Multiple Trojans [Solved]


  • This topic is locked

#1
Yintoo

    New Member

  • 9 posts
OK, I recently ran into a problem with AVG identifying hundreds of files and quarantining them, even though they just appeared to be programs that were already installed on my computer. I don't know what happened, but now when I start the computer in normal mode the Windows taskbar will not appear; everything else usually pops up, but there is no way for me to get to the Windows taskbar. I can start in safe mode and the start bar appears, but AVG constantly reports many infections when I boot normally. I tried to reformat using a Windows CD, but when I try that it tells me I do not have a hard drive connected and setup terminates. Clearly I do have one connected, because I can boot into safe mode and everything works. I've seen Virut and Win32 being identified on the virus scans. Here is my HijackThis log, run in safe mode.

EDIT: Also, I forgot to mention that I've tried running SDFix, and whenever I try, it BSoDs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:23 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Yintoo\Desktop\Sality_off.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Product Registration.lnk = C:\Program Files\Common Files\LogiShared\eReg\SetPoint\eReg.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9758 bytes

Edited by Yintoo, 21 February 2009 - 04:27 PM.

  • 0
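As an added example (not a tool from this thread, from Geeks to Go, or from the HijackThis project), the Python script below applies to a HijackThis-format log three of the checks a helper makes by eye when reading logs like the ones posted here: processes running from a temp directory or with a .tmp extension, extra entries on the system.ini UserInit line (a clean XP install carries only userinit.exe there), and a Run value name that is registered with different targets in different hives. It also lists services whose binary is missing, which are usually just uninstall leftovers. The sample lines are copied from the two HijackThis logs in this thread (the safe-mode one above and the normal-mode one posted later) and trimmed; the regular expressions and the finding labels are assumptions of this example, and a hit is a lead for review, not a verdict.

```python
"""Triage checks for a HijackThis-format log (added example, not part of this thread)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the two HijackThis logs posted in this
# thread (safe-mode and normal-mode), trimmed to what the checks below look at.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\BN4B.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\53.tmp

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\actcontroller.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Yintoo\reader_s.exe (User 'SYSTEM')
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")                       # R0, F2, O4, O23 ... lines
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|bat|cmd))', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
USERINIT_DEFAULT = "\\system32\\userinit.exe"  # the only entry a clean XP box carries


def parse_sections(log_text):
    """Split a log into the running-process list and the tagged (R0/O4/...) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def first_path(cmd):
    """Pull the executable path out of a Run command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text):
    """Return a list of (finding_kind, detail) tuples for a helper to review."""
    processes, entries = parse_sections(log_text)
    findings = []

    # 1. Processes living in a temp directory or carrying a .tmp extension.
    for proc in processes:
        if TEMP_RE.search(proc) or proc.lower().endswith(".tmp"):
            findings.append(("temp_process", proc))

    # 2. UserInit should hold exactly one entry, the real userinit.exe.
    for entry in entries:
        if entry.startswith("F2 - ") and "UserInit=" in entry:
            values = [v.strip() for v in entry.split("UserInit=", 1)[1].split(",")]
            for value in filter(None, values):
                if not value.lower().endswith(USERINIT_DEFAULT):
                    findings.append(("userinit_extra", value))

    # 3. The same Run value name pointing at different files in different hives.
    targets = defaultdict(set)
    for entry in entries:
        m = O4_RE.match(entry)
        if m:
            targets[m.group("name").lower()].add(first_path(m.group("cmd")).lower())
    for name, paths in sorted(targets.items()):
        if len(paths) > 1:
            findings.append(("run_name_multiple_paths", f"{name}: {' | '.join(sorted(paths))}"))

    # 4. Services whose binary is gone: usually leftovers, but worth listing.
    for entry in entries:
        if entry.startswith("O23 - ") and entry.endswith("(file missing)"):
            findings.append(("service_file_missing", entry.split(" - ", 1)[1]))

    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

Run it as a script and it prints the findings for the embedded sample; pass the text of a complete log to `triage()` to use it on a real one. The checks are deliberately narrow, and anything they miss still needs the entry-by-entry reading that the helpers here do.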

#2
handhfan

    Trusted Helper

  • 13,659 posts
Hello, Yintoo, and welcome to GeeksToGo!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
  • 0

#3
Yintoo

    New Member

  • Topic Starter
  • 9 posts
When I ran ComboFix, it came up saying I had AVG running. I closed AVG, but it said AVG was still running and then started the program anyway.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:03 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Wootalyzer\woot.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN4B.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\53.tmp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\actcontroller.exe,
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Yintoo\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Product Registration.lnk = C:\Program Files\Common Files\LogiShared\eReg\SetPoint\eReg.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12481 bytes

ComboFix 09-02-19.01 - Yintoo 2009-02-21 21:48:11.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1742 [GMT -6:00]
Running from: c:\documents and settings\Yintoo\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-21 16:06 . 2009-02-21 16:06 <DIR> d-------- c:\documents and settings\Yintoo\DoctorWeb
2009-02-21 15:10 . 2009-02-21 15:11 <DIR> d-------- C:\SDFix
2009-02-21 09:36 . 2009-02-21 09:36 88 --a------ c:\windows\system32\4E.tmp
2009-02-21 09:36 . 2009-02-21 09:36 1 --a------ c:\windows\system32\4F.tmp
2009-02-21 09:19 . 2009-02-21 09:19 88 --a------ c:\windows\system32\35.tmp
2009-02-21 09:19 . 2009-02-21 09:19 1 --a------ c:\windows\system32\36.tmp
2009-02-21 09:14 . 2009-02-21 09:14 88 --a------ c:\windows\system32\1D.tmp
2009-02-21 09:14 . 2009-02-21 09:14 1 --a------ c:\windows\system32\1E.tmp
2009-02-21 08:34 . 2009-02-21 08:34 88 --a------ c:\windows\system32\15.tmp
2009-02-21 08:34 . 2009-02-21 08:35 1 --a------ c:\windows\system32\16.tmp
2009-02-21 01:21 . 2009-02-21 01:21 37,888 --a------ c:\windows\system32\10.tmp
2009-02-21 01:21 . 2009-02-21 01:21 30,208 --a------ c:\windows\system32\E.tm_
2009-02-21 01:21 . 2009-02-21 01:21 25,601 --a------ c:\windows\system32\A.tm_
2009-02-21 01:21 . 2009-02-21 01:21 130 --a------ c:\windows\adobe.bat
2009-02-21 00:05 . 2009-02-21 00:05 47,616 --a------ c:\windows\system32\reader_s.ex_
2009-02-20 23:47 . 2009-02-20 23:47 38,913 --a------ c:\windows\system32\4.tm_
2009-02-20 19:42 . 2009-02-20 19:42 <DIR> d-------- c:\documents and settings\Yintoo\Application Data\Twain
2009-02-20 19:38 . 2009-02-20 22:39 <DIR> d-------- c:\documents and settings\Yintoo\.housecall6.6
2009-02-20 19:37 . 2009-02-20 22:39 <DIR> d-------- c:\program files\WebShow
2009-02-20 19:37 . 2009-02-20 19:37 129,024 --ahs---- c:\windows\system32\uxbsfy.dll
2009-02-20 19:32 . 2009-02-20 19:32 182,656 --a------ c:\windows\system32\dllcache\ndis.sys
2009-02-20 19:32 . 2009-02-20 19:32 88,065 --a------ c:\windows\system32\E13.tmp
2009-02-20 19:32 . 2009-02-20 19:32 25,601 --a------ c:\windows\system32\E12.tmp
2009-02-20 19:32 . 2009-02-20 19:32 2,560 --a------ c:\windows\system32\E15.tmp
2009-02-20 19:32 . 2009-02-20 19:33 616 --a------ c:\windows\system32\E20.tmp
2009-02-20 19:32 . 2009-02-20 19:32 208 --a------ c:\windows\system32\E10.tmp
2009-02-09 16:18 . 2004-08-17 21:14 442,368 -ra------ c:\windows\system32\vp6vfw.dll
2009-02-09 16:13 . 2009-02-09 16:13 <DIR> d-------- c:\program files\Elaborate Bytes
2009-02-08 18:41 . 2009-02-08 18:41 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-08 18:41 . 2009-02-08 18:42 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-08 18:41 . 2009-01-06 22:06 35,950,872 --a------ C:\PhysX 8.10.13.exe
2009-02-08 18:40 . 2009-02-03 06:01 <DIR> d-------- C:\I-Fluid
2009-02-07 22:31 . 2009-02-07 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2009-02-07 08:42 . 2009-02-07 08:42 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-02 16:57 . 2009-01-17 14:36 3,377 --a------ C:\rzr-f335.nfo
2009-01-29 19:17 . 2009-02-21 01:28 <DIR> d-------- c:\documents and settings\Yintoo\PsiData
2009-01-28 15:28 . 2009-01-28 15:28 <DIR> d-------- C:\CHEthermo
2009-01-27 20:14 . 2009-01-27 20:16 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 20:13 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-01-27 20:13 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-01-27 20:13 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-01-27 20:13 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-01-27 20:13 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-01-27 20:13 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-01-27 20:01 . 2009-01-27 20:01 <DIR> d-------- c:\program files\KLC
2009-01-27 20:01 . 2000-05-22 00:00 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-01-27 20:01 . 1999-12-07 07:00 61,491 --a------ c:\windows\system32\wbemdisp.TLB
2009-01-23 17:32 . 2009-02-21 00:15 <DIR> d-------- c:\documents and settings\Yintoo\Application Data\HPAppData
2009-01-22 07:00 . 2008-12-06 04:05 1,203,770 --------- c:\windows\system32\dllcache\sysmain.sdb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 04:06 --------- d-----w c:\documents and settings\Yintoo\Application Data\Hamachi
2009-02-22 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-21 22:08 75,264 ----a-w c:\windows\system32\locator.exe
2009-02-21 22:08 5,632 ----a-w c:\windows\system32\cisvc.exe
2009-02-21 22:08 44,544 ----a-w c:\windows\system32\alg.exe
2009-02-21 22:08 33,280 ----a-w c:\windows\system32\clipsrv.exe
2009-02-21 22:08 267,776 ----a-w c:\windows\system32\fxssvc.exe
2009-02-21 22:08 24,576 ----a-w c:\windows\MIDIDEF.EXE
2009-02-21 22:08 224,768 ----a-w c:\windows\system32\dmadmin.exe
2009-02-21 22:08 150,528 ----a-w c:\windows\system32\imapi.exe
2009-02-21 22:08 15,360 ----a-w c:\windows\system32\ctfmon.exe
2009-02-21 22:08 10,752 ----a-w c:\windows\system32\dumprep.exe
2009-02-21 22:08 1,050,624 ----a-w c:\windows\explorer.exe
2009-02-21 11:37 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-21 11:06 --------- d-----w c:\program files\PeerGuardian2
2009-02-21 09:43 --------- d-----w c:\program files\Diablo II
2009-02-21 09:23 --------- d-----w c:\program files\Alarm
2009-02-21 07:17 90,112 ----a-w c:\windows\DUMP71f3.tmp
2009-02-21 07:05 90,112 ----a-w c:\windows\DUMP6f34.tmp
2009-02-21 05:45 --------- d-----w c:\documents and settings\Yintoo\Application Data\uTorrent
2009-02-21 04:41 --------- d-----w c:\program files\UDPixel
2009-02-21 01:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-21 01:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 01:37 129,024 --sha-w c:\windows\system32\zenewoji.dll
2009-02-21 01:32 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-21 01:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-15 19:07 --------- d-----w c:\program files\EA GAMES
2009-02-12 15:13 --------- d-----w c:\program files\Steam
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 00:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-07 14:42 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-04 02:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 07:31 --------- d-----w c:\program files\Warcraft III
2009-01-22 00:00 --------- d-----w c:\documents and settings\Yintoo\Application Data\HP
2009-01-22 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-01-21 23:59 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-21 23:58 --------- d-----w c:\program files\HP
2009-01-21 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-01-21 23:55 --------- d-----w c:\program files\Hewlett-Packard
2009-01-21 23:55 --------- d-----w c:\program files\Common Files\HP
2009-01-21 23:55 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-01-21 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-21 04:04 --------- d-----w c:\program files\World of Warcraft
2009-01-19 00:39 --------- d-----w c:\program files\Jade Empire
2009-01-19 00:37 82,774 ----a-w c:\windows\Uninstall Jade Empire.exe
2009-01-18 23:01 --------- d-----w c:\program files\FlashGet
2009-01-18 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-01-13 17:34 --------- d-----w c:\program files\Curse
2009-01-07 19:37 --------- d-----w c:\program files\WorldOfGoo
2009-01-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-01-06 19:02 201,816 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-06 19:02 137,992 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-25 18:36 --------- d-----w c:\program files\iTunes
2008-12-25 18:36 --------- d-----w c:\program files\iPod
2008-12-25 18:36 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 18:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 18:35 --------- d-----w c:\program files\QuickTime
2008-12-25 18:35 --------- d-----w c:\program files\Bonjour
2008-12-25 14:42 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-25 14:38 --------- d-----w c:\program files\Common Files\LogiShared
2008-12-25 14:37 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-25 14:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-25 14:36 --------- d-----w c:\program files\Common Files\Logitech
2008-12-25 14:35 --------- d-----w c:\program files\Logitech
2008-12-25 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-24 03:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-19 00:07 578,560 ----a-w c:\windows\system32\dllcache\user32.dll
2008-12-18 02:13 114 ----a-w C:\sccfg.sys
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-01-01 18:53 22,328 ----a-w c:\documents and settings\Yintoo\Application Data\PnkBstrK.sys
2006-09-17 04:06 9 ----a-w c:\program files\install_log.dat
2006-11-24 19:52 56 --sh--r c:\windows\system32\16858DD69A.sys
2006-10-12 21:40 56 --sh--r c:\windows\system32\66C77C80B4.sys
2006-12-12 02:10 88 --sh--r c:\windows\system32\9AD68D8516.sys
2007-10-06 01:36 6,060 --sha-w c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 03:00 31744 f6e5fc4d063d9cfb05f9e1945ac7a349 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31232 d7cc0c46b2f22169bdc4a53900947d4d c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-21 16:09 31744 0b70b80c7deda0ba85f7cf8dbe1781a8 c:\windows\system32\svchost.exe

2004-08-04 03:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 13:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-20 19:32 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-20 19:32 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2009-02-21 16:08 1050624 af7a0c20b47c4165edde74a7f98cb5ee c:\windows\explorer.exe
2007-06-13 05:26 1050112 675d3de838571a9cc263aacf12126b59 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 6eef35bac1cc33b9a1a455b270cddd27 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 03:00 1049088 6e37656065219249f3d8245a0e2f0edb c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1050624 6b206c463fb8b6219eddfbb1fb2e1edf c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 03:00 32768 19e067f4208fc25942fa07f9420922a6 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32256 2a9e92602477ecf4c04c671d3b6fa390 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-21 16:08 15360 737443e3b98206e4397bd7b288130c4c c:\windows\system32\ctfmon.exe

2005-06-10 18:17 74752 22372724aaf628b1549ee47ef9d974c5 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 484c170414c86f892b6830b78d5fa3a8 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 75264 aae5797ef2acc6cf3abd1b02fc98362b c:\windows\ServicePackFiles\i386\spoolsv.exe
2009-02-21 16:09 57856 1cdf250a56496c567fc50048bfeeb547 c:\windows\system32\spoolsv.exe

2004-08-04 03:00 41472 8cc7e8de4a57a5fe2124c9142fc0df23 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 d075ab412318c54ad9b61feb40c62f13 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-21 16:09 26112 2057e4d66fa6aa74427f0f71b64c37a0 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-21_ 0.52.57.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2008-08-07 21:27:04 183,808 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-07 21:27:04 184,320 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
- 2008-12-19 00:02:04 10,051,584 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-21 21:11:19 10,649,600 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-12-19 00:02:04 172,032 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-02-21 21:11:19 184,320 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-06-27 03:10:26 334,336 ----a-w c:\windows\inf\unregmp2.exe
+ 2009-02-21 22:08:39 317,440 ----a-w c:\windows\inf\unregmp2.exe
- 2008-04-13 18:53:32 574,976 ------w c:\windows\network diagnostic\xpnetdiag.exe
+ 2009-02-21 22:08:40 558,080 ----a-w c:\windows\network diagnostic\xpnetdiag.exe
- 2000-08-31 14:00:00 49,152 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 48,640 ----a-w c:\windows\NIRCMD.exe
+ 2009-02-02 22:56:27 186,900 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2009-02-02 22:56:27 186,900 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
- 2008-04-14 00:12:16 25,088 ------w c:\windows\ServicePackFiles\i386\defrag.exe
+ 2008-04-14 00:12:16 42,496 ------w c:\windows\ServicePackFiles\i386\defrag.exe
- 2009-02-21 06:38:20 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-21 21:55:35 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-21 06:38:20 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-21 21:55:35 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-21 06:38:21 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009022120090222\index.dat
+ 2009-02-21 17:08:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009022120090222\index.dat
- 2009-02-21 06:38:20 114,688 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-21 21:55:35 114,688 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-04 09:00:00 54,345 ----a-w c:\windows\system32\dllcache\zclientm.exe
+ 2004-08-04 09:00:00 53,833 ----a-w c:\windows\system32\dllcache\zclientm.exe
- 2008-04-14 00:12:17 22,016 ----a-w c:\windows\system32\dllhost.exe
+ 2009-02-21 22:08:45 5,120 ----a-w c:\windows\system32\dllhost.exe
- 2008-04-14 00:12:22 51,200 ----a-w c:\windows\system32\ie4uinit.exe
+ 2009-02-21 22:08:58 34,304 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-04-14 00:12:43 238,080 ----a-w c:\windows\system32\logon.scr
+ 2009-02-21 22:09:00 220,672 ----a-w c:\windows\system32\logon.scr
- 2008-04-14 00:12:24 531,456 ----a-w c:\windows\system32\logonui.exe
+ 2009-02-21 22:09:00 514,560 ----a-w c:\windows\system32\logonui.exe
- 2008-04-14 00:12:25 53,248 ----a-w c:\windows\system32\mnmsrvc.exe
+ 2009-02-21 22:09:01 32,768 ----a-w c:\windows\system32\mnmsrvc.exe
- 2008-04-14 00:12:28 95,744 ----a-w c:\windows\system32\msiexec.exe
+ 2009-02-21 22:09:03 78,848 ----a-w c:\windows\system32\msiexec.exe
- 2008-04-14 00:12:29 128,512 ----a-w c:\windows\system32\netdde.exe
+ 2009-02-21 22:09:04 111,104 ----a-w c:\windows\system32\netdde.exe
- 2008-12-26 06:08:00 184,388 ----a-w c:\windows\system32\nvsvc32.exe
+ 2009-02-21 22:09:06 163,840 ----a-w c:\windows\system32\nvsvc32.exe
- 2008-04-14 00:12:32 28,672 ----a-w c:\windows\system32\regsvr32.exe
+ 2009-02-21 22:09:09 11,776 ----a-w c:\windows\system32\regsvr32.exe
- 2004-08-04 09:00:00 149,504 ----a-w c:\windows\system32\rsvp.exe
+ 2009-02-21 22:09:09 132,608 ----a-w c:\windows\system32\rsvp.exe
- 2008-04-14 00:12:33 50,688 ----a-w c:\windows\system32\rundll32.exe
+ 2009-02-21 22:09:10 33,280 ----a-w c:\windows\system32\rundll32.exe
- 2008-04-14 00:12:33 113,152 ----a-w c:\windows\system32\scardsvr.exe
+ 2009-02-21 22:09:10 95,744 ----a-w c:\windows\system32\scardsvr.exe
- 2008-04-14 00:12:34 158,720 ----a-w c:\windows\system32\sessmgr.exe
+ 2009-02-21 22:09:11 141,312 ----a-w c:\windows\system32\sessmgr.exe
- 2008-04-14 00:12:35 62,464 ----a-w c:\windows\system32\shmgrate.exe
+ 2009-02-21 22:09:12 45,056 ----a-w c:\windows\system32\shmgrate.exe
- 2008-04-14 00:12:35 106,496 ----a-w c:\windows\system32\smlogsvc.exe
+ 2009-02-21 22:09:12 89,600 ----a-w c:\windows\system32\smlogsvc.exe
- 2008-04-14 00:12:38 90,112 ----a-w c:\windows\system32\tlntsvr.exe
+ 2009-02-21 22:09:14 73,216 ----a-w c:\windows\system32\tlntsvr.exe
- 2008-04-14 00:12:38 35,328 ----a-w c:\windows\system32\ups.exe
+ 2009-02-21 22:09:14 18,432 ----a-w c:\windows\system32\ups.exe
- 2008-04-14 00:12:38 306,688 ----a-w c:\windows\system32\vssvc.exe
+ 2009-02-21 22:09:15 289,792 ----a-w c:\windows\system32\vssvc.exe
- 2004-08-04 09:00:00 30,208 -c--a-w c:\windows\system32\wbem\winmgmt.exe
+ 2009-02-21 22:09:16 13,312 -c--a-w c:\windows\system32\wbem\winmgmt.exe
- 2008-04-14 00:12:40 143,360 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
+ 2009-02-21 22:09:16 126,464 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-02-21 544256]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-02-21 392192]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SetDefaultMIDI"="MIDIDef.exe" [2009-02-21 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-21 139264]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-07 1601304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-02-21 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-02-21 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2009-02-21 81920]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 36864]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\Yintoo\Start Menu\Programs\Startup\
Hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2006-09-20 625952]
Product Registration.lnk - c:\program files\Common Files\LogiShared\eReg\SetPoint\eReg.exe [2007-04-09 3036688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2006-12-23 303104]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-06-27 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-03-25 214360]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-25 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-02-03 16:58 53248 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 08:42 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yintoo^Start Menu^Programs^Startup^Hamachi.lnk]
path=c:\documents and settings\Yintoo\Start Menu\Programs\Startup\Hamachi.lnk
backup=c:\windows\pss\Hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-09-15 07:47 77824 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-13 17:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-06-13 17:27 2772992 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-21 16:08 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2008\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\warhammer 40,000 dawn of war ii - beta\\DOW2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eve online\\eve.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eve online\\bin\\ExeFile.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:Warcraft III
"6112:TCP"= 6112:TCP:Warcraft 3
"32459:TCP"= 32459:TCP:uTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-18 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-07 298264]
S0 Winns62;Winns62; [x]
S3 EraserUtilDrvI1;EraserUtilDrvI1;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI1.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI1.sys [?]
S3 pnicml;pnicml;\??\c:\docume~1\Yintoo\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Yintoo\LOCALS~1\Temp\pnicml.sys [?]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a58beba0-2850-11dc-af05-00137220f276}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af102aa8-91f3-11dc-af4f-00137220f276}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Yintoo\Application Data\Mozilla\Firefox\Profiles\fyumd661.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 22:01:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\dellsupportcenter_14039

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dumprep.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-02-21 22:22:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-22 04:22:07
ComboFix2.txt 2009-02-21 21:03:26
ComboFix3.txt 2009-02-21 06:54:33
ComboFix4.txt 2008-12-18 23:53:34

Pre-Run: 4,960,153,600 bytes free
Post-Run: 2,812,305,408 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
476 --- E O F --- 2009-02-11 22:50:48

Attached Files

  • Attached File  log.txt   32.83KB   222 downloads

  • 0

#4
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

SP3 users select the download for SP2

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#5
Yintoo

Yintoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I installed the recovery console just fine, but when combofix automatically restarted my computer into normal mode windows explorer either crashed or didn't load properly and once again nothing loaded except my background, combofix did not boot up again. I restarted into safe mode and combofix finished its log report as normal. Also once again it said AVG was running when I could not find it in the system tray or my running processes.

Attached Files

  • Attached File  log2.txt   27.99KB   452 downloads

Edited by Yintoo, 23 February 2009 - 04:11 PM.

  • 0

#6
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
It looks like you got hit by the dreaded Virut virus. This is an extremely difficult virus to remove, as it infects hundreds of system core files. It would be impractical to try to remove it, as there is a high probability that it will come right back if we miss even one file. For now, the best option would be a complete reformatting of your computer, and then reinstalling Windows.

You can take the opportunity now to back up any important files that you will not want to lose, and prepare for a reformat, as it really is the very best option. Be careful to not save any program executables, as these carry a copy of the virus, and will just reinfect your new system.

Sorry that I bring such bad news.

If you have any questions or need assistance, let me know.
  • 0
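The Sigcheck section of the ComboFix log above is what supports the diagnosis: for several core binaries the copy under c:\windows or c:\windows\system32 no longer carries the same MD5 as the reference copy in c:\windows\ServicePackFiles\i386. The script below is an added example, not part of ComboFix or of this thread; it parses Sigcheck-style lines (the sample is copied from the log above) and reports each live binary whose hash or size differs from its Service Pack baseline. Treating ServicePackFiles\i386 as the trusted baseline and the $NtServicePackUninstall$, $hf_mig$, $NtUninstall* and dllcache directories as archive copies is this example's assumption about how to read the log, not a rule ComboFix documents.

```python
"""Compare live Windows binaries against their Service Pack baseline copies,
using lines in the Sigcheck format that ComboFix prints:
    date time size md5 path
Added example; not part of ComboFix or the forum thread."""
import re
from collections import defaultdict

# Sample input copied from the Sigcheck section of the log above.
SIGCHECK_SAMPLE = r"""
2004-08-04 03:00 31744 f6e5fc4d063d9cfb05f9e1945ac7a349 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31232 d7cc0c46b2f22169bdc4a53900947d4d c:\windows\ServicePackFiles\i386\svchost.exe
2009-02-21 16:09 31744 0b70b80c7deda0ba85f7cf8dbe1781a8 c:\windows\system32\svchost.exe

2004-08-04 03:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 13:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-20 19:32 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-20 19:32 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2009-02-21 16:08 1050624 af7a0c20b47c4165edde74a7f98cb5ee c:\windows\explorer.exe
2007-06-13 05:26 1050112 675d3de838571a9cc263aacf12126b59 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 6eef35bac1cc33b9a1a455b270cddd27 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 03:00 1049088 6e37656065219249f3d8245a0e2f0edb c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1050624 6b206c463fb8b6219eddfbb1fb2e1edf c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 03:00 32768 19e067f4208fc25942fa07f9420922a6 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32256 2a9e92602477ecf4c04c671d3b6fa390 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-21 16:08 15360 737443e3b98206e4397bd7b288130c4c c:\windows\system32\ctfmon.exe

2005-06-10 18:17 74752 22372724aaf628b1549ee47ef9d974c5 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 484c170414c86f892b6830b78d5fa3a8 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 75264 aae5797ef2acc6cf3abd1b02fc98362b c:\windows\ServicePackFiles\i386\spoolsv.exe
2009-02-21 16:09 57856 1cdf250a56496c567fc50048bfeeb547 c:\windows\system32\spoolsv.exe

2004-08-04 03:00 41472 8cc7e8de4a57a5fe2124c9142fc0df23 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 d075ab412318c54ad9b61feb40c62f13 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-21 16:09 26112 2057e4d66fa6aa74427f0f71b64c37a0 c:\windows\system32\userinit.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")

# Assumption of this example: the Service Pack file store is the trusted baseline,
# and these directories hold archived/cached copies rather than the running file.
BASELINE_MARKER = "\\servicepackfiles\\i386\\"
ARCHIVE_MARKERS = ("\\servicepackfiles\\", "$ntservicepackuninstall$",
                   "$hf_mig$", "$ntuninstall", "\\dllcache\\")


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; blank and non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, md5, path = m.groups()
            entries.append({"date": date, "time": time, "size": int(size),
                            "md5": md5, "path": path})
    return entries


def is_archive_copy(path):
    return any(marker in path.lower() for marker in ARCHIVE_MARKERS)


def is_baseline_copy(path):
    return BASELINE_MARKER in path.lower()


def compare_to_baseline(entries):
    """Map each live file path to how it differs from its ServicePackFiles copy."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    report = {}
    for name, copies in by_name.items():
        baseline = next((c for c in copies if is_baseline_copy(c["path"])), None)
        if baseline is None:
            continue  # nothing trusted to compare against
        for live in copies:
            if is_archive_copy(live["path"]):
                continue
            report[live["path"].lower()] = {
                "name": name,
                "baseline_md5": baseline["md5"],
                "live_md5": live["md5"],
                "hash_match": live["md5"] == baseline["md5"],
                "size_delta": live["size"] - baseline["size"],
                # True when the live file was modified after the baseline was laid down
                "live_newer": (live["date"], live["time"]) > (baseline["date"], baseline["time"]),
            }
    return report


def flagged_files(report):
    """Sorted basenames of live files whose MD5 differs from the baseline."""
    return sorted(r["name"] for r in report.values() if not r["hash_match"])


if __name__ == "__main__":
    for path, r in compare_to_baseline(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        status = "OK" if r["hash_match"] else "MISMATCH"
        print(f"{status:8} {path} size_delta={r['size_delta']:+d} "
              f"baseline={r['baseline_md5'][:8]} live={r['live_md5'][:8]}")
```

On the sample, every live binary except drivers\ndis.sys comes back MISMATCH, and all of the mismatching files carry a 2009-02-21 timestamp later than their SP3 baseline; explorer.exe differs in hash while keeping exactly the baseline size, which a hash-only check catches and a size-only check would miss. A mismatch on its own does not identify the cause, but it is the check to run before trusting any executable from such a machine, including anything copied into a backup set.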

#7
Yintoo

Yintoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
That's fine, I kind of thought that it was something serious. However, I don't know if it means anything, but I tried to reinstall Windows from a boot disc I burned before coming here, and whenever I would try, the boot disc told me that I did not have a hard drive present and it couldn't run the setup without one and terminated. Obviously I have a hard drive as I can still log in and view and move my files. I've finished backing up my files though; is there a certain virus scanner I can use to detect the Virut to make sure I haven't transferred it? I think the only thing I transferred was music files, but otherwise I'm ready to continue reformatting. Sorry, but I'll need some help reformatting as well :)

Edited by Yintoo, 24 February 2009 - 10:24 AM.

  • 0

#8
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
It's possible, it all depends on how you went about reformatting (this is extremely important), and then installing a fresh copy of the Operating System. Otherwise, the infected files will still remain on the computer.

This guide should help (it's for Home Edition, but it's not too dissimilar to the Professional version, which you have).

Let me know if this helps.
  • 0

#9
Yintoo

Yintoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
My computer doesn't have a floppy drive, only 2 DVD/CD drives, so I can't do the section on how to get past the hard drive error message. I don't know if it helps, but I do have an external hard drive that is detected by the boot disc, just my internal one isn't detected and I cannot install the drivers without the floppy drive.

Edited by Yintoo, 24 February 2009 - 04:14 PM.

  • 0

#10
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Not sure why you are thinking of using a floppy drive. All you need is your Windows XP CD, and the internal hard disk where your infected system is stored.
  • 0

#11
Yintoo

Yintoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oh sorry, what I meant was that when I try to follow the setup I get the "Setup did not find any hard disk drives installed in your computer" error, which is linked to another guide saying it requires a floppy A to fix, http://www.windowsxp...dexfullpage.htm
  • 0

#12
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
You won't need that one. The link I gave you should help you. Unless there is an issue with it.
  • 0

#13
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
I see the link on the page I gave you, but you really don't need to do that if you aren't getting that error. You should be able to start from the directions under "PART 1".
  • 0

#14
Yintoo

Yintoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oh sorry, I am getting that error when I get to the part where I have to hit enter to continue.
  • 0

#15
handhfan

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
At this point, I think it might be better if you posted in the Windows XP forum, as this is where my expertise ends. :)
  • 0
