Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please help, HijackThis txt file inside.... [RESOLVED]

Started by psswrd , Jan 19 2008 08:06 AM

This topic is locked

#1
psswrd

Posted 19 January 2008 - 08:06 AM

Member

Member
22 posts

i recently got some pref.exe; routing.exe, ndt2.sys. I managed to clean them out. then I got them again- a day later, clean it again. and today i got them again. can you check if i clean them all out??

How and where am I getting them from? I do use Azureus Vuze.. is it from them? not the stuff I am downloading, i am refering to the Vuze apps that part of Azureus.

let me know if i am ok now.

thanks,'
john

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:59 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198560061000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198560057218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B88F3DC-CEC5-40D9-84C6-E4E9D42136E9}: NameServer = 167.206.3.182,167.206.3.183
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9323 bytes

#2
miekiemoes

Posted 19 January 2008 - 10:01 AM

Malware Expert

Member
5,503 posts

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3
psswrd

Posted 19 January 2008 - 01:24 PM

Member

Topic Starter
Member
22 posts

oops. see the next post.

Edited by psswrd, 19 January 2008 - 01:50 PM.

#4
psswrd

Posted 19 January 2008 - 01:38 PM

Member

Topic Starter
Member
22 posts

Thanks.. here's the comboFix

ComboFix 08-01-18.5 - johnlo 2008-01-19 14:15:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1415 [GMT -5:00]
Running from: C:\Documents and Settings\johnlo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\internet explorer\keygen.exe
C:\Program Files\internet explorer\svchost.exe
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 14:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 00:01 . 2008-01-19 00:01 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:40 . 2008-01-19 07:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 20:40 . 2008-01-16 20:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 20:05 . 2008-01-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 17:25 . 2008-01-16 17:25 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-16 00:14 . 2008-01-16 00:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 22:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 21:26 . 2008-01-14 22:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 21:26 . 2008-01-14 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 21:26 . 2008-01-14 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 21:26 . 2008-01-14 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 20:53 . 2008-01-16 00:14 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\SUPERAntiSpyware.com
2008-01-14 20:53 . 2008-01-14 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 09:25 . 2008-01-13 09:26 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Photodex
2008-01-12 08:15 . 2008-01-12 08:15 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Snapfish
2008-01-12 08:15 . 2008-01-12 08:15 1,157 --a------ C:\WINDOWS\mozver.dat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-06 10:51 . 2008-01-06 10:54 <DIR> d-------- C:\Documents and Settings\johnlo\.roescache
2008-01-06 10:51 . 2008-01-06 20:16 <DIR> d-------- C:\Documents and Settings\johnlo\.Mpix
2007-12-29 17:47 . 2007-12-29 20:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\AdobeUM
2007-12-29 16:36 . 2008-01-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 16:33 . 2007-12-29 16:33 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\GlobalSCAPE
2007-12-29 16:07 . 2007-12-29 16:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Media Player Classic
2007-12-29 15:15 . 2007-06-07 14:11 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-12-29 15:13 . 2007-01-01 00:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-12-29 15:13 . 2007-06-17 20:21 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 15:13 . 2007-06-17 20:21 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-29 15:08 . 2007-12-29 15:08 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\DivX
2007-12-29 15:08 . 2008-01-17 23:05 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 15:07 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-29 15:07 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-29 15:07 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CyberLink
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-29 14:54 . 2007-12-29 14:56 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-29 11:48 . 2007-12-29 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-29 11:42 . 2008-01-14 22:09 <DIR> d-------- C:\Program Files\Bonjour
2007-12-29 11:31 . 2007-12-29 11:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-29 11:16 . 2007-12-29 11:16 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Nero
2007-12-29 11:14 . 2007-12-29 11:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 11:09 . 2007-12-29 11:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
2007-12-27 23:34 . 2007-12-27 23:34 <DIR> d-------- C:\WINDOWS\Sun
2007-12-27 23:11 . 2007-12-27 23:11 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\ImgBurn
2007-12-27 22:42 . 2007-12-27 22:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CCleanup
2007-12-26 23:04 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-25 17:07 . 2007-12-25 17:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\iSilo
