Darn Virtu Removal Question

Status
Not open for further replies.
G

gerieg

New member
I think I got it FINALLY but wanted to post the following logs to be sure:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:56 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
I:\Program Files\Norton Ghost\Agent\VProSvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Norton Ghost\Agent\VProTray.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\explorer.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "I:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Energizer FileSaver.lnk = I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: http://www.tdameritrade.com
O15 - Trusted Zone: *.tdameritrade.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.c-b.com/pw/mpsPwLc7.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - I:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9547 bytes




AND:

ComboFix 08-11-07.01 - Gero 2008-11-07 15:21:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1489 [GMT -5:00]
Running from: i:\documents and settings\Gero\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\documents and settings\Gero\Application Data\shcn7wj0en95
i:\windows\system32\_cbXrQHbb.dll
i:\windows\system32\_itphdq.dll
i:\windows\system32\_rvfgst.dll
i:\windows\system32\_tuvSJCsQ.dll
i:\windows\system32\_vtUmNHYs.dll
i:\windows\system32\adKQAJjl.ini
i:\windows\system32\bbHQrXbc.ini
i:\windows\system32\CbKSAJjl.ini
i:\windows\system32\ehRYyJlm.ini
i:\windows\system32\ffokvnfc.dll
i:\windows\system32\fwjmjnej.dll
i:\windows\system32\geBstroL.dll
i:\windows\system32\gmjblsmy.dll
i:\windows\system32\klUBHkkj.ini
i:\windows\system32\knoUCcdd.ini
i:\windows\system32\lSDJknmp.ini
i:\windows\system32\lSDJknmp.ini2
i:\windows\system32\mcrh.tmp
i:\windows\system32\MUDKUvut.ini
i:\windows\system32\nnnnKeCs.dll
i:\windows\system32\omvpkexs.dll
i:\windows\system32\phcg7wj0en95.bmp
i:\windows\system32\pmnkJDSl.dll
i:\windows\system32\QsCJSvut.ini
i:\windows\system32\sstpsyyy.ini
i:\windows\system32\sxxcpexu.ini
i:\windows\system32\sYHNmUtv.ini
i:\windows\system32\trfwjd.dll
i:\windows\system32\utevxdpy.dll
i:\windows\system32\uypkxysi.ini
i:\windows\system32\vbmryqvh.dll
i:\windows\system32\vGfMoUvw.ini
i:\windows\system32\wklhkktj.dll
i:\windows\system32\xfwnrafi.dll
i:\windows\system32\yymabmdx.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-06 22:16 . 2008-11-07 00:16 <DIR> d-------- i:\documents and settings\Gero\I386
2008-11-06 21:20 . 2008-11-06 21:40 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2008-11-06 21:20 . 2008-11-06 22:07 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 21:13 . 2001-08-23 15:00 11,037 --a------ i:\windows\system32\RUNDLL32.EX_
2008-11-06 19:30 . 2008-10-16 14:07 23,576 --a------ i:\windows\system32\wuapi.dll.mui
2008-11-06 06:40 . 2008-11-06 06:40 313,856 --a------ i:\windows\system32\_ddcCUonk.dll
2008-11-01 12:17 . 2001-08-17 14:56 66,048 --a--c--- i:\windows\system32\dllcache\s3legacy.dll
2008-10-14 18:40 . 2008-10-14 18:40 <DIR> d-------- i:\documents and settings\All Users\Application Data\Blizzard
2008-10-08 12:47 . 2008-11-05 23:29 4,196,675 --a------ i:\windows\pfirewall.log.old
2008-10-07 10:42 . 2008-10-07 10:42 99,584 --a------ i:\windows\system32\drivers\ndisio.sys
2008-10-07 10:42 . 2008-10-07 10:42 33,792 ---h----- i:\documents and settings\Gero\bvxmg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 20:24 --------- d-----w i:\program files\Symantec AntiVirus
2008-11-07 20:17 --------- d-----w i:\documents and settings\Gero\Application Data\BitTorrent
2008-10-29 04:10 --------- d-----w i:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-06 23:25 --------- d-----w i:\program files\Common Files\Blizzard Entertainment
2008-10-03 05:29 --------- d-----w i:\program files\iTunes
2008-10-03 05:29 --------- d-----w i:\program files\iPod
2008-10-03 05:29 --------- d-----w i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 05:28 --------- d-----w i:\program files\QuickTime
2008-10-03 05:28 --------- d-----w i:\program files\Common Files\Apple
2008-10-03 05:28 --------- d-----w i:\program files\Bonjour
2008-10-03 05:27 --------- d-----w i:\program files\Apple Software Update
2008-09-09 23:24 --------- d-----w i:\program files\DivX
2008-09-09 00:54 --------- d-----w i:\program files\WinISO
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="i:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="i:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Norton Ghost 12.0"="i:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 2037088]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Energizer FileSaver.lnk - i:\program files\Energizer FileSaver\Energizer FileSaver.exe [2003-02-19 976896]

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=i:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 i:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-10-12 21:22 287040 i:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell MFP Color Laser Printer 3115cn Launcher]
--a------ 2006-12-23 14:38 635800 i:\program files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2006-12-07 16:52 340888 i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 i:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 i:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-06-30 18:08 40960 i:\program files\Dell Printers\paperport\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 i:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 i:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 i:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 i:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-06-30 18:08 36864 i:\program files\Dell Printers\paperport\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 i:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 i:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--------- 2003-10-14 10:22 155648 i:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 i:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 i:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 i:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WZCSVC"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\program files\Microsoft ActiveSync\rapimgr.exe"= i:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"i:\program files\Microsoft ActiveSync\wcescomm.exe"= i:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"i:\program files\Microsoft ActiveSync\WCESMgr.exe"= i:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"i:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"i:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"8086:TCP"= 8086:TCP:*:Disabled:Blizzard
"9081:TCP"= 9081:TCP:Blizzard
"9090:TCP"= 9090:TCP:Blizzard
"9097:TCP"= 9097:TCP:Blizzard
"9100:TCP"= 9100:TCP:Blizzard

R2 DLSDB;Dell Printer Status Database;i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-07 i:\windows\Tasks\At1.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At10.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At11.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At12.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At13.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At14.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At15.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At16.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-06 i:\windows\Tasks\At17.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-06 i:\windows\Tasks\At18.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-06 i:\windows\Tasks\At19.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At2.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At20.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-06 i:\windows\Tasks\At21.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At22.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At23.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At24.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At25.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At26.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At27.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At28.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At29.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At3.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At30.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At31.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At32.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At33.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At34.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At35.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At36.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At37.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At38.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At39.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At4.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At40.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-06 i:\windows\Tasks\At41.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-06 i:\windows\Tasks\At42.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-06 i:\windows\Tasks\At43.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At44.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-06 i:\windows\Tasks\At45.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At46.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At47.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At48.job
- i:\windows\system32\3F2s4tu4.exe []

2008-11-07 i:\windows\Tasks\At5.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At6.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At7.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At8.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-07 i:\windows\Tasks\At9.job
- i:\windows\system32\TWA3V07x.exe []

2008-11-03 i:\windows\Tasks\Backup.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]

2008-11-07 i:\windows\Tasks\backupincremental.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{069A035F-78BA-48CB-889A-64F07D2B7A29} - i:\windows\system32\pmnkJDSl.dll
BHO-{6ED59772-F4EB-4FDE-BBB3-E939952686BF} - i:\windows\system32\nnnnKeCs.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{6ED59772-F4EB-4FDE-BBB3-E939952686BF} - i:\windows\system32\nnnnKeCs.dll
MSConfigStartUp-088bbec6 - i:\windows\system32\yymabmdx.dll
MSConfigStartUp-BitZip - Powered by Miro - i:\program files\Participatory Culture Foundation\Miro\Miro.exe
MSConfigStartUp-lphcg7wj0en95 - i:\windows\system32\lphcg7wj0en95.exe
MSConfigStartUp-mkymm - i:\windows\system32\mkymm.exe
MSConfigStartUp-SearchSettings - i:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-SMshcn7wj0en95 - i:\program files\shcn7wj0en95\shcn7wj0en95.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://drudgereport.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Convert link target to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 -: Trusted Zone: *.tdameritrade.com
O17 -: HKLM\CCS\Interface\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187

O16 -: {2FE68711-8830-417D-95E0-EAB307DB0447} - hxxps://prolog.c-b.com/pw/mpsPwLc7.CAB
i:\windows\Downloaded Program Files\mpsPwLc6.inf
i:\windows\system32\msvbvm60.dll
i:\windows\system32\oleaut32.dll
i:\windows\system32\olepro32.dll
i:\windows\system32\asycfilt.dll
i:\windows\system32\stdole2.tlb
i:\windows\system32\comcat.dll
i:\windows\Downloaded Program Files\mpsPwLc7.ocx

O16 -: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
i:\windows\Downloaded Program Files\mapviewer.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 15:25:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Symantec Shared\ccSetMgr.exe
i:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
i:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
i:\program files\Lavasoft\Ad-Aware\aawservice.exe
i:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
i:\program files\Symantec AntiVirus\DefWatch.exe
i:\program files\Norton Ghost\Agent\VProSvc.exe
i:\windows\system32\nvsvc32.exe
i:\program files\Symantec AntiVirus\Rtvscan.exe
i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
i:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-07 15:28:10 - machine was rebooted [Gero]
ComboFix-quarantined-files.txt 2008-11-07 20:28:06

Pre-Run: 254,863,142,912 bytes free
Post-Run: 254,840,377,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

354 --- E O F --- 2008-10-29 02:14:49


THANK YOU SO MUCH IN ADVANCE!!!

Gerie
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Click to expand...
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
laechel.gif


Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
 
Thanks

For the prompt Response. Her eis the requested data:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Gero at 2008-11-08 08:45:20
Microsoft Windows XP Professional Service Pack 2
System drive I: has 243 GB (80%) free of 305 GB
Total RAM: 2046 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:23 AM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
I:\Program Files\Norton Ghost\Agent\VProSvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
I:\WINDOWS\Explorer.EXE
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Norton Ghost\Agent\VProTray.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\WINDOWS\system32\wuauclt.exe
I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
I:\Documents and Settings\Gero\Desktop\RSIT.exe
I:\Program Files\Trend Micro\HijackThis\Gero.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=I:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "I:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Energizer FileSaver.lnk = I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: http://www.tdameritrade.com
O15 - Trusted Zone: *.tdameritrade.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.c-b.com/pw/mpsPwLc7.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: nnnnKeCs - I:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - I:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9876 bytes

======Scheduled tasks folder======

I:\WINDOWS\tasks\AppleSoftwareUpdate.job
I:\WINDOWS\tasks\At1.job
I:\WINDOWS\tasks\At10.job
I:\WINDOWS\tasks\At11.job
I:\WINDOWS\tasks\At12.job
I:\WINDOWS\tasks\At13.job
I:\WINDOWS\tasks\At14.job
I:\WINDOWS\tasks\At15.job
I:\WINDOWS\tasks\At16.job
I:\WINDOWS\tasks\At17.job
I:\WINDOWS\tasks\At18.job
I:\WINDOWS\tasks\At19.job
I:\WINDOWS\tasks\At2.job
I:\WINDOWS\tasks\At20.job
I:\WINDOWS\tasks\At21.job
I:\WINDOWS\tasks\At22.job
I:\WINDOWS\tasks\At23.job
I:\WINDOWS\tasks\At24.job
I:\WINDOWS\tasks\At25.job
I:\WINDOWS\tasks\At26.job
I:\WINDOWS\tasks\At27.job
I:\WINDOWS\tasks\At28.job
I:\WINDOWS\tasks\At29.job
I:\WINDOWS\tasks\At3.job
I:\WINDOWS\tasks\At30.job
I:\WINDOWS\tasks\At31.job
I:\WINDOWS\tasks\At32.job
I:\WINDOWS\tasks\At33.job
I:\WINDOWS\tasks\At34.job
I:\WINDOWS\tasks\At35.job
I:\WINDOWS\tasks\At36.job
I:\WINDOWS\tasks\At37.job
I:\WINDOWS\tasks\At38.job
I:\WINDOWS\tasks\At39.job
I:\WINDOWS\tasks\At4.job
I:\WINDOWS\tasks\At40.job
I:\WINDOWS\tasks\At41.job
I:\WINDOWS\tasks\At42.job
I:\WINDOWS\tasks\At43.job
I:\WINDOWS\tasks\At44.job
I:\WINDOWS\tasks\At45.job
I:\WINDOWS\tasks\At46.job
I:\WINDOWS\tasks\At47.job
I:\WINDOWS\tasks\At48.job
I:\WINDOWS\tasks\At5.job
I:\WINDOWS\tasks\At6.job
I:\WINDOWS\tasks\At7.job
I:\WINDOWS\tasks\At8.job
I:\WINDOWS\tasks\At9.job
I:\WINDOWS\tasks\Backup.job
I:\WINDOWS\tasks\backupincremental.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll [2008-05-15 161096]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vptray"=I:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
"Norton Ghost 12.0"=I:\Program Files\Norton Ghost\Agent\VProTray.exe [2008-01-10 2037088]
"ccApp"=I:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
"NvCplDaemon"=I:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"=I:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"ctfmon.exe"=I:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
I:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
I:\Program Files\DNA\btdna.exe [2008-10-12 287040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
I:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell MFP Color Laser Printer 3115cn Launcher]
I:\Program Files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe [2006-12-23 635800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [2006-12-07 340888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
I:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
I:\Program Files\Dell Printers\paperport\IndexSearch.exe [2006-06-30 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
I:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
I:\WINDOWS\system32\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
I:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
I:\WINDOWS\system32\NvMcTray.dll [2007-12-05 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
I:\Program Files\Dell Printers\paperport\pptd40nt.exe [2006-06-30 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
I:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
I:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
I:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-03 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3
"Apple Mobile Device"=2
"WZCSVC"=2
"FastUserSwitchingCompatibility"=3
"WMPNetworkSvc"=3
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"Adobe LM Service"=3

