Persistent malware infection, off-the-self security software fails to find/clean

Blade81 · Mar 3, 2010

Hi,

Print following instructions since you won't be able to access them in recovery console.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd system32\drivers

6. At the next prompt, type the following bolded text, and press Enter (you should see message "1 file(s) copied"):

copy iaStor.sys iaStor.sys.vir

7. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Upload c:\windows\system32\drivers\iaStor.sys.vir file to http://www.virustotal.com and post back the results.

---

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:filefind
atapi.sys
iaStor.sys
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

KPax23 · Mar 4, 2010

some updates

Hi!

So while I was at work today I had left my PC on. At some point NAV2010 started doing a routine system scan. This time it actually found something!

It found and claims to have quarantined:

Trojan.Zefarch in 2 affected areas
file c:\system volume information\_restore{97faff2f-dec1-4daa-aa00-642cc6bb0a68}\rp963\a0234505.dll
browser cache
Trojan.Zefarch!gen in 2 affected ares
file c:\system volume information\_restore{97faff2f-dec1-4daa-aa00-642cc6bb0a68}\rp963\a0233308.dll
browser cache

However, ZAPro is still showing some suspicious outgoing activity. So I don't think this fully cleaned up my system.

I'll go ahead with your last request now...

KPax23 · Mar 4, 2010

more updates

So I copied iaStor.sys to iaStor.sys.vir inside the Windows Recovery Console.
Then I booted back into Windows and tried to upload the file to VirusTotal.com.
Before I could do so NAV2010 flagged it and fully removed it!

These are the details:
Backdoor.Tidserv!inf detected
3 Files:
c:\windows\system32\drivers\iastor.sys.vir
c:\Documents and Settings\Chef\Desktop\Casino.url
c:\Documents and Settings\Chef\Desktop\Casino.url (listed twice for some reason)
1 Service:
spooler
1 Browser Cache
3 System Actions

So I guess NAV2010 finds this thing if it's anywhere else but in iaStor.sys itself. I presume this infection hides itself somehow while Windows is running.
Anyhow, I'll recopy the file, reboot again and disable NAV2010 immediately so I can upload the file to VirusTotal.com.

KPax23 · Mar 4, 2010

VirusTotal report for iaStor.sys.vir

Holy Crap! I think we hit the jackpot!

File iaStor.sys.vir received on 2010.03.04 04:53:57 (UTC)
Result: 23/42 (54.77%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.04 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2010.03.03 -
AntiVir 8.2.1.180 2010.03.03 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.03.03 -
Authentium 5.2.0.5 2010.03.04 -
Avast 4.8.1351.0 2010.03.03 Win32:Alureon-FR
Avast5 5.0.332.0 2010.03.03 Win32:Alureon-FR
AVG 9.0.0.730 2010.03.04 Win32/Patched.CG
BitDefender 7.2 2010.03.04 Rootkit.Patched.TDSS.Gen
CAT-QuickHeal 10.00 2010.03.03 -
ClamAV 0.96.0.0-git 2010.03.04 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.04 BackDoor.Tdss.2213
eSafe 7.0.17.0 2010.03.03 -
eTrust-Vet 35.2.7338 2010.03.03 -
F-Prot 4.5.1.85 2010.03.03 -
F-Secure 9.0.15370.0 2010.03.04 Rootkit.Patched.TDSS.Gen
Fortinet 4.0.14.0 2010.02.28 -
GData 19 2010.03.04 Rootkit.Patched.TDSS.Gen
Ikarus T3.1.1.80.0 2010.03.04 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2010.03.03 Rootkit.TDSS.ded
K7AntiVirus 7.10.989 2010.03.03 -
Kaspersky 7.0.0.125 2010.03.04 Rootkit.Win32.Tdss.ai
McAfee 5909 2010.03.03 Patched-SYSFile.c
McAfee+Artemis 5909 2010.03.03 Patched-SYSFile.c
McAfee-GW-Edition 6.8.5 2010.03.03 Trojan.Patched.Gen
Microsoft 1.5502 2010.03.03 Virus:Win32/Alureon.G
NOD32 4913 2010.03.03 Win32/Olmarik.UJ
Norman 6.04.08 2010.03.03 W32/TDSS.drv.gen7
nProtect 2009.1.8.0 2010.03.03 -
Panda 10.0.2.2 2010.03.03 -
PCTools 7.0.3.5 2010.03.03 Backdoor.Tidserv
Prevx 3.0 2010.03.04 High Risk System Back Door
Rising 22.37.03.01 2010.03.04 -
Sophos 4.51.0 2010.03.04 Mal/TDSSRt-A
Sunbelt 5745 2010.03.04 -
Symantec 20091.2.0.41 2010.03.04 Backdoor.Tidserv!inf
TheHacker 6.5.1.7.220 2010.03.03 -
TrendMicro 9.120.0.1004 2010.03.04 PE_TDSS.MTR
VBA32 3.12.12.2 2010.03.02 -
ViRobot 2010.3.4.2211 2010.03.04 -
VirusBuster 5.0.27.0 2010.03.03 -
Additional information
File size: 247808 bytes
MD5...: c9141445ba8cb34e7011fc9c45e55d0d
SHA1..: 76d6afc7eb271a66a15e0bd37ed6aa0b65fa58ce
SHA256: 76f9a60c0bba617659a2c5034af99421ae46aa2375a0f49e6b2e7a9a48dc9e93
ssdeep: 3072:shOZudKhCd98ZxMUhSjLBsYKqWy0tTDjb/hmCI0AEdpMGG5ToKSTLLPrksb
:shOEdv6V4/KYKFVDjbA09MGG5ToKuL
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb4014
timedatestamp.....: 0x4459102a (Wed May 03 20:18:50 2006)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x374d2 0x37600 6.56 5a9b5acb900e70f9c5cb9c5ab42d6d48
.rdata 0x39000 0xa64 0xc00 5.18 a1afc9134c5d81d914cefa17a0e4a10e
.data 0x3a000 0x78bac 0x1000 4.67 811bc031c2d1ebcc170717bc300e8c08
INIT 0xb3000 0xc32 0xe00 5.18 73aba893299215e5770f06ffcea44c1b
.rsrc 0xb4000 0x440 0x600 4.74 4fe920dd9968f7d672dd28df650c5b98
.reloc 0xb5000 0x1cf2 0x1e00 5.39 007b5d02d5c579210c0663366f8a7066

