Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

-tt xxxx numbered search in Avant Browser

Started by SmartEgo , Mar 18 2008 10:58 AM

Please log in to reply

#1
SmartEgo

Posted 18 March 2008 - 10:58 AM

Member

Member
22 posts

Dear Geeks

My Computer at Univ. seem to be infected by a malware (maybe homepage hijacker)

The main annoyance after scanning it with Norton is the -tt and number search that pops up each time I write some address in the Avant Browser.
I cannot specify more symptoms but you may guess more from HJT log. I got National Instruments software running on it so I wish you may help me with this one so I won't format and reinstall all working software.

Thanks Geeks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:05 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Avant Browser\avant.exe
C:\MATLAB6p5\bin\win32\matlab.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antinetcut2] C:\Program Files\Anti Netcut\Anti NetCut.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm490YYEG
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Read with DeskBot - C:\Program Files\BellCraft.com\DeskBot\DeskBot.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: 553CB7CB - Unknown owner - C:\WINDOWS\system32\874A51B.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 14469 bytes

#2
Tigger93

Posted 23 March 2008 - 04:39 PM

Trusted Helper

Retired Staff
1,870 posts

Hello and Welcome to Geekstogo!

Sorry for the delay.

Open HijackThis and put a check next to these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O23 - Service: 553CB7CB - Unknown owner - C:\WINDOWS\system32\874A51B.EXE

Click Fix Checked and close HijackThis.

Open Notepad and copy and paste in the following:

sc stop "553CB7CB"
sc delete "553CB7CB"

del /q fix1.bat

Save it as fix1.bat to the desktop. Double-click on it and a black screen may quickly appear and disappear; this is normal.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\874A51B.EXE
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

#3
SmartEgo

Posted 26 March 2008 - 06:31 AM

Member

Topic Starter
Member
22 posts

dear Tigger93

here is the log you asked for:

C:\WINDOWS\system32\874A51B.EXE moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03262008_142631

However just now a new search page about -tt 2916 just opened while i clicked the reply button.
I did not reboot yet, but if this nag sustains i'll NOT repost. you may assume it still standing

Thanks for your help.

#4
Tigger93

Posted 26 March 2008 - 03:58 PM

Trusted Helper

Retired Staff
1,870 posts

I did not reboot yet, but if this nag sustains i'll NOT repost. you may assume it still standing

Sorry, I'm a bit confused here?

Can you please post a new HijackThis log please?

#5
SmartEgo

Posted 29 March 2008 - 04:35 AM

Member

Topic Starter
Member
22 posts

It seems there is no more -tt xxxx searches however I have to enter the user name and password twice to get to my account.

(another issue my friend's computer at the univ. has some wirdness can I post from his computer currently/later after I solve my computer issues, OR should h register himsewlf following some rule of yours?
Thanks very much for your help)

anyways your's the expert, here is what you asked for, HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:04 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antinetcut2] C:\Program Files\Anti Netcut\Anti NetCut.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm490YYEG
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Read with DeskBot - C:\Program Files\BellCraft.com\DeskBot\DeskBot.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 16119 bytes