I:\Documents and Settings\All Users\Start Menu\Programs\Startup
Energizer FileSaver.lnk - I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
I:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnKeCs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
I:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - I:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - I:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=I:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"I:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="I:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"I:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="I:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"="I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"="I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"I:\Program Files\BitTorrent\bittorrent.exe"="I:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"I:\Program Files\iTunes\iTunes.exe"="I:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"I:\Program Files\Yahoo!\Messenger\YServer.exe"="I:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"="C:\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"I:\WINDOWS\explorer.exe"="I:\WINDOWS\explorer.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"="I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"="I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2008-11-08 08:45:20 ----D---- I:\rsit
2008-11-07 17:33:22 ----SHD---- I:\RECYCLER
2008-11-07 15:35:50 ----D---- I:\Program Files\Trend Micro
2008-11-07 15:28:11 ----A---- I:\ComboFix.txt
2008-11-07 15:20:40 ----A---- I:\Boot.bak
2008-11-07 15:20:37 ----RASHD---- I:\cmdcons
2008-11-07 15:19:42 ----D---- I:\ComboFix
2008-11-07 15:01:09 ----A---- I:\WINDOWS\zip.exe
2008-11-07 15:01:09 ----A---- I:\WINDOWS\SWREG.exe
2008-11-07 15:01:09 ----A---- I:\WINDOWS\NIRCMD.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\VFIND.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\SWXCACLS.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\SWSC.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\sed.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\grep.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\fdsv.exe
2008-11-07 15:01:04 ----D---- I:\WINDOWS\ERDNT
2008-11-07 15:01:04 ----D---- I:\Qoobox
2008-11-06 21:20:15 ----D---- I:\Program Files\Spybot - Search & Destroy
2008-11-06 21:20:15 ----D---- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 19:34:42 ----D---- I:\WINDOWS\CSC
2008-11-06 19:34:36 ----A---- I:\WINDOWS\ntbtlog.txt
2008-11-06 19:30:54 ----A---- I:\WINDOWS\system32\wuapi.dll.mui
2008-11-06 06:40:50 ----A---- I:\WINDOWS\system32\_ddcCUonk.dll
2008-10-28 23:28:43 ----A---- I:\WINDOWS\system32\03a87ab8-.txt
2008-10-25 02:00:19 ----HDC---- I:\WINDOWS\$NtUninstallKB958644$
2008-10-16 02:02:04 ----HDC---- I:\WINDOWS\$NtUninstallKB956803$
2008-10-16 02:01:59 ----HDC---- I:\WINDOWS\$NtUninstallKB956391$
2008-10-16 02:01:55 ----HDC---- I:\WINDOWS\$NtUninstallKB957095$
2008-10-16 02:01:32 ----HDC---- I:\WINDOWS\$NtUninstallKB954211$
2008-10-16 02:01:21 ----HDC---- I:\WINDOWS\$NtUninstallKB956841$
2008-10-14 18:40:42 ----D---- I:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 1 months======

2008-11-08 08:40:08 ----D---- I:\WINDOWS\Prefetch
2008-11-08 08:40:04 ----D---- I:\Program Files\Symantec AntiVirus
2008-11-08 08:39:31 ----D---- I:\WINDOWS\Temp
2008-11-07 21:43:45 ----A---- I:\WINDOWS\SchedLgU.Txt
2008-11-07 20:53:17 ----D---- I:\Documents and Settings\Gero\Application Data\BitTorrent
2008-11-07 16:59:11 ----D---- I:\WINDOWS
2008-11-07 15:35:50 ----RD---- I:\Program Files
2008-11-07 15:28:12 ----D---- I:\WINDOWS\system32\drivers
2008-11-07 15:28:12 ----D---- I:\WINDOWS\system32
2008-11-07 15:27:43 ----D---- I:\WINDOWS\system32\CatRoot2
2008-11-07 15:25:05 ----A---- I:\WINDOWS\system.ini
2008-11-07 15:22:40 ----D---- I:\WINDOWS\system32\config
2008-11-07 15:21:42 ----D---- I:\WINDOWS\AppPatch
2008-11-07 15:21:42 ----D---- I:\Program Files\Common Files
2008-11-07 15:20:40 ----RASH---- I:\boot.ini
2008-11-07 15:01:08 ----SHD---- I:\System Volume Information
2008-11-07 15:01:08 ----D---- I:\WINDOWS\system32\Restore
2008-11-07 00:59:30 ----A---- I:\WINDOWS\NeroDigital.ini
2008-11-07 00:22:57 ----RSHDC---- I:\WINDOWS\system32\dllcache
2008-11-07 00:11:03 ----A---- I:\WINDOWS\win.ini
2008-11-06 19:30:58 ----HD---- I:\WINDOWS\inf
2008-11-06 19:30:58 ----D---- I:\WINDOWS\Help
2008-11-06 02:00:39 ----D---- I:\WINDOWS\Registration
2008-11-02 12:29:29 ----A---- I:\WINDOWS\system32\PerfStringBackup.INI
2008-11-02 03:07:08 ----SD---- I:\WINDOWS\Tasks
2008-10-28 23:11:01 ----SHD---- I:\WINDOWS\Installer
2008-10-28 23:10:54 ----D---- I:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-25 02:00:25 ----A---- I:\WINDOWS\imsins.BAK
2008-10-25 02:00:16 ----HD---- I:\WINDOWS\$hf_mig$
2008-10-16 14:13:40 ----A---- I:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- I:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- I:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- I:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- I:\WINDOWS\system32\wups.dll
2008-10-16 14:07:14 ----A---- I:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 02:07:59 ----D---- I:\Program Files\Internet Explorer
2008-10-15 11:57:55 ----A---- I:\WINDOWS\system32\netapi32.dll
2008-10-12 21:27:32 ----D---- I:\WINDOWS\pss

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; I:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 eeCtrl;Symantec Eraser Control driver; \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SAVRT;SAVRT; \??\I:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\I:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; I:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
R2 Aspi32;Aspi32; I:\WINDOWS\System32\drivers\aspi32.sys [2004-07-16 16512]
R2 v2imount;Symantec V2i Mount Driver; I:\WINDOWS\system32\DRIVERS\v2imount.sys [2007-03-28 37864]
R3 AgereSoftModem;Agere Systems Soft Modem; I:\WINDOWS\system32\DRIVERS\AGRSM.sys [2007-10-30 1201632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; I:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hidusb;Microsoft HID Class Driver; I:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 NAVENG;NAVENG; \??\I:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081107.008\naveng.sys []
R3 NAVEX15;NAVEX15; \??\I:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081107.008\navex15.sys []
R3 nv;nv; I:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 Passthru;Service; I:\WINDOWS\system32\DRIVERS\ndisio.sys [2008-10-07 99584]
R3 SymEvent;SymEvent; \??\I:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbaudio;USB Audio Driver (WDM); I:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
R3 usbccgp;Microsoft USB Generic Parent Driver; I:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; I:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; I:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; I:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; I:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; I:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbstor;USB Mass Storage Driver; I:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; I:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\I:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 SYMREDRV;SYMREDRV; I:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
S3 usb_rndisx;USB RNDIS Adapter; I:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-20 12800]
S3 VProEventMonitor;Symantec Event Monitor Driver; I:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys [2007-07-31 14072]
S3 wceusbsh;Windows CE USB Serial Host Driver; I:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WimFltr;WimFltr; I:\WINDOWS\system32\DRIVERS\wimfltr.sys [2007-03-28 128104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; I:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; I:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; I:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-06-08 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 ccEvtMgr;Symantec Event Manager; I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
R2 ccSetMgr;Symantec Settings Manager; I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
R2 DefWatch;Symantec AntiVirus Definition Watcher; I:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
R2 DLPWD;Dell Printer Status Watcher; I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [2006-12-07 95128]
R2 DLSDB;Dell Printer Status Database; I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 Norton Ghost;Norton Ghost; I:\Program Files\Norton Ghost\Agent\VProSvc.exe [2008-01-10 3372384]
R2 NVSvc;NVIDIA Display Driver Service; I:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 SPBBCSvc;Symantec SPBBCSvc; I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
R2 Symantec AntiVirus;Symantec AntiVirus; I:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
S3 Adobe LM Service;Adobe LM Service; I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-01-29 69632]
S3 aspnet_state;ASP.NET State Service; I:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 Bonjour Service;Bonjour Service; I:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; I:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; i:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; I:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 SavRoam;SAVRoam; I:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 SNDSrvc;Symantec Network Drivers Service; I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; I:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 Apple Mobile Device;Apple Mobile Device; I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
S4 iPod Service;iPod Service; I:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; I:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; I:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 odserv;Microsoft Office Diagnostics Service; I:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S4 ose;Office Source Engine; I:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; I:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------




info.txt logfile of random's system information tool 1.04 2008-11-08 08:45:25

======Uninstall list======

-->I:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 I:\WINDOWS\INF\PCHealth.inf
3GP Player 2008-->"I:\Program Files\3GP Player\unins000.exe"
7-Zip 4.57-->"I:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX-->I:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems PCI-SV92PP Soft Modem-->agrsmdel
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Coupon Printer for Windows-->"I:\Program Files\Coupons\uninstall.exe" "/U:I:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell MFP Laser 3115cn ScanButton Manager Ver.1.1.0.0-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{8DA7286C-FBF6-48E4-A24A-FA9481EF4C0F}\setup.exe" -l0x9 UNINSTALL -removeonly
Dell MFP Laser 3115cn Scanner Driver Ver.1.1.6.0-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{FDEC0704-D15E-4DB8-A624-2256DD4C65D7}\setup.exe" -l0x9 UNINSTALL -removeonly
Dell MFP Laser 3115cn Utilities Ver.1.0.1.0-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{86CEBAE9-5752-414A-86BC-170154E30E2A}\setup.exe" -l0x9 UNINSTALL -removeonly
Dell Printer Software-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{105F3CE5-FE55-408E-BF30-E78F85BA0B12}\setup.exe" -l0x9 /UninstallOnly
DivX Codec-->I:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->I:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->I:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->I:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only)-->"I:\Program Files\DVD Decrypter\uninstall.exe"
dvdSanta 4.00-->"I:\Program Files\dvdSanta\unins000.exe"
Energizer FileSaver 4.2.1-->"I:\Program Files\Energizer FileSaver\unins000.exe"
HijackThis 2.0.2-->"I:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->I:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"I:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"I:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"I:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344)-->"I:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB909394)-->"I:\WINDOWS\$NtUninstallKB909394$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"I:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"I:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"I:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"I:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ImgBurn-->"I:\Program Files\ImgBurn\uninstall.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate 3.2 (Symantec Corporation)-->"I:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Marvell Miniport Driver-->I:\Program Files\Marvell\Miniport Driver\Uninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"I:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "I:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"I:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"I:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"I:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"I:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"I:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"I:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero Media Player-->I:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM-->I:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2-->I:\WINDOWS\UNNeroVision.exe /UNINSTALL
Norton Ghost-->MsiExec.exe /I{B0255743-165B-4BD5-8DA8-37DFB9930012}
NVIDIA Drivers-->I:\WINDOWS\system32\nvuide.exe UninstallGUI
PowerDVD-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6-->I:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{E9ED0801-253D-4FE9-AB20-F63DEFE72547}
ScanSoft PaperPort 10-->MsiExec.exe /I{9C819486-7BC9-4423-9268-B484D9822B73}
Security Update for Windows Internet Explorer 7 (KB938127)-->"I:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"I:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"I:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"I:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"I:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"I:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"I:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"I:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"I:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"I:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"I:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"I:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"I:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"I:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"I:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"I:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"I:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"I:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"I:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"I:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"I:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"I:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"I:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"I:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"I:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"I:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"I:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"I:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"I:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"I:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"I:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"I:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"I:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"I:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"I:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"I:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"I:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"I:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"I:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"I:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"I:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"I:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->I:\WINDOWS\system32\MacroMed\Flash\genuinst.exe I:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"I:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"I:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"I:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"I:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"I:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"I:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"I:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"I:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"I:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"I:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"I:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"I:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"I:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"I:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"I:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"I:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"I:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"I:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"I:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"I:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"I:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"I:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"I:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"I:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"I:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"I:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"I:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"I:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"I:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"I:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"I:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"I:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"I:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"I:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"I:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"I:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"I:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"I:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"I:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"I:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"I:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"I:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"I:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"I:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"I:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"I:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"I:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"I:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"I:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"I:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"I:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"I:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"I:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"I:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"I:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"I:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SnagIt 9-->MsiExec.exe /I{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}
Spybot - Search & Destroy-->"I:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super DVD Ripper (remove only)-->"I:\Program Files\Super DVD Ripper\sdvd-uninst.exe"
Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
TeamSpeak 2 RC2-->"I:\Program Files\Teamspeak2_RC2\unins000.exe"
TurboTax Basic 2003-->I:\Program Files\TurboTax\Basic 2003\TaxUnst.EXE "I:\Program Files\TurboTax\Basic 2003\Uninstall.log" -NoGui
Update for Windows XP (KB894391)-->"I:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"I:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"I:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"I:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"I:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"I:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"I:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"I:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920342)-->"I:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"I:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"I:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"I:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"I:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"I:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"I:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"I:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"I:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"I:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"I:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"I:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6e-->I:\Program Files\VideoLAN\VLC\uninstall.exe
VZAccess Manager-->I:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE I:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
WexTech AnswerWorks-->RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\setup.exe" -l0x9 -eliminate
Windows Imaging Component-->"I:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"I:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"I:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"I:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"I:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"I:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"I:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"I:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Hotfix - KB873339-->I:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->I:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->I:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->I:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->I:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->I:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"I:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->I:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinISO 5.3-->"I:\Program Files\WinISO\unins000.exe"
WinRAR archiver-->I:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->I:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Wrath of the Lich King Beta-->I:\Program Files\Common Files\Blizzard Entertainment\Wrath of the Lich King\Uninstall.exe
XviD MPEG-4 Video Codec-->I:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 I:\WINDOWS\INF\xvid.inf
Yahoo! Messenger-->I:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U I:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: Symantec AntiVirus Corporate Edition

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;I:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;I:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=I:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------
 
Step 1


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
i:\windows\system32\drivers\ndisio.sys
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
i:\windows\system32\RUNDLL32.EX_

If Virustotal is too busy please try Jotti

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
F2 - REG:system.inC: UserInit=C:\WINDOWS\system32\userinit.exe
If you did not add these to your trusted zone, I recommend that you remove them
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: http://www.tdameritrade.com
O15 - Trusted Zone: *.tdameritrade.com

O20 - Winlogon Notify: nnnnKeCs - C:\WINDOWS\
Click to expand...
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


----------------------------------------------------------- -----------------------------------------------------------
Step 4


OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Files )
Code: 
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"I:\Program Files\BitTorrent\bittorrent.exe"=-

:Files
i:\windows\system32\_ddcCUonk.dll
i:\windows\system32\drivers\ndisio.sys
i:\documents and settings\Gero\bvxmg.exe
i:\documents and settings\Gero\Application Data\BitTorrent
I:\WINDOWS\tasks\At*.job
:Commands
[Purity]
[EmptyTemp]
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------- -----------------------------------------------------------
Step 5


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 6

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Virus Total Results
  • MalwareBytes Log
  • A fresh RSIT log ( only one will be produced this time)

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) .
 
