BleepingComputer.com: cleanhcl virus

i have the cleanhcl virus, i was instructed to post this here: combofix log, dds logs


CF log


ComboFix 11-06-17.04 - 47 06/17/2011 23:13:30.4.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.5163 [GMT -4:00]
Running from: c:\users\47\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-06-08 21:16 . 2011-06-08 21:16 -------- d-----w- c:\program files (x86)\Activision
2011-06-03 03:34 . 2011-06-03 03:34 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-29 22:42 . 2011-06-05 00:26 -------- d-----w- c:\users\47\AppData\Roaming\Gearbox Software
2011-05-22 04:00 . 2011-06-16 01:10 -------- d-----w- c:\users\47\Tracing
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-10-01 05:35 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-10-01 05:35 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 04:57 . 2010-08-04 23:48 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-05-29 04:57 . 2010-05-12 05:45 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-05-29 01:52 . 2010-08-04 23:48 280768 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-05-28 19:21 . 2011-05-13 02:43 0 ----a-w- c:\users\47\AppData\Local\Arubijiwawan.bin
2011-03-21 13:58 . 2011-05-08 03:56 152064 ----a-w- c:\windows\SysWow64\xvid.ax
2011-03-21 13:57 . 2011-05-08 03:56 173056 ----a-w- c:\windows\system32\xvid.ax
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-05-12 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-05-12 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-06-16_01.35.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 00:22 . 2011-06-18 03:05 27938 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-06-18 03:05 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-14 23:15 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-12 12:07 . 2011-06-18 03:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 12:07 . 2011-06-14 23:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 12:07 . 2011-06-14 23:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 12:07 . 2011-06-18 03:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-14 23:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-18 03:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:10 . 2011-06-18 03:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-14 23:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-14 23:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-06-18 03:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-06-18 03:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-14 23:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-14 23:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 00:10 . 2011-06-18 03:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-14 23:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:10 . 2011-06-18 03:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:11 . 2011-06-18 03:05 4024 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-391758201-2664969089-1042611905-1001_UserData.bin
+ 2011-06-18 03:15 . 2011-06-18 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-16 01:35 . 2011-06-16 01:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-16 01:35 . 2011-06-16 01:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-18 03:15 . 2011-06-18 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-06-14 23:19 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-18 03:09 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-18 03:09 103496 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-06-14 23:19 103496 c:\windows\system32\perfc009.dat
- 2011-02-08 08:09 . 2011-06-16 01:35 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-02-08 08:09 . 2011-06-18 03:14 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2011-06-16 01:35 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-06-18 03:14 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-05-12 01:16 . 2011-06-16 01:35 14471624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-8192.dat
+ 2010-05-12 01:16 . 2011-06-18 03:14 14471624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-27 336384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 cpuz130;cpuz130;c:\users\47\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-18 79360]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM10864.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]
S3 ALSysIO;ALSysIO;c:\users\47\AppData\Local\Temp\ALSysIO64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.5
FF - ProfilePath - c:\users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:71,8f,a0,ad,1d,07,75,17,f0,f4,88,09,d0,64,c7,87,4d,0a,e1,ab,4c,d6,66,
6c,2f,fd,d3,1e,dd,b4,cb,28,a7,35,7c,c1,f6,c1,7d,2c,84,bc,93,96,5f,d8,20,56,\
"??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:0f,87,5f,33,f3,25,c2,3f,a1,d1,a3,4c,3b,8a,1c,84,2e,ff,45,8a,bb,
ca,68,08,cc,a4,be,8d,8f,17,02,37,d5,99,ad,b6,9d,26,f1,d7,69,5d,98,41,33,3b,\
"rkeysecu"=hex:cb,7d,35,d1,20,7c,81,52,ac,e8,48,22,16,64,f0,1a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-06-17 23:16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 03:16
ComboFix2.txt 2011-06-16 03:14
ComboFix3.txt 2011-06-16 01:50
ComboFix4.txt 2011-06-16 01:37
.
Pre-Run: 11,513,876,480 bytes free
Post-Run: 11,280,084,992 bytes free
.
- - End Of File - - 63D50BA5BB00162ED36EBFFA1BDD105C













