Can't remove rootkit ndt2
Junior Member, 14. January 2008 @ 15:46
Rootkit ndt2: I can't remove this, it keeps popping up. I used SUPERAntiSpyware and others. Please help.
bluecoal, 14. January 2008 @ 15:55
Here is a rootkit removal tool you can try:

http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0

If that doesn't work, you will probably need to post a hijackthis log and see if someone can help you using that.
Junior Member, 14. January 2008 @ 18:05
I'll try that, thanks.
Senior Member, 14. January 2008 @ 18:22
Here's another rootkit removal tool to try if the first one doesn't do the trick.
http://www.download.com/Panda-Anti-Rootk...j=dl&tag=button

Download HijackThis and post a log to help us identify your PC infections. Open HJK, click "Do a system scan and save a logfile", and post the log here for review.
http://www.download.com/3000-8022_4-10781312.html

This message has been edited since posting. Last time this message was edited on 14. January 2008 @ 18:30

Junior Member, 14. January 2008 @ 18:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:45 PM, on 1/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\A and J\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.179 asvmgs.com
O1 - Hosts: 82.98.86.179 mywifjen.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Unknown owner - (no file)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7685 bytes
Junior Member, 14. January 2008 @ 18:47
Panda 1 didn't work on Vista and AVG said I was OK, but Norton and SUPERAntiSpyware say I have that rootkit.
Senior Member, 14. January 2008 @ 20:52
You have too many anti-spyware programs installed: Webroot, SUPERAntiSpyware and Windows Defender. For now, remove all but Windows Defender.

NOTE: Important! HJK must be installed in its own folder or it will not create backups! C:\HJK

Reboot into safe mode. Open HJK and click "Do a scan only". Place ticks (check marks) next to all the items listed below, then click "Fix Checked". Reboot normally, run a new HJK scan and post the log here.

O1 - Hosts: 82.98.86.179 asvmgs.com

O1 - Hosts: 82.98.86.179 mywifjen.com

O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}

O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O23 - Service: NBService - Unknown owner - (no file)

O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe

This message has been edited since posting. Last time this message was edited on 16. January 2008 @ 04:56
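As an added example (not code from this thread and not part of HijackThis), the script below applies the checks the helper above made by eye to a constructed excerpt of the first log: hosts entries that point a hostname somewhere other than loopback, a Run entry launched from the legacy Windows\system folder, entries whose target file is gone, and services with no registered owner. The severity labels, regexes and the name `triage` are my own; the "Unknown owner" rule is a prompt to verify the binary, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not the thread's or HijackThis's own code. It mechanically
re-applies the checks a helper makes by eye: hosts-file redirections away
from loopback, a Run entry launching from the legacy "system" folder under
the Windows directory, orphaned entries, and services with no owner.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the first HJT log posted in this thread (not the whole log).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.179 asvmgs.com
O1 - Hosts: 82.98.86.179 mywifjen.com
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: NBService - Unknown owner - (no file)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

# HJT line shape: "<section> - <body>", e.g. "O1 - Hosts: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<addr>\S+)\s+(?P<name>\S+)")
RUN_RE = re.compile(r"^HK.*?\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# C:\Windows\system\ (16-bit compatibility folder), deliberately not system32.
LEGACY_SYSTEM_DIR_RE = re.compile(r"\\windows\\system\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "low" or "review"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the executable path of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_entry(section: str, body: str, line: str) -> Optional[Finding]:
    """Apply the heuristics in priority order; at most one finding per line."""
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m:
            try:
                loopback = ipaddress.ip_address(m["addr"]).is_loopback
            except ValueError:
                loopback = False
            if not loopback:
                return Finding(section, "high",
                               f"hosts file sends {m['name']} to {m['addr']} (not loopback)", line)
        return None
    if section == "O4":
        m = RUN_RE.match(body)
        if m and LEGACY_SYSTEM_DIR_RE.search(executable_of(m["cmd"])):
            return Finding(section, "high",
                           f"Run entry [{m['name']}] launches from the legacy Windows\\system folder", line)
        return None
    if "(no file)" in body or "(file missing)" in body:
        return Finding(section, "low", "target file is missing; orphaned entry", line)
    if section == "O23" and "Unknown owner" in body:
        # A missing owner is common for legitimate third-party services too; verify, don't assume.
        return Finding(section, "review", "service has no registered owner; verify the binary", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every HJT entry line and collect findings; header lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        f = check_entry(m["section"], m["body"], line)
        if f:
            findings.append(f)
    return findings


def by_severity(findings: List[Finding]) -> dict:
    out = {"high": [], "low": [], "review": []}
    for f in findings:
        out[f.severity].append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```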

Junior Member, 14. January 2008 @ 21:35
Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:38 PM, on 1/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\hjt\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6985 bytes
Senior Member, 16. January 2008 @ 06:06
Please temporarily uninstall Webroot SpySweeper. We will be installing other scan tools; SpySweeper may interfere with scan results and give false positives. Once you have removed it, here's the next step: download Deckard's System Scanner (Comboscan), follow the directions and post both logs. http://www.geekstogo.com/forum/index.php...ads&showfile=19

This message has been edited since posting. Last time this message was edited on 16. January 2008 @ 06:07

Junior Member, 16. January 2008 @ 22:01
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2046.5 MiB / 1673.73 MiB
Pagefile Memory (total/avail): 4349.63 MiB / 4068.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.09 GiB total, 238.15 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD3200AAKS-22SBA0 ATA Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation)
AS: Spybot - Search and Destroy v1.0.0.4 (Safer Networking Ltd.)
AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled
AS: Spy Sweeper v5.5.7.103 (Webroot Software Inc) Disabled
AS: Norton AntiVirus v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\A and J\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AANDJ-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\A and J
LOCALAPPDATA=C:\Users\A and J\AppData\Local
LOGONSERVER=\\AANDJ-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\AANDJ~1\AppData\Local\Temp
TMP=C:\Users\AANDJ~1\AppData\Local\Temp
USERDOMAIN=AandJ-PC
USERNAME=A and J
USERPROFILE=C:\Users\A and J
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

A and J (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Your Uninstaller 2008\unins000.exe"
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
--> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
--> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
--> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
--> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
--> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
ActivePerl 5.6.1 Build 638 --> MsiExec.exe /I{D048A3AD-31D3-44A5-9D12-C4ADD3253B00}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Audition 2.0 --> msiexec /I {01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}
Adobe Audition 3.0 --> msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Bridge 1.0 --> MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\Windows\system32\Attansic\L1\atcInst.dll,VisUninst C:\Windows\system32\Attansic\L1 x86 pci\ven_1969&dev_1048
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
BitComet 0.97 --> C:\Program Files\BitComet\uninst.exe
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DVDFab HD Decrypter 4.0.5.1 Beta --> "C:\Program Files\DVDFab HD Decrypter 4\unins000.exe"
DVDFab Platinum 4.0.5.1 Beta --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
DVDFab Platinum 4.0.5.1.B by Dr.Pc Putte - Team RES --> "C:\Program Files\DVDFab Platinum 4\unins001.exe"
EPA 608 Certification --> C:\Program Files\Mainstream Engineering Corporation\EPA 608 Certification\_uninst\uninstaller.exe
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
HijackThis 2.0.2 --> "C:\PROGRA~1\hjt\HijackThis.exe" /uninstall
HVAC SMS --> C:\Windows\uninst.exe -fC:\PROGRA~1\HVACSMS\module4\DeIsL1.isu
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire PRO 4.16.1 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MpcStar 2.2 --> C:\Program Files\MpcStar\uninst.exe
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_2_0_29\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\Setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Torrent Harvester --> C:\Program Files\Torrent Harvester\uninstall.exe
Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type31810 / Success
Event Submitted/Written: 01/16/2008 06:53:44 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type31808 / Error
Event Submitted/Written: 01/16/2008 06:53:35 PM
Event ID/Source: 4609 / EventSystem
Event Description:
d:\vistartm\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Event Record #/Type31806 / Warning
Event Submitted/Written: 01/16/2008 06:53:28 PM
Event ID/Source: 6000 / Wlclntfy
Event Description:
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Event Record #/Type31804 / Success
Event Submitted/Written: 01/16/2008 06:53:26 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type31801 / Success
Event Submitted/Written: 01/16/2008 06:51:50 PM
Event ID/Source: 903 / Software Licensing Service
Event Description:
The Software Licensing service has stopped.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type79373 / Error
Event Submitted/Written: 01/16/2008 06:54:37 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068

Event Record #/Type79372 / Error
Event Submitted/Written: 01/16/2008 06:54:37 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068

Event Record #/Type79370 / Error
Event Submitted/Written: 01/16/2008 06:54:37 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068

Event Record #/Type79369 / Error
Event Submitted/Written: 01/16/2008 06:54:37 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Network List ServiceNetwork Location Awareness%%1068

Event Record #/Type79368 / Error
Event Submitted/Written: 01/16/2008 06:54:37 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
AFD
AsIO
DfsC
eeCtrl
i8042prt
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
SCDEmu
Smb
SPBBCDrv
spldr
SRTSP
SRTSPX
SYMTDI
Tcpip
tdx
Wanarpv6



-- End of Deckard's System Scanner: finished at 2008-01-16 18:57:32 ------------
Junior Member, 16. January 2008 @ 23:37
A new folder has appeared in my C drive ProgramData and there is 2 gigs worth of stuff in there. What do I do with it?
Junior Member, 17. January 2008 @ 01:09
Scratch that last comment; it was a hidden folder that got unhidden.
Senior Member, 17. January 2008 @ 01:17

Member, 17. January 2008 @ 10:50
Format and reinstall is the only way to remove rootkits 100%.

Senior Member, 17. January 2008 @ 15:49
OK, let's review what's been done up to this point:
AVG Anti-Rootkit removal tool
HijackThis
Deckard's System scanner

Run this method one more time.
Copy and paste this to notepad:

@echo off
rem Stop both services first; sc delete only removes a service registration once it is no longer running
sc stop perfmons
sc stop Routing
rem Remove the service registrations so they do not start again on the next boot
sc delete perfmons
sc delete Routing
exit

Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
Double click FixServices.bat. A window will open and close. This is normal.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Second Opinion Scanner
http://www.kaspersky.com/service?chapter=161739400


Instructions are on the page:

Download and Install the kav6.0.3.837_sosen.exe package on the local machine with default settings. (Click Next on every option to accept default settings and choose the Complete button for a full install)

Run an Update in the Kaspersky SOS software. (This is the virus signature definitions update and needs internet connection)

Disable your AntiVirus application

Run a full scan to detect and remove any malware that has not been found or disinfected by the other vendor's anti-virus.

Save that log and post it. Also post a new HijackThis log.


Junior Member, 20. January 2008 @ 03:53
Scan critical areas
-------------------
Scanned: 6516
Detected: 2
Untreated: 0
Start time: 1/20/2008 12:37:07 AM
Duration: 00:03:12
Finish time: 1/20/2008 12:40:19 AM
Signatures published: 1/19/2008 9:07:01 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Clicker.Win32.VB.yj File: C:\Windows\system32\Indt2.sys
deleted: Trojan program Trojan-Downloader.Win32.Delf.eah File: C:\Windows\system32\ndt2.sys
Junior Member, 20. January 2008 @ 03:56
Protection
----------
Total scanned: 53550
Detected: 3
Untreated: 0
Start time: 1/20/2008 12:36:31 AM
Duration: 00:00:00
Finish time: 1/20/2008 12:36:31 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Clicker.Win32.VB.yj File: C:\Windows\system32\Indt2.sys
deleted: Trojan program Trojan-Downloader.Win32.Delf.eah File: C:\Windows\system32\ndt2.sys
deleted: Trojan program Trojan-Clicker.Win32.VB.xj File: C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\Indt2.sys


Events
------
Time Event
---- -----
1/20/2008 12:37:50 AM File C:\Windows\system32\Indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.yj'.
1/20/2008 12:37:50 AM Security threats have been detected. You are advised to neutralize them immediately.
1/20/2008 12:37:50 AM File C:\Windows\system32\Indt2.sys: is still infected, postponed.
1/20/2008 12:38:02 AM File C:\Windows\system32\ndt2.sys: detected Trojan program 'Trojan-Downloader.Win32.Delf.eah'.
1/20/2008 12:38:02 AM File C:\Windows\system32\ndt2.sys: is still infected, postponed.
1/20/2008 12:38:24 AM File c:\windows\system32\indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.yj'.
1/20/2008 12:40:12 AM File c:\windows\system32\indt2.sys: deleted.
1/20/2008 12:40:12 AM File c:\windows\system32\ndt2.sys: detected Trojan program 'Trojan-Downloader.Win32.Delf.eah'.
1/20/2008 12:40:19 AM File c:\windows\system32\ndt2.sys: deleted.
1/20/2008 12:42:11 AM File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\Indt2.sys: detected Trojan program 'Trojan-Clicker.Win32.VB.xj'.
1/20/2008 12:42:11 AM Security threats have been detected. You are advised to neutralize them immediately.
1/20/2008 12:42:11 AM File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\Indt2.sys: is still infected, postponed.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Update completed 1/20/2008 12:35:00 AM 1/20/2008 12:35:45 AM 134.4 KB
Scan critical areas completed 1/20/2008 12:37:07 AM 1/20/2008 12:40:19 AM 160 bytes
Scan My Computer running 1/20/2008 12:42:07 AM 0 bytes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.Delf.eah c:\windows\system32\ndt2.sys 248 KB
Infected: Trojan program Trojan-Clicker.Win32.VB.xj c:\system volume information\systemrestore\frstaging\windows\system32\indt2.sys 44 KB
Infected: Trojan program Trojan-Clicker.Win32.VB.yj c:\windows\system32\indt2.sys 44 KB
Senior Member, 20. January 2008 @ 04:11
Also post a new HijackThis log.


Junior Member, 20. January 2008 @ 05:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:47 AM, on 1/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\hjt\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7122 bytes
Senior Member, 20. January 2008 @ 15:53
Looking much better now! A few more steps. Some infections still remain in the System Restore data archive.

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:

1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then double-click System.
3. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
4. Click OK, and then click Yes to initiate the restore point deletion.

To turn on System Restore again after the restore point deletion has completed, repeat these steps, but click to clear the Turn off System Restore for all drives check box.

To show hidden files and folders:

1. Start > All Programs (or Programs) > Windows Explorer.
2. In Windows Explorer, click View > Folder Options.
3. On the Folder Options window, click the View tab.
4. In the Advanced Settings group, click Show hidden files and folders.
5. Uncheck Hide extensions for known file types.
6. Click Apply > OK. Close Windows Explorer.

Download ComboFix to the desktop.
http://forums.majorgeeks.com/showthread.php?t=134965
Close all open Windows including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Copy and paste the Combofix log here for review.

Reboot into safe mode. Start> run> type regedit. Navigate to this registry key. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions. R/click and delete each of the following extensions if they still appear.

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
{2670000A-7350-4f3c-8081-5663EE0C6C49}
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}

Close registry. Reboot normal.

Post a new Hijackthis log.
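
As an added example (not part of this thread and not HijackThis code), the script below does mechanically what the helper did by eye on the posted log: it parses O9 "Extra button" and O23 "Service" lines, flags buttons whose CLSID has no backing file, and maps each one to the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions that was listed for review. The sample log is constructed from lines of the log posted above; the function names are my own, and the "Unknown owner" flag on O23 entries is only a prompt to confirm the publisher, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Registry key the helper pointed the poster at for stale O9 buttons.
IE_EXTENSIONS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread, so the output can be compared with the helper's advice.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class HjtEntry:
    section: str  # e.g. "O9", "O23", "R1"
    body: str     # everything after the "O9 - " prefix


@dataclass
class ExtensionButton:
    name: str
    clsid: str
    target: str

    @property
    def dangling(self) -> bool:
        # HijackThis prints "(no file)" when the CLSID has no file registered
        # and appends "(file missing)" when the registered file is gone.
        return self.target == "(no file)" or self.target.endswith("(file missing)")


@dataclass
class Service:
    name: str
    owner: str
    path: str


# "O9 - Extra button: <name> - {CLSID} - <target>" and
# "O23 - Service: <display name> - <publisher> - <path>"
_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
_O9_RE = re.compile(r"^Extra button: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
_O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return every section entry; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def extension_buttons(text: str) -> List[ExtensionButton]:
    out = []
    for e in parse_hjt(text):
        if e.section == "O9":
            m = _O9_RE.match(e.body)
            if m:
                out.append(ExtensionButton(m["name"], m["clsid"], m["target"]))
    return out


def dangling_extension_keys(text: str) -> List[str]:
    """Registry keys worth reviewing: one per O9 button with no backing file."""
    return [f"{IE_EXTENSIONS_KEY}\\{b.clsid}" for b in extension_buttons(text) if b.dangling]


def services_without_publisher(text: str) -> List[Service]:
    """O23 services HijackThis could not attribute to a publisher; verify manually."""
    out = []
    for e in parse_hjt(text):
        if e.section == "O23":
            m = _O23_RE.match(e.body)
            if m and m["owner"] == "Unknown owner":
                out.append(Service(m["name"], m["owner"], m["path"]))
    return out


if __name__ == "__main__":
    print("O9 buttons with no backing file -> registry keys to review:")
    for key in dangling_extension_keys(SAMPLE_LOG):
        print("  " + key)
    print("O23 services with no identified publisher (verify before acting):")
    for svc in services_without_publisher(SAMPLE_LOG):
        print(f"  {svc.name}: {svc.path}")
```

On a full saved log, read the file and pass its text in place of SAMPLE_LOG; what the script flags are candidates for a second look, not things to delete blindly.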

Junior Member, 20. January 2008 @ 17:50
ComboFix 08-01-20.1 - A and J 2008-01-20 14:41:15.1 - NTFSx86
Microsoft® Windows Vista? Home Premium 6.0.6000.0.1252.1.1033.18.1397 [GMT -8:00]
Running from: C:\Users\A and J\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\svchost.exe
C:\Users\A and J\AppData\Roaming\inst.exe
C:\Windows\system32\drivers\npf.sys
C:\Windows\system32\packet.dll
C:\Windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 14:36 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-20 00:34 . 2008-01-20 14:45 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-01-20 00:34 . 2008-01-20 14:45 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-01-20 00:34 . 2008-01-20 00:34 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 21:39 . 2008-01-15 21:39 <DIR> d-------- C:\Users\A and J\AppData\Roaming\PACE Anti-Piracy
2008-01-15 21:39 . 2008-01-15 21:39 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2008-01-15 21:23 . 2008-01-15 22:16 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-01-15 21:17 . 2008-01-15 21:17 <DIR> d-------- C:\Program Files\PowerISO
2008-01-14 18:03 . 2008-01-20 02:14 <DIR> d-------- C:\Program Files\hjt
2008-01-14 15:38 . 2008-01-14 15:43 <DIR> d-------- C:\Users\A and J\Pavark
2008-01-14 13:30 . 2008-01-14 13:30 <DIR> d-------- C:\Users\A and J\LimeWire Store Purchased
2008-01-13 13:50 . 2008-01-13 13:50 32,256 --a------ C:\Windows\System32\tmpxp_278457640065.bk
2008-01-12 22:02 . 2008-01-12 22:02 123 --a------ C:\Windows\rootkitno.ini
2008-01-12 22:01 . C:\Windows\(2) C:\ComboFix\winstart.bat
2008-01-12 09:21 . 2008-01-12 09:21 <DIR> d-------- C:\Program Files\LimeWire
2008-01-12 01:26 . 2008-01-12 08:59 <DIR> d-------- C:\Users\A and J\AppData\Roaming\FrostWire
2008-01-10 14:30 . 2008-01-10 14:30 <DIR> d-------- C:\Users\A and J\AppData\Roaming\SUPERAntiSpyware.com
2008-01-09 14:46 . 2008-01-09 15:02 69 --a------ C:\Windows\NeroDigital.ini
2008-01-08 12:20 . 2008-01-08 12:20 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-08 12:20 . 2008-01-08 12:20 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-08 12:20 . 2008-01-08 12:20 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-08 12:20 . 2008-01-08 12:20 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-08 12:20 . 2008-01-08 12:20 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-08 12:19 . 2008-01-08 12:19 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-08 12:19 . 2008-01-08 12:19 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-08 12:19 . 2008-01-08 12:19 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-08 12:19 . 2008-01-08 12:19 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-08 12:19 . 2008-01-08 12:19 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-08 12:19 . 2008-01-08 12:19 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-08 12:19 . 2008-01-08 12:19 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-08 12:19 . 2008-01-08 12:19 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-08 12:19 . 2008-01-08 12:19 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-08 12:19 . 2008-01-08 12:19 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-03 00:10 . <DIR> C:\Users\A and J\AppData\Roaming\NeroDigitalT
2008-01-02 23:57 . 2008-01-02 23:59 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-02 14:17 . 2008-01-02 15:01 <DIR> d-------- C:\Users\A and J\AppData\Roaming\Simply Super Software
2008-01-02 14:17 . 2006-05-25 14:52 162,304 --a------ C:\Windows\System32\ztvunrar36.dll
2008-01-02 14:17 . 2003-02-02 19:06 153,088 --a------ C:\Windows\System32\unrar3.dll
2008-01-02 14:17 . 2005-08-26 00:50 77,312 --a------ C:\Windows\System32\ztvunace26.dll
2008-01-02 14:17 . 2002-03-06 00:00 75,264 --a------ C:\Windows\System32\unacev2.dll
2008-01-02 14:17 . 2006-06-19 12:01 69,632 --a------ C:\Windows\System32\ztvcabinet.dll
2007-12-28 15:13 . 2007-12-28 15:13 <DIR> d-------- C:\Users\All Users\Grisoft
2007-12-28 15:13 . 2007-12-28 15:13 <DIR> d-------- C:\ProgramData\Grisoft
2007-12-27 13:08 . 2007-12-27 13:08 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-12-27 13:08 . 2007-12-27 13:08 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2007-12-21 14:19 . 2007-12-21 14:19 <DIR> d-------- C:\Users\A and J\AppData\Roaming\Apple Computer
2007-12-21 14:19 . 2007-12-21 14:19 <DIR> d-------- C:\Program Files\iTunes
2007-12-21 14:19 . 2007-12-21 14:19 <DIR> d-------- C:\Program Files\iPod
2007-12-21 14:16 . 2007-12-21 14:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Users\All Users\Apple
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\ProgramData\Apple
2007-12-21 14:15 . 2007-12-21 14:15 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 07:12 --------- d-----w C:\Users\A and J\AppData\Roaming\LimeWire
2008-01-18 20:45 --------- d-----w C:\Users\A and J\AppData\Roaming\Vso
2008-01-17 03:10 47,360 ----a-w C:\Users\A and J\AppData\Roaming\pcouffin.sys
2008-01-17 03:09 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-01-17 02:48 --------- d---a-w C:\ProgramData\TEMP
2008-01-16 06:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 00:44 --------- d-----w C:\Program Files\pgcedit
2008-01-14 20:50 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2008-01-09 08:03 --------- d-----w C:\Program Files\VstPlugins
2008-01-09 08:03 --------- d-----w C:\Program Files\Image-Line
2008-01-08 21:40 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-08 21:40 --------- d-----w C:\Program Files\Windows Mail
2008-01-08 20:19 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-08 20:19 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-08 20:19 2,144,768 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-08 20:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 08:10 --------- d-----w C:\Users\A and J\AppData\Roaming\NeroDigital?
2008-01-03 07:57 --------- d-----w C:\ProgramData\Nero
2007-12-21 22:19 --------- d-----w C:\ProgramData\Apple Computer
2007-12-20 06:57 81,920 ----a-w C:\Windows\System32\IEDFix.exe
2007-12-20 06:51 3,318 ----a-w C:\Windows\System32\tmp.reg
2007-12-19 20:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-14 03:09 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
2007-12-12 05:20 --------- d-----w C:\Program Files\Mainstream Engineering Corporation
2007-12-12 05:01 --------- d-----w C:\Program Files\HVACSMS
2007-12-12 05:01 --------- d-----w C:\Program Files\Common Files\click2learn
2007-12-11 20:31 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2007-12-11 20:31 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2007-12-11 20:31 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2007-12-11 20:31 --------- d-----w C:\Program Files\Symantec
2007-12-11 19:19 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-11 19:19 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-11 19:19 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-11 19:18 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-11 19:18 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-11 19:18 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-11 19:18 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-11 19:18 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-11 19:18 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-11 19:18 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-11 19:18 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-11 19:16 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-11 19:16 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-11 02:15 --------- d-----w C:\ProgramData\Symantec
2007-12-08 08:55 --------- d-----w C:\Program Files\Your Uninstaller 2008
2007-12-06 21:40 --------- d-----w C:\ProgramData\vsosdk
2007-12-06 08:58 36,864 ----a-w C:\Windows\System32\wmdmps.dll
2007-12-06 08:58 311,296 ----a-w C:\Windows\System32\mswmdm.dll
2007-12-06 08:58 31,744 ----a-w C:\Windows\System32\wmdmlog.dll
2007-12-04 17:59 972,072 ----a-w C:\Windows\UNRecode.exe
2007-12-04 02:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll
2007-12-02 23:48 --------- d-----w C:\ProgramData\WLInstaller
2007-12-02 22:50 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-02 22:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-01 07:57 43,696 ----a-w C:\Windows\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\Windows\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\Windows\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\Windows\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\Windows\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\Windows\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\Windows\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\Windows\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\Windows\system32\drivers\srtsp.inf
2007-11-30 20:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-24 22:43 --------- d-----w C:\Program Files\NeroInstall.bak
2007-11-23 20:43 --------- d-----w C:\Program Files\Java
2007-11-23 20:42 --------- d-----w C:\Program Files\Common Files\Java
2007-11-23 07:50 --------- d-----w C:\Users\A and J\AppData\Roaming\PgcEdit
2007-11-23 07:50 --------- d-----w C:\ProgramData\FLEXnet
2007-11-23 07:50 --------- d-----w C:\Program Files\Microsoft Works
2007-11-23 07:50 --------- d-----w C:\Program Files\CCleaner
2007-11-23 07:50 --------- d-----w C:\Program Files\BitComet
2007-11-23 01:45 --------- d-----w C:\Users\A and J\AppData\Roaming\Talkback
2007-11-17 21:10 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 09:45 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 09:45 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 09:45 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 09:45 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 09:45 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 09:45 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 09:45 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 09:45 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 09:45 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 09:45 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-10-31 20:03 245,408 ----a-w C:\Windows\System32\unicows.dll
2007-09-07 03:01 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-08 12:19 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 04:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 04:36 201728]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [2006-11-02 01:45 12288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-06 03:39 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 11:04 4423680 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-03-16 07:06 1822720 C:\Windows\SkyTel.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 11:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdSync.exe" [ ]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 16:05 200704]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20080116.002\IDSvix86.sys [2007-11-06 08:07]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 01:45]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 01:45]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x86.sys [2007-08-29 15:39]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 03:13]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 04:00:15 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - A and J.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeB/TASK:
"2008-01-20 08:10:22 C:\Windows\Tasks\User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 14:45:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 14:47:21 - machine was rebooted [A and J]
ComboFix-quarantined-files.txt 2008-01-20 22:47:15
.
2008-01-17 22:25:51 --- E O F ---
Junior Member
20. January 2008 @ 18:06
Junior Member
20. January 2008 @ 18:08
Junior Member
20. January 2008 @ 18:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:20 PM, on 1/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\hjt\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{5B929132-E04A-4BF5-872A-B07ABD722C0A}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7141 bytes
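A triage helper for HijackThis logs like the one posted above, added here as an example; it is not part of the thread and not HijackThis code. It parses the O2 (BHO), O4 (Run-key autostart), O9 (IE button) and O23 (service) lines and attaches the review flags a log reader checks first: targets reported as "(no file)" or "(file missing)", services HijackThis lists with "Unknown owner", and O4 autostarts whose executable is given without a fully qualified path (such as RtHDVCpl.exe), which Windows resolves through the search path rather than from a fixed location. The sample input is constructed from lines of the log above; the Entry structure and the flag names are this example's own. A flag is a prompt to verify the entry on disk (location, signer, hash), not a verdict that it is malicious.

```python
"""Triage helper for HijackThis 2.0 log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Entry:
    kind: str                     # HijackThis section code: O2, O4, O9 or O23
    name: str                     # BHO/button name, Run-key value name or service name
    target: str                   # DLL path, command line or service binary
    owner: str = ""               # O23 only: company string HijackThis reports
    flags: List[str] = field(default_factory=list)


# One regex per section type we triage; group names are shared so parse_line stays generic.
_PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<target>.*)$"),
    "O4":  re.compile(r"^O4 - .*?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9":  re.compile(r"^O9 - Extra button: (?P<name>.*?) - \{[^}]*\} - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$"),
}
# First executable token of an unquoted command line, e.g. "rundll32.exe" in "rundll32.exe x.dll,Fn".
_EXE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|dll|bat|cmd))(?=\s|$)", re.IGNORECASE)
# Drive letter, UNC path or an environment-variable prefix such as %windir%\ count as qualified.
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def analyse(entry: Entry) -> Entry:
    """Attach the review flags a HijackThis log reader checks first."""
    if "(no file)" in entry.target:
        entry.flags.append("no_file")          # registration points at nothing on disk
    if "(file missing)" in entry.target:
        entry.flags.append("file_missing")     # path given, but HJT could not find the file
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown_owner")    # binary carried no company/version information
    if entry.kind == "O4" and not _ABSOLUTE.match(executable_of(entry.target)):
        entry.flags.append("relative_path")    # resolved via the search path, not a fixed location
    return entry


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    for kind, pat in _PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            return analyse(Entry(kind, d["name"], d["target"], d.get("owner", "")))
    return None   # other section types (R0/R1, O8, O16, ...) are not triaged here


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(text: str) -> List[Tuple[str, str, List[str]]]:
    """(kind, name, flags) for every entry that raised at least one flag, in log order."""
    return [(e.kind, e.name, e.flags) for e in parse_log(text) if e.flags]


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for kind, name, flags in flagged(SAMPLE_LOG):
        print(f"{kind:<4} {name:<40} {', '.join(flags)}")
```

parse_log accepts the full text of any saved HijackThis log, so the same functions can be pointed at a log file instead of the sample. The relative_path check deliberately fires on rundll32.exe and on the Realtek entries too: that is the point of the check, since an unqualified name is exactly what a planted binary earlier in the search path would exploit, and the reviewer resolves each one by hand.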
Senior Member
21. January 2008 @ 03:32
How's the PC running?

 