Thanks Again

I will post the results as I work through your list.Here is the first upload results:
MD5: c51fe8b34b83ed73fad8c75dc876b1bd
First received: 10.26.2008 21:13:54 (CET)
Date: 11.07.2008 23:05:59 (CET) [<1D]
Results: 13/36
Permalink: analisis/6271994c6719f1e4451f911e3d9d43dd


File ndisio.sys received on 11.07.2008 23:05:17 (CET)
Current status: finished

Result: 13/36 (36.11%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.11.7.1 2008.11.07 -
AntiVir 7.9.0.26 2008.11.07 TR/Dropper.Gen
Authentium 5.1.0.4 2008.11.07 -
Avast 4.8.1248.0 2008.11.07 Win32:Rootkit-gen
AVG 8.0.0.161 2008.11.07 BackDoor.Generic10.WEO
BitDefender 7.2 2008.11.07 -
CAT-QuickHeal 9.50 2008.11.07 -
ClamAV 0.94.1 2008.11.07 -
DrWeb 4.44.0.09170 2008.11.07 Trojan.Spambot.3554
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6198 2008.11.07 -
Ewido 4.0 2008.11.07 -
F-Prot 4.4.4.56 2008.11.07 -
F-Secure 8.0.14332.0 2008.11.07 Rootkit.Win32.Agent.eqo
Fortinet 3.117.0.0 2008.11.07 PossibleThreat
GData 19 2008.11.07 Win32:Rootkit-gen
Ikarus T3.1.1.45.0 2008.11.07 Rootkit.Win32.Agent.eqo
K7AntiVirus 7.10.519 2008.11.07 -
Kaspersky 7.0.0.125 2008.11.07 Rootkit.Win32.Agent.eqo
McAfee 5427 2008.11.07 -
Microsoft 1.4104 2008.11.07 -
NOD32 3596 2008.11.07 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.07 Trj/Downloader.MDW
PCTools 4.4.2.0 2008.11.07 -
Prevx1 V2 2008.11.07 Malicious Software
Rising 21.02.42.00 2008.11.07 -
SecureWeb-Gateway 6.7.6 2008.11.07 Trojan.Dropper.Gen
Sophos 4.35.0 2008.11.07 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.07 -
TheHacker 6.3.1.1.144 2008.11.07 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.7.1457 2008.11.07 Spyware.Agent.RootKit.99584
VirusBuster 4.5.11.0 2008.11.07 -
Additional information
File size: 99584 bytes
MD5...: c51fe8b34b83ed73fad8c75dc876b1bd
SHA1..: f5f3971422975061d72609f296b58b74741a7230
SHA256: bcfd0272261260ea38ea4fa70f4b5de62aebac03d99ee43d16bf5dc63cbe1eec
SHA512: db721b7debc7ca16fca424e9c928d17859585157057d74db7c6926a74936f8d5
bac97a8f207f08b37a8839359a5ed4d8b4dcd7902625aff4db8b2895ebce1d97
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.4%)
Generic Win/DOS Executable (33.2%)
DOS Executable Generic (33.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x118e8
timedatestamp.....: 0x40753f8d (Thu Apr 08 12:03:25 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2080 0x2080 2.64 e409c4a215b06fe786a58ff326485059
.data 0x3080 0x139c0 0x139c0 7.57 a3a366f8b85cd39226bca7c79c8fc6a7
.idata 0x16a40 0x380 0x380 5.51 f85e24233c6bd8f04ef66c811b11f835
.reloc 0x16dc0 0x1740 0x1740 0.02 c5ce4c6daf79e768e93bbfe89e378b7e

( 1 imports )
> ntoskrnl.exe: FsRtlMdlRead, NtNotifyChangeDirectoryFile, KeSetDmaIoCoherency, RtlUpcaseUnicodeChar, ZwFreeVirtualMemory, KeSetEventBoostPriority, ExLocalTimeToSystemTime, SeCaptureSubjectContext, PsCreateSystemThread, InbvNotifyDisplayOwnershipLost, wcscmp, RtlDecompressBuffer, ZwQuerySystemInformation, IoInitializeRemoveLockEx, ExFreePool, ExfInterlockedInsertHeadList, ZwUnloadDriver, IoGetRelatedDeviceObject, IoCreateDriver, NtOpenProcessToken, _itow, ExAllocatePool, LpcRequestWaitReplyPort, IoRegisterDriverReinitialization, ExNotifyCallback

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4DAF2C36003A89EB85030115AABBAB00AEAB4658


rundll32:

File RUNDLL32.EX_ received on 11.08.2008 18:19:02 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.11.7.1 2008.11.08 -
AntiVir 7.9.0.26 2008.11.07 -
Authentium 5.1.0.4 2008.11.07 -
Avast 4.8.1248.0 2008.11.08 -
AVG 8.0.0.161 2008.11.08 -
BitDefender 7.2 2008.11.08 -
CAT-QuickHeal 9.50 2008.11.08 -
ClamAV 0.94.1 2008.11.08 -
DrWeb 4.44.0.09170 2008.11.08 -
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6199 2008.11.08 -
Ewido 4.0 2008.11.08 -
F-Prot 4.4.4.56 2008.11.07 -
F-Secure 8.0.14332.0 2008.11.08 -
Fortinet 3.117.0.0 2008.11.08 -
GData 19 2008.11.08 -
Ikarus T3.1.1.45.0 2008.11.08 -
K7AntiVirus 7.10.520 2008.11.08 -
Kaspersky 7.0.0.125 2008.11.08 -
McAfee 5427 2008.11.07 -
Microsoft 1.4104 2008.11.08 -
NOD32 3596 2008.11.07 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.08 -
PCTools 4.4.2.0 2008.11.08 -
Prevx1 V2 2008.11.08 -
Rising 21.02.52.00 2008.11.08 -
SecureWeb-Gateway 6.7.6 2008.11.08 -
Sophos 4.35.0 2008.11.08 -
Sunbelt 3.1.1785.2 2008.11.08 -
Symantec 10 2008.11.08 -
TheHacker 6.3.1.1.145 2008.11.08 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.07 -
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.08 -
Additional information
File size: 11037 bytes
MD5...: 7a4640c229eb1464e2a3609cb70e5a57
SHA1..: ec179c1ca4d1f8b17b3ef0b4e9a52b680a8c46d1
SHA256: 518d5b9f6dd55a6eea85c650147e37c382e7634403e1e2fe292dd965e9c7ee7d
SHA512: df6eb2cbd7133a20e03b4f6eea95f1a3542282db1a36da1084a4e5c55fc369de
f78407030f3c508f0c19b7f6ad9f1c182f1c18cba70d693f42a801b240f834d1
PEiD..: -
TrID..: File type identification
Microsoft Cabinet Archive (99.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: -



Disabled Tea and restarting now
 
More of my to do list :)

Step 3 completed!

Step 4 results:

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\I:\Program Files\BitTorrent\bittorrent.exe deleted successfully.
========== FILES ==========
DllUnregisterServer procedure not found in i:\windows\system32\_ddcCUonk.dll
i:\windows\system32\_ddcCUonk.dll NOT unregistered.
i:\windows\system32\_ddcCUonk.dll moved successfully.
i:\windows\system32\drivers\ndisio.sys moved successfully.
i:\documents and settings\Gero\bvxmg.exe moved successfully.
i:\documents and settings\Gero\Application Data\BitTorrent moved successfully.
I:\WINDOWS\tasks\At1.job moved successfully.
I:\WINDOWS\tasks\At10.job moved successfully.
I:\WINDOWS\tasks\At11.job moved successfully.
I:\WINDOWS\tasks\At12.job moved successfully.
I:\WINDOWS\tasks\At13.job moved successfully.
I:\WINDOWS\tasks\At14.job moved successfully.
I:\WINDOWS\tasks\At15.job moved successfully.
I:\WINDOWS\tasks\At16.job moved successfully.
I:\WINDOWS\tasks\At17.job moved successfully.
I:\WINDOWS\tasks\At18.job moved successfully.
I:\WINDOWS\tasks\At19.job moved successfully.
I:\WINDOWS\tasks\At2.job moved successfully.
I:\WINDOWS\tasks\At20.job moved successfully.
I:\WINDOWS\tasks\At21.job moved successfully.
I:\WINDOWS\tasks\At22.job moved successfully.
I:\WINDOWS\tasks\At23.job moved successfully.
I:\WINDOWS\tasks\At24.job moved successfully.
I:\WINDOWS\tasks\At25.job moved successfully.
I:\WINDOWS\tasks\At26.job moved successfully.
I:\WINDOWS\tasks\At27.job moved successfully.
I:\WINDOWS\tasks\At28.job moved successfully.
I:\WINDOWS\tasks\At29.job moved successfully.
I:\WINDOWS\tasks\At3.job moved successfully.
I:\WINDOWS\tasks\At30.job moved successfully.
I:\WINDOWS\tasks\At31.job moved successfully.
I:\WINDOWS\tasks\At32.job moved successfully.
I:\WINDOWS\tasks\At33.job moved successfully.
I:\WINDOWS\tasks\At34.job moved successfully.
I:\WINDOWS\tasks\At35.job moved successfully.
I:\WINDOWS\tasks\At36.job moved successfully.
I:\WINDOWS\tasks\At37.job moved successfully.
I:\WINDOWS\tasks\At38.job moved successfully.
I:\WINDOWS\tasks\At39.job moved successfully.
I:\WINDOWS\tasks\At4.job moved successfully.
I:\WINDOWS\tasks\At40.job moved successfully.
I:\WINDOWS\tasks\At41.job moved successfully.
I:\WINDOWS\tasks\At42.job moved successfully.
I:\WINDOWS\tasks\At43.job moved successfully.
I:\WINDOWS\tasks\At44.job moved successfully.
I:\WINDOWS\tasks\At45.job moved successfully.
I:\WINDOWS\tasks\At46.job moved successfully.
I:\WINDOWS\tasks\At47.job moved successfully.
I:\WINDOWS\tasks\At48.job moved successfully.
I:\WINDOWS\tasks\At5.job moved successfully.
I:\WINDOWS\tasks\At6.job moved successfully.
I:\WINDOWS\tasks\At7.job moved successfully.
I:\WINDOWS\tasks\At8.job moved successfully.
I:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========
File delete failed. I:\DOCUME~1\Gero\LOCALS~1\Temp\Perflib_Perfdata_9fc.dat scheduled to be deleted on reboot.
File delete failed. I:\DOCUME~1\Gero\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. I:\DOCUME~1\Gero\LOCALS~1\Temp\~DFA2B9.tmp scheduled to be deleted on reboot.
File delete failed. I:\DOCUME~1\Gero\LOCALS~1\Temp\~DFA2C7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. I:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. I:\WINDOWS\temp\Perflib_Perfdata_7d8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11082008_12303


Rebooting :)
 
Taking a while for Malwarebytes...post results in an hour or so

thanks so much for your help and expertise
 
Malwarebytes Log info

Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 2

11/8/2008 2:12:51 PM
mbam-log-2008-11-08 (14-12-51).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 161132
Time elapsed: 45 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)
Files Infected:
C:\Misc_Files\Windows Software\Sony Sound Forge v8.0\en.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\fwjmjnej.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\gmjblsmy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\omvpkexs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\pmnkJDSl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\trfwjd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\utevxdpy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\wklhkktj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\xfwnrafi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\yymabmdx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\_cbXrQHbb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\_rvfgst.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Qoobox\Quarantine\I\WINDOWS\system32\_tuvSJCsQ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000071.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000085.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000086.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000091.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000092.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000096.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000097.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000080.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{4585BB87-945B-4BB8-89A5-49C3FCECAB3D}\RP3\A0000098.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\_OTMoveIt\MovedFiles\11082008_123031\windows\system32\_ddcCUonk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\Documents and Settings\Gero\Desktop\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 
Not Sure

What or where to get these:
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Virus Total Results
MalwareBytes Log
A fresh RSIT log ( only one will be produced this time)

new java installed!!

thanks!
 
Got it!

So waht did I manage to get into and how much was my system compromised?

