
Good. Time for the next steps.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
http://forums.spybot.info/showthread.php?p=393701#post393701
Suspect::[76]
C:\WINDOWS\system32\netstat4.dll


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
 
Hello,

The first message I got was:
ComboFix needs to submit files for further analysis.
Please ensure that you're connected to the internet before clicking ok.

After clicking 'ok', inside the ComboFix window it eventually read:
Uploading files to server... 100%

Then, i received an Upload Failed!! message saying:
Web server appears to be temporarily inaccessible. For your convenience, ComboFix created a submissions form located at
*C:\CF-Submit.htm

Please use that to manually upload it later.



Here is the log:

ComboFix 11-01-13.01 - Steven 01/14/2011 0:33.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.567 [GMT -8:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

file zipped: c:\windows\system32\netstat4.dll
.

((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-08 05:23 . 2011-01-08 05:24 -------- d-----w- c:\program files\ERUNT
2011-01-05 11:06 . 2005-04-29 23:18 201484 ----a-w- c:\windows\system32\drivers\umss.sys
2011-01-04 10:45 . 2011-01-04 10:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 01:23 . 2010-02-27 03:39 116224 ----a-w- c:\windows\system32\drivers\ubohci.sys
2011-01-03 01:23 . 2010-02-27 03:38 46592 ----a-w- c:\windows\system32\drivers\UBUMAPI.sys
2011-01-03 01:23 . 2010-02-27 03:38 17408 ----a-w- c:\windows\system32\drivers\UBSBM.sys
2011-01-03 01:23 . 2010-02-27 03:38 127488 ----a-w- c:\windows\system32\drivers\UB1394.sys
2011-01-01 11:45 . 2011-01-01 11:45 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-01 11:42 . 2009-07-22 02:55 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-01 11:42 . 2009-04-29 11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-01 11:42 . 2009-04-29 10:18 3280896 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-01 11:42 . 2009-02-26 12:44 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-01 11:42 . 2008-10-22 10:51 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-01 11:42 . 2009-04-29 10:20 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-01 11:42 . 2009-04-29 10:17 303104 ----a-w- c:\windows\system32\atiok3x2.dll
2010-12-31 01:11 . 2009-04-23 10:24 258048 ----a-w- c:\windows\system32\UCI32M40.dll
2010-12-31 01:11 . 2009-04-29 11:21 410624 ----a-r- c:\windows\system32\XAudio32.dll
2010-12-31 01:11 . 2009-04-29 11:20 8704 ----a-r- c:\windows\system32\drivers\XAudio32.sys
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\program files\Innovative Solutions
2010-12-31 00:14 . 2009-03-03 12:18 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-12-31 00:14 . 2008-02-25 20:54 105088 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-12-31 00:07 . 2010-12-31 00:07 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-30 23:57 . 2010-12-31 00:07 -------- d-----w- c:\program files\Apoint2K
2010-12-30 23:38 . 2010-12-30 23:38 -------- d-----w- c:\program files\Realtek
2010-12-30 23:14 . 2010-12-30 23:14 -------- d-----w- c:\program files\Realtek AC97
2010-12-30 23:14 . 2006-02-07 23:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2010-12-30 23:14 . 2006-02-07 23:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2010-12-30 23:14 . 2006-02-07 23:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2010-12-30 23:14 . 2006-02-07 23:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2010-12-30 23:14 . 2005-11-14 07:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2010-12-30 23:14 . 2010-12-30 23:14 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2010-12-30 23:14 . 2010-12-30 23:14 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2010-12-30 22:56 . 2010-12-30 22:56 -------- d-----w- c:\documents and settings\Steven\Application Data\DeviceDoctorSoftware
2010-12-30 22:34 . 2010-12-30 22:34 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-12-30 22:14 . 2010-12-30 22:21 -------- d-----w- c:\documents and settings\Steven\Application Data\MSNInstaller
2010-12-29 08:16 . 2011-01-14 07:58 -------- d-----w- c:\windows\system32\CatRoot2
2010-12-15 10:35 . 2010-11-06 00:26 5959168 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-12-15 10:35 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-15 10:35 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 10:26 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-12 01:27 . 2010-09-11 07:41 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 01:26 . 2010-09-11 07:40 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 01:26 . 2010-09-11 07:40 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 01:26 . 2010-09-11 07:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-12 01:26 . 2010-09-11 07:40 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-04 10:44 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-31 04:33 . 2009-07-13 12:22 520192 ----a-w- c:\windows\system32\ati2sgag.exe
2010-12-22 12:48 . 2010-12-02 08:01 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-21 02:09 . 2010-08-29 04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-08-29 04:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 02:48 . 2010-12-02 08:01 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-07-13 11:45 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-11-26 12:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol System Monitor"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2010-05-31 323976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-12 2548040]