DDS log


.
DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by 47 at 23:09:57 on 2011-06-17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4983 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Users\47\Desktop\Core Temp\Core Temp.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\svchost.exe -k swprv
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.5
TCP: Interfaces\{15DF88D7-7B26-484D-B776-8385432E251D} : DhcpNameServer = 192.168.0.5
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-17 79360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-06-16 03:13:18 -------- d-----w- C:\$RECYCLE.BIN
2011-06-16 01:33:06 98816 ----a-w- C:\Windows\sed.exe
2011-06-16 01:33:06 518144 ----a-w- C:\Windows\SWREG.exe
2011-06-16 01:33:06 256512 ----a-w- C:\Windows\PEV.exe
2011-06-16 01:33:06 208896 ----a-w- C:\Windows\MBR.exe
2011-06-16 01:32:41 -------- d-----w- C:\Windows\pss
2011-06-08 21:16:40 -------- d-----w- C:\Program Files (x86)\Activision
2011-06-03 03:34:04 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-22 04:00:47 14744 ----a-w- C:\Users\47\AppData\Roaming\Microsoft\IdentityCRL\production\ppcrlconfig.dll
2011-05-22 04:00:39 -------- d-----w- C:\Users\47\Tracing
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-05-29 01:52:32 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-03-21 13:58:03 152064 ----a-w- C:\Windows\SysWow64\xvid.ax
2011-03-21 13:57:44 173056 ----a-w- C:\Windows\System32\xvid.ax
.
============= FINISH: 23:10:07.28 ===============














DDS attach


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 5/11/2010 8:09:24 PM
System Uptime: 6/17/2011 11:03:37 PM (0 hours ago)
.
Motherboard: EVGA | | 141-BL-E757
Processor: Intel® Core™ i7 CPU 930 @ 2.80GHz | Socket 423 | 3980/190mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 10.291 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 12.03 GiB free.
E: is FIXED (NTFS) - 112 GiB total, 19.207 GiB free.
F: is CDROM (UDF)
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&136CDFB0&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&136CDFB0&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP163: 6/5/2011 11:38:18 PM - Scheduled Checkpoint
RP164: 6/8/2011 5:37:23 PM - Installed DirectX
RP165: 6/14/2011 7:12:08 PM - Installed Console Launcher
.
==== Installed Programs ======================
.
µTorrent
AC3Filter 1.62b
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
ATI Catalyst Registration
Bandisoft MPEG-1 Decoder
Batman: Arkham Asylum
Battlefield: Bad Company 2
BitMeter
Brothers in Arms: Earned in Blood
Call of Duty: Black Ops
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help English
Counter-Strike: Source
Creative Audio Control Panel
Creative Console Launcher
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
DivX Setup
Fallout: New Vegas
Google Update Helper
Java Auto Updater
Java™ 6 Update 21
Left 4 Dead 2
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
Mumble 1.2.3
NVIDIA PhysX
OpenAL
Portal
PowerISO
PunkBuster Services
Rawr
SpeedFan (remove only)
StarCraft II
Steam
Team Fortress 2
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.18
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Player Firefox Plugin
World of Warcraft
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
6/17/2011 11:04:06 PM, Error: Service Control Manager [7001] - The HomeGroup Listener service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/17/2011 11:03:44 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 7 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 6 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 5 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 4 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 3 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 2 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 1 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/17/2011 11:03:40 PM, Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 0 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
6/15/2011 9:47:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
6/15/2011 9:43:10 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/15/2011 9:42:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/15/2011 9:42:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/15/2011 9:42:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
6/15/2011 9:42:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/15/2011 9:42:51 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr sptd tdx Wanarpv6 WfpLwf
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/15/2011 9:42:51 PM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
6/15/2011 9:42:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/15/2011 9:42:42 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
6/15/2011 9:34:55 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
6/15/2011 11:20:23 PM, Error: Service Control Manager [7034] - The Creative Audio Service service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 11:12:38 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/15/2011 11:10:46 PM, Error: Application Popup [1060] - \??\C:\32788R22FWJFW\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================

bump

please help :D

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Blade
Forum Global Moderator

