Vundo Hell

paulie_ldn
2008-02-02, 20:35
Hello,

My PC has been infected with Vundo and I'm stumped on how to remove it. I've tried all the simple things, i.e. Spybot and Norton, but it just keeps coming back.

I've posted the Combofix and HJT logs below.

Any help will be much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:26:59, on 02/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\NILaunch.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Net-It Launcher] C:\Windows\system32\NILaunch.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ElcomSoft DPR Server] C:\Program Files\ElcomSoft\Distributed Password Recovery\esdprs.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\DEFAUL~1.DEF\AppData\Local\Temp\urqol.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxct_device - - C:\Windows\system32\lxctcoms.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8603 bytes


ComboFix 08-02.02.5 - default 2008-02-02 17:57:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.999 [GMT 0:00]
Running from: C:\Users\default.default-PC\Desktop\ComboFix.exe
* Created a new restore point

paulie_ldn
2008-02-02, 20:37
ComboFix 08-02.02.5 - default 2008-02-02 17:57:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.999 [GMT 0:00]
Running from: C:\Users\default.default-PC\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 17:57 . 2008-02-02 17:57 <DIR> d-------- C:\Program Files\Remove-it
2008-02-02 17:57 . 2004-08-10 19:00 16,384 --a------ C:\Windows\System32\tskill.exe
2008-02-02 11:55 . 2008-02-02 11:55 <DIR> d-------- C:\VundoFix Backups
2008-02-02 11:43 . 2008-02-02 12:13 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-02 11:43 . 2008-02-02 12:13 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-02 11:43 . 2008-02-02 11:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 11:38 . 2008-02-02 11:38 0 --a------ C:\Windows\Irremote.ini
2008-02-02 11:30 . 2008-02-02 11:30 0 --a------ C:\Windows\nsreg.dat
2008-01-30 10:05 . 2008-01-30 10:05 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 10:05 . 2008-01-30 10:05 <DIR> d-------- C:\Program Files\iPod
2008-01-30 10:05 . 2008-01-30 10:05 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-30 10:05 . 2008-01-30 10:05 1,409 --a------ C:\Windows\QTFont.for
2008-01-30 10:03 . 2008-01-30 10:04 <DIR> d-------- C:\Program Files\QuickTime
2008-01-27 18:06 . 2008-01-27 18:06 <DIR> d-------- C:\Users\bkc\AppData\Roaming\Nero
2008-01-27 10:43 . 2008-01-27 10:43 <DIR> d-------- C:\Users\All Users\LightScribe
2008-01-27 10:43 . 2008-01-27 10:43 <DIR> d-------- C:\ProgramData\LightScribe
2008-01-27 10:36 . 2008-01-27 10:36 <DIR> d-------- C:\Users\default.default-PC\AppData\Roaming\Nero
2008-01-27 10:33 . 2008-02-02 11:39 <DIR> d-------- C:\Users\All Users\Nero
2008-01-27 10:33 . 2008-02-02 11:39 <DIR> d-------- C:\ProgramData\Nero
2008-01-27 10:33 . 2008-01-27 10:33 <DIR> d-------- C:\Program Files\Nero
2008-01-27 10:33 . 2008-02-02 11:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-24 19:58 . 2008-02-02 18:03 <DIR> d-------- C:\Users\All Users\Kontiki
2008-01-24 19:58 . 2008-01-24 19:58 <DIR> d-------- C:\Users\All Users\Channel4
2008-01-24 19:58 . 2008-02-02 18:03 <DIR> d-------- C:\ProgramData\Kontiki
2008-01-24 19:58 . 2008-01-24 19:58 <DIR> d-------- C:\ProgramData\Channel4
2008-01-24 19:58 . 2008-01-24 19:58 <DIR> d-------- C:\Program Files\Kontiki
2008-01-24 19:58 . 2008-01-24 19:58 <DIR> d-------- C:\Program Files\Channel4
2008-01-17 10:49 . 2008-01-17 10:49 <DIR> d-------- C:\Users\All Users\Adobe
2008-01-17 10:49 . 2008-01-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-09 23:07 . 2008-01-09 23:07 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 23:07 . 2008-01-09 23:07 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 23:07 . 2008-01-09 23:07 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 23:07 . 2008-01-09 23:07 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 23:07 . 2008-01-09 23:07 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 23:06 . 2008-01-09 23:06 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 23:06 . 2008-01-09 23:06 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 23:06 . 2008-01-09 23:06 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 23:06 . 2008-01-09 23:06 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 23:06 . 2008-01-09 23:06 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 23:05 . 2008-01-09 23:05 11,776 --a------ C:\Windows\System32\sbunattend.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 17:48 --------- d-----w C:\ProgramData\Symantec
2008-02-02 17:43 --------- d-----w C:\Program Files\Java
2008-01-31 20:06 --------- d-----w C:\Program Files\Lx_cats
2008-01-26 23:06 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\LimeWire
2008-01-15 09:54 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-01-15 05:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-01-12 18:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-01-10 00:06 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 00:06 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 23:06 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 23:06 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 23:06 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 23:06 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 07:22 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\uTorrent
2008-01-01 20:17 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\Media Player Classic
2008-01-01 18:28 --------- d-----w C:\Users\bkc\AppData\Roaming\AdobeUM
2007-12-26 14:53 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\Orbit
2007-12-24 19:15 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\Apple Computer
2007-12-24 13:31 --------- d-----w C:\Program Files\ElcomSoft
2007-12-21 16:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-21 15:58 --------- d-----w C:\ProgramData\NVIDIA