2007-12-25 16:55 . 2007-12-25 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 16:54 . 2007-12-25 16:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 16:53 . 2007-12-29 11:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 16:24 . 2007-12-25 16:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-12-25 13:16 . 2007-12-25 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 12:57 . 2007-12-25 13:00 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 12:57 . 2007-12-25 13:00 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 12:48 . 2007-12-25 13:00 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-25 12:48 . 2007-12-25 13:00 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-25 12:47 . 2007-12-25 13:00 <DIR> d-------- C:\Program Files\Symantec
2007-12-25 12:47 . 2008-01-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-25 12:47 . 2008-01-19 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 12:28 . 2007-12-25 12:28 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%
2007-12-25 12:16 . 2007-12-28 17:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-25 12:16 . 2007-12-25 12:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-25 12:08 . 2007-12-25 12:08 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-12-25 12:07 . 2007-12-25 12:07 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-25 12:07 . 2007-12-25 12:07 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-12-25 12:06 . 2007-12-25 12:06 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-25 12:03 . 2007-12-25 12:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-25 11:16 . 2007-12-25 12:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-25 09:59 . 2008-01-17 23:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Azureus
2007-12-25 09:59 . 2007-12-25 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-25 01:43 . 2007-12-25 01:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-25 01:37 . 2007-12-25 01:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-25 01:35 . 2007-12-25 11:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-25 01:35 . 2007-12-25 01:35 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-25 01:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-25 01:32 . 2006-03-20 22:23 23,040 --------- C:\WINDOWS\kb913800.exe
2007-12-25 01:20 . 2006-01-10 19:48 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-12-25 01:20 . 2006-01-10 19:48 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-12-25 01:17 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-25 01:17 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-25 01:17 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-25 01:13 . 2007-12-25 01:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-25 00:46 . 2007-12-26 23:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Apple Computer
2007-12-25 00:45 . 2008-01-16 22:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 00:45 . 2007-12-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 00:44 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Java
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 00:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\AIM6
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 02:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-29 22:50 73,728 ----a-w C:\WINDOWS\system32\RBRegEx350.dll
2007-12-29 22:50 67,072 ----a-w C:\WINDOWS\system32\LP0310.dll
2007-12-29 22:50 61,952 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-12-29 22:50 41,472 ----a-w C:\WINDOWS\system32\MBSPlugin.DLL
2007-12-29 22:50 40,960 ----a-w C:\WINDOWS\system32\RBShell400.dll
2007-12-29 22:50 37,888 ----a-w C:\WINDOWS\system32\MBSRegistryPlugin.DLL
2007-12-29 22:50 35,328 ----a-w C:\WINDOWS\system32\MBSFolderPlugin.DLL
2007-12-29 22:50 31,744 ----a-w C:\WINDOWS\system32\MBSMacTTPlugin.DLL
2007-12-29 22:50 29,184 ----a-w C:\WINDOWS\system32\LP0301Gestalt.dll
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\MBSRegPlugin.DLL
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\LP0301ResFork.dll
2007-12-29 22:50 27,648 ----a-w C:\WINDOWS\system32\LP0301LinkFile.dll
2007-12-29 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 06:29 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-12-25 04:50 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-12-25 04:47 --------- d-----w C:\Program Files\DIFX
2007-12-25 04:37 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-25 04:31 --------- d-----w C:\Program Files\Windows Plus
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-04 07:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 07:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 07:08 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-04 07:08 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 07:08 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 07:08 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-21 22:31 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 22:31 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-25 12:03 84640]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-12-25 12:07 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 19:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 12:06 62760 d:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2005-03-28 03:45 53248 D:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
--a------ 2007-11-03 11:11 1421312 D:\muBlinder\muBlinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 09:35 72736 d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 04:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 11:10:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - johnlo.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:16:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:16:46
ComboFix-quarantined-files.txt 2008-01-19 19:16:44

After I did the above, I didnt realized I didnt have THE RECOVERY CONSOLE install, so i did that and this is my result after that... hope i didnt do anything wrong. and after the combofix, its the hijackit log.

