Please help me solve these problems--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:46 PM, on 5/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\CAPM1RSK.EXE
C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
C:\WINNT\system32\TASKMGR.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0 Professional\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\system32\TASKMGR.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7570 bytes
**********************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 8:54:39 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 748843
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 48369
Number of viruses found: 11
Number of infected objects: 34
Number of suspicious objects: 1
Duration of the scan process: 08:23:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\18dwp1gp.slt\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\ѕуstem32\netdde.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\RetroExpress.exe.fe859fee.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\winvsnet.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF9BF9.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5CMZOFJ3\winvsnet[1].exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AFAO02N3\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Z06URDEJ\snapsnet[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Z06URDEJ\snapsnet[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-08_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66C50000.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79590000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\036C0000.VBN Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03740000.VBN Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\039C0000.VBN Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04340000.VBN/run.exe Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04340000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04340000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05540000.VBN Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05640000.VBN Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05A80000.VBN Infected: Trojan-Downloader.Win32.Zlob.fnr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80000.VBN Infected: Trojan-Downloader.Win32.VB.eer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80001.VBN Infected: Trojan-Downloader.Win32.VB.eer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80002.VBN Infected: Trojan-Downloader.Win32.Small.ved skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80003.VBN Infected: Trojan-Downloader.Win32.Small.ved skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80004.VBN Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80005.VBN Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80006.VBN Infected: Trojan.Win32.Agent.lom skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D80007.VBN Infected: Trojan.Win32.Agent.lom skipped
C:\Program Files\winvi\update.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe NSIS: infected - 2 skipped
C:\WINNT\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\cNF\srkcont3.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINNT\system32\cNF\srkcont3.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINNT\system32\cNF\srkcont3.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINNT\system32\cNF\srkcont3.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINNT\system32\cNF\srkcont3.exe NSIS: infected - 4 skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINNT\system32\drivers\seriall.sys Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_230.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_528.dat Object is locked skipped

Scan process completed.


Thanks in advance for your assistance.

Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Documents and Settings\Administrator\Application Data\ѕуstem32\netdde.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winvsnet.exe
C:\Program Files\winvi
C:\WINNT\17PHolmes572.exe
C:\WINNT\system32\cNF
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

ComboFix 08-05-08.1 - Lord 05/09/2008 10:50:03.1 - NTFSx86
Running from: H:\Downloads continued\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINNT\17PHolmes1000106.exe
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\seriall.sys
C:\WINNT\system32\pac.txt
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_SERIALL
-------\Legacy_TNIDRIVER
-------\Service_seriall


