Another virtumonde vista infection



jak167
2008-05-17, 05:34
Somehow picked up the virtumonde and even though I thought I had it licked (machine ran fine for two days) then the SOB came back! Arghh!! Based upon your forum, at least I'm not the only fool to get it. Any help would be appreciated. Following the instructions, below please find the HJT log with the Kaspersky log following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:07 PM, on 5/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAV\VPTray.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAV\DoScan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SAV\SavUI.exe
C:\Users\John\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vpn.krupalaw.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47487FAE-BDB2-40DE-9552-8EE5A569CE05} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CA3D3CE6-FF7B-44B2-AEDF-1344FEF415C8} - C:\Windows\system32\cbXPiIBT.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA353] command /c del "C:\Windows\System32\cbXPiIBT.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3991] cmd /c del "C:\Windows\System32\cbXPiIBT.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\SAV\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot\SDWinSec.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8865 bytes

Kaspersky Log:

KASPERSKY ONLINE SCANNER REPORT
Friday, May 16, 2008 8:54:24 PM
Operating System: Microsoft Windows Vista Professional, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/05/2008
Kaspersky Anti-Virus database records: 779486
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Z:\
Scan Statistics
Total number of scanned objects 115224
Number of viruses found 2
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 01:04:05

Infected Object Name Virus Name Last Action
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0001.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0003.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0005\483E233A.VBN Infected: Trojan.Win32.KillAV.rf skipped
C:\Windows\System32\cbXPiIBT.dll Infected: Trojan.Win32.Zapchast.gr skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd Object is locked skipped
Z:\Windows\security\database\secedit.sdb Object is locked skipped
Scan process completed.

Thanks again for your help.
jak167

pskelley
2008-05-17, 14:21
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am not seeing Vundo (could be hidden?). I see this trojan:
C:\Windows\System32\cbXPiIBT.dll ------> Trojan.Win32.Zapchast.gr
and I cannot find much information about it, so we will try manually first and see what happens.

1) C:\Users\John\Desktop\HiJackThis.exe <<< this is unsafe. Please right click the Desktop and create a NEW FOLDER called HJT and move the HJT.exe and the log that is there into that folder for safety. Backups will also be stored there; it looks like this if done correctly:
C:\Users\John\Desktop\HJT\HiJackThis.exe

2) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only", then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {47487FAE-BDB2-40DE-9552-8EE5A569CE05} - (no file)
O2 - BHO: (no name) - {CA3D3CE6-FF7B-44B2-AEDF-1344FEF415C8} - C:\Windows\system32\cbXPiIBT.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA353] command /c del "C:\Windows\System32\cbXPiIBT.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3991] cmd /c del "C:\Windows\System32\cbXPiIBT.dll"

Close all programs but HJT and all browser windows, then click on "Fix Checked".

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Windows\system32\cbXPiIBT.dll <<< make sure that file is gone; if it gives you trouble, try this tool and instructions:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Notes for Windows Vista users from the tool creator:
On Windows Vista "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As I'm not sure of the effects that emptying prefetch on Windows Vista will have, for the time being I won't enable that function.

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, let me know if it worked.

Thanks

jak167
2008-05-17, 16:24
I followed your instructions. However, once I disabled TeaTimer and restarted, my Symantec AV picked up multiple attacks, Windows Defender got multiple requests to make changes, Spybot on the startup scan found virtumode.dll, and, as I've noticed previously, a second "explorer.exe" process starts gobbling at least one-half of all processor power as the nasties infect the hell out of the machine. Although I tried twice, I could not delete the cbxpilbt file. Here's the HJT log. :-(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:45 AM, on 5/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAV\VPTray.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\windows\system32\rundll32.exe
C:\Windows\Explorer.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Users\John\Desktop\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vpn.krupalaw.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0871FA67-3DBE-48AB-8527-C42A2F014A49} - C:\Windows\system32\cbXPiIBT.dll
O2 - BHO: (no name) - {47487FAE-BDB2-40DE-9552-8EE5A569CE05} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKCU\..\Run: [BM432863c3] Rundll32.exe "c:\temp\xtgatlfj.dll",s
O4 - HKCU\..\Run: [401b505f] rundll32.exe "c:\temp\svfpcrpn.dll",b
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\SAV\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot\SDWinSec.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8786 bytes
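
pskelley's reply above has jak167 fix the unnamed BHO entries in HijackThis and delete cbXPiIBT.dll, and the second log jak167 posted shows what a helper looks for next: rundll32 autostarts loading DLLs out of c:\temp, a RunOnce delete that never took, an AppInit_DLLs entry, and three copies of Explorer.exe where one is normal. The script below is an added example, not code from this thread and not HijackThis, Spybot or ComboFix code; it parses HJT v2 log lines and flags exactly those indicators. The sample log is constructed from entries visible in the post above, and the severity rules are this example's own heuristics (assumptions), not any product's detection names.

```python
"""HJT v2 log triage: flag the indicators discussed in this thread.

Added example, not code from the thread or from HijackThis/Spybot/ComboFix.
The severity rules below are this example's own heuristics (assumptions).
"""
import re
from collections import Counter

# Constructed sample: a few lines copied from the HJT log posted above.
SAMPLE_LOG = r"""Running processes:
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0871FA67-3DBE-48AB-8527-C42A2F014A49} - C:\Windows\system32\cbXPiIBT.dll
O2 - BHO: (no name) - {47487FAE-BDB2-40DE-9552-8EE5A569CE05} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BM432863c3] Rundll32.exe "c:\temp\xtgatlfj.dll",s
O4 - HKCU\..\Run: [401b505f] rundll32.exe "c:\temp\svfpcrpn.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingC3991] cmd /c del "C:\Windows\System32\cbXPiIBT.dll"
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>\S.*)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
HEX_LABEL_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{6,}$")  # e.g. 401b505f, BM432863c3


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log_text):
    """Return (severity, reason, log_line) tuples for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(("low", "orphan BHO registration, DLL already gone", line))
            elif m.group("name") == "(no name)":
                # An unnamed BHO is unusual for commercial software; in system32 it is worse.
                sev = "high" if "\\system32\\" in m.group("path").lower() else "medium"
                findings.append((sev, "unnamed BHO loads a DLL into every IE process", line))
            continue
        m = O4_RE.match(line)
        if m:
            label, cmd = m.group("label"), m.group("cmd")
            if "rundll32" in cmd.lower() and TEMP_DIR_RE.search(cmd):
                findings.append(("high", "rundll32 autostart loading a DLL from a temp directory", line))
            if HEX_LABEL_RE.match(label):
                findings.append(("medium", "autostart value with a random-looking hex name", line))
            if m.group("key").lower() == "runonce" and re.search(r"\bdel\b", cmd, re.IGNORECASE):
                findings.append(("info", "pending delete left by an earlier cleanup attempt", line))
            continue
        if O20_RE.match(line):
            findings.append(("medium", "AppInit_DLLs injects this DLL into every process that loads user32", line))
    # The poster saw a second explorer.exe eating CPU; count shells by image name.
    shells = Counter(p.rsplit("\\", 1)[-1].lower() for p in running_processes(log_text))["explorer.exe"]
    if shells > 1:
        findings.append(("high", f"{shells} explorer.exe processes; one shell is normal", "Running processes"))
    return findings


def by_severity(findings):
    """Sort findings high -> info so the worst items come first."""
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, why, line in by_severity(triage(SAMPLE_LOG)):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents. The heuristics deliberately stay narrow (temp-directory rundll32, hex-named Run values, unnamed BHOs, a populated AppInit_DLLs, duplicate shells) so they point at entries worth a human look rather than deciding anything on their own; the hex-name rule in particular will also match a few legitimate vendor values, so treat "medium" as "check the file's publisher", not "delete".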

pskelley
2008-05-17, 17:10
Thanks for the feedback...

1) Make sure TeaTimer is still disabled.

2) Windows Defender: Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Windows Vista users can use their Windows CD to boot up into the Vista Recovery Environment.

Thanks

jak167
2008-05-17, 17:42
A quick note: when I ran HJT, it indicated that a program has denied write access to the Hosts file and that HJT may not be able to fix the problems.

Here's the ComboFix log:

ComboFix 08-05-15.3 - John 2008-05-17 10:32:16.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1163 [GMT -5:00]
Running from: C:\Users\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\cbXPiIBT.dll
C:\Windows\system32\chckshll.dll
C:\Windows\system32\sgrbanga.ini
C:\Windows\System32\TBIiPXbc.ini
C:\Windows\System32\TBIiPXbc.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Temp\Log
2008-05-17 10:36 . 2008-05-17 10:36 53,248 --a------ C:\Temp\catchme.dll
2008-05-16 19:33 . 2008-05-16 19:33 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-16 19:33 . 2008-05-16 19:33 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-16 19:33 . 2008-05-16 19:33 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-05-12 20:43 . 2008-05-17 08:58 749 --a------ C:\Windows\wininit.ini
2008-05-12 14:29 . 2008-05-12 14:28 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-05-12 14:24 . 2008-05-12 22:23 <DIR> d-------- C:\Users\John\.housecall6.6
2008-05-11 08:54 . 2008-05-12 20:40 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-11 08:54 . 2008-05-12 20:40 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-11 08:54 . 2008-05-12 20:26 <DIR> d-------- C:\Program Files\Spybot
2008-05-05 21:38 . 2008-05-12 01:07 <DIR> d-------- C:\Users\John\AppData\Roaming\BitTorrent
2008-05-05 21:37 . 2008-05-10 09:29 <DIR> d-------- C:\Users\John\AppData\Roaming\DNA
2008-05-05 21:37 . 2008-05-05 21:37 <DIR> d-------- C:\Program Files\DNA
2008-05-05 21:37 . 2008-05-05 21:37 <DIR> d-------- C:\Program Files\BitTorrent
2008-05-05 18:31 . 2008-05-05 18:31 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-05 18:31 . 2008-05-05 18:31 1,409 --a------ C:\Windows\QTFont.for
2008-04-27 12:20 . 2008-04-27 12:20 <DIR> d-------- C:\PerfLogs
2008-04-27 12:03 . 2008-04-27 11:49 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-04-27 12:03 . 2008-04-27 11:49 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-04-27 11:54 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-04-27 11:54 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-04-27 11:54 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-04-27 11:51 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-04-27 11:49 . 2008-04-27 12:04 196,608 --a------ C:\Windows\SPInstall.etl
2008-04-27 11:12 . 2008-04-27 11:12 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-27 11:12 . 2008-04-27 11:12 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-27 11:12 . 2008-04-27 11:12 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-27 11:12 . 2008-04-27 11:12 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-27 11:12 . 2008-04-27 11:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-27 11:12 . 2008-04-27 11:12 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-27 11:12 . 2008-04-27 11:12 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-27 11:12 . 2008-04-27 11:12 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-27 11:12 . 2008-04-27 11:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-27 11:12 . 2008-04-27 11:12 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-27 11:11 . 2008-04-27 11:11 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-27 11:11 . 2008-04-27 11:11 678,408 --a------ C:\Windows\System32\gpprefcl.dll
2008-04-27 11:11 . 2008-04-27 11:11 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-27 11:08 . 2008-04-27 11:08 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-27 11:08 . 2008-04-27 11:08 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-27 10:12 . 2008-04-27 10:12 <DIR> d-------- C:\Program Files\Synaptics
2008-04-27 10:01 . 2006-03-09 09:58 1,060,424 --a------ C:\Windows\System32\WdfCoInstaller01000.dll
2008-04-27 10:01 . 2007-10-26 14:01 196,608 --a------ C:\Windows\System32\SynCtrl.dll
2008-04-27 10:01 . 2007-10-26 14:39 193,456 --a------ C:\Windows\System32\drivers\SynTP.sys
2008-04-27 10:01 . 2007-10-26 14:01 163,840 --a------ C:\Windows\System32\SynCOM.dll
2008-04-27 10:01 . 2007-10-26 14:09 147,456 --a------ C:\Windows\System32\SynTPAPI.dll
2008-04-27 10:01 . 2007-10-26 14:38 110,592 --a------ C:\Windows\System32\SynTPCo4.dll
2008-04-27 10:00 . 2007-09-13 14:45 4,947,968 --a------ C:\Windows\System32\stacgui.cpl
2008-04-27 10:00 . 2007-04-10 17:02 1,601,536 --a------ C:\Windows\System32\stlang.dll
2008-04-27 10:00 . 2007-09-13 14:45 102,400 --a------ C:\Windows\System32\stacsv.exe
2008-04-27 09:59 . 2007-09-13 14:45 595,456 --a------ C:\Windows\System32\stapo.dll
2008-04-27 09:59 . 2007-09-13 14:46 330,240 --a------ C:\Windows\System32\drivers\stwrt.sys
2008-04-27 09:59 . 2007-09-13 14:45 328,704 --a------ C:\Windows\System32\stcplx.dll
2008-04-27 09:59 . 2007-09-13 14:44 299,520 --a------ C:\Windows\System32\stapi32.dll
2008-04-27 09:59 . 2007-09-13 14:45 146,944 --a------ C:\Windows\System32\st325614.dll
2008-04-27 09:58 . 2008-04-27 09:58 <DIR> d-------- C:\Windows\System32\Lang
2008-04-27 09:58 . 2006-11-10 09:25 319,456 --a------ C:\Windows\System32\difxapi.dll
2008-04-27 09:57 . 2008-04-27 09:57 <DIR> d-------- C:\Users\John\AppData\Roaming\InstallShield
2008-04-27 09:57 . 2008-04-27 09:57 <DIR> d-------- C:\Intel
2008-04-27 09:57 . 2007-04-25 12:17 277,784 --a------ C:\Windows\System32\drivers\iaStor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:20 134,556 ----a-w C:\Users\John\AppData\Roaming\nvModes.dat
2008-05-16 22:18 27,335 ----a-w C:\Users\Laura\AppData\Roaming\nvModes.dat
2008-05-12 06:07 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-12 06:07 --------- d-----w C:\Program Files\SimpleCenter
2008-05-12 06:07 --------- d-----w C:\Program Files\Microsoft Works
2008-05-12 03:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-10 15:52 --------- d-----w C:\Users\John\AppData\Roaming\com.zipeg
2008-05-05 23:49 --------- d-----w C:\ProgramData\Apple Computer
2008-04-27 18:41 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-04-27 17:28 --------- d-----w C:\ProgramData\NVIDIA
2008-04-27 17:27 174 --sha-w C:\Program Files\desktop.ini
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Mail
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Defender
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-27 17:20 --------- d-----w C:\Program Files\Windows Calendar
2008-04-27 17:09 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-27 17:09 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-27 16:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-27 15:03 --------- d-----w C:\Program Files\Dell
2008-04-27 14:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 01:16 --------- d-----w C:\Program Files\Netflix
2008-04-13 17:23 --------- d-----w C:\Program Files\Zipeg
2008-04-13 16:56 --------- d-----w C:\Program Files\myiHome
2008-04-13 14:57 --------- d-----w C:\Program Files\KGB Archiver
2008-04-08 01:40 56 --sha-w C:\Users\All Users\dc64vg9.sys
2008-04-08 01:40 56 --sha-w C:\ProgramData\dc64vg9.sys
2008-04-08 01:40 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-04-08 01:38 --------- d-----w C:\Program Files\Common Files\i4j_jres
2008-04-04 15:56 --------- d-----w C:\Program Files\Disk Checker
2008-03-30 12:45 --------- d-----w C:\Program Files\Defraggler
2008-02-09 15:12 2,733,928 ----a-w C:\Users\John\ccsetup204.exe
2007-10-16 21:00 81,920 ----a-w C:\Users\John\AppData\Roaming\ezpinst.exe
2007-10-16 21:00 47,360 ----a-w C:\Users\John\AppData\Roaming\pcouffin.sys
2007-12-04 04:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-04 04:52 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-04 04:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 14:33 1548288]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SAV\VPTray.exe" [2006-11-28 06:34 134808]
"DellNSCST_GRNCH"="C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 19:09 278528]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-04-25 12:18 174872]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 14:44 405504]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD Ghost]
--a------ 2007-02-01 18:05 1536000 C:\Program Files\DVD X Studios\DVD X Utilities\DVDGhost\DVDGhost.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-10-04 22:24 86016 C:\Windows\system32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0670745B-6E02-4CC8-AB46-29C290A17037}C:\\program files\\atari\\nwn2\\nwn2main.exe"= UDP:C:\program files\atari\nwn2\nwn2main.exe:Neverwinter Nights 2
"UDP Query User{48D485D9-C752-48D0-A6A4-505DCD0EB137}C:\\program files\\atari\\nwn2\\nwn2main.exe"= TCP:C:\program files\atari\nwn2\nwn2main.exe:Neverwinter Nights 2
"{95F29892-ECB8-4834-ABEB-6DA6B4CE9FA9}"= UDP:Profile=Public|990:LocalSubnet:LocalSubnet|IF={802F4497-3A1E-427A-94CF-BFBFC9715B98}|C:\Windows\system32\svchost.exe|Svc=rapimgr:Windows Mobile-based device connectivity
"{79A1F9F3-77F3-43F5-8060-A2930FD086B5}"= Disabled:UDP:C:\Program Files\Atari\NWN2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{9D5A0AF6-A8BB-4C67-A61C-6F094E2CF7A7}"= Disabled:TCP:C:\Program Files\Atari\NWN2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{7AACEFB0-7FA2-460E-87BB-E8CE820ACF7E}"= Disabled:UDP:C:\Program Files\SAV\Rtvscan.exe:Symantec Antivirus
"{97FE007B-59E4-4BC2-B740-236714D0AC0F}"= Disabled:TCP:C:\Program Files\SAV\Rtvscan.exe:Symantec Antivirus
"{0AD44CB8-4F1B-41FA-87E9-5D1D68B1DBD6}"= Disabled:UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{8B085592-1115-4EDE-B6FE-A9AED4149AD2}"= Disabled:TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F744A5DD-82D9-4820-B247-2C07A04A3BF2}"= Disabled:UDP:990:LocalSubnet:LocalSubnet|IF={802F4497-3A1E-427A-94CF-BFBFC9715B98}|C:\Windows\system32\svchost.exe|Svc=rapimgr:Windows Mobile-based device connectivity
"TCP Query User{1B1B017F-3676-41A8-A8ED-CF92E4775AD1}C:\\program files\\dell\\dell laser mfp 1815\\networkscan\\dnscst.exe"= UDP:C:\program files\dell\dell laser mfp 1815\networkscan\dnscst.exe:DNSCST Module
"UDP Query User{BF2550C2-C3CC-40D2-945B-2F03F17AA23B}C:\\program files\\dell\\dell laser mfp 1815\\networkscan\\dnscst.exe"= TCP:C:\program files\dell\dell laser mfp 1815\networkscan\dnscst.exe:DNSCST Module
"TCP Query User{D37DF3E2-4CBD-4FAD-9C9F-2896AA912ADE}C:\\program files\\dell\\dell laser mfp 1815\\networkscan\\dnscst.exe"= UDP:C:\program files\dell\dell laser mfp 1815\networkscan\dnscst.exe:DNSCST Module
"UDP Query User{0B41F79A-9FBC-4ECA-84FC-70FDF25DDD93}C:\\program files\\dell\\dell laser mfp 1815\\networkscan\\dnscst.exe"= TCP:C:\program files\dell\dell laser mfp 1815\networkscan\dnscst.exe:DNSCST Module
"{DF68EADD-5279-4513-B815-55695864C48E}"= UDP:C:\Program Files\Atari\NWN2\nwn2main.exe:Neverwinter Nights 2 Main
"{02B8DA99-1B18-42BE-B3D1-AD8AB7DC111A}"= TCP:C:\Program Files\Atari\NWN2\nwn2main.exe:Neverwinter Nights 2 Main
"{D0EFDA1A-B0D4-49B3-BA3B-DF2449C4DBAC}"= UDP:C:\Program Files\Atari\NWN2\nwn2server.exe:Neverwinter Nights 2 Server
"{9B1F8272-531E-4815-9361-A9C90DDF5302}"= TCP:C:\Program Files\Atari\NWN2\nwn2server.exe:Neverwinter Nights 2 Server
"{D18F42F0-8DF4-4F8C-9C0E-0436163C7284}"= UDP:C:\Program Files\Atari\NWN2\nwupdate.exe:Neverwinter Nights 2 Updater
"{6F8D3FC0-A844-445F-9217-8C504AA65B31}"= TCP:C:\Program Files\Atari\NWN2\nwupdate.exe:Neverwinter Nights 2 Updater
"{E206E443-08BE-4110-AAC3-B2B41EDBE5D8}"= Disabled:TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{DBBAF6F9-FF6C-40EF-A07B-2B77B982DE7A}"= Disabled:UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{1B78DC73-9B8D-47AD-96C6-B538329A33D1}"= Disabled:TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{61FE3E17-444A-46D4-92B7-3C7507E90426}"= Disabled:UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{EC07CC90-DBC4-44D2-9FF0-A174CFDD993D}"= Disabled:TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{48FAD791-E01F-4205-B2DE-B1512F01B168}C:\\program files\\acronis\\trueimageworkstation\\trueimage.exe"= Disabled:UDP:C:\program files\acronis\trueimageworkstation\trueimage.exe:TrueImage
"UDP Query User{AD306220-3B7A-4B40-B0D9-7E4F324E33D6}C:\\program files\\acronis\\trueimageworkstation\\trueimage.exe"= Disabled:TCP:C:\program files\acronis\trueimageworkstation\trueimage.exe:TrueImage

R0 PBADRV;PBADRV;C:\Windows\system32\DRIVERS\PBADRV.sys [2006-08-28 15:00]
R1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\elrawdsk.sys [2007-09-24 05:12]
R2 BthFilterHelper;Bluetooth Feature Support;"C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe" [2006-11-07 18:26]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot\SDWinSec.exe [2008-01-28 11:43]
R2 SSPORT;SSPORT;C:\Windows\system32\Drivers\SSPORT.sys [2006-11-22 15:02]
R2 WavxDMgr;WavxDMgr;C:\Windows\system32\DRIVERS\WavxDMgr.sys [2007-02-15 17:31]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-02-01 04:22]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-11-13 12:16]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-18 00:16]
S3 BTHFILT;Bluetooth Command Filter;C:\Windows\system32\DRIVERS\BthFilt.sys [2007-05-05 12:51]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 02:36]
S3 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]
S3 SecureStorageService;SecureStorageService;"C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [2007-02-16 13:07]
S3 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-18 23:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
rsmsvcs REG_MULTI_SZ ntmssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fd2dce5-f61e-11dc-b24a-c5d1412eb08b}]
\shell\AutoRun\command - I:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 15:30:04 C:\Windows\Tasks\User_Feed_Synchronization-{34F43F04-A6A9-4D06-B61A-D3F9848F1B8B}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 10:36:13
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\BCMWLTRY.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SAV\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\SAV\Rtvscan.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\SAV\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2008-05-17 10:38:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 15:38:35

Pre-Run: 75,966,857,216 bytes free
Post-Run: 75,778,445,312 bytes free

239 --- E O F --- 2008-04-27 16:15:20

And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:16 AM, on 5/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAV\VPTray.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Users\John\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vpn.krupalaw.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\SAV\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot\SDWinSec.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7914 bytes

pskelley
2008-05-17, 18:00
Thanks for returning your information. Are you running these tools as administrator? Be sure you are, and let's see if we can get a look at the hosts file like this:

To view the Hosts file:
Start -> Run -> Copy the following to the box and hit enter:
C:\WINDOWS\System32\drivers\etc\HOSTS

A window opens, choose Notepad from the list and hit OK.
A notepad document opens, copy the contents to here.
I am assuming it is the same for Vista as earlier operating systems?

C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of that quarantine folder.

This HJT log appears to be clean. Any malware issues now?

Thanks

jak167
2008-05-17, 18:05
Yes, as Admin, and this was the first time that this message arose when running HJT.

jak167
2008-05-17, 18:17
Not much there, only this:

127.0.0.1 localhost


Deleted all items from quarantine.

Did a manual search of the registry for the values that kept returning and I do not see them; however, two of the file names that kept returning and causing problems still exist on the computer. The files are named c:\bm432863c3.xml & .txt. No matter how many times I've deleted these files, they keep returning. And the c:\windows\system32\cbxpilbt.dll has also returned. I have not attempted to delete these files yet b/c I wanted to wait to hear from you. I do not want to restart the computer yet b/c I fear that these files will just reinstall the crap you've kindly helped me remove.

pskelley
2008-05-17, 18:29
That's the correct information for the hosts file.

According to "Other Deletions" this file was deleted: C:\Windows\system32\cbXPiIBT.dll

along with other junk. Post a new HJT log so I can see if the BHO returned. I will have to scan every file created in that month, and I do not have the time to do it now.
Make sure the spelling is correct on this one: c:\bm432863c3.xml
Scan it with one or more of these free scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Scan this one also: C:\Windows\system32\cbXPiIBT.dll. I know what it is supposed to be; let's make sure.

Thanks

jak167
2008-05-17, 18:44
RE the "other deletions": that's part of the issue; no matter how many times you delete, it will return. Upon looking at the search of My Computer, I see multiple copies of the cbxpilbt.dll, and one is marked as cbxpilbt.dll.vir with a VIR extension. I will run the other AV programs and let you know the results.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:57 AM, on 5/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAV\VPTray.exe
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Users\John\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vpn.krupalaw.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1\DVDGhost\DVDGHO~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\SAV\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot\SDWinSec.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7914 bytes

jak167
2008-05-17, 18:54
Using jotti.org:

bm432863c3.txt - nothing
bm432863c3.xml - file is 0 bytes, can't scan
cbxpilbt.dll - no file exists

When I check the properties of the cbxpilbt.dll files (3), it shows that they exist in "(Archive Root Directory)" and the .vir version resides in c:\qoobox\quaratine.

Hope this helps.

pskelley
2008-05-17, 20:39
Thanks for the feedback, this last HJT log is clean of malware.

Archive Root Directory <<< not sure what that is? Is there a pathway? The root is C:\. All of the junk may be in the Quarantine folder; take a look before you delete it.

"c:\qoobox\quaratine" = the C:\Qoobox\Quarantine folder; that is where ComboFix moves the bad stuff in the event an error is made and something needs to be recovered. You may delete ComboFix and the C:\Qoobox\Quarantine folder from your computer.

Let's take the time to run a couple of scans to be sure we got all of the infection. Start with this one:

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks

jak167
2008-05-18, 03:49
Weird thing: right after I began the Malwarebytes scan, my Outlook 2007 kept opening. I don't use it on this machine so it's not configured, but regardless of the times I shut it down, it immediately popped back open again. It's never done that before, only after the Malwarebytes scan started. I checked Task Manager and seven Outlook processes existed, none of them using any resources. I began closing them, and it opened three more while I was trying to shut them all down. Eventually I removed all of them and it has not come back (at least while I was writing this to you). Also, I still have not rebooted since we began the malware removal earlier today.

Once again, I greatly appreciate the help.

Here's the log from the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Full Scan (C:\|Z:\|)
Objects scanned: 165664
Time elapsed: 35 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Disk Checker\IDEINFO.VXD (Adware.Winad) -> Quarantined and deleted successfully.

pskelley
2008-05-18, 13:31
Thanks for returning your scan results and the feedback. I have not heard of that before during an MBAM run, but malware does change settings, and MBAM did find a few issues. Keep an eye on things to make sure it does not occur again. Watch for any error messages and record them word for word. Let's run Kaspersky for a final check.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here <<< no need to post a clean scan result.

I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

jak167
2008-05-18, 23:09
Here's the log from the Kaspersky scan. It seems it's picked up the items quarantined by the other checks. What's the best way to delete these files? Also, do you want me to re-enable TeaTimer and Windows Defender? Thanks

KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 4:06:03 PM
Operating System: Microsoft Windows Vista Professional, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 782869
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Z:\
Scan Statistics
Total number of scanned objects 115314
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 01:02:20

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\ElRawDisk.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\ProgramData\Dell\QuickSet\QSLLPSVCShare Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\04fcec753043ad5067d9b9ea0c5786db_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2c15336e403cc24f13cbe28549883a95_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2ee97d0b843316aad2a4e6579a8ed375_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\41c02e3670f61ad5512c1db0d9cab940_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\4c6e5f1102dccd1cdfd30bdc8ab053bc_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\627b6b1671cf8ab7b4fe92bf552a8694_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\65123cdd68bd72c22446c45eb0daee8b_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6654dcdff3d675631ca298a6c2b262be_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\665a28ff361dad2e21d232f14b75cfa8_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7acec044f38cd7b1b9bf28bed4cef1e5_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8229242537bbd7ddbb3b13da138ff189_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8353fb189c870faec2e2f77a3aedc8a4_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\881340ad2e5b66bcb2d0a64a7b4614f9_5ae3ad01-a64a-4ddd-84ef-70ef1f2e9c09 Object is locked skipped
C:\QooBox\Quarantine\catchme2008-05-17_103400.30.zip/cbXPiIBT.dll Infected: Trojan.Win32.Zapchast.gr skipped
C:\QooBox\Quarantine\catchme2008-05-17_103400.30.zip ZIP: infected - 1 skipped
C:\Users\John\Desktop\HJT\backups\backup-20080517-090301-207.dll Infected: Trojan.Win32.Zapchast.gr skipped
Scan process completed.

pskelley
2008-05-18, 23:22
Also, do you want me to reenable TeaTimer and Windows Defender? Thanks

You may enable Windows after each tool if you wish, but TeaTimer needs to be out of the way until I say you are clean, which should be right after the KOS. Let's see.

C:\QooBox\Quarantine\ <<< delete that folder and contents

C:\Users\John\Desktop\HJT\backups\backup-20080517-090301-207.dll ------> Trojan.Win32.Zapchast.gr
Instructions for removing the HJT backups are here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore

Once you do that, empty the Recycle Bin and go into operation as usual. I strongly suggest you review the links I posted; the information will help you avoid infections and improve performance. If you have issues with TT when enabled, let me know; otherwise I will wish you safe surfing :bigthumb:

Thanks...Phil

jak167
2008-05-20, 03:22
Sorry for the late response, wife and kids keeping me hopping :D:

Deleted the files as requested. Did a reboot to safe mode, just in case, ran Spybot and AV again and found nothing. Restarted and machine running OK. Restarted TeaTimer and rebooted again and things again seem fine. Machine has run for a day with no issues (knock on wood).

I am going to read all of those links. I thought I was being safe, but it's never too late to learn more hehehe

Thanks again for your help. I've never had to use a forum like this for help and I am very glad you could help and gracious that you would help me. If you ever need anything in the Chicagoland area, let me know. BTW, could you please forward the link again for donations, you deserve one.

sincerely, jak167

pskelley
2008-05-20, 12:13
Thanks for the feedback and your kind words. We volunteer our services, but I am sure Patrick (creator of FREE Spybot S&D) has huge expenses running a forum like this and can use all of the donations he can get. That link is near the end of my closing information in my post #14.

Safe surfing:laugh:

Phil