thanks

ComboFix 08-01-18.5 - johnlo 2008-01-19 14:34:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1608 [GMT -5:00]
Running from: C:\Documents and Settings\johnlo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 14:31 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-19 14:31 . 2008-01-19 07:35 221 --a------ C:\Boot.bak
2008-01-19 14:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 00:01 . 2008-01-19 00:01 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:40 . 2008-01-19 07:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 20:40 . 2008-01-16 20:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 20:05 . 2008-01-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 17:25 . 2008-01-16 17:25 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-16 00:14 . 2008-01-16 00:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 22:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 21:26 . 2008-01-14 22:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 21:26 . 2008-01-14 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 21:26 . 2008-01-14 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 21:26 . 2008-01-14 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 20:53 . 2008-01-16 00:14 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\SUPERAntiSpyware.com
2008-01-14 20:53 . 2008-01-14 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 09:25 . 2008-01-13 09:26 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Photodex
2008-01-12 08:15 . 2008-01-12 08:15 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Snapfish
2008-01-12 08:15 . 2008-01-12 08:15 1,157 --a------ C:\WINDOWS\mozver.dat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-06 10:51 . 2008-01-06 10:54 <DIR> d-------- C:\Documents and Settings\johnlo\.roescache
2008-01-06 10:51 . 2008-01-06 20:16 <DIR> d-------- C:\Documents and Settings\johnlo\.Mpix
2007-12-29 17:47 . 2007-12-29 20:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\AdobeUM
2007-12-29 16:36 . 2008-01-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 16:33 . 2007-12-29 16:33 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\GlobalSCAPE
2007-12-29 16:07 . 2007-12-29 16:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Media Player Classic
2007-12-29 15:15 . 2007-06-07 14:11 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-12-29 15:13 . 2007-01-01 00:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-12-29 15:13 . 2007-06-17 20:21 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 15:13 . 2007-06-17 20:21 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-29 15:08 . 2007-12-29 15:08 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\DivX
2007-12-29 15:08 . 2008-01-17 23:05 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 15:07 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-29 15:07 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-29 15:07 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CyberLink
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-29 14:54 . 2007-12-29 14:56 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-29 11:48 . 2007-12-29 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-29 11:42 . 2008-01-14 22:09 <DIR> d-------- C:\Program Files\Bonjour
2007-12-29 11:31 . 2007-12-29 11:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-29 11:16 . 2007-12-29 11:16 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Nero
2007-12-29 11:14 . 2007-12-29 11:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 11:09 . 2007-12-29 11:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
2007-12-27 23:34 . 2007-12-27 23:34 <DIR> d-------- C:\WINDOWS\Sun
2007-12-27 23:11 . 2007-12-27 23:11 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\ImgBurn
2007-12-27 22:42 . 2007-12-27 22:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CCleanup
2007-12-26 23:04 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-25 17:07 . 2007-12-25 17:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\iSilo
2007-12-25 16:55 . 2007-12-25 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 16:54 . 2007-12-25 16:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 16:53 . 2007-12-29 11:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 16:24 . 2007-12-25 16:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-12-25 13:16 . 2007-12-25 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 12:57 . 2007-12-25 13:00 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 12:57 . 2007-12-25 13:00 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 12:48 . 2007-12-25 13:00 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-25 12:48 . 2007-12-25 13:00 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-25 12:47 . 2007-12-25 13:00 <DIR> d-------- C:\Program Files\Symantec
2007-12-25 12:47 . 2008-01-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-25 12:47 . 2008-01-19 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 12:28 . 2007-12-25 12:28 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%
2007-12-25 12:16 . 2007-12-28 17:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-25 12:16 . 2007-12-25 12:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-25 12:08 . 2007-12-25 12:08 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-12-25 12:07 . 2007-12-25 12:07 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-25 12:07 . 2007-12-25 12:07 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-12-25 12:06 . 2007-12-25 12:06 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-25 12:03 . 2007-12-25 12:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-25 11:16 . 2007-12-25 12:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-25 09:59 . 2008-01-17 23:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Azureus
2007-12-25 09:59 . 2007-12-25 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-25 01:43 . 2007-12-25 01:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-25 01:37 . 2007-12-25 01:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-25 01:35 . 2007-12-25 11:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-25 01:35 . 2007-12-25 01:35 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-25 01:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-25 01:32 . 2006-03-20 22:23 23,040 --------- C:\WINDOWS\kb913800.exe
2007-12-25 01:20 . 2006-01-10 19:48 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-12-25 01:20 . 2006-01-10 19:48 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-12-25 01:17 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-25 01:17 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-25 01:17 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-25 01:13 . 2007-12-25 01:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-25 00:46 . 2007-12-26 23:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Apple Computer
2007-12-25 00:45 . 2008-01-16 22:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 00:45 . 2007-12-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 00:44 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Java
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 00:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\Common Files\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 02:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-29 22:50 73,728 ----a-w C:\WINDOWS\system32\RBRegEx350.dll
2007-12-29 22:50 67,072 ----a-w C:\WINDOWS\system32\LP0310.dll
2007-12-29 22:50 61,952 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-12-29 22:50 41,472 ----a-w C:\WINDOWS\system32\MBSPlugin.DLL
2007-12-29 22:50 40,960 ----a-w C:\WINDOWS\system32\RBShell400.dll
2007-12-29 22:50 37,888 ----a-w C:\WINDOWS\system32\MBSRegistryPlugin.DLL
2007-12-29 22:50 35,328 ----a-w C:\WINDOWS\system32\MBSFolderPlugin.DLL
2007-12-29 22:50 31,744 ----a-w C:\WINDOWS\system32\MBSMacTTPlugin.DLL
2007-12-29 22:50 29,184 ----a-w C:\WINDOWS\system32\LP0301Gestalt.dll
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\MBSRegPlugin.DLL
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\LP0301ResFork.dll
2007-12-29 22:50 27,648 ----a-w C:\WINDOWS\system32\LP0301LinkFile.dll
2007-12-29 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 06:29 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-12-25 04:50 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-12-25 04:47 --------- d-----w C:\Program Files\DIFX
2007-12-25 04:37 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-25 04:31 --------- d-----w C:\Program Files\Windows Plus
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-04 07:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 07:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 07:08 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-04 07:08 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 07:08 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 07:08 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-21 22:31 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 22:31 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.16.33.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 19:31:10 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 19:31:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 19:31:10 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 19:31:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 19:14:57 3,747,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-19 19:31:10 3,747,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-19 19:14:57 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 19:31:10 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-25 12:03 84640]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-12-25 12:07 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 19:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 12:06 62760 d:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2005-03-28 03:45 53248 D:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
--a------ 2007-11-03 11:11 1421312 D:\muBlinder\muBlinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 09:35 72736 d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 04:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 11:10:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - johnlo.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:36:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:36:23
ComboFix-quarantined-files.txt 2008-01-19 19:36:21
ComboFix2.txt 2008-01-19 19:16:47