( 2 imports )
> ntoskrnl.exe: ZwClose, ZwQueryValueKey, DbgPrint, ZwOpenKey, RtlCreateRegistryKey, RtlCopyUnicodeString, memmove, KeInsertQueueDpc, MmGetPhysicalAddress, KeInitializeSpinLock, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, IoInvalidateDeviceRelations, IoFreeWorkItem, IoRequestDeviceEject, IoQueueWorkItem, IoAllocateWorkItem, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, IofCompleteRequest, IofCallDriver, IoGetDmaAdapter, RtlWriteRegistryValue, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwCreateKey, swprintf, KeWaitForSingleObject, KeInitializeEvent, IoDisconnectInterrupt, IoGetConfigurationInformation, IoDeleteDevice, ExDeleteNPagedLookasideList, KeCancelTimer, IoFreeIrp, KeLeaveCriticalRegion, KeEnterCriticalRegion, IoDetachDevice, IoDeleteSymbolicLink, IoConnectInterrupt, IoReleaseRemoveLockAndWaitEx, strstr, strncat, sprintf, IoBuildDeviceIoControlRequest, PoSetPowerState, PoRegisterDeviceForIdleDetection, RtlCompareMemory, KeClearEvent, IoInitializeRemoveLockEx, ObfReferenceObject, KeSetTimer, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlInitUnicodeString, IoReleaseRemoveLockEx, KeSetEvent, _allmul, KeInitializeDpc, KeInitializeTimer, ObfDereferenceObject, IoGetAttachedDeviceReference, IoAllocateIrp, IoInvalidateDeviceState, strncpy, strncmp, PoRequestPowerIrp, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, MmMapLockedPagesSpecifyCache, KeBugCheck, KeRemoveQueueDpc, KeQuerySystemTime, PsTerminateSystemThread, KeWaitForMultipleObjects, KeSetPriorityThread, ObReferenceObjectByHandle, PsCreateSystemThread, ExInitializeNPagedLookasideList, MmMapIoSpace, ExRegisterCallback, ExCreateCallback, IoReportResourceForDetection, ExUnregisterCallback, MmUnmapIoSpace, RtlCheckRegistryKey, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoCreateDevice, RtlUnicodeStringToInteger, wcsncpy, wcsstr, _wcsupr, IoGetDeviceProperty, ZwCreateDirectoryObject, WRITE_REGISTER_ULONG, READ_REGISTER_ULONG, _alldiv, PoStartNextPowerIrp, PoCallDriver, _purecall, ExSystemTimeToLocalTime, KeDelayExecutionThread, KeSetTimerEx, KeInitializeTimerEx, wcslen, ExAllocatePoolWithTag, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, RtlQueryRegistryValues, IoAcquireRemoveLockEx, ExFreePoolWithTag
> HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex, KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql, KeStallExecutionProcessor

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=AA4888AE00A3B876C8C403B0E5BD0900843A9911' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=AA4888AE00A3B876C8C403B0E5BD0900843A9911</a>
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

KPax23 · Mar 4, 2010

SystemLook results

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:59 on 03/03/2010 by Chef (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:20 19/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [20:20 28/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [01:58 14/09/2006] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 86656 bytes [01:58 14/09/2006] [12:00 23/08/2001] A64013E98426E1877CB653685C5C0009

Searching for "iaStor.sys"
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 486400 bytes [02:05 14/09/2006] [20:20 03/05/2006] E5F3A5225F6564A5FC383FDD3B53ABB0
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 247808 bytes [02:05 14/09/2006] [20:18 03/05/2006] 6698FDEEA5CEBEF0B75AA29486CCB7E1
C:\WINDOWS\OemDir\iaStor.sys --a--- 247808 bytes [13:19 03/05/2006] [13:18 03/05/2006] 6698FDEEA5CEBEF0B75AA29486CCB7E1
C:\WINDOWS\system32\drivers\iaStor.sys ------ 247808 bytes [02:05 14/09/2006] [20:18 03/05/2006] (Unable to calculate MD5)
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 247808 bytes [02:05 14/09/2006] [13:18 03/05/2006] 6698FDEEA5CEBEF0B75AA29486CCB7E1

-=End Of File=-

Blade81 · Mar 4, 2010

Looks promising

Click start->run->type cmd.exe and press enter. In command prompt type following command:

Code:

[B]copy C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys c:\windows\system32\drivers\iaStor.sys.bak[/B]

Print following instructions since you won't be able to access them in recovery console.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd system32\drivers

6. At the next prompt, type the following bolded text, and press Enter (allow overwriting):

copy iaStor.sys.bak iaStor.sys

7. At the next prompt, type the following bolded text, and press Enter:

exit

When back in normal mode, run ComboFix (let it update itself) and post back the resultant log.

KPax23 · Mar 5, 2010

update

OK, I copied iaStor.sys from the ReinstallBackups location to system32/drivers as per instructions.

Then I ran ComboFix. Following this I'll post the new log...

Thanks!