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 11:05 . 08-05-09 11:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4b4.dat
2008-05-08 21:23 . 08-05-08 21:23 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-08 21:23 . 08-05-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-08 20:56 . 08-05-08 20:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 09:08 . 08-05-08 09:08 8,192 --a------ C:\Documents and Settings\New
2008-05-07 21:36 . 08-05-08 20:07 259 --a------ C:\WINNT\wininit.ini
2008-05-07 13:43 . 08-05-07 21:54 <DIR> d--hs---- C:\WINNT\UGF0IFNoZWVoeQ
2008-05-07 13:43 . 08-05-07 19:09 <DIR> d-------- C:\WINNT\system32\din3
2008-05-07 13:43 . 08-05-07 21:08 <DIR> d-------- C:\WINNT\system32\cdTMP
2008-05-07 13:43 . 08-05-07 21:08 <DIR> d-------- C:\WINNT\system32\12033
2008-05-07 13:39 . 08-05-07 19:07 <DIR> d-------- C:\WINNT\system32\bkEur01
2008-05-07 13:39 . 08-05-07 13:43 <DIR> d-------- C:\Temp\maxsv15
2008-05-07 11:46 . 08-05-07 11:46 <DIR> d-------- C:\Documents and Settings\User\Application Data\DivX
2008-05-07 11:42 . 08-05-07 11:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\Media Player Classic
2008-05-04 16:35 . 08-05-04 16:35 <DIR> d-------- C:\Documents and Settings\User\Application Data\PC Suite
2008-05-01 19:23 . 08-05-01 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-04-23 02:03 . 08-05-01 02:01 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-04-23 02:03 . 08-04-23 02:03 1,409 --a------ C:\WINNT\QTFont.for
2008-04-19 16:25 . 08-04-19 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-19 16:21 . 08-04-19 16:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-19 16:21 . 08-04-19 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-04-19 16:20 . 08-04-19 16:20 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-19 16:20 . 08-04-19 16:20 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-19 16:19 . 08-04-19 16:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-04-19 16:18 . 08-04-19 16:21 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2008-04-19 16:18 . 08-04-19 16:19 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-19 16:17 . 07-02-22 10:15 90,624 --a------ C:\WINNT\system32\nmwcdcls.dll
2008-04-19 16:13 . 08-04-19 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-19 15:52 . 08-04-19 15:52 19 --a------ C:\WINNT\SoundConverter.INI
2008-04-19 15:27 . 06-06-10 23:58 43,136 -ra------ C:\WINNT\system32\drivers\ser2pl.sys
2008-04-19 15:21 . 08-04-19 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-04-19 15:18 . 08-04-19 16:20 <DIR> d-------- C:\Program Files\Nokia
2008-04-09 10:52 . 08-04-09 10:52 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-09 10:51 . 08-04-09 10:51 <DIR> d-------- C:\Program Files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-08 04:16 --------- d-----w C:\Program Files\NavNT
2008-05-07 21:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-29 08:49 --------- d-----w C:\Program Files\Autoruns
2008-04-19 22:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-12 06:26 --------- d-----w C:\Documents and Settings\User\Application Data\Intuit
2008-04-08 05:15 12,888 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-04-07 19:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-07 19:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 19:45 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 19:33 --------- d-----w C:\Program Files\g3torrent
2008-04-06 19:54 --------- d-----w C:\Program Files\uTorrent
2008-03-29 04:23 --------- d-----w C:\Program Files\freecommander
2007-03-30 22:52 12,888 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-03-17 08:49 271 ---ha-w C:\Program Files\desktop.ini
2006-03-17 08:49 21,952 ---ha-w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-05-14 00:12 217,073 --sha-r C:\WINNT\meta4.exe
2005-10-24 18:13 66,560 --sha-r C:\WINNT\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r C:\WINNT\x2.64.exe
2005-10-08 02:14 308,224 --sha-r C:\WINNT\system32\avisynth.dll
2005-07-14 19:31 27,648 --sha-r C:\WINNT\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2006-04-27 17:24 2,945,024 --sha-r C:\WINNT\system32\Smab.dll
2005-02-28 20:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
2005-07-29 23:24 472 --sha-r C:\WINNT\UGF0IFNoZWVoeQ\o3IXKIhCtqpCyk.vbs
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\Program Files\Netscape\Netscape\Netscp.exe" [04-08-04 16:41 526224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 10:50 155648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe" [04-12-14 02:12 483328]
"vptray"="C:\Program Files\NavNT\vptray.exe" [01-09-24 07:59 73728]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [06-03-27 16:04 712704]
"mspm"="C:\Program Files\Maxtor\OneTouch\utils\mspm.exe" [05-09-03 04:10 225280]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [06-02-06 09:22 18583552]
"Dit"="Dit.exe" [02-03-12 16:10 23026 C:\WINNT\Dit.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]
Task Manager.lnk - C:\WINNT\system32\TASKMGR.EXE [2006-04-17 00:39:02 87312]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]
TASKMGR.EXE.lnk - C:\WINNT\system32\TASKMGR.EXE [2006-04-17 00:39:02 87312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-07 09:45:30 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 23:19:28 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Canon PC1200 iC D600 iR1200G Status Window.LNK - C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE [2006-04-19 12:11:59 30208]
Microsoft Office.lnk - C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.I420"= i420vfw.dll
"vidc.VP31"= vp31vfw.dll

R0 ROFF;ROFF;C:\WINNT\system32\drivers\ROFF.sys [03-06-09 10:00 ]
R2 RapidPortM1;RapidPortM1;C:\WINNT\system32\Drivers\CAPM1LP.SYS [01-12-06 08:00 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 OODefrag;O&O Defrag;C:\WINNT\system32\oodag.exe [02-02-08 13:15 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 11:05:09
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32\Perflib_Perfdata_404.dat 16384 bytes
C:\WINNT\system32\Perflib_Perfdata_4b4.dat 16384 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll
.
Completion time: 2008-05-09 11:11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 18:11:20

Pre-Run: 1,251,348,480 bytes free
Post-Run: 1,278,988,288 bytes free

159
******************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:35 AM, on 5/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\CAPM1RSK.EXE
C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\TASKMGR.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0 Professional\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\system32\TASKMGR.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 7653 bytes

*******************
What do you advise?

Thank you.

note: this was done as per your instructions



Explorer killed successfully
File/Folder C:\Documents and Settings\Administrator\Application Data\??stem32\netdde.exe not found.
C:\Documents and Settings\Administrator\Local Settings\Temp\winvsnet.exe moved successfully.
C:\Program Files\winvi\dsktp moved successfully.
C:\Program Files\winvi moved successfully.
C:\WINNT\17PHolmes572.exe moved successfully.
C:\WINNT\system32\cNF moved successfully.
< purity >
C:\Documents and Settings\Administrator\Application Data\ѕуstem32\ѕуstem32 moved successfully.
C:\Documents and Settings\Administrator\Application Data\ѕуstem32 moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05092008_100615

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::

Folder::
C:\WINNT\UGF0IFNoZWVoeQ
C:\WINNT\system32\din3
C:\WINNT\system32\cdTMP
C:\WINNT\system32\12033
C:\WINNT\system32\bkEur01
C:\Temp\maxsv15

Registry::

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how your PC is running

HijackThis--system scan only:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:49 PM, on 5/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\CAPM1RSK.EXE
C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\TASKMGR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0 Professional\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE (User 'Default user')
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
O4 - Startup: TASKMGR.EXE.lnk = C:\WINNT\system32\TASKMGR.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

--
End of file - 7622 bytes

******************
selected both "06" problems and fixed them. Exited HijackThis.


******************
created CFScript.txt and dragged into ComboFix.exe.
ComboFix.txt:

ComboFix 08-05-08.1 - Lord 05/09/2008 12:39:01.2 - NTFSx86
Running from: H:\Downloads continued\virus fix_5-8-08\ComboFix\ComboFix.exe
Command switches used :: H:\Downloads continued\virus fix_5-8-08\ComboFix\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\WINNT\system32\12033
C:\WINNT\system32\bkEur01
C:\WINNT\system32\cdTMP
C:\WINNT\system32\din3
C:\WINNT\UGF0IFNoZWVoeQ
C:\WINNT\UGF0IFNoZWVoeQ\o3IXKIhCtqpCyk.vbs