and here's the new hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:17 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

Edited by psswrd, 19 January 2008 - 03:49 PM.

#5
miekiemoes

Posted 19 January 2008 - 06:04 PM

Malware Expert

Member
5,503 posts

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\drmgs.sys

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Also, Go to next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\andt.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.

#6
psswrd

Posted 19 January 2008 - 06:28 PM

Member

Topic Starter
Member
22 posts

thanks again. here you go

ComboFix 08-01-18.5 - johnlo 2008-01-19 19:14:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1511 [GMT -5:00]
Running from: C:\Documents and Settings\johnlo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\johnlo\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-19 15:28 . 2008-01-19 15:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 15:28 . 2008-01-19 15:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 14:31 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-19 14:31 . 2008-01-19 07:35 221 --a------ C:\Boot.bak
2008-01-19 14:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 00:01 . 2008-01-19 00:01 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:05 . 2008-01-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 17:25 . 2008-01-16 17:25 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-16 00:14 . 2008-01-16 00:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 22:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 21:26 . 2008-01-14 22:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 21:26 . 2008-01-14 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 21:26 . 2008-01-14 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 21:26 . 2008-01-14 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 20:53 . 2008-01-16 00:14 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\SUPERAntiSpyware.com
2008-01-14 20:53 . 2008-01-14 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 09:25 . 2008-01-19 16:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Photodex
2008-01-12 08:15 . 2008-01-12 08:15 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Snapfish
2008-01-12 08:15 . 2008-01-12 08:15 1,157 --a------ C:\WINDOWS\mozver.dat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-06 10:51 . 2008-01-06 10:54 <DIR> d-------- C:\Documents and Settings\johnlo\.roescache
2008-01-06 10:51 . 2008-01-06 20:16 <DIR> d-------- C:\Documents and Settings\johnlo\.Mpix
2007-12-29 17:47 . 2007-12-29 20:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\AdobeUM
2007-12-29 16:36 . 2008-01-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 16:33 . 2007-12-29 16:33 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\GlobalSCAPE
2007-12-29 16:07 . 2007-12-29 16:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Media Player Classic
2007-12-29 15:15 . 2007-06-07 14:11 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-12-29 15:13 . 2007-01-01 00:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-12-29 15:13 . 2007-06-17 20:21 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 15:13 . 2007-06-17 20:21 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-29 15:08 . 2007-12-29 15:08 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\DivX
2007-12-29 15:08 . 2008-01-19 19:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 15:07 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-29 15:07 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-29 15:07 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CyberLink
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-29 14:54 . 2007-12-29 14:56 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-29 11:48 . 2007-12-29 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-29 11:42 . 2008-01-14 22:09 <DIR> d-------- C:\Program Files\Bonjour
2007-12-29 11:31 . 2007-12-29 11:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-29 11:16 . 2007-12-29 11:16 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Nero
2007-12-29 11:14 . 2007-12-29 11:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 11:09 . 2007-12-29 11:09 40 --a------ C:\WINDOWS\system32\drmgs.sys
2007-12-27 23:34 . 2007-12-27 23:34 <DIR> d-------- C:\WINDOWS\Sun
2007-12-27 23:11 . 2007-12-27 23:11 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\ImgBurn
2007-12-27 22:42 . 2007-12-27 22:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CCleanup
2007-12-26 23:04 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-25 17:07 . 2007-12-25 17:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\iSilo
2007-12-25 16:55 . 2007-12-25 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 16:54 . 2007-12-25 16:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 16:53 . 2007-12-29 11:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 16:24 . 2007-12-25 16:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-12-25 13:16 . 2007-12-25 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 12:57 . 2007-12-25 13:00 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 12:57 . 2007-12-25 13:00 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 12:48 . 2007-12-25 13:00 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-25 12:48 . 2007-12-25 13:00 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-25 12:47 . 2007-12-25 13:00 <DIR> d-------- C:\Program Files\Symantec
2007-12-25 12:47 . 2008-01-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-25 12:47 . 2008-01-19 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 12:28 . 2007-12-25 12:28 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%
