
Nuiico.dll


21 replies to this topic

#1 rockdoctor

Posted 20 November 2007 - 06:59 PM

After a battle with the Cinmeng trojan (and several others) I ran a DrWeb scan and it identified nuiico.dll as a possible trojan. I quarantined it, but now every time I start my user, RUNDLL complains it can't find it.

I can't find any reference to it in the registry or with autoruns.

I can't find any reference to it with Google or in these forums.

My computer "seems" to be running normally without it.

Is it malware software or Windows?

Can I put it back or remove the startup reference (how?).

TIA
Rockdoctor


#2 Grinler (Lawrence Abrams, Admin)

Posted 21 November 2007 - 11:07 AM

Most likely malware. In msconfig do you see a startup that has rundll32 in it?

#3 rockdoctor (Topic Starter)

Posted 21 November 2007 - 11:53 AM

Can't see any reference to Rundll32 in the startup pane of msconfig, but there is one item that has no description in the Startup Item or Command columns. Location is HKLM\Software\Microsoft\Windows\CurrentVersion\Run (like everything else).

#4 Grinler (Lawrence Abrams, Admin)

Posted 24 November 2007 - 02:34 PM

I would suggest you post a hijackthis log. This file is most definitely malware and needs to be looked at.

#5 rockdoctor (Topic Starter)

Posted 24 November 2007 - 11:05 PM

OK, here is the HJT log. The nuiico.dll is still quarantined and the only unusual behaviour I am seeing is an occasional refusal to launch an associated program when a file is double-clicked. The files can always be launched through an open dialog.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:17 AM, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\fpapli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Tprbtn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LSWin\LaoKey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Panasonic\WRITING\Writing.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS\Photoshop.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSWin LaoKey] C:\Program Files\LSWin\LaoKey.exe -a
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Panasonic Hand Writing.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FFB2385E-E812-4091-8C12-2370DC67F769} - http://www.eachnet.com/specials/digi.html?..._000_soft0_digi (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168787295585
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 13104 bytes
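Editor's note: the two things the helpers in this thread are looking for in the HJT log above are an O4 Run-key entry that launches rundll32 with a DLL (which is how a startup reference to a quarantined file like nuiico.dll would normally show up) and the O17 lines, where the per-adapter NameServer value (85.255.116.132,85.255.112.221) differs from the global Tcpip\Parameters value (208.67.220.220,208.67.222.222). The Python below is an added triage example, not code from BleepingComputer or from anyone in the thread. It parses HijackThis v2 O4/O17 lines and flags both patterns; the sample log is constructed from lines in this thread plus one constructed rundll32 entry (the `nuiico` line and its `EntryPoint` export name are not in the posted log).

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's code).

Flags two shapes a reviewer checks for in a log like the one posted above:
  * O4 Run-key entries that launch rundll32 or reference a .dll;
  * O17 per-adapter NameServer values that differ from the global
    Tcpip\\Parameters value of the same control set (CCS, CS1, ...).
The DNS check is a heuristic: a mismatch is something to review, not proof.
"""
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 format. The O17 lines and the real O4
# lines are copied from the thread; the [nuiico] line is constructed to show
# what a rundll32 startup reference would look like (EntryPoint is a placeholder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [nuiico] rundll32.exe C:\WINDOWS\system32\nuiico.dll,EntryPoint
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O17 - HKLM\System\<control set>\Services\Tcpip\<Parameters | ..\{adapter GUID}>: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\(?P<key>[^:]+): NameServer = (?P<servers>.+)$"
)


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Return every O4 Run-key entry as a dict with hive, name and cmd."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_o4(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose command runs rundll32 or names a .dll file.

    Legitimate software does this too (e.g. hardware tray helpers), so the
    result is a shortlist for review against the rest of the log."""
    flagged = []
    for entry in entries:
        cmd = entry["cmd"].lower()
        if "rundll32" in cmd or re.search(r"\.dll\b", cmd):
            flagged.append(entry)
    return flagged


def dns_mismatches(log_text: str) -> List[Dict[str, object]]:
    """Compare each per-adapter NameServer (O17 ..\{GUID}) with the global
    Tcpip\\Parameters value of the same control set. Adapters whose
    resolver list differs, or that have no global value to compare to,
    are returned for review."""
    global_servers: Dict[str, tuple] = {}
    adapters = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s.strip() for s in m["servers"].split(","))
        if m["key"] == "Parameters":
            global_servers[m["cs"]] = servers
        else:
            # key looks like "..\{GUID}"; keep just the adapter GUID
            adapters.append((m["cs"], m["key"].rsplit("\\", 1)[-1], servers))
    mismatches = []
    for cs, guid, servers in adapters:
        expected = global_servers.get(cs)
        if expected is None or set(servers) != set(expected):
            mismatches.append({
                "control_set": cs,
                "adapter": guid,
                "adapter_servers": servers,
                "global_servers": expected,
            })
    return mismatches


if __name__ == "__main__":
    for e in suspicious_o4(parse_o4(SAMPLE_LOG)):
        print(f"review O4 [{e['name']}] in {e['hive']}: {e['cmd']}")
    for mm in dns_mismatches(SAMPLE_LOG):
        print(f"review O17 {mm['control_set']} adapter {mm['adapter']}: "
              f"{mm['adapter_servers']} != global {mm['global_servers']}")
```

On the log actually posted in this thread the O4 check would return nothing (there is no rundll32 entry, which matches what rockdoctor reported from msconfig), while the O17 check flags the same adapter GUID in both CCS and CS1 because its resolvers differ from the OpenDNS-looking global pair. That mismatch is exactly the kind of line a helper would ask about, and the quick fix after cleanup is simply to confirm the adapter's DNS settings are what the user intends.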

#6 Grinler (Lawrence Abrams, Admin)

Posted 25 November 2007 - 09:09 AM

  • Download Combofix to your desktop.
  • Double-click combofix.exe
  • Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#7 rockdoctor (Topic Starter)

Posted 25 November 2007 - 10:42 AM

OK, ran ComboFix and then HJT. The logs are below.

Noticed that my default browser was changed from Firefox to IE during the process.

Regards
Rockdoctor

***********************************

ComboFix 07-11-19.3 - Nick 2007-11-25 22:25:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT 7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 12:57 <DIR> d-------- C:\Documents and Settings\Nick\DoctorWeb
2007-11-13 08:12 208,896 --a------ C:\WINDOWS\system32\winlib0.dll
2007-11-11 11:31 14 --a------ C:\WINDOWS\system32\10512-5625
2007-11-11 11:30 <DIR> d-------- C:\Program Files\Windows Live
2007-11-11 11:30 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-11 11:30 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-11 07:01 79 --a------ C:\WINDOWS\system32\mstacim.sig
2007-11-08 08:00 282,624 --a------ C:\WINDOWS\htmlpeek.dll
2007-11-08 08:00 78,848 --a------ C:\WINDOWS\system32\dayi.ime
2007-11-08 08:00 78,336 --a------ C:\WINDOWS\system32\chajei.ime
2007-11-08 08:00 20,335 --a------ C:\WINDOWS\system32\comrcinf.dat
2007-11-08 08:00 397 --a------ C:\WINDOWS\system32\cmbinfo.dat
2007-11-08 08:00 260 ---hs---- C:\WINDOWS\system32\buser.txt
2007-11-08 07:59 24,576 --a------ C:\WINDOWS\system32\my_70049.exe
2007-11-08 07:59 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-08 07:59 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-08 07:59 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 19:24 12,963 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-28 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2007-10-28 18:54 <DIR> d-------- C:\Program Files\Maxtor
2007-10-28 18:54 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Maxtor Quick Start
2007-10-26 11:29 <DIR> d-------- C:\Program Files\Mythicsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 15:28 --------- d-----w C:\Documents and Settings\Nick\Application Data\Skype
2007-11-23 00:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-21 02:40 --------- d-----w C:\Program Files\GlobalMapper8
2007-11-21 00:34 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-17 00:03 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-12 12:23 --------- d-----w C:\Documents and Settings\Nick\Application Data\SUPERAntiSpyware.com
2007-11-12 12:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 01:00 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
2007-11-08 01:00 151,063 ----a-w C:\WINDOWS\system32\morelion.exe
2007-10-30 12:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 12:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-12 04:01 --------- d-----w C:\Documents and Settings\Nick\Application Data\AdobeUM
2007-10-12 03:58 --------- d-----w C:\Documents and Settings\Nick\Application Data\HP
2007-10-12 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-12 03:50 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-12 03:38 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-10-03 23:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 23:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:46 --------- d-----w C:\Program Files\Symantec
2007-09-05 03:17 43,520 ----a-w C:\WINDOWS\system32\CBNDLL.DLL
2007-09-05 03:17 376,832 ----a-w C:\WINDOWS\system32\MPIWIN32.DLL
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_16.59.30.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\21-11-2007\ERDNT.EXE
+ 2007-11-21 00:56:04 12,992,512 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 00:56:04 241,664 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\ERDNT.EXE
+ 2007-11-21 01:03:32 12,926,976 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 01:03:34 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\ERDNT.EXE
+ 2007-11-22 00:01:12 12,931,072 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-22 00:01:13 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\ERDNT.EXE
+ 2007-11-23 00:10:43 12,935,168 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-23 00:10:44 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\ERDNT.EXE
+ 2007-11-25 01:52:46 12,947,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-25 01:52:47 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000002\UsrClass.dat
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 14:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkey"="C:\WINDOWS\system32\hkeyman.exe" [2003-03-14 23:05]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-10 16:20]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-10 16:16]
"PRunOnce"="C:\util\prunonce\PRunOnce.exe" [2004-08-06 19:58]
"PCinfo"="C:\Program Files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 10:27]
"Panasonic HotKey Manager"="C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 11:41]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 22:10 C:\WINDOWS\AGRSMMSG.exe]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2003-08-30 14:35]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-10-04 13:59]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-10-04 13:59]
"scroller"="fpapli.exe" [2005-04-18 19:18 C:\WINDOWS\system32\FPapli.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 08:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"LSWin LaoKey"="C:\Program Files\LSWin\LaoKey.exe" [2005-12-19 20:00]
"AASecuUFD"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 15:30]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 12:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"ToolBoxFX"="C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 08:12]
"MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 10:22]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 09:22]
"mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 04:00]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-12 08:49:27]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 19:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 08:35:22]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-01-20 08:33:32]
Panasonic Hand Writing.lnk - C:\Program Files\Panasonic\WRITING\Writing.exe [2006-02-23 03:12:23]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-14 21:23:33]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-10-04 13:59 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 zrlf5owcz;zrlf5owc;C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
R2 bgsvc;B's Recorder GOLD Service;C:\Program Files\B's Recorder GOLD8\bgsvc.exe
R2 brecal;Panasonic Battery Recalibration Driver;\??\C:\Program Files\Panasonic\BRECAL\Brecal.sys
R2 pcinfo;Panasonic PC Info. Viewer Driver;\??\C:\Program Files\Panasonic\PCINFO\pcinfo.sys
R2 s7k5mlm;s7k5mlm;\??\C:\WINDOWS\system32\drivers\s7k5mlm.sys
R2 SDKEY;Panasonic SD Misc. Function Driver;\??\C:\Program Files\Panasonic\SDKEY\SDKEY.SYS
R3 FIDMOU;Fujitsu touchpad;C:\WINDOWS\system32\DRIVERS\Fidmou.sys
R3 HOTKEY;Panasonic Hotkey Driver;C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a396fb-6642-11dc-9249-00166fbed003}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30309042-a9fa-11db-9128-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7d6af8-8df2-11dc-9283-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msn.exe
\Shell\explore\Command - E:\msn.exe
\Shell\open\Command - E:\msn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5faef046-d286-11db-9161-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660d76e2-f842-11db-918e-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe BB.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ff858a6-a5c4-11db-9120-00166fbed003}]
\Shell\AutoRun\command - SCVHOST.exe
\Shell\Open\command - SCVHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a4707-1a0e-11dc-91c0-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a4708-1a0e-11dc-91c0-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1d4e809-eb30-11db-917e-00166fbed003}]
\Shell\AutoRun\command - E:\USBNB.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:11:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nick.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 22:28:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-25 22:29:54
C:\ComboFix2.txt ... 2007-11-13 17:04
.
--- E O F ---



***********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:51 PM, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\fpapli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Tprbtn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LSWin\LaoKey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Panasonic\WRITING\Writing.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSWin LaoKey] C:\Program Files\LSWin\LaoKey.exe -a
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Panasonic Hand Writing.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FFB2385E-E812-4091-8C12-2370DC67F769} - http://www.eachnet.com/specials/digi.html?..._000_soft0_digi (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168787295585
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 12719 bytes

#8 Grinler (Lawrence Abrams)

  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 26 November 2007 - 02:19 PM

Since you're also dealing with several flash drive infections, download the next removal tool to your desktop:

http://www.techsupportforum.com/sectools/s...Disinfector.exe

If you have used any flash drives previously, insert them as well, since this is a flash drive infection and the above tool will disinfect them too.

Then double-click Flash_Disinfector.exe to run the tool.

Your desktop and icons will disappear afterwards. This is normal.

When the tool has finished, reboot your computer.

After reboot,

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy and paste the text in the quote box below into Notepad:

Suspect::[3]
C:\WINDOWS\system32\winlib0.dll
C:\WINDOWS\system32\buser.txt
C:\WINDOWS\system32\my_70049.exe
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\morelion.exe
C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
C:\WINDOWS\system32\drivers\s7k5mlm.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30309042-a9fa-11db-9128-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7d6af8-8df2-11dc-9283-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5faef046-d286-11db-9161-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660d76e2-f842-11db-918e-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ff858a6-a5c4-11db-9120-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a4707-1a0e-11dc-91c0-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a4708-1a0e-11dc-91c0-00166fbed003}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1d4e809-eb30-11db-917e-00166fbed003}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
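The CFScript above was written by hand from the mountpoints2 entries in the ComboFix log. As an added example (not Grinler's, ComboFix's or BleepingComputer's code), the Python script below parses those mountpoints2 AutoRun entries out of ComboFix log text and drafts the Registry:: deletion block in the same [-KEY] form. The sample log fragment is assembled from entries shown in this thread; the "suspicious" heuristic (bare executable names resolved from the drive root, ShellExec_RunDLL and wscript launchers) is my own assumption for illustration, not a rule from the thread, so an entry such as E:\LaunchU3.exe that it does not flag is still left to the analyst's judgement.

```python
"""Parse ComboFix 'mountpoints2' AutoRun entries and draft a CFScript block.

Added example for this thread; not ComboFix's own code.  The flagging
heuristic is an assumption of mine, not a rule stated in the thread.
"""
import re
from typing import Dict, List

# Constructed sample: a 'Reg Loading Points' fragment in the same layout as the
# ComboFix logs posted above (entries copied from those logs).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ff858a6-a5c4-11db-9120-00166fbed003}]
\Shell\AutoRun\command - SCVHOST.exe
\Shell\Open\command - SCVHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a4707-1a0e-11dc-91c0-00166fbed003}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a396fb-6642-11dc-9249-00166fbed003}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# A mountpoints2 key header, e.g. [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A verb line beneath it, e.g. \Shell\AutoRun\command - SCVHOST.exe
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# A command that starts with a drive letter and full path
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_mountpoints(log: str) -> Dict[str, Dict[str, str]]:
    """Return {registry_key: {verb: command}} for every mountpoints2 block."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2).strip()
    return entries


def suspicious_reason(command: str) -> str:
    """Return why a command looks like a USB-worm AutoRun hook, or '' if not flagged.

    Assumed heuristic: the patterns are the ones visible in the logs in this
    thread.  A full-path launcher is deliberately NOT flagged here.
    """
    low = command.lower()
    if "shellexec_rundll" in low:
        return "launched through RunDLL32 Shell32.DLL,ShellExec_RunDLL"
    if "wscript" in low:
        return "runs a script via wscript"
    if not ABS_PATH_RE.match(command):
        return "bare executable name resolved from the removable drive root"
    return ""


def flag_entries(entries: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each key whose AutoRun/Open command is suspicious to the reason."""
    flagged: Dict[str, str] = {}
    for key, verbs in entries.items():
        for cmd in verbs.values():
            reason = suspicious_reason(cmd)
            if reason:
                flagged[key] = reason
                break
    return flagged


def draft_cfscript(keys: List[str]) -> str:
    """Draft a 'Registry::' section in the form used in this thread ([-KEY] deletes a key)."""
    lines = ["Registry::"] + [f"[-{k}]" for k in sorted(keys)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    flagged = flag_entries(found)
    for key, reason in flagged.items():
        print(f"{key.split(chr(92))[-1]}: {reason}")
    print(draft_cfscript(list(flagged)))
```

The draft only covers the Registry:: section; the Suspect:: file list in Grinler's script still comes from the analyst's reading of the file-creation and driver sections, and the output is meant to be reviewed before it is saved as CFScript.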

#9 rockdoctor (Topic Starter)

  • Members
  • 24 posts

Posted 26 November 2007 - 08:37 PM

OK.

Ran the flash disinfector with all my USB drives plugged in.

Then ran combofix with the script provided. Logs are below.

Should I run the same script on other computers I have?

Thanks.

*********************************

ComboFix 07-11-19.3 - Nick 2007-11-27 7:42:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT 7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 12:57 <DIR> d-------- C:\Documents and Settings\Nick\DoctorWeb
2007-11-13 08:12 208,896 --a------ C:\WINDOWS\system32\winlib0.dll
2007-11-11 11:31 14 --a------ C:\WINDOWS\system32\10512-5625
2007-11-11 11:30 <DIR> d-------- C:\Program Files\Windows Live
2007-11-11 11:30 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-11 11:30 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-11 07:01 79 --a------ C:\WINDOWS\system32\mstacim.sig
2007-11-08 08:00 282,624 --a------ C:\WINDOWS\htmlpeek.dll
2007-11-08 08:00 78,848 --a------ C:\WINDOWS\system32\dayi.ime
2007-11-08 08:00 78,336 --a------ C:\WINDOWS\system32\chajei.ime
2007-11-08 08:00 20,335 --a------ C:\WINDOWS\system32\comrcinf.dat
2007-11-08 08:00 397 --a------ C:\WINDOWS\system32\cmbinfo.dat
2007-11-08 08:00 260 ---hs---- C:\WINDOWS\system32\buser.txt
2007-11-08 07:59 24,576 --a------ C:\WINDOWS\system32\my_70049.exe
2007-11-08 07:59 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-08 07:59 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-08 07:59 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-08 07:59 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 19:24 12,963 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-28 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2007-10-28 18:54 <DIR> d-------- C:\Program Files\Maxtor
2007-10-28 18:54 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Maxtor Quick Start

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 00:10 --------- d-----w C:\Documents and Settings\Nick\Application Data\Skype
2007-11-23 00:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-21 02:40 --------- d-----w C:\Program Files\GlobalMapper8
2007-11-21 00:34 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-17 00:03 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-12 12:23 --------- d-----w C:\Documents and Settings\Nick\Application Data\SUPERAntiSpyware.com
2007-11-12 12:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 01:00 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
2007-11-08 01:00 151,063 ----a-w C:\WINDOWS\system32\morelion.exe
2007-10-30 12:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 12:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-26 04:29 --------- d-----w C:\Program Files\Mythicsoft
2007-10-12 04:01 --------- d-----w C:\Documents and Settings\Nick\Application Data\AdobeUM
2007-10-12 03:58 --------- d-----w C:\Documents and Settings\Nick\Application Data\HP
2007-10-12 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-12 03:50 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-12 03:38 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-10-03 23:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 23:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:46 --------- d-----w C:\Program Files\Symantec
2007-09-05 03:17 43,520 ----a-w C:\WINDOWS\system32\CBNDLL.DLL
2007-09-05 03:17 376,832 ----a-w C:\WINDOWS\system32\MPIWIN32.DLL
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_16.59.30.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\21-11-2007\ERDNT.EXE
+ 2007-11-21 00:56:04 12,992,512 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 00:56:04 241,664 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\ERDNT.EXE
+ 2007-11-21 01:03:32 12,926,976 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 01:03:34 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\ERDNT.EXE
+ 2007-11-22 00:01:12 12,931,072 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-22 00:01:13 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\ERDNT.EXE
+ 2007-11-23 00:10:43 12,935,168 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-23 00:10:44 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\ERDNT.EXE
+ 2007-11-25 01:52:46 12,947,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-25 01:52:47 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\ERDNT.EXE
+ 2007-11-26 03:09:20 12,955,648 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-26 03:09:20 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\ERDNT.EXE
+ 2007-11-27 00:09:02 12,955,648 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-27 00:09:03 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\Users\00000002\UsrClass.dat
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 14:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkey"="C:\WINDOWS\system32\hkeyman.exe" [2003-03-14 23:05]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-10 16:20]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-10 16:16]
"PRunOnce"="C:\util\prunonce\PRunOnce.exe" [2004-08-06 19:58]
"PCinfo"="C:\Program Files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 10:27]
"Panasonic HotKey Manager"="C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 11:41]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 22:10 C:\WINDOWS\AGRSMMSG.exe]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2003-08-30 14:35]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-10-04 13:59]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-10-04 13:59]
"scroller"="fpapli.exe" [2005-04-18 19:18 C:\WINDOWS\system32\FPapli.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 08:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"LSWin LaoKey"="C:\Program Files\LSWin\LaoKey.exe" [2005-12-19 20:00]
"AASecuUFD"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 15:30]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 12:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"ToolBoxFX"="C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 08:12]
"MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 10:22]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 09:22]
"mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 04:00]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-12 08:49:27]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 19:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 08:35:22]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-01-20 08:33:32]
Panasonic Hand Writing.lnk - C:\Program Files\Panasonic\WRITING\Writing.exe [2006-02-23 03:12:23]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-14 21:23:33]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-10-04 13:59 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R0 zrlf5owcz;zrlf5owc;C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
R2 bgsvc;B's Recorder GOLD Service;C:\Program Files\B's Recorder GOLD8\bgsvc.exe
R2 brecal;Panasonic Battery Recalibration Driver;\??\C:\Program Files\Panasonic\BRECAL\Brecal.sys
R2 pcinfo;Panasonic PC Info. Viewer Driver;\??\C:\Program Files\Panasonic\PCINFO\pcinfo.sys
R2 s7k5mlm;s7k5mlm;\??\C:\WINDOWS\system32\drivers\s7k5mlm.sys
R2 SDKEY;Panasonic SD Misc. Function Driver;\??\C:\Program Files\Panasonic\SDKEY\SDKEY.SYS
R3 FIDMOU;Fujitsu touchpad;C:\WINDOWS\system32\DRIVERS\Fidmou.sys
R3 HOTKEY;Panasonic Hotkey Driver;C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a396fb-6642-11dc-9249-00166fbed003}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:11:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nick.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 07:45:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-27 7:46:22
C:\ComboFix2.txt ... 2007-11-25 22:29
C:\ComboFix3.txt ... 2007-11-13 17:04
.
--- E O F ---




*********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:10 AM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\fpapli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Tprbtn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LSWin\LaoKey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Panasonic\WRITING\Writing.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSWin LaoKey] C:\Program Files\LSWin\LaoKey.exe -a
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Panasonic Hand Writing.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FFB2385E-E812-4091-8C12-2370DC67F769} - http://www.eachnet.com/specials/digi.html?..._000_soft0_digi (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168787295585
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 12719 bytes
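The HijackThis log above is the record a helper reads by eye. As an added example (not HijackThis's or BleepingComputer's own code, and not from anyone in this thread), the Python below parses the same line formats and surfaces three kinds of entry a reviewer would want to look at first: O4 Run entries whose command is a bare filename with no directory (found by a PATH search rather than at a fixed location), O16 DPF downloads served from a raw IP address, and O17 interface-specific NameServer values that differ from the global Parameters set, as in the log above where the interface key lists 85.255.116.132,85.255.112.221 while Parameters lists 208.67.220.220,208.67.222.222. The regular expressions and the function names are my assumption about the log format as it appears in this thread, and the sample lines are constructed from the log above.

```python
"""Triage helper for HijackThis v2 log lines.

Added example: the regexes below are an assumption about the log format as
shown in this thread, not HijackThis's own parser.
"""
import re

# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
""".strip()

# Line shapes as they appear in the log (assumed format).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def split_command(cmd):
    """Split an O4 command into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
        cmd = cmd[1:]
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def is_bare_name(exe):
    """True when the entry names a file without any directory, so Windows
    locates it by searching the PATH instead of at an explicit location."""
    return exe != "" and "\\" not in exe and ":" not in exe


def find_bare_run_entries(log):
    """O4 Run entries whose executable is a bare filename: (entry name, file)."""
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe, _args = split_command(m.group("cmd"))
        if is_bare_name(exe):
            found.append((m.group("name"), exe))
    return found


def find_ip_dpf_urls(log):
    """O16 DPF (downloaded ActiveX) entries fetched from a raw IP address."""
    found = []
    for line in log.splitlines():
        m = O16_RE.match(line)
        if m and IP_URL_RE.match(m.group("url")):
            found.append((m.group("desc"), m.group("url")))
    return found


def nameserver_map(log):
    """Registry key -> tuple of NameServer addresses, from every O17 line."""
    servers = {}
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            servers[m.group("key")] = tuple(m.group("servers").split(","))
    return servers


def find_nameserver_mismatches(log):
    """Interface-specific NameServer addresses that do not appear in the
    global ...\\Tcpip\\Parameters set: (key, [unexpected addresses])."""
    servers = nameserver_map(log)
    global_keys = {k for k in servers if k.endswith("Parameters")}
    expected = {ip for k in global_keys for ip in servers[k]}
    mismatches = []
    for key, addrs in servers.items():
        if key in global_keys:
            continue
        unexpected = [ip for ip in addrs if ip not in expected]
        if unexpected:
            mismatches.append((key, unexpected))
    return mismatches


def triage(log):
    """All three checks in one dict, for a quick first pass over a log."""
    return {
        "bare_run_entries": find_bare_run_entries(log),
        "ip_dpf_urls": find_ip_dpf_urls(log),
        "nameserver_mismatches": find_nameserver_mismatches(log),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

None of these checks says an entry is malicious: a bare filename in Run is also how some OEM tools register themselves (the log above has several), and a raw-IP download source may be a legitimate but poorly hosted component. The point is to pull the entries a human needs to verify out of a 12 KB log, and the NameServer comparison in particular catches a per-interface DNS setting that would otherwise be lost among the O17 lines.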

#10 Grinler (Lawrence Abrams, Admin)

Posted 27 November 2007 - 05:32 PM

Do you have a CF-Submit.htm file on the desktop that you ran combofix from? If so, please double-click on it and submit the file. If you do not see that file, do you see a zip file on your desktop? It will be named something like [3]-Submit_date.zip

If so, please submit that file to http://www.bleepingcomputer.com/submit-malware.php?channel=3

As for your other machines, please do not do anything on those. If you use the same flash drives on those machines, feel free to run flash_disinfector on them, but do not run combofix without supervision.

#11 rockdoctor (Topic Starter)

Posted 27 November 2007 - 07:09 PM

I ran a search for "submit" on my computer and neither of those files is present. I also noticed that the original script disappeared after running.

#12 Grinler (Lawrence Abrams, Admin)

Posted 28 November 2007 - 10:55 AM

Let's try this the old fashioned way.

Download this program:

Suspicious files packer

Highlight the files listed below in bold, then right-click and select copy.


C:\WINDOWS\system32\winlib0.dll
C:\WINDOWS\system32\buser.txt
C:\WINDOWS\system32\my_70049.exe
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\morelion.exe
C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
C:\WINDOWS\system32\drivers\s7k5mlm.sys


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#13 rockdoctor (Topic Starter)

Posted 28 November 2007 - 08:08 PM

OK,

Ran the file packer as instructed and submitted the file named Rockdoctor Nick.cab

At present, I am still getting the RunDLL error on each startup of my user.

Thanks
Rockdoctor

#14 Grinler (Lawrence Abrams, Admin)

Posted 29 November 2007 - 11:04 AM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\winlib0.dll
C:\WINDOWS\system32\buser.txt
C:\WINDOWS\system32\my_70049.exe
C:\WINDOWS\system32\morelion.exe
C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
C:\WINDOWS\system32\drivers\s7k5mlm.sys

Driver::
s7k5mlm
zrlf5owcz


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#15 rockdoctor (Topic Starter)

Posted 29 November 2007 - 07:28 PM

OK,

Saved the file and ran the script successfully.
Suspect the problem last time was probably due to copying text from the email rather than the message board. The email includes some quote text at either end. This time I copied the text from the message board.

Combofix rebooted the machine and saved a log successfully.

Combofix log and HJT log follow:

ComboFix 07-11-30.3 - Nick 2007-11-30 7:05:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.431 [GMT 7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\buser.txt
C:\WINDOWS\system32\drivers\s7k5mlm.sys
C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
C:\WINDOWS\system32\morelion.exe
C:\WINDOWS\system32\my_70049.exe
C:\WINDOWS\system32\winlib0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\buser.txt
C:\WINDOWS\system32\drivers\s7k5mlm.sys
C:\WINDOWS\system32\DRIVERS\zrlf5owcz.sys
C:\WINDOWS\system32\morelion.exe
C:\WINDOWS\system32\my_70049.exe
C:\WINDOWS\system32\winlib0.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_S7K5MLM
-------\LEGACY_ZRLF5OWCZ
-------\s7k5mlm
-------\zrlf5owcz


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-29 21:39 . 2007-11-29 21:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 21:39 . 2007-11-29 21:39 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 08:10 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-11-25 10:46 . 2007-11-25 10:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 09:28 . 2007-11-17 09:28 75 --a------ C:\WINDOWS\hdkctnts.ini
2007-11-13 12:57 . 2007-11-13 12:57 <DIR> d-------- C:\Documents and Settings\Nick\DoctorWeb
2007-11-12 21:02 . 2007-11-12 21:02 0 --a------ C:\WINDOWS\Writing.INI
2007-11-11 11:45 . 2007-11-11 11:45 91 ---hs---- C:\WINDOWS\msper.htm
2007-11-11 11:31 . 2007-11-11 11:31 14 --a------ C:\WINDOWS\system32\10512-5625
2007-11-11 11:31 . 2007-11-11 11:31 0 --a------ C:\WINDOWS\17.tmp
2007-11-11 11:30 . 2007-11-11 11:30 <DIR> d-------- C:\Program Files\Windows Live
2007-11-11 11:30 . 2007-11-11 11:30 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-11 07:01 . 2007-11-11 11:28 79 --a------ C:\WINDOWS\system32\mstacim.sig
2007-11-09 06:30 . 2007-11-11 11:48 180 --ahs---- C:\WINDOWS\system32\soader.ini
2007-11-08 08:00 . 2004-08-05 12:00 482,304 --a------ C:\WINDOWS\system32\PINTLGNT.IME
2007-11-08 08:00 . 2007-11-08 08:00 282,624 --a------ C:\WINDOWS\htmlpeek.dll
2007-11-08 08:00 . 2004-08-05 12:00 79,360 --a------ C:\WINDOWS\system32\phon.ime
2007-11-08 08:00 . 2004-08-05 12:00 78,336 --a------ C:\WINDOWS\system32\chajei.ime
2007-11-08 08:00 . 2004-08-05 12:00 26,112 --a------ C:\WINDOWS\system32\romanime.ime
2007-11-08 08:00 . 2007-11-08 08:00 572 ---hs---- C:\WINDOWS\system32\msnet.ini
2007-11-08 08:00 . 2007-11-13 12:15 242 ---hs---- C:\WINDOWS\goper.ini
2007-11-08 07:59 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-11-08 07:59 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-11-08 07:59 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-11-08 07:59 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-11-08 07:59 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-11-08 07:59 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-11-08 07:59 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-30 19:55 . 2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 . 2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 . 2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 . 2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 . 2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 . 2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 . 2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 19:24 . 2007-10-30 19:24 12,963 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 19:24 . 2007-10-30 19:24 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-28 18:55 . 2007-10-28 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2007-10-28 18:54 . 2007-10-28 18:54 <DIR> d-------- C:\Program Files\Maxtor
2007-10-28 18:54 . 2007-10-28 18:54 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Maxtor Quick Start
2007-10-26 11:29 . 2007-10-26 11:29 <DIR> d-------- C:\Program Files\Mythicsoft
2007-10-16 15:28 . 2007-10-16 15:28 0 --a------ C:\concessions.kml
2007-10-16 15:27 . 2007-10-16 15:27 175 --a------ C:\Concessions.kfd
2007-10-12 10:58 . 2007-10-12 10:58 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\HP
2007-10-12 10:58 . 2007-10-12 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-12 10:45 . 2007-10-12 10:45 724 --a------ C:\WINDOWS\hpbvspst.his
2007-10-12 10:45 . 2007-10-12 10:45 344 --a------ C:\WINDOWS\hpbvspst.ini
2007-10-12 10:44 . 2005-10-29 00:01 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-10-12 10:44 . 2007-07-20 10:05 1,977 --a------ C:\WINDOWS\hpbvnstp.hi1
2007-10-12 10:44 . 2007-07-20 10:05 750 --a------ C:\WINDOWS\hpbvnstp.bu1
2007-10-12 10:43 . 2005-10-29 00:01 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-10-12 10:43 . 2005-09-20 23:17 17,024 -ra------ C:\WINDOWS\system32\drivers\hpfxgen.sys
2007-10-12 10:43 . 2005-09-20 23:22 9,344 -ra------ C:\WINDOWS\system32\drivers\hpfxbulk.sys
2007-10-12 10:43 . 2001-08-17 13:47 8,704 --a------ C:\WINDOWS\system32\drivers\Dot4Scan.sys
2007-10-12 10:43 . 2001-08-17 13:47 8,704 --a--c--- C:\WINDOWS\system32\dllcache\dot4scan.sys
2007-10-12 10:39 . 2007-10-12 10:58 53,654 --a------ C:\WINDOWS\hppins02.dat
2007-10-12 10:39 . 2006-01-25 15:12 2,009 --------- C:\WINDOWS\hppmdl02.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 23:54 --------- d-----w C:\Documents and Settings\Nick\Application Data\Skype
2007-11-23 00:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-21 02:40 --------- d-----w C:\Program Files\GlobalMapper8
2007-11-21 00:34 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-17 00:03 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-12 12:23 --------- d-----w C:\Documents and Settings\Nick\Application Data\SUPERAntiSpyware.com
2007-11-12 12:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 04:01 --------- d-----w C:\Documents and Settings\Nick\Application Data\AdobeUM
2007-10-12 03:50 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-03 23:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:46 --------- d-----w C:\Program Files\Symantec
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_16.59.30.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 09:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-26 20:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\21-11-2007\ERDNT.EXE
+ 2007-11-21 00:56:04 12,992,512 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 00:56:04 241,664 ----a-w C:\WINDOWS\erdnt\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\ERDNT.EXE
+ 2007-11-21 01:03:32 12,926,976 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-21 01:03:34 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\21-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\ERDNT.EXE
+ 2007-11-22 00:01:12 12,931,072 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-22 00:01:13 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\22-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\ERDNT.EXE
+ 2007-11-23 00:10:43 12,935,168 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-23 00:10:44 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\23-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\ERDNT.EXE
+ 2007-11-25 01:52:46 12,947,456 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-25 01:52:47 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\25-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\ERDNT.EXE
+ 2007-11-26 03:09:20 12,955,648 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-26 03:09:20 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\26-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\ERDNT.EXE
+ 2007-11-27 00:09:02 12,955,648 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-27 00:09:03 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\27-11-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 05:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\29-11-2007\ERDNT.EXE
+ 2007-11-29 00:06:45 12,959,744 ----a-w C:\WINDOWS\erdnt\AutoBackup\29-11-2007\Users\00000001\NTUSER.DAT
+ 2007-11-29 00:06:46 241,664 ----a-w C:\WINDOWS\erdnt\AutoBackup\29-11-2007\Users\00000002\UsrClass.dat
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2003-06-25 09:05:08 266,360 ----a-w C:\WINDOWS\system32\TweakUI.exe
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 14:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkey"="C:\WINDOWS\system32\hkeyman.exe" [2003-03-14 23:05]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-10 16:20]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-10 16:16]
"PRunOnce"="C:\util\prunonce\PRunOnce.exe" [2004-08-06 19:58]
"PCinfo"="C:\Program Files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 10:27]
"Panasonic HotKey Manager"="C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 11:41]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 22:10 C:\WINDOWS\AGRSMMSG.exe]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2003-08-30 14:35]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-10-04 13:59]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-10-04 13:59]
"scroller"="fpapli.exe" [2005-04-18 19:18 C:\WINDOWS\system32\FPapli.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 08:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"LSWin LaoKey"="C:\Program Files\LSWin\LaoKey.exe" [2005-12-19 20:00]
"AASecuUFD"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 15:30]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 12:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"ToolBoxFX"="C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 08:12]
"MaxBackSchedule"="C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 10:22]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 09:22]
"mssSort"="C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 14:29]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 04:00]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-12 08:49:27]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 19:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 08:35:22]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-01-20 08:33:32]
Panasonic Hand Writing.lnk - C:\Program Files\Panasonic\WRITING\Writing.exe [2006-02-23 03:12:23]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-14 21:23:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-10-04 13:59 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
R2 bgsvc;B's Recorder GOLD Service;C:\Program Files\B's Recorder GOLD8\bgsvc.exe
R2 brecal;Panasonic Battery Recalibration Driver;\??\C:\Program Files\Panasonic\BRECAL\Brecal.sys
R2 pcinfo;Panasonic PC Info. Viewer Driver;\??\C:\Program Files\Panasonic\PCINFO\pcinfo.sys
R2 SDKEY;Panasonic SD Misc. Function Driver;\??\C:\Program Files\Panasonic\SDKEY\SDKEY.SYS
R3 FIDMOU;Fujitsu touchpad;C:\WINDOWS\system32\DRIVERS\Fidmou.sys
R3 HOTKEY;Panasonic Hotkey Driver;C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06a396fb-6642-11dc-9249-00166fbed003}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:11:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nick.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 07:14:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 7:16:52 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 07:46
C:\ComboFix3.txt ... 2007-11-25 22:29
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:04 AM, on 30/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\fpapli.exe
C:\WINDOWS\system32\Tprbtn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LSWin\LaoKey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Panasonic\WRITING\Writing.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\system32\hkeyman.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSWin LaoKey] C:\Program Files\LSWin\LaoKey.exe -a
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MaxBackSchedule] C:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Panasonic Hand Writing.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FFB2385E-E812-4091-8C12-2370DC67F769} - http://www.eachnet.com/specials/digi.html?..._000_soft0_digi (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168787295585
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1292890C-90E6-437A-8042-9A74605743BF}: NameServer = 85.255.116.132,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Nick/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 12749 bytes