Logfile of random's system information tool 1.04 (written by random/random)
Run by Gero at 2008-11-08 16:53:30
Microsoft Windows XP Professional Service Pack 2
System drive I: has 243 GB (80%) free of 305 GB
Total RAM: 2046 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:32 PM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
I:\Program Files\Norton Ghost\Agent\VProSvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
I:\WINDOWS\Explorer.EXE
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Norton Ghost\Agent\VProTray.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Documents and Settings\Gero\Desktop\RSIT.exe
I:\Program Files\Trend Micro\HijackThis\Gero.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "I:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Energizer FileSaver.lnk = I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: http://www.tdameritrade.com
O15 - Trusted Zone: *.tdameritrade.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.c-b.com/pw/mpsPwLc7.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - I:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9524 bytes

======Scheduled tasks folder======

I:\WINDOWS\tasks\AppleSoftwareUpdate.job
I:\WINDOWS\tasks\Backup.job
I:\WINDOWS\tasks\backupincremental.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - I:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll [2008-05-15 161096]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vptray"=I:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
"Norton Ghost 12.0"=I:\Program Files\Norton Ghost\Agent\VProTray.exe [2008-01-10 2037088]
"ccApp"=I:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
"NvCplDaemon"=I:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"=I:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"ctfmon.exe"=I:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
I:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
I:\Program Files\DNA\btdna.exe [2008-10-12 287040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
I:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell MFP Color Laser Printer 3115cn Launcher]
I:\Program Files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe [2006-12-23 635800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [2006-12-07 340888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
I:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
I:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
I:\Program Files\Dell Printers\paperport\IndexSearch.exe [2006-06-30 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
I:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
I:\WINDOWS\system32\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
I:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
I:\WINDOWS\system32\NvMcTray.dll [2007-12-05 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
I:\Program Files\Dell Printers\paperport\pptd40nt.exe [2006-06-30 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
I:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
I:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
I:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
I:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-03 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3
"Apple Mobile Device"=2
"WZCSVC"=2
"FastUserSwitchingCompatibility"=3
"WMPNetworkSvc"=3
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"Adobe LM Service"=3

I:\Documents and Settings\All Users\Start Menu\Programs\Startup
Energizer FileSaver.lnk - I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
I:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
I:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - I:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - I:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=I:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"I:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="I:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"I:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="I:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"="I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"="I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"I:\Program Files\iTunes\iTunes.exe"="I:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"I:\Program Files\Yahoo!\Messenger\YServer.exe"="I:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"="C:\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\World of Warcraft\WoW-1.12.0-enUS-downloader.exe"="C:\World of Warcraft\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"I:\WINDOWS\Explorer.EXE"="I:\WINDOWS\Explorer.EXE:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\Program Files\Microsoft ActiveSync\rapimgr.exe"="I:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"I:\Program Files\Microsoft ActiveSync\wcescomm.exe"="I:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"I:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="I:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2008-11-08 12:39:04 ----D---- I:\Documents and Settings\Gero\Application Data\Malwarebytes
2008-11-08 12:39:00 ----D---- I:\Program Files\Malwarebytes' Anti-Malware
2008-11-08 12:39:00 ----D---- I:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-08 12:30:31 ----D---- I:\_OTMoveIt
2008-11-08 08:45:20 ----D---- I:\rsit
2008-11-07 17:33:22 ----SHD---- I:\RECYCLER
2008-11-07 15:35:50 ----D---- I:\Program Files\Trend Micro
2008-11-07 15:28:11 ----A---- I:\ComboFix.txt
2008-11-07 15:20:40 ----A---- I:\Boot.bak
2008-11-07 15:20:37 ----RASHD---- I:\cmdcons
2008-11-07 15:19:42 ----D---- I:\ComboFix
2008-11-07 15:01:09 ----A---- I:\WINDOWS\zip.exe
2008-11-07 15:01:09 ----A---- I:\WINDOWS\SWREG.exe
2008-11-07 15:01:09 ----A---- I:\WINDOWS\NIRCMD.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\VFIND.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\SWXCACLS.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\SWSC.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\sed.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\grep.exe
2008-11-07 15:01:08 ----A---- I:\WINDOWS\fdsv.exe
2008-11-07 15:01:04 ----D---- I:\WINDOWS\ERDNT
2008-11-07 15:01:04 ----D---- I:\Qoobox
2008-11-06 21:20:15 ----D---- I:\Program Files\Spybot - Search & Destroy
2008-11-06 21:20:15 ----D---- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 19:34:42 ----D---- I:\WINDOWS\CSC
2008-11-06 19:34:36 ----A---- I:\WINDOWS\ntbtlog.txt
2008-11-06 19:30:54 ----A---- I:\WINDOWS\system32\wuapi.dll.mui
2008-10-28 23:28:43 ----A---- I:\WINDOWS\system32\03a87ab8-.txt
2008-10-25 02:00:19 ----HDC---- I:\WINDOWS\$NtUninstallKB958644$
2008-10-16 02:02:04 ----HDC---- I:\WINDOWS\$NtUninstallKB956803$
2008-10-16 02:01:59 ----HDC---- I:\WINDOWS\$NtUninstallKB956391$
2008-10-16 02:01:55 ----HDC---- I:\WINDOWS\$NtUninstallKB957095$
2008-10-16 02:01:32 ----HDC---- I:\WINDOWS\$NtUninstallKB954211$
2008-10-16 02:01:21 ----HDC---- I:\WINDOWS\$NtUninstallKB956841$
2008-10-14 18:40:42 ----D---- I:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 1 months======

2008-11-08 16:52:32 ----D---- I:\WINDOWS\Temp
2008-11-08 14:39:10 ----D---- I:\WINDOWS\Prefetch
2008-11-08 14:29:40 ----D---- I:\Program Files\Symantec AntiVirus
2008-11-08 14:27:54 ----A---- I:\WINDOWS\SchedLgU.Txt
2008-11-08 12:39:03 ----D---- I:\WINDOWS\system32\drivers
2008-11-08 12:39:00 ----RD---- I:\Program Files
2008-11-08 12:30:33 ----SD---- I:\WINDOWS\Tasks
2008-11-08 12:30:31 ----D---- I:\WINDOWS\system32
2008-11-07 16:59:11 ----D---- I:\WINDOWS
2008-11-07 15:27:43 ----D---- I:\WINDOWS\system32\CatRoot2
2008-11-07 15:25:05 ----A---- I:\WINDOWS\system.ini
2008-11-07 15:22:40 ----D---- I:\WINDOWS\system32\config
2008-11-07 15:21:42 ----D---- I:\WINDOWS\AppPatch
2008-11-07 15:21:42 ----D---- I:\Program Files\Common Files
2008-11-07 15:20:40 ----RASH---- I:\boot.ini
2008-11-07 15:01:08 ----SHD---- I:\System Volume Information
2008-11-07 15:01:08 ----D---- I:\WINDOWS\system32\Restore
2008-11-07 00:59:30 ----A---- I:\WINDOWS\NeroDigital.ini
2008-11-07 00:22:57 ----RSHDC---- I:\WINDOWS\system32\dllcache
2008-11-07 00:11:03 ----A---- I:\WINDOWS\win.ini
2008-11-06 19:30:58 ----HD---- I:\WINDOWS\inf
2008-11-06 19:30:58 ----D---- I:\WINDOWS\Help
2008-11-06 02:00:39 ----D---- I:\WINDOWS\Registration
2008-11-02 12:29:29 ----A---- I:\WINDOWS\system32\PerfStringBackup.INI
2008-10-28 23:11:01 ----SHD---- I:\WINDOWS\Installer
2008-10-28 23:10:54 ----D---- I:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-25 02:00:25 ----A---- I:\WINDOWS\imsins.BAK
2008-10-25 02:00:16 ----HD---- I:\WINDOWS\$hf_mig$
2008-10-16 14:13:40 ----A---- I:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- I:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- I:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- I:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- I:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- I:\WINDOWS\system32\wups.dll
2008-10-16 14:07:14 ----A---- I:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 02:07:59 ----D---- I:\Program Files\Internet Explorer
2008-10-15 11:57:55 ----A---- I:\WINDOWS\system32\netapi32.dll
2008-10-12 21:27:32 ----D---- I:\WINDOWS\pss

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; I:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 eeCtrl;Symantec Eraser Control driver; \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SAVRT;SAVRT; \??\I:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\I:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; I:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
R2 Aspi32;Aspi32; I:\WINDOWS\System32\drivers\aspi32.sys [2004-07-16 16512]
R2 v2imount;Symantec V2i Mount Driver; I:\WINDOWS\system32\DRIVERS\v2imount.sys [2007-03-28 37864]
R3 AgereSoftModem;Agere Systems Soft Modem; I:\WINDOWS\system32\DRIVERS\AGRSM.sys [2007-10-30 1201632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; I:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hidusb;Microsoft HID Class Driver; I:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 NAVENG;NAVENG; \??\I:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081107.008\naveng.sys []
R3 NAVEX15;NAVEX15; \??\I:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081107.008\navex15.sys []
R3 nv;nv; I:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 Passthru;Service; I:\WINDOWS\system32\DRIVERS\ndisio.sys [2008-11-08 99584]
R3 SymEvent;SymEvent; \??\I:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbaudio;USB Audio Driver (WDM); I:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
R3 usbccgp;Microsoft USB Generic Parent Driver; I:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; I:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; I:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; I:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; I:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; I:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbstor;USB Mass Storage Driver; I:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; I:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\I:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 SYMREDRV;SYMREDRV; I:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
S3 usb_rndisx;USB RNDIS Adapter; I:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-20 12800]
S3 VProEventMonitor;Symantec Event Monitor Driver; I:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys [2007-07-31 14072]
S3 wceusbsh;Windows CE USB Serial Host Driver; I:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WimFltr;WimFltr; I:\WINDOWS\system32\DRIVERS\wimfltr.sys [2007-03-28 128104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; I:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; I:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; I:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-06-08 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 ccEvtMgr;Symantec Event Manager; I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
R2 ccSetMgr;Symantec Settings Manager; I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
R2 DefWatch;Symantec AntiVirus Definition Watcher; I:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
R2 DLPWD;Dell Printer Status Watcher; I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [2006-12-07 95128]
R2 DLSDB;Dell Printer Status Database; I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 Norton Ghost;Norton Ghost; I:\Program Files\Norton Ghost\Agent\VProSvc.exe [2008-01-10 3372384]
R2 NVSvc;NVIDIA Display Driver Service; I:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 SPBBCSvc;Symantec SPBBCSvc; I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
R2 Symantec AntiVirus;Symantec AntiVirus; I:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
S3 Adobe LM Service;Adobe LM Service; I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-01-29 69632]
S3 aspnet_state;ASP.NET State Service; I:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 Bonjour Service;Bonjour Service; I:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; I:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; i:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; I:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 SavRoam;SAVRoam; I:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 SNDSrvc;Symantec Network Drivers Service; I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; I:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 Apple Mobile Device;Apple Mobile Device; I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
S4 iPod Service;iPod Service; I:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; I:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; I:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 odserv;Microsoft Office Diagnostics Service; I:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S4 ose;Office Source Engine; I:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; I:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
 
You got hit by Vundo, a run of the mill advertising infection. Nothing dramatic to worry about :)
Let's make sure we got it all.

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
 
Kaspersky

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 08, 2008 23:15:42
Records in database: 1375848
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Y:\

Scan statistics:
Files scanned: 120559
Threat name: 8
Infected objects: 24
Suspicious objects: 4
Duration of the scan: 04:29:07


File name / Threat name / Threats count
C:\Gerie's Backup\backup0405.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Gerie's Backup\Gerie Gilbert\My Documents\backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Gerie's Backup\Gerie Gilbert\My Documents\backup.pst Infected: Trojan-Spy.HTML.Bayfraud.hh 1
C:\Misc_Files\Windows Software\SolarWinds-TFTP-Server.exe Infected: not-a-virus:Server-FTP.Win32.PremierServer.Tftp.503 1
C:\RECYCLER\S-1-5-21-2025429265-1770027372-725345543-1003\Dd6.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 3
C:\RECYCLER\S-1-5-21-2025429265-1770027372-725345543-1003\Dd6.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 5
C:\RECYCLER\S-1-5-21-854245398-2111687655-725345543-1004\Dd8.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 3
C:\RECYCLER\S-1-5-21-854245398-2111687655-725345543-1004\Dd8.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 5
I:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D880000\4D8E1769.VBN Infected: Trojan.Win32.Agent.aljf 1
I:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D880001\4D8E4FCD.VBN Infected: Trojan.Win32.Agent.aljf 1
I:\Documents and Settings\Gero\Desktop\Outlook Backups\backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
I:\Documents and Settings\Gero\Desktop\Outlook Backups\backup.pst Infected: Trojan-Spy.HTML.Bayfraud.hh 1
I:\Documents and Settings\Gero\Desktop\Outlook Backups\backup0405.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
I:\WINDOWS\system32\drivers\ndisio.sys Infected: Rootkit.Win32.Agent.eqo 1
I:\_OTMoveIt\MovedFiles\11082008_123031\documents and settings\Gero\bvxmg.exe Infected: Trojan-PSW.Win32.Agent.kyh 1
I:\_OTMoveIt\MovedFiles\11082008_123031\windows\system32\drivers\ndisio.sys Infected: Rootkit.Win32.Agent.eqo 1

The selected area was scanned.
 
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
  • Please visit this webpage for instructions on using ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
 
more!

I did not fix anything with HJT

ComboFix 08-11-07.01 - Gero 2008-11-09 15:12:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1504 [GMT -5:00]
Running from: i:\documents and settings\Gero\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-09 14:00 . 2008-09-17 23:55 201,050 --a------ i:\windows\system32\nvapps.nvb
2008-11-08 19:37 . 2008-11-08 22:56 <DIR> d-------- i:\documents and settings\Gero\Application Data\BitTorrent
2008-11-08 19:22 . 2008-11-08 19:22 410,976 --a------ i:\windows\system32\deploytk.dll
2008-11-08 16:59 . 2008-11-08 19:21 <DIR> d-------- i:\documents and settings\Gero\.SunDownloadManager
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\documents and settings\Gero\Application Data\Malwarebytes
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-08 12:39 . 2008-10-22 16:10 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-11-08 12:39 . 2008-10-22 16:10 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-11-08 12:30 . 2008-11-08 12:30 <DIR> d-------- I:\_OTMoveIt
2008-11-08 08:45 . 2008-11-08 08:45 <DIR> d-------- I:\rsit
2008-11-07 15:35 . 2008-11-07 15:35 <DIR> d-------- i:\program files\Trend Micro
2008-11-06 22:16 . 2008-11-07 00:16 <DIR> d-------- i:\documents and settings\Gero\I386
2008-11-06 21:20 . 2008-11-06 21:40 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2008-11-06 21:20 . 2008-11-06 22:07 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 21:13 . 2001-08-23 15:00 11,037 --a------ i:\windows\system32\RUNDLL32.EX_
2008-11-06 19:30 . 2008-10-16 14:07 23,576 --a------ i:\windows\system32\wuapi.dll.mui
2008-11-01 12:17 . 2001-08-17 14:56 66,048 --a--c--- i:\windows\system32\dllcache\s3legacy.dll
2008-10-14 18:40 . 2008-10-14 18:40 <DIR> d-------- i:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 20:12 --------- d-----w i:\program files\Symantec AntiVirus
2008-11-09 00:21 --------- d-----w i:\program files\Java
2008-11-08 17:30 99,584 ----a-w i:\windows\system32\drivers\ndisio.sys
2008-10-29 04:10 --------- d-----w i:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-16 19:13 1,809,944 ----a-w i:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w i:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w i:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w i:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w i:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w i:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w i:\windows\system32\wups.dll
2008-10-06 23:25 --------- d-----w i:\program files\Common Files\Blizzard Entertainment
2008-10-03 05:29 --------- d-----w i:\program files\iTunes
2008-10-03 05:29 --------- d-----w i:\program files\iPod
2008-10-03 05:29 --------- d-----w i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 05:28 --------- d-----w i:\program files\QuickTime
2008-10-03 05:28 --------- d-----w i:\program files\Common Files\Apple
2008-10-03 05:28 --------- d-----w i:\program files\Bonjour
2008-10-03 05:27 --------- d-----w i:\program files\Apple Software Update
2008-09-15 11:57 1,846,016 ----a-w i:\windows\system32\win32k.sys
2008-09-09 23:24 --------- d-----w i:\program files\DivX
2008-09-09 00:54 --------- d-----w i:\program files\WinISO
2008-08-29 14:18 87,336 ----a-w i:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w i:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w i:\windows\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w i:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w i:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-07_15.27.51.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-31 18:17:40 54,824 ----a-w i:\windows\agrsmdel.exe
+ 2008-03-28 22:53:20 54,824 ----a-w i:\windows\agrsmdel.exe
- 2007-08-18 00:09:34 13,312 ----a-w i:\windows\system32\agrscoin.dll
+ 2007-12-11 21:40:56 13,312 ----a-w i:\windows\system32\agrscoin.dll
- 2007-09-26 23:24:42 12,800 ----a-w i:\windows\system32\agrsmsvc.exe
+ 2008-03-18 21:27:12 13,312 ----a-w i:\windows\system32\agrsmsvc.exe
- 2008-01-29 17:43:35 3,964,256 -c--a-w i:\windows\system32\dllcache\nv4_mini.sys
+ 2008-09-18 04:55:00 6,132,576 -c--a-w i:\windows\system32\dllcache\nv4_mini.sys
- 2007-10-31 00:54:04 1,201,632 ----a-w i:\windows\system32\drivers\AGRSM.sys
+ 2008-03-21 21:13:00 1,203,776 ----a-w i:\windows\system32\drivers\AGRSM.sys
- 2007-12-05 06:41:00 7,435,392 ----a-w i:\windows\system32\drivers\nv4_mini.sys
+ 2008-09-18 04:55:00 6,132,576 ----a-w i:\windows\system32\drivers\nv4_mini.sys
- 2008-02-22 05:23:35 135,168 ----a-w i:\windows\system32\java.exe
+ 2008-11-09 00:22:00 144,792 ----a-w i:\windows\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w i:\windows\system32\javaw.exe
+ 2008-11-09 00:22:00 144,792 ----a-w i:\windows\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w i:\windows\system32\javaws.exe
+ 2008-11-09 00:22:00 148,888 ----a-w i:\windows\system32\javaws.exe
- 2007-12-05 06:41:00 425,984 ----a-w i:\windows\system32\keystone.exe
+ 2008-09-18 04:55:00 436,768 ----a-w i:\windows\system32\keystone.exe
- 2007-12-05 06:41:00 5,773,568 ----a-w i:\windows\system32\nv4_disp.dll
+ 2008-09-18 04:55:00 6,057,472 ----a-w i:\windows\system32\nv4_disp.dll
- 2007-12-05 06:41:00 385,024 ----a-w i:\windows\system32\nvapi.dll
+ 2008-09-18 04:55:00 475,136 ----a-w i:\windows\system32\nvapi.dll
- 2007-12-05 06:41:00 442,368 ----a-w i:\windows\system32\nvappbar.exe
+ 2008-09-18 04:55:00 449,056 ----a-w i:\windows\system32\nvappbar.exe
- 2007-12-05 06:41:00 35,328 ----a-w i:\windows\system32\nvcod.dll
+ 2008-09-18 04:55:00 122,880 ----a-w i:\windows\system32\nvcod.dll
- 2007-12-05 06:41:00 35,328 ----a-w i:\windows\system32\nvcodins.dll
+ 2008-09-18 04:55:00 122,880 ----a-w i:\windows\system32\nvcodins.dll
- 2007-12-05 06:41:00 147,456 ----a-w i:\windows\system32\nvcolor.exe
+ 2008-09-18 04:55:00 143,360 ----a-w i:\windows\system32\nvcolor.exe
- 2007-12-05 06:41:00 8,523,776 ----a-w i:\windows\system32\nvcpl.dll
+ 2008-09-18 04:55:00 13,574,144 ----a-w i:\windows\system32\nvcpl.dll
- 2007-12-05 06:41:00 753,664 ----a-w i:\windows\system32\nvcplui.exe
+ 2008-09-18 04:55:00 797,216 ----a-w i:\windows\system32\nvcplui.exe
+ 2008-09-18 04:55:00 1,108,512 ----a-w i:\windows\system32\nvcpluir.dll
- 2007-12-05 06:41:00 1,089,536 ----a-w i:\windows\system32\nvcuda.dll
+ 2008-09-18 04:55:00 1,368,064 ----a-w i:\windows\system32\nvcuda.dll
- 2007-12-05 06:41:00 6,549,504 ----a-w i:\windows\system32\nvdisps.dll
+ 2008-09-18 04:55:00 3,989,504 ----a-w i:\windows\system32\nvdisps.dll
- 2008-01-29 17:42:30 5,255,168 ----a-w i:\windows\system32\nvdispsr.dll
+ 2008-09-18 04:55:00 5,799,936 ----a-w i:\windows\system32\nvdispsr.dll
- 2007-12-05 06:41:00 1,339,392 ----a-w i:\windows\system32\nvdspsch.exe
+ 2008-09-18 04:55:00 1,346,080 ----a-w i:\windows\system32\nvdspsch.exe
- 2007-12-05 06:41:00 3,420,160 ----a-w i:\windows\system32\nvgames.dll
+ 2008-09-18 04:55:00 3,444,736 ----a-w i:\windows\system32\nvgames.dll
- 2008-01-29 17:42:59 2,932,736 ----a-w i:\windows\system32\nvgamesr.dll
+ 2008-09-18 04:55:00 3,457,024 ----a-w i:\windows\system32\nvgamesr.dll
- 2007-12-05 06:41:00 1,474,560 ----a-w i:\windows\system32\nview.dll
+ 2008-09-18 04:55:00 1,503,232 ----a-w i:\windows\system32\nview.dll
- 2007-12-05 06:41:00 229,376 ----a-w i:\windows\system32\nvmccs.dll
+ 2008-09-18 04:55:00 229,376 ----a-w i:\windows\system32\nvmccs.dll
- 2007-12-05 06:41:00 45,056 ----a-w i:\windows\system32\nvmccsrs.dll
+ 2008-09-18 04:55:00 45,056 ----a-w i:\windows\system32\nvmccsrs.dll
- 2007-12-05 06:41:00 188,416 ----a-w i:\windows\system32\nvmccss.dll
+ 2008-09-18 04:55:00 188,416 ----a-w i:\windows\system32\nvmccss.dll
- 2008-01-29 17:42:52 458,752 ----a-w i:\windows\system32\nvmccssr.dll
+ 2008-09-18 04:55:00 458,752 ----a-w i:\windows\system32\nvmccssr.dll
- 2007-12-05 06:41:00 81,920 ----a-w i:\windows\system32\nvmctray.dll
+ 2008-09-18 04:55:00 86,016 ----a-w i:\windows\system32\nvmctray.dll
- 2007-12-05 06:41:00 1,228,800 ----a-w i:\windows\system32\nvmobls.dll
+ 2008-09-18 04:55:00 1,257,472 ----a-w i:\windows\system32\nvmobls.dll
- 2008-01-29 17:44:09 2,859,008 ----a-w i:\windows\system32\nvmoblsr.dll
+ 2008-09-18 04:55:00 2,854,912 ----a-w i:\windows\system32\nvmoblsr.dll
- 2007-12-05 06:41:00 286,720 ----a-w i:\windows\system32\nvnt4cpl.dll
+ 2008-09-18 04:55:00 286,720 ----a-w i:\windows\system32\nvnt4cpl.dll
- 2007-12-05 06:41:00 6,901,760 ----a-w i:\windows\system32\nvoglnt.dll
+ 2008-09-18 04:55:00 8,826,880 ----a-w i:\windows\system32\nvoglnt.dll
+ 2008-09-18 04:55:00 331,776 ----a-w i:\windows\system32\nvrsar.dll
+ 2008-09-18 04:55:00 245,760 ----a-w i:\windows\system32\nvrscs.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrsda.dll
+ 2008-09-18 04:55:00 278,528 ----a-w i:\windows\system32\nvrsde.dll
+ 2008-09-18 04:55:00 282,624 ----a-w i:\windows\system32\nvrsel.dll
+ 2008-09-18 04:55:00 245,760 ----a-w i:\windows\system32\nvrseng.dll
+ 2008-09-18 04:55:00 282,624 ----a-w i:\windows\system32\nvrses.dll
+ 2008-09-18 04:55:00 274,432 ----a-w i:\windows\system32\nvrsesm.dll
+ 2008-09-18 04:55:00 249,856 ----a-w i:\windows\system32\nvrsfi.dll
+ 2008-09-18 04:55:00 282,624 ----a-w i:\windows\system32\nvrsfr.dll
+ 2008-09-18 04:55:00 331,776 ----a-w i:\windows\system32\nvrshe.dll
+ 2008-09-18 04:55:00 258,048 ----a-w i:\windows\system32\nvrshu.dll
+ 2008-09-18 04:55:00 278,528 ----a-w i:\windows\system32\nvrsit.dll
+ 2008-09-18 04:55:00 270,336 ----a-w i:\windows\system32\nvrsja.dll
+ 2008-09-18 04:55:00 262,144 ----a-w i:\windows\system32\nvrsko.dll
+ 2008-09-18 04:55:00 274,432 ----a-w i:\windows\system32\nvrsnl.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrsno.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrspl.dll
+ 2008-09-18 04:55:00 270,336 ----a-w i:\windows\system32\nvrspt.dll
+ 2008-09-18 04:55:00 266,240 ----a-w i:\windows\system32\nvrsptb.dll
+ 2008-09-18 04:55:00 266,240 ----a-w i:\windows\system32\nvrsru.dll
+ 2008-09-18 04:55:00 258,048 ----a-w i:\windows\system32\nvrssk.dll
+ 2008-09-18 04:55:00 258,048 ----a-w i:\windows\system32\nvrssl.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrssv.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrsth.dll
+ 2008-09-18 04:55:00 253,952 ----a-w i:\windows\system32\nvrstr.dll
+ 2008-09-18 04:55:00 225,280 ----a-w i:\windows\system32\nvrszhc.dll
+ 2008-09-18 04:55:00 122,880 ----a-w i:\windows\system32\nvrszht.dll
- 2007-12-05 06:41:00 466,944 ----a-w i:\windows\system32\nvshell.dll
+ 2008-09-18 04:55:00 466,944 ----a-w i:\windows\system32\nvshell.dll
- 2007-12-05 06:41:00 155,716 ----a-w i:\windows\system32\nvsvc32.exe
+ 2008-09-18 04:55:00 163,908 ----a-w i:\windows\system32\nvsvc32.exe
- 2007-12-05 06:41:00 356,352 ----a-w i:\windows\system32\nvudisp.exe
+ 2008-09-18 04:55:00 453,152 ----a-w i:\windows\system32\nvudisp.exe
- 2007-12-05 07:53:08 356,352 ----a-w i:\windows\system32\NVUNINST.EXE
+ 2008-09-18 04:55:00 453,152 ----a-w i:\windows\system32\NVUNINST.EXE
- 2007-12-05 06:41:00 3,710,976 ----a-w i:\windows\system32\nvvitvs.dll
+ 2008-09-18 04:55:00 3,764,224 ----a-w i:\windows\system32\nvvitvs.dll
- 2008-01-29 17:44:06 2,969,600 ----a-w i:\windows\system32\nvvitvsr.dll
+ 2008-09-18 04:55:00 4,149,248 ----a-w i:\windows\system32\nvvitvsr.dll
- 2007-12-05 06:41:00 81,920 ----a-w i:\windows\system32\nvwddi.dll
+ 2008-09-18 04:55:00 81,920 ----a-w i:\windows\system32\nvwddi.dll
- 2007-12-05 06:41:00 1,703,936 ----a-w i:\windows\system32\nvwdmcpl.dll
+ 2008-09-18 04:55:00 1,724,416 ----a-w i:\windows\system32\nvwdmcpl.dll
- 2007-12-05 06:41:00 1,019,904 ----a-w i:\windows\system32\nvwimg.dll
+ 2008-09-18 04:55:00 1,101,824 ----a-w i:\windows\system32\nvwimg.dll
+ 2008-09-18 04:55:00 282,624 ----a-w i:\windows\system32\nvwrsar.dll
+ 2008-09-18 04:55:00 286,720 ----a-w i:\windows\system32\nvwrscs.dll
+ 2008-09-18 04:55:00 294,912 ----a-w i:\windows\system32\nvwrsda.dll
+ 2008-09-18 04:55:00 311,296 ----a-w i:\windows\system32\nvwrsde.dll
+ 2008-09-18 04:55:00 335,872 ----a-w i:\windows\system32\nvwrsel.dll
+ 2008-09-18 04:55:00 286,720 ----a-w i:\windows\system32\nvwrseng.dll
+ 2008-09-18 04:55:00 335,872 ----a-w i:\windows\system32\nvwrses.dll
+ 2008-09-18 04:55:00 327,680 ----a-w i:\windows\system32\nvwrsesm.dll
+ 2008-09-18 04:55:00 303,104 ----a-w i:\windows\system32\nvwrsfi.dll
+ 2008-09-18 04:55:00 327,680 ----a-w i:\windows\system32\nvwrsfr.dll
+ 2008-09-18 04:55:00 278,528 ----a-w i:\windows\system32\nvwrshe.dll
+ 2008-09-18 04:55:00 315,392 ----a-w i:\windows\system32\nvwrshu.dll
+ 2008-09-18 04:55:00 323,584 ----a-w i:\windows\system32\nvwrsit.dll
+ 2008-09-18 04:55:00 212,992 ----a-w i:\windows\system32\nvwrsja.dll
+ 2008-09-18 04:55:00 196,608 ----a-w i:\windows\system32\nvwrsko.dll
+ 2008-09-18 04:55:00 319,488 ----a-w i:\windows\system32\nvwrsnl.dll
+ 2008-09-18 04:55:00 299,008 ----a-w i:\windows\system32\nvwrsno.dll
+ 2008-09-18 04:55:00 294,912 ----a-w i:\windows\system32\nvwrspl.dll
+ 2008-09-18 04:55:00 323,584 ----a-w i:\windows\system32\nvwrspt.dll
+ 2008-09-18 04:55:00 319,488 ----a-w i:\windows\system32\nvwrsptb.dll
+ 2008-09-18 04:55:00 315,392 ----a-w i:\windows\system32\nvwrsru.dll
+ 2008-09-18 04:55:00 299,008 ----a-w i:\windows\system32\nvwrssk.dll
+ 2008-09-18 04:55:00 303,104 ----a-w i:\windows\system32\nvwrssl.dll
+ 2008-09-18 04:55:00 294,912 ----a-w i:\windows\system32\nvwrssv.dll
+ 2008-09-18 04:55:00 290,816 ----a-w i:\windows\system32\nvwrsth.dll
+ 2008-09-18 04:55:00 303,104 ----a-w i:\windows\system32\nvwrstr.dll
+ 2008-09-18 04:55:00 163,840 ----a-w i:\windows\system32\nvwrszhc.dll
+ 2008-09-18 04:55:00 167,936 ----a-w i:\windows\system32\nvwrszht.dll
- 2007-12-05 06:41:00 2,498,560 ----a-w i:\windows\system32\nvwss.dll
+ 2008-09-18 04:55:00 2,686,976 ----a-w i:\windows\system32\nvwss.dll
+ 2008-09-18 04:55:00 2,981,888 ----a-w i:\windows\system32\nvwssr.dll
- 2007-12-05 06:41:00 1,626,112 ----a-w i:\windows\system32\nwiz.exe
+ 2008-09-18 04:55:00 1,657,376 ----a-w i:\windows\system32\nwiz.exe
+ 2007-08-18 00:09:34 13,312 ----a-w i:\windows\system32\ReinstallBackups\0005\DriverFiles\agrscoin.dll
+ 2007-10-31 00:54:04 1,201,632 ----a-w i:\windows\system32\ReinstallBackups\0005\DriverFiles\AGRSM.sys
+ 2007-10-31 18:17:40 54,824 ----a-w i:\windows\system32\ReinstallBackups\0005\DriverFiles\agrsmdel.exe
+ 2007-09-26 23:24:42 12,800 ----a-w i:\windows\system32\ReinstallBackups\0005\DriverFiles\agrsmsvc.exe
+ 2007-12-05 06:41:00 5,773,568 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nv4_disp.dll
+ 2007-12-05 06:41:00 7,435,392 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nv4_mini.sys
+ 2007-12-05 06:41:00 385,024 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvapi.dll
+ 2007-12-05 06:41:00 35,328 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvcod.dll
+ 2007-12-05 06:41:00 8,523,776 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvcpl.dll
+ 2007-12-05 06:41:00 1,089,536 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvcuda.dll
+ 2007-12-05 06:41:00 6,549,504 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvdisps.dll
+ 2007-12-05 06:41:00 3,420,160 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvgames.dll
+ 2007-12-05 06:41:00 229,376 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvmccs.dll
+ 2007-12-05 06:41:00 188,416 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvmccss.dll
+ 2007-12-05 06:41:00 81,920 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvmctray.dll
+ 2007-12-05 06:41:00 1,228,800 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvmobls.dll
+ 2007-12-05 06:41:00 286,720 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvnt4cpl.dll
+ 2007-12-05 06:41:00 6,901,760 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvoglnt.dll
+ 2007-12-05 06:41:00 155,716 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvsvc32.exe
+ 2007-12-05 06:41:00 3,710,976 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvvitvs.dll
+ 2007-12-05 06:41:00 81,920 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvwddi.dll
+ 2007-12-05 06:41:00 2,498,560 ----a-w i:\windows\system32\ReinstallBackups\0006\DriverFiles\nvwss.dll
+ 2008-11-09 19:28:54 16,384 ----atw i:\windows\Temp\Perflib_Perfdata_3d8.dat
+ 2008-11-09 19:28:54 16,384 ----atw i:\windows\Temp\Perflib_Perfdata_3e4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="i:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="i:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Norton Ghost 12.0"="i:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 2037088]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-11-08 136600]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 i:\windows\system32\nwiz.exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Energizer FileSaver.lnk - i:\program files\Energizer FileSaver\Energizer FileSaver.exe [2003-02-19 976896]