2007-12-25 12:16 . 2007-12-28 17:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-25 12:16 . 2007-12-25 12:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-25 12:08 . 2007-12-25 12:08 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-12-25 12:07 . 2007-12-25 12:07 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-25 12:07 . 2007-12-25 12:07 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-12-25 12:06 . 2007-12-25 12:06 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-25 12:03 . 2007-12-25 12:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-25 11:16 . 2007-12-25 12:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-25 09:59 . 2008-01-19 19:11 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Azureus
2007-12-25 09:59 . 2007-12-25 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-25 01:43 . 2007-12-25 01:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-25 01:37 . 2007-12-25 01:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-25 01:35 . 2007-12-25 11:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-25 01:35 . 2007-12-25 01:35 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-25 01:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-25 01:32 . 2006-03-20 22:23 23,040 --------- C:\WINDOWS\kb913800.exe
2007-12-25 01:20 . 2006-01-10 19:48 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-12-25 01:20 . 2006-01-10 19:48 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-12-25 01:17 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-25 01:17 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-25 01:17 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-25 01:13 . 2007-12-25 01:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-25 00:46 . 2007-12-26 23:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Apple Computer
2007-12-25 00:45 . 2008-01-16 22:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 00:45 . 2007-12-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 00:44 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Java
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 00:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\Common Files\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 02:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-29 22:50 73,728 ----a-w C:\WINDOWS\system32\RBRegEx350.dll
2007-12-29 22:50 67,072 ----a-w C:\WINDOWS\system32\LP0310.dll
2007-12-29 22:50 61,952 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-12-29 22:50 41,472 ----a-w C:\WINDOWS\system32\MBSPlugin.DLL
2007-12-29 22:50 40,960 ----a-w C:\WINDOWS\system32\RBShell400.dll
2007-12-29 22:50 37,888 ----a-w C:\WINDOWS\system32\MBSRegistryPlugin.DLL
2007-12-29 22:50 35,328 ----a-w C:\WINDOWS\system32\MBSFolderPlugin.DLL
2007-12-29 22:50 31,744 ----a-w C:\WINDOWS\system32\MBSMacTTPlugin.DLL
2007-12-29 22:50 29,184 ----a-w C:\WINDOWS\system32\LP0301Gestalt.dll
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\MBSRegPlugin.DLL
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\LP0301ResFork.dll
2007-12-29 22:50 27,648 ----a-w C:\WINDOWS\system32\LP0301LinkFile.dll
2007-12-29 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 06:29 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-12-25 04:50 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-12-25 04:47 --------- d-----w C:\Program Files\DIFX
2007-12-25 04:37 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-25 04:31 --------- d-----w C:\Program Files\Windows Plus
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-04 07:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 07:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 07:08 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-04 07:08 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 07:08 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 07:08 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-21 22:31 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 22:31 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.16.33.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 00:14:15 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 00:14:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 00:14:15 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 00:14:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 19:14:57 3,747,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-20 00:14:15 3,747,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-19 19:14:57 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 00:14:15 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-25 12:03 84640]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-12-25 12:07 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 19:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 12:06 62760 d:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2005-03-28 03:45 53248 D:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
--a------ 2007-11-03 11:11 1421312 D:\muBlinder\muBlinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 09:35 72736 d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 04:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 11:10:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - johnlo.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 19:15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 19:16:03
ComboFix-quarantined-files.txt 2008-01-20 00:16:00
ComboFix2.txt 2008-01-19 19:36:24
ComboFix3.txt 2008-01-19 19:16:47