This post has been edited by Blade Zephon: 20 June 2011 - 10:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:





Elle

i have the cleahlc rootkit(i think) . it shows up in my msconfig startup items. it causes popups in firefox.

no GMAR because im running win7 64bit

i dont have antivirus, will get after i fix this.




.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by 47 at 14:43:14 on 2011-06-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.5077 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Users\47\Desktop\Core Temp\Core Temp.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.5
TCP: Interfaces\{15DF88D7-7B26-484D-B776-8385432E251D} : DhcpNameServer = 192.168.0.5
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-17 79360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-06-26 18:12:28 -------- d-----w- C:\$RECYCLE.BIN
2011-06-22 06:19:35 4005936 ----a-w- C:\Windows\SysWow64\GameMon.des
2011-06-22 06:19:31 5174 ----a-w- C:\Windows\SysWow64\nppt9x.vxd
2011-06-22 06:19:31 4682 ----a-w- C:\Windows\SysWow64\npptNT2.sys
2011-06-22 06:19:29 -------- d-----w- C:\Program Files\Common Files\INCA Shared
2011-06-19 20:26:20 -------- d-----w- C:\Users\47\AppData\Local\The Witcher 2
2011-06-16 01:33:06 98816 ----a-w- C:\Windows\sed.exe
2011-06-16 01:33:06 518144 ----a-w- C:\Windows\SWREG.exe
2011-06-16 01:33:06 256512 ----a-w- C:\Windows\PEV.exe
2011-06-16 01:33:06 208896 ----a-w- C:\Windows\MBR.exe
2011-06-16 01:32:41 -------- d-----w- C:\Windows\pss
2011-06-08 21:16:40 -------- d-----w- C:\Program Files (x86)\Activision
2011-06-03 03:34:04 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-05-29 01:52:32 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
.
============= FINISH: 14:43:26.03 ===============

This post has been edited by gypsyovrlord: 26 June 2011 - 01:50 PM

Hi,

Run ComboFix again (let it update itself). Post back its report + fresh dds logs (attach.txt too).

ComboFix 11-07-03.01 - 47 07/03/2011 20:42:42.6.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.5078 [GMT -4:00]
Running from: c:\users\47\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-04 00:44 . 2011-07-04 00:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-04 00:44 . 2011-07-04 00:44 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-06-22 06:19 . 2011-06-06 16:36 4005936 ----a-w- c:\windows\SysWow64\GameMon.des
2011-06-22 06:19 . 2005-01-02 03:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys
2011-06-22 06:19 . 2003-07-18 12:17 5174 ----a-w- c:\windows\SysWow64\nppt9x.vxd
2011-06-22 06:19 . 2011-06-22 06:19 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-06-19 20:26 . 2011-06-19 20:26 -------- d-----w- c:\users\47\AppData\Local\The Witcher 2
2011-06-08 21:16 . 2011-06-08 21:16 -------- d-----w- c:\program files (x86)\Activision
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 03:34 . 2011-06-03 03:34 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-29 13:11 . 2010-10-01 05:35 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-10-01 05:35 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 04:57 . 2010-08-04 23:48 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-05-29 04:57 . 2010-05-12 05:45 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-05-29 01:52 . 2010-08-04 23:48 280768 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-05-28 19:21 . 2011-05-13 02:43 0 ----a-w- c:\users\47\AppData\Local\Arubijiwawan.bin
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-05-12 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-05-12 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-06-26_18.12.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 00:22 . 2011-07-04 00:22 29270 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-07-04 00:22 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-26 18:00 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-05-12 12:07 . 2011-06-26 17:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 12:07 . 2011-07-04 00:20 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 12:07 . 2011-07-04 00:20 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-12 12:07 . 2011-06-26 17:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-04 00:20 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-26 17:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-04 00:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-04 00:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-04 00:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-04 00:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 00:10 . 2011-07-04 00:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:11 . 2011-07-04 00:22 4024 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-391758201-2664969089-1042611905-1001_UserData.bin
- 2010-05-12 00:11 . 2011-06-26 18:00 4024 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-391758201-2664969089-1042611905-1001_UserData.bin
- 2011-06-26 18:12 . 2011-06-26 18:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-04 00:45 . 2011-07-04 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-26 18:12 . 2011-06-26 18:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-04 00:45 . 2011-07-04 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-06-26 18:05 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-07-04 00:26 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-07-04 00:26 103496 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-06-26 18:05 103496 c:\windows\system32\perfc009.dat
- 2009-07-14 05:12 . 2011-06-26 01:58 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2011-07-03 22:13 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-02-08 08:09 . 2011-07-04 00:44 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-02-08 08:09 . 2011-06-26 18:08 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2011-07-04 00:44 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-06-26 18:08 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:34 . 2011-06-28 20:26 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-06-22 06:06 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2010-05-12 01:16 . 2011-07-04 00:44 17308676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-27 336384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 cpuz130;cpuz130;c:\users\47\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-18 79360]
R3 dump_wmimmc;dump_wmimmc;e:\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM10864.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]
S3 ALSysIO;ALSysIO;c:\users\47\AppData\Local\Temp\ALSysIO64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.5
FF - ProfilePath - c:\users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:71,8f,a0,ad,1d,07,75,17,f0,f4,88,09,d0,64,c7,87,4d,0a,e1,ab,4c,d6,66,
6c,2f,fd,d3,1e,dd,b4,cb,28,a7,35,7c,c1,f6,c1,7d,2c,84,bc,93,96,5f,d8,20,56,\
"??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\License information*]
"datasecu"=hex:0f,87,5f,33,f3,25,c2,3f,a1,d1,a3,4c,3b,8a,1c,84,2e,ff,45,8a,bb,
ca,68,08,cc,a4,be,8d,8f,17,02,37,d5,99,ad,b6,9d,26,f1,d7,69,5d,98,41,33,3b,\
"rkeysecu"=hex:cb,7d,35,d1,20,7c,81,52,ac,e8,48,22,16,64,f0,1a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-07-03 20:46:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-04 00:46
ComboFix2.txt 2011-06-26 18:13
ComboFix3.txt 2011-06-18 03:16
ComboFix4.txt 2011-06-16 03:14
ComboFix5.txt 2011-07-04 00:42
.
Pre-Run: 8,551,419,904 bytes free
Post-Run: 8,564,797,440 bytes free
.
- - End Of File - - 4CCED069FDE80FAB7C4A978F6A76F048














.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by 47 at 20:49:46 on 2011-07-03
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.5243 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Users\47\Desktop\Core Temp\Core Temp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.5
TCP: Interfaces\{15DF88D7-7B26-484D-B776-8385432E251D} : DhcpNameServer = 192.168.0.5
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-17 79360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-07-04 00:45:13 -------- d-----w- C:\$RECYCLE.BIN
2011-06-22 06:19:35 4005936 ----a-w- C:\Windows\SysWow64\GameMon.des
2011-06-22 06:19:31 5174 ----a-w- C:\Windows\SysWow64\nppt9x.vxd
2011-06-22 06:19:31 4682 ----a-w- C:\Windows\SysWow64\npptNT2.sys
2011-06-22 06:19:29 -------- d-----w- C:\Program Files\Common Files\INCA Shared
2011-06-19 20:26:20 -------- d-----w- C:\Users\47\AppData\Local\The Witcher 2
2011-06-16 01:33:06 98816 ----a-w- C:\Windows\sed.exe
2011-06-16 01:33:06 518144 ----a-w- C:\Windows\SWREG.exe
2011-06-16 01:33:06 256000 ----a-w- C:\Windows\PEV.exe
2011-06-16 01:33:06 208896 ----a-w- C:\Windows\MBR.exe
2011-06-16 01:32:41 -------- d-----w- C:\Windows\pss
2011-06-08 21:16:40 -------- d-----w- C:\Program Files (x86)\Activision
.
==================== Find3M ====================
.
2011-06-03 03:34:04 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-05-29 01:52:32 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
.
============= FINISH: 20:49:56.22 ===============

