I've been trying to figure this one out for months and keep thinking I'm
just paranoid. Not being an XP expert (silicon and systems design) it took
me awhile to find all the pieces I'm still sorting out.
I'm DEFINATELY on a remote desktop, SuS is installed, MMC console appears to
be modified (mmccmdmgr.dll) w/ VB6 and the CD-Rom(s) are redirected and don't
give me what's really on them or "read them". Downloaded packages are
"signed". but the time stamp is off by a year or more, and they contain
things they shouldn't.
The USB drivers I downloaded from ViaForum are filled with QFE fills for
instance.
Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
stuff into the BIOS DMI).
All virus scans and spyware come back negative, but have realized, at least
in some cases, it either kills the app I started (Norton 2005) and starts an
older version (Norton 2002) or else it scans a clean part of the disk only.
(There's some disk space I can't access and found some code that looked like
it would return a "sector error" w/o the key).
I know this sounds like the ultimate paranoid delusion, but I'm sure it's
there. Although to be fair, until December when this first started to become
obvious, my security inside the firewall was pretty terrible. Since I had
tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
-- it's possible someone or some program had a lot of time to set all this
stuff up. I also had 2003 server on the network, just to install (and
thought I had remove all the others from the network), and could have done
something then..although nothing intentional and certainly not too the extent
that I see (Like NT/2000 files).
My first question is: What's the cleanest way to remove SuS and get the
correct CAT files back and being referenced on XP Home? (SFC scan asks for a
2000 disk, which I obviously don't have).
Second question: While this may be just be, I've seen similar behavior on
friends computers (although they've all had some sort of contact with my
environment). Is there a quick way to detect SuS and some boot server
running?
Last Question: Anyone EVER heard of this? Is this a know issue I just
haven't been able to find anything about?
I'm happy to share bunches of data with anyone that wants it (or thinks I'm
just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
back up and fix them through group and local policy changes, but it would be
nice if there was an easier fix.
Regards,
SRGriffin
On a compaq laptop I took apart to replace the DVD Drive, among other things
(Bought it new from Circuit City).
Ghost Wipe the drive, then loaded the OS image with the Compaq restore
disks(4 CDs). Loaded SP2 from CD from MS. Loaded Norton Security 2005,
Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
containing any .Cab files or other possible installation sources. Cleaned
registry with "fix-it" default, safe settings.
Connected to direct internet connection to get updates and then
disconnected....
One of the updates automatically downloaded...Virtual PC Update!??
Hidden devices in control panel include: ACPI-Complient Embedded Controller;
AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more but realize some might
be XP standard ???
SQL Server and ISS appear to be install, but can't update them. IE 4.0 gets
installed and IEAK.
All computers have registry settings for:
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ\0818\06040000
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: 00000000
Type: REG_BINARY
Data: <<Nearly 10kb in data follow>>
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port
0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: Identifier
Type: REG_SZ
Data: FUJITSU MHR2030AT
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware
Abstraction Layer\ACPI Compatible Eisa/Isa HAL
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: .Raw
Type: REG_RESOURCE_LIST
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
Data: {7B3125F4-F14D-11D1-BE0C-000000000000}
HLM\System\CurrentControlSet\Services\Abiosdsk
HLM\System\CurrentControlSet\Services\basic2\enum\0
HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum\0
HLM\System\CurrentControlSet\Services\dmadmin\
HLM\System\CurrentControlSet\Services\dmboot\
HLM\System\CurrentControlSet\Services\dmio\
HLM\System\CurrentControlSet\Services\EABFilter --> image:
\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
HLM\System\CurrentControlSet\Services\MSPQM --> image:
system32\drivers\MSPQM.sys
HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4
System>>
HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
HLM\System\CurrentControlSet\Services\RASl2tp
HLM\System\CurrentControlSet\Services\RASMan
HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing
Enabled>>>
HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HLM\System\CurrentControlSet\Services\Simbad
HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface\1 --> 1
HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known
Guids\AppleTalk \IsoTp \McsXns
HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\image ==> winrnr.dll
HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\SerivceDll -->
wuauserv.dll
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1\
HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
...\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
....\filter..\FSFilter {cluster,compression,replication, top....}
HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv 1_0
HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir
\ProgramFilesDir
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
\Optional \Posix... \Windows
HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
HLM\SYSTEM\CurrentControlSet\Control\Session
Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
<<Notice Offset on Hard drive>>
HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control
HLM\SOFTWARE\ATI Technologies\CDS\System\0
HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir
HCU\Software\Microsoft\IEAK
HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
HRZR_PGYPHNPbhag:pgbe
HCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012005041820050419
Partition Commander (scout) log: [small portion]
==============START OF PARTITION MANAGER ============
Drive 0 (ATA) - Validated
From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
Cylinders = 3648 Tracks = 255 Sectors/track = 63
From controller: 27.944 GB Total sectors = 58605120
Cylinders = 16383 Tracks = 16 Sectors/track = 63
HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
Supports drive > 137 GB
Features: power=yes, removable=no, fault-detect=yes, security=yes
(0009)
Host protected area supported & enabled w/48-bit addr. (none used)
Drive & --Starting-- ---Ending--- -------Sectors------- ---Size
in GB-- Clust
Partition ID Sec Hd Cyl Sec Hd Cyl First Total Total
Unused size Volume label
C: +0-0 07 1 1 0 63 254 1023 63 58605057 27.944
FSv3.1 4K
0-1 00 0 0 0 0 0 0 0 0 0
- -
0-2 00 0 0 0 0 0 0 0 0 0
- -
0-3 00 0 0 0 0 0 0 0 0 0
- -
~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
3) Media descriptor byte (never below F0h) F8
4) Sectors per track (should match the disk) 63
5) Tracks per cylinder (should match the disk) 255
6) Total sectors from the partition entry 58605057
7) Total sectors from boot (should match partition) 58605056
8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
9) File system ID "NTFS "
10) Start of the MFT 804864
11) Start of the MFT copy 2098486
12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
13) Clusters per index record (power of 2 or F4h for 4K) 01h
14) Volume label ""
==========================END OF PARTITION MGR==========================
Any other thoughts or comments? Still working on getting server up to
manage these better....will that work with Home?
The laptop had win2000 installed on it.....AND the server was "infected"
too, but since it couldn't "trump" the domain rights it was relatively easy
to update security policies and fix.
So, on the "clean laptop install" and the "clean Sever 2003" install I had
win2000 installed also. I guess the real problem....posix was also
"installed". So POSSIBLY the server machine was just "infected" before.
But...this leads me to a bigger question...
How can this be confirmed w/o a Server handy and how many other people have
this same problem?? Seems like this could explain A LOT of things going on
lately....Internet Storm, Strange Permissions and such I see posted all over.
Oh, by the way...since Win2000 was in control, the other boot was still
WinXP SP1 even though I installed SP2 with a MS CD! Sure looked like it was
installed...but apparently it was uninstalled!
Very Disturbing....I'm guessing I know of of few others with this problem as
well.
From your description, there appears only one way out - retrieve data files
only, fdisk, and rebuild all the systems. I won't say it sounds like a root
kit 'cos I have never come across one (there is rootkitrevealer) so don't
know, but this sounds so sick fdisk is surely the only way forwards -
keeping infected systems powered off and off the network (IE all systems ).
"SRGriffin" <SRGr...@discussions.microsoft.com> wrote in message
news:9D79577F-54A0-4CE8...@microsoft.com...
--
markholmes
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message1024236.html
I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THE
FIRST BOOTUP...I SWEAR. THIS IS AN AMAZING VIRUS.
ANY HELP?
MY SYMPTOMS ARE THE SAME AS YOURS. I'LL POST MY HIJACKTHIS FILE...BUT
IT DOESNT REVEAL ANYTHING. I'M ON A WINDOWS MEDIA COMPUTER...I'VE
RELOADED THE SOFTWARE, REFORMATED...100's OF TIMES OVER THE PAST 6
MONTHS. IT CONTROLS EVERYTHING. CD...FLOPPY...DOS...COMMAND LINE. IT
WILL RUN AN HIDDEN UNINSTALLER RITE NEXT TO YOUR APPLICATION THAT
THREATENS IT. ANTIVIRUS...FIREWALLS...A JOKE!
THIS VIRUS IS EVEN ON MY DADS MACINTOSH. IT HAS DIFFERENT
SYMPTOMS...BUT HE HAS HAD PROFESSIONALS TRY TO FIX IT...WE HAVE BOTTH
SENT OUR COMPUTER IN TO THE PRO'S. THEY CAN'T FIX IT EITHER...THEY SEE
A COMPLETELY DIFFERENT REGISTRY. HOW DO YOU FIX THAT? BUY A NEW
COMPUTER? THE FILES / REGISTRY / COMPUTER YOU BOUGHT ARE NEVER GOING
TO BE THERE....I'M GLAD YOU FIXED YOURS.