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 12:39 . 05/09/08 12:39p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-05-09 11:05 . 05/09/08 11:05a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4b4.dat
2008-05-09 11:05 . 05/09/08 11:05a 0 --a----t- C:\WINNT\system32\Perflib_Perfdata_404.dat
2008-05-08 21:23 . 05/08/08 09:23p <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-08 21:23 . 05/08/08 09:23p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-08 20:56 . 05/08/08 08:56p <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 09:08 . 05/08/08 09:08a 8,192 --a------ C:\Documents and Settings\New
2008-05-07 21:36 . 05/08/08 08:07p 259 --a------ C:\WINNT\wininit.ini
2008-05-07 11:46 . 05/07/08 11:46a <DIR> d-------- C:\Documents and Settings\User\Application Data\DivX
2008-05-07 11:42 . 05/07/08 11:48a <DIR> d-------- C:\Documents and Settings\User\Application Data\Media Player Classic
2008-05-04 16:35 . 05/04/08 04:35p <DIR> d-------- C:\Documents and Settings\User\Application Data\PC Suite
2008-05-01 19:23 . 05/01/08 07:23p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-04-23 02:03 . 05/01/08 02:01a 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-04-23 02:03 . 04/23/08 02:03a 1,409 --a------ C:\WINNT\QTFont.for
2008-04-19 16:25 . 04/19/08 04:25p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-19 16:21 . 04/19/08 04:21p <DIR> d-------- C:\Program Files\DIFX
2008-04-19 16:21 . 04/19/08 04:27p <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-04-19 16:20 . 04/19/08 04:20p <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-19 16:20 . 04/19/08 04:20p <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-19 16:19 . 04/19/08 04:26p <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-04-19 16:18 . 04/19/08 04:21p <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2008-04-19 16:18 . 04/19/08 04:19p <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-19 16:17 . 02/22/07 10:15a 90,624 --a------ C:\WINNT\system32\nmwcdcls.dll
2008-04-19 16:13 . 04/19/08 04:14p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-04-19 15:52 . 04/19/08 03:52p 19 --a------ C:\WINNT\SoundConverter.INI
2008-04-19 15:27 . 06/10/06 11:58p 43,136 -ra------ C:\WINNT\system32\drivers\ser2pl.sys
2008-04-19 15:21 . 04/19/08 03:21p <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
2008-04-19 15:18 . 04/19/08 04:20p <DIR> d-------- C:\Program Files\Nokia
2008-04-09 10:52 . 04/09/08 10:52a <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-09 10:51 . 04/09/08 10:51a <DIR> d-------- C:\Program Files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-05-08 04:16 --------- d-----w C:\Program Files\NavNT
2008-05-07 21:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-04-29 08:49 --------- d-----w C:\Program Files\Autoruns
2008-04-19 22:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-12 06:26 --------- d-----w C:\Documents and Settings\User\Application Data\Intuit
2008-04-08 05:15 12,888 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-04-07 19:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-07 19:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 19:45 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 19:33 --------- d-----w C:\Program Files\g3torrent
2008-04-06 19:54 --------- d-----w C:\Program Files\uTorrent
2008-03-29 04:23 --------- d-----w C:\Program Files\freecommander
2007-03-30 22:52 12,888 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-03-17 08:49 271 ---ha-w C:\Program Files\desktop.ini
2006-03-17 08:49 21,952 ---ha-w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-05-14 00:12 217,073 --sha-r C:\WINNT\meta4.exe
2005-10-24 18:13 66,560 --sha-r C:\WINNT\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r C:\WINNT\x2.64.exe
2005-10-08 02:14 308,224 --sha-r C:\WINNT\system32\avisynth.dll
2005-07-14 19:31 27,648 --sha-r C:\WINNT\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2006-04-27 17:24 2,945,024 --sha-r C:\WINNT\system32\Smab.dll
2005-02-28 20:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\Program Files\Netscape\Netscape\Netscp.exe" [08/04/04 04:41p 526224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 10:50a 155648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0 Professional\Distillr\Acrotray.exe" [12/14/04 02:12a 483328]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/01 07:59a 73728]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [03/27/06 04:04p 712704]
"mspm"="C:\Program Files\Maxtor\OneTouch\utils\mspm.exe" [09/03/05 04:10a 225280]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [02/06/06 09:22a 18583552]
"Dit"="Dit.exe" [03/12/02 04:10p 23026 C:\WINNT\Dit.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 12:05p 186640]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]
Task Manager.lnk - C:\WINNT\system32\TASKMGR.EXE [2006-04-17 00:39:02 87312]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-02-01 16:53:24 405560]
TASKMGR.EXE.lnk - C:\WINNT\system32\TASKMGR.EXE [2006-04-17 00:39:02 87312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-07 09:45:30 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 23:19:28 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Canon PC1200 iC D600 iR1200G Status Window.LNK - C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE [2006-04-19 12:11:59 30208]
Microsoft Office.lnk - C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.I420"= i420vfw.dll
"vidc.VP31"= vp31vfw.dll

R0 ROFF;ROFF;C:\WINNT\system32\drivers\ROFF.sys [06/09/03 10:00a]
R2 RapidPortM1;RapidPortM1;C:\WINNT\system32\Drivers\CAPM1LP.SYS [12/06/01 08:00a]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [10/23/99 05:22a]
S3 OODefrag;O&O Defrag;C:\WINNT\system32\oodag.exe [02/08/02 01:15p]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 12:43:12
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll
.
Completion time: 05/09/2008 12:47:11
ComboFix-quarantined-files.txt 2008-05-09 19:47:01
ComboFix2.txt 2008-05-09 18:11:31

Pre-Run: 1,245,913,088 bytes free
Post-Run: 1,240,752,128 bytes free

147
****************************************




Malwarebytes' Anti-Malware:
quickscan and selected the 5 errors to fix.
report:
Malwarebytes' Anti-Malware 1.12
Database version: 737

Scan type: Quick Scan
Objects scanned: 31739
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
*********************************


How is my PC running?
After reboot:
Whenever I R-click on the Start menu to bring up explorer, or double-click the "My Computer" icon on the desktop, Nokia Phone Browser task starts up and I get a dialog box saying, "The operation could not be completed." Then the explorer or My Computer window appears. I need to fix this. Any ideas?

By the way, what does OTMoveIt2 do, move the files? Where? Or does it delete the files?

And thank you for all your help. I no longer have automatically generated IExplorer windows every few minutes. I no longer see suspicious processes
appear and then then disappear in Task Manager.

It quarantines them

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png





Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

After reboot:
Whenever I R-click on the Start menu to bring up explorer, or double-click the "My Computer" icon on the desktop, Nokia Phone Browser task starts up and I get a dialog box saying, "The operation could not be completed." Then the explorer or My Computer window appears.

I need to fix this. Any ideas?

This may be causing that

Fix this entry with HijackThis

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon


Let me know if that helps

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.