This post has been edited by gypsyovrlord: 03 July 2011 - 07:55 PM

Hi again,

Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here or get Foxit Reader here. Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 26.
  
• Click the
  Download
  button to the right.
  
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
  
• The page will refresh.
  
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Let Firefox update itself to version 5.0.


* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Click Start
  
• Make sure that the option Remove found threats is UNchecked.
  
• Click Scan
  
• Wait for the scan to finish.

Post back its report & a fresh dds.txt log. Still symptoms left?

did all steps in order.

uninstalled java
reboot
installed new java
uninstalled firefox
installed new firefox
ran ESET
ran dds

cleanhlc still remains in my start menu in msconfig (unchecked, but there) . from what i have head is that it's a rootkit.


ESET report was : no threats

big question: should all or any of this be done in safe mode ?

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by 47 at 2:46:21 on 2011-07-05
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4533 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Users\47\Desktop\Core Temp\Core Temp.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 192.168.0.5
TCP: Interfaces\{15DF88D7-7B26-484D-B776-8385432E251D} : DhcpNameServer = 192.168.0.5
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-17 79360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-07-05 06:34:43 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-05 06:17:48 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-07-04 02:05:14 -------- d-----w- C:\$RECYCLE.BIN
2011-06-22 06:19:35 4005936 ----a-w- C:\Windows\SysWow64\GameMon.des
2011-06-22 06:19:31 5174 ----a-w- C:\Windows\SysWow64\nppt9x.vxd
2011-06-22 06:19:31 4682 ----a-w- C:\Windows\SysWow64\npptNT2.sys
2011-06-22 06:19:29 -------- d-----w- C:\Program Files\Common Files\INCA Shared
2011-06-19 20:26:20 -------- d-----w- C:\Users\47\AppData\Local\The Witcher 2
2011-06-16 01:33:06 98816 ----a-w- C:\Windows\sed.exe
2011-06-16 01:33:06 518144 ----a-w- C:\Windows\SWREG.exe
2011-06-16 01:33:06 256000 ----a-w- C:\Windows\PEV.exe
2011-06-16 01:33:06 208896 ----a-w- C:\Windows\MBR.exe
2011-06-16 01:32:41 -------- d-----w- C:\Windows\pss
2011-06-08 21:16:40 -------- d-----w- C:\Program Files (x86)\Activision
.
==================== Find3M ====================
.
2011-06-03 03:34:04 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-29 13:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-05-29 04:57:59 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-05-29 01:52:32 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
.
============= FINISH: 2:46:32.03 ===============

This post has been edited by gypsyovrlord: 05 July 2011 - 01:57 AM

Hi,

All steps should be taken in normal mode by default if it's accessible.

Please download the Registry Search tool by clicking on the
hard drive icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for cleanhlc and click OK. Post the logfile from the tool here for me.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "cleanhlc" 7/6/2011 12:51:22 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cleanhlc.lnk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]
"backup"="C:\\Windows\\pss\\cleanhlc.lnk.CommonStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]
"command"="C:\\Users\\47\\AppData\\Local\\cleanhlc.exe "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]
"item"="cleanhlc"

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\47\AppData\Local\Arubijiwawan.bin
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cleanhlc.lnk
C:\Windows\pss\cleanhlc.lnk.CommonStartup
C:\Users\47\AppData\Local\cleanhlc.exe
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^cleanhlc.lnk]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. Also, run the Registry Search tool again like you did earlier.

yaaaaaaaaaaay !!! looks like its fixed.

thank you so much !