KPax23 · Mar 5, 2010

ComboFix log

ComboFix 10-03-04.02 - Chef 03/04/2010 21:37:54.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1331 [GMT -8:00]
Running from: c:\documents and settings\Chef\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 05:28 . 2010-02-02 03:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-05 05:21 . 2006-05-03 13:18 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-05 04:45 . 2010-02-04 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\NAVENG.SYS
2010-03-05 04:45 . 2010-02-04 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\NAVEX15.SYS
2010-03-05 04:45 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\CCERASER.DLL
2010-03-05 04:45 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\ECMSVR32.DLL
2010-03-05 04:45 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\EECTRL.SYS
2010-03-05 04:45 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\ERASER.SYS
2010-03-05 04:45 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\NAVENG32.DLL
2010-03-05 04:45 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100304.032\NAVEX32A.DLL
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\documents and settings\Chef\Application Data\Malwarebytes
2010-03-03 16:50 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 16:50 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 03:21 . 2010-03-02 03:24 -------- d-----w- c:\documents and settings\Chef\Application Data\Download Manager
2010-02-26 02:06 . 2010-02-26 02:07 -------- d-----w- c:\documents and settings\Chef\vw
2010-02-26 02:06 . 2010-02-26 02:06 -------- d-----w- c:\documents and settings\Chef\Visual IP Trace
2010-02-26 02:06 . 2010-02-26 02:06 -------- d-----w- c:\program files\Visual IP Trace 2009
2010-02-25 20:46 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 20:46 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 20:46 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 20:46 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 20:46 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-22 09:12 . 2010-02-22 09:13 -------- d-----w- c:\program files\ERUNT
2010-02-21 01:02 . 2010-02-21 01:02 -------- d-----w- c:\program files\PHP
2010-02-21 00:59 . 2010-02-21 00:59 -------- d-----w- c:\documents and settings\Chef\blank
2010-02-21 00:53 . 2010-02-21 00:53 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-02-21 00:53 . 2010-02-21 00:53 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-21 00:53 . 2010-02-21 00:53 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-20 20:26 . 2010-02-20 20:26 -------- d-----w- c:\program files\JRE
2010-02-20 19:46 . 2010-02-20 19:46 -------- d-----w- c:\program files\Sun
2010-02-20 19:44 . 2010-02-20 19:45 -------- d-----w- c:\program files\Java
2010-02-20 07:14 . 2010-02-20 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-02-20 00:40 . 2010-02-20 07:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 00:40 . 2010-02-20 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-19 23:58 . 2010-02-19 23:58 388096 ----a-r- c:\documents and settings\Chef\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-19 23:53 . 2010-02-21 07:07 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-19 22:36 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-19 22:36 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-19 22:36 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-19 22:36 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-19 22:36 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-19 19:25 . 2010-02-19 19:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-19 19:17 . 2010-02-19 19:17 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Symantec
2010-02-19 09:44 . 2010-02-20 06:32 120 ----a-w- c:\windows\Xhafituyih.dat
2010-02-19 09:44 . 2010-02-19 09:44 0 ----a-w- c:\windows\Qmibujabowixan.bin
2010-02-18 19:27 . 2010-02-18 19:27 -------- d-----w- c:\program files\Common Files\Config
2010-02-18 19:27 . 2010-02-18 19:27 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-02-17 02:06 . 2010-02-17 02:06 -------- d-----w- c:\program files\Lame for Audacity
2010-02-17 02:03 . 2010-02-17 02:03 -------- d-----w- c:\program files\Audacity
2010-02-16 04:44 . 2010-02-25 23:54 -------- d-----w- c:\documents and settings\Chef\Application Data\Bioshock2
2010-02-16 04:39 . 2009-09-05 01:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-02-16 04:39 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-16 04:38 . 2010-02-16 04:38 -------- d-----w- c:\windows\Logs
2010-02-16 04:38 . 2010-02-16 04:39 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-16 04:38 . 2010-02-16 04:38 -------- d-----w- c:\windows\system32\xlive
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Acupartner
2010-02-11 11:02 . 2010-02-11 11:02 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-02-10 21:34 . 2010-02-10 21:34 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-02-10 21:33 . 2010-02-10 21:33 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-02-10 21:33 . 2010-02-10 21:33 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-02-10 21:32 . 2010-02-10 21:32 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-02-10 21:30 . 2010-02-18 19:27 241512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-02-10 21:30 . 2010-02-10 21:30 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-02-10 21:30 . 2010-02-10 21:30 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-02-10 21:30 . 2010-01-13 18:30 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
2010-02-10 21:29 . 2010-02-18 19:27 -------- d-----w- c:\program files\Quicken
2010-02-10 07:11 . 2006-10-27 03:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-02-10 07:11 . 2008-11-10 19:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-10 07:10 . 2010-02-10 07:10 -------- d-----w- c:\program files\Microsoft.NET
2010-02-10 07:08 . 2010-02-10 07:08 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Microsoft Help
2010-02-10 07:08 . 2010-02-17 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 07:07 . 2010-02-10 07:07 -------- d-----r- C:\MSOCache
2010-02-10 06:57 . 2010-02-10 07:05 -------- d-----w- c:\documents and settings\Chef\Application Data\GetRightToGo
2010-02-06 06:08 . 2010-02-06 06:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-05 22:41 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\Scxpx86.dll
2010-02-05 22:41 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSvix86.sys
2010-02-05 22:41 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSXpx86.sys
2010-02-05 22:41 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSxpx86.dll
2010-02-05 22:41 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSviA64.sys
2010-02-03 07:20 . 2010-02-03 07:20 -------- d-----w- c:\program files\iPod
2010-02-03 07:19 . 2010-02-03 07:20 -------- d-----w- c:\program files\iTunes
2010-02-03 07:17 . 2010-02-03 07:17 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 05:09 . 2010-03-05 05:15 5437440 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-03-05 05:09 . 2010-03-05 05:15 1195008 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-03-04 16:51 . 2006-09-17 21:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-04 16:13 . 2009-03-07 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-04 16:12 . 2008-07-07 06:26 1708435 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-02 03:01 . 2007-03-20 06:59 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 03:01 . 2007-10-30 07:43 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-28 19:18 . 2006-09-19 20:51 -------- d-----w- c:\program files\UseNeXT
2010-02-28 19:16 . 2007-03-03 20:02 -------- d-----w- c:\documents and settings\Chef\Application Data\BitTorrent
2010-02-27 22:13 . 2010-02-27 22:16 35840 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2010-02-27 22:13 . 2010-02-27 22:16 4964352 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2010-02-27 21:43 . 2010-02-27 21:43 4961280 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2010-02-27 21:43 . 2010-02-27 21:43 826880 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2010-02-27 19:17 . 2006-09-18 01:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-25 21:54 . 2006-10-01 06:37 -------- d-----w- c:\program files\Steam
2010-02-24 09:26 . 2010-02-24 19:37 1065984 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-02-22 09:07 . 2010-02-22 09:07 131697 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_02_21_13_45_47_small.dmp.zip
2010-02-21 21:29 . 2006-09-14 04:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-21 01:10 . 2006-09-14 03:00 69360 ----a-w- c:\documents and settings\Chef\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 00:53 . 2006-09-22 17:03 -------- d-----w- c:\program files\Common Files\Real
2010-02-21 00:53 . 2006-09-22 17:03 -------- d-----w- c:\program files\Real
2010-02-21 00:52 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-21 00:52 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-20 20:26 . 2009-08-01 20:13 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-20 19:45 . 2008-12-15 17:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-20 19:21 . 2006-09-18 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-02-20 19:21 . 2006-09-14 02:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 15:14 . 2009-09-18 09:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-18 15:20 . 2008-10-14 07:10 -------- d-----w- c:\documents and settings\Chef\Application Data\Online Backup
2010-02-18 05:44 . 2006-09-19 00:42 -------- d-----w- c:\documents and settings\Chef\Application Data\Canon
2010-02-17 01:35 . 2006-12-25 02:59 -------- d-----w- c:\program files\MediaMonkey
2010-02-16 00:27 . 2008-04-21 05:26 -------- d-----w- c:\documents and settings\Chef\Application Data\Bioshock
2010-02-14 10:50 . 2007-02-18 21:55 -------- d-----w- c:\documents and settings\Chef\Application Data\Skype
2010-02-13 19:32 . 2010-02-13 19:32 131857 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_02_13_11_27_23_small.dmp.zip
2010-02-13 10:21 . 2006-09-18 20:40 -------- d-----w- c:\program files\Microsoft Works
2010-02-12 09:58 . 2010-02-12 20:54 4721664 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2010-02-12 09:58 . 2010-02-12 20:54 1842688 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2010-02-06 06:10 . 2006-12-10 19:52 -------- d-----w- c:\program files\Google
2010-02-03 07:20 . 2008-12-30 05:21 -------- d-----w- c:\program files\Common Files\Apple
2010-01-23 21:03 . 2010-01-23 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-18 19:31 . 2007-09-17 19:45 -------- d-----w- c:\documents and settings\Chef\Application Data\dvdcss
2010-01-17 07:04 . 2008-07-18 00:50 166705 ----a-w- c:\documents and settings\Chef\Application Data\Thunderbird\Profiles\dr464kb8.default\Mail\Local Folders\Business.sbd\F.sbd\Flashloaded.com
2010-01-13 18:26 . 2010-01-13 18:26 91 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Pnf\Pas\reg.bat
2010-01-07 21:18 . 2009-08-16 19:46 -------- d-----w- c:\documents and settings\Flo\Application Data\Canon
2010-01-02 02:47 . 2009-08-04 02:05 1 ----a-w- c:\documents and settings\Chef\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 08:10 . 2009-12-28 17:28 2948096 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-12-21 19:14 . 2004-01-08 22:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 18:46 . 2009-12-20 18:46 20299200 ----a-w- c:\documents and settings\Chef\Application Data\TomTom\HOME\Profiles\sbrhqw6q.default\Updates\v2_7_3_1894_win.exe
2009-12-16 18:43 . 2006-09-14 01:42 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2001-08-23 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 13:48 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_20.14.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 05:27 . 2010-03-05 05:27 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
+ 2010-03-05 05:29 . 2010-03-05 05:29 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2010-03-05 05:27 . 2010-03-05 05:27 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2008-10-14 611768]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-03 151552]
"JMB36X Configure"="c:\windows\System32\JMRaidTool.exe" [2006-04-25 385024]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-11 1051648]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2009-03-08 147456]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-21 202256]

c:\documents and settings\Chef\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-6-17 15360]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-6-17 1048576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chef^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chef^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 01:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 08:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 22:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 08:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled

HCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 11:21 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 11:21 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 11:20 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 12:46 PM 329592]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [10/24/2006 6:34 PM 8576]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 11:20 AM 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 3:31 AM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 11:37 PM 102448]
S2 gupdate1c99f732a046a29;Google Update Service (gupdate1c99f732a046a29);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2009 2:22 PM 133104]
S3 BS_DEF;BS_DEF;c:\program files\ASUS\AsusUpdate\BS_DEF.sys [3/19/2009 9:57 AM 12800]
S3 CLAVIAUSB;CLAVIAUSB;c:\windows\system32\drivers\ClaviaUSB.sys [10/5/2009 8:30 PM 19712]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 4:20 AM 12648]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [9/13/2006 6:14 PM 332928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-01 01:49]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 22:22]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 22:22]

2010-03-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-776561741-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]

2010-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-776561741-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chef\Application Data\Mozilla\Firefox\Profiles\bf5ftzln.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.addthis.com/search?pco=fxe-3.0.0&locale=en-US&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Chef\Application Data\Mozilla\Firefox\Profiles\bf5ftzln.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:1a,3c,8b,f5,d5,be,b8,e7,56,1b,4f,f6,f0,76,c5,b5,57,93,fc,fa,a3,
12,f5,46,9b,0c,1f,ca,52,87,fc,c0,a4,2c,4b,bd,5c,1a,c2,db,da,6b,18,6c,48,4d,\

[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:1a,3c,8b,f5,d5,be,b8,e7,56,1b,4f,f6,f0,76,c5,b5,57,93,fc,fa,a3,
12,f5,46,9b,0c,1f,ca,52,87,fc,c0,a4,2c,4b,bd,5c,1a,c2,db,da,6b,18,6c,48,4d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-04 21:46:19
ComboFix-quarantined-files.txt 2010-03-05 05:46
ComboFix2.txt 2010-02-28 20:23

Pre-Run: 15,257,739,264 bytes free
Post-Run: 15,204,864,000 bytes free

- - End Of File - - E49EF65F97FF699E07CBA30845A28048

Blade81 · Mar 5, 2010

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://forums.spybot.info/showthread.php?t=55706&page=3
Collect::
c:\windows\Xhafituyih.dat
c:\windows\Qmibujabowixan.bin
c:\windows\system32\drivers\iaStor.sys.vir
Folder::
c:\program files\UseNeXT
c:\documents and settings\Chef\Application Data\BitTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows, disable antivirus protection and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.

Is Adobe Acrobat used for other purposes than pdf conversion?

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

KPax23 · Mar 6, 2010

ComboFix log

ComboFix 10-03-04.06 - Chef 03/05/2010 9:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1408 [GMT -8:00]
Running from: c:\documents and settings\Chef\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chef\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\windows\Qmibujabowixan.bin
file zipped: c:\windows\Xhafituyih.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chef\Application Data\BitTorrent
c:\program files\UseNeXT
c:\program files\UseNeXT\DevComponents.DotNetBar.dll
c:\program files\UseNeXT\groups.dat
c:\program files\UseNeXT\IXP.DLL
c:\program files\UseNeXT\language_de.txt
c:\program files\UseNeXT\language_en.txt
c:\program files\UseNeXT\language_es.txt
c:\program files\UseNeXT\language_fr.txt
c:\program files\UseNeXT\log.txt
c:\program files\UseNeXT\pp\gulli.ico
c:\program files\UseNeXT\unins000.exe
c:\windows\Qmibujabowixan.bin
c:\windows\Xhafituyih.dat