c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 21:47 57344 ------w- c:\windows\Alcxmntr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ose"=3 (0x3)
"TMWebProtect"=2 (0x2)
"TmProxy"=2 (0x2)
"MatSvc"=3 (0x3)
"IS360service"=2 (0x2)
"sp_rssrv"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"gupdate"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 27576]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2010 12:01 AM 135336]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [1/2/2011 5:23 PM 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [1/2/2011 5:23 PM 46592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [1/2/2011 5:23 PM 116224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 gupdate;Google Update Service (gupdate); [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 00:37
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(456)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-01-14 00:40:08
ComboFix-quarantined-files.txt 2011-01-14 08:40

Pre-Run: 129,413,591,040 bytes free
Post-Run: 129,399,382,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4C9A829EA07AEBCCFE8F42AE1FA0A01F
 
Then, i received an Upload Failed!! message saying:
Web server appears to be temporarily inaccessible. For your convenience, ComboFix created a submissions form located at
*C:\CF-Submit.htm

Please use that to manually upload it later.
Click to expand...
Please see if the site works now (open that created .htm file).
 
Hello,

Ok, I got this message:

Malware Submission
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
 
Hi,

Update Spybot and then run the scan to see if that item is still flagged.
 
Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
c:\windows\system32\netstat4.dll


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe.
Reboot if ComboFix didn't do it automatically. Then post the resultant log. Any issues left?
 
Hi, here's the log:


ComboFix 11-01-13.01 - Steven 01/16/2011 2:55.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.621 [GMT -8:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\system32\netstat4.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\netstat4.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))
.