I HAVE THOUGHT MINE WAS FIXED. I HAVE DOWNLOADED EVERY TROJAN / VIRUS
PROGRAM KNOWN...YES THEY CLAIM TO FIX THE MANY INFECTIONS ----------
BUT DAYS...WEEKS...THE COMPUTERS GONE!
YOU CAN READ IN THE REGISTRY HOW POWERFUL THIS VIRUS IS...IT HAS
COMPLETE CONTROL OF EVERYTHING. I EVEN THINK IT RUINED MY SONY CLIE
AND HAD CONTROL OF MY HP PRINTER...ANY INFRARED / BLUETOOTH, ETC. IT
ATTACKS.
MY DAD CANNOT STOP HIS MAC FROM BEING A SERVER. ITS A MESS...WE CANT
TERMINATE IT FROM USING ITS AIRPORT SERVICE...AND I'M SURE IT IS A PATH
TO INFECT / REINFECT.
I'M ILL.
PLEASE HELP.
I'VE SEEN OTHER PEOPLE CALL THIS THE TERMINAL SERVICE TROJAN.
IF THIS IS THE BIGGEST THREAT IN PC SECURITY...WHY ISN'T MICROSOFT...OR
THE ANTIVIRUS COMPANIES ALL OVER THIS?
I KNOW THAT NOT TOO MANY PEOPLE ARE INFECTED...BECAUSE IT LITERALLY
RUINES LIVES...I'VE READ A FEW POSTS THAT MAKE MINE SEEM SANE.
ALSO ... AMONG A MILLION THINGS OBVIOUS IN THE REGISTRY (BUT ONLY IN
THE REGISTRY!) PEOPLE MENTION THINGS LIKE WATCHDOG AND TIM BOMB ---
LOTS OF LEGACY STUFF... MOST EVERYTHING IN THE %SYSTEMROOT%...OR SOME
DRIVE LIKE .... HERES ONE FOR A CD....
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{1186654d-47b8-48b9-beb9-7df113ae3c67}\##?#IDE#CdRomHL-DT-ST_CD-RW_GCE-8527B________________1.01____#5&3aadb0d2&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}
ANYWAY...ALL HELP IS APPRECIATED!
Logfile of HijackThis v1.99.1
Scan saved at 2:32:43 AM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\SSuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://wwww.yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD
& DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program
Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://tinyurl.com/gxu22
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
- http://tinyurl.com/jzkj6
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA,
Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
]-Originally posted by SRGriffin -
*Here are a few more details:
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://tinyurl.com/e8zax
HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
....\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
.....\filter..\FSFilter {cluster,compression,replication, top....}
==========================END OF PARTITION
MGR==========================
"SRGriffin" wrote:
| I Have tried for months and spent over $5000 on pc equipment. This
| MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARDDRIVE.
|
| I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THEFIRST BOOTUP...I
| SWEAR. THIS IS AN AMAZING VIRUS.
< snip >
This is bullsh!t and FUD !
There are NO viruses that can infect and live in a BIOS.
You are obviously re-infecting your computer.
You are also going to piss off people by posting in all caps. It shows laziness and in
Usenet space it is considered shouting. Not to mention all caps is more difficult to read.
Add to that your posting a HJT log. HJT logs are more than discouraged in Usenet News
Groups simply put -- don't post them in News Groups. There are Expert forums SPECIFICALLY
for HJT logs.
Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
Finally, Trojans are not viruses. They do not slef replicate.
I don't know if you are a Troll or what but, this post certainly comes off as a Troll-like
post !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
As soon as you reinstall Windows and format the existing hard drive , your
old data is gone
You must use only genuie and legal Microsoft products because only they
guarantee you
100% success with no problems . Install legal drivers only ! Install
reputable AV software as soon as you install Windows.
Update the AV . Use internet firewall . Download and apply all updates for
your Windows operating system.
Don't install stupid files/softwares that can pottentially be threat.
In your HJT log I see some things that are currently unknown for me but I
have no time to search in Google for them
you can do this to receive more info.
And again , what you say is absolutely wrong and impossible to happen !
Regards!
Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
http://www.eset.com
Please , rate posts