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=i:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 i:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-10-12 21:22 287040 i:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell MFP Color Laser Printer 3115cn Launcher]
--a------ 2006-12-23 14:38 635800 i:\program files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2006-12-07 16:52 340888 i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 i:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 i:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-06-30 18:08 40960 i:\program files\Dell Printers\paperport\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 i:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 i:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-09-17 23:55 13574144 i:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-17 23:55 86016 i:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-06-30 18:08 36864 i:\program files\Dell Printers\paperport\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 i:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 i:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--------- 2003-10-14 10:22 155648 i:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 i:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 i:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-09-17 23:55 1657376 i:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WZCSVC"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\program files\Microsoft ActiveSync\rapimgr.exe"= i:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"i:\program files\Microsoft ActiveSync\wcescomm.exe"= i:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"i:\program files\Microsoft ActiveSync\WCESMgr.exe"= i:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"i:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"8086:TCP"= 8086:TCP:Blizzard
"9081:TCP"= 9081:TCP:Blizzard
"9090:TCP"= 9090:TCP:Blizzard
"9097:TCP"= 9097:TCP:Blizzard
"9100:TCP"= 9100:TCP:Blizzard

R2 DLSDB;Dell Printer Status Database;i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 JavaQuickStarterService;Java Quick Starter;i:\program files\Java\jre6\bin\jqs.exe [2008-11-08 152984]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-03 i:\windows\Tasks\Backup.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]

2008-11-09 i:\windows\Tasks\backupincremental.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://drudgereport.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Convert link target to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 -: Trusted Zone: *.tdameritrade.com
O17 -: HKLM\CCS\Interface\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187

O16 -: {2FE68711-8830-417D-95E0-EAB307DB0447} - hxxps://prolog.c-b.com/pw/mpsPwLc7.CAB
i:\windows\Downloaded Program Files\mpsPwLc6.inf
i:\windows\system32\msvbvm60.dll
i:\windows\system32\oleaut32.dll
i:\windows\system32\olepro32.dll
i:\windows\system32\asycfilt.dll
i:\windows\system32\stdole2.tlb
i:\windows\system32\comcat.dll
i:\windows\Downloaded Program Files\mpsPwLc7.ocx

O16 -: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
i:\windows\Downloaded Program Files\mapviewer.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 15:14:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 15:14:31
ComboFix-quarantined-files.txt 2008-11-09 20:14:29
ComboFix2.txt 2008-11-07 20:28:11

Pre-Run: 254,401,060,864 bytes free
Post-Run: 254,493,876,224 bytes free

390 --- E O F --- 2008-10-29 02:14:49


AND HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:38 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\agrsmsvc.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Symantec AntiVirus\DefWatch.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Norton Ghost\Agent\VProSvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Symantec AntiVirus\Rtvscan.exe
I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\Program Files\Norton Ghost\Agent\VProTray.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\WINDOWS\system32\RUNDLL32.EXE
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
I:\PROGRA~1\MI3AA1~1\rapimgr.exe
I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
I:\WINDOWS\explorer.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - I:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "I:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Energizer FileSaver.lnk = I:\Program Files\Energizer FileSaver\Energizer FileSaver.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - I:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: http://www.tdameritrade.com
O15 - Trusted Zone: *.tdameritrade.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.c-b.com/pw/mpsPwLc7.CAB
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE825216-61D2-4E6A-825A-EE7EFD2B9B74}: NameServer = 207.69.188.186,207.69.188.187
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - I:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - I:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - I:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - I:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Program Files\Symantec AntiVirus\Rtvscan.exe

\

I cant thank you enough for helping me work through this!
 
Something has recreated one of the files we deleted ???

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    http://forums.spybot.info/showthread.php?p=251206#post251206
Comment:: Katana. File being recreated
Collect::[4]
i:\windows\system32\drivers\ndisio.sys

Folder::
i:\program files\Java\jre1.6.0_05
i:\program files\DNA
i:\documents and settings\Gero\Application Data\BitTorrent

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"i:\Program Files\BitTorrent\bittorrent.exe"=-
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
 
Well Darn

That is frustrating..I know you are ready to be done with me!