HijackIt Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:09 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Microsoft ActiveSync\WCESMgr.exe
D:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198560061000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198560057218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B88F3DC-CEC5-40D9-84C6-E4E9D42136E9}: NameServer = 167.206.3.182,167.206.3.183
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9510 bytes

From VirusTotal

File ndt2.sys received on 01.15.2008 14:26:58 (CET)
Current status: finished
Result: 2/32 (6.25%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - a variant of Win32/TrojanDownloader.Delf.DSX
Norman - - -
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 7d4bd6f3aa9a269cbcb438099d5872aa
SHA1: ca47b2b39502245623843454185f12f1b3c2bfd3
SHA256: f98fc57b948fe9239298e2a150583480401eaad863a61347b9c05b9cb6584336
SHA512: 672268101da47b49be59d775f55cb4681e3b9d1106ec714b379ed42b79e7fb45 c3af816b28259d0c572fbf92c982d356dd91fc7022509ba5c924b9e899260e9a

#7
miekiemoes

Posted 20 January 2008 - 12:49 PM

Malware Expert

Member
5,503 posts

Hi,

It appears that you didn't create the CFScript correctly. Did you include File:: on top? Because File:: should be present, otherwise Combofix doesn't know what to do with it.
Also, you didn't read my instructions properly about C:\WINDOWS\system32\andt.sys
Instead you uploaded ndt2.sys. You had to upload andt.sys at Virustotal, so please perform that step again as well.

So recreate the CFScript.txt I posted previously + drag it into Combofix as instructed and post the new log + upload C:\WINDOWS\system32\andt.sys at Virustotal and post the results in your next reply as well.

#8
psswrd

Posted 21 January 2008 - 05:02 PM

Member

Topic Starter
Member
22 posts

Sorry for the late reply. went away for the weekend. and sorry about my previous posted... anyway, hopefully what i did now is correct.