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 15:58 . 2010-02-04 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVENG.SYS
2010-03-05 15:58 . 2010-02-04 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVEX15.SYS
2010-03-05 15:58 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVENG32.DLL
2010-03-05 15:58 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\NAVEX32A.DLL
2010-03-05 15:58 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\CCERASER.DLL
2010-03-05 15:58 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\ECMSVR32.DLL
2010-03-05 15:58 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\EECTRL.SYS
2010-03-05 15:58 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100305.004\ERASER.SYS
2010-03-05 05:28 . 2010-02-02 03:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-05 05:21 . 2006-05-03 13:18 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\documents and settings\Chef\Application Data\Malwarebytes
2010-03-03 16:50 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 16:50 . 2010-03-03 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 16:50 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 03:21 . 2010-03-02 03:24 -------- d-----w- c:\documents and settings\Chef\Application Data\Download Manager
2010-02-26 02:06 . 2010-02-26 02:07 -------- d-----w- c:\documents and settings\Chef\vw
2010-02-26 02:06 . 2010-02-26 02:06 -------- d-----w- c:\documents and settings\Chef\Visual IP Trace
2010-02-26 02:06 . 2010-02-26 02:06 -------- d-----w- c:\program files\Visual IP Trace 2009
2010-02-25 20:46 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 20:46 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 20:46 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 20:46 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 20:46 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-22 09:12 . 2010-02-22 09:13 -------- d-----w- c:\program files\ERUNT
2010-02-21 01:02 . 2010-02-21 01:02 -------- d-----w- c:\program files\PHP
2010-02-21 00:59 . 2010-02-21 00:59 -------- d-----w- c:\documents and settings\Chef\blank
2010-02-21 00:53 . 2010-02-21 00:53 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-02-21 00:53 . 2010-02-21 00:53 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-02-21 00:53 . 2010-02-21 00:53 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-21 00:53 . 2010-02-21 00:53 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-20 20:26 . 2010-02-20 20:26 -------- d-----w- c:\program files\JRE
2010-02-20 19:46 . 2010-02-20 19:46 -------- d-----w- c:\program files\Sun
2010-02-20 19:44 . 2010-02-20 19:45 -------- d-----w- c:\program files\Java
2010-02-20 07:14 . 2010-02-20 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-02-20 00:40 . 2010-02-20 07:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 00:40 . 2010-02-20 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-19 23:58 . 2010-02-19 23:58 388096 ----a-r- c:\documents and settings\Chef\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-19 23:53 . 2010-02-21 07:07 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-19 22:36 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-19 22:36 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-19 22:36 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-19 22:36 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-19 22:36 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-19 19:25 . 2010-02-19 19:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-19 19:17 . 2010-02-19 19:17 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Symantec
2010-02-18 19:27 . 2010-02-18 19:27 -------- d-----w- c:\program files\Common Files\Config
2010-02-18 19:27 . 2010-02-18 19:27 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-02-17 02:06 . 2010-02-17 02:06 -------- d-----w- c:\program files\Lame for Audacity
2010-02-17 02:03 . 2010-02-17 02:03 -------- d-----w- c:\program files\Audacity
2010-02-16 04:44 . 2010-02-25 23:54 -------- d-----w- c:\documents and settings\Chef\Application Data\Bioshock2
2010-02-16 04:39 . 2009-09-05 01:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-02-16 04:39 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-16 04:38 . 2010-02-16 04:38 -------- d-----w- c:\windows\Logs
2010-02-16 04:38 . 2010-02-16 04:39 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-16 04:38 . 2010-02-16 04:38 -------- d-----w- c:\windows\system32\xlive
2010-02-11 21:06 . 2010-02-11 21:06 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Acupartner
2010-02-11 11:02 . 2010-02-11 11:02 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-02-10 21:34 . 2010-02-10 21:34 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-02-10 21:33 . 2010-02-10 21:33 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-02-10 21:33 . 2010-02-10 21:33 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-02-10 21:32 . 2010-02-10 21:32 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-02-10 21:30 . 2010-02-18 19:27 241512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-02-10 21:30 . 2010-02-10 21:30 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-02-10 21:30 . 2010-02-10 21:30 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-02-10 21:30 . 2010-01-13 18:30 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe
2010-02-10 21:30 . 2010-01-13 18:27 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
2010-02-10 21:29 . 2010-02-18 19:27 -------- d-----w- c:\program files\Quicken
2010-02-10 07:11 . 2006-10-27 03:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-02-10 07:11 . 2008-11-10 19:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-10 07:10 . 2010-02-10 07:10 -------- d-----w- c:\program files\Microsoft.NET
2010-02-10 07:08 . 2010-02-10 07:08 -------- d-----w- c:\documents and settings\Chef\Local Settings\Application Data\Microsoft Help
2010-02-10 07:08 . 2010-02-17 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 07:07 . 2010-02-10 07:07 -------- d-----r- C:\MSOCache
2010-02-10 06:57 . 2010-02-10 07:05 -------- d-----w- c:\documents and settings\Chef\Application Data\GetRightToGo
2010-02-06 06:08 . 2010-02-06 06:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-05 22:41 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\Scxpx86.dll
2010-02-05 22:41 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSvix86.sys
2010-02-05 22:41 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSXpx86.sys
2010-02-05 22:41 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSxpx86.dll
2010-02-05 22:41 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 17:20 . 2008-07-07 06:26 9145652 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-05 17:15 . 2009-03-07 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-05 06:05 . 2006-09-17 21:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-05 05:09 . 2010-03-05 05:15 5437440 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-03-05 05:09 . 2010-03-05 05:15 1195008 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-03-02 03:01 . 2007-03-20 06:59 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 03:01 . 2007-10-30 07:43 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-27 22:13 . 2010-02-27 22:16 35840 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2010-02-27 22:13 . 2010-02-27 22:16 4964352 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2010-02-27 21:43 . 2010-02-27 21:43 4961280 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2010-02-27 21:43 . 2010-02-27 21:43 826880 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2010-02-27 19:17 . 2006-09-18 01:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-25 21:54 . 2006-10-01 06:37 -------- d-----w- c:\program files\Steam
2010-02-24 09:26 . 2010-02-24 19:37 1065984 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-02-22 09:07 . 2010-02-22 09:07 131697 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_02_21_13_45_47_small.dmp.zip
2010-02-21 21:29 . 2006-09-14 04:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-21 01:10 . 2006-09-14 03:00 69360 ----a-w- c:\documents and settings\Chef\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-21 00:53 . 2006-09-22 17:03 -------- d-----w- c:\program files\Common Files\Real
2010-02-21 00:53 . 2006-09-22 17:03 -------- d-----w- c:\program files\Real
2010-02-21 00:52 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-21 00:52 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-20 20:26 . 2009-08-01 20:13 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-20 19:45 . 2008-12-15 17:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-20 19:21 . 2006-09-18 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-02-20 19:21 . 2006-09-14 02:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 15:14 . 2009-09-18 09:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-18 15:20 . 2008-10-14 07:10 -------- d-----w- c:\documents and settings\Chef\Application Data\Online Backup
2010-02-18 05:44 . 2006-09-19 00:42 -------- d-----w- c:\documents and settings\Chef\Application Data\Canon
2010-02-17 01:35 . 2006-12-25 02:59 -------- d-----w- c:\program files\MediaMonkey
2010-02-16 00:27 . 2008-04-21 05:26 -------- d-----w- c:\documents and settings\Chef\Application Data\Bioshock
2010-02-14 10:50 . 2007-02-18 21:55 -------- d-----w- c:\documents and settings\Chef\Application Data\Skype
2010-02-13 19:32 . 2010-02-13 19:32 131857 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_02_13_11_27_23_small.dmp.zip
2010-02-13 10:21 . 2006-09-18 20:40 -------- d-----w- c:\program files\Microsoft Works
2010-02-12 09:58 . 2010-02-12 20:54 4721664 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2010-02-12 09:58 . 2010-02-12 20:54 1842688 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2010-02-06 06:10 . 2006-12-10 19:52 -------- d-----w- c:\program files\Google
2010-02-03 07:20 . 2010-02-03 07:19 -------- d-----w- c:\program files\iTunes
2010-02-03 07:20 . 2010-02-03 07:20 -------- d-----w- c:\program files\iPod
2010-02-03 07:20 . 2008-12-30 05:21 -------- d-----w- c:\program files\Common Files\Apple
2010-02-03 07:17 . 2010-02-03 07:17 -------- d-----w- c:\program files\QuickTime
2010-01-23 21:03 . 2010-01-23 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-18 19:31 . 2007-09-17 19:45 -------- d-----w- c:\documents and settings\Chef\Application Data\dvdcss
2010-01-17 07:04 . 2008-07-18 00:50 166705 ----a-w- c:\documents and settings\Chef\Application Data\Thunderbird\Profiles\dr464kb8.default\Mail\Local Folders\Business.sbd\F.sbd\Flashloaded.com
2010-01-13 18:26 . 2010-01-13 18:26 91 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\Pnf\Pas\reg.bat
2010-01-07 21:18 . 2009-08-16 19:46 -------- d-----w- c:\documents and settings\Flo\Application Data\Canon
2010-01-02 02:47 . 2009-08-04 02:05 1 ----a-w- c:\documents and settings\Chef\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 08:10 . 2009-12-28 17:28 2948096 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-12-21 19:14 . 2004-01-08 22:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 18:46 . 2009-12-20 18:46 20299200 ----a-w- c:\documents and settings\Chef\Application Data\TomTom\HOME\Profiles\sbrhqw6q.default\Updates\v2_7_3_1894_win.exe
2009-12-16 18:43 . 2006-09-14 01:42 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2001-08-23 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 13:48 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_20.14.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 17:15 . 2010-03-05 17:15 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
+ 2010-03-05 17:16 . 2010-03-05 17:16 16384 c:\windows\Temp\Perflib_Perfdata_1a0.dat
+ 2010-03-05 17:14 . 2010-03-05 17:14 16384 c:\windows\Temp\Perflib_Perfdata_138.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2008-10-14 611768]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-03 151552]
"JMB36X Configure"="c:\windows\System32\JMRaidTool.exe" [2006-04-25 385024]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-11 1051648]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2009-03-08 147456]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-21 202256]

c:\documents and settings\Chef\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-6-17 15360]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-6-17 1048576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chef^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chef^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 01:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 08:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 22:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 08:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"QBFCService"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled

HCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 11:21 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 11:21 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 11:20 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 12:46 PM 329592]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [10/24/2006 6:34 PM 8576]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 11:20 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 11:37 PM 102448]
S2 gupdate1c99f732a046a29;Google Update Service (gupdate1c99f732a046a29);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2009 2:22 PM 133104]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 3:31 AM 92008]
S3 BS_DEF;BS_DEF;c:\program files\ASUS\AsusUpdate\BS_DEF.sys [3/19/2009 9:57 AM 12800]
S3 CLAVIAUSB;CLAVIAUSB;c:\windows\system32\drivers\ClaviaUSB.sys [10/5/2009 8:30 PM 19712]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 4:20 AM 12648]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [9/13/2006 6:14 PM 332928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-01 01:49]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 22:22]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 22:22]

2010-03-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-776561741-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]

2010-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-776561741-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chef\Application Data\Mozilla\Firefox\Profiles\bf5ftzln.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.addthis.com/search?pco=fxe-3.0.0&locale=en-US&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Chef\Application Data\Mozilla\Firefox\Profiles\bf5ftzln.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 09:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:1a,3c,8b,f5,d5,be,b8,e7,56,1b,4f,f6,f0,76,c5,b5,57,93,fc,fa,a3,
12,f5,46,9b,0c,1f,ca,52,87,fc,c0,a4,2c,4b,bd,5c,1a,c2,db,da,6b,18,6c,48,4d,\

[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:1a,3c,8b,f5,d5,be,b8,e7,56,1b,4f,f6,f0,76,c5,b5,57,93,fc,fa,a3,
12,f5,46,9b,0c,1f,ca,52,87,fc,c0,a4,2c,4b,bd,5c,1a,c2,db,da,6b,18,6c,48,4d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1380)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-05 09:32:30
ComboFix-quarantined-files.txt 2010-03-05 17:32
ComboFix2.txt 2010-03-05 05:46
ComboFix3.txt 2010-02-28 20:23

Pre-Run: 15,082,328,064 bytes free
Post-Run: 15,027,822,592 bytes free

- - End Of File - - B7AC17B2EA69E840EE8890AA17E372AE
Upload was successful

Blade81 · Mar 6, 2010

I'll get back to this after those other steps are ready

KPax23 · Mar 6, 2010

Yeah, sorry, I barely had a minute to work on this yesterday. Very busy day...
Since then I have:

uninstalled Flash (thought for some reason I'm no able to reinstall it freshly. All kinds of problems about missing plugins and needing to manually install gp.xpi (application/getplusplusadbobe16263)...have to figure that out later.
ran ATF cleaner with the settings you specified
ran Kaspersky Online Scanner over night. It found and flagged something in a CygWin file off on my data drive where I keep my installers. Subsequently I fed that file into VirusTotal.com. I'll post that log after this. I was surprised to see some sort of infection in the CygWin installer...

To answer your question regarding Adobe Acrobat: I have it because I regular print things to PDF files instead of to printer and because sometimes I edit PDF files. I know it's an older version. I guess I should spend the money and update.

Anyhow, following this the VirusTotal log for what Kaspersky Online Scanner found. After that I'll post with the fresh DDS log.
After

KPax23 · Mar 6, 2010

VirusTotal report for suspicious file found by Kaspersky Online Scanner

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.14 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 -
Antiy-AVL 2.0.3.7 2009.11.13 NetTool/Win32.Proxy
Authentium 5.2.0.5 2009.11.14 -
Avast 4.8.1351.0 2009.11.14 -
AVG 8.5.0.425 2009.11.14 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.14 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.14 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.14 not-a-virus:NetTool.Win32.Proxy
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 not-a-virus:NetTool.Win32.Proxy.g
McAfee 5802 2009.11.14 -
McAfee+Artemis 5802 2009.11.14 -
McAfee-GW-Edition 6.8.5 2009.11.14 -
Microsoft 1.5202 2009.11.14 -
NOD32 4608 2009.11.14 -
Norman 6.03.02 2009.11.14 -
nProtect 2009.1.8.0 2009.11.14 -
Panda 10.0.2.2 2009.11.14 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 -
Rising 22.21.05.04 2009.11.14 -
Sophos 4.47.0 2009.11.15 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.14 -
VBA32 3.12.10.11 2009.11.13 -
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.14 -
Additional information
File size: 16427 bytes
MD5 : 7824718e945b4c83d84a9ba8c554f7ca
SHA1 : d81102c734696877cdad239cb6e6b442f25221fa
SHA256: 5b62c78ee7ea1f97fc191afc3d7513d6f92f048c817c9a96971cedd64e52be04
TrID : File type identification
bzip2 compressed archive (100.0%)
ssdeep: 384:91DiWtSMAJnDlO9nqkU1TOy17aycF4S0im2TJdcm9T3CeNnH:91mWEnJnDlInqkGTOyZaaWcm97CeNH
PEiD : -
packers (F-Prot): packed
RDS : NSRL Reference Data Set

KPax23 · Mar 6, 2010

new DDS.txt (DDS)

DDS (Ver_09-12-01.01) - NTFSx86
Run by Chef at 12:53:13.54 on Sat 03/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1376 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Online Backup\OnlineBackup.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Chef\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: VIPTToolbarManager Class: {1a2641ae-2c42-4c51-a05f-8ecec3fdc94d} - c:\program files\visual ip trace 2009\VisualIPTraceIE.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Visual IP Trace: {e70c26ae-dff1-40a8-8d37-19180f56f0aa} - c:\program files\visual ip trace 2009\VisualIPTraceIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [JMB36X Configure] "c:\windows\system32\JMRaidTool.exe" boot
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [InCD] "c:\program files\nero\nero 7\incd\InCD.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\chef\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158200459132
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158201002655
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c5/v19.108/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chef\applic~1\mozilla\firefox\profiles\bf5ftzln.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.addthis.com/search?pco=fxe-3.0.0&locale=en-US&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\chef\application data\mozilla\firefox\profiles\bf5ftzln.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100224.002\IDSXpx86.sys [2010-2-25 329592]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2006-10-24 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-3 486280]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100306.004\NAVENG.SYS [2010-3-6 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100306.004\NAVEX15.SYS [2010-3-6 1324720]
S2 gupdate1c99f732a046a29;Google Update Service (gupdate1c99f732a046a29);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S3 BS_DEF;BS_DEF;c:\program files\asus\asusupdate\BS_DEF.sys [2009-3-19 12800]
S3 CLAVIAUSB;CLAVIAUSB;c:\windows\system32\drivers\ClaviaUSB.sys [2009-10-5 19712]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-9-13 332928]

