Need some help getting rid of andt & indt2. Spybot doesn't pick them up; any help would be greatly appreciated. Here's a log from HijackThis.

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 7337 bytes

Thanks.

Have HijackThis fix these entries:

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe

Not getting the annoying clicking anymore, but O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe still appears in the HijackThis log.

Thanks for your help.

Try fixing it in Safe Mode. Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Run HijackThis in Safe Mode and have it fix the entry.

'Fixed checked' in Safe Mode; here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:44, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\routing.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 6601 bytes

As you can see, it's still showing up.
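The two points above, the first reply singling out the two "Unknown owner" services and this follow-up showing Routing still listed after a fix, can be checked mechanically. What follows is an added example written for this thread; it is not code from HijackThis and not from any poster. It parses O23 lines and the running-process list, applies the checks a helper makes by eye (no vendor in the binary's version info, binary dropped straight into system32, entry pointing at a file that no longer exists), and diffs a before/after pair of logs. The BEFORE and AFTER excerpts are copied from the two logs quoted above; the reason strings and the system32 rule are my own.

```python
"""Triage and diff HijackThis service (O23) entries.

Added example for this thread; not HijackThis code and not from any
poster. Encodes the checks the first reply made by eye and diffs a
before/after pair of logs to show what a HijackThis 'fix' removed and
what survived it. BEFORE/AFTER are excerpts of the logs quoted above.
"""
import re
from dataclasses import dataclass

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORTNAME_RE = re.compile(r"^(?P<display>.+?) \((?P<name>[^()]+)\)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"
MISSING = " (file missing)"


@dataclass
class Service:
    name: str      # short name, i.e. the key under HKLM\SYSTEM\CurrentControlSet\Services
    display: str
    owner: str     # CompanyName from the binary's version info, as HJT reports it
    path: str
    file_missing: bool

    def reasons(self):
        """Why this entry deserves a second look; an empty list means nothing stood out."""
        if self.file_missing:
            return ["orphaned entry: binary no longer on disk"]
        out = []
        if self.owner == "Unknown owner":
            out.append("no vendor in version info")
            if self.path.lower().startswith(SYSTEM32):
                out.append("unattributed binary dropped straight into system32")
        return out


def parse_log(text):
    """Return (services keyed by lower-cased short name, running process basenames)."""
    services, processes = {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            display, owner, path = m.group("display", "owner", "path")
            missing = path.endswith(MISSING)
            if missing:
                path = path[: -len(MISSING)]
            sm = SHORTNAME_RE.match(display)
            name = sm["name"] if sm else display
            display = sm["display"] if sm else display
            services[name.lower()] = Service(name, display, owner, path, missing)
        elif PROCESS_RE.match(line):
            processes.add(line.rsplit("\\", 1)[-1].lower())
    return services, processes


def triage(text):
    """Services worth a second look, with their reasons."""
    services, _ = parse_log(text)
    return {s.name: s.reasons() for s in services.values() if s.reasons()}


def diff_logs(before_text, after_text):
    """For the services the first log flagged: which entries a fix removed,
    which survived, and which binaries are newly running in the second log."""
    b_svc, b_proc = parse_log(before_text)
    a_svc, a_proc = parse_log(after_text)
    flagged = {k for k, s in b_svc.items() if s.reasons()}
    a_keys = set(a_svc)
    return {
        "removed": sorted(b_svc[k].name for k in flagged - a_keys),
        "persisted": sorted(b_svc[k].name for k in flagged & a_keys),
        "now_running": sorted(a_proc - b_proc),
    }


# Excerpts copied from the first log in the thread (before the fix) ...
BEFORE = r"""
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
"""

# ... and from the second log (after 'Fix checked' in Safe Mode).
AFTER = r"""
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
"""

if __name__ == "__main__":
    for name, why in triage(BEFORE).items():
        print(f"{name}: {'; '.join(why)}")
    print(diff_logs(BEFORE, AFTER))
```

The owner column is only the CompanyName string from the binary's version resource: a blank one is a reason to look, and a filled-in one is not clearance, because a dropper can ship any version resource it likes. On these excerpts the diff reports perfmons as removed, Routing (and the harmless orphaned Ashampoo entry) as persisted, and routing.exe as newly present in the process list: the registry entry HijackThis deleted has been re-created and the binary is running, which is the situation the next reply addresses.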

HijackThis is more a diagnostic tool than a "fixer" program.
It does not attempt to delete any actual malware files (except for those associated with O2 BHO entries). At its core, it is a powerful registry editor.
The "fixes" you are attempting are incomplete and probably being thwarted by SpyBotSD's Tea Timer feature.

FIRST:
Disable SpybotSD's Tea Timer. Do that now.

THEN:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you (C:\ComboFix\ComboFix.txt).
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

Please post that log for us along with a fresh HJT. Let us know if you run into any difficulty.

Best Luck :)
PP
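When the ComboFix log comes back, the "Files Created" section (every file and directory created in the last 30 days, with creation and modification stamps) is where the co-dropped components show up. The block below is an added example for this thread; it is not ComboFix's code and not from any poster. It parses those lines, groups plain files written under the Windows directory by creation minute (a dropper writes its pieces within the same minute), reports any Program Files directory created within a few minutes as context, and flags executable-named files too small to be a PE image at all. The sample lines are copied from the ComboFix log the OP posts next in the thread; the five-minute window and the 64-byte floor are my own choices.

```python
"""Find co-dropped files in the 'Files Created' section of a ComboFix log.

Added example for this thread, not ComboFix's own code and not from any
poster. Groups entries by creation minute; a Program Files directory
created within a few minutes of a burst is reported as context (an
installer was running), not as a verdict either way. SAMPLE is copied
from the ComboFix log posted later in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[\w-]+)\s+(?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"
WINDOWS_DIR = "c:\\windows\\"
PROGRAM_FILES = "c:\\program files\\"
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: Optional[int]  # None for a directory
    path: str


def parse_files_created(text):
    """Parse 'created . modified size attrs path' lines; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(m["created"], STAMP), size, m["path"]))
    return entries


def same_minute(entries, path):
    """Other paths created in the same minute as `path`: a dropper's siblings."""
    target = next(e for e in entries if e.path.lower() == path.lower())
    return sorted(e.path for e in entries if e.created == target.created and e is not target)


def system_file_bursts(entries, window_minutes=5):
    """Plain files written under the Windows directory, grouped by creation minute
    (newest first), with Program Files directories created within the window as context."""
    installs = [e for e in entries if e.size is None and e.path.lower().startswith(PROGRAM_FILES)]
    window = timedelta(minutes=window_minutes)
    by_minute = defaultdict(list)
    for e in entries:
        if e.size is not None and e.path.lower().startswith(WINDOWS_DIR):
            by_minute[e.created].append(e.path)
    return [
        {
            "minute": minute.strftime(STAMP),
            "files": sorted(paths),
            "installs_nearby": sorted(d.path for d in installs if abs(d.created - minute) <= window),
        }
        for minute, paths in sorted(by_minute.items(), reverse=True)
    ]


def too_small_for_pe(entries, minimum=64):
    """Executable-named files smaller than a DOS header: they cannot be real PE images."""
    return sorted(e.path for e in entries
                  if e.size is not None and e.path.lower().endswith(PE_EXTENSIONS) and e.size < minimum)


# Lines copied from the ComboFix 'Files Created' section posted later in this thread.
SAMPLE = r"""
2008-02-28 00:15 . 2008-02-28 00:15 251,392 --a------ C:\WINDOWS\system32\andt.sys
2008-02-28 00:15 . 2008-02-28 00:15 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 31,232 --a------ C:\WINDOWS\system32\routing.exe
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
"""

if __name__ == "__main__":
    entries = parse_files_created(SAMPLE)
    for burst in system_file_bursts(entries):
        print(burst["minute"], burst["files"], "installs nearby:", burst["installs_nearby"] or "-")
    print("siblings of routing.exe:", same_minute(entries, r"C:\WINDOWS\system32\routing.exe"))
    print("too small to be PE:", too_small_for_pe(entries))
```

Read the bursts as a reading order, not a verdict. On these lines andt.sys and Indt2.sys were written together at 00:15 on the 28th with no installer anywhere near; routing.exe and drmgs.sys were written together at 14:17 on the 25th, two minutes before the Nero directory appeared, which is context to weigh rather than an explanation; and drmgs.sys at 40 bytes is smaller than a DOS header, so whatever it is, it is not a driver. The Sony Ericsson pair shows the normal case: two drivers in one minute with the product's own directory created right after.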

Hi PP,
Here's the combofix log:

ComboFix 08-02-25.3 - Rob 2008-02-28 0:44:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1607 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rob\Application Data\inst.exe
C:\Program Files\internet explorer\svchost.exe
C:\WINDOWS\msvrc20.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 00:15 . 2008-02-28 00:15 251,392 --a------ C:\WINDOWS\system32\andt.sys
2008-02-28 00:15 . 2008-02-28 00:15 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-27 23:43 7,662 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 31,232 --a------ C:\WINDOWS\system32\routing.exe
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-13 06:07 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-13 03:22 . 2008-02-13 03:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Symantec
2008-02-12 20:13 . 2008-02-12 20:13 <DIR> d-------- C:\N360_BACKUP
2008-02-12 20:11 . 2008-02-12 20:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-12 17:46 . 2008-02-13 18:10 <DIR> d-------- C:\Program Files\Norton 360
2008-02-12 17:40 . 2008-02-12 22:09 <DIR> d-------- C:\Program Files\Symantec
2008-02-12 17:40 . 2008-02-12 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 17:40 . 2008-02-12 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 17:40 . 2008-02-12 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 17:40 . 2008-02-12 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 17:39 . 2008-02-26 02:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-12 17:38 . 2008-02-27 23:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-12 17:35 . 2008-02-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\LimeWire
2008-02-12 16:08 . 2008-02-26 16:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-02-12 01:24 . 2008-02-12 01:24 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{404C1499-24DB-49AC-BF11-F0AD2C046836}
2008-02-11 23:30 . 2008-02-11 23:28 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 23:30 . 2008-02-11 23:30 3,439 --a------ C:\WINDOWS\unins000.dat
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-02-28 00:44 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-27 17:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 23:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=

R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start []
S2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2004-08-07 00:15]
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2008-02-25 14:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 00:45:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-28 0:46:21
ComboFix-quarantined-files.txt 2008-02-28 00:46:13
.
2008-02-16 08:19:57 --- E O F ---


& here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:47:26, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 6438 bytes

I appreciate the help.

0

Hi PP;
Here's the combofix log:
I appreciate the help.

Happy to try to help :)

-- You should uninstall Limewire


Then, let's give this a go, shall we?

-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.

And, I guess we'll go from there....

Cheers :)
PP

0

Hi PP. Here's the combofix log as requested:

ComboFix 08-02-25.3 - Rob 2008-02-28 10:28:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1641 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\routing.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 00:56 . 2008-02-28 00:56 <DIR> d---s---- C:\Documents and Settings\Rob\UserData
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-28 10:30 10,216 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-13 06:07 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-13 03:22 . 2008-02-13 03:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Symantec
2008-02-12 20:13 . 2008-02-12 20:13 <DIR> d-------- C:\N360_BACKUP
2008-02-12 20:11 . 2008-02-12 20:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-12 17:46 . 2008-02-13 18:10 <DIR> d-------- C:\Program Files\Norton 360
2008-02-12 17:40 . 2008-02-12 22:09 <DIR> d-------- C:\Program Files\Symantec
2008-02-12 17:40 . 2008-02-12 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 17:40 . 2008-02-12 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 17:40 . 2008-02-12 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 17:40 . 2008-02-12 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 17:39 . 2008-02-28 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-12 17:38 . 2008-02-28 10:13 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-12 17:35 . 2008-02-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-12 16:08 . 2008-02-26 16:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-02-12 01:24 . 2008-02-12 01:24 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{404C1499-24DB-49AC-BF11-F0AD2C046836}
2008-02-11 23:30 . 2008-02-11 23:28 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 23:30 . 2008-02-11 23:30 3,439 --a------ C:\WINDOWS\unins000.dat
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-02-28 10:27 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-28 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys
2008-02-11 18:44 . 2008-02-11 18:44 <DIR> d-------- C:\Program Files\Winamp
2008-02-11 18:44 . 2008-02-19 22:05 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Winamp
2008-02-11 18:31 . 2008-02-25 23:03 69 --a------ C:\WINDOWS\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 23:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=

R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start []
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 10:30:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Say the Time\SayTimeMain.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-28 10:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 10:34:06
ComboFix2.txt 2008-02-28 10:22:56
ComboFix3.txt 2008-02-28 00:46:22
.
2008-02-16 08:19:57 --- E O F ---

Ta.

0

Hi digital11,

Let's try this one more time - I hate to say it, but I missed one. This particular infection often has some rootkit-type stealthing attributes that try to hide its components. I wish I could say I missed a hidden one, but that's not the case... LOL!

Anyhoo, I'd like to do one more CFScript. I changed it a bit and it should get the remaining baddies. In addition, I'd like to look for a couple of associated baddies that have not shown themselves.


-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Please Download this updated CFScript to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.
-- I'd also like to see a fresh HijackThis Log from after this CFScript step.

With any luck, that ought to do the trick!

Cheers :)
PP

0

Hello PP, here are the new logs you needed:
HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:21:28, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 6797 bytes

Combofix log:

ComboFix 08-03-01 - Rob 2008-02-29 20:11:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1574 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-28 00:56 . 2008-02-28 00:56 <DIR> d---s---- C:\Documents and Settings\Rob\UserData
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-29 20:05 11,493 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-13 06:07 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-13 03:22 . 2008-02-13 03:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Symantec
2008-02-12 20:13 . 2008-02-12 20:13 <DIR> d-------- C:\N360_BACKUP
2008-02-12 20:11 . 2008-02-12 20:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-12 17:46 . 2008-02-13 18:10 <DIR> d-------- C:\Program Files\Norton 360
2008-02-12 17:40 . 2008-02-12 22:09 <DIR> d-------- C:\Program Files\Symantec
2008-02-12 17:40 . 2008-02-12 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 17:40 . 2008-02-12 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 17:40 . 2008-02-12 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 17:40 . 2008-02-12 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 17:39 . 2008-02-28 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-12 17:38 . 2008-02-28 10:13 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-12 17:35 . 2008-02-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-12 16:08 . 2008-02-26 16:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-02-12 01:24 . 2008-02-12 01:24 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{404C1499-24DB-49AC-BF11-F0AD2C046836}
2008-02-11 23:30 . 2008-02-11 23:28 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 23:30 . 2008-02-11 23:30 3,439 --a------ C:\WINDOWS\unins000.dat
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-03-01 20:12 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-28 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys
2008-02-11 18:44 . 2008-02-11 18:44 <DIR> d-------- C:\Program Files\Winamp
2008-02-11 18:44 . 2008-02-19 22:05 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Winamp
2008-02-11 18:31 . 2008-02-25 23:03 69 --a------ C:\WINDOWS\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=

R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-02-25 19:13]
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PGFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 20:12:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
Completion time: 2008-03-01 20:14:34
ComboFix-quarantined-files.txt 2008-03-01 20:13:40
ComboFix2.txt 2008-02-28 10:34:31
ComboFix3.txt 2008-02-28 10:22:56
ComboFix4.txt 2008-02-28 00:46:22
.
2008-02-16 08:19:57 --- E O F ---


Thank you.

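The O23 (service) lines in the HijackThis log above are where the helper in this thread spots the remnant: a service with "Unknown owner" whose binary is "(file missing)". The following is an added example, not code from the thread or from HijackThis, that parses O23 lines into their fields and flags those two signals; the sample lines are copied from the log posted above and the flag names are my own.

```python
"""Triage HijackThis O23 service entries.

Added example (not part of the original thread). Parses the
"O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
format and flags entries with an unknown owner or a missing binary.
"""
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

O23_PREFIX = "O23 - Service: "
FILE_MISSING = " (file missing)"
# "Display Name (shortname)" -> the short name is what services.msc / sc.exe use.
SHORT_NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)$")


def parse_o23(line):
    """Split one O23 line into its fields; returns None for non-O23 lines."""
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].strip().split(" - ")
    if len(parts) < 3:
        return None
    display, owner = parts[0], parts[1]
    path = " - ".join(parts[2:])          # a path may itself contain " - "
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)]
    short = None
    m = SHORT_NAME_RE.match(display)
    if m:
        display, short = m.group("display"), m.group("short")
    return {"display": display, "short": short, "owner": owner,
            "path": path, "file_missing": file_missing}


def flags_for(entry):
    """Flag names (my own labels) for the signals the thread keys on."""
    flags = []
    if entry["owner"].lower() == "unknown owner":
        flags.append("unknown-owner")
    if entry["file_missing"]:
        flags.append("file-missing")
    return flags


def triage(log_text):
    """Return [(entry, flags)] for every O23 line in a HijackThis log."""
    rows = []
    for raw in log_text.strip().splitlines():
        entry = parse_o23(raw.strip())
        if entry is not None:
            rows.append((entry, flags_for(entry)))
    return rows


def flagged_services(log_text):
    """Only the entries that carry at least one flag."""
    return [entry for entry, flags in triage(log_text) if flags]


if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG):
        name = entry["short"] or entry["display"]
        print(f"{name:25} {entry['owner']:22} {', '.join(flags) or 'ok'}")
```

A flag is a prompt to look closer, not a verdict: AshampooDefragService is flagged for the same two reasons as Routing, and it is simply an uninstalled defragmenter. The short name is the one to use when stopping or deleting the service, which is why the parser pulls it out of the parentheses.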

Hello PP, here are the new logs you needed:
HJT log. Thank you.

You're welcome :)

-- Things are looking better, but that Routing Service remains as a remnant in the registry. Let's do this to remove it:
Run HijackThis and open the Misc Tools section and select Delete an NT service and follow the instructions to enter and remove Routing Service (Routing)

-- Are you able to navigate to and DELETE C:\WINDOWS\system32\drmgs.sys?
It is important that we make sure this is gone.

I kinda miss the days when we ripped these baddies out manually - Tools such as ComboFix are a Godsend to over-worked and under-staffed forums, but I still prefer a more "hands on" approach. But I digress from the task at hand . . . LOL!

ALSO:
Please run http://www.eset.com/onlinescan/
-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.
I would also like to see a fresh HJT Log from after all of the above has been completed.


Hopefully that will do the trick. If not, we'll try something else. I have added this baddie to a batch tool I've been writing off and on for a while and we can try that, if all else fails to remove these remnants.
In cases where any sort of rootkit-type stealthing is involved (or may be involved), I tend to be overly cautious....

Best :)
PP


Hi; followed the instructions to remove Routing Service (Routing) but it reads 'the service routing is enabled and/or running. Disable it first'. I can't find it to disable it. Probably an easy solution, any ideas?


Hi; followed the instructions to remove Routing Service (Routing) but it reads 'the service routing is enabled and/or running. Disable it first'. I can't find it to disable it. Probably an easy solution, any ideas?

That shouldn't be running now - that is odd.

Click START > RUN > Type services.msc > ENTER
Find the EXACT Routing Service (Routing)
-- DoubleClick on it and make sure Path to executable reads: C:\WINDOWS\system32\routing.exe
-- Under Service status, if it says "started", click the "stop" button
-- Just above that, where it says "Startup type:", select Disabled and click OK

Then try to remove it with HJT as I posted before. If there are any similarly named "routing" services make sure you target the exact one above.

I do not know why this is being so stubborn. If this fails, let me know if you're up for running my little batch scan tool. No guarantees that it will remove it either and it is definitely a "run at your own risk" proposition (I've run it on my XP box a gazillion times with no problems - 'course I change it a bit each time ;) ).

PP


Hi PP, think I've done everything that was needed, here are the new logs:
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:03:34, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 6780 bytes

Eset online scan:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2912 (20080229)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d87be6008751bd4c9f2bf542fc85751a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-02 01:00:29
# local_time=2008-03-02 01:00:29 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=217956
# found=2
# scan_time=2286
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\svchost.exe.vir probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir probably a variant of Win32/TrojanDownloader.Delf.OBC trojan 6F3B1AF21F1AC76A2F377B1E1963A8D8

Cheers.

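The ESET log above says found=2, yet the helper reads it as clean: both hits are .vir files under C:\QooBox\Quarantine, ComboFix's quarantine folder, so they are copies of what was already removed, not live files. The following is an added example, not code from the thread or from ESET, that parses the online scanner log format shown above (the "# key=value" header and "path verdict hash" finding lines) and separates quarantined hits from live ones. The sample is trimmed from the log posted above; the quarantine test is my own heuristic and is labelled as such in the code.

```python
"""Parse an ESET Online Scanner log and separate quarantined hits from live ones.

Added example (not part of the original thread).
"""
import re

# Trimmed copy of the ESET Online Scanner log posted in this thread.
SAMPLE_ESET_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=217956
# found=2
# scan_time=2286
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\svchost.exe.vir probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir probably a variant of Win32/TrojanDownloader.Delf.OBC trojan 6F3B1AF21F1AC76A2F377B1E1963A8D8
"""

# A finding is "<drive path> <verdict text> <hex digest>". Paths contain spaces,
# so the verdict is constrained to contain no backslash: the regex backtracks
# until the path swallows every backslash-bearing token. Caveat: a filename with
# a space after its last backslash would be split wrongly by this rule.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>[^\\]+?) (?P<hash>[0-9A-Fa-f]+)$"
)


def in_quarantine(path):
    """Heuristic (my own): ComboFix stores quarantined files under
    ...\Quarantine\ with a .vir extension appended."""
    low = path.lower()
    return "\\quarantine\\" in low or low.endswith(".vir")


def parse_eset_log(text):
    """Return (header dict, list of finding dicts)."""
    header, findings = {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if "=" in body:
                key, value = body.split("=", 1)
                value = value.strip()
                header[key.strip()] = int(value) if value.isdigit() else value
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({
                "path": m.group("path"),
                "verdict": m.group("verdict"),
                "hash": m.group("hash"),
                "quarantined": in_quarantine(m.group("path")),
            })
    return header, findings


def summarize(text):
    """Counts a reviewer wants at a glance: reported, parsed, and live hits."""
    header, findings = parse_eset_log(text)
    live = [f for f in findings if not f["quarantined"]]
    return {
        "found": header.get("found", 0),
        "parsed": len(findings),
        "live": len(live),
        "consistent": header.get("found") == len(findings),
    }


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_ESET_LOG)
    print(f"scanned={hdr.get('scanned')} found={hdr.get('found')}")
    for h in hits:
        state = "quarantined" if h["quarantined"] else "LIVE"
        print(f"[{state}] {h['path']}\n    {h['verdict']} ({h['hash']})")
    print(summarize(SAMPLE_ESET_LOG))
```

The "consistent" check compares the header's found count with the number of finding lines actually parsed; a mismatch means the regex missed a line (the filename-with-space caveat above) and the log needs a manual read rather than a summary.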

Those logs show clean - how are things running now?

** Were you able to locate C:\WINDOWS\system32\drmgs.sys? Let me know.


Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

I strongly suggest you keep a close eye on things in the near future (actually you ought to always ;) ) - as I mentioned, I have seen this baddie accompanied by rootkit-type components and those are always worrisome.... Plus, your infection put up more of a fight than I expected it to which makes me wonder if there is more to it.

-- Do the ESET Online Scan weekly for at least a month.

-- Also, have a look at my "Protect Yourself" linky below and definitely install Spyware Blaster and keep it updated!

PP :)


Hello, I did locate & remove C:\WINDOWS\system32\drmgs.sys also uninstalled Combofix. Things seem to be okay now.
Thanks for all your help & time, it's appreciated.

Rob.


Hello, I did locate & remove C:\WINDOWS\system32\drmgs.sys also uninstalled Combofix. Things seem to be okay now.
Thanks for all your help & time, it's appreciated.
Rob.

You're Welcome :)
PP
