Does this HJT log look suspicious?

[tanger]

I was able to boot into safe mode without any problems however...dont know if this will help

[Ried]

Please run a scan with dds.com and post both reports

[tanger]

I ran dds.com in safe mode...here are the logs



DDS (Version 1.0.1) - NTFSx86 MINIMAL
Run by Warren at 21:49:44.64 on 16/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1774 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Warren\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [combofix] c:\windows\system32\cf30058.exe /c c:\combofix\Combobatch.bat
mRunOnce: [combofix] c:\windows\system32\cf30058.exe /c c:\combofix\Combobatch.bat
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asus wifi-ap solo.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\warren\applic~1\mozilla\firefox\profiles\po1w7agd.default\
FF - prefs.js: browser.startup.homepage - www.tsn.ca

============= SERVICES / DRIVERS ===============

S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-7-16 213008]
S2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-4-25 201992]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-26 176128]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\SjyPkt.sys [2008-11-26 13532]

=============== Created Last 30 ================

2008-12-16 09:02 4,444 a------- c:\windows\system32\pid.PNF
2008-12-16 08:54 <DIR> a-dshr-- C:\autorun.inf
2008-12-16 07:37 <DIR> a-dshr-- C:\cmdcons
2008-12-16 07:35 <DIR> --d----- C:\ComboFix
2008-12-13 01:06 <DIR> --d----- c:\program files\Nobilis
2008-12-12 11:52 <DIR> --d----- c:\program files\MathType
2008-12-11 16:02 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-11 16:02 203,520 a------- c:\windows\system32\nvapps.xml
2008-12-11 16:02 18,537 a------- c:\windows\system32\nvdisp.nvu
2008-12-11 16:02 <DIR> --d----- c:\windows\nview
2008-12-11 16:02 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 16:01 <DIR> --d----- C:\NVIDIA
2008-12-11 14:05 <DIR> --d----- c:\windows\SHELLNEW
2008-12-11 13:43 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-10 14:03 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-04 02:25 161,792 a------- c:\windows\SWREG.exe
2008-12-04 02:25 98,816 a------- c:\windows\sed.exe
2008-12-04 00:47 250 a------- c:\windows\gmer.ini
2008-12-02 22:50 79 a------- c:\windows\wininit.ini
2008-12-02 14:34 <DIR> --d----- c:\program files\Foxit Software
2008-12-02 11:15 <DIR> --d----- c:\docume~1\warren\applic~1\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 <DIR> --d----- c:\docume~1\warren\applic~1\Design Science
2008-11-28 00:22 <DIR> --d----- c:\docume~1\warren\applic~1\Inkscape
2008-11-28 00:21 <DIR> --d----- c:\program files\Inkscape
2008-11-27 19:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alias
2008-11-26 21:24 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 176,128 a------- c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 13,532 a------- c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 21:23 <DIR> --d----- c:\program files\ASUS WiFi-AP Solo
2008-11-26 17:35 28 a------- c:\windows\pdf995.ini
2008-11-26 17:34 59 a------- c:\windows\wpd99.drv
2008-11-26 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2008-11-26 17:34 249,856 a------- c:\windows\system32\pdfmona.dll
2008-11-26 17:34 51,716 a------- c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 <DIR> --d----- c:\program files\pdf995
2008-11-21 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-21 23:08 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2008-12-16 20:34 3,784,736 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-16 20:34 712,736 ac-sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-16 20:34 33,792 ac-sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-16 20:34 5,612 ac-sh--- c:\windows\system32\drivers\fidbox2.idx
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 23,320 a------- c:\windows\system32\PhysXDevice.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-07-18 13:06 47,360 ac------ c:\docume~1\warren\applic~1\pcouffin.sys
2006-06-23 13:48 32,768 ac------ c:\windows\inf\UpdateUSB.exe
2004-08-04 07:00 73,728 ac-sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 21:50:02.73 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 02/05/2008 2:58:43 AM
System Uptime: 16/12/2008 8:34:45 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-E
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2671/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 164.976 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 466 GiB total, 44.037 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96A-E325-11CE-BFC1-08002BE10318}
Description: Standard Dual Channel PCI IDE Controller
Device ID: PCI\VEN_197B&DEV_2363&SUBSYS_824F1043&REV_03\4&332B0EE8&0&00E4
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Name: Standard Dual Channel PCI IDE Controller
PNP Device ID: PCI\VEN_197B&DEV_2363&SUBSYS_824F1043&REV_03\4&332B0EE8&0&00E4
Service: pciide