#6
SmartEgo

Posted 29 March 2008 - 09:24 AM

Member

Topic Starter
Member
22 posts

sorry there is still -tt xxxx pages
sorry

#7
Tigger93

Posted 29 March 2008 - 04:53 PM

Trusted Helper

Retired Staff
1,870 posts

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#8
SmartEgo

Posted 31 March 2008 - 07:51 AM

Member

Topic Starter
Member
22 posts

ComboFix 08-03-30.3 - Administrator 2008-03-31 15:33:06.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.333 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\auto.exe
C:\Autorun.inf
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\sys_dll.dll
F:\auto.exe
F:\Autorun.inf
G:\auto.exe
G:\Autorun.inf
H:\auto.exe
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-28 19:46 . 2008-03-28 19:46 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-28 19:42 . 2008-03-28 19:43 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-26 14:26 . 2008-03-26 14:26 <DIR> d-------- C:\_OTMoveIt
2008-03-18 18:59 . 2008-03-18 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ieSpell
2008-03-18 18:58 . 2008-03-18 18:58 <DIR> d-------- C:\Program Files\ieSpell
2008-03-12 13:39 . 2008-03-12 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\IDM
2008-03-12 13:39 . 2008-03-12 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DMCache
2008-03-08 15:01 . 2008-03-08 15:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\FileOpen
2008-03-08 15:01 . 2008-03-08 15:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\AdobeUM
2008-03-08 13:48 . 2008-03-08 13:48 <DIR> dr-h----- C:\Documents and Settings\me\Application Data\yahoo!
2008-03-08 13:26 . 2008-03-08 13:26 <DIR> d-------- C:\Documents and Settings\me\Application Data\Avant Profiles
2008-03-08 13:25 . 2008-03-08 13:25 <DIR> d-------- C:\Documents and Settings\me\Phone Browser
2008-03-08 13:25 . 2008-03-08 13:25 <DIR> d-------- C:\Documents and Settings\me\Application Data\PC Suite
2008-03-08 13:23 . 2007-06-19 13:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\Share-to-Web Upload Folder
2008-03-05 10:21 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-05 10:21 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 10:21 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-04 21:43 . 2008-03-04 21:43 <DIR> d-------- C:\Program Files\UnH Solutions
2008-03-04 18:35 . 2008-03-04 18:35 286,720 --------- C:\WINDOWS\Setup1.exe
2008-03-04 18:35 . 2008-03-04 18:35 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-04 18:07 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-04 17:52 . 2008-03-04 19:01 7,302 --a------ C:\WINDOWS\system32\rrtnotify.wav
2008-02-25 12:30 . 2008-02-25 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AWR
2008-02-25 12:30 . 2008-02-25 12:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AWR
2008-02-25 12:30 . 2005-01-19 07:56 1,344,704 --a------ C:\WINDOWS\system32\SBE6_32.DLL
2008-02-25 12:30 . 2005-01-19 07:56 550,576 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-02-25 12:30 . 2005-01-19 07:56 330,794 --a------ C:\WINDOWS\system32\SBE6_000.HLP
2008-02-25 12:30 . 2005-01-19 07:56 6,575 --a------ C:\WINDOWS\system32\SBE6_000.CNT
2008-02-25 12:29 . 2008-02-25 12:29 <DIR> d-------- C:\Program Files\AWR
2008-02-24 13:13 . 2008-02-24 13:13 <DIR> d-------- C:\Program Files\Avant Browser
2008-02-24 13:13 . 2008-02-24 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2008-02-23 13:03 . 2008-02-23 13:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATTNaturalVoices
2008-02-23 13:02 . 2008-02-23 13:02 <DIR> d-------- C:\WINDOWS\speech
2008-02-23 13:02 . 2008-02-23 13:02 <DIR> d-------- C:\WINDOWS\lhsp
2008-02-23 13:00 . 2008-02-23 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BellCraft.com
2008-02-23 12:57 . 2008-02-23 12:57 <DIR> d-------- C:\Program Files\BellCraft.com
2008-02-23 12:57 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-02-23 12:47 . 2008-02-23 12:47 <DIR> d-------- C:\Program Files\ATTNaturalVoices
2008-02-20 16:04 . 2008-02-15 17:12 206,256 --a------ C:\WINDOWS\system32\idmmbc.dll
2008-02-15 12:11 . 2008-02-16 11:04 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-02-15 12:11 . 2008-02-16 11:04 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-02-11 13:25 . 2008-02-11 13:25 <DIR> d-------- C:\Program Files\FileOpen
2008-02-11 13:25 . 2008-02-11 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FileOpen
2008-02-11 13:25 . 2008-02-11 13:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileOpen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 08:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-04 08:11 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-04 08:11 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-04 08:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-02 07:38 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-09-16 14:20 3,808 ----a-w C:\Program Files\SETUP.LST
2006-09-16 14:20 1,880,140 ----a-w C:\Program Files\Anti NetCut.CAB
2005-10-13 07:55 88,761 ----a-w C:\WINDOWS\inf\pxiclean.exe
1998-06-17 22:00 140,800 ----a-w C:\Program Files\setup.exe
2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 12:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2003-05-01 07:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 10:45 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 16:53 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 12:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"VC9Player"="C:\Program Files\Virtual CD v9\System\VC9Play.exe" [2007-09-20 13:23 197904]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 11:49 263168]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 21:25 1003520]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 09:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"antinetcut2"="C:\Program Files\Anti Netcut\Anti NetCut.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-11 15:36:33 25214]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\bin\\NIExampleFinder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 21:12]
R0 PCIIMAQ;National Instruments IMAQ Driver;C:\WINDOWS\system32\drivers\PCIIMAQ.sys [2005-08-30 10:38]
R1 vdrv9000;vdrv9000;C:\WINDOWS\system32\DRIVERS\vdrv9000.sys [2007-08-20 14:34]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 10:00]
R2 gpib420;GPIB Analyzer;C:\WINDOWS\system32\drivers\gpib420.sys [2005-07-18 01:45]
R2 GpibPrtK;Gpib Port;C:\WINDOWS\system32\drivers\gpibprtk.sys [2005-07-18 01:25]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 08:58]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2005-10-03 22:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 09:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 09:29]
R2 nicanpk;nicanpk;C:\WINDOWS\system32\DRIVERS\nicanpk.dll [2005-10-14 06:02]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 10:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 21:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 10:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 07:27]
R2 nidwgk;nidwgk;C:\WINDOWS\system32\drivers\nidwgk.dll [2005-09-20 20:48]
R2 niembrtk;niembrtk;C:\WINDOWS\system32\drivers\niembrtk.sys [2004-07-08 10:24]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 00:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 11:32]
R2 nigplk;nigplk;C:\WINDOWS\system32\drivers\nigplk.dll [2005-09-20 18:17]
R2 nihsdrk;nihsdrk;C:\WINDOWS\system32\drivers\nihsdrk.dll [2005-09-20 20:45]
R2 niimaqk;niimaqk;C:\WINDOWS\system32\drivers\niimaqk.dll [2005-09-21 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 09:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 12:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 11:30]
R2 niRTProxy;niRTProxy;C:\WINDOWS\system32\RTProxy.exe C:\WINDOWS\system32\RTProxy.exe []
R2 nisldk;nisldk;C:\WINDOWS\system32\drivers\nisldk.dll [2005-09-20 20:32]
R2 nisrcdk;nisrcdk;C:\WINDOWS\system32\drivers\nisrcdk.dll [2005-09-20 20:04]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 09:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 01:08]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2005-10-11 15:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 00:06]
R2 VC9SecS;Virtual CD v9 Management Service;C:\Program Files\Virtual CD v9\System\vc9secs.exe [2007-09-19 15:29]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 11:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 20:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 21:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 12:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 12:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 20:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 16:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 12:07]
S3 HH9Help.sys;HH9Help.sys;C:\WINDOWS\system32\drivers\HH9Help.sys [2006-09-20 12:42]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 12:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 00:19]
S3 nimcdfxk;nimcdfxk;C:\WINDOWS\system32\drivers\nimcdfxk.dll [2005-09-14 10:45]
S3 nimcdlbk;nimcdlbk;C:\WINDOWS\system32\drivers\nimcdlbk.dll [2005-09-14 10:29]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 01:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 01:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 21:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 00:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 11:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 12:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 00:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 12:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 20:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 00:54]
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWK.sys [2005-10-12 17:13]
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciK.sys [2005-10-12 17:04]
S3 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2005-10-12 17:04]
S3 niwdk;niwdk;C:\WINDOWS\system32\drivers\niwdk.sys [2005-10-05 17:34]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 00:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 00:20]
S3 PORTMON;PORTMON;C:\DOCUME~1\user05\LOCALS~1\Temp\Rar$EX00.937\PORTMSYS.SYS []
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24505f4a-d6bf-11db-a603-00104bb0c20c}]
\Shell\AutoRun\command - K:\d6fagcs8.cmd
\Shell\explore\Command - K:\d6fagcs8.cmd
\Shell\open\Command - K:\d6fagcs8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61631e1e-a896-11dc-9a83-00104bb0c20c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83e29194-847a-11dc-9a3e-00104bb0c20c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba8f6b75-39cd-11dc-99c2-00104bb0c20c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb594348-f26d-11dc-9b18-00104bb0c20c}]
\Shell\AutoRun\command - ShuiNiu.exe
\Shell\Explore\Command - ShuiNiu.exe
\Shell\Open\Command - ShuiNiu.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 07:00:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
"2005-02-26 13:18:54 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 15:43:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
c:\matlab6p5\bin\win32\matlab.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-03-31 15:46:54 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-03-31 13:46:46
Pre-Run: 5,400,903,680 bytes free
Post-Run: 5,239,996,416 bytes free
.
2008-03-13 06:53:25 --- E O F ---

=======================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:24 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v9\System\vc9secs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antinetcut2] C:\Program Files\Anti Netcut\Anti NetCut.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm490YYEG
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Read with DeskBot - C:\Program Files\BellCraft.com\DeskBot\DeskBot.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\vc9secs.exe

--
End of file - 15333 bytes

#9
SmartEgo

Posted 31 March 2008 - 07:54 AM

Member

Topic Starter
Member
22 posts

I still have this annoying -tt thing
I hope you can solve it with further fixes

#10
Tigger93

Posted 01 April 2008 - 02:45 PM

Trusted Helper

Retired Staff
1,870 posts

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\rrtnotify.wav
C:\Program Files\setup.exe
K:\d6fagcs8.cmd
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\system32\blastclnnn.exe

Folder::
C:\_OTMoveIt

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#11
SmartEgo

Posted 06 April 2008 - 02:34 AM

Member

Topic Starter
Member
22 posts

here is the combfix log

ComboFix 08-04-04.1 - Administrator 2008-04-06 9:54:29.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: and Settings\Administrator\Desktop\ComboFix.exe C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-03-28 19:46 . 2008-03-28 19:46 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-28 19:42 . 2008-03-28 19:43 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-26 14:26 . 2008-03-26 14:26 <DIR> d-------- C:\_OTMoveIt
2008-03-18 18:59 . 2008-03-18 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ieSpell
2008-03-18 18:58 . 2008-03-18 18:58 <DIR> d-------- C:\Program Files\ieSpell
2008-03-12 13:39 . 2008-03-12 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\IDM
2008-03-12 13:39 . 2008-03-12 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DMCache
2008-03-08 15:01 . 2008-03-08 15:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\FileOpen
2008-03-08 15:01 . 2008-03-08 15:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\AdobeUM
2008-03-08 13:48 . 2008-03-08 13:48 <DIR> dr-h----- C:\Documents and Settings\me\Application Data\yahoo!
2008-03-08 13:26 . 2008-03-08 13:26 <DIR> d-------- C:\Documents and Settings\me\Application Data\Avant Profiles
2008-03-08 13:25 . 2008-03-08 13:25 <DIR> d-------- C:\Documents and Settings\me\Phone Browser
2008-03-08 13:25 . 2008-03-08 13:25 <DIR> d-------- C:\Documents and Settings\me\Application Data\PC Suite
2008-03-08 13:23 . 2007-06-19 13:01 <DIR> d-------- C:\Documents and Settings\me\Application Data\Share-to-Web Upload Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 19:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 19:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 19:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-04 19:43 --------- d-----w C:\Program Files\UnH Solutions
2008-03-04 16:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-04 16:35 286,720 ------w C:\WINDOWS\Setup1.exe
2008-03-04 16:07 --------- d-----w C:\Program Files\Trend Micro
2008-03-04 08:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-04 08:11 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-04 08:11 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-04 08:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-25 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AWR
2008-02-25 10:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AWR
2008-02-25 10:29 --------- d-----w C:\Program Files\AWR
2008-02-24 11:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2008-02-24 11:13 --------- d-----w C:\Program Files\Avant Browser
2008-02-23 11:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATTNaturalVoices
2008-02-23 11:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BellCraft.com
2008-02-23 10:57 --------- d-----w C:\Program Files\BellCraft.com
2008-02-23 10:47 --------- d-----w C:\Program Files\ATTNaturalVoices
2008-02-15 15:12 206,256 ----a-w C:\WINDOWS\system32\idmmbc.dll
2008-02-11 11:25 --------- d-----w C:\Program Files\FileOpen
2008-02-11 11:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2008-02-11 11:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileOpen
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2006-09-16 14:20 3,808 ----a-w C:\Program Files\SETUP.LST
2006-09-16 14:20 1,880,140 ----a-w C:\Program Files\Anti NetCut.CAB
2005-10-13 07:55 88,761 ----a-w C:\WINDOWS\inf\pxiclean.exe
1998-06-17 22:00 140,800 ----a-w C:\Program Files\setup.exe
2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 12:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2003-05-01 07:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_15.46.11.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 06:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 06:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 06:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 06:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2000-08-31 06:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 06:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 10:45 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 16:53 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 12:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 11:49 263168]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 21:25 1003520]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 09:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"antinetcut2"="C:\Program Files\Anti Netcut\Anti NetCut.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-11 15:36:33 25214]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\bin\\NIExampleFinder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 21:12]
R0 PCIIMAQ;National Instruments IMAQ Driver;C:\WINDOWS\system32\drivers\PCIIMAQ.sys [2005-08-30 10:38]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 10:00]
R2 gpib420;GPIB Analyzer;C:\WINDOWS\system32\drivers\gpib420.sys [2005-07-18 01:45]
R2 GpibPrtK;Gpib Port;C:\WINDOWS\system32\drivers\gpibprtk.sys [2005-07-18 01:25]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 08:58]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2005-10-03 22:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 09:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 09:29]
R2 nicanpk;nicanpk;C:\WINDOWS\system32\DRIVERS\nicanpk.dll [2005-10-14 06:02]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 10:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 21:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 10:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 07:27]
R2 nidwgk;nidwgk;C:\WINDOWS\system32\drivers\nidwgk.dll [2005-09-20 20:48]
R2 niembrtk;niembrtk;C:\WINDOWS\system32\drivers\niembrtk.sys [2004-07-08 10:24]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 00:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 11:32]
R2 nigplk;nigplk;C:\WINDOWS\system32\drivers\nigplk.dll [2005-09-20 18:17]
R2 nihsdrk;nihsdrk;C:\WINDOWS\system32\drivers\nihsdrk.dll [2005-09-20 20:45]
R2 niimaqk;niimaqk;C:\WINDOWS\system32\drivers\niimaqk.dll [2005-09-21 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 09:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 12:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 11:30]
R2 niRTProxy;niRTProxy;C:\WINDOWS\system32\RTProxy.exe C:\WINDOWS\system32\RTProxy.exe []
R2 nisldk;nisldk;C:\WINDOWS\system32\drivers\nisldk.dll [2005-09-20 20:32]
R2 nisrcdk;nisrcdk;C:\WINDOWS\system32\drivers\nisrcdk.dll [2005-09-20 20:04]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 09:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 01:08]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2005-10-11 15:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 00:06]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 11:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 20:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 21:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 12:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 12:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 20:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 16:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 12:07]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 12:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 00:19]
S3 nimcdfxk;nimcdfxk;C:\WINDOWS\system32\drivers\nimcdfxk.dll [2005-09-14 10:45]
S3 nimcdlbk;nimcdlbk;C:\WINDOWS\system32\drivers\nimcdlbk.dll [2005-09-14 10:29]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 01:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 01:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 21:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 00:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 11:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 12:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 00:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 12:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 20:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 00:54]
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWK.sys [2005-10-12 17:13]
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciK.sys [2005-10-12 17:04]
S3 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2005-10-12 17:04]
S3 niwdk;niwdk;C:\WINDOWS\system32\drivers\niwdk.sys [2005-10-05 17:34]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 00:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 00:20]
S3 PORTMON;PORTMON;C:\DOCUME~1\user05\LOCALS~1\Temp\Rar$EX00.937\PORTMSYS.SYS []
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61631e1e-a896-11dc-9a83-00104bb0c20c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83e29194-847a-11dc-9a3e-00104bb0c20c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba8f6b75-39cd-11dc-99c2-00104bb0c20c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb594348-f26d-11dc-9b18-00104bb0c20c}]
\Shell\AutoRun\command - ShuiNiu.exe
\Shell\Explore\Command - ShuiNiu.exe
\Shell\Open\Command - ShuiNiu.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 07:00:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
"2005-02-26 13:18:54 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 10:20:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\matlab6p5\bin\win32\matlab.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-06 10:23:40 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-04-06 08:23:30
ComboFix2.txt 2008-03-31 13:46:56
Pre-Run: 5,099,241,472 bytes free
Post-Run: 5,030,232,064 bytes free
.
2008-03-13 06:53:25 --- E O F ---

here isd the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:09 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antinetcut2] C:\Program Files\Anti Netcut\Anti NetCut.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm490YYEG
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Read with DeskBot - C:\Program Files\BellCraft.com\DeskBot\DeskBot.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 14815 bytes

#12
Tigger93

Posted 06 April 2008 - 08:03 AM

Trusted Helper

Retired Staff
1,870 posts

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\system32\blastclnnn.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Edited by Tigger93, 06 April 2008 - 08:04 AM.

#13
SmartEgo

Posted 07 April 2008 - 08:01 AM

Member

Topic Starter
Member
22 posts

I inocultaed my flash drive but I cannot guarantee all my friend's.
I'll try disinfictor on everyone I catch.
I uninstalled Avant Browser and I find no -tt xxxx no more yet,
Internet explorer always open this page instead of the home page:
"http://files/Interne...r/iexplore.exe"
Also on printing files esp. pdf and doc's I have to press the hp LJ1100 button every page I print.
These are the main annoyances. You think these are still related to some malware

Thanks alot Tigger93

This RemoveIt log

[Custom Input]
< C:\WINDOWS\Tasks\At1.job >
C:\WINDOWS\Tasks\At1.job moved successfully.
< C:\WINDOWS\system32\blastclnnn.exe >
File/Folder C:\WINDOWS\system32\blastclnnn.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04072008_154750

And HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:24 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\aromis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\Notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masrawy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antinetcut2] C:\Program Files\Anti Netcut\Anti NetCut.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm490YYEG
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Read with DeskBot - C:\Program Files\BellCraft.com\DeskBot\DeskBot.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 15001 bytes

#14
Tigger93

Posted 07 April 2008 - 03:38 PM

Trusted Helper

Retired Staff
1,870 posts

If you still have Combofix, please delete it.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

#15
SmartEgo

Posted 15 April 2008 - 06:10 AM

Member

Topic Starter
Member
22 posts

Dear Tigger93
Thanks for your effort in helping me
HERE is the CF log

ComboFix 08-04-11.8 - Administrator 2008-04-12 17:25:36.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.219 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTMGR
-------\Service_ccEvtMgr

((((((((((((((((((((((((( Files Created from 2005-09-28 to 2005-10-31 )))))))))))))))))))))))))))))))
.