=============== Created Last 30 ================

2010-03-05 05:21:34 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys.bak
2010-03-05 05:21:34 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-03 16:50:45 0 d-----w- c:\docume~1\chef\applic~1\Malwarebytes
2010-03-03 16:50:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 16:50:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-03 16:50:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 16:50:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 19:43:27 0 d-sha-r- C:\cmdcons
2010-02-28 19:41:57 98816 ----a-w- c:\windows\sed.exe
2010-02-28 19:41:57 77312 ----a-w- c:\windows\MBR.exe
2010-02-28 19:41:57 261632 ----a-w- c:\windows\PEV.exe
2010-02-28 19:41:57 161792 ----a-w- c:\windows\SWREG.exe
2010-02-26 02:06:21 0 d-----w- c:\documents and settings\chef\vw
2010-02-26 02:06:21 0 d-----w- c:\documents and settings\chef\Visual IP Trace
2010-02-26 02:06:17 37 ----a-w- c:\documents and settings\chef\Visual IP Trace-Path
2010-02-26 02:06:14 0 d-----w- c:\program files\Visual IP Trace 2009
2010-02-21 01:02:16 0 d-----w- c:\program files\PHP
2010-02-21 00:59:41 0 d-----w- c:\documents and settings\chef\blank
2010-02-21 00:53:07 0 d-----w- c:\program files\common files\xing shared
2010-02-20 20:26:57 0 d-----w- c:\program files\JRE
2010-02-20 19:46:26 0 d-----w- c:\program files\Sun
2010-02-20 19:46:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-20 07:14:30 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-02-20 00:40:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 00:40:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-18 19:27:57 0 d-----w- c:\program files\common files\Config
2010-02-17 02:06:10 0 d-----w- c:\program files\Lame for Audacity
2010-02-17 02:03:37 0 d-----w- c:\program files\Audacity
2010-02-16 04:44:42 0 d-----w- c:\docume~1\chef\applic~1\Bioshock2
2010-02-16 04:39:04 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-02-16 04:39:04 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-16 04:38:58 0 d-----w- c:\windows\Logs
2010-02-16 04:38:54 0 d-----w- c:\windows\system32\xlive
2010-02-16 04:38:54 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-10 21:30:04 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-02-10 21:29:04 0 d-----w- c:\program files\Quicken
2010-02-10 07:11:48 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-02-10 06:57:42 0 d-----w- c:\docume~1\chef\applic~1\GetRightToGo

==================== Find3M ====================

2010-03-05 06:05:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-02 03:01:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 03:01:43 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-21 00:52:29 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-21 00:52:29 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-20 19:45:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-09-19 06:36:15 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 12:54:37.18 ===============

KPax23 · Mar 6, 2010

new Attach.txt (DDS)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/13/2006 6:45:19 PM
System Uptime: 3/6/2010 12:43:37 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5W DH Deluxe
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Socket 775 | 2671/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 117 GiB total, 13.915 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 256.672 GiB free.
F: is CDROM ()
K: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
M: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
P: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
S: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
V: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
Y: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.
Z: is NetworkDisk (NTFS) - 2742 GiB total, 2403.008 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_20\4&8D68EE5&0&00E4
Manufacturer: Marvell
Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_20\4&8D68EE5&0&00E4
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
Device ID: USB\VID_0BDA&PID_8187\0015AF035648
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
PNP Device ID: USB\VID_0BDA&PID_8187\0015AF035648
Service: RTLWUSB

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP945: 2/9/2010 11:07:20 PM - Installed Microsoft Office Home and Student 2007
RP946: 2/9/2010 11:11:40 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP947: 2/9/2010 11:20:30 PM - Configured Microsoft Office Home and Student 2007
RP948: 2/10/2010 1:30:14 PM - Printer Driver Amyuni Document Converter 400 Installed
RP949: 2/11/2010 3:00:21 AM - Software Distribution Service 3.0
RP950: 2/11/2010 1:05:42 PM - Installed AcuPartner Professional
RP951: 2/12/2010 5:39:10 PM - Software Distribution Service 3.0
RP952: 2/13/2010 2:19:22 AM - Software Distribution Service 3.0
RP953: 2/13/2010 11:17:32 AM - Software Distribution Service 3.0
RP954: 2/14/2010 12:11:26 PM - System Checkpoint
RP955: 2/15/2010 8:36:24 PM - Installed DirectX
RP956: 2/15/2010 8:37:15 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP957: 2/15/2010 8:37:51 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP958: 2/15/2010 8:38:15 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP959: 2/15/2010 8:39:02 PM - Installed DirectX
RP960: 2/15/2010 8:59:27 PM - Installed BioShock 2
RP961: 2/17/2010 1:10:01 AM - Software Distribution Service 3.0
RP962: 2/18/2010 10:44:31 PM - System Checkpoint
RP963: 2/19/2010 3:57:57 PM - Installed HiJackThis
RP964: 2/20/2010 10:31:13 AM - Revo Uninstaller's restore point - AcuPartner Professional
RP965: 2/20/2010 10:32:53 AM - Removed AcuPartner Professional
RP966: 2/20/2010 10:49:42 AM - Revo Uninstaller's restore point - AnswerWorks 5.0 English Runtime
RP967: 2/20/2010 10:51:19 AM - Revo Uninstaller's restore point - Avanquest update
RP968: 2/20/2010 10:55:40 AM - Revo Uninstaller's restore point - Documents To Go
RP969: 2/20/2010 10:55:58 AM - Removed Documents To Go
RP970: 2/20/2010 11:02:32 AM - Revo Uninstaller's restore point - GLOBEtrotter FLEXid Drivers
RP971: 2/20/2010 11:03:12 AM - Revo Uninstaller's restore point - GLOBEtrotter FLEXid Drivers
RP972: 2/20/2010 11:34:34 AM - Revo Uninstaller's restore point - Java(TM) 6 Update 13
RP973: 2/20/2010 11:35:27 AM - Revo Uninstaller's restore point - Java(TM) 6 Update 15
RP974: 2/20/2010 11:35:35 AM - Removed Java(TM) 6 Update 14
RP975: 2/20/2010 11:37:39 AM - Revo Uninstaller's restore point - Adobe AIR
RP976: 2/20/2010 11:39:24 AM - Revo Uninstaller's restore point - WebEx Support Manager for Internet Explorer
RP977: 2/20/2010 11:39:40 AM - Removed WebEx Support Manager for Internet Explorer
RP978: 2/20/2010 11:44:19 AM - Installed Java(TM) SE Development Kit 6 Update 18
RP979: 2/20/2010 11:45:36 AM - Installed Java(TM) 6 Update 18
RP980: 2/20/2010 11:51:52 AM - Removed Adobe Reader 9.1.3.
RP981: 2/20/2010 11:52:27 AM - Installed Adobe Reader 9.3.
RP982: 2/20/2010 12:22:58 PM - Removed OpenOffice.org 3.1
RP983: 2/20/2010 12:26:32 PM - Installed OpenOffice.org 3.2
RP984: 2/20/2010 4:47:24 PM - Revo Uninstaller's restore point - Adobe SVG Viewer 3.0
RP985: 2/20/2010 5:02:16 PM - Installed PHP 5.3.1
RP986: 2/23/2010 1:18:53 PM - Software Distribution Service 3.0
RP987: 2/28/2010 11:14:00 AM - Revo Uninstaller's restore point - BitTorrent 5.0.7
RP988: 2/28/2010 11:16:28 AM - Revo Uninstaller's restore point - UseNeXT
RP989: 3/4/2010 8:28:48 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader for ScanSnap (TM) 4.0
Acrobat.com
Active GPX
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Library
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Lightroom
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9.3.1
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoBase 3
ASUS WiFi-AP Solo
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Problem Report Wizard
Audacity 1.2.6
Autodesk DirectConnect 2.0
Bioshock
BioShock 2
BOINC
Bonjour
BootLog XP
Canon CanoScan Toolbox 4.9
Canon i950
Canon Utilities Easy-PhotoPrint
CardMinder
CardMinder V4.0
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CDDRV_Installer
Cheat Engine 5.5
Cisco Systems VPN Client 5.0.02.0090
Creative Jukebox Driver
Creative Media Toolbox
Creative MediaSource
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
DiskCheckup V2.1
Diskeeper 2009 Professional
DVD Decrypter (Remove Only)
EAX4 Unified Redist
Eraser 5.8
ERUNT 1.1j
ExamDiff 1.6m
FLAC Installer 1.1.3b (remove only)
FreeMind
FW LiveUpdate
GameShadow
Garmin Communicator Plugin
Garmin MapSource
Garmin Trip and Waypoint Manager v5
Garmin USB Drivers
Google Earth
Google Update Helper
Google Updater
Half-Life 2: Episode Two
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Matrix Storage Manager
iPhone Configuration Utility
iTunes
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Jitbit Macro Recorder
JLIP VideoCapture3.1
JRAID
KhalInstallWrapper
LADSPA_plugins-win-0.4.15
LAME v3.98.2 for Audacity
LightScribe 1.4.124.1
Logitech Harmony Remote Software 7
Logitech Legacy USB Camera Driver Package
Logitech QuickCam Driver Package
Logitech SetPoint
Logitech Updater
Logitech Webcam Software
Malwarebytes' Anti-Malware
Manual CanoScan 9900F
Marvell Miniport Driver
Maya 2008
Maya 2008 Documentation (en_US)
MediaMonkey 3.2
MediaMonkey AAC Plug-in 1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft IntelliType Pro 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Motorola Software Update
Mozilla Firefox (3.6)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
NOMAD Explorer
Nord Sample Editor v2.00
Nord Sound Manager v5.02
Nord Wave Manager v1.16
Norton AntiVirus
OGA Notifier 2.0.0048.0
oggcodecs 0.71.0946
Online Backup
OpenOffice.org 3.2
palmOne
palmOne VersaMail(tm)
PC Probe II
PDF Settings
Peggle Deluxe Demo
Peggle Extreme
PhoneTools
PHP 5.3.1
Picasa 3
Portal
PuTTY version 0.60
Python 2.5
Python 2.5 py2exe-0.6.5
QuickBooks Premier: Nonprofit Edition 2007
QuickBooks Product Listing Service
Quicken 2010
QuickPar 0.9
QuickTime
Rack2-Filer
Rack2-Viewer (This application may be deleted by deleting Rack2-Filer)
Rack2 Folder Monitor Software
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
Registry Mechanic 5.0
Remote Control USB Driver
Remove Empty Directories 2.1
Revo Uninstaller 1.85
ScanSnap
ScanSnap Manager
ScanSnap Organizer
Secunia PSI
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sentinel System Driver
Skins
Skype™ 4.1
Soldier of Fortune II - Double Helix GOLD
Soldier of Fortune Payback
Sony DVD Architect 4.0
Sony Media Manager 2.2
Sony Vegas 7.0
Sound Blaster X-Fi
Spybot - Search & Destroy
Startup Delayer v2.5 (build 138)
Steam
SuperCollider
SupportSoft Assisted Service
Symantec KB-DocID:2003093015493306
Synology Assistant
Team Fortress 2
Tom Clancy's Splinter Cell Double Agent
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
TrueCrypt
U.S. Robotics ControlCenter
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974631)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC80
Virtual Cable Tester
Visual IP Trace
VLC media player 0.9.8a
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows PowerShell(TM) 1.0 MUI pack
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
wxPython 2.7.2.0 (ansi) for Python 2.5
wxPython Docs and Demos 2.7.2.0
XML Paper Specification Shared Components Pack 1.0
XviD 1.1 final uninstall
ZoneAlarm Pro