2007-12-21 15:47 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-20 22:57 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-18 15:17 --------- d-----w C:\Users\default.default-PC\AppData\Roaming\CyberLink
2007-12-18 15:17 --------- d-----w C:\ProgramData\CyberLink
2007-12-13 01:14 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 01:14 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 01:14 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 01:14 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 01:14 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 01:14 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 01:14 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 01:13 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 01:13 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 01:13 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 01:13 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-13 01:13 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 01:13 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-11 18:52 356,352 ----a-w C:\Windows\System32\nvuninst.exe
2007-12-11 17:06 86,016 ----a-w C:\Windows\System32\nvsvc.dll
2007-12-11 17:06 81,920 ----a-w C:\Windows\System32\nvmctray.dll
2007-12-11 17:06 8,530,464 ----a-w C:\Windows\System32\nvcpl.dll
2007-12-11 17:06 8,238,688 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2007-12-11 17:06 795,104 ----a-w C:\Windows\System32\dpinst.exe
2007-12-11 17:06 753,664 ----a-w C:\Windows\System32\nvcplui.exe
2007-12-11 17:06 7,098,368 ----a-w C:\Windows\System32\nvoglv32.dll
2007-12-11 17:06 6,549,504 ----a-w C:\Windows\System32\nvdisps.dll
2007-12-11 17:06 5,263,360 ----a-w C:\Windows\System32\nvd3dum.dll
2007-12-11 17:06 45,056 ----a-w C:\Windows\System32\nvmccsrs.dll
2007-12-11 17:06 385,024 ----a-w C:\Windows\System32\nvapi.dll
2007-12-11 17:06 356,352 ----a-w C:\Windows\System32\nvudisp.exe
2007-12-11 17:06 35,328 ----a-w C:\Windows\System32\nvcod100.dll
2007-12-11 17:06 35,328 ----a-w C:\Windows\System32\nvcod.dll
2007-12-11 17:06 307,200 ----a-w C:\Windows\System32\nvexpbar.dll
2007-12-11 17:06 3,710,976 ----a-w C:\Windows\System32\nvvitvs.dll
2007-12-11 17:06 3,420,160 ----a-w C:\Windows\System32\nvgames.dll
2007-12-11 17:06 229,376 ----a-w C:\Windows\System32\nvmccs.dll
2007-12-11 17:06 2,498,560 ----a-w C:\Windows\System32\nvwss.dll
2007-12-11 17:06 188,416 ----a-w C:\Windows\System32\nvmccss.dll
2007-12-11 17:06 147,456 ----a-w C:\Windows\System32\nvcolor.exe
2007-12-11 17:06 1,830,912 ----a-w C:\Windows\System32\nvwgf2um.dll
2007-12-11 17:06 1,228,800 ----a-w C:\Windows\System32\nvmobls.dll
2007-12-08 13:43 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2007-12-08 13:43 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2007-12-08 13:43 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2007-12-08 13:43 --------- d-----w C:\Program Files\Symantec
2007-12-05 12:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-22 11:10 229,888 ----a-w C:\Windows\System32\msshsq.dll
2007-11-14 13:45 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-14 13:45 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-14 13:45 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-14 13:45 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-14 13:45 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-14 13:45 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-14 13:45 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-14 13:45 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-14 13:45 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-14 13:45 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-14 13:44 974,336 ----a-w C:\Windows\System32\crypt32.dll
2007-11-14 13:44 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2007-11-14 13:41 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2007-11-14 13:41 43,352 ----a-w C:\Windows\System32\wups2.dll
2007-11-14 13:41 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2007-11-14 13:41 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2007-11-14 13:40 80,896 ----a-w C:\Windows\System32\wudriver.dll
2007-11-14 13:40 549,720 ----a-w C:\Windows\System32\wuapi.dll
2007-11-14 13:40 33,624 ----a-w C:\Windows\System32\wups.dll
2007-11-14 13:40 31,232 ----a-w C:\Windows\System32\wuapp.exe
2007-11-14 13:40 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2007-11-09 10:15 319,456 ----a-w C:\Windows\DIFxAPI.dll
2007-11-09 10:15 315,392 ----a-w C:\Windows\HideWin.exe
2007-11-09 10:13 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 09:24 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 23:05 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-01-17 16:44 5724184]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 12:34 2159104 C:\Windows\System32\oobefldr.dll]
"ElcomSoft DPR Server"="C:\Program Files\ElcomSoft\Distributed Password Recovery\esdprs.exe" [2007-10-20 09:28 304912]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"cmds"="C:\Users\DEFAUL~1.DEF\AppData\Local\Temp\urqol.dll" [2008-01-30 09:55 332288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-26 17:20 1006264]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 21:17 52256]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 18:39 4702208 C:\Windows\RtHDVCpl.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 05:07 51048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Net-It Launcher"="C:\Windows\system32\NILaunch.exe" [1998-02-05 19:16 24576]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 10:11 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 10:12 304048]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Users\bkc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\Users\default.default-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-11-22 10:11 82864 C:\Program Files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-09-19 20:48 455968 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
--a------ 2006-11-21 13:27 106496 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2007-03-14 20:01 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe