Hi Bleep Computer Staff,
I have some spyware that I can't seem to get rid of.
I Run Spybot 1.5.2 with resident TeaTimer, PC was running very slow when I ran a Full System Scan and Virtumonde.dll was initially pickup which I removed and re started, only to find that as Windows XP restared I had Dos Windows Starting Up automatically and some scripts appeared to be executing.

Tea Timer would also start eventually, so slow and warned of Program 34401059 & BM377323c5 attempting to start up.
I rejected these and set to Deny and to remember these settings as I don't recognise these apps.
I can see both these App's in EasyCleaner 2.0 which I use to manage by Start Up list and monitor if anything new creeps in.
I could see both of the above Programs in Start Up List.
Program 34401059 is attemting to execute c:\Windows\system32\pkaybbbs.dll
Program BM377323c5 is attempting to execute c:\Windows\system32\aelitpob.dll

I ran Spybot again and during its scan, Symantec Antivirus Virus Detected Window Pane Pops Up and advised that I had a Virus called Trojan.Vundo, located in C:\Documents & Settings\Admin\Loc Sett\Temp Int Files\c_uz[1]
Whatever I tried I could not delete this file as it kept advising that it was in use.
Spybot also completed and again found Virtumonde.dll.

Even if I remove the suspect entries from Start Up they come back every time.

I then did some research on the Trojan and ran Symantec FixVundo & VundoFix by Artibune but neither picked up the Trojan.

At some point It appears the Trojan was deleted but I stll have all these TeaTimer messages filling up the Desktop about Registry Change Denied ( User Decision) and PC still slow.

I then discovered BleepingComputer and followed the steps and downloaded CombiFix and Windows XP Pro Recovery Console file and ran the app which completed succesfully and gave me an output which I will paste in when requested.

Please assist if possible I don't really want to reformat this PC is contains all my Photos as well as other apps.

Regards Alex

Hello Alex,

Welcome to Bleeping Computer

Have a read here, then we'll get you fixed up.
http://www.bleepingcomputer.com/forums/topic34773.html

Thanks,
tea

Hello Tea,

Thanks for the welcome, great to get a responce so fast.
I'm new to Forums as I;m ussually very carefull and resolve these issue for friends not myself, but I have to ask for assistance on this one as its driving me crazy
Nice to know there are Forums out there that are happy to assist.

I'm logged on at work ATM and will get home later tonigt and run the
Kaspersky Online Scanner as well as install Deckard's System Scanner and post both results back.
Would you prefer a new post or reply to this one.

BTW, I left the PC on last night, removed LAN Cable and let it run a Full Symantec Virus Scan, Full System Ad-Aware 2007 Scan and a Spybot 1.5.2 Scan, Virus and Ad-Aware came back clean, but Spybot found Virtumonde.dll again, so I attempted to remove it again.

Regards Alex

Just hit the Add Reply button whenever you're ready to post.

Hi Tea61,
Here are my results from both kaspersky & DSS

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 13, 2008 9:11:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/05/2008
Kaspersky Anti-Virus database records: 768228
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 17324
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:15:44

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped
C:\WINDOWS\TEMP\ZLT01c3e.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\IBM-OSJNTUO7I9X.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 13, 2008 9:14:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/05/2008
Kaspersky Anti-Virus database records: 768228
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1870
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:01:06

Infected Object Name / Virus Name / Last Action
[0] [System Process] => C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped
[1212] WINLOGON.EXE => C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped
[1928] EXPLORER.EXE => C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped
[13348] IEXPLORE.EXE => C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 13, 2008 11:15:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/05/2008
Kaspersky Anti-Virus database records: 768228
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70961
Number of viruses found: 3
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:49:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnmlMdC.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rcq skipped
C:\WINDOWS\TEMP\ZLT01c3e.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\IBM-OSJNTUO7I9X.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\h4vxn1nq.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Wise Installation Wizard\WIS7CF065E2781644409019034A2285F9DF_1_33.MSI/Cabs.w1.cab/txpupd.exe Infected: Backdoor.Win32.VB.dfe skipped
C:\Program Files\Common Files\Wise Installation Wizard\WIS7CF065E2781644409019034A2285F9DF_1_33.MSI/Cabs.w1.cab Infected: Backdoor.Win32.VB.dfe skipped
C:\Program Files\Common Files\Wise Installation Wizard\WIS7CF065E2781644409019034A2285F9DF_1_33.MSI Embedded: infected - 2 skipped
C:\Program Files\Zone Labs\Integrity Client\zlxeap.log Object is locked skipped
C:\Program Files\Aventail\Connect\aslog.lgf Object is locked skipped
C:\Program Files\Tweak-XP\txp-upd.exe Infected: Backdoor.Win32.VB.dfe skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP298\A0061767.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP298\A0061768.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP298\A0061769.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP298\A0061770.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP298\A0061771.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C10C5713-2C9E-42DB-B59F-290BC8E011E7}\RP301\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hmbtuwbp.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nliusccc.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qfrlynwj.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rfbwrwwu.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwcfxsei.dll.vir Infected: Trojan.Win32.Monder.gen skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 - M CPU 2.40GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 510.98 MiB / 199.97 MiB
Pagefile Memory (total/avail): 1631.89 MiB / 1099.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.75 MiB

C: is Fixed (FAT32) - 37.24 GiB total, 10.22 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541040G9AT00 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: Integrity Flex Firewall v6.0.202.000 (Zone Labs, Inc.)
AV: Symantec AntiVirus Corporate Edition v9.0.3.1000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"="C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe:*:Enabled:CyberLink PowerCinema NE for Everio"
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"="C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe:*:Enabled:CyberLink PowerCinema NE for Everio Resident Program"
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE:*:Enabled:Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE:*:Enabled:ActiveSync Application"
"C:\\Program Files\\AT&T Network Client\\NetClient.exe"="C:\\Program Files\\AT&T Network Client\\NetClient.exe:*:Enabled:Network access client"
"C:\\Downloads\\utorrent.exe"="C:\\Downloads\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IBM-OSJNTUO7I9X
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\IBM-OSJNTUO7I9X
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Support Tools;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem;C:\;C:\IBMWORK;C:\IBMWORK\TOOLS
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SOUNDPATH=C:\WINDOWS\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdebugflags=0x260
tvlogsessioncount=5000
USERDOMAIN=IBM-OSJNTUO7I9X
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}
AT&T Network Client --> C:\Program Files\AT&T Network Client\NetUN.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Aventail Connect 5.30 --> MsiExec.exe /X{E4944F56-5C8A-41F9-A747-A9EDFD6BC6D4}
Canon Camera Access Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Desktop Currency Converter --> C:\Program Files\Desktop Currency Converter\maintenance.exe
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{89645C14-8FCE-42C3-81DC-480FB004186E}\setup.exe" -l0x9
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\SETUP.EXE" -l0x9 uninst
EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
EPSON PhotoStarter3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C48817E7-AA05-4151-A99D-1E1E550CE801}\SETUP.EXE" -l0x9 uninst
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE" -l0x9 -SYSTEM
EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESPR310 Reference Guide --> C:\Program Files\EPSON\ESPR310\REF_G\DOCUNINS.EXE
ESPR310 Software Guide --> C:\Program Files\EPSON\ESPR310\PQU_G\DOCUNINS.EXE
ewido anti-spyware 4.0 --> C:\Program Files\ewido anti-spyware 4.0\Uninstall.exe
Excel XP Introduction & Intermediate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Training A Multimedia Training\EXCELXPCB1.isu"
ffdshow [rev 1058+] [2007-03-22] --> "C:\Program Files\ffdshow\unins000.exe"
High Rate Wireless LAN Mini-PCI Adapter with Modem II for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D75BEE78-1859-4616-9376-05550126EA60}\SETUP.EXE" -l0x9 -J
IBM Mail Template Notes6V1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D98604A-7A25-11D7-8B4A-0004ACEE5F8E}\Setup.exe" -l0x9
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Integrity Client --> C:\Program Files\Zone Labs\Integrity Client\zauninst.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
JiWire Hotspot Finder for Skype™ --> C:\Program Files\JiWire\BOT Mapping\uninstall.exe
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kodak DVC325 Digital Video Camera Software Installation --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\UnDVC.isu
Lexmark Printer Software Uninstall --> C:\Program Files\Lexmark\Install\Uninstall.exe
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MAGICISO\UNWISE.EXE C:\PROGRA~1\MAGICISO\INSTALL.LOG
Matroska (remove only) --> "C:\Program Files\Matroska\uninstall.exe"
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Tool Web Package:WntIpcfg.exe --> MsiExec.exe /X{EA82FF50-E258-4DFE-839B-8F26A01A34A7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities V1.28 --> MsiExec.exe /I{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PIF DESIGNER2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBAB8CE2-6AE2-497C-A745-67A61134E72C}\SETUP.EXE" -l0x9 anything
PowerCinema NE for Everio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39CEE1F2-12B6-4C50-9131-04BFCA110578}\setup.exe" -uninstall
PowerDirector Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
SkypeMate --> "C:\Program Files\SkypeMate\uninstall.exe"
Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sun Times v6.0 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Sun Times v6.1\ST6UNST.LOG"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" -l0x9 UNINSTALL
Tweak-XP --> MsiExec.exe /I{7CF065E2-7816-4440-9019-034A2285F9DF}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Support Tools --> MsiExec.exe /I{8398B542-3CC4-44D9-83DF-696CCE70124B}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6244 / Warning
Event Submitted/Written: 05/13/2008 02:20:32 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YH561403.CAB due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type6243 / Warning
Event Submitted/Written: 05/13/2008 02:19:31 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 8 files inside C:\Downloads\suntimesvb\suntimesvb.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type6242 / Warning
Event Submitted/Written: 05/13/2008 02:19:23 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Downloads\suntimesvb\SunTim8.CAB due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type6241 / Warning
Event Submitted/Written: 05/13/2008 02:19:21 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Downloads\suntimesvb\SunTim7.CAB due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type6240 / Warning
Event Submitted/Written: 05/13/2008 02:19:20 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Downloads\suntimesvb\SunTim6.CAB due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type31400 / Error
Event Submitted/Written: 05/13/2008 11:33:18 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The Aventail Connect service has reported an invalid current state 0.

Event Record #/Type31379 / Error
Event Submitted/Written: 05/13/2008 00:21:45 AM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type31378 / Error
Event Submitted/Written: 05/12/2008 11:41:10 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.7 for the Network Card with network address 000D60FAF52C has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type31374 / Error
Event Submitted/Written: 05/12/2008 11:40:44 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type31373 / Error
Event Submitted/Written: 05/12/2008 11:30:57 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{09BFF8BE-61EF-4666-90C5-9DF6C20D8217}.
The backup browser is stopping.



-- End of Deckard's System Scanner: finished at 2008-05-13 23:35:20 ------------



This evening my PC was set to AutoStart Spybot 1.5.2 and again its found 4 Enties which were deleted this time before Windows XP Started.

Thanks Alex

Hi Tea,
Ran DSS a Second time and received a different output, pasted below.


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-13 23:44:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:17 PM, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NETCFGSV.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30818337-2C11-44A7-976C-A4D2D4A5F189} - C:\WINDOWS\system32\vtUklkHB.dll (file missing)
O2 - BHO: (no name) - {4F1AF017-22DC-4DDD-8711-F62BEE6567CB} - C:\WINDOWS\system32\iiffGXom.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FD01559-B0C3-4C55-B534-4224E219C770} - C:\WINDOWS\system32\nnnmjgEX.dll (file missing)
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\nnnmlMdC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9505DD96-F621-460F-A2F6-F4CB9419BA07} - C:\WINDOWS\system32\tuvWmKbc.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EF726AC8-9FEE-40F2-ADBF-E2CCB5FBC3C4} - C:\WINDOWS\system32\qoMcyYoN.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\aelitpob.dll",s
O4 - HKLM\..\Run: [34401059] rundll32.exe "C:\WINDOWS\system32\pkaybbbs.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA620] command /c del "C:\WINDOWS\system32\qoMcyYoN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7812] cmd /c del "C:\WINDOWS\system32\qoMcyYoN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9969] command /c del "C:\WINDOWS\system32\iiffGXom.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9356] cmd /c del "C:\WINDOWS\system32\iiffGXom.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145756151137
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nnnmlMdC - C:\WINDOWS\SYSTEM32\nnnmlMdC.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - Unknown owner - c:\sdwork\issimsvc.exe (file missing)
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NETCFGSV.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10381 bytes

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 20:03:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 20:03:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 20:03:31 0 d-------- C:\WINDOWS\LastGood
2008-05-13 18:45:17 1840 --ahs---- C:\WINDOWS\system32\NoYycMoq.ini2
2008-05-12 23:21:36 457 --ahs---- C:\WINDOWS\system32\moXGffii.ini2
2008-05-12 23:02:29 0 d-------- C:\cmdcons
2008-05-12 22:53:45 68096 --a------ C:\WINDOWS\zip.exe
2008-05-12 22:53:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-12 22:53:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 22:53:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-12 22:53:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 22:53:45 98816 --a------ C:\WINDOWS\sed.exe
2008-05-12 22:53:45 80412 --a------ C:\WINDOWS\grep.exe
2008-05-12 22:53:45 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 20:53:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 19:06:40 2048 --a------ C:\WINDOWS\system32\elmncmxs.exe
2008-05-12 19:03:58 115712 --a------ C:\WINDOWS\system32\yeieewqq.dll
2008-05-12 18:59:24 0 d-------- C:\VundoFix Backups
2008-05-12 18:58:54 125952 --a------ C:\WINDOWS\system32\aelitpob.dll
2008-05-11 22:23:22 2048 --a------ C:\WINDOWS\system32\magqkjpl.exe
2008-05-11 22:20:22 116736 --a------ C:\WINDOWS\system32\etebupjt.dll
2008-05-11 22:15:52 126976 --a------ C:\WINDOWS\system32\cdrfbspf.dll
2008-05-11 22:01:32 2048 --a------ C:\WINDOWS\system32\iatguhmo.exe
2008-05-11 21:55:32 116736 --a------ C:\WINDOWS\system32\ndgcepex.dll
2008-05-11 21:52:32 126976 --a------ C:\WINDOWS\system32\axlsulqe.dll
2008-05-11 20:29:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-11 20:10:40 126976 --a------ C:\WINDOWS\system32\mliorlik.dll
2008-05-11 12:54:10 2048 --a------ C:\WINDOWS\system32\kjudwqki.exe
2008-05-11 12:49:03 125440 --a------ C:\WINDOWS\system32\fprtojfa.dll
2008-05