virtumonde on Server 2003



cgesuald
2008-12-27, 19:28
I was directed to Spybot S&D for help with removing this virus. The tool detected and said it removed the various infections. On startup, S&D is blocking a global system startup that is attempting to reinstall the virus. With each rerun of the scan, the virus is redetected. I didn't feel comfortable following advice given on other inquiries, because the machine is running Windows Server 2003. Not sure where to go from here. Any help you can provide will be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:05 PM, on 12/27/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1526D07D-733E-4877-A04B-79E88AE645C0} - (no file)
O2 - BHO: {abb9eb9b-df0e-66a9-8704-0840c13b9f92} - {29f9b31c-0480-4078-9a66-e0fdb9be9bba} - C:\WINDOWS\system32\iiyqkg.dll
O2 - BHO: offersfortoday browser enhancer - {50F1780E-B50F-9AAA-1F1E-D0446C1BE92A} - C:\WINDOWS\system32\vjpmlznuaoeqk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872} - (no file)
O2 - BHO: (no name) - {A9477A51-E71C-42AC-99DB-AE2A7B15333E} - C:\WINDOWS\system32\xxyvwVlM.dll
O2 - BHO: searchersmart search enhancer - {C1B3F9A2-759F-5E0B-C306-A3A5F54A6AD7} - C:\WINDOWS\system32\kybfkfgblkxentvn.dll (file missing)
O2 - BHO: (no name) - {c879213e-976e-4071-b3a7-feaf69f34c10} - C:\WINDOWS\system32\lelofayo.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E314B44C-422C-4C0A-84A7-6EE1465D11B9} - C:\WINDOWS\system32\jkkLFuro.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKUS\S-1-5-19\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wutavoke.dll
O20 - Winlogon Notify: mlJDsTKE - C:\WINDOWS\SYSTEM32\mlJDsTKE.dll
O22 - SharedTaskScheduler: cacara - {341bd909-3367-4307-b37d-fb1cc56387ad} - C:\WINDOWS\system32\elmnplw.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6831 bytes

Blade81
2009-01-01, 13:36
Hi


Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

cgesuald
2009-01-01, 20:20
DDS results - This tool does not your support your Operating System
Press any key to continue . . .

mbam log:
Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.2.3790 Service Pack 2

1/1/2009 2:14:01 PM
mbam-log-2009-01-01 (14-14-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81518
Time elapsed: 23 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 28
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gykrltne.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvwVlM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gayelayi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tegowupa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fomudaba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktop\A0165C2C33FCC9C0\A0165C2C33FCC9C0.x86 (Rootkit.Zlob) -> Delete on reboot.
C:\WINDOWS\system32\iiyqkg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkLFuro.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJDsTKE.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3878cd29-d7b8-4fe1-bd6f-bc67eb3b2f24} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3878cd29-d7b8-4fe1-bd6f-bc67eb3b2f24} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c879213e-976e-4071-b3a7-feaf69f34c10} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c879213e-976e-4071-b3a7-feaf69f34c10} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c879213e-976e-4071-b3a7-feaf69f34c10} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3878cd29-d7b8-4fe1-bd6f-bc67eb3b2f24} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{29f9b31c-0480-4078-9a66-e0fdb9be9bba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{29f9b31c-0480-4078-9a66-e0fdb9be9bba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29f9b31c-0480-4078-9a66-e0fdb9be9bba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e314b44c-422c-4c0a-84a7-6ee1465d11b9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e314b44c-422c-4c0a-84a7-6ee1465d11b9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e314b44c-422c-4c0a-84a7-6ee1465d11b9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljdstke (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{341bd909-3367-4307-b37d-fb1cc56387ad} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50f1780e-b50f-9aaa-1f1e-d0446c1be92a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50f1780e-b50f-9aaa-1f1e-d0446c1be92a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c1b3f9a2-759f-5e0b-c306-a3a5f54a6ad7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c1b3f9a2-759f-5e0b-c306-a3a5f54a6ad7} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20796049 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabelovako (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{341bd909-3367-4307-b37d-fb1cc56387ad} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QuickTime Task (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvwvlm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gayelayi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gayelayi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gayelayi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvwvlm -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyvwVlM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MlVwvyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MlVwvyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dehugada.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adaguhed.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geviyagu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ugayiveg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gykrltne.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\entlrkyg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tivawigo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ogiwavit.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wadudure.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\erududaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wudigewe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewegiduw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuyayeru.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ureyayuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tegowupa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fomudaba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gayelayi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktop\A0165C2C33FCC9C0\A0165C2C33FCC9C0.x86 (Rootkit.Zlob) -> Delete on reboot.
C:\WINDOWS\system32\iiyqkg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkLFuro.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJDsTKE.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Administrator\Desktop\A0165C2C33FCC9C0\A0165C2C33FCC9C0 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\qpgiqmsi1.exe (Zlob.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\qpgiqmsi2.exe (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HRS59GQF\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pehuraba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deanwmrg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\djecrqxe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fsntiw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logizako.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rerudoma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myc.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.

Blade81
2009-01-01, 20:29
Hi

Please reboot if you haven't done so after mbam run.

Then please download OTListIt (http://oldtimer.geekstogo.com/OTListIt.exe)
Save it to the Desktop
Close all windows and double-click on the OTListIt.exe file
OK any warning about running OTListIt.
Place a check in the Scan All Users checkbox
Click the Run Scan button
When the scan is complete, two text files are produced on the Desktop: OTListIt.txt , and Extras.txt

Please post the OTListIt.txt and Extras.txt in your reply.

cgesuald
2009-01-01, 21:15
I've rebooted.

oldtimers.geekstogo.com/otlistit.exe is unavailable
oldtimers.geekstogo.com/ says it is coming soon.

I'll keep checking. If there is an alternate site, please provide.

And thank you. I appreciate the help you're giving me.

Blade81
2009-01-01, 21:50
Hi

Since the OTListIt link seems to be down and most tools don't support 2003 Server, I can check the HJT log only at this point. Please post a fresh version of it.

cgesuald
2009-01-02, 12:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:29 AM, on 1/2/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1526D07D-733E-4877-A04B-79E88AE645C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKUS\S-1-5-19\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5349 bytes
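As an added example (not part of this thread and not one of the tools it uses), the following Python script triages the HijackThis entries quoted from the two logs above and reports which flagged registry slots survived the Malwarebytes run. It keys entries on the registry slot (hive plus value name, or CLSID) rather than on the DLL path, because the Run entry named tabelovako changed from fobufelo.dll to tegowupa.dll between the two scans while the slot itself stayed in place; the log excerpts are copied from this thread, and the flagging rules are the editor's own heuristics.

```python
import re

# Entries copied from the two HijackThis logs posted in this thread (scans of
# 12/27/2008 and 1/2/2009), cut down to the lines a reviewer would look at.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {1526D07D-733E-4877-A04B-79E88AE645C0} - (no file)
O2 - BHO: {abb9eb9b-df0e-66a9-8704-0840c13b9f92} - {29f9b31c-0480-4078-9a66-e0fdb9be9bba} - C:\WINDOWS\system32\iiyqkg.dll
O2 - BHO: offersfortoday browser enhancer - {50F1780E-B50F-9AAA-1F1E-D0446C1BE92A} - C:\WINDOWS\system32\vjpmlznuaoeqk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9477A51-E71C-42AC-99DB-AE2A7B15333E} - C:\WINDOWS\system32\xxyvwVlM.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKUS\S-1-5-19\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\fobufelo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\wutavoke.dll
O20 - Winlogon Notify: mlJDsTKE - C:\WINDOWS\SYSTEM32\mlJDsTKE.dll
O22 - SharedTaskScheduler: cacara - {341bd909-3367-4307-b37d-fb1cc56387ad} - C:\WINDOWS\system32\elmnplw.dll (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {1526D07D-733E-4877-A04B-79E88AE645C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-19\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tabelovako] Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s (User 'NETWORK SERVICE')
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
O4_KEY = re.compile(r"^(?P<hive>\S+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
SERVICE_HIVES = ("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE


def triage(line):
    """Return (key, reason) when an entry deserves review, else None.

    The key names the registry slot (hive + value name, or CLSID), not the file
    it points to, so a slot is still recognised after the malware rewrites it
    to load a freshly generated DLL name.  The rules are editor heuristics.
    """
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    ids = CLSID.findall(body)
    key = (sec, ids[-1].lower()) if ids else (sec, body.lower())
    if "(file missing)" in body:
        return key, "registry entry points at a file that no longer exists (orphaned loader)"
    if sec == "O2" and body.startswith("BHO: (no name)") and not body.endswith("(no file)"):
        return key, "unnamed BHO backed by a real DLL"
    if sec == "O2" and body.startswith("BHO: {"):
        return key, "BHO whose display name is itself a CLSID"
    if sec == "O20":
        return key, "DLL loaded into every process (AppInit_DLLs) or into winlogon (Notify); verify the publisher"
    if sec == "O4":
        k = O4_KEY.match(body)
        if not k:
            return None
        hive, cmd = k.group("hive"), k.group("cmd")
        key = (sec, hive.lower(), k.group("name").lower())
        r = RUNDLL.search(cmd)
        if r and "system32" in r.group("dll").lower() and len(r.group("export")) == 1:
            return key, "rundll32 loading a system32 DLL through a one-letter export"
        if "\\Policies\\Explorer\\Run" in hive:
            return key, "autorun placed in the Policies Run key"
        if hive.upper().startswith(SERVICE_HIVES) and hive.upper().endswith("\\RUN"):
            return key, "Run entry under a service-account hive"
    return None


def flagged(log):
    """Map each flagged registry slot in a log to (line, reason)."""
    hits = {}
    for line in log.splitlines():
        hit = triage(line)
        if hit:
            hits[hit[0]] = (line.strip(), hit[1])
    return hits


def survivors(before, after):
    """Flagged slots present in both scans: persistence the cleanup did not remove."""
    earlier, later = flagged(before), flagged(after)
    return {k: v for k, v in later.items() if k in earlier}


if __name__ == "__main__":
    for key, (line, reason) in survivors(LOG_BEFORE, LOG_AFTER).items():
        print(f"STILL PRESENT [{reason}]: {line}")
```

Run against the two excerpts, the only survivors are the tabelovako Run entries under the LOCAL SERVICE and NETWORK SERVICE hives, which is exactly where the second log shows the loader re-pointed at tegowupa.dll.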

Blade81
2009-01-02, 13:13
Hi


Please download OTViewIt (http://oldtimer.geekstogo.com/OTViewIt.exe) by OldTimer and save it to your Desktop.
Close all applications and windows.
Double-click on the OTViewIt.exe to start OTViewIt.
Place a checkmark in the blue-colored Scan All Users checkbox.
Click the blue Run Scan button.
OTViewIt will now start its scan.
When the scan is complete, two text files will be created, OTViewIt.Txt <- this one will be opened in Notepad and Extras.txt on Desktop.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.

cgesuald
2009-01-03, 14:11
OTViewIt logfile created on: 1/3/2009 7:57:24 AM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VCR2PEVD
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.34 Mb Total Physical Memory | 169.51 Mb Available Physical Memory | 37.89% Memory free
1.04 Gb Paging File | 0.83 Gb Available in Paging File | 79.55% Paging File free
Paging file location(s): c:\pagefile.sys 670 1024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 28.93 Gb Free Space | 38.82% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 12.20 Gb Free Space | 16.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROME
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/03/23 11:49:08 | 00,397,312 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe
[2004/06/09 20:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2004/06/09 20:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2004/08/16 13:55:52 | 00,030,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
[2008/12/06 18:04:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
[2002/12/04 11:52:36 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
[2007/02/17 03:57:48 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2004/06/09 20:31:06 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2008/12/06 18:04:45 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2006/11/21 18:16:02 | 00,724,992 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[2002/12/17 17:23:32 | 00,074,308 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
[2007/02/17 04:09:46 | 00,207,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2007/02/17 03:57:48 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2009/01/03 07:56:59 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VCR2PEVD\OTViewIt[1].exe

========== (O23) Win32 Services ==========

[2004/03/23 11:49:08 | 00,397,312 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2004/06/09 20:31:08 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2004/06/09 20:31:12 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2004/06/09 20:31:14 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2004/08/16 13:55:52 | 00,030,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2007/02/17 02:50:02 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs [On_Demand | Stopped])
[2007/02/17 03:20:52 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ [Disabled | Stopped])
[2008/12/06 18:04:44 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2007/02/18 00:30:26 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService [Disabled | Stopped])
[2002/12/04 11:52:36 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe -- (MSSEARCH [Auto | Running])
[2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER [Auto | Running])
[2002/12/17 17:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper [On_Demand | Stopped])
[2007/02/17 03:41:50 | 00,792,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs [On_Demand | Stopped])
[2007/02/17 03:55:56 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv [On_Demand | Stopped])
[2004/08/02 19:36:36 | 00,173,392 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2004/06/11 18:28:30 | 00,201,944 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
[2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe -- (SQLSERVERAGENT [On_Demand | Stopped])
[2004/08/16 13:56:00 | 01,267,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [On_Demand | Stopped])
[2007/02/17 04:07:00 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis [Disabled | Stopped])
[2007/02/17 04:08:32 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
[2007/02/18 00:36:40 | 00,352,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\vds.exe -- (vds [On_Demand | Stopped])

========== Driver Services ==========

[2004/03/23 11:59:52 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2003/11/05 23:22:10 | 00,013,842 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\atisgkaf.SYS -- (caboagp [Boot | Running])
[2007/02/17 02:31:14 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk [Disabled | Stopped])
[2004/05/04 11:42:04 | 00,818,432 | ---- | M] (C-Media Inc) -- C:\WINDOWS\system32\drivers\cmuda.sys -- (cmuda [On_Demand | Running])
[2007/02/17 02:34:58 | 00,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\crcdisk.sys -- (crcdisk [Boot | Running])
[2007/02/17 02:49:38 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver [Boot | Running])
[2004/05/19 19:01:54 | 00,041,984 | ---- | M] (DeviceGuys, Inc.) -- C:\WINDOWS\system32\drivers\DgivEcp.sys -- (DgiVecp [Auto | Stopped])
[2004/03/23 12:05:36 | 00,045,568 | ---- | M] (VIA Networking Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\getnd5b.sys -- (GETNDIS [On_Demand | Running])
[2008/12/25 04:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081225.002\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[2008/12/25 04:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081225.002\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[2003/07/17 03:10:06 | 00,007,040 | R--- | M] (VIA Networking Technologies, Inc. ) -- C:\WINDOWS\system32\ntsim.sys -- (NTSIM [On_Demand | Stopped])
[2007/02/17 03:54:52 | 00,020,480 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004/02/09 15:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2004/02/09 15:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [Auto | Running])
[2007/02/17 06:24:02 | 00,163,644 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2004/03/04 23:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2004/06/11 18:28:08 | 00,016,280 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])
[2004/06/11 18:28:10 | 00,263,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2007/02/17 04:07:52 | 00,024,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\vgapnp.sys -- (vga [On_Demand | Stopped])
[2007/02/17 04:09:26 | 00,169,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=res://shdoclc.dll/hardAdmin.htm
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=res://shdoclc.dll/hardAdmin.htm
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{1526D07D-733E-4877-A04B-79E88AE645C0} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINDOWS\system32\msdxm.ocx ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=Ati2mdxx.exe (ATI Technologies, Inc.)
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
"MRT"="C:\WINDOWS\system32\MRT.exe" /R File not found
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s File not found

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s File not found

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2006/11/21 18:16:02 | 00,724,992 | ---- | M] (Intuit, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[2002/12/17 17:23:32 | 00,074,308 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"ShowSuperHidden"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"disablecad"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- Reg Error: Key does not exist or could not be opened. File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
2 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-4173798362-227457503-3234019532-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
2 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab -- Shockwave ActiveX Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab -- Java Plug-in 1.6.0_11
{9F1C11AA-197B-4942-BA54-47A8489BB47F}: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38318.6522800926 -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab -- Java Plug-in 1.6.0_11
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{61E096E3-5DB6-46E4-9E6C-ED8ABB674314} (Servers: | Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\system32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2004/11/27 18:27:56 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

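The autostart sections above are where the reinfection loop shows itself: two identical "tabelovako" Run values under HKEY_USERS\S-1-5-19 and HKEY_USERS\S-1-5-20 (the LOCAL SERVICE and NETWORK SERVICE hives, which normally carry no Run values at all) that launch rundll32 against a DLL in system32 the tool can no longer find, plus two BHO CLSIDs whose keys are gone. The following triage script is an added example, not part of the posted log or of the OTViewIt/OTListIt tool: it parses the "(O4) Run Keys", "(O4) RunOnce Keys" and "(O2) BHO's" blocks in the format shown above and queues the entries a responder would check first. The flagging heuristics (missing target, rundll32 loading a system32 DLL, autostart in a service-account hive) are my own; the SID-to-account mapping is the standard Windows one. The embedded sample is an excerpt of the log lines posted in this thread.

```python
"""Triage OTL-style autostart sections (added example; heuristics are the author's own)."""
import re

# Standard well-known SIDs as they appear in OTL hive paths under HKEY_USERS.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# Built-in service accounts never log on interactively, so a Run value in
# their hive is unusual and worth a look regardless of what it points at.
SERVICE_ACCOUNTS = {"LOCAL SERVICE", "NETWORK SERVICE"}

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")            # "========== (O4) Run Keys =========="
HIVE_RE = re.compile(r"^\[(?P<hive>HKEY_[^\]]+)\]$")           # "[HKEY_USERS\S-1-5-19\...\Run]"
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.*)$')  # "name"=command (Company)
BHO_RE = re.compile(r"^\{(?P<clsid>[0-9A-Fa-f-]{36})\} \(HK\w+\) -- (?P<target>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)


def hive_account(hive: str) -> str:
    """Map an OTL hive path to the account whose profile it is."""
    m = re.search(r"HKEY_USERS\\(S-1-5-\d+(?:-\d+)*)", hive)
    if not m:
        return "HKLM" if hive.startswith("HKEY_LOCAL_MACHINE") else "current user"
    sid = m.group(1)
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    return "built-in Administrator" if sid.endswith("-500") else sid


def parse_sections(text: str) -> dict:
    """Return {section name: [(hive, line), ...]}; hive is the last [HKEY_...] header seen."""
    sections, name, hive = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (sm := SECTION_RE.match(line)):
            name, hive = sm.group("name"), None
            sections.setdefault(name, [])
        elif (hm := HIVE_RE.match(line)):
            hive = hm.group("hive")
        elif name:
            sections[name].append((hive, line))
    return sections


def triage(text: str) -> list:
    """Return (kind, account, name, target, reasons) for every autostart entry worth checking."""
    findings, sections = [], parse_sections(text)
    for hive, line in sections.get("(O4) Run Keys", []) + sections.get("(O4) RunOnce Keys", []):
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        name, cmd, account = m.group("name"), m.group("cmd"), hive_account(hive or "")
        dm = RUNDLL_RE.search(cmd)
        dll = dm.group("dll") if dm else ""
        reasons = []
        if "file not found" in cmd.lower():
            reasons.append("target missing")           # orphaned loader, or a component not yet re-dropped
        if dll.lower().endswith(".dll") and "\\system32\\" in dll.lower():
            reasons.append("rundll32 loads a DLL from system32")
        if account in SERVICE_ACCOUNTS:
            reasons.append("autostart in a service-account hive")
        if reasons:
            findings.append(("Run", account, name, dll or cmd, reasons))
    for _, line in sections.get("(O2) BHO's", []):
        m = BHO_RE.match(line)
        if m and ("reg error" in m.group("target").lower() or "file not found" in m.group("target").lower()):
            findings.append(("BHO", "HKLM", m.group("clsid"), m.group("target"), ["CLSID registered, key or file missing"]))
    return findings


# Excerpt of the log posted in this thread (lines copied, not invented).
SAMPLE_LOG = r"""
========== (O2) BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{1526D07D-733E-4877-A04B-79E88AE645C0} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== (O4) Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
"MRT"="C:\WINDOWS\system32\MRT.exe" /R File not found
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s File not found
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=Rundll32.exe "C:\WINDOWS\system32\tegowupa.dll",s File not found
========== (O4) RunOnce Keys ==========
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for kind, account, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{kind:3} {account:22} {name:40} {target}\n    -> {', '.join(reasons)}")
```

Stale vendor entries ("Cmaudio", "MRT") land in the queue too, flagged only for a missing target; the two "tabelovako" values are the only entries that trip all three rules, and the Microsoft-signed "tscuninstall" RunOnce in the SYSTEM hive is not flagged. The output is a triage order, not a verdict: the analyst still has to confirm each item against the file on disk.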
cgesuald
2009-01-03, 14:12
========== Files/Folders - Created Within 30 Days ==========

[12 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/01/01 16:01:14 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2009/01/01 13:13:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/01/01 13:13:33 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/01 13:13:33 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/01 13:13:30 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/01 13:13:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/01 13:13:28 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/01 13:11:02 | 00,369,663 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/01/01 12:54:38 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\eyxhut.dll
[2009/01/01 12:54:37 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\swtlfwlc.dll
[2008/12/31 10:57:33 | 01,262,918 | -HS- | C] () -- C:\WINDOWS\System32\emadisem.ini
[2008/12/30 22:57:23 | 01,262,900 | -HS- | C] () -- C:\WINDOWS\System32\oseyulim.ini
[2008/12/30 10:57:07 | 01,262,893 | -HS- | C] () -- C:\WINDOWS\System32\emutitar.ini
[2008/12/27 13:21:24 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
[2008/12/25 23:11:40 | 00,001,374 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Security Configuration Wizard.lnk
[2008/12/25 23:11:40 | 00,000,099 | -HS- | C] () -- C:\Documents and Settings\All Users\Desktop\desktop.ini
[2008/12/25 23:09:25 | 00,138,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dpcdll.dll
[2008/12/25 23:09:25 | 00,138,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dpcdll.dll
[2008/12/25 23:09:15 | 00,203,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\whsbrand.dll
[2008/12/25 23:09:15 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cd2chain.exe
[2008/12/25 23:09:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\adam
[2008/12/25 23:09:12 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ipmidrv.sys
[2008/12/25 23:09:12 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\uddisp.exe
[2008/12/25 23:09:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ipmi
[2008/12/25 23:09:10 | 00,130,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\fltmgr.sys
[2008/12/25 23:09:10 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gagp30kx.sys
[2008/12/25 23:09:10 | 00,043,520 | ---- | C] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\arc.sys
[2008/12/25 23:09:10 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\intelppm.sys
[2008/12/25 23:09:10 | 00,036,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ip6fw.sys
[2008/12/25 23:09:10 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mssmbios.sys
[2008/12/25 23:09:10 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\amdide.sys
[2008/12/25 23:09:09 | 00,479,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\audiodev.dll
[2008/12/25 23:09:09 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cfscommonuifx.dll
[2008/12/25 23:09:09 | 00,152,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpwd.sys
[2008/12/25 23:09:09 | 00,122,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbvideo.sys
[2008/12/25 23:09:09 | 00,096,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\nv_agp.sys
[2008/12/25 23:09:09 | 00,047,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\uliagpkx.sys
[2008/12/25 23:09:09 | 00,046,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\uagp35.sys
[2008/12/25 23:09:09 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rndismpx.sys
[2008/12/25 23:09:09 | 00,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbccid.sys
[2008/12/25 23:09:09 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aelupsvc.dll
[2008/12/25 23:09:09 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wpdusb.sys
[2008/12/25 23:09:09 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmsetacl.dll
[2008/12/25 23:09:09 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usb8023x.sys
[2008/12/25 23:09:09 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\auditusr.exe
[2008/12/25 23:09:09 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx3.dll
[2008/12/25 23:09:09 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\azrlreg.exe
[2008/12/25 23:09:08 | 02,949,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dfsmgmt.dll
[2008/12/25 23:09:08 | 01,690,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3d9.dll
[2008/12/25 23:09:08 | 00,720,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dfsobjectmodel.dll
[2008/12/25 23:09:08 | 00,040,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsroam.dll
[2008/12/25 23:09:08 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsntfy.dll
[2008/12/25 23:09:07 | 01,765,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dxdiagn.dll
[2008/12/25 23:09:07 | 00,424,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2008/12/25 23:09:07 | 00,163,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drmupgds.exe
[2008/12/25 23:09:07 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fsmsnap.dll
[2008/12/25 23:09:07 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\firewall.cpl
[2008/12/25 23:09:07 | 00,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2008/12/25 23:09:07 | 00,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fwcfg.dll
[2008/12/25 23:09:07 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fsmmsg.dll
[2008/12/25 23:09:07 | 00,056,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\extmgr.dll
[2008/12/25 23:09:07 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icacls.exe
[2008/12/25 23:09:07 | 00,038,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hbaapi.dll
[2008/12/25 23:09:07 | 00,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fltmc.exe
[2008/12/25 23:09:07 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\encapi.dll
[2008/12/25 23:09:07 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fltlib.dll
[2008/12/25 23:09:06 | 00,364,544 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\l3codecp.acm
[2008/12/25 23:09:06 | 00,289,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\r2brand.dll
[2008/12/25 23:09:06 | 00,155,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\microsoft.storage.vds.dll
[2008/12/25 23:09:06 | 00,122,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdadiag.dll
[2008/12/25 23:09:06 | 00,062,976 | ---- | C] () -- C:\WINDOWS\System32\mpeg2data.ax
[2008/12/25 23:09:06 | 00,046,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netset03.exe
[2008/12/25 23:09:06 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netsetup.cpl
[2008/12/25 23:09:06 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\oobechk.exe
[2008/12/25 23:09:06 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntfrsutl.exe
[2008/12/25 23:09:06 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdsmsno.dll
[2008/12/25 23:09:06 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdsmsfi.dll
[2008/12/25 23:09:06 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdukx.dll
[2008/12/25 23:09:06 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdno1.dll
[2008/12/25 23:09:06 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdfi1.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpash.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnepr.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdmlt48.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdmlt47.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdiultn.dll
[2008/12/25 23:09:06 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbhc.dll
[2008/12/25 23:09:06 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdmaori.dll
[2008/12/25 23:09:05 | 00,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmdrmdev.dll
[2008/12/25 23:09:05 | 00,282,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmdrmnet.dll
[2008/12/25 23:09:05 | 00,060,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\secoobe.dll
[2008/12/25 23:09:05 | 00,047,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\uwdf.exe
[2008/12/25 23:09:05 | 00,039,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
[2008/12/25 23:09:05 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srmlib.dll
[2008/12/25 23:09:05 | 00,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
[2008/12/25 23:09:05 | 00,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\verclsid.exe
[2008/12/25 23:09:05 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\setupn.exe
[2008/12/25 23:09:05 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfapi.dll
[2008/12/25 23:09:05 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smbinst.exe
[2008/12/25 23:09:05 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tlsbln.exe
[2008/12/25 23:09:05 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winshfhc.dll
[2008/12/25 23:09:04 | 01,592,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpencen.dll
[2008/12/25 23:09:04 | 01,512,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmvadve.dll
[2008/12/25 23:09:04 | 01,215,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmvadvd.dll
[2008/12/25 23:09:04 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wssbrand.dll
[2008/12/25 23:09:04 | 00,331,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdmtpdr.dll
[2008/12/25 23:09:04 | 00,327,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdsp.dll
[2008/12/25 23:09:04 | 00,175,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpsrcwp.dll
[2008/12/25 23:09:04 | 00,114,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdmtp.dll
[2008/12/25 23:09:04 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdmtpus.dll
[2008/12/25 23:09:04 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdconns.dll
[2008/12/25 23:09:04 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpd_ci.dll
[2008/12/25 23:09:04 | 00,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wpdtrace.dll
[2008/12/25 23:09:03 | 02,897,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp2res.dll
[2008/12/25 23:09:03 | 01,041,920 | ---- | C] () -- C:\WINDOWS\adfs.msp
[2008/12/25 23:09:03 | 00,438,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpob2res.dll
[2008/12/25 23:09:03 | 00,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmlprov.dll
[2008/12/25 23:09:03 | 00,121,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmllite.dll
[2008/12/25 23:09:03 | 00,051,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmlprovi.dll
[2008/12/25 23:09:03 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauserv.dll
[2008/12/25 23:09:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2008/12/25 23:09:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\adfs
[2008/12/25 23:08:54 | 00,000,000 | ---D | C] -- C:\Program Files\cmak
[2008/12/25 23:08:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\my music
[2008/12/25 23:08:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\provisioning
[2008/12/25 23:05:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2008/12/25 23:05:48 | 00,041,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sainstall.dll
[2008/12/25 23:05:48 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rassfm.dll
[2008/12/25 23:05:15 | 01,053,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2008/12/25 23:05:14 | 00,200,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\activeds.dll
[2008/12/25 23:05:14 | 00,098,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\actxprxy.dll
[2008/12/25 23:05:12 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\adsldpc.dll
[2008/12/25 23:05:12 | 00,100,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\advpack.dll
[2008/12/25 23:05:11 | 00,148,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\apphelp.dll
[2008/12/25 23:05:10 | 00,070,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\authz.dll
[2008/12/25 23:05:10 | 00,052,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\basesrv.dll
[2008/12/25 23:05:10 | 00,041,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\audiosrv.dll
[2008/12/25 23:05:09 | 01,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browseui.dll
[2008/12/25 23:05:09 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browser.dll
[2008/12/25 23:05:09 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\batmeter.dll
[2008/12/25 23:05:08 | 00,233,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\certcli.dll
[2008/12/25 23:05:07 | 00,510,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatq.dll
[2008/12/25 23:05:06 | 00,060,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clusapi.dll
[2008/12/25 23:05:06 | 00,047,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cnbjmon.dll
[2008/12/25 23:05:05 | 01,295,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2008/12/25 23:05:05 | 00,797,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comres.dll
[2008/12/25 23:05:05 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\conime.exe
[2008/12/25 23:05:04 | 00,595,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\crypt32.dll
[2008/12/25 23:05:04 | 00,506,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cryptui.dll
[2008/12/25 23:05:04 | 00,165,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\credui.dll
[2008/12/25 23:05:04 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cryptnet.dll
[2008/12/25 23:05:04 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cryptsvc.dll
[2008/12/25 23:05:04 | 00,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cryptdll.dll
[2008/12/25 23:05:03 | 00,326,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cscui.dll
[2008/12/25 23:05:03 | 00,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cscdll.dll
[2008/12/25 23:05:03 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2008/12/25 23:05:02 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\davclnt.dll
[2008/12/25 23:05:01 | 00,164,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dfssvc.exe
[2008/12/25 23:04:59 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dnsapi.dll
[2008/12/25 23:04:59 | 00,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dnsrslvr.dll
[2008/12/25 23:04:59 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dmserver.dll
[2008/12/25 23:04:58 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drprov.dll
[2008/12/25 23:04:56 | 00,147,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dssenh.dll
[2008/12/25 23:04:55 | 01,044,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\esent.dll
[2008/12/25 23:04:55 | 00,238,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\es.dll
[2008/12/25 23:04:55 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ersvc.dll
[2008/12/25 23:04:54 | 00,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eventlog.dll
[2008/12/25 23:04:52 | 00,546,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hhctrl.ocx
[2008/12/25 23:04:52 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hnetcfg.dll
[2008/12/25 23:04:51 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icaapi.dll
[2008/12/25 23:04:50 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imm32.dll
[2008/12/25 23:04:50 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetpp.dll
[2008/12/25 23:04:49 | 00,188,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipsecsvc.dll
[2008/12/25 23:04:49 | 00,095,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iphlpapi.dll
[2008/12/25 23:04:49 | 00,003,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iprop.dll
[2008/12/25 23:04:47 | 00,350,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kerberos.dll
[2008/12/25 23:04:47 | 00,219,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kdcsvc.dll
[2008/12/25 23:04:47 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2008/12/25 23:04:46 | 01,037,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2008/12/25 23:04:46 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\linkinfo.dll
[2008/12/25 23:04:45 | 00,118,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mdminst.dll
[2008/12/25 23:04:44 | 01,163,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc42u.dll
[2008/12/25 23:04:44 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\midimap.dll
[2008/12/25 23:04:43 | 00,146,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\modemui.dll
[2008/12/25 23:04:43 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mpr.dll
[2008/12/25 23:04:42 | 00,090,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mprapi.dll
[2008/12/25 23:04:40 | 00,071,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msacm32.dll
[2008/12/25 23:04:40 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msasn1.dll
[2008/12/25 23:04:40 | 00,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msacm32.drv
[2008/12/25 23:04:39 | 00,468,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2008/12/25 23:04:39 | 00,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdart.dll
[2008/12/25 23:04:39 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2008/12/25 23:04:39 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2008/12/25 23:04:38 | 01,019,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtctm.dll
[2008/12/25 23:04:37 | 01,208,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msgina.dll
[2008/12/25 23:04:36 | 02,848,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msi.dll
[2008/12/25 23:04:36 | 00,884,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msimsg.dll
[2008/12/25 23:04:36 | 00,271,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msihnd.dll
[2008/12/25 23:04:36 | 00,078,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msiexec.exe
[2008/12/25 23:04:36 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msidle.dll
[2008/12/25 23:04:35 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msisip.dll
[2008/12/25 23:04:33 | 00,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstlsapi.dll
[2008/12/25 23:04:32 | 00,402,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp60.dll
[2008/12/25 23:04:32 | 00,348,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcrt.dll
[2008/12/25 23:04:32 | 00,143,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msv1_0.dll
[2008/12/25 23:04:31 | 01,131,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3.dll
[2008/12/25 23:04:31 | 00,256,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mswsock.dll
[2008/12/25 23:04:31 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3r.dll
[2008/12/25 23:04:30 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxoci.dll
[2008/12/25 23:04:30 | 00,079,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxclu.dll
[2008/12/25 23:04:30 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ncobjapi.dll
[2008/12/25 23:04:30 | 00,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nddeapi.dll
[2008/12/25 23:04:29 | 00,430,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netlogon.dll
[2008/12/25 23:04:29 | 00,345,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netapi32.dll
[2008/12/25 23:04:29 | 00,263,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netman.dll
[2008/12/25 23:04:28 | 01,809,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\netshell.dll
[2008/12/25 23:04:28 | 00,255,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\newdev.dll
[2008/12/25 23:04:27 | 01,522,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntdsa.dll
[2008/12/25 23:04:26 | 00,121,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntmarta.dll
[2008/12/25 23:04:26 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntdsapi.dll
[2008/12/25 23:04:26 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntlanman.dll
[2008/12/25 23:04:26 | 00,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntdsatq.dll
[2008/12/25 23:04:25 | 00,352,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\oakley.dll
[2008/12/25 23:04:25 | 00,245,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\odbc32.dll
[2008/12/25 23:04:25 | 00,142,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntshrui.dll
[2008/12/25 23:04:25 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\odbcbcp.dll
[2008/12/25 23:04:24 | 01,267,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ole32.dll
[2008/12/25 23:04:24 | 00,094,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\odbcint.dll
[2008/12/25 23:04:23 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\oleacc.dll
[2008/12/25 23:04:23 | 00,124,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\oledlg.dll
[2008/12/25 23:04:23 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\olecli32.dll
[2008/12/25 23:04:23 | 00,074,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\olethk32.dll
[2008/12/25 23:04:22 | 00,299,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pdh.dll
[2008/12/25 23:04:21 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perfdisk.dll
[2008/12/25 23:04:21 | 00,027,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perfos.dll
[2008/12/25 23:04:21 | 00,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\profmap.dll
[2008/12/25 23:04:21 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\powrprof.dll
[2008/12/25 23:04:21 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pjlmon.dll
[2008/12/25 23:04:20 | 00,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\psbase.dll
[2008/12/25 23:04:20 | 00,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pstorsvc.dll
[2008/12/25 23:04:20 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\psapi.dll
[2008/12/25 23:04:19 | 00,380,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgr.dll
[2008/12/25 23:04:19 | 00,122,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\raschap.dll
[2008/12/25 23:04:19 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rasadhlp.dll
[2008/12/25 23:04:18 | 00,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rastls.dll
[2008/12/25 23:04:18 | 00,104,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2008/12/25 23:04:18 | 00,100,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpdd.dll
[2008/12/25 23:04:17 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regsvc.dll
[2008/12/25 23:04:17 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regapi.dll
[2008/12/25 23:04:16 | 00,642,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rpcrt4.dll
[2008/12/25 23:04:16 | 00,481,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rpcss.dll
[2008/12/25 23:04:16 | 00,443,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\riched20.dll
[2008/12/25 23:04:16 | 00,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\resutils.dll
[2008/12/25 23:04:15 | 00,213,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rsaenh.dll
[2008/12/25 23:04:15 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rundll32.exe
[2008/12/25 23:04:15 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rtutils.dll
[2008/12/25 23:04:14 | 00,334,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\scesrv.dll
[2008/12/25 23:04:14 | 00,202,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\schedsvc.dll
[2008/12/25 23:04:14 | 00,188,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\scecli.dll
[2008/12/25 23:04:14 | 00,146,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\schannel.dll
[2008/12/25 23:04:13 | 00,065,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\secur32.dll
[2008/12/25 23:04:13 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sens.dll
[2008/12/25 23:04:13 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\seclogon.dll
[2008/12/25 23:04:13 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sensapi.dll
[2008/12/25 23:04:12 | 00,141,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sfc_os.dll
[2008/12/25 23:04:11 | 08,359,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shell32.dll
[2008/12/25 23:04:11 | 01,508,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shdocvw.dll
[2008/12/25 23:04:10 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shlwapi.dll
[2008/12/25 23:04:10 | 00,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shimeng.dll
[2008/12/25 23:04:10 | 00,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shfolder.dll
[2008/12/25 23:04:09 | 00,135,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shsvcs.dll
[2008/12/25 23:04:09 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snmpapi.dll
[2008/12/25 23:04:08 | 00,180,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sqlunirl.dll
[2008/12/25 23:04:08 | 00,122,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stobject.dll
[2008/12/25 23:04:08 | 00,086,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spoolss.dll
[2008/12/25 23:04:08 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spoolsv.exe
[2008/12/25 23:04:07 | 00,762,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sxs.dll
[2008/12/25 23:04:07 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2008/12/25 23:04:06 | 00,183,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tapi32.dll
[2008/12/25 23:04:06 | 00,168,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\taskmgr.exe
[2008/12/25 23:04:05 | 00,386,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\themeui.dll
[2008/12/25 23:04:05 | 00,245,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\termsrv.dll
[2008/12/25 23:04:05 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpmon.dll
[2008/12/25 23:04:04 | 00,128,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\umpnpmgr.dll
[2008/12/25 23:04:04 | 00,086,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\trkwks.dll
[2008/12/25 23:04:03 | 00,697,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\urlmon.dll
[2008/12/25 23:04:03 | 00,207,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\unimdm.tsp
[2008/12/25 23:04:03 | 00,075,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\unimdmat.dll
[2008/12/25 23:04:03 | 00,037,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2008/12/25 23:04:03 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\uniplat.dll
[2008/12/25 23:04:02 | 00,206,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\uxtheme.dll
[2008/12/25 23:04:02 | 00,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\utildll.dll
[2008/12/25 23:04:02 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\usbmon.dll
[2008/12/25 23:04:01 | 00,561,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vssapi.dll
[2008/12/25 23:04:01 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\version.dll
[2008/12/25 23:04:00 | 00,276,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\webcheck.dll
[2008/12/25 23:04:00 | 00,227,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w32time.dll
[2008/12/25 23:04:00 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdigest.dll
[2008/12/25 23:04:00 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv
[2008/12/25 23:03:59 | 00,670,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2008/12/25 23:03:59 | 00,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wiarpc.dll
[2008/12/25 23:03:58 | 00,528,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winlogon.exe
[2008/12/25 23:03:58 | 00,174,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winmm.dll
[2008/12/25 23:03:58 | 00,099,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winscard.dll
[2008/12/25 23:03:58 | 00,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winipsec.dll
[2008/12/25 23:03:58 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winrnr.dll
[2008/12/25 23:03:57 | 00,165,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wintrust.dll
[2008/12/25 23:03:57 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlbsctrl.dll
[2008/12/25 23:03:57 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winsta.dll
[2008/12/25 23:03:56 | 00,179,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wldap32.dll
[2008/12/25 23:03:56 | 00,096,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlnotify.dll
[2008/12/25 23:03:54 | 00,285,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wow32.dll
[2008/12/25 23:03:53 | 00,083,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ws2_32.dll
[2008/12/25 23:03:53 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsnmp32.dll
[2008/12/25 23:03:53 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshqos.dll
[2008/12/25 23:03:53 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ws2help.dll
[2008/12/25 23:03:53 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshtcpip.dll
[2008/12/25 23:03:52 | 00,489,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wzcsvc.dll
[2008/12/25 23:03:52 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wzcsapi.dll
[2008/12/25 23:03:52 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wtsapi32.dll
[2008/12/25 23:03:51 | 00,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2008/12/25 22:58:30 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2008/12/25 22:58:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\PolicyBackup
[2008/12/25 19:05:15 | 00,000,940 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2008/12/25 19:05:07 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/12/25 19:05:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/12/25 18:59:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2008/12/19 21:22:20 | 00,000,326 | ---- | C] () -- C:\WINDOWS\tasks\ppijyerz.job
[2008/12/06 20:02:18 | 00,000,000 | ---D | C] -- C:\test
[2008/12/06 18:22:04 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2008/12/06 18:20:54 | 00,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/12/06 16:45:59 | 00,000,138 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Online Casino.url
[2008/12/06 16:45:59 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2008/12/06 16:45:59 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2008/12/06 16:45:55 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Desktop\A0165C2C33FCC9C0
[2008/12/06 14:45:15 | 00,301,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winsrv.dll
[2008/12/06 14:45:15 | 00,301,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winsrv.dll
[2008/12/06 14:45:10 | 00,282,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gdi32.dll
[2008/12/06 14:45:10 | 00,282,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\gdi32.dll
[2008/12/06 14:45:10 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mf3216.dll
[2008/12/06 14:45:09 | 01,845,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2008/12/06 14:45:09 | 01,845,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008/12/06 14:45:09 | 00,583,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\user32.dll
[2008/12/06 14:45:09 | 00,583,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/12/06 14:43:37 | 02,469,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/12/06 14:43:37 | 02,430,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/12/06 14:43:36 | 02,280,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/12/06 14:43:35 | 02,321,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/12/06 14:42:53 | 00,812,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ws03res.dll
[2008/12/06 14:42:53 | 00,453,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w03a2409.dll
[2008/12/06 14:42:53 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agentdpv.dll
[2008/12/06 14:40:51 | 00,031,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2008/12/06 14:40:51 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl.mui
[2008/12/06 14:40:51 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2008/12/06 14:40:51 | 00,018,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll.mui
[2008/12/06 14:40:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2008/12/06 14:39:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2008/12/06 14:39:28 | 00,561,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2008/12/06 14:39:28 | 00,323,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2008/12/06 14:39:28 | 00,213,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl
[2008/12/06 14:39:28 | 00,202,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuweb.dll
[2008/12/06 14:39:28 | 00,194,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng1.dll
[2008/12/06 14:39:28 | 00,172,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt1.exe
[2008/12/06 14:39:28 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2008/12/06 14:39:28 | 00,034,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll

========== Files - Modified Within 30 Days ==========

[12 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/01/01 16:03:08 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/01 15:00:00 | 00,000,326 | ---- | M] () -- C:\WINDOWS\tasks\ppijyerz.job
[2009/01/01 14:21:13 | 00,471,728 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/01 14:21:13 | 00,405,718 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/01/01 14:21:13 | 00,059,050 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/01/01 14:17:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/01 14:16:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/01 14:09:40 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\kiwofiku
[2009/01/01 13:13:33 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/01 13:11:03 | 00,369,663 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/01/01 12:54:38 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\swtlfwlc.dll
[2009/01/01 12:54:38 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\eyxhut.dll
[2009/01/01 12:48:17 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/01 12:47:03 | 00,083,638 | -HS- | M] () -- C:\WINDOWS\System32\tepenune.dll
[2009/01/01 12:01:06 | 00,083,645 | -HS- | M] () -- C:\WINDOWS\System32\dasusuzo.dll
[2009/01/01 11:38:21 | 00,083,770 | -HS- | M] () -- C:\WINDOWS\System32\kijijuvu.dll
[2009/01/01 11:15:49 | 00,086,091 | -HS- | M] () -- C:\WINDOWS\System32\juzibogo.dll
[2008/12/31 16:28:58 | 01,262,918 | -HS- | M] () -- C:\WINDOWS\System32\emadisem.ini
[2008/12/30 22:57:28 | 01,262,900 | -HS- | M] () -- C:\WINDOWS\System32\oseyulim.ini
[2008/12/30 10:57:17 | 01,262,893 | -HS- | M] () -- C:\WINDOWS\System32\emutitar.ini
[2008/12/27 22:56:16 | 00,061,188 | -HS- | M] () -- C:\WINDOWS\System32\gusehuto.dll
[2008/12/27 13:21:26 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
[2008/12/25 23:35:25 | 00,000,084 | -HS- | M] () -- C:\Documents and Settings\Administrator\My Documents\desktop.ini
[2008/12/25 23:33:03 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2008/12/25 23:30:40 | 00,097,456 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/25 23:11:40 | 00,001,374 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Configuration Wizard.lnk
[2008/12/25 23:11:40 | 00,000,099 | -HS- | M] () -- C:\Documents and Settings\All Users\Desktop\desktop.ini
[2008/12/25 23:09:58 | 00,000,208 | RHS- | M] () -- C:\boot.ini
[2008/12/25 23:03:28 | 00,297,072 | RHS- | M] () -- C:\ntldr
[2008/12/25 23:03:28 | 00,047,772 | RHS- | M] () -- C:\NTDETECT.COM
[2008/12/25 19:51:05 | 00,000,153 | ---- | M] () -- C:\WINDOWS\Wininit.ini
[2008/12/25 19:05:15 | 00,000,940 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2008/12/23 12:06:28 | 00,062,255 | -HS- | M] () -- C:\WINDOWS\System32\hituyake.dll
[2008/12/20 18:23:00 | 06,933,964 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2008/12/06 18:21:58 | 00,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK

cgesuald
2009-01-03, 14:13
OTViewIt Extras logfile created on: 1/3/2009 7:57:24 AM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VCR2PEVD
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.34 Mb Total Physical Memory | 169.51 Mb Available Physical Memory | 37.89% Memory free
1.04 Gb Paging File | 0.83 Gb Available in Paging File | 79.55% Paging File free
Paging file location(s): c:\pagefile.sys 670 1024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 28.93 Gb Free Space | 38.82% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 12.20 Gb Free Space | 16.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROME
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java(TM) 6 Update 11
"{2b02f824-a9b9-458c-80e5-3ea8c0de8471}"=QuickBooks Premier Edition 2004
"{75CBE62D-E961-42B4-0084-2314E5B00035}"=Symantec Ghost Standard Tools
"{848AC794-8B81-440A-81AE-6474337DB527}"=Symantec AntiVirus
"{90F1943D-EA4A-4460-B59F-30023F3BA69A}"=SmarThru 4
"{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}"=Readiris Pro 7.5
"{AC76BA86-0000-0000-0000-6028747ADE01}"=Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}"=Adobe Reader 6.0.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{F840E2F3-138C-4307-83F7-D0A5DD75B6CE}"=Samsung SCX-4100 Series
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"All ATI Software"=ATI - Software Uninstall Utility
"ATI Display Driver"=ATI Display Driver
"C-Media Audio"=C-Media 3D Audio
"DC++"=DC++ 0.707
"HijackThis"=HijackThis 2.0.2
"LiveUpdate"=LiveUpdate 2.0 (Symantec Corporation)
"Macromedia Shockwave Player"=Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft SQL Server 2000"=Microsoft SQL Server 2000
"Nero - Burning Rom!UninstallKey"=Nero 6 Ultra Edition
"Windows Server 2003 Service Pack"=Windows Server 2003 Service Pack 2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/25/2008 11:41:43 PM | Computer Name = ROME | Source = MSSQLServer | ID = 19011
Description = SuperSocket info: gethostbyname(MSAFD Tcpip [TCP/IP]) : Error 11004.

Error - 12/27/2008 1:21:49 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/27/2008 3:23:04 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.2.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/27/2008 3:23:40 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:44:33 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:45:29 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:50:26 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:51:57 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:54:51 PM | Computer Name = ROME | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.2.3790.3959, faulting
module eyxhut.dll, version 1.2.626.1, fault address 0x00016366.

Error - 1/1/2009 1:56:18 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/25/2008 2:03:58 PM | Computer Name = ROME | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.106 for the Network Card with network
address 00502C0A3912 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 12/25/2008 7:58:30 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 8:08:04 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 8:08:07 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 8:09:01 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 8:09:03 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 11:43:02 PM | Computer Name = ROME | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%1079

Error - 12/25/2008 11:43:49 PM | Computer Name = ROME | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%1079

Error - 12/27/2008 11:55:45 AM | Computer Name = ROME | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:11:34 AM on 12/26/2008 was unexpected.

Error - 12/27/2008 12:58:02 PM | Computer Name = ROME | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:56:49 AM on 12/27/2008 was unexpected.


< End of report >

cgesuald
2009-01-03, 14:14
[2008/12/06 18:20:54 | 00,000,197 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2008/12/06 16:45:59 | 00,000,138 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Online Casino.url
< End of report >
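The "Last 10 Event Log Errors" section above is what a helper reads by eye to spot the rundll32.exe crash inside eyxhut.dll and the Automatic Updates service that will not start. As an added example (not code from the thread or from the tool that produced the report), the following Python script parses entries in that format, including wrapped Description lines, and applies three defender-side rules: a process crashing inside a module that is not on a small known-good list (the list is an assumption for this example), repeated application hangs, and update-service start failures. The sample text is an excerpt of the report posted above.

```python
"""Triage the 'Last 10 Event Log Errors' section of the report quoted above.

Added example for this thread; not code from the report's tool. Rules:
  1. Application Error (ID 1000) whose faulting module is not a known module
  2. Application Hang (ID 1002) counted per application
  3. DCOM 10005 for wuauserv / SCM 7000 for Automatic Updates
"""
import re
from collections import Counter

ENTRY_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
FAULT_RE = re.compile(
    r"Faulting application (\S+), version \S+, faulting module (\S+), "
    r"version \S+, fault address (0x[0-9A-Fa-f]+)")
HANG_RE = re.compile(r"Hanging application (\S+),")
# Assumed minimal baseline for this example. 'hungapp' is the placeholder the
# hang event writes, not a real module.
KNOWN_MODULES = {"hungapp", "ntdll.dll", "kernel32.dll"}
# Win32 error code quoted in the DCOM entries ("%1058"); only the one decoded here.
WIN32_ERRORS = {"1058": "ERROR_SERVICE_DISABLED (the service is disabled)"}


def parse_events(text):
    """Return a list of dicts with when/host/source/id/description."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = m.groupdict()
            cur["id"] = int(cur["id"])
            cur["description"] = ""
            events.append(cur)
        elif not line:
            cur = None                                   # blank line ends an entry
        elif cur is not None and line.startswith("Description = "):
            cur["description"] = line[len("Description = "):]
        elif cur is not None and cur["description"]:
            cur["description"] += " " + line             # wrapped continuation line
    return events


def triage(events):
    """Apply the three rules; returns crashes, hang counts and update failures."""
    crashes, hangs, update_failures = [], Counter(), []
    for ev in events:
        src, desc = ev["source"], ev["description"]
        if src == "Application Error" and ev["id"] == 1000:
            m = FAULT_RE.search(desc)
            if m and m.group(2).lower() not in KNOWN_MODULES:
                crashes.append((ev["when"], m.group(1), m.group(2), m.group(3)))
        elif src == "Application Hang" and ev["id"] == 1002:
            m = HANG_RE.search(desc)
            if m:
                hangs[m.group(1)] += 1
        elif src == "DCOM" and ev["id"] == 10005 and "wuauserv" in desc:
            code = re.search(r'"%(\d+)"', desc)
            reason = (WIN32_ERRORS.get(code.group(1), "error %" + code.group(1))
                      if code else "unknown error")
            update_failures.append((ev["when"], "DCOM could not start wuauserv: " + reason))
        elif src == "Service Control Manager" and ev["id"] == 7000 and "Automatic Updates" in desc:
            update_failures.append((ev["when"], "SCM: Automatic Updates failed to start"))
    return {"crashes": crashes, "hangs": dict(hangs), "update_failures": update_failures}


# Excerpt of the report posted in this thread (six of its entries).
SAMPLE_REPORT = """\
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/27/2008 1:21:49 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/27/2008 3:23:04 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.2.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2009 1:54:51 PM | Computer Name = ROME | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.2.3790.3959, faulting
module eyxhut.dll, version 1.2.626.1, fault address 0x00016366.

Error - 1/1/2009 1:56:18 PM | Computer Name = ROME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.3790.3959, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/25/2008 7:58:30 PM | Computer Name = ROME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/25/2008 11:43:02 PM | Computer Name = ROME | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%1079
"""

if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_REPORT)).items():
        print(key, value)
```

The crash rule is the one that matters most here: rundll32.exe is only a host, so the module it died in (eyxhut.dll, later classified by the Kaspersky scan in this thread) is the file to verify. A service that is disabled (error 1058) and refuses to start is worth a look on its own, since the machine cannot receive updates while it stays that way.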

Blade81
2009-01-03, 14:35
Hi

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

DC++

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\DC++

Empty Recycle Bin.

After that:

Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!


We need to execute an OTMoveIt3 script
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop.
Double click the OTMoveIt3 icon on your desktop.
Paste the following code under the Paste Fix Here area. Do not include the word Code.

:Files
C:\WINDOWS\System32\eyxhut.dll
C:\WINDOWS\System32\swtlfwlc.dll
C:\WINDOWS\System32\emadisem.ini
C:\WINDOWS\System32\oseyulim.ini
C:\WINDOWS\System32\emutitar.ini
C:\WINDOWS\tasks\ppijyerz.job
C:\Documents and Settings\Administrator\My Documents\Online Casino.url
C:\WINDOWS\System32\kiwofiku
C:\WINDOWS\System32\tepenune.dll
C:\WINDOWS\System32\dasusuzo.dll
C:\WINDOWS\System32\kijijuvu.dll
C:\WINDOWS\System32\juzibogo.dll
C:\WINDOWS\System32\gusehuto.dll
C:\WINDOWS\System32\hituyake.dll

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1526D07D-733E-4877-A04B-79E88AE645C0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872}]
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=-
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=-

Push the large MoveIt button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

* Read the requirements and privacy statement then click on the Accept button.
* The program will launch and start to download the latest definition files.
* You will be prompted to install an application from Kaspersky. Click Run.
* Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
* Click on My Computer under Scan.
* Once the scan is complete, it will display the results. Click on View Scan Report.
* Click on Save Report As....
* Change the Files of type to Text file (.txt) before clicking on the Save button.
* Save this report to a convenient place.
* Copy and paste that information into your topic.

The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

cgesuald
2009-01-04, 02:13
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\System32\eyxhut.dll
C:\WINDOWS\System32\eyxhut.dll NOT unregistered.
C:\WINDOWS\System32\eyxhut.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\swtlfwlc.dll
C:\WINDOWS\System32\swtlfwlc.dll NOT unregistered.
C:\WINDOWS\System32\swtlfwlc.dll moved successfully.
C:\WINDOWS\System32\emadisem.ini moved successfully.
C:\WINDOWS\System32\oseyulim.ini moved successfully.
C:\WINDOWS\System32\emutitar.ini moved successfully.
C:\WINDOWS\tasks\ppijyerz.job moved successfully.
C:\Documents and Settings\Administrator\My Documents\Online Casino.url moved successfully.
C:\WINDOWS\System32\kiwofiku moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tepenune.dll
C:\WINDOWS\System32\tepenune.dll NOT unregistered.
C:\WINDOWS\System32\tepenune.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\dasusuzo.dll
C:\WINDOWS\System32\dasusuzo.dll NOT unregistered.
C:\WINDOWS\System32\dasusuzo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kijijuvu.dll
C:\WINDOWS\System32\kijijuvu.dll NOT unregistered.
C:\WINDOWS\System32\kijijuvu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\juzibogo.dll
C:\WINDOWS\System32\juzibogo.dll NOT unregistered.
C:\WINDOWS\System32\juzibogo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gusehuto.dll
C:\WINDOWS\System32\gusehuto.dll NOT unregistered.
C:\WINDOWS\System32\gusehuto.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\hituyake.dll
C:\WINDOWS\System32\hituyake.dll NOT unregistered.
C:\WINDOWS\System32\hituyake.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1526D07D-733E-4877-A04B-79E88AE645C0}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F1AD5CF-7A06-4EBD-A1B7-D81ABCE2D872}\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tabelovako deleted successfully.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tabelovako deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01032009_201109
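Checking a results log like the one above against the script that produced it is easy to get wrong by eye when there are a dozen files and several registry lines. As an added example (not OTMoveIt code and not posted in the thread), the following Python script reads the `:Files` and `:reg` sections of the fix script, reads the FILES/REGISTRY lines of the results log, and reports what was moved, what was moved but could not be unregistered, and what the log never confirmed. The samples are excerpts of the script and log posted in this thread; one file line is deliberately left out of the sample log so the reconciliation has something to report.

```python
"""Reconcile an OTMoveIt3 fix script against the results log it produced.

Added example for this thread; not OTMoveIt code. parse_script() reads the
':Files' and ':reg' sections, parse_results() reads the log, reconcile()
compares the two.
"""
import re

MOVED_RE = re.compile(r"^(.+) moved successfully\.$")
NOT_UNREG_RE = re.compile(r"^(.+) NOT unregistered\.$")
# The log writes 'KEY\\ deleted' for keys and 'KEY\\value deleted' for values.
KEY_DEL_RE = re.compile(r"^Registry key (.+?)\\\\ deleted successfully\.$")
VAL_DEL_RE = re.compile(r"^Registry value (.+?)\\\\(.+?) deleted successfully\.$")


def parse_script(script):
    """Return (files, registry_actions); actions are ('key'|'value', path)."""
    files, actions, section, current_key = [], [], None, None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() in (":files", ":reg"):
            section = line.lower()
        elif section == ":files":
            files.append(line)
        elif section == ":reg":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("key", line[2:-1]))          # [-KEY] deletes the key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]                     # [KEY] selects a key
            elif line.endswith("=-") and current_key:
                name = line[:-2].strip().strip('"')          # "name"=- deletes a value
                actions.append(("value", current_key + "\\" + name))
    return files, actions


def parse_results(log):
    """Return (moved_files, not_unregistered, deleted_registry_paths), lower-cased."""
    moved, not_unreg, deleted = set(), set(), set()
    for line in log.splitlines():
        line = line.strip()
        if m := MOVED_RE.match(line):
            moved.add(m.group(1).lower())
        elif m := NOT_UNREG_RE.match(line):
            not_unreg.add(m.group(1).lower())
        elif m := KEY_DEL_RE.match(line):
            deleted.add(m.group(1).lower())
        elif m := VAL_DEL_RE.match(line):
            deleted.add((m.group(1) + "\\" + m.group(2)).lower())
    return moved, not_unreg, deleted


def reconcile(script, log):
    """Items from the script that the log does not confirm, plus DLLs left registered."""
    files, actions = parse_script(script)
    moved, not_unreg, deleted = parse_results(log)
    return {
        "unconfirmed_files": [f for f in files if f.lower() not in moved],
        "not_unregistered": [f for f in files if f.lower() in not_unreg],
        "unconfirmed_registry": [p for _, p in actions if p.lower() not in deleted],
    }


# Excerpt of the fix script posted in this thread.
SCRIPT = r"""
:Files
C:\WINDOWS\System32\eyxhut.dll
C:\WINDOWS\System32\emadisem.ini
C:\WINDOWS\tasks\ppijyerz.job
C:\WINDOWS\System32\tepenune.dll

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1526D07D-733E-4877-A04B-79E88AE645C0}]
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tabelovako"=-
"""

# Excerpt of the results log posted in reply; the tepenune.dll line is left
# out on purpose so that reconcile() reports it as unconfirmed.
RESULTS = r"""
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\System32\eyxhut.dll
C:\WINDOWS\System32\eyxhut.dll NOT unregistered.
C:\WINDOWS\System32\eyxhut.dll moved successfully.
C:\WINDOWS\System32\emadisem.ini moved successfully.
C:\WINDOWS\tasks\ppijyerz.job moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1526D07D-733E-4877-A04B-79E88AE645C0}\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tabelovako deleted successfully.
"""

if __name__ == "__main__":
    for key, value in reconcile(SCRIPT, RESULTS).items():
        print(key, value)
```

"NOT unregistered" only means the DLL exported no DllUnregisterServer, so its COM registration (the BHO CLSID keys) is not cleaned by the move; that is why the script deletes those keys explicitly in the `:reg` section, and why the reconciliation checks both halves.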

cgesuald
2009-01-04, 02:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:05 PM, on 1/3/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4863 bytes

Blade81
2009-01-04, 11:24
Hi

Were you able to run Kaspersky online scanner? If you did I'd like to see its report too :)

cgesuald
2009-01-04, 13:20
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 03, 2009 23:55:52
Records in database: 1555574
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 37791
Threat name: 16
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 01:23:33


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temp\yyy15822.exe Infected: Trojan.Win32.Agent.ayei 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0000.VBN Infected: Trojan-Downloader.Win32.Agent.awfh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0001.VBN Infected: Trojan-Downloader.Win32.Agent.awfh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02180000.VBN Infected: Trojan-Downloader.Win32.Small.aguh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02180002.VBN Infected: Trojan.Win32.FraudPack.hcv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02180004.VBN Infected: Trojan.Win32.FraudPack.hcv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0218000A.VBN Infected: Trojan-Dropper.Win32.Agent.acog 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0218000C.VBN Infected: Trojan.Win32.Agent.baod 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0218000E.VBN Infected: Trojan-Downloader.Win32.Agent.atfv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02180012.VBN Infected: Trojan.Win32.Agent.bamy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02180014.VBN Infected: Trojan.Win32.Agent.asjk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0000.VBN Infected: Backdoor.Win32.Agent.xbp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0001.VBN Infected: Trojan.Win32.Agent.bbdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\070C0003.VBN Infected: Backdoor.Win32.Agent.xbp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08540000.VBN Infected: Hoax.Win32.Agent.hf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940001.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.fqi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940002.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.fqi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940003.VBN Infected: Trojan.Win32.Monder.aehd 1
C:\_OTMoveIt\MovedFiles\01032009_201109\WINDOWS\System32\eyxhut.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fqb 1
C:\_OTMoveIt\MovedFiles\01032009_201109\WINDOWS\System32\swtlfwlc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fqb 1
D:\utilities\divx\DivXPro502GAINBundle.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 1

The selected area was scanned.

Blade81
2009-01-04, 16:34
Hi


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete following files:
C:\Documents and Settings\Administrator\Local Settings\Temp\yyy15822.exe
D:\utilities\divx\DivXPro502GAINBundle.exe

And files in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine folder.

Reboot and post a fresh hjt log. How's the system running?

cgesuald
2009-01-05, 04:31
I haven't been running much on this machine to limit what could spread the virus further. Preliminarily, the system seems to be running well. This is the latest HJT file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:16 PM, on 1/4/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4797 bytes
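The helper's verdict comes from comparing this log with the earlier ones by eye. As an added example (not HijackThis code and not part of the thread), the Python script below collects the O2/O3/O4/O23 load points from two logs, reports which lines disappeared or appeared, and flags entries by two heuristics drawn from this thread: file or Run-value names built only from consonant-vowel pairs (tepenune, dasusuzo, tabelovako, ...) and BHOs that carry no name. CLEAN_LOG is taken from the log above; INFECTED_LOG adds two constructed lines that reuse a CLSID, a Run value and two DLL names from the OTMoveIt script earlier in the thread (the CLSID-to-DLL pairing is illustrative, not something the thread states).

```python
"""Diff two HijackThis logs and flag load points that resemble the ones removed here.

Added example for this thread; not HijackThis code. The heuristics are triage
signals, not verdicts: a legitimate name like 'lenovo' also matches CV_NAME.
"""
import re

HJT_LINE = re.compile(r"^(O2|O3|O4|O23) - ")
# Names built from consonant+vowel pairs, 3 to 6 pairs long (6 to 12 letters).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,6}$")
FILE_RE = re.compile(r"([A-Za-z0-9_~]+)\.(dll|exe|ocx|cpl)\b", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(\w+)\]")           # O4 value name in brackets


def loadpoints(log_text):
    """Set of O2/O3/O4/O23 lines in a HijackThis log."""
    return {ln.strip() for ln in log_text.splitlines() if HJT_LINE.match(ln.strip())}


def suspicious(line):
    """Reasons this load point deserves a look (empty list if none)."""
    reasons = []
    for base, ext in FILE_RE.findall(line):
        if CV_NAME.match(base.lower()):
            reasons.append(f"consonant-vowel file name {base}.{ext}")
    if line.startswith("O4 - "):
        m = RUN_NAME_RE.search(line)
        if m and CV_NAME.match(m.group(1).lower()):
            reasons.append(f"consonant-vowel Run value name {m.group(1)}")
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("BHO without a name")
    return reasons


def diff_logs(before, after):
    """Return (removed, added) load-point lines between two logs."""
    b, a = loadpoints(before), loadpoints(after)
    return sorted(b - a), sorted(a - b)


def review(before, after):
    """Diff plus the entries still flagged in the newer log."""
    removed, added = diff_logs(before, after)
    flagged = {ln: suspicious(ln) for ln in loadpoints(after) if suspicious(ln)}
    return {"removed": removed, "added": added, "flagged_after": flagged}


# Lines taken from the clean log posted above.
CLEAN_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed 'before' log: the clean lines plus two lines built from names in
# the thread's OTMoveIt script. The CLSID/DLL pairing is illustrative only.
INFECTED_LOG = CLEAN_LOG + r"""
O2 - BHO: (no name) - {1526D07D-733E-4877-A04B-79E88AE645C0} - C:\WINDOWS\System32\tepenune.dll
O4 - HKUS\S-1-5-19\..\Run: [tabelovako] rundll32.exe "C:\WINDOWS\system32\dasusuzo.dll" (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    result = review(INFECTED_LOG, CLEAN_LOG)
    for ln in result["removed"]:
        print("removed:", ln, suspicious(ln))
    print("still flagged:", result["flagged_after"])
```

The diff is the dependable part: a load point that vanished between logs is something the fix touched, and one that appeared is something to explain. The name heuristic only orders the list for a human; the confirmation is still the publisher signature and the scanner verdict on the file, as the Kaspersky report in this thread provided.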

Blade81
2009-01-05, 11:52
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Next we remove all used tools.


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen), click Run, and in the dialog box type services.msc and hit Enter. Locate DNS Client, highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual, then click OK.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and install the firewall ONLY!).



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
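The Internet Explorer hardening steps in the post above set six Custom Level entries on the Internet zone. Those entries live as DWORD values under the zone's registry key, so their state can be audited from a registry export rather than by clicking through the dialog. As an added example (not from the thread), the Python script below parses a .reg export of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, compares it with the settings the post recommends, and emits a .reg fragment that applies them. The numeric value names are the zone action IDs Microsoft documents for these settings (0 = Enable, 1 = Prompt, 3 = Disable); the sample export is constructed, with two weak settings and one missing value so the audit has findings.

```python
"""Audit the Internet Explorer 'Internet' zone against the settings recommended above.

Added example for this thread. Input: text of a .reg export of the zone key
(regedit or 'reg export'). A value absent from the export is reported with
current=None because IE then falls back to the zone template default, which
the export does not show.
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
# value name -> (Custom Level dialog text, recommended setting from the post)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")
DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(reg_text):
    """Return {value_name: int} for the 4-digit DWORD values under the Internet zone key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # [KEY] header selects a key
            in_zone = line.strip("[]").lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values):
    """List of (value_name, description, current, recommended) that deviate."""
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have != want:
            findings.append((name, desc, have, want))
    return findings


def hardened_export():
    """A .reg fragment that applies every recommended setting (constructed output)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (_, want) in RECOMMENDED.items():
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: signed ActiveX download set to Enable, scripting of
# unsafe controls set to Prompt, and the sub-frame setting missing entirely.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000001
"""

if __name__ == "__main__":
    for name, desc, have, want in audit(parse_zone_export(SAMPLE_EXPORT)):
        print(f"{name} {desc}: current={have} recommended={want}")
    print(hardened_export())
```

The audit only covers the six settings the post lists; the rest of the zone template is left as IE configured it. Running the same check after importing the generated fragment should return no findings, which is the test below.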

Blade81
2009-01-11, 14:25
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.