CastleCops, Internet Crime Fighters

[FIXED]ComboFix and gmer logs - Rootkit still present?
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Wed Aug 20, 2008 2:18 pm    Post subject: ComboFix and gmer logs - Rootkit still present?

After running ComboFix, all previous symptoms of this Rootkit are gone except for some entries in the gmer log that still concern me... "section is executable" appears after several Windows system files in the log. Do you think I am still infected, or could I simply replace the files that show "section is executable" with legitimate files?

ComboFix 08-08-18.01 - Donald X 2008-08-18 18:11:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.540 [GMT -7:00]
Running from: C:\Documents and Settings\Donald X\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Donald X\Application Data\macromedia\Flash Player\#SharedObjects\B4ZNCTWT\interclick.com
C:\Documents and Settings\Donald X\Application Data\macromedia\Flash Player\#SharedObjects\B4ZNCTWT\interclick.com\ud.sol
C:\Documents and Settings\Donald X\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Donald X\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Donald X\Application Data\rhcp0gj0ec8a
C:\Documents and Settings\Donald X\UserData
C:\Documents and Settings\Donald X\UserData\7JGW49F7\oWindowsUpdate[1].xml
C:\Documents and Settings\Donald X\UserData\7JGW49F7\YL[1].xml
C:\Documents and Settings\Donald X\UserData\85EBOXYF\ps[1].xml
C:\Documents and Settings\Donald X\UserData\85EBOXYF\ps[2].xml
C:\Documents and Settings\Donald X\UserData\85EBOXYF\ps[3].xml
C:\Documents and Settings\Donald X\UserData\CHZI1GD2\oWindowsUpdate[1].xml
C:\Documents and Settings\Donald X\UserData\CHZI1GD2\oWindowsUpdate[2].xml
C:\Documents and Settings\Donald X\UserData\G5IR0DMJ\DraftMsgData[1].xml
C:\Documents and Settings\Donald X\UserData\G5IR0DMJ\oXMLStore[1].xml
C:\Documents and Settings\Donald X\UserData\G5IR0DMJ\ps[1].xml
C:\Documents and Settings\Donald X\UserData\H604ZO0U\dmtstore[1].xml
C:\Documents and Settings\Donald X\UserData\H604ZO0U\oWindowsUpdate[1].xml
C:\Documents and Settings\Donald X\UserData\index.dat
C:\Documents and Settings\Donald X\UserData\KDM3G9EF\CoronaRunOnce[1].xml
C:\Documents and Settings\Donald X\UserData\KDM3G9EF\ps[1].xml
C:\Documents and Settings\Donald X\UserData\KDM3G9EF\ps[2].xml
C:\Documents and Settings\Donald X\UserData\WD6N8D2R\oWindowsUpdate[1].xml
C:\Documents and Settings\Donald X\UserData\WD6N8D2R\ps[1].xml
C:\Documents and Settings\Donald X\UserData\ZBYEDVJL\oWindowsUpdate[1].xml
C:\Documents and Settings\Donald X\UserData\ZBYEDVJL\oWindowsUpdate[2].xml
C:\Documents and Settings\LocalService\Application Data\619615162.exe
C:\Documents and Settings\LocalService\Application Data\668311381.exe
C:\Documents and Settings\LocalService\Application Data\728739263.exe
C:\Documents and Settings\LocalService\Application Data\rhcp0gj0ec8a
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\msxml4.dll
C:\WINDOWS\system32\system\msxml4r.dll
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-18 17:29 . 2008-08-18 17:29 250 --a------ C:\WINDOWS\gmer.ini
2008-08-18 17:25 . 2008-08-18 17:26 <DIR> d-------- C:\Documents and Settings\Donald X 2\.SygateTmpYY
2008-08-18 17:23 . 2008-08-18 17:25 <DIR> d-------- C:\Documents and Settings\Donald X 2\Application Data\GTek
2008-08-18 17:22 . 2008-08-18 17:22 <DIR> d-------- C:\Documents and Settings\Donald X 2\Application Data\Symantec
2008-08-18 17:22 . 2004-02-03 13:52 <DIR> d-------- C:\Documents and Settings\Donald X 2\Application Data\Sonic
2008-08-18 17:22 . 2008-08-18 17:22 <DIR> d-------- C:\Documents and Settings\Donald X 2\Application Data\Share-to-Web Upload Folder
2008-08-18 17:22 . 2004-02-03 13:55 <DIR> d-------- C:\Documents and Settings\Donald X 2\Application Data\Jasc Software Inc
2008-08-18 17:22 . 2008-08-18 17:56 <DIR> d-------- C:\Documents and Settings\Donald X 2
2008-08-18 17:01 . 2008-08-18 17:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-08-17 07:56 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-08-17 07:56 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-08-17 07:56 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-08-15 15:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-15 14:45 . 2008-08-15 15:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-15 14:45 . 2008-08-15 14:45 <DIR> d-------- C:\Documents and Settings\Donald X\Application Data\SUPERAntiSpyware.com
2008-08-15 14:45 . 2008-08-15 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-15 03:05 . 2008-08-15 03:05 137 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-08-14 15:08 . 2008-08-13 14:19 60,928 --a------ C:\WINDOWS\SYSTEM32\79B.tmp.ct
2008-08-14 14:41 . 2008-05-01 07:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 14:19 . 2008-08-13 14:19 27,136 --a------ C:\WINDOWS\SYSTEM32\sysrest32.exe.ct
2008-08-12 15:24 . 2008-08-14 15:08 70,144 --a------ C:\WINDOWS\SYSTEM32\blphct0gj0ec8a.scr.ct
2008-08-11 14:26 . 2008-08-11 14:26 245 --a------ C:\WINDOWS\tmp303093.bat
2008-08-06 16:31 . 2008-08-06 16:31 <DIR> d-------- C:\Webshots Data
2008-08-02 11:57 . 2008-08-02 11:57 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 00:28 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-08-18 22:17 63 ----a-w C:\Documents and Settings\Donald X\audit.dat
2008-08-18 22:16 --------- d-----w C:\Program Files\ACT
2008-08-18 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 14:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-17 14:49 --------- d-----w C:\Program Files\Quicken
2008-08-16 22:30 --------- d-----w C:\Program Files\Apple Software Update
2008-08-16 14:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-15 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 22:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 22:08 --------- d-----w C:\Program Files\Common Files\Real
2008-08-15 22:01 --------- d-----w C:\Program Files\Java
2008-08-15 21:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-15 10:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-14 21:53 --------- d-----w C:\Program Files\Documents To Go
2008-08-03 15:05 --------- d-----w C:\Program Files\Norton SystemWorks
2008-08-02 18:57 --------- d-----w C:\Program Files\iTunes
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-05 16:43 --------- d-----w C:\Program Files\Field Day 2.8
2008-07-05 16:27 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-05 16:27 249,856 ------w C:\WINDOWS\Setup1.exe
2008-06-21 23:25 --------- d-----w C:\Program Files\Safari
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:16 --------- d-----w C:\Program Files\DivX
2008-06-19 23:08 --------- d-----w C:\Program Files\QuickTime
2001-02-17 17:31 501 ----a-w C:\Program Files\UPDATE.LOG
2003-10-01 18:34 9,654,272 ----a-w C:\Program Files\internet explorer\plugins\axbqf32.dll
2004-09-17 21:58 56 --sh--r C:\WINDOWS\SYSTEM32\8691382995.sys
2004-10-05 22:46 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2002-08-29 04:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-08-11 14:26 505856 e853481fef64a5be3fc3732d9d3d926a C:\WINDOWS\SYSTEM32\winlogon.exe

2007-06-13 03:23 1035264 90bdefa8740e66dee42c12eb1c30c789 C:\WINDOWS\explorer.exe
2003-05-11 22:12 996352 a73bc66a95cf4f7b597fc8975778a889 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2002-08-29 04:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtUninstallKB820291$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-08-29 04:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 110080 5812a3513734517f8c2c5eab6b269864 C:\WINDOWS\SYSTEM32\services.exe

2002-08-29 04:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed C:\WINDOWS\SYSTEM32\lsass.exe

2002-08-29 04:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 16:53 58368 44fce06d98349f92a39a9a242b88650f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 19:12 132248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 14:17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 00:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47 204800]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30 45632]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 13:41 586896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 00:27 52848]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49 188416]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe" [2004-02-12 14:49 90224]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 12:50 49152]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 08:25 11776]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 03:03 81920]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 09:52 218232]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-03-21 15:00 78848]

C:\Documents and Settings\Donald X\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2004-04-13 17:03:10 299008]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2004-02-09 16:04:05 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-03-04 22:37:45 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-18 16:37:42 110592]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-02-06 20:06:30 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-13 16:42:42 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Donald X^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Donald X\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MS Remote Access\\NetClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2001-01-15 06:01]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2001-01-15 06:01]
R2 io.sys;IO.DLL Driver;C:\WINDOWS\system32\drivers\io.sys [2005-02-10 17:53]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2001-01-15 06:01]
R2 pcscoax;3270 Coax Driver;C:\WINDOWS\system32\drivers\pcscoax.sys [2001-01-15 06:01]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2001-01-15 06:01]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2001-01-15 06:01]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-08-04 15:03]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2001-01-15 06:01]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2001-01-15 06:01]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2001-01-15 06:01]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2001-01-15 06:01]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2001-01-15 06:01]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2001-01-15 06:01]
R3 pdlnampa;PDLC Adapter -- MultiProtocol Adapter;C:\WINDOWS\system32\drivers\pdlnampa.sys [2001-01-15 06:01]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2001-01-15 06:01]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2001-01-15 06:01]
R3 pdlnatnm;Twinax Adapter Namakan;C:\WINDOWS\system32\drivers\pdlnatnm.sys [2001-01-15 06:01]
R3 pdlnatsn;Twinax Adapter Snow;C:\WINDOWS\system32\drivers\pdlnatsn.sys [2001-01-15 06:01]
R3 pdlnawac;PDLC Adapter -- WACType;C:\WINDOWS\system32\drivers\pdlnawac.sys [2001-01-15 06:01]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2001-01-15 06:01]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2001-01-15 06:01]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2001-01-15 06:01]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2001-01-15 06:01]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2001-01-15 06:01]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2001-01-15 06:01]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2001-01-15 06:01]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2001-01-15 06:01]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2001-01-15 06:01]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2001-01-15 06:01]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2001-01-15 06:01]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2001-01-15 06:01]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2001-01-15 06:01]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2001-01-15 06:01]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2001-01-15 06:01]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2001-01-15 06:01]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2001-01-15 06:01]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-10-05 08:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20ed9322-5b3f-11d8-938a-00038a000015}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0344117-6e1d-11dc-9b07-000cf191f4cf}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-19 C:\WINDOWS\Tasks\HP Usg Daily.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 12:50]

2008-08-19 C:\WINDOWS\Tasks\HP Usg Login.job
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 12:50]

2008-08-19 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Donald X\Application Data\Mozilla\Firefox\Profiles\f7rci9ei.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.cnn.com/
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1172.2021\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvirtools.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 18:20:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\DRIVERS\trcboot.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ldlcserv.exe
C:\Program Files\Personal Communications\pcs_agnt.exe
C:\PROGRA~1\MSREMO~1\NetCfgSv.EXE
C:\PROGRA~1\NO995A~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\PROGRA~1\NO995A~1\NORTON~1\SPEEDD~1\NOPDB.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\SYSTEM32\hphipm11.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-18 18:28:15 - machine was rebooted [Donald X]
ComboFix-quarantined-files.txt 2008-08-19 01:27:18

Pre-Run: 83,111,362,560 bytes free
Post-Run: 83,163,668,480 bytes free

338 --- E O F --- 2008-08-15 21:56:34
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-18 18:33:55
Windows 5.1.2600 Service Pack 2



---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\System32\svchost.exe[292] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[540] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[1188] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[1232] C:\WINDOWS\system32\services.exe section is executable [0x0101B000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1472] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1668] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1988] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.reloc C:\WINDOWS\explorer.exe[4088] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x5000, 0x62000060]

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Sat Aug 23, 2008 2:22 am    Post subject:

Here's the writeup:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=147500

Gmer is not flagging those hidden files or registry entries so it looks like CF got them.

I'm not sure what this is:
2008-08-11 14:26 . 2008-08-11 14:26 245 --a------ C:\WINDOWS\tmp303093.bat

You can inspect it in Notepad: right-click it and select Edit.

Also, do a complete system scan with an updated AV and an antispyware program as a followup.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Sat Aug 23, 2008 5:43 am    Post subject:

Thanks. Looks like I missed that batch file.

Right before I read your reply I advised the client to update to XP SP3 which should replace explorer.exe, services.exe, svchost.exe and winlogon.exe with clean versions of those files.

I'm guessing that the SP2 versions were compromised and somehow Windows SFP wasn't detecting them - or possibly SFP was disabled?

Thanks.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Sat Aug 23, 2008 3:16 pm    Post subject:

I doubt that those were counterfeit copies or any AV would easily pick that up. Also, Combofix is able to recognize many infections where system files are compromised and it often replaces them which is why you should install RC for recovery purposes.

User Code sections just means that code in those EXEs refers to executable code which exists elsewhere, but it does not mean that that external code is necessarily malicious.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
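The GMER lines the first post asks about carry three bracketed values per section: the virtual address, the size, and the section's characteristics word. Decoding that word shows exactly which bits made GMER say "section is executable". The script below is an added example, not GMER's or ComboFix's code; the IMAGE_SCN_* flag names and bit values come from the PE/COFF specification, the set of "data-only" section names is my triage heuristic, and the sample input is the "User code sections" block from the GMER log posted above. It decodes the bits and groups the hits by image; it does not decide whether the code is malicious, which is negster22's point.

```python
import re
from collections import defaultdict

# Section characteristic bits from the PE/COFF specification (IMAGE_SCN_*).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Sections that normally hold data, not code (my heuristic, not GMER's list).
DATA_SECTIONS = {".rsrc", ".reloc", ".data", ".rdata", ".idata"}

# One GMER "User code sections" line:
#   <section> <process path>[<pid>] <image path> section is executable [<va>, <size>, <chars>]
GMER_LINE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<image>.+?)\s+"
    r"section is executable\s+\[(?P<va>0x[0-9A-Fa-f]+),\s*(?P<size>0x[0-9A-Fa-f]+),"
    r"\s*(?P<chars>0x[0-9A-Fa-f]+)\]$"
)

# Constructed sample: the nine lines from the GMER log in the first post.
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\System32\svchost.exe[292] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[540] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[1188] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[1232] C:\WINDOWS\system32\services.exe section is executable [0x0101B000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1472] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1564] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1668] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1988] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.reloc C:\WINDOWS\explorer.exe[4088] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x5000, 0x62000060]
"""


def decode_flags(value):
    """Names of the IMAGE_SCN_* bits set in a characteristics word, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]


def parse_gmer_user_sections(text):
    """Parse every 'section is executable' line into a dict with numeric fields."""
    records = []
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if not m:
            continue
        chars = int(m["chars"], 16)
        records.append({
            "section": m["section"],
            "process": m["process"],
            "pid": int(m["pid"]),
            "image": m["image"].lower(),   # paths differ only in case in the log
            "va": int(m["va"], 16),
            "size": int(m["size"], 16),
            "chars": chars,
            "flags": decode_flags(chars),
        })
    return records


def unexpected_executable(records):
    """Records whose data-only section carries IMAGE_SCN_MEM_EXECUTE."""
    return [r for r in records
            if r["section"] in DATA_SECTIONS and "IMAGE_SCN_MEM_EXECUTE" in r["flags"]]


def by_image(records):
    """Map each image path to the sorted list of PIDs GMER reported for it."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["image"]].add(r["pid"])
    return {image: sorted(pids) for image, pids in grouped.items()}


if __name__ == "__main__":
    recs = parse_gmer_user_sections(SAMPLE_GMER_LOG)
    for r in unexpected_executable(recs):
        print(f"{r['section']:<7}{r['image']} pid={r['pid']} "
              f"va=0x{r['va']:08X} size=0x{r['size']:X} {' | '.join(r['flags'])}")
    for image, pids in by_image(recs).items():
        print(f"{image}: {len(pids)} process(es) {pids}")
```

Every line in the sample decodes to CNT_CODE | CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ (explorer.exe's .reloc adds MEM_DISCARDABLE), which is the combination GMER reports as executable on a section whose name suggests data. Running it over a log from a clean machine of the same build is the natural next step when deciding whether the hits are environmental or specific to one box.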
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Sun Aug 24, 2008 2:28 pm    Post subject:

I had not seen those Windows EXEs show up in the gmer log on other PCs I've scanned - so that's why I was concerned that those files may still be vulnerable.

I hadn't realized that ComboFix would use the Recovery Console for recovery. I will install RC in future scans - thanks for the tip.

FYI, I've been following another interesting forum thread that I found when I searched for "Explorer.exe section is executable": http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=120. Looks like we'll be seeing more of this Rootkit infection.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Sun Aug 24, 2008 8:33 pm    Post subject:

Yes, Kimberly could give Mark R a run for his money! She is a great security researcher.

If you suspect malware and you have the system in front of you, then always check your firewall log for suspicious activity, and it's also beneficial to use a port to process mapping program like TCPView, or Port Explorer.

What I like to do is run sigcheck if I suspect an altered Windows file to verify whether it has a valid digital signature.

When I gave your CF log a better look, something appears amiss but it would be correctible with an SP3 install:

Quote:
------- Sigcheck -------

2002-08-29 04:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-08-11 14:26 505856 e853481fef64a5be3fc3732d9d3d926a C:\WINDOWS\SYSTEM32\winlogon.exe

2007-06-13 03:23 1035264 90bdefa8740e66dee42c12eb1c30c789 C:\WINDOWS\explorer.exe
2003-05-11 22:12 996352 a73bc66a95cf4f7b597fc8975778a889 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2002-08-29 04:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtUninstallKB820291$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-08-29 04:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 110080 5812a3513734517f8c2c5eab6b269864 C:\WINDOWS\SYSTEM32\services.exe

2002-08-29 04:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed C:\WINDOWS\SYSTEM32\lsass.exe

2002-08-29 04:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 16:53 58368 44fce06d98349f92a39a9a242b88650f C:\WINDOWS\SYSTEM32\spoolsv.exe


These appear to be flagged by CF as unsigned (sigcheck is utilized by CF), so I am now wondering if your client has a legit copy of Windows. That is pretty easily verifiable with MGADiag.

Please run the MGA Diagnostic Tool by doing the following:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


Now, if the Windows install proves to be unauthentic, then your client will not be able to install SP3.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
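The sigcheck block negster22 quotes above lists a date, size, MD5 and path for every copy of each system file, including the rollback copies Windows keeps under ServicePackFiles\i386 and the $NtUninstall*$ folders. The script below is an added example (not part of the thread, and not ComboFix's or sigcheck's own code) that parses that listing and, for each live copy under SYSTEM32 or the Windows root, reports whether its hash matches any rollback copy, how much larger or smaller it is than the ServicePackFiles baseline, and whether it is newer than every rollback copy. The sample input is the listing from the post above; function and field names are this example's own.

```python
"""Triage a ComboFix/sigcheck-style file listing against the rollback copies
Windows keeps under ServicePackFiles\\i386 and $NtUninstall*$ folders.
Added example; not part of the forum thread, ComboFix or sigcheck."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# One listing line: "YYYY-MM-DD HH:MM size md5 path" (the layout shown in the log above).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>.+?)\s*$"
)

# Sample input: the sigcheck block quoted in the post above.
SAMPLE_LISTING = r"""
2002-08-29 04:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\SYSTEM32\svchost.exe
2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-08-11 14:26 505856 e853481fef64a5be3fc3732d9d3d926a C:\WINDOWS\SYSTEM32\winlogon.exe
2007-06-13 03:23 1035264 90bdefa8740e66dee42c12eb1c30c789 C:\WINDOWS\explorer.exe
2003-05-11 22:12 996352 a73bc66a95cf4f7b597fc8975778a889 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2002-08-29 04:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtUninstallKB820291$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2002-08-29 04:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 110080 5812a3513734517f8c2c5eab6b269864 C:\WINDOWS\SYSTEM32\services.exe
2002-08-29 04:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed C:\WINDOWS\SYSTEM32\lsass.exe
2002-08-29 04:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 00:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 16:53 58368 44fce06d98349f92a39a9a242b88650f C:\WINDOWS\SYSTEM32\spoolsv.exe
"""


@dataclass
class FileEntry:
    mtime: datetime
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        """True for copies that service pack and hotfix installers leave behind for rollback."""
        p = self.path.lower()
        return ("\\servicepackfiles\\" in p
                or "\\$ntservicepackuninstall$\\" in p
                or "\\$ntuninstall" in p)


def parse_listing(text: str) -> list:
    """Return FileEntry objects for every line that has the sigcheck layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(FileEntry(mtime, int(m["size"]), m["md5"].lower(), m["path"]))
    return entries


def triage(entries: list) -> dict:
    """Compare each live (non-rollback) copy with the rollback copies of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    report = {}
    for name, group in by_name.items():
        refs = [e for e in group if e.is_reference]
        if not refs:
            continue  # nothing to compare against
        newest_ref = max(refs, key=lambda r: r.mtime)
        # Size baseline: the ServicePackFiles copy when present, else the newest rollback copy.
        baseline = next((r for r in refs if "\\servicepackfiles\\" in r.path.lower()), newest_ref)
        for live in (e for e in group if not e.is_reference):
            report[name] = {
                "live_path": live.path,
                "live_size": live.size,
                "matches_reference": any(r.md5 == live.md5 for r in refs),
                "size_delta": live.size - baseline.size,
                "newer_than_references": live.mtime > newest_ref.mtime,
            }
    return report


def needs_signature_check(report: dict) -> list:
    """Names whose live copy matches no rollback copy and is newer than all of them.
    Legitimately hotfixed files land here too, so confirm with sigcheck's signature
    verification (or a known-good hash) before replacing anything."""
    return [name for name, r in report.items()
            if not r["matches_reference"] and r["newer_than_references"]]


if __name__ == "__main__":
    rep = triage(parse_listing(SAMPLE_LISTING))
    for name, r in rep.items():
        print(f"{name:14} delta={r['size_delta']:+6d}  match={r['matches_reference']}  "
              f"newer={r['newer_than_references']}")
    print("verify signatures on:", needs_signature_check(rep))
```

On the listing above none of the six live copies hashes to a rollback copy, and the SYSTEM32 winlogon.exe is both 3584 bytes larger than the ServicePackFiles copy and dated 2008-08-11, later than every rollback copy, which is what makes it stand out. A hash mismatch alone is not a verdict: a hotfix or a service pack upgrade also produces one, which is why the final answer has to come from the Authenticode check rather than from this comparison.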
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Thu Aug 28, 2008 2:26 pm    Post subject:

negster22 wrote:

I'm not sure what this is:
2008-08-11 14:26 . 2008-08-11 14:26 245 --a------ C:\WINDOWS\tmp303093.bat


I found a similarly named file on a different infected PC I worked on yesterday. Here's the contents...
Quote:
@echo off
del "C:\WINDOWS\system32\svchost.ex_"
del "C:\WINDOWS\system32\winlogon.ex_"
del "C:\WINDOWS\system32\services.ex_"
del "C:\WINDOWS\system32\lsass.ex_"
del "C:\WINDOWS\system32\spoolsv.ex_"
del "C:\WINDOWS\explorer.ex_"
del %0

The PC I worked on yesterday wouldn't even boot to the desktop in normal mode. I had to use a boot disk to replace the 6 files above with legitimate versions from the C:\Windows\SystemPackFiles\i386 folder in order to boot. The files originally in the Windows folder had modified dates in the past few days, and they were a few KB larger than the legit files.

I submitted one of the original files to virusscan.jotti.org and only 3 of the vendors recognized it as malicious - 2 identified it as Trojan.Win32.Patched.aa.

After manually replacing the files and other cleanup the gmer log showed:
Quote:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-27 15:37:31
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP111.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1840] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----

Do the results posted under "User code sections" indicate that MsnMsgr.Exe and iexplore.exe may also be still infected or patched?

I am surprised that this malware appears to be circumventing Windows SFP?

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Fri Aug 29, 2008 2:17 am    Post subject:

That Gmer log looks OK. I have seen those hooks before.

That batch file is rather telling considering those files represent all the replaced system files. You can tell by the date on the batch when the infection took hold:
2008-08-11

I am wondering if one of the two scanners that correctly flagged the file as patched was Microsoft. You can also try VirusTotal which has the MS scanner included - I'm not sure if Jotti does.

You may want to run this tool which targets backdoors, bots, and rootkits:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to your operating system drive (the drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode and then launch SDFix, by doing the following:


  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • You should paste the contents of the Report.txt in your next reply.


Also Malwarebytes' Anti-Malware targets all the new infections. You can find the directions here:
http://wiki.castlecops.com/Malware_Removal:_Trojan_Removal_Programs

It may find some additional infected files.

There are numerous ways to bypass WFP but I won't elaborate on them.

I've got to watch Obama, but I'll research this some more.

Check this out:
http://icrontic.com/forum/showthread.php?p=630471


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Fri Aug 29, 2008 2:31 pm    Post subject:

Thanks for the reply. I will try SDFix, and add it to my tools.

I tried Malwarebytes yesterday on a different PC, and it did surprisingly well.

Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Fri Aug 29, 2008 3:31 pm    Post subject:

I submitted one of the patched files to VirusTotal. 24/34 of the scanners detected it as something with "Patched" in the name - including MS. The same file through Jotti still only had 3/20.

Kaspersky and BitDefender are on both sites - it was detected by them on VirusTotal, but not on Jotti. Jotti must not be using current definitions.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Tue Sep 02, 2008 12:31 am    Post subject:

Sorry for the late reply, I didn't get a topic reply notification on your last response.

Quote:
I submitted one of the patched files to VirusTotal. 24/34 of the scanners detected it as something with "Patched" in the name - including MS. The same file through Jotti still only had 3/20.

If many of the scanners overlap between Jotti and VT, I guess that shows you which site has the most current defs.

Do you still have the samples (infected files) - let me know because I'd like a zipped folder of them along with the VT scan reports. If you have them, I'll let you know how to accomplish that transfer.

The rootkit driver you have can accompany Rogue (fake) security programs and MBAM targets those very well.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=147500


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Fri Sep 05, 2008 5:07 am    Post subject:

Yes I still have the infected files. Feel free to PM me and I will zip and send them.

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Fri Sep 05, 2008 3:31 pm    Post subject:

We actually have a forum for unknown files at CC where staff can access them for research and reporting purposes.

Please go here:
CastleCops Link/f81-Unknown_Files.html

Here is the companion FAQ:
CastleCops Link/t27288-FAQ_on_Unknown_or_Malware_Files.html

Then use the "Post Reply" button - instead of the Quick Reply one.

You will be able to attach the infected folder that way.

Label the topic appropriately and include a link to this topic in the content of your reply. If you have any VT reports on the individual files it would be helpful if you include them as well (condense the positive results). I will look for your post.

Thank you for helping the cause, W_G!


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Wireless_Guru

Trooper


Joined: May 31, 2004
Posts: 18
Location: USA

PostPosted: Sat Sep 06, 2008 1:18 pm    Post subject:

Done!

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394