ComboFix 08-11-07.01 - Gero 2008-11-09 16:49:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1468 [GMT -5:00]
Running from: i:\documents and settings\Gero\Desktop\ComboFix.exe
Command switches used :: i:\documents and settings\Gero\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\documents and settings\Gero\Application Data\BitTorrent
i:\documents and settings\Gero\Application Data\BitTorrent\dht.dat
i:\documents and settings\Gero\Application Data\BitTorrent\Machine_Head-The_Blackening-(Limited_Edition)-2007-FTM.torrent
i:\documents and settings\Gero\Application Data\BitTorrent\resume.dat
i:\documents and settings\Gero\Application Data\BitTorrent\resume.dat.old
i:\documents and settings\Gero\Application Data\BitTorrent\settings.dat
i:\documents and settings\Gero\Application Data\BitTorrent\settings.dat.old
i:\program files\DNA
i:\program files\DNA\btdna.exe
i:\program files\DNA\DNAcpl.cpl
i:\program files\DNA\plugins\npbtdna.dll
i:\program files\Java\jre1.6.0_05
i:\program files\Java\jre1.6.0_05\bin\awt.dll
i:\program files\Java\jre1.6.0_05\bin\axbridge.dll
i:\program files\Java\jre1.6.0_05\bin\client\classes.jsa
i:\program files\Java\jre1.6.0_05\bin\client\jvm.dll
i:\program files\Java\jre1.6.0_05\bin\client\Xusage.txt
i:\program files\Java\jre1.6.0_05\bin\cmm.dll
i:\program files\Java\jre1.6.0_05\bin\dcpr.dll
i:\program files\Java\jre1.6.0_05\bin\deploy.dll
i:\program files\Java\jre1.6.0_05\bin\dt_shmem.dll
i:\program files\Java\jre1.6.0_05\bin\dt_socket.dll
i:\program files\Java\jre1.6.0_05\bin\fontmanager.dll
i:\program files\Java\jre1.6.0_05\bin\hpi.dll
i:\program files\Java\jre1.6.0_05\bin\hprof.dll
i:\program files\Java\jre1.6.0_05\bin\instrument.dll
i:\program files\Java\jre1.6.0_05\bin\ioser12.dll
i:\program files\Java\jre1.6.0_05\bin\j2pcsc.dll
i:\program files\Java\jre1.6.0_05\bin\j2pkcs11.dll
i:\program files\Java\jre1.6.0_05\bin\jaas_nt.dll
i:\program files\Java\jre1.6.0_05\bin\java-rmi.exe
i:\program files\Java\jre1.6.0_05\bin\java.dll
i:\program files\Java\jre1.6.0_05\bin\java.exe
i:\program files\Java\jre1.6.0_05\bin\java_crw_demo.dll
i:\program files\Java\jre1.6.0_05\bin\javacpl.cpl
i:\program files\Java\jre1.6.0_05\bin\javacpl.exe
i:\program files\Java\jre1.6.0_05\bin\javaw.exe
i:\program files\Java\jre1.6.0_05\bin\javaws.exe
i:\program files\Java\jre1.6.0_05\bin\jawt.dll
i:\program files\Java\jre1.6.0_05\bin\JdbcOdbc.dll
i:\program files\Java\jre1.6.0_05\bin\jdwp.dll
i:\program files\Java\jre1.6.0_05\bin\jli.dll
i:\program files\Java\jre1.6.0_05\bin\jpeg.dll
i:\program files\Java\jre1.6.0_05\bin\jpicom.dll
i:\program files\Java\jre1.6.0_05\bin\jpiexp.dll
i:\program files\Java\jre1.6.0_05\bin\jpinscp.dll
i:\program files\Java\jre1.6.0_05\bin\jpioji.dll
i:\program files\Java\jre1.6.0_05\bin\jpishare.dll
i:\program files\Java\jre1.6.0_05\bin\jsound.dll
i:\program files\Java\jre1.6.0_05\bin\jsoundds.dll
i:\program files\Java\jre1.6.0_05\bin\jucheck.exe
i:\program files\Java\jre1.6.0_05\bin\jureg.exe
i:\program files\Java\jre1.6.0_05\bin\jusched.exe
i:\program files\Java\jre1.6.0_05\bin\keytool.exe
i:\program files\Java\jre1.6.0_05\bin\kinit.exe
i:\program files\Java\jre1.6.0_05\bin\klist.exe
i:\program files\Java\jre1.6.0_05\bin\ktab.exe
i:\program files\Java\jre1.6.0_05\bin\management.dll
i:\program files\Java\jre1.6.0_05\bin\mlib_image.dll
i:\program files\Java\jre1.6.0_05\bin\msvcr71.dll
i:\program files\Java\jre1.6.0_05\bin\net.dll
i:\program files\Java\jre1.6.0_05\bin\nio.dll
i:\program files\Java\jre1.6.0_05\bin\npjava11.dll
i:\program files\Java\jre1.6.0_05\bin\npjava12.dll
i:\program files\Java\jre1.6.0_05\bin\npjava13.dll
i:\program files\Java\jre1.6.0_05\bin\npjava14.dll
i:\program files\Java\jre1.6.0_05\bin\npjava32.dll
i:\program files\Java\jre1.6.0_05\bin\npjpi160_05.dll
i:\program files\Java\jre1.6.0_05\bin\npoji610.dll
i:\program files\Java\jre1.6.0_05\bin\npt.dll
i:\program files\Java\jre1.6.0_05\bin\orbd.exe
i:\program files\Java\jre1.6.0_05\bin\pack200.exe
i:\program files\Java\jre1.6.0_05\bin\policytool.exe
i:\program files\Java\jre1.6.0_05\bin\regutils.dll
i:\program files\Java\jre1.6.0_05\bin\rmi.dll
i:\program files\Java\jre1.6.0_05\bin\rmid.exe
i:\program files\Java\jre1.6.0_05\bin\rmiregistry.exe
i:\program files\Java\jre1.6.0_05\bin\servertool.exe
i:\program files\Java\jre1.6.0_05\bin\splashscreen.dll
i:\program files\Java\jre1.6.0_05\bin\ssv.dll
i:\program files\Java\jre1.6.0_05\bin\sunmscapi.dll
i:\program files\Java\jre1.6.0_05\bin\tnameserv.exe
i:\program files\Java\jre1.6.0_05\bin\unpack.dll
i:\program files\Java\jre1.6.0_05\bin\unpack200.exe
i:\program files\Java\jre1.6.0_05\bin\verify.dll
i:\program files\Java\jre1.6.0_05\bin\w2k_lsa_auth.dll
i:\program files\Java\jre1.6.0_05\bin\wsdetect.dll
i:\program files\Java\jre1.6.0_05\bin\zip.dll
i:\program files\Java\jre1.6.0_05\COPYRIGHT
i:\program files\Java\jre1.6.0_05\lib\calendars.properties
i:\program files\Java\jre1.6.0_05\lib\classlist
i:\program files\Java\jre1.6.0_05\lib\cmm\CIEXYZ.pf
i:\program files\Java\jre1.6.0_05\lib\cmm\GRAY.pf
i:\program files\Java\jre1.6.0_05\lib\cmm\LINEAR_RGB.pf
i:\program files\Java\jre1.6.0_05\lib\cmm\sRGB.pf
i:\program files\Java\jre1.6.0_05\lib\content-types.properties
i:\program files\Java\jre1.6.0_05\lib\deploy.jar
i:\program files\Java\jre1.6.0_05\lib\deploy\ffjcext.zip
i:\program files\Java\jre1.6.0_05\lib\deploy\messages.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_de.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_es.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_fr.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_it.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_ja.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_ko.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_sv.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_zh_CN.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_zh_HK.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\messages_zh_TW.properties
i:\program files\Java\jre1.6.0_05\lib\deploy\splash.jpg
i:\program files\Java\jre1.6.0_05\lib\ext\dnsns.jar
i:\program files\Java\jre1.6.0_05\lib\ext\meta-index
i:\program files\Java\jre1.6.0_05\lib\ext\QTJava.zip
i:\program files\Java\jre1.6.0_05\lib\ext\sunjce_provider.jar
i:\program files\Java\jre1.6.0_05\lib\ext\sunmscapi.jar
i:\program files\Java\jre1.6.0_05\lib\ext\sunpkcs11.jar
i:\program files\Java\jre1.6.0_05\lib\flavormap.properties
i:\program files\Java\jre1.6.0_05\lib\fontconfig.98.bfc
i:\program files\Java\jre1.6.0_05\lib\fontconfig.98.properties.src
i:\program files\Java\jre1.6.0_05\lib\fontconfig.bfc
i:\program files\Java\jre1.6.0_05\lib\fontconfig.properties.src
i:\program files\Java\jre1.6.0_05\lib\fonts\LucidaSansRegular.ttf
i:\program files\Java\jre1.6.0_05\lib\i386\jvm.cfg
i:\program files\Java\jre1.6.0_05\lib\im\indicim.jar
i:\program files\Java\jre1.6.0_05\lib\im\thaiim.jar
i:\program files\Java\jre1.6.0_05\lib\images\cursors\cursors.properties
i:\program files\Java\jre1.6.0_05\lib\images\cursors\invalid32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_CopyDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_CopyNoDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_LinkDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_LinkNoDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_MoveDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\images\cursors\win32_MoveNoDrop32x32.gif
i:\program files\Java\jre1.6.0_05\lib\javaws.jar
i:\program files\Java\jre1.6.0_05\lib\jce.jar
i:\program files\Java\jre1.6.0_05\lib\jsse.jar
i:\program files\Java\jre1.6.0_05\lib\jvm.hprof.txt
i:\program files\Java\jre1.6.0_05\lib\logging.properties
i:\program files\Java\jre1.6.0_05\lib\management-agent.jar
i:\program files\Java\jre1.6.0_05\lib\management\jmxremote.access
i:\program files\Java\jre1.6.0_05\lib\management\jmxremote.password.template
i:\program files\Java\jre1.6.0_05\lib\management\management.properties
i:\program files\Java\jre1.6.0_05\lib\management\snmp.acl.template
i:\program files\Java\jre1.6.0_05\lib\meta-index
i:\program files\Java\jre1.6.0_05\lib\net.properties
i:\program files\Java\jre1.6.0_05\lib\plugin.jar
i:\program files\Java\jre1.6.0_05\lib\psfont.properties.ja
i:\program files\Java\jre1.6.0_05\lib\psfontj2d.properties
i:\program files\Java\jre1.6.0_05\lib\resources.jar
i:\program files\Java\jre1.6.0_05\lib\rt.jar
i:\program files\Java\jre1.6.0_05\lib\security\cacerts
i:\program files\Java\jre1.6.0_05\lib\security\java.policy
i:\program files\Java\jre1.6.0_05\lib\security\java.security
i:\program files\Java\jre1.6.0_05\lib\security\javaws.policy
i:\program files\Java\jre1.6.0_05\lib\security\local_policy.jar
i:\program files\Java\jre1.6.0_05\lib\security\US_export_policy.jar
i:\program files\Java\jre1.6.0_05\lib\servicetag\jdk_header.png
i:\program files\Java\jre1.6.0_05\lib\sound.properties
i:\program files\Java\jre1.6.0_05\lib\tzmappings
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Abidjan
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Accra
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Addis_Ababa
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Algiers
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Asmara
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Bamako
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Bangui
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Banjul
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Bissau
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Blantyre
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Brazzaville
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Bujumbura
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Cairo
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Casablanca
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Ceuta
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Conakry
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Dakar
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Dar_es_Salaam
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Djibouti
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Douala
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\El_Aaiun
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Freetown
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Gaborone
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Harare
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Johannesburg
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Kampala
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Khartoum
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Kigali
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Kinshasa
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Lagos
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Libreville
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Lome
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Luanda
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Lubumbashi
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Lusaka
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Malabo
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Maputo
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Maseru
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Mbabane
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Mogadishu
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Monrovia
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Nairobi
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Ndjamena
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Niamey
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Nouakchott
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Ouagadougou
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Porto-Novo
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Sao_Tome
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Tripoli
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Tunis
i:\program files\Java\jre1.6.0_05\lib\zi\Africa\Windhoek
i:\program files\Java\jre1.6.0_05\lib\zi\America\Adak
i:\program files\Java\jre1.6.0_05\lib\zi\America\Anchorage
i:\program files\Java\jre1.6.0_05\lib\zi\America\Anguilla
i:\program files\Java\jre1.6.0_05\lib\zi\America\Antigua
i:\program files\Java\jre1.6.0_05\lib\zi\America\Araguaina
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Buenos_Aires
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Catamarca
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Cordoba
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Jujuy
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\La_Rioja
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Mendoza
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Rio_Gallegos
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\San_Juan
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Tucuman
i:\program files\Java\jre1.6.0_05\lib\zi\America\Argentina\Ushuaia
i:\program files\Java\jre1.6.0_05\lib\zi\America\Aruba
i:\program files\Java\jre1.6.0_05\lib\zi\America\Asuncion
i:\program files\Java\jre1.6.0_05\lib\zi\America\Atikokan
i:\program files\Java\jre1.6.0_05\lib\zi\America\Bahia
i:\program files\Java\jre1.6.0_05\lib\zi\America\Barbados
i:\program files\Java\jre1.6.0_05\lib\zi\America\Belem
i:\program files\Java\jre1.6.0_05\lib\zi\America\Belize
i:\program files\Java\jre1.6.0_05\lib\zi\America\Blanc-Sablon
i:\program files\Java\jre1.6.0_05\lib\zi\America\Boa_Vista
i:\program files\Java\jre1.6.0_05\lib\zi\America\Bogota
i:\program files\Java\jre1.6.0_05\lib\zi\America\Boise
i:\program files\Java\jre1.6.0_05\lib\zi\America\Cambridge_Bay
i:\program files\Java\jre1.6.0_05\lib\zi\America\Campo_Grande
i:\program files\Java\jre1.6.0_05\lib\zi\America\Cancun
i:\program files\Java\jre1.6.0_05\lib\zi\America\Caracas
i:\program files\Java\jre1.6.0_05\lib\zi\America\Cayenne
i:\program files\Java\jre1.6.0_05\lib\zi\America\Cayman
i:\program files\Java\jre1.6.0_05\lib\zi\America\Chicago
i:\program files\Java\jre1.6.0_05\lib\zi\America\Chihuahua
i:\program files\Java\jre1.6.0_05\lib\zi\America\Costa_Rica
i:\program files\Java\jre1.6.0_05\lib\zi\America\Cuiaba
i:\program files\Java\jre1.6.0_05\lib\zi\America\Curacao
i:\program files\Java\jre1.6.0_05\lib\zi\America\Danmarkshavn
i:\program files\Java\jre1.6.0_05\lib\zi\America\Dawson
i:\program files\Java\jre1.6.0_05\lib\zi\America\Dawson_Creek
i:\program files\Java\jre1.6.0_05\lib\zi\America\Denver
i:\program files\Java\jre1.6.0_05\lib\zi\America\Detroit
i:\program files\Java\jre1.6.0_05\lib\zi\America\Dominica
i:\program files\Java\jre1.6.0_05\lib\zi\America\Edmonton
i:\program files\Java\jre1.6.0_05\lib\zi\America\Eirunepe
i:\program files\Java\jre1.6.0_05\lib\zi\America\El_Salvador
i:\program files\Java\jre1.6.0_05\lib\zi\America\Fortaleza
i:\program files\Java\jre1.6.0_05\lib\zi\America\Glace_Bay
i:\program files\Java\jre1.6.0_05\lib\zi\America\Godthab
i:\program files\Java\jre1.6.0_05\lib\zi\America\Goose_Bay
i:\program files\Java\jre1.6.0_05\lib\zi\America\Grand_Turk
i:\program files\Java\jre1.6.0_05\lib\zi\America\Grenada
i:\program files\Java\jre1.6.0_05\lib\zi\America\Guadeloupe
i:\program files\Java\jre1.6.0_05\lib\zi\America\Guatemala
i:\program files\Java\jre1.6.0_05\lib\zi\America\Guayaquil
i:\program files\Java\jre1.6.0_05\lib\zi\America\Guyana
i:\program files\Java\jre1.6.0_05\lib\zi\America\Halifax
i:\program files\Java\jre1.6.0_05\lib\zi\America\Havana
i:\program files\Java\jre1.6.0_05\lib\zi\America\Hermosillo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Indianapolis
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Knox
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Marengo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Petersburg
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Tell_City
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Vevay
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Vincennes
i:\program files\Java\jre1.6.0_05\lib\zi\America\Indiana\Winamac
i:\program files\Java\jre1.6.0_05\lib\zi\America\Inuvik
i:\program files\Java\jre1.6.0_05\lib\zi\America\Iqaluit
i:\program files\Java\jre1.6.0_05\lib\zi\America\Jamaica
i:\program files\Java\jre1.6.0_05\lib\zi\America\Juneau
i:\program files\Java\jre1.6.0_05\lib\zi\America\Kentucky\Louisville
i:\program files\Java\jre1.6.0_05\lib\zi\America\Kentucky\Monticello
i:\program files\Java\jre1.6.0_05\lib\zi\America\La_Paz
i:\program files\Java\jre1.6.0_05\lib\zi\America\Lima
i:\program files\Java\jre1.6.0_05\lib\zi\America\Los_Angeles
i:\program files\Java\jre1.6.0_05\lib\zi\America\Maceio
i:\program files\Java\jre1.6.0_05\lib\zi\America\Managua
i:\program files\Java\jre1.6.0_05\lib\zi\America\Manaus
i:\program files\Java\jre1.6.0_05\lib\zi\America\Martinique
i:\program files\Java\jre1.6.0_05\lib\zi\America\Mazatlan
i:\program files\Java\jre1.6.0_05\lib\zi\America\Menominee
i:\program files\Java\jre1.6.0_05\lib\zi\America\Merida
i:\program files\Java\jre1.6.0_05\lib\zi\America\Mexico_City
i:\program files\Java\jre1.6.0_05\lib\zi\America\Miquelon
i:\program files\Java\jre1.6.0_05\lib\zi\America\Moncton
i:\program files\Java\jre1.6.0_05\lib\zi\America\Monterrey
i:\program files\Java\jre1.6.0_05\lib\zi\America\Montevideo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Montreal
i:\program files\Java\jre1.6.0_05\lib\zi\America\Montserrat
i:\program files\Java\jre1.6.0_05\lib\zi\America\Nassau
i:\program files\Java\jre1.6.0_05\lib\zi\America\New_York
i:\program files\Java\jre1.6.0_05\lib\zi\America\Nipigon
i:\program files\Java\jre1.6.0_05\lib\zi\America\Nome
i:\program files\Java\jre1.6.0_05\lib\zi\America\Noronha
i:\program files\Java\jre1.6.0_05\lib\zi\America\North_Dakota\Center
i:\program files\Java\jre1.6.0_05\lib\zi\America\North_Dakota\New_Salem
i:\program files\Java\jre1.6.0_05\lib\zi\America\Panama
i:\program files\Java\jre1.6.0_05\lib\zi\America\Pangnirtung
i:\program files\Java\jre1.6.0_05\lib\zi\America\Paramaribo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Phoenix
i:\program files\Java\jre1.6.0_05\lib\zi\America\Port-au-Prince
i:\program files\Java\jre1.6.0_05\lib\zi\America\Port_of_Spain
i:\program files\Java\jre1.6.0_05\lib\zi\America\Porto_Velho
i:\program files\Java\jre1.6.0_05\lib\zi\America\Puerto_Rico
i:\program files\Java\jre1.6.0_05\lib\zi\America\Rainy_River
i:\program files\Java\jre1.6.0_05\lib\zi\America\Rankin_Inlet
i:\program files\Java\jre1.6.0_05\lib\zi\America\Recife
i:\program files\Java\jre1.6.0_05\lib\zi\America\Regina
i:\program files\Java\jre1.6.0_05\lib\zi\America\Resolute
i:\program files\Java\jre1.6.0_05\lib\zi\America\Rio_Branco
i:\program files\Java\jre1.6.0_05\lib\zi\America\Santiago
i:\program files\Java\jre1.6.0_05\lib\zi\America\Santo_Domingo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Sao_Paulo
i:\program files\Java\jre1.6.0_05\lib\zi\America\Scoresbysund
i:\program files\Java\jre1.6.0_05\lib\zi\America\St_Johns
i:\program files\Java\jre1.6.0_05\lib\zi\America\St_Kitts
i:\program files\Java\jre1.6.0_05\lib\zi\America\St_Lucia
i:\program files\Java\jre1.6.0_05\lib\zi\America\St_Thomas
i:\program files\Java\jre1.6.0_05\lib\zi\America\St_Vincent
i:\program files\Java\jre1.6.0_05\lib\zi\America\Swift_Current
i:\program files\Java\jre1.6.0_05\lib\zi\America\Tegucigalpa
i:\program files\Java\jre1.6.0_05\lib\zi\America\Thule
i:\program files\Java\jre1.6.0_05\lib\zi\America\Thunder_Bay
i:\program files\Java\jre1.6.0_05\lib\zi\America\Tijuana
i:\program files\Java\jre1.6.0_05\lib\zi\America\Toronto
i:\program files\Java\jre1.6.0_05\lib\zi\America\Tortola
i:\program files\Java\jre1.6.0_05\lib\zi\America\Vancouver
i:\program files\Java\jre1.6.0_05\lib\zi\America\Whitehorse
i:\program files\Java\jre1.6.0_05\lib\zi\America\Winnipeg
i:\program files\Java\jre1.6.0_05\lib\zi\America\Yakutat
i:\program files\Java\jre1.6.0_05\lib\zi\America\Yellowknife
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Casey
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Davis
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\DumontDUrville
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Mawson
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\McMurdo
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Palmer
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Rothera
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Syowa
i:\program files\Java\jre1.6.0_05\lib\zi\Antarctica\Vostok
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Aden
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Almaty
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Amman
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Anadyr
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Aqtau
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Aqtobe
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Ashgabat
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Baghdad
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Bahrain
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Baku
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Bangkok
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Beirut
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Bishkek
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Brunei
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Calcutta
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Choibalsan
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Chongqing
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Colombo
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Damascus
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Dhaka
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Dili
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Dubai
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Dushanbe
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Gaza
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Harbin
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Hong_Kong
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Hovd
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Irkutsk
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Jakarta
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Jayapura
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Jerusalem
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kabul
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kamchatka
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Karachi
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kashgar
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Katmandu
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Krasnoyarsk
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kuala_Lumpur
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kuching
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Kuwait
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Macau
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Magadan
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Makassar
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Manila
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Muscat
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Nicosia
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Novosibirsk
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Omsk
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Oral
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Phnom_Penh
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Pontianak
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Pyongyang
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Qatar
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Qyzylorda
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Rangoon
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Riyadh
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Riyadh87
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Riyadh88
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Riyadh89
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Saigon
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Sakhalin
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Samarkand
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Seoul
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Shanghai
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Singapore
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Taipei
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Tashkent
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Tbilisi
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Tehran
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Thimphu
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Tokyo
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Ulaanbaatar
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Urumqi
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Vientiane
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Vladivostok
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Yakutsk
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Yekaterinburg
i:\program files\Java\jre1.6.0_05\lib\zi\Asia\Yerevan
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Azores
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Bermuda
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Canary
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Cape_Verde
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Faroe
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Madeira
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Reykjavik
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\South_Georgia
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\St_Helena
i:\program files\Java\jre1.6.0_05\lib\zi\Atlantic\Stanley
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Adelaide
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Brisbane
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Broken_Hill
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Currie
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Darwin
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Eucla
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Hobart
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Lindeman
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Lord_Howe
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Melbourne
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Perth
i:\program files\Java\jre1.6.0_05\lib\zi\Australia\Sydney
i:\program files\Java\jre1.6.0_05\lib\zi\CET
i:\program files\Java\jre1.6.0_05\lib\zi\CST6CDT
i:\program files\Java\jre1.6.0_05\lib\zi\EET
i:\program files\Java\jre1.6.0_05\lib\zi\EST
i:\program files\Java\jre1.6.0_05\lib\zi\EST5EDT
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-1
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-10
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-11
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-12
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-13
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-14
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-2
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-3
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-4
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-5
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-6
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-7
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-8
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT-9
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+1
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+10
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+11
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+12
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+2
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+3
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+4
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+5
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+6
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+7
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+8
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\GMT+9
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\UCT
i:\program files\Java\jre1.6.0_05\lib\zi\Etc\UTC
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Amsterdam
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Andorra
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Athens
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Belgrade
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Berlin
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Brussels
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Bucharest
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Budapest
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Chisinau
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Copenhagen
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Dublin
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Gibraltar
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Helsinki
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Istanbul
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Kaliningrad
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Kiev
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Lisbon
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\London
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Luxembourg
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Madrid
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Malta
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Minsk
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Monaco
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Moscow
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Oslo
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Paris
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Prague
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Riga
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Rome
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Samara
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Simferopol
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Sofia
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Stockholm
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Tallinn
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Tirane
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Uzhgorod
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Vaduz
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Vienna
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Vilnius
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Volgograd
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Warsaw
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Zaporozhye
i:\program files\Java\jre1.6.0_05\lib\zi\Europe\Zurich
i:\program files\Java\jre1.6.0_05\lib\zi\GMT
i:\program files\Java\jre1.6.0_05\lib\zi\HST
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Antananarivo
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Chagos
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Christmas
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Cocos
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Comoro
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Kerguelen
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Mahe
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Maldives
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Mauritius
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Mayotte
i:\program files\Java\jre1.6.0_05\lib\zi\Indian\Reunion
i:\program files\Java\jre1.6.0_05\lib\zi\MET
i:\program files\Java\jre1.6.0_05\lib\zi\MST
i:\program files\Java\jre1.6.0_05\lib\zi\MST7MDT
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Apia
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Auckland
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Chatham
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Easter
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Efate
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Enderbury
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Fakaofo
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Fiji
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Funafuti
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Galapagos
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Gambier
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Guadalcanal
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Guam
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Honolulu
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Johnston
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Kiritimati
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Kosrae
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Kwajalein
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Majuro
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Marquesas
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Midway
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Nauru
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Niue
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Norfolk
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Noumea
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Pago_Pago
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Palau
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Pitcairn
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Ponape
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Port_Moresby
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Rarotonga
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Saipan
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Tahiti
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Tarawa
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Tongatapu
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Truk
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Wake
i:\program files\Java\jre1.6.0_05\lib\zi\Pacific\Wallis
i:\program files\Java\jre1.6.0_05\lib\zi\PST8PDT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\AST4
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\AST4ADT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\CST6
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\CST6CDT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\EST5
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\EST5EDT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\HST10
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\MST7
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\MST7MDT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\PST8
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\PST8PDT
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\YST9
i:\program files\Java\jre1.6.0_05\lib\zi\SystemV\YST9YDT
i:\program files\Java\jre1.6.0_05\lib\zi\WET
i:\program files\Java\jre1.6.0_05\lib\zi\ZoneInfoMappings
i:\program files\Java\jre1.6.0_05\LICENSE
i:\program files\Java\jre1.6.0_05\PATCH.ERR
i:\program files\Java\jre1.6.0_05\README.txt
i:\program files\Java\jre1.6.0_05\THIRDPARTYLICENSEREADME.txt
i:\program files\Java\jre1.6.0_05\Welcome.html
i:\windows\system32\drivers\ndisio.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-09 14:00 . 2008-09-17 23:55 201,050 --a------ i:\windows\system32\nvapps.nvb
2008-11-08 19:22 . 2008-11-08 19:22 410,976 --a------ i:\windows\system32\deploytk.dll
2008-11-08 16:59 . 2008-11-08 19:21 <DIR> d-------- i:\documents and settings\Gero\.SunDownloadManager
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\documents and settings\Gero\Application Data\Malwarebytes
2008-11-08 12:39 . 2008-11-08 12:39 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-08 12:39 . 2008-10-22 16:10 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2008-11-08 12:39 . 2008-10-22 16:10 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2008-11-08 12:30 . 2008-11-08 12:30 <DIR> d-------- I:\_OTMoveIt
2008-11-08 08:45 . 2008-11-08 08:45 <DIR> d-------- I:\rsit
2008-11-07 15:35 . 2008-11-07 15:35 <DIR> d-------- i:\program files\Trend Micro
2008-11-06 22:16 . 2008-11-07 00:16 <DIR> d-------- i:\documents and settings\Gero\I386
2008-11-06 21:20 . 2008-11-06 21:40 <DIR> d-------- i:\program files\Spybot - Search & Destroy
2008-11-06 21:20 . 2008-11-06 22:07 <DIR> d-------- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 21:13 . 2001-08-23 15:00 11,037 --a------ i:\windows\system32\RUNDLL32.EX_
2008-11-06 19:30 . 2008-10-16 14:07 23,576 --a------ i:\windows\system32\wuapi.dll.mui
2008-11-01 12:17 . 2001-08-17 14:56 66,048 --a--c--- i:\windows\system32\dllcache\s3legacy.dll
2008-10-14 18:40 . 2008-10-14 18:40 <DIR> d-------- i:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:53 --------- d-----w i:\program files\Symantec AntiVirus
2008-11-09 21:50 --------- d-----w i:\program files\Java
2008-10-29 04:10 --------- d-----w i:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-06 23:25 --------- d-----w i:\program files\Common Files\Blizzard Entertainment
2008-10-03 05:29 --------- d-----w i:\program files\iTunes
2008-10-03 05:29 --------- d-----w i:\program files\iPod
2008-10-03 05:29 --------- d-----w i:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 05:28 --------- d-----w i:\program files\QuickTime
2008-10-03 05:28 --------- d-----w i:\program files\Common Files\Apple
2008-10-03 05:28 --------- d-----w i:\program files\Bonjour
2008-10-03 05:27 --------- d-----w i:\program files\Apple Software Update
2008-09-18 04:55 6,132,576 ----a-w i:\windows\system32\drivers\nv4_mini.sys
2008-09-09 23:24 --------- d-----w i:\program files\DivX
2008-09-09 00:54 --------- d-----w i:\program files\WinISO
.