2005-10-14 08:37 . 2005-10-14 08:37 118,916 --a------ C:\WINDOWS\system32\nidnt_s1.nfw
2005-10-14 06:18 . 2005-10-14 06:18 69 --a------ C:\WINDOWS\nicancfg.ini
2005-10-13 13:38 . 2005-10-13 13:38 1,074,984 --a------ C:\WINDOWS\system32\nids.dll
2005-10-13 10:24 . 2005-10-13 10:24 32,768 --a------ C:\WINDOWS\system32\nidaqcfg.exe
2005-10-13 10:24 . 2005-10-13 10:24 28,672 --a------ C:\WINDOWS\system32\nidqcfgc.dll
2005-10-13 10:24 . 2005-10-13 10:24 20,480 --a------ C:\WINDOWS\system32\nitpan32.exe
2005-10-13 10:18 . 2005-10-13 10:18 50,688 --a------ C:\WINDOWS\system32\drivers\nidmmk.dll
2005-10-13 10:17 . 2005-10-13 10:17 674,304 --a------ C:\WINDOWS\system32\drivers\nidaq32k.sys
2005-10-13 10:14 . 2005-10-13 10:14 88,576 --a------ C:\WINDOWS\system32\drivers\nipsbfw.sys
2005-10-13 10:14 . 2005-10-13 10:14 54,272 --a------ C:\WINDOWS\system32\drivers\nidaqusb.sys
2005-10-13 10:12 . 2005-10-13 10:12 102,400 --a------ C:\WINDOWS\system32\niddvctl.dll
2005-10-13 10:11 . 2005-10-13 10:11 151,552 --a------ C:\WINDOWS\system32\nidqsrvr.exe
2005-10-13 10:11 . 2005-10-13 10:11 8,704 --a------ C:\WINDOWS\system32\niidaqlv.dll
2005-10-13 10:10 . 2005-10-13 10:10 2,867,200 --a------ C:\WINDOWS\system32\niidaq32.dll
2005-10-13 09:58 . 2005-10-13 09:58 59,392 --a------ C:\WINDOWS\system32\cfswitch.dll
2005-10-13 09:55 . 2005-10-13 09:55 73,216 --a------ C:\WINDOWS\system32\CfgEng32.dll
2005-10-13 09:51 . 2005-10-13 09:51 700,416 --a------ C:\WINDOWS\system32\nidaqk.dll
2005-10-13 09:48 . 2005-10-13 09:48 57,344 --a------ C:\WINDOWS\system32\nivdaq32.exe
2005-10-13 09:48 . 2005-10-13 09:48 49,152 --a------ C:\WINDOWS\system32\nihdlc32.exe
2005-10-13 09:48 . 2005-10-13 09:48 18,944 --a------ C:\WINDOWS\system32\nicfqsvr.dll
2005-10-13 09:33 . 2005-10-13 09:33 5,081 --a------ C:\WINDOWS\system32\ni7030.dat
2005-10-13 09:30 . 2005-10-13 09:30 598,016 --a------ C:\WINDOWS\system32\NIScale.dll
2005-10-13 09:30 . 2005-10-13 09:30 122,880 --a------ C:\WINDOWS\system32\niSTCp.dll
2005-10-13 09:30 . 2005-10-13 09:30 111,616 --a------ C:\WINDOWS\system32\drivers\niSTCk.dll
2005-10-13 09:30 . 2005-10-13 09:30 53,248 --a------ C:\WINDOWS\system32\nimdsu.dll
2005-10-13 09:30 . 2005-10-13 09:30 45,056 --a------ C:\WINDOWS\system32\nimdsP.dll
2005-10-13 09:30 . 2005-10-13 09:30 30,208 --a------ C:\WINDOWS\system32\drivers\nimdsk.dll
2005-10-13 09:30 . 2005-10-13 09:30 28,672 --a------ C:\WINDOWS\system32\niSTCu.dll
2005-10-13 09:30 . 2005-10-13 09:30 15,360 --a------ C:\WINDOWS\system32\nimxprxu.dll
2005-10-13 09:29 . 2005-10-13 09:29 40,960 --a------ C:\WINDOWS\system32\nibffru.dll
2005-10-13 09:29 . 2005-10-13 09:29 37,376 --a------ C:\WINDOWS\system32\drivers\niarbk.dll
2005-10-13 09:29 . 2005-10-13 09:29 32,768 --a------ C:\WINDOWS\system32\nibffrp.dll
2005-10-13 09:29 . 2005-10-13 09:29 21,504 --a------ C:\WINDOWS\system32\drivers\nibffrk.dll
2005-10-13 09:28 . 2005-10-13 09:28 4,540,740 --a------ C:\WINDOWS\nihwdb.psm
2005-10-13 09:28 . 2005-10-13 09:28 28,672 --a------ C:\WINDOWS\system32\NIAutoConfig.exe
2005-10-13 09:28 . 2005-10-13 09:28 28,672 --a------ C:\WINDOWS\system32\NIAutoCfgRda.exe
2005-10-13 07:27 . 2005-10-13 07:27 166,912 --a------ C:\WINDOWS\system32\drivers\nidmxfk.dll
2005-10-12 17:13 . 2005-10-12 17:13 8,704 --a------ C:\WINDOWS\system32\drivers\NiViFWK.sys
2005-10-12 17:07 . 2005-10-12 17:07 38,912 --a------ C:\WINDOWS\system32\drivers\NiViUsbK.sys
2005-10-12 17:07 . 2005-10-12 17:07 38,400 --a------ C:\WINDOWS\system32\drivers\NiUsbTmc.sys
2005-10-12 17:04 . 2005-10-12 17:04 37,376 --a------ C:\WINDOWS\system32\drivers\NiViPciK.sys
2005-10-12 17:04 . 2005-10-12 17:04 10,752 --a------ C:\WINDOWS\system32\drivers\NiViPxiK.sys
2005-10-12 16:59 . 2005-10-12 16:59 160,768 --a------ C:\WINDOWS\system32\visa32.dll
2005-10-12 16:59 . 2005-10-12 16:59 56,320 --a------ C:\WINDOWS\system32\NiViSv32.dll
2005-10-12 13:39 . 2005-10-12 13:39 40,960 --a-s---- C:\WINDOWS\system32\NiSpyLog.dll
2005-10-12 12:21 . 2005-10-12 12:21 73,728 --a------ C:\WINDOWS\system32\iviconfig.dll
2005-10-12 12:21 . 2005-10-12 12:21 73,216 --a------ C:\WINDOWS\system32\IviConfig_CalExec.dll
2005-10-12 12:21 . 2005-10-12 12:21 37,888 --a------ C:\WINDOWS\system32\iviconfig_lv.dll
2005-10-12 12:21 . 2005-10-12 12:21 35,840 --a------ C:\WINDOWS\system32\iviconfig_visa.dll
2005-10-12 12:19 . 2005-10-12 12:19 238,592 --a------ C:\WINDOWS\system32\Ivi.dll
2005-10-12 12:14 . 2005-10-12 12:14 68,608 --a------ C:\WINDOWS\system32\ivi_support_c.dll
2005-10-12 12:14 . 2005-10-12 12:14 5,632 --a------ C:\WINDOWS\system32\ivi_support_cs.dll
2005-10-12 12:12 . 2005-10-12 12:12 42,496 --a------ C:\WINDOWS\system32\ivi_support_f.dll
2005-10-11 15:00 . 2005-10-11 15:00 286,720 --a------ C:\WINDOWS\system32\ninetbrw.ocx
2005-10-11 00:16 . 2005-10-11 00:16 523,264 --a------ C:\WINDOWS\system32\niScopeDMF2u.dll
2005-10-11 00:16 . 2005-10-11 00:16 410,624 --a------ C:\WINDOWS\system32\niScopeDAQ2u.dll
2005-10-11 00:07 . 2005-10-11 00:07 552,960 --a------ C:\WINDOWS\system32\ni407xCalAnlys.dll
2005-10-11 00:04 . 2005-10-11 00:04 97,792 --a------ C:\WINDOWS\system32\nihwsu.dll
2005-10-10 20:07 . 2005-10-10 20:07 820,224 --a------ C:\WINDOWS\system32\nitioxu.dll
2005-10-10 20:07 . 2005-10-10 20:07 247,296 --a------ C:\WINDOWS\system32\nistcxu.dll
2005-10-10 20:07 . 2005-10-10 20:07 172,544 --a------ C:\WINDOWS\system32\nitioru.dll
2005-10-10 20:07 . 2005-10-10 20:07 110,080 --a------ C:\WINDOWS\system32\drivers\nistcrk.dll
2005-10-10 20:07 . 2005-10-10 20:07 31,232 --a------ C:\WINDOWS\system32\nistcru.dll
2005-10-10 20:02 . 2005-10-10 20:02 216,064 --a------ C:\WINDOWS\system32\nidmfpan.exe
2005-10-10 20:02 . 2005-10-10 20:02 139,776 --a------ C:\WINDOWS\system32\nimmgluu.dll
2005-10-10 20:02 . 2005-10-10 20:02 7,680 --a------ C:\WINDOWS\system32\niviobsu.dll
2005-10-10 20:01 . 2005-10-10 20:01 555 --a------ C:\WINDOWS\system32\nidmfpan.exe.manifest
2005-10-08 01:08 . 2005-10-08 01:08 598,528 --a------ C:\WINDOWS\system32\niswdu.dll
2005-10-08 01:08 . 2005-10-08 01:08 476,160 --a------ C:\WINDOWS\system32\drivers\niswdk.dll
2005-10-08 01:08 . 2005-10-08 01:08 238,080 --a------ C:\WINDOWS\system32\nisweu.dll
2005-10-08 01:03 . 2005-10-08 01:03 708,608 --a------ C:\WINDOWS\system32\nisceu.dll
2005-10-08 01:03 . 2005-10-08 01:03 393,216 --a------ C:\WINDOWS\system32\niscdu.dll
2005-10-08 01:03 . 2005-10-08 01:03 40,960 --a------ C:\WINDOWS\system32\nispdu.dll
2005-10-08 01:00 . 2005-10-08 01:00 148,480 --a------ C:\WINDOWS\system32\nicdxu.dll
2005-10-08 01:00 . 2005-10-08 01:00 133,120 --a------ C:\WINDOWS\system32\nicdru.dll
2005-10-08 00:22 . 2005-10-08 00:22 326,144 --a------ C:\WINDOWS\system32\nisftu.dll
2005-10-07 00:54 . 2005-10-07 00:54 692,736 --a------ C:\WINDOWS\system32\drivers\nitiork.dll
2005-10-07 00:20 . 2005-10-07 00:20 1,058,304 --a------ C:\WINDOWS\system32\drivers\nissrk.dll
2005-10-07 00:20 . 2005-10-07 00:20 926,720 --a------ C:\WINDOWS\system32\drivers\nixsrk.dll
2005-10-07 00:20 . 2005-10-07 00:20 422,400 --a------ C:\WINDOWS\system32\drivers\niwfrk.dll
2005-10-07 00:19 . 2005-10-07 00:19 489,984 --a------ C:\WINDOWS\system32\drivers\niesrk.dll
2005-10-07 00:19 . 2005-10-07 00:19 346,624 --a------ C:\WINDOWS\system32\drivers\niemrk.dll
2005-10-07 00:06 . 2005-10-07 00:06 233,472 --a------ C:\WINDOWS\system32\drivers\nisdigk.dll
2005-10-07 00:06 . 2005-10-07 00:06 163,963 --a------ C:\WINDOWS\system32\drivers\usb9162k.sys
2005-10-07 00:06 . 2005-10-07 00:06 19,968 --a------ C:\WINDOWS\system32\drivers\usb6xxxk.dll
2005-10-07 00:06 . 2005-10-07 00:06 10,665 --a------ C:\WINDOWS\system32\drivers\NIUSB717A0200.bin
2005-10-07 00:06 . 2005-10-07 00:06 10,664 --a------ C:\WINDOWS\system32\drivers\NIUSB717B0200.bin
2005-10-07 00:06 . 2005-10-07 00:06 9,381 --a------ C:\WINDOWS\system32\drivers\NIUSB717B0100.bin
2005-10-07 00:06 . 2005-10-07 00:06 9,146 --a------ C:\WINDOWS\system32\drivers\NIUSB717A0100.bin