ComboFix 11-07-06.05 - 47 07/06/2011 23:18:57.8.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4813 [GMT -4:00]
Running from: c:\users\47\Desktop\ComboFix.exe
Command switches used :: c:\users\47\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\cleanhlc.lnk"
"c:\users\47\AppData\Local\Arubijiwawan.bin"
"c:\users\47\AppData\Local\cleanhlc.exe"
"c:\windows\pss\cleanhlc.lnk.CommonStartup"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\47\AppData\Local\Arubijiwawan.bin
c:\windows\pss\cleanhlc.lnk.CommonStartup
c:\windows\TEMP\~A87E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-06-07 to 2011-07-07 )))))))))))))))))))))))))))))))
.
.
2011-07-07 03:20 . 2011-07-07 03:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-07 03:20 . 2011-07-07 03:20 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-07-07 00:38 . 2011-07-07 00:38 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-06 04:50 . 2011-07-06 04:50 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-07-05 06:34 . 2011-07-05 06:34 -------- d-----w- c:\program files (x86)\ESET
2011-07-05 06:23 . 2011-07-05 06:24 -------- d-----w- c:\program files\Java
2011-07-05 06:17 . 2011-07-05 06:24 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-22 06:19 . 2011-06-06 16:36 4005936 ----a-w- c:\windows\SysWow64\GameMon.des
2011-06-22 06:19 . 2005-01-02 03:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys
2011-06-22 06:19 . 2003-07-18 12:17 5174 ----a-w- c:\windows\SysWow64\nppt9x.vxd
2011-06-22 06:19 . 2011-06-22 06:19 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-06-19 20:26 . 2011-06-19 20:26 -------- d-----w- c:\users\47\AppData\Local\The Witcher 2
2011-06-08 21:16 . 2011-07-06 06:58 -------- d-----w- c:\program files (x86)\Activision
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-10-01 05:35 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-10-01 05:35 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 04:57 . 2010-08-04 23:48 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-05-29 04:57 . 2010-05-12 05:45 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-05-29 01:52 . 2010-08-04 23:48 280768 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-05-12 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-05-12 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-06-26_18.12.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 00:22 . 2011-07-07 00:05 29784 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-26 18:00 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-07-07 00:05 26700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-05-12 12:07 . 2011-06-26 17:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 12:07 . 2011-07-07 00:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 12:07 . 2011-07-07 00:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-12 12:07 . 2011-06-26 17:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-26 17:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-07 00:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 00:10 . 2011-07-07 00:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-07 00:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-07 00:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-12 00:10 . 2011-07-07 00:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-12 00:10 . 2011-06-26 17:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-12 00:10 . 2011-07-07 00:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-06-20 01:02 . 2011-06-20 01:02 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2010-05-12 00:11 . 2011-07-07 00:05 4056 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-391758201-2664969089-1042611905-1001_UserData.bin
- 2011-06-26 18:12 . 2011-06-26 18:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 03:21 . 2011-07-07 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-07 03:21 . 2011-07-07 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-06-26 18:12 . 2011-06-26 18:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:38 . 2011-07-07 00:38 243360 c:\windows\SysWOW64\Macromed\Flash\FlashUtil10u_Plugin.exe
- 2009-07-14 02:36 . 2011-06-26 18:05 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-07-07 00:10 615122 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-06-26 18:05 103496 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-07-07 00:10 103496 c:\windows\system32\perfc009.dat