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&625283&0&00E5
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&625283&0&00E5
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: Logitech
Name: PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt

Class GUID: {4D36E96A-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) ICH9 2 port Serial ATA Storage Controller 2 - 2926
Device ID: PCI\VEN_8086&DEV_2926&SUBSYS_82771043&REV_02\3&11583659&0&FD
Manufacturer: Intel
Name: Intel(R) ICH9 2 port Serial ATA Storage Controller 2 - 2926
PNP Device ID: PCI\VEN_8086&DEV_2926&SUBSYS_82771043&REV_02\3&11583659&0&FD
Service: pciide

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ACPI\PNPA000\4&5D18F2DF&0
Manufacturer: (Standard mass storage controllers)
Name: SCSI/RAID Host Controller
PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
Service: aqsx7ul7

==== System Restore Points ===================

RP1: 04/12/2008 2:25:33 AM - System Checkpoint
RP2: 04/12/2008 2:27:48 AM - ComboFix created restore point
RP3: 05/12/2008 5:58:48 AM - System Checkpoint
RP4: 06/12/2008 6:29:27 AM - System Checkpoint
RP5: 07/12/2008 8:32:05 AM - System Checkpoint
RP6: 08/12/2008 8:34:56 AM - System Checkpoint
RP7: 09/12/2008 10:12:43 AM - System Checkpoint
RP8: 10/12/2008 1:58:53 PM - Removed Microsoft Silverlight
RP9: 10/12/2008 2:00:50 PM - Removed Microsoft Office Enterprise 2007
RP10: 11/12/2008 1:43:50 PM - Installed GiPo@FileUtilities 3.2
RP11: 11/12/2008 1:54:15 PM - Revo Uninstaller's restore point - GiPo@FileUtilities 3.2
RP12: 11/12/2008 1:54:29 PM - Removed GiPo@FileUtilities 3.2
RP13: 11/12/2008 1:58:11 PM - Installed Microsoft Office Enterprise 2007
RP14: 11/12/2008 2:10:02 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP15: 11/12/2008 3:04:07 PM - Configured Microsoft Office Enterprise 2007
RP16: 11/12/2008 11:43:50 PM - Software Distribution Service 3.0
RP17: 12/12/2008 6:33:55 PM - Revo Uninstaller's restore point - Disciples 2 Gold Gallean
RP18: 13/12/2008 1:11:48 AM - Installed Microsoft Visual C++ 2005 Redistributable
RP19: 14/12/2008 11:25:48 AM - Software Distribution Service 3.0
RP20: 15/12/2008 11:27:36 AM - System Checkpoint
RP21: 15/12/2008 4:43:38 PM - ComboFix created restore point
RP22: 16/12/2008 7:36:11 AM - ComboFix created restore point
RP23: 16/12/2008 4:30:18 PM - Software Distribution Service 3.0

==== Installed Programs ======================


*edited to save space*

==== Event Viewer Messages ===================

11/12/2008 1:39:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/12/2008 1:37:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/12/2008 1:37:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/12/2008 1:19:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips i8042prt intelppm IPSec kl1 klbg KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
11/12/2008 1:19:29 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2008 1:19:29 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2008 1:19:29 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

[Ried]

What I'd like you to do is try System Restore.

Click Start>All Programs>Accessories>System Tools

• Select System Restore
• Next, select 'Restore my computer to an earlier time'
• On the left side, you will see bolded dates . Select 15/12/2008 4:43:38 PM - ComboFix created restore point
• Follow the on-screen prompts.

Can you boot into Normal Mode without receiving the activation message?