2005-10-07 00:06 . 2005-10-07 00:06 8,091 --a------ C:\WINDOWS\system32\drivers\NIUSB718A0100.bin
2005-10-07 00:06 . 2005-10-07 00:06 7,310 --a------ C:\WINDOWS\system32\drivers\NIUSB718A0200.bin
2005-10-06 18:11 . 2005-10-06 18:11 24,705 --a------ C:\WINDOWS\system32\nimcdbu.dll
2005-10-06 18:09 . 2005-10-06 18:09 43,141 --a------ C:\WINDOWS\system32\nimcrpcsu.dll
2005-10-06 17:59 . 2005-10-06 17:59 169,092 --a------ C:\WINDOWS\system32\NIMCInit.dll
2005-10-06 16:23 . 2005-10-06 16:23 72,192 --a------ C:\WINDOWS\system32\niorbu.dll
2005-10-06 16:22 . 2005-10-06 16:22 38,912 --a------ C:\WINDOWS\system32\drivers\niorbk.dll
2005-10-06 12:32 . 2005-10-06 12:32 18,944 --a------ C:\WINDOWS\system32\nimxpu.dll
2005-10-06 12:31 . 2005-10-06 12:31 19,456 --a------ C:\WINDOWS\system32\drivers\nimxpk.dll
2005-10-06 12:27 . 2005-10-06 12:27 494,776 --a------ C:\WINDOWS\system32\nidaqmx.tlb
2005-10-06 12:25 . 2005-10-06 12:25 51,200 --a------ C:\WINDOWS\system32\drivers\nimstsk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 17:46 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-28 17:43 --------- d-----w C:\Program Files\CA Yahoo! Anti-Spy
2008-03-18 16:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ieSpell
2008-03-18 16:58 --------- d-----w C:\Program Files\ieSpell
2008-03-12 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IDM
2008-03-12 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DMCache
2008-03-08 13:01 --------- d-----w C:\Documents and Settings\me\Application Data\FileOpen
2008-03-08 13:01 --------- d-----w C:\Documents and Settings\me\Application Data\AdobeUM
2008-03-08 11:48 --------- d--h--r C:\Documents and Settings\me\Application Data\yahoo!
2008-03-08 11:26 --------- d-----w C:\Documents and Settings\me\Application Data\Avant Profiles
2008-03-08 11:25 --------- d-----w C:\Documents and Settings\me\Application Data\PC Suite
2008-03-06 19:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 19:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 19:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-04 19:43 --------- d-----w C:\Program Files\UnH Solutions
2008-03-04 16:07 --------- d-----w C:\Program Files\Trend Micro
2008-03-04 08:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-04 08:11 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-04 08:11 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-25 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AWR
2008-02-25 10:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AWR
2008-02-25 10:29 --------- d-----w C:\Program Files\AWR
2008-02-24 11:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2008-02-24 11:13 --------- d-----w C:\Program Files\Avant Browser
2008-02-23 11:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATTNaturalVoices
2008-02-23 11:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BellCraft.com
2008-02-23 10:57 --------- d-----w C:\Program Files\BellCraft.com
2008-02-23 10:47 --------- d-----w C:\Program Files\ATTNaturalVoices
2008-02-11 11:25 --------- d-----w C:\Program Files\FileOpen
2008-02-11 11:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2008-02-11 11:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileOpen
2007-12-28 11:15 --------- d-----w C:\Program Files\Kaspersky Lab
2007-12-28 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-27 18:11 --------- d-----w C:\Program Files\kav
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-09 12:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2007-12-02 07:33 --------- d-----w C:\Program Files\Athan
2007-12-01 09:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-12-01 07:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-30 21:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 21:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 21:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 21:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 21:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 21:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 21:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 21:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 21:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 14:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-30 13:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MathWorks
2007-11-29 18:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2007-11-20 10:56 --------- d-----w C:\Program Files\Nokia
2007-11-20 10:56 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-11-20 10:56 --------- d-----w C:\Program Files\Common Files\Nokia
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 06:49 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-07 15:20 --------- d-----w C:\Program Files\Common Files\National Instruments Shared
2007-11-07 15:18 --------- d-----w C:\Program Files\cameralink
2007-11-07 15:01 --------- d-----w C:\Program Files\IVI
2007-11-07 14:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS
2007-11-03 10:02 --------- d-----w C:\Program Files\DNA
2007-10-30 17:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 17:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 17:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 17:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 17:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 17:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 17:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 17:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 17:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-09-05 11:34 --------- d-----w C:\Program Files\ZD Soft
2007-08-28 08:15 --------- d-----w C:\Program Files\Skype
2007-08-28 08:15 --------- d-----w C:\Program Files\Common Files\Skype
2007-08-28 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-08-20 09:32 --------- d-----w C:\Program Files\Java
2007-08-20 09:28 --------- d-----w C:\Program Files\Common Files\Java
2007-07-06 10:05 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2007-07-05 16:34 --------- d-----w C:\Program Files\D-Link
2007-06-30 10:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-19 11:01 --------- d-----w C:\Documents and Settings\me\Application Data\Share-to-Web Upload Folder
2007-06-19 11:01 --------- d-----w C:\Documents and Settings\LogMeInRemoteUser\Application Data\Share-to-Web Upload Folder
2007-06-19 11:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-06-18 11:02 --------- d-----w C:\Program Files\Internet Download Manager
2007-06-18 10:35 --------- d-----w C:\Program Files\Common Files\Bcgsoft
2007-06-18 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\National Instruments
2007-06-18 10:22 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-13 07:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-05-10 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-05-10 12:47 --------- d-----w C:\Program Files\TechSmith
2007-05-10 12:36 --------- d-----w C:\Program Files\Google
2007-05-10 12:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-05-10 10:45 --------- d-----w C:\Program Files\Yahoo!
2007-05-02 15:40 --------- d-----w C:\Program Files\MSECache
2007-04-23 11:32 364,160 ----a-w C:\WINDOWS\system32\drivers\update.sys
2007-04-10 10:13 --------- d-----w C:\Program Files\ZEMAX
2007-04-04 13:29 --------- d-----w C:\Program Files\PIC Simulator IDE
2007-04-03 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-03-18 08:55 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\MathWorks
2007-03-17 07:57 --------- d-----w C:\Program Files\National Instruments