+ 2011-07-05 06:24 . 2011-07-05 06:24 190752 c:\windows\system32\javaws.exe
+ 2011-07-05 06:24 . 2011-07-05 06:24 171808 c:\windows\system32\javaw.exe
+ 2011-07-05 06:24 . 2011-07-05 06:24 171808 c:\windows\system32\java.exe
- 2009-07-14 05:12 . 2011-06-26 01:58 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2011-07-03 22:13 245760 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-02-08 08:09 . 2011-06-26 18:08 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-02-08 08:09 . 2011-07-07 03:20 412224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2011-07-07 03:20 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-06-26 18:08 234392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-06-25 03:04 . 2011-07-05 06:58 503726 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-12288.dat
- 2010-06-25 03:04 . 2011-06-03 05:33 503726 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-12288.dat
+ 2011-07-05 06:22 . 2011-07-05 06:22 528896 c:\windows\Installer\2dccc.msi
- 2011-06-20 01:02 . 2011-06-20 01:02 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2011-07-07 00:38 . 2011-07-07 00:38 6271648 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
- 2009-07-14 02:34 . 2011-06-22 06:06 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-07-07 00:44 9437184 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-06-06 20:45 . 2011-06-06 20:45 2318848 c:\windows\Installer\d39e.msi
- 2011-06-20 01:02 . 2011-06-20 01:02 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2011-06-20 01:02 . 2011-06-20 01:02 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-07-06 06:15 . 2011-07-06 06:15 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-05-12 01:16 . 2011-07-07 03:20 17724519 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-391758201-2664969089-1042611905-1001-8192.dat
+ 2011-05-04 14:50 . 2011-05-04 14:50 15020544 c:\windows\Installer\2dcd0.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-27 336384]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 cpuz130;cpuz130;c:\users\47\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-18 79360]
R3 dump_wmimmc;dump_wmimmc;e:\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM10864.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]
S3 ALSysIO;ALSysIO;c:\users\47\AppData\Local\Temp\ALSysIO64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-06 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.5
FF - ProfilePath - c:\users\47\AppData\Roaming\Mozilla\Firefox\Profiles\9w1u3ayj.default\
FF - prefs.js: browser.startup.homepage - torontodarkly.ca
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:71,8f,a0,ad,1d,07,75,17,f0,f4,88,09,d0,64,c7,87,4d,0a,e1,ab,4c,d6,66,
6c,2f,fd,d3,1e,dd,b4,cb,28,a7,35,7c,c1,f6,c1,7d,2c,84,bc,93,96,5f,d8,20,56,\
"??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
.
[HKEY_USERS\S-1-5-21-391758201-2664969089-1042611905-1001\Software\SecuROM\License information*]
"datasecu"=hex:0f,87,5f,33,f3,25,c2,3f,a1,d1,a3,4c,3b,8a,1c,84,2e,ff,45,8a,bb,
ca,68,08,cc,a4,be,8d,8f,17,02,37,d5,99,ad,b6,9d,26,f1,d7,69,5d,98,41,33,3b,\
"rkeysecu"=hex:cb,7d,35,d1,20,7c,81,52,ac,e8,48,22,16,64,f0,1a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-07-06 23:22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-07 03:22
ComboFix2.txt 2011-07-04 02:06
ComboFix3.txt 2011-07-04 00:46
ComboFix4.txt 2011-06-26 18:13
ComboFix5.txt 2011-07-07 03:18
.
Pre-Run: 4,287,012,864 bytes free
Post-Run: 3,846,496,256 bytes free
.
- - End Of File - - CC4D10E7A7EE7790B991385A174D4DF7

This post has been edited by gypsyovrlord: 06 July 2011 - 10:29 PM

Good. Let's see the final steps then


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

A To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 7. select Restore system settings and previous versions of files -option.



Now lets uninstall ComboFix:

• Click START then RUN
  
• Now copy-paste Combofix /uninstall in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.
  
• Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
  Antivir
  Avast!
  Good commercial ones are from:
  Kaspersky and
  ESET

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

thank u again, Blade :D

do i still need to do all that IE stuff even though i dont use IE? I use firefox. or is IE part of windows?

Hi,

IE components are used by many programs and that's one reason for keeping latest version updates installed for it.

thank you :D