Second HijackThis scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:22, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\FarStone\VirtualDrive\Netsrv.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\snare.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Virtual Drive] "C:\Program Files\FarStone\VirtualDrive\vdtask.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081508 serial=DR12CES-6935367-CQC lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/AcPreview.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
-- End of file - 8297 bytes

This scan is after I put in my pen drive. I always virus scan every time I put a pen drive in. No virus found. I did a HijackThis, and it showed I had the amvo again, so I formatted my pen drive and did another ComboFix again; this is the log. I have reformatted my pen drive again, took the drive out and reinserted it, did a HijackThis scan: nothing.

Q. 1. When the pen drive is in, why doesn't ComboFix scan that drive also? 2. Why doesn't my AV pull it out?
ComboFix 08-07-31.02 - Peter 2008-08-02 10:29:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.178 [GMT 1:00]
Running from: C:\Documents and Settings\Peter\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf
C:\kdxdweli.cmd
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
2008-08-02 10:20 . 2008-08-02 10:20  <DIR>  d--------  C:\Documents and Settings\Mercy
2008-08-01 09:52 . 2008-08-01 09:52  <DIR>  d--------  C:\Program Files\Intense Language Office
2008-07-31 11:00 . 2008-07-31 11:05  <DIR>  d--------  C:\Program Files\Evrsoft First Page 2006
2008-07-31 11:00 . 2005-09-23 17:02  887,296  --a------  C:\WINDOWS\system32\KsDHTMLEDLib.ocx
2008-07-31 10:22 . 2008-07-31 10:23  <DIR>  d--h-----  C:\WINDOWS\system32\GroupPolicy
2008-07-31 09:18 . 2008-07-31 09:18  <DIR>  d--------  C:\WINDOWS\ERUNT
2008-07-31 09:14 . 2008-07-31 13:21  <DIR>  d--------  C:\SDFix
2008-07-29 12:23 . 2008-07-29 12:23  <DIR>  d--------  C:\Deckard
2008-07-29 12:20 . 2008-07-29 12:20  33  --a------  C:\WINDOWS\SYMGAMES.INI
2008-07-28 16:47 . 2008-07-28 16:47  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\Autodesk
2008-07-25 11:10 . 2008-07-25 11:10  <DIR>  d--------  C:\Program Files\GSP
2008-07-24 15:16 . 2008-07-24 15:16  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\farstone
2008-07-23 17:00 . 2008-07-23 17:17  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\CyberLink
2008-07-23 17:00 . 2008-07-23 17:17  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-20 16:34 . 2008-07-20 16:34  <DIR>  d--------  C:\WINDOWS\system32\LogFiles
2008-07-20 16:33 . 2008-07-20 16:34  <DIR>  d--------  C:\WINDOWS\system32\drivers\umdf
2008-07-19 15:13 . 2002-09-10 15:11  311,296  --a------  C:\WINDOWS\system32\hptcpmui.dll
2008-07-19 15:13 . 2003-01-31 14:17  208,896  --a------  C:\WINDOWS\system32\hptcpmon.dll
2008-07-19 15:13 . 2003-01-31 14:17  135,168  --a------  C:\WINDOWS\system32\hptcpmib.dll
2008-07-19 15:13 . 2001-08-13 10:31  3,399  --a------  C:\WINDOWS\system32\hptcpmon.ini
2008-07-19 15:13 . 2008-07-19 15:13  136  --a------  C:\WINDOWS\system32\AddPort.ini
2008-07-19 15:05 . 2008-07-28 12:19  <DIR>  d--------  C:\Program Files\[emailprotected]
2008-07-18 15:47 . 2008-07-18 15:47  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\AdobeUM
2008-07-18 14:24 . 2008-07-21 08:33  <DIR>  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 14:24 . 2008-07-18 14:24  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\Malwarebytes
2008-07-18 14:24 . 2008-07-18 14:24  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 14:24 . 2008-07-07 17:35  34,296  --a------  C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-18 14:24 . 2008-07-07 17:35  17,144  --a------  C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 12:16 . 2008-07-18 12:16  <DIR>  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-07-18 10:39 . 2004-08-03 23:01  25,856  --a------  C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-18 09:53 . 2008-07-18 12:16  <DIR>  d--------  C:\Program Files\SUPERAntiSpyware
2008-07-18 09:53 . 2008-07-18 12:16  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
2008-07-18 09:53 . 2008-07-18 09:53  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-18 09:31 . 2008-07-18 09:31  <DIR>  d--------  C:\Program Files\Trend Micro
2008-07-18 09:25 . 2004-08-03 23:08  26,496  --a--c---  C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-17 11:30 . 2008-07-17 11:30  53,680  --a------  C:\WINDOWS\FontData.fdb
2008-07-17 10:38 . 2008-07-17 10:38  <DIR>  d--------  C:\Documents and Settings\Peter\Application Data\Corel
2008-07-16 18:04 . 2008-07-16 18:04  <DIR>  d--------  C:\Program Files\VCop2
2008-07-16 16:49 . 2008-07-28 10:08  16  --a------  C:\WINDOWS\system32\coh.cache
2008-07-16 16:11 . 2008-07-16 16:11  <DIR>  d--h-----  C:\WINDOWS\$hf_mig$
2008-07-16 16:11 . 2006-05-09 20:00  22,752  --a------  C:\WINDOWS\system32\spupdsvc.exe
2008-07-16 16:06 . 2008-07-16 16:06  <DIR>  d--------  C:\Program Files\WexTech
2008-07-16 16:06 . 2008-07-16 16:06  <DIR>  d--------  C:\Program Files\Common Files\LHSPF
2008-07-16 16:06 . 2000-05-02 10:03  225,280  --a------  C:\WINDOWS\system32\awrtl30.dll
2008-07-16 16:06 . 1998-08-04 11:22  111,616  ---------  C:\WINDOWS\system32\Ltih30tb.dll
2008-07-16 16:05 . 2000-10-20 13:25  487,184  --a------  C:\WINDOWS\system32\Mrt7enu.dll
2008-07-16 16:05 . 2000-10-20 13:25  446,464  --a------  C:\WINDOWS\system32\hhactivex.dll
2008-07-16 16:05 . 2000-10-20 13:25  79,360  --a------  C:\WINDOWS\system32\acdbres.dll
2008-07-16 16:05 . 2000-10-20 13:25  31,744  --a------  C:\WINDOWS\system32\Hlp95en.dll
2008-07-16 16:04 . 2008-07-16 16:05  <DIR>  d--------  C:\Program Files\Volo View Express
2008-07-16 16:04 . 2008-07-16 16:04  <DIR>  d--------  C:\Documents and Settings\Peter\WINDOWS
2008-07-16 16:04 . 2000-10-20 13:25  299,520  --a------  C:\WINDOWS\uninst.exe
2008-07-16 16:01 . 2008-07-16 16:06  <DIR>  d--------  C:\Program Files\Common Files\Wextech Shared
2008-07-16 16:00 . 2008-07-16 16:06  <DIR>  d--------  C:\Program Files\Common Files\Autodesk Shared
2008-07-16 16:00 . 2008-07-28 16:41  <DIR>  d--------  C:\Program Files\Autodesk Architectural Desktop 3
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-08-01 14:56  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-31 09:48  ---------  d-----w  C:\Program Files\Common Files\Symantec Shared
2008-07-25 10:10  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-07-25 10:09  ---------  d-----w  C:\Program Files\Common Files\InstallShield
2008-07-23 12:33  ---------  d-----w  C:\Documents and Settings\Peter\Application Data\Ahead
2008-07-16 14:52  ---------  d-----w  C:\Program Files\CyberLink
2008-07-16 14:49  ---------  d-----w  C:\Program Files\Common Files\Ahead
2008-07-16 14:46  ---------  d-----w  C:\Program Files\Common Files\Adobe
2008-07-16 14:45  ---------  d-----w  C:\Program Files\Nero
2008-07-16 14:45  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Nero
2008-07-16 14:23  ---------  d-----w  C:\Program Files\Norton AntiVirus
2008-07-16 14:22  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 14:20  806  ----a-w  C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-16 14:20  8,014  ----a-w  C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-16 14:20  48,776  ----a-w  C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-16 14:20  115,000  ----a-w  C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-16 14:20  ---------  d-----w  C:\Program Files\Symantec
2008-07-16 14:11  ---------  d-----w  C:\Program Files\Microsoft Works
2008-07-16 14:10  ---------  d-----w  C:\Program Files\MSBuild
2008-07-16 14:08  ---------  d-----w  C:\Program Files\Corel
2008-07-16 14:08  ---------  d-----w  C:\Program Files\Common Files\Corel
2008-07-16 13:50  ---------  d-----w  C:\Program Files\FarStone
2008-07-16 13:39  ---------  d-----w  C:\Program Files\microsoft frontpage
1997-07-21 18:30  1,045,776  --sha-w  C:\WINDOWS\system32\Msjet35.dll
1997-06-23 02:00  123,664  --sha-w  C:\WINDOWS\system32\Msjint35.dll
1997-06-23 11:06  24,848  --sha-w  C:\WINDOWS\system32\Msjter35.dll
1997-06-23 11:06  252,176  --sha-w  C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 11:06  287,504  --sha-w  C:\WINDOWS\system32\Msxbse35.dll
((((((((((((((((((((((((((((( [emailprotected]_ 9.40.03.66 )))))))))))))))))))))))))))))))))))))))))

- 2008-07-16 14:12:16  1,165,584  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-08-01 14:47:55  1,165,584  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2008-07-16 14:12:16  20,240  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-08-01 14:48:01  20,240  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-07-16 14:12:16  159,504  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-08-01 14:47:57  159,504  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2008-07-16 14:12:16  217,864  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-01 14:48:00  217,864  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-07-16 14:12:17  18,704  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-08-01 14:48:01  18,704  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-07-16 14:12:17  35,088  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-08-01 14:48:03  35,088  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-07-16 14:12:16  845,584  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-08-01 14:47:59  845,584  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2008-07-16 14:12:16  922,384  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-08-01 14:48:00  922,384  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2008-07-16 14:12:16  272,648  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-08-01 14:48:00  272,648  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-07-16 14:12:17  888,080  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-08-01 14:48:02  888,080  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-07-16 14:12:16  1,172,240  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-08-01 14:47:57  1,172,240  ----a-r  C:\WINDOWS\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-07-16 14:05:43  217,864  ----a-r  C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-08-01 14:56:14  217,864  ----a-r  C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-07-16 15:17:05  343,424  ----a-w  C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-08-02 09:01:38  343,424  ----a-w  C:\WINDOWS\system32\FNTCACHE.DAT
+ 2001-04-15 03:20:00  47,616  ----a-w  C:\WINDOWS\system32\intedreg.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"ILO_Office_Manager"="IntEdReg.exe" [2001-04-15 04:20 47616 C:\WINDOWS\system32\intedreg.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 08:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 10:11 771704]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"Virtual Drive"="C:\Program Files\FarStone\VirtualDrive\vdtask.exe" [2001-10-20 05:47 57344]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 16:19 1051648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"Intense Registry Service"="IntEdReg.exe" [2001-04-15 04:20 47616 C:\WINDOWS\system32\intedreg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-07-16 14:48:56 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-16 15:33:15 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\FarStone\\VirtualDrive\\netsrv.exe"=
"C:\\Program Files\\[emailprotected]\\LookAtLan.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
R2 cdant;cdant;C:\WINDOWS\system32\drivers\cdant.sys [2001-09-06 22:13]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39686e63-595a-11dd-9a1d-000d87b86781}]
\Shell\AutoRun\command - wscript.exe sys.vbs
\Shell\open\Command - wscript.exe sys.vbs

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2008-07-31 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Peter.job - C:\Program Files\Norton AntiVirus\Navw32.exe [2007-01-14 12:09]

------- Supplementary Scan -------

O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 10:31:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-08-02 10:33:51
ComboFix-quarantined-files.txt 2008-08-02 09:33:16

Pre-Run: 11,423,133,696 bytes free
Post-Run: 11,416,059,904 bytes free
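The two questions above (why the pen drive keeps bringing amvo.exe back and why the AV does not pull it out) come down to the persistence visible in this ComboFix log: an Autorun.inf was removed from the root of C:, D:, G: and H:, and the MountPoints2 key for the volume {39686e63-595a-11dd-9a1d-000d87b86781} carried AutoRun and open handlers that launch sys.vbs through wscript.exe, so Explorer re-runs the script whenever that volume is opened. The Python script below is an added example written for this thread; it is not code from HijackThis, ComboFix or the forum. It parses the three line formats that appear in the logs (HijackThis O4 Run entries, ComboFix MountPoints2 keys with their \Shell\...\command lines, and Autorun.inf deletion lines) and flags that pattern. The system32 baseline, the script-host list and the SAMPLE lines are constructed for the example.

```python
r"""Spot USB-autorun persistence in HijackThis / ComboFix log lines.

Added example for this thread; it is not code from HijackThis, ComboFix or
the forum. It parses three kinds of lines that appear in the logs above:
  * HijackThis "O4 - <hive>\..\Run: [name] command" autostart entries,
  * ComboFix "[HKEY_CURRENT_USER\...\mountpoints2\<volume>]" keys and the
    "\Shell\<verb>\command - <handler>" lines that follow them,
  * ComboFix deletion lines of the form "<drive>:\Autorun.inf".
The baseline of expected system32 Run entries and the script-host list are
assumptions for this example; SAMPLE is constructed to mirror the thread.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[\w.-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
MP2_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<volume>[^\]]+)\]$", re.I)
MP2_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.I)
AUTORUN_RE = re.compile(r"^(?P<drive>[A-Z]):\\Autorun\.inf$", re.I)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\")

# Assumed baseline: the only system32 binary expected under a Run key on this XP box.
SYSTEM32_BASELINE = {"ctfmon.exe"}
# Interpreters that a drive's AutoRun/open handler should never invoke (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}


def executable_name(cmd):
    """Return the lower-cased file name of the executable in a Run command."""
    head = cmd.strip('"').split("\\")[-1]   # last path component
    return head.split(" ")[0].lower()        # drop arguments / "(User ...)" suffix


def flag_o4(line):
    """Flag an O4 Run entry whose target lives in system32 but is not baselined."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    exe = executable_name(cmd)
    if "\\system32\\" in cmd.lower() and exe not in SYSTEM32_BASELINE:
        return f"O4 {m.group('hive')} [{m.group('name')}] -> unexpected system32 binary {exe}"
    return None


def scan(lines):
    """Walk log lines once; return findings in log order."""
    findings = []
    volume = None  # MountPoints2 subkey currently being read, if any
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        finding = flag_o4(line)
        if finding:
            findings.append(finding)
            continue
        key = MP2_KEY_RE.match(line)
        if key:
            volume = key.group("volume")
            continue
        handler = MP2_CMD_RE.match(line)
        if handler and volume is not None:
            cmd = handler.group("cmd")
            exe = cmd.split()[0].strip('"').lower()
            # A handler that is a script host, or a bare name resolved from the
            # drive root, is the autorun hijack pattern seen in this thread.
            if exe in SCRIPT_HOSTS or not DRIVE_PATH_RE.match(exe):
                findings.append(f"MountPoints2 {volume} {handler.group('verb')} -> {cmd}")
            continue
        autorun = AUTORUN_RE.match(line)
        if autorun:
            findings.append(f"Autorun.inf on drive {autorun.group('drive').upper()}:")
        volume = None  # any other line ends the MountPoints2 key block
    return findings


# Constructed sample mirroring entries from the logs in this thread.
SAMPLE = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
C:\Autorun.inf
H:\Autorun.inf
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39686e63-595a-11dd-9a1d-000d87b86781}]
\Shell\AutoRun\command - wscript.exe sys.vbs
\Shell\open\Command - wscript.exe sys.vbs
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against a saved HijackThis or ComboFix log, each reported MountPoints2 handler names the volume whose key carries the autorun command, which is exactly the set of keys a removal script has to delete, and each Autorun.inf line tells you which drive roots were seeded; the O4 heuristic only flags system32 binaries outside the baseline, so a fresh machine will need its baseline extended before the output is quiet.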
I think I've got rid of the problem. I'll wait for your reply.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:08:56, on 04/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\FarStone\VirtualDrive\Netsrv.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intense Language Office\Common\OffMan.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\snare.exe
C:\Program Files\Trend Micro\HijackThis\snare.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Virtual Drive] "C:\Program Files\FarStone\VirtualDrive\vdtask.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=081508 serial=DR12CES-6935367-CQC lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/Autodesk%20Architectural%20Desktop%203/AcPreview.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
-- End of file - 8368 bytes

Quote: "I think I've got rid of the problem. I'll wait for your reply."

What did you do? There are still trojans left.
Read this article: Danger: Remote Access Trojans.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.
When should I re-format? How should I reinstall? How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
- Click Start, then Run.
- Type notepad.exe in the Run box.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C.

Code:
KillAll::

File::
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\FarStone\VirtualDrive\netsrv.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39686e63-595a-11dd-9a1d-000d87b86781}]

3. Go to the Notepad window and click Edit > Paste.
4. Then click File > Save.
5. Name the file CFScript.txt and save the file to your Desktop.
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
----------