==== Event Viewer Messages From Past Week ========

3/5/2010 1:40:39 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
3/4/2010 9:35:38 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
3/3/2010 8:27:49 PM, error: Service Control Manager [7000] - The hardlock service failed to start due to the following error: Access is denied.
3/3/2010 7:58:40 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
3/1/2010 8:41:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
3/1/2010 8:41:03 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/1/2010 7:06:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect.
3/1/2010 7:06:48 PM, error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/1/2010 7:05:14 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect.
3/1/2010 7:05:14 PM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/28/2010 11:41:52 AM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
2/28/2010 11:40:38 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2010 11:12:08 AM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
2/28/2010 11:11:50 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/28/2010 11:11:42 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2010 11:10:51 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
2/28/2010 11:10:33 AM, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified.
2/28/2010 11:06:48 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
2/28/2010 11:06:48 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
2/27/2010 1:43:42 PM, error: Service Control Manager [7034] - The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).
2/27/2010 1:36:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
2/27/2010 1:36:02 PM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

Blade81 · Mar 7, 2010

Hi,

You can ignore those Cygwin related findings. How is the system running now? Any symptoms left?

KPax23 · Mar 7, 2010

good news (i think)

Well, it seems like I don't have any obvious symptoms anymore at this point.
My ZAPro logs are clean and I don't see any suspicious activity such as browser hijacking.

Could this be it?
YAY! Thank you so much for all your help. You guys rock!!
:bow:

After reading through "So how did I get infected in the first place" in this malware removal forum I'm considering switching from ZAPro to one of the 2 highest rated software firewalls listed on Matousec.com. Unfortunately I haven't seen any links to similar independent testing pages for Antivirus packages. There's a general unspecific recommendation for Avast and Antivir but I'd be interested in seeing some sort of trustworthy independent test results for the anti virus packages similar to Matousec's firewall tests. Do you happen to know of such a resource? Or do you have any personal recommendations what I should replace NAV2010 with?

Another question: this whole process was really fascinating. What resources are there to learn how to use all these tools and how to interpret the results? While I'm obviously not a Windows system administrator or security expert I do have a professional background in tool development, programming, scripting and support and I've always built and installed my PCs myself. So I have a basic limited understanding of things and I'd love to expand that and learn more about it all.

Thanks again for all your help. I had gotten quite close to a point where I was going to just wipe the system clean with Eraser and start over.
:thanks:

Blade81 · Mar 8, 2010

Hi,

There's a general unspecific recommendation for Avast and Antivir but I'd be interested in seeing some sort of trustworthy independent test results for the anti virus packages similar to Matousec's firewall tests. Do you happen to know of such a resource? Or do you have any personal recommendations what I should replace NAV2010 with?

AV-Comparatives does some comparing

Another question: this whole process was really fascinating. What resources are there to learn how to use all these tools and how to interpret the results? While I'm obviously not a Windows system administrator or security expert I do have a professional background in tool development, programming, scripting and support and I've always built and installed my PCs myself. So I have a basic limited understanding of things and I'd love to expand that and learn more about it all.

Here's a list (in alphabetical order) of sites that have malware removal school:
Bleeping Computer
Geeks to Go
Malware Removal
SpywareHammer
Spywareinfoforum
Tech Support Forum
What the Tech

Please find some final steps below

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
Run Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

KPax23 · Mar 9, 2010

Sorry for the delay...

Hi!

Sorry I'm taking so long to get around to your last set of instructions. It's been a busy week so far. I'll probably be able to get to it tonight.

Thanks!

KPax23 · Mar 10, 2010

Thank you!!!!

OK, finally had time to finish this up...
I followed all the cleanup instructions and installed the hosts file.
I actually have Secunia installed anyway so that's something I do regularly already. Have applied the various security settings you recommended.

So far everything looks good. No signs of infection anywhere.

Thank you so much for helping me resolve this. Can't tell you how much I appreciate this. The only alternative would've been to wipe and reinstall.

I'll start digging through those links. Hopefully I'll learn how to do this myself.

Thanks again for the help and for all the info!

:laugh:

KPax23

Persistent malware infection, off-the-self security software fails to find/clean

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member