2006-01-23 08:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 12:40 132,848 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2003-05-01 07:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2004-03-15 15:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_15.46.11.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:28 1,845,888 ------w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ------w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:23:00 716,000 ------w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 05:19:36 147,968 ------w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ------w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ------w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:23:00 716,000 ------w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-03-01 13:03:00 124,928 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\advpack.dll
+ 2008-03-01 13:03:00 347,136 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\dxtmsft.dll
+ 2008-03-01 13:03:00 214,528 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\dxtrans.dll
+ 2008-03-01 13:03:00 132,608 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\extmgr.dll
+ 2008-03-01 13:03:00 63,488 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\icardie.dll
+ 2008-02-22 09:39:56 70,656 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ie4uinit.exe
+ 2008-03-01 13:03:00 153,088 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieakeng.dll
+ 2008-03-01 13:03:00 230,400 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieaksie.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieapfltr.dat
+ 2008-03-01 13:03:00 383,488 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieapfltr.dll
+ 2008-03-01 13:03:00 388,608 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iedkcs32.dll
+ 2008-03-01 13:03:02 6,067,712 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieframe.dll
+ 2008-03-01 13:03:02 44,544 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iernonce.dll
+ 2008-03-01 13:03:02 267,776 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iertutil.dll
+ 2008-02-22 09:39:56 13,824 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ieudinit.exe
+ 2008-02-22 09:40:22 625,664 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
+ 2008-03-01 13:03:02 27,648 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\jsproxy.dll
+ 2008-03-01 13:03:02 459,264 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msfeeds.dll
+ 2008-03-01 13:03:02 52,224 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msfeedsbs.dll
+ 2008-03-01 13:03:02 3,593,216 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
+ 2008-03-01 13:03:02 478,208 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mshtmled.dll
+ 2008-03-01 13:03:02 193,024 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\msrating.dll
+ 2008-03-01 13:03:02 671,232 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mstime.dll
+ 2008-03-01 13:03:02 102,912 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\occache.dll
+ 2008-03-01 13:03:02 44,544 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\pngfilt.dll
+ 2008-03-01 13:03:02 105,984 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\url.dll
+ 2008-03-01 13:03:02 1,162,752 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\urlmon.dll
+ 2008-03-01 13:03:02 233,472 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\webcheck.dll
+ 2008-03-01 13:03:02 827,392 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:34 14,048 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\spmsg.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\spuninst.exe
+ 2007-03-06 01:22:32 22,752 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$hf_mig$\KB947864-IE7\update\updspapi.dll
+ 2008-02-20 06:52:44 282,624 ------w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ------w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:23:00 716,000 ------w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
+ 2007-03-06 01:22:34 14,048 ------w C:\WINDOWS\$hf_mig$\KB948881\spmsg.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\$hf_mig$\KB948881\spuninst.exe
+ 2007-03-06 01:22:32 22,752 ------w C:\WINDOWS\$hf_mig$\KB948881\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ------w C:\WINDOWS\$hf_mig$\KB948881\update\update.exe
+ 2007-03-06 01:23:48 371,424 ------w C:\WINDOWS\$hf_mig$\KB948881\update\updspapi.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$NtUninstallKB941693$\spuninst\updspapi.dll
+ 2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\$NtUninstallKB941693$\win32k.sys
+ 2006-06-26 17:37:10 148,480 ------w C:\WINDOWS\$NtUninstallKB945553$\dnsapi.dll
+ 2004-08-03 20:56:44 45,568 ------w C:\WINDOWS\$NtUninstallKB945553$\dnsrslvr.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$NtUninstallKB945553$\spuninst\updspapi.dll
+ 2007-06-19 14:31:20 282,112 ------w C:\WINDOWS\$NtUninstallKB948590$\gdi32.dll
+ 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\$NtUninstallKB948590$\spuninst\updspapi.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe
+ 2007-03-06 01:23:48 371,424 ------w C:\WINDOWS\$NtUninstallKB948881$\spuninst\updspapi.dll
- 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 06:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 06:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2007-12-07 02:21:46 124,928 ------w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 ------w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:46 214,528 ------w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:46 133,120 ------w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:46 63,488 ------w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:58 70,656 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:46 153,088 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:46 230,400 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:52 161,792 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:46 383,488 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:46 384,512 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:26 625,664 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:48 27,648 ------w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:48 459,264 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:48 52,224 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:48 478,208 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 ------w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 ------w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 ------w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 ------w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 ------w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 ------w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
+ 2000-08-31 06:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 06:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 06:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
- 2007-12-07 02:21:46 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:46 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-03 20:56:44 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:44 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:46 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:22 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:46 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 14:31:20 282,112 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:06 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:46 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:46 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:46 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:52 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:46 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:46 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:52 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:26 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:48 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:48 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:48 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 16:36:30 