2011-01-08 05:23 . 2011-01-08 05:24 -------- d-----w- c:\program files\ERUNT
2011-01-05 11:06 . 2005-04-29 23:18 201484 ----a-w- c:\windows\system32\drivers\umss.sys
2011-01-04 10:45 . 2011-01-04 10:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-03 01:23 . 2010-02-27 03:39 116224 ----a-w- c:\windows\system32\drivers\ubohci.sys
2011-01-03 01:23 . 2010-02-27 03:38 46592 ----a-w- c:\windows\system32\drivers\UBUMAPI.sys
2011-01-03 01:23 . 2010-02-27 03:38 17408 ----a-w- c:\windows\system32\drivers\UBSBM.sys
2011-01-03 01:23 . 2010-02-27 03:38 127488 ----a-w- c:\windows\system32\drivers\UB1394.sys
2011-01-01 11:45 . 2011-01-01 11:45 0 ----a-w- c:\windows\ativpsrm.bin
2011-01-01 11:42 . 2009-07-22 02:55 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-01 11:42 . 2009-04-29 11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
2011-01-01 11:42 . 2009-04-29 10:18 3280896 ----a-w- c:\windows\system32\aticaldd.dll
2011-01-01 11:42 . 2009-02-26 12:44 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2011-01-01 11:42 . 2008-10-22 10:51 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2011-01-01 11:42 . 2009-04-29 10:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2011-01-01 11:42 . 2009-04-29 10:20 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-01 11:42 . 2009-04-29 10:17 303104 ----a-w- c:\windows\system32\atiok3x2.dll
2010-12-31 01:11 . 2009-04-23 10:24 258048 ----a-w- c:\windows\system32\UCI32M40.dll
2010-12-31 01:11 . 2009-04-29 11:21 410624 ----a-r- c:\windows\system32\XAudio32.dll
2010-12-31 01:11 . 2009-04-29 11:20 8704 ----a-r- c:\windows\system32\drivers\XAudio32.sys
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-12-31 00:55 . 2010-12-31 00:55 -------- d-----w- c:\program files\Innovative Solutions
2010-12-31 00:14 . 2009-03-03 12:18 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-12-31 00:14 . 2008-02-25 20:54 105088 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-12-31 00:07 . 2010-12-31 00:07 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-30 23:57 . 2010-12-31 00:07 -------- d-----w- c:\program files\Apoint2K
2010-12-30 23:38 . 2010-12-30 23:38 -------- d-----w- c:\program files\Realtek
2010-12-30 23:14 . 2010-12-30 23:14 -------- d-----w- c:\program files\Realtek AC97
2010-12-30 23:14 . 2006-02-07 23:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2010-12-30 23:14 . 2006-02-07 23:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2010-12-30 23:14 . 2006-02-07 23:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2010-12-30 23:14 . 2006-02-07 23:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2010-12-30 23:14 . 2005-11-14 07:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2010-12-30 23:14 . 2010-12-30 23:14 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2010-12-30 23:14 . 2010-12-30 23:14 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2010-12-30 22:56 . 2010-12-30 22:56 -------- d-----w- c:\documents and settings\Steven\Application Data\DeviceDoctorSoftware
2010-12-30 22:34 . 2010-12-30 22:34 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-12-30 22:14 . 2010-12-30 22:21 -------- d-----w- c:\documents and settings\Steven\Application Data\MSNInstaller
2010-12-29 08:16 . 2011-01-16 08:33 -------- d-----w- c:\windows\system32\CatRoot2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-12 01:27 . 2010-09-11 07:41 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 01:26 . 2010-09-11 07:40 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 01:26 . 2010-09-11 07:40 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 01:26 . 2010-09-11 07:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-12 01:26 . 2010-09-11 07:40 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-04 10:44 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-31 04:33 . 2009-07-13 12:22 520192 ----a-w- c:\windows\system32\ati2sgag.exe
2010-12-22 12:48 . 2010-12-02 08:01 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-21 02:09 . 2010-08-29 04:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-08-29 04:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 02:48 . 2010-12-02 08:01 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-07-13 11:45 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-11-26 12:17 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-13_14.11.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-16 08:33 . 2011-01-16 08:33 208896 c:\windows\ERDNT\AutoBackup\1-16-2011\Users\00000002\UsrClass.dat
+ 2011-01-16 08:33 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\1-16-2011\ERDNT.EXE
+ 2011-01-15 15:43 . 2011-01-15 15:43 208896 c:\windows\ERDNT\AutoBackup\1-15-2011\Users\00000002\UsrClass.dat
+ 2011-01-15 15:43 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\1-15-2011\ERDNT.EXE
+ 2011-01-14 16:02 . 2011-01-14 16:02 208896 c:\windows\ERDNT\AutoBackup\1-14-2011\Users\00000002\UsrClass.dat
+ 2011-01-14 16:02 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\1-14-2011\ERDNT.EXE
+ 2011-01-16 08:33 . 2011-01-16 08:33 12713984 c:\windows\ERDNT\AutoBackup\1-16-2011\Users\00000001\ntuser.dat
+ 2011-01-15 15:43 . 2011-01-15 15:43 12713984 c:\windows\ERDNT\AutoBackup\1-15-2011\Users\00000001\ntuser.dat
+ 2011-01-14 16:02 . 2011-01-14 16:02 12713984 c:\windows\ERDNT\AutoBackup\1-14-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol System Monitor"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2010-05-31 323976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-12 2548040]

c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 21:47 57344 ------w- c:\windows\Alcxmntr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ose"=3 (0x3)
"TMWebProtect"=2 (0x2)
"TmProxy"=2 (0x2)
"MatSvc"=3 (0x3)
"IS360service"=2 (0x2)
"sp_rssrv"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"gupdate"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 27576]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2010 12:01 AM 135336]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [1/2/2011 5:23 PM 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [1/2/2011 5:23 PM 46592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [1/2/2011 5:23 PM 116224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 gupdate;Google Update Service (gupdate); [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-16 03:00
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\guard32.dll
.
Completion time: 2011-01-16 03:02:22
ComboFix-quarantined-files.txt 2011-01-16 11:02

Pre-Run: 129,510,539,264 bytes free
Post-Run: 129,501,786,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 077BDC92912FFB877E35EA730D351537



All else seems to be ok, thanls.
 
Hi,

Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run Secunia Personal Software Inspector (PSI) and fix its findings.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Everything appears to be running fine, thanks.
I followed those steps as you laid them out!



I'm just curious as to what I shoud do with the dds/erunt programs?
 
You're welcome :)

I'm just curious as to what I shoud do with the dds/erunt programs?
Click to expand...
Delete DDS. If you don't want to keep Erunt you can uninstall it.
 
You must log in or register to reply here.
Back
Top