((((((((((((((((((((((((((((( snapshot_2008-11-09_15.14.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-09 21:53:29 16,384 ----atw i:\windows\Temp\Perflib_Perfdata_158.dat
+ 2008-11-09 21:53:29 16,384 ----atw i:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="i:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="i:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Norton Ghost 12.0"="i:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 2037088]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-11-08 136600]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 i:\windows\system32\nwiz.exe]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Energizer FileSaver.lnk - i:\program files\Energizer FileSaver\Energizer FileSaver.exe [2003-02-19 976896]

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=i:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=i:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 i:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 i:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell MFP Color Laser Printer 3115cn Launcher]
--a------ 2006-12-23 14:38 635800 i:\program files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2006-12-07 16:52 340888 i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 i:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 i:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-06-30 18:08 40960 i:\program files\Dell Printers\paperport\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 i:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 i:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-09-17 23:55 13574144 i:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-17 23:55 86016 i:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-06-30 18:08 36864 i:\program files\Dell Printers\paperport\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 i:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 i:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--------- 2003-10-14 10:22 155648 i:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 i:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-09-17 23:55 1657376 i:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WZCSVC"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"i:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\program files\Microsoft ActiveSync\rapimgr.exe"= i:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"i:\program files\Microsoft ActiveSync\wcescomm.exe"= i:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"i:\program files\Microsoft ActiveSync\WCESMgr.exe"= i:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"i:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"8086:TCP"= 8086:TCP:Blizzard
"9081:TCP"= 9081:TCP:Blizzard
"9090:TCP"= 9090:TCP:Blizzard
"9097:TCP"= 9097:TCP:Blizzard
"9100:TCP"= 9100:TCP:Blizzard

R2 DLSDB;Dell Printer Status Database;i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 JavaQuickStarterService;Java Quick Starter;i:\program files\Java\jre6\bin\jqs.exe [2008-11-08 152984]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-03 i:\windows\Tasks\Backup.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]

2008-11-09 i:\windows\Tasks\backupincremental.job
- i:\windows\system32\ntbackup.exe [2004-08-04 07:00]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 16:54:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Symantec Shared\ccSetMgr.exe
i:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
i:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
i:\program files\Lavasoft\Ad-Aware\aawservice.exe
i:\windows\system32\agrsmsvc.exe
i:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
i:\program files\Symantec AntiVirus\DefWatch.exe
i:\program files\Norton Ghost\Agent\VProSvc.exe
i:\windows\system32\nvsvc32.exe
i:\program files\Symantec AntiVirus\Rtvscan.exe
i:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
i:\windows\system32\rundll32.exe
i:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-09 16:56:54 - machine was rebooted [Gero]
ComboFix-quarantined-files.txt 2008-11-09 21:56:49
ComboFix2.txt 2008-11-09 20:14:33
ComboFix3.txt 2008-11-07 20:28:11

Pre-Run: 254,440,939,520 bytes free
Post-Run: 254,422,294,528 bytes free

802 --- E O F --- 2008-10-29 02:14:49
 
gerieg said:
That is frustrating..I know you are ready to be done with me!
Click to expand...

More curious than frustrating :)
And no, I will not be done with you until your machine is clean :police:

Let's make sure it's all gone now ..


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
 
Status
Not open for further replies.
Back
Top