ComboFix 08-01-18.5 - johnlo 2008-01-21 17:53:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1562 [GMT -5:00]
Running from: C:\Documents and Settings\johnlo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\johnlo\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 07:51 . 2008-01-20 07:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 07:51 . 2008-01-20 07:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 14:31 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-19 14:31 . 2008-01-19 07:35 221 --a------ C:\Boot.bak
2008-01-19 14:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 00:01 . 2008-01-19 00:01 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:05 . 2008-01-16 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-16 00:14 . 2008-01-16 00:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 22:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 21:26 . 2008-01-14 22:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 21:26 . 2008-01-14 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 21:26 . 2008-01-14 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 21:26 . 2008-01-14 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 20:53 . 2008-01-16 00:14 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\SUPERAntiSpyware.com
2008-01-14 20:53 . 2008-01-14 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 09:25 . 2008-01-19 16:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Photodex
2008-01-12 08:15 . 2008-01-12 08:15 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Snapfish
2008-01-12 08:15 . 2008-01-12 08:15 1,157 --a------ C:\WINDOWS\mozver.dat
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-06 10:51 . 2008-01-06 10:54 <DIR> d-------- C:\Documents and Settings\johnlo\.roescache
2008-01-06 10:51 . 2008-01-06 20:16 <DIR> d-------- C:\Documents and Settings\johnlo\.Mpix
2007-12-29 17:47 . 2007-12-29 20:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\AdobeUM
2007-12-29 16:36 . 2008-01-08 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 16:33 . 2007-12-29 16:33 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\GlobalSCAPE
2007-12-29 16:07 . 2007-12-29 16:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Media Player Classic
2007-12-29 15:15 . 2007-06-07 14:11 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2007-12-29 15:13 . 2007-01-01 00:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-12-29 15:13 . 2007-06-17 20:21 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 15:13 . 2007-06-17 20:21 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-29 15:08 . 2007-12-29 15:08 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\DivX
2007-12-29 15:08 . 2008-01-19 19:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 15:07 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-29 15:07 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-29 15:07 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CyberLink
2007-12-29 14:56 . 2007-12-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-29 14:54 . 2007-12-29 14:56 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-29 11:48 . 2007-12-29 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-29 11:42 . 2008-01-14 22:09 <DIR> d-------- C:\Program Files\Bonjour
2007-12-29 11:31 . 2007-12-29 11:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-29 11:16 . 2007-12-29 11:16 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Nero
2007-12-29 11:14 . 2007-12-29 11:15 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-27 23:34 . 2007-12-27 23:34 <DIR> d-------- C:\WINDOWS\Sun
2007-12-27 23:11 . 2007-12-27 23:11 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\ImgBurn
2007-12-27 22:42 . 2007-12-27 22:46 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\CCleanup
2007-12-26 23:04 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-25 17:07 . 2007-12-25 17:07 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\iSilo
2007-12-25 16:55 . 2007-12-25 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 16:54 . 2007-12-25 16:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 16:53 . 2007-12-29 11:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 16:24 . 2007-12-25 16:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-12-25 13:16 . 2007-12-25 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-25 12:57 . 2007-12-25 13:00 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-25 12:57 . 2007-12-25 13:00 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 12:48 . 2007-12-25 13:00 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-25 12:48 . 2007-12-25 13:00 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-25 12:47 . 2007-12-25 13:00 <DIR> d-------- C:\Program Files\Symantec
2007-12-25 12:47 . 2008-01-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-25 12:47 . 2008-01-19 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 12:28 . 2007-12-25 12:28 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%
2007-12-25 12:16 . 2007-12-28 17:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-25 12:16 . 2007-12-25 12:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-25 12:08 . 2007-12-25 12:08 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2007-12-25 12:07 . 2007-12-25 12:07 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-25 12:07 . 2007-12-25 12:07 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-12-25 12:06 . 2007-12-25 12:06 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-25 12:03 . 2007-12-25 12:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-25 11:16 . 2007-12-25 12:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-25 09:59 . 2008-01-19 20:12 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Azureus
2007-12-25 09:59 . 2007-12-25 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-25 01:43 . 2007-12-25 01:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-25 01:37 . 2007-12-25 01:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-25 01:35 . 2007-12-25 11:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-25 01:35 . 2007-12-25 01:35 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-25 01:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-25 01:32 . 2006-03-20 22:23 23,040 --------- C:\WINDOWS\kb913800.exe
2007-12-25 01:20 . 2006-01-10 19:48 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-12-25 01:20 . 2006-01-10 19:48 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-12-25 01:17 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-25 01:17 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-25 01:17 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-25 01:13 . 2007-12-25 01:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-25 00:46 . 2007-12-26 23:25 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\Apple Computer
2007-12-25 00:45 . 2008-01-16 22:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 00:45 . 2007-12-25 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-25 00:44 . 2007-12-25 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 00:44 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Java
2007-12-25 00:41 . 2007-12-25 00:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 00:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Program Files\AIM6
2007-12-25 00:29 . 2007-12-25 00:29 <DIR> d-------- C:\Documents and Settings\johnlo\Application Data\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 02:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-29 22:50 73,728 ----a-w C:\WINDOWS\system32\RBRegEx350.dll
2007-12-29 22:50 67,072 ----a-w C:\WINDOWS\system32\LP0310.dll
2007-12-29 22:50 61,952 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-12-29 22:50 41,472 ----a-w C:\WINDOWS\system32\MBSPlugin.DLL
2007-12-29 22:50 40,960 ----a-w C:\WINDOWS\system32\RBShell400.dll
2007-12-29 22:50 37,888 ----a-w C:\WINDOWS\system32\MBSRegistryPlugin.DLL
2007-12-29 22:50 35,328 ----a-w C:\WINDOWS\system32\MBSFolderPlugin.DLL
2007-12-29 22:50 31,744 ----a-w C:\WINDOWS\system32\MBSMacTTPlugin.DLL
2007-12-29 22:50 29,184 ----a-w C:\WINDOWS\system32\LP0301Gestalt.dll
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\MBSRegPlugin.DLL
2007-12-29 22:50 28,160 ----a-w C:\WINDOWS\system32\LP0301ResFork.dll
2007-12-29 22:50 27,648 ----a-w C:\WINDOWS\system32\LP0301LinkFile.dll
2007-12-29 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 06:29 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-12-25 04:50 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-12-25 04:47 --------- d-----w C:\Program Files\DIFX
2007-12-25 04:37 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-25 04:31 --------- d-----w C:\Program Files\Windows Plus
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-04 07:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 07:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 07:08 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-04 07:08 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 07:08 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 07:08 118,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-21 22:31 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 22:31 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.16.33.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 22:53:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 22:53:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 19:14:57 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 22:53:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 19:14:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 22:53:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 19:14:57 3,747,840 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 22:53:41 3,764,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-19 19:14:57 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 22:53:41 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-25 12:03 84640]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-12-25 12:07 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 19:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 12:06 62760 d:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2005-03-28 03:45 53248 D:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
--a------ 2007-11-03 11:11 1421312 D:\muBlinder\muBlinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 09:35 72736 d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 04:05:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 11:10:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - johnlo.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 17:54:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 17:54:56
ComboFix-quarantined-files.txt 2008-01-21 22:54:54
ComboFix2.txt 2008-01-21 22:51:43
ComboFix3.txt 2008-01-20 00:16:03
ComboFix4.txt 2008-01-19 19:36:24
ComboFix5.txt 2008-01-19 19:16:47