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:48 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:32 826,368 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-03 20:56:44 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:44 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:46 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:22 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:46 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2007-09-29 06:31:04 321,928 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-10 07:23:38 321,928 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 14:31:20 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:06 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 02:21:46 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:22 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:46 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:46 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:52 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:46 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:46 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:26 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:52 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:48 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 02:21:48 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:48 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 16:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:48 478,208 ------w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-01-28 07:52:30 357,888 --sh--w C:\WINDOWS\system32\ShuiNiu.exe
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:32 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2000-08-31 06:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 06:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 10:45 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 16:53 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 12:09 46592 C:\WINDOWS\SOUNDMAN.EXE]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 04:10 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 11:49 263168]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 21:25 1003520]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 09:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"antinetcut2"="C:\Program Files\Anti Netcut\Anti NetCut.exe" [ ]
"DsNiu"="C:\WINDOWS\system32\ShuiNiu.exe" [2008-01-28 09:52 357888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-11 15:36:33 25214]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\bin\\NIExampleFinder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 21:12]
R0 PCIIMAQ;National Instruments IMAQ Driver;C:\WINDOWS\system32\drivers\PCIIMAQ.sys [2005-08-30 10:38]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 10:00]
R2 gpib420;GPIB Analyzer;C:\WINDOWS\system32\drivers\gpib420.sys [2005-07-18 01:45]
R2 GpibPrtK;Gpib Port;C:\WINDOWS\system32\drivers\gpibprtk.sys [2005-07-18 01:25]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 08:58]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2005-10-03 22:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 09:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 09:29]
R2 nicanpk;nicanpk;C:\WINDOWS\system32\DRIVERS\nicanpk.dll [2005-10-14 06:02]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 10:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 21:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 10:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 07:27]
R2 nidwgk;nidwgk;C:\WINDOWS\system32\drivers\nidwgk.dll [2005-09-20 20:48]
R2 niembrtk;niembrtk;C:\WINDOWS\system32\drivers\niembrtk.sys [2004-07-08 10:24]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 00:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 11:32]
R2 nigplk;nigplk;C:\WINDOWS\system32\drivers\nigplk.dll [2005-09-20 18:17]
R2 nihsdrk;nihsdrk;C:\WINDOWS\system32\drivers\nihsdrk.dll [2005-09-20 20:45]
R2 niimaqk;niimaqk;C:\WINDOWS\system32\drivers\niimaqk.dll [2005-09-21 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 09:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 12:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 11:30]
R2 niRTProxy;niRTProxy;C:\WINDOWS\system32\RTProxy.exe C:\WINDOWS\system32\RTProxy.exe []
R2 nisldk;nisldk;C:\WINDOWS\system32\drivers\nisldk.dll [2005-09-20 20:32]
R2 nisrcdk;nisrcdk;C:\WINDOWS\system32\drivers\nisrcdk.dll [2005-09-20 20:04]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 09:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 01:08]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2005-10-11 15:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 00:06]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 11:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 20:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 21:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 12:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 12:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 20:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 16:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 12:07]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 12:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 00:19]
S3 nimcdfxk;nimcdfxk;C:\WINDOWS\system32\drivers\nimcdfxk.dll [2005-09-14 10:45]
S3 nimcdlbk;nimcdlbk;C:\WINDOWS\system32\drivers\nimcdlbk.dll [2005-09-14 10:29]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 01:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 01:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 21:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 00:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 11:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 12:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 00:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 12:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 20:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 00:54]
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWK.sys [2005-10-12 17:13]
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciK.sys [2005-10-12 17:04]
S3 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2005-10-12 17:04]
S3 niwdk;niwdk;C:\WINDOWS\system32\drivers\niwdk.sys [2005-10-05 17:34]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 00:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 00:20]
S3 PORTMON;PORTMON;C:\DOCUME~1\user05\LOCALS~1\Temp\Rar$EX00.937\PORTMSYS.SYS []
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bec3367-dc4a-11db-a60a-00104bb0c20c}]
\Shell\AutoRun\command - I:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{116c5b46-7d53-11dc-9a30-00104bb0c20c}]
\Shell\AutoRun\command - I:\ShuiNiu.exe
\Shell\Explore\Command - I:\ShuiNiu.exe
\Shell\Open\Command - I:\ShuiNiu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61631e1e-a896-11dc-9a83-00104bb0c20c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83e29194-847a-11dc-9a3e-00104bb0c20c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb594348-f26d-11dc-9b18-00104bb0c20c}]
\Shell\AutoRun\command - ShuiNiu.exe
\Shell\Explore\Command - ShuiNiu.exe
\Shell\Open\Command - ShuiNiu.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2005-10-31 14:03:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSVCHST.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\APPCORE\APPSVC32.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSVCHST.EXE
C:\WINDOWS\SYSTEM32\LKCITDL.EXE
C:\WINDOWS\SYSTEM32\LKADS.EXE
C:\WINDOWS\SYSTEM32\LKTSRV.EXE
C:\MATLAB6P5\WEBSERVER\BIN\WIN32\MATLABSERVER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\MATLAB6P5\BIN\WIN32\MATLAB.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\SECURITY\NIDMSRV.EXE
C:\PROGRAM FILES\COMMON FILES\PCSUITE\SERVICES\SERVIC~1.EXE
C:\WINDOWS\SYSTEM32\NISVCLOC.EXE
C:\WINDOWS\SYSTEM32\NIPALSM.EXE
C:\WINDOWS\