[tanger]

I have successfully restored to 15/12/2008 4:43 and can boot into windows normally without the activation wizard

[Ried]

Please run Combofix.exe again and post the ComboFix.txt

[tanger]

ComboFix 08-12-15.01 - Warren 2008-12-17 21:20:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1490 [GMT -5:00]
Running from: c:\documents and settings\Warren\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-16 07:37 . 2008-12-17 01:20 <DIR> d-ahs---- C:\cmdcons(2)
2008-12-13 01:06 . 2008-12-13 01:06 <DIR> d-------- c:\program files\Nobilis
2008-12-12 11:52 . 2008-12-12 11:54 <DIR> d-------- c:\program files\MathType
2008-12-11 16:02 . 2008-12-11 16:02 <DIR> d-------- c:\windows\nview
2008-12-11 16:02 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-11 16:02 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-11 16:02 . 2008-12-17 01:32 203,520 --a------ c:\windows\system32\nvapps.xml
2008-12-11 16:02 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-11 16:01 . 2008-12-11 16:01 <DIR> d-------- C:\NVIDIA
2008-12-11 14:08 . 2008-12-11 14:08 <DIR> d-------- c:\program files\Microsoft Works
2008-12-11 14:05 . 2008-12-11 15:06 <DIR> d-------- c:\windows\SHELLNEW
2008-12-11 13:43 . 2008-12-11 13:43 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-11 13:37 . 2008-12-17 01:21 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 15:20 . 2008-12-10 15:20 <DIR> d-------- c:\documents and settings\Warren\Application Data\vlc
2008-12-10 14:03 . 2008-12-11 12:46 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-04 00:47 . 2008-12-04 00:47 250 --a------ c:\windows\gmer.ini
2008-12-02 22:50 . 2008-12-02 22:50 79 --a------ c:\windows\wininit.ini
2008-12-02 14:34 . 2008-12-02 14:34 <DIR> d-------- c:\program files\Foxit Software
2008-12-02 11:15 . 2008-12-02 11:15 <DIR> d-------- c:\documents and settings\Warren\Application Data\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 . 2008-11-28 00:34 <DIR> d-------- c:\documents and settings\Warren\Application Data\Design Science
2008-11-28 00:29 . 2008-11-28 14:45 <DIR> d-------- c:\documents and settings\Warren\Application Data\gtk-2.0
2008-11-28 00:22 . 2008-11-28 00:22 <DIR> d-------- c:\documents and settings\Warren\Application Data\Inkscape
2008-11-28 00:21 . 2008-11-28 00:22 <DIR> d-------- c:\program files\Inkscape
2008-11-27 19:10 . 2008-11-27 19:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Alias
2008-11-26 21:24 . 2008-11-26 21:24 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 . 2008-11-26 21:23 <DIR> d-------- c:\program files\ASUS WiFi-AP Solo
2008-11-26 21:23 . 2006-06-16 15:30 176,128 --a------ c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 . 2006-03-31 04:39 13,532 --a------ c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 17:35 . 2008-11-26 17:35 <DIR> d-------- c:\documents and settings\Warren\Application Data\pdf995
2008-11-26 17:35 . 2008-11-26 17:35 28 --a------ c:\windows\pdf995.ini
2008-11-26 17:34 . 2008-11-26 17:35 <DIR> d-------- c:\program files\pdf995
2008-11-26 17:34 . 2008-12-02 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\pdf995
2008-11-26 17:34 . 2008-11-26 17:34 249,856 --a------ c:\windows\system32\pdfmona.dll
2008-11-26 17:34 . 2008-11-26 17:34 51,716 --a------ c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 . 2008-12-02 14:17 59 --a------ c:\windows\wpd99.drv
2008-11-21 23:10 . 2008-11-21 23:10 <DIR> d-------- c:\windows\Sun
2008-11-21 23:08 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-21 23:08 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-21 23:07 . 2008-12-03 09:05 <DIR> d-------- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 02:19 729,120 -csha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-18 02:19 5,668 -csha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-18 02:16 --------- d-----w c:\documents and settings\Warren\Application Data\uTorrent
2008-12-18 00:35 33,960 -csha-w c:\windows\system32\drivers\fidbox.idx
2008-12-18 00:35 3,806,240 -csha-w c:\windows\system32\drivers\fidbox.dat
2008-12-17 06:39 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-17 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-11 21:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 21:02 --------- d-----w c:\program files\AGEIA Technologies
2008-12-11 20:06 --------- d-----w c:\program files\MSBuild
2008-12-10 20:14 --------- d-----w c:\program files\VideoLAN
2008-12-02 19:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 00:10 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-28 00:10 --------- d-----w c:\documents and settings\Warren\Application Data\Autodesk
2008-11-28 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-11-27 02:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 06:10 --------- d-----w c:\program files\WorldOfGoo
2008-11-05 21:41 --------- d-----w c:\program files\iTunes
2008-11-05 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-05 21:40 --------- d-----w c:\program files\QuickTime
2008-11-05 21:40 --------- d-----w c:\program files\iPod
2008-11-05 21:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-05 21:40 --------- d-----w c:\program files\Bonjour
2008-11-05 21:40 --------- d-----w c:\program files\Apple Software Update
2008-11-05 05:02 --------- d-----w c:\program files\VS Revo Group
2008-11-05 03:34 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logitech
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logishrd
2008-11-05 00:42 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-11-05 00:39 --------- d-----w c:\program files\Microsoft SDKs
2008-11-03 22:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-02 00:01 --------- d-----w c:\program files\THQ
2008-11-01 23:34 --------- d-----w c:\program files\Steam
2008-10-30 01:46 --------- d-----w c:\program files\Curve Expert
2008-10-27 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-27 20:23 --------- d-----w c:\documents and settings\Warren\Application Data\My Battle for Middle-earth(tm) II Files
2008-10-27 05:04 --------- d-----w c:\program files\EA GAMES
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 21:30 --------- d-----w c:\program files\Microsoft.NET
2008-10-22 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-22 16:11 --------- d-----w c:\program files\Reference Assemblies
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 14:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-28 16:12 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-07-18 18:06 47,360 -c--a-w c:\documents and settings\Warren\Application Data\pcouffin.sys
2006-06-23 18:48 32,768 -c--a-w c:\windows\inf\UpdateUSB.exe
2004-08-04 12:00 73,728 -csha-w c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