hijackit

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:58 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Norton AntiVirus\NAVW32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198560061000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198560057218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B88F3DC-CEC5-40D9-84C6-E4E9D42136E9}: NameServer = 167.206.3.182,167.206.3.183
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - d:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9385 bytes

Virustotal

File andt.sys received on 01.20.2008 01:21:14 (CET)
Current status: finished
Result: 5/32 (15.62%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.19 -
Avast 4.7.1098.0 2008.01.19 Win32:Delf-HTI
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 TrojanDownloader.Delf.dwi
ClamAV 0.91.2 2008.01.19 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.19 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 -
Ikarus T3.1.1.20 2008.01.19 -
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 TrojanDownloader:Win32/Delf.HA
NOD32v2 2807 2008.01.19 a variant of Win32/TrojanDownloader.Delf.DSX
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.19 -
Prevx1 V2 2008.01.20 Generic.Malware
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.19 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.19 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.19 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 253952 bytes
MD5: 7d4bd6f3aa9a269cbcb438099d5872aa
SHA1: ca47b2b39502245623843454185f12f1b3c2bfd3
PEiD: -
Prevx info: http://info.prevx.co...04C74000F453B7C

Thanks.

#9
miekiemoes

Posted 22 January 2008 - 12:17 AM

Malware Expert

Member
5,503 posts

Hi,

Please navigate to and remove the C:\WINDOWS\system32\andt.sys file.

If you are not able to remove it, let me know.

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, as a final check... * Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Check next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log in your next reply and also let me know how things are now.

Edited by miekiemoes, 22 January 2008 - 12:17 AM.

#10
psswrd

Posted 22 January 2008 - 05:43 AM

Member

Topic Starter
Member
22 posts

here you go.

i noticed that i had one file detected as a threat. i dont use outlook express at all......

let me know if there's anything else i did to do. thx.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2814 (20080122)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=1d585cc6e3d2b04fa9885ad0bbf1d734
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-01-22 11:34:16
# local_time=2008-01-22 06:34:16 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=249478
# found=1
# scan_time=2257
C:\Program Files\Outlook Express\svchost.exe Win32/TrojanDownloader.Delf.DTT trojan (unable to clean - deleted) 00000000000000000000000000000000

#11
miekiemoes

Posted 22 January 2008 - 08:08 AM

Malware Expert

Member
5,503 posts

The file that was deleted was not a part of Outlook express, but was added there by malware. Deleting that file won't affect Outlook express

Anyway, how are things now?

#12
psswrd

Posted 22 January 2008 - 08:12 PM

Member

Topic Starter
Member
22 posts

The file that was deleted was not a part of Outlook express, but was added there by malware. Deleting that file won't affect Outlook express

Anyway, how are things now?

Thank you. I think everything seem to be ok. I guess if something goes wrong again, I will open another thread for help.

Thanks.

#13
miekiemoes

Posted 23 January 2008 - 02:49 AM

Malware Expert

Member
5,503 posts

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14
miekiemoes

Posted 30 January 2008 - 07:16 AM

Malware Expert

Member
5,503 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.