------- Sigcheck -------

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-07-11 23:10 360320 b3acff769e44cc8ae708ab740a52cf5d c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-05-02 17:26 360064 8283a4d489b207991efdc8328733d0bc c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS

2008-05-02 17:11 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-09-28 11:12 507904 679a7259741f6a09994f02ce261b5f2e c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-26 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-04 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-11-16 18:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a--c--- 2005-02-02 03:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 14:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2008-03-14 18:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
-----c--- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2006-12-18 20:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 05:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\warrenlightning\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-26 176128]
R3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys [2008-11-26 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67b0ce98-414d-11dd-94ec-0015af291d0c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Warren\Application Data\Mozilla\Firefox\Profiles\po1w7agd.default\
FF - prefs.js: browser.startup.homepage - www.tsn.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 21:21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\klogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2008-12-17 21:21:51
ComboFix-quarantined-files.txt 2008-12-18 02:21:49
ComboFix2.txt 2008-12-18 02:18:42
ComboFix3.txt 2008-12-16 12:38:36
ComboFix4.txt 2008-12-15 21:45:46

Pre-Run: 175,604,289,536 bytes free
Post-Run: 175,584,694,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noguiboot

260 --- E O F --- 2008-12-17 06:39:16

[Ried]

Ok, now we're back to having a malware copy of winlogon.exe and the infected E:\ drive.


Open your E:\ drive and ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

Tell me if you see this file - E:\t.com

[tanger]

there is no file E:\t.com

[Ried]

Let's try this again.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe


If ComboFix did not reboot the machine, please do so now and return with the C:\ComboFix.txt

[tanger]

After Combofix ran, I had to reboot manually, but now the activation wizard is back and I cannot login.

[Ried]

Then you're just going to have to reactivate Windows. Scroll down toward the bottom of this Microsoft Article for instructions on reactivating by phone.

[tanger]

OK, reactivation is complete

[Ried]

Good. Let's search for remnants.




Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following Settings:

• Action options - Report only
• Second option - Report only

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results" Post the log of the scan results in your next reply

[tanger]

BitDefender Online Scanner







Scan report generated at: Fri, Dec 19, 2008 - 04:04:52









Scan path: C:\Documents and Settings\Warren\Local Settings\Application Data\Microsoft\Messenger\warreng_007@hotmail.com\Sharing Folders;C:\Documents and Settings\Warren\My Documents;C:\Documents and Settings\All Users\Documents;C:\;D:\;E:\;C:\Documents and Settings\Warren\My Documents;C:\Documents and Settings\Warren\Desktop\Ipod Touch Themes;C:\Documents and Settings\Warren\Desktop\War;















Statistics

Time


02:41:24

Files


575720

Folders


14329

Boot Sectors


0

Archives


5567

Packed Files


25912







Results

Identified Viruses


3

Infected Files


7

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


7







Engines Info

Virus Definitions


2362432

Engine build


AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)

Scan plugins


17

Archive plugins


45

Unpack plugins


7

E-mail plugins


6

System plugins


4







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

E:\RECYCLER\S-1-5-21-1844237615-813497703-1708537768-500\De13.Patch-CORE_CRP\keygen.exe


Infected with: Trojan.Generic.372257

E:\RECYCLER\S-1-5-21-1844237615-813497703-1708537768-500\De13.Patch-CORE_CRP\keygen.exe


Deleted

E:\RECYCLER\S-1-5-21-1844237615-813497703-1708537768-500\De20.rar=>WinRar 3.71 final + keygen (Works 100% )\keygen.exe


Infected with: Trojan.Generic.372257

E:\RECYCLER\S-1-5-21-1844237615-813497703-1708537768-500\De20.rar=>WinRar 3.71 final + keygen (Works 100% )\keygen.exe


Deleted

E:\RECYCLER\S-1-5-21-1844237615-813497703-1708537768-500\De20.rar


Update failed

E:\System Volume Information\_restore{A2B50913-712E-43D2-B4E2-5F2F0935FDC3}\RP28\A0004970.exe


Infected with: Trojan.Generic.372257

E:\System Volume Information\_restore{A2B50913-712E-43D2-B4E2-5F2F0935FDC3}\RP28\A0004970.exe


Deleted

E:\[Programs]\EvID4226Patch223d-en\EvID4226Patch.exe


Infected with: Virtool.12372

E:\[Programs]\EvID4226Patch223d-en\EvID4226Patch.exe


Deleted

E:\[Programs]\WinRar 3.71 final + keygen\keygen.exe


Infected with: Trojan.Generic.372257

E:\[Programs]\WinRar 3.71 final + keygen\keygen.exe


Deleted

E:\[Programs]\WPA_Kill_2.0.1\WPA_Kill.exe


Infected with: Virtool.Wpakill.AK

E:\[Programs]\WPA_Kill_2.0.1\WPA_Kill.exe


Deleted

E:\[Programs]\WPA_Kill_2.0.1\WPA_Kill_2.0.1.zip=>WPA_Kill.exe


Infected with: Virtool.Wpakill.AK

E:\[Programs]\WPA_Kill_2.0.1\WPA_Kill_2.0.1.zip=>WPA_Kill.exe


Deleted

E:\[Programs]\WPA_Kill_2.0.1\WPA_Kill_2.0.1.zip


Updated

[Ried]

That should do it, tanger. Your logs are clean - how is the system behaving?

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[tanger]

Ried, thank you VERY VERY much for all your help and guidance through this entire process. My system seems to be behaving perfect right now and I think we can consider this thread resovled.

I just wanted to clarify, when I entered the ComboFix /u command, that uninstalled ComboFix and created a new restore point as well?

Thanks once again.

All the best,

Warren

[Ried]

You're welcome, tanger.

If after running the command, you saw a message that stated ComboFix has uninstalled... then yes, the tool uninstalled and created a new Restore point. Did you see that message?

[tanger]

Yes I did,

Thanks

[Ried]

Then all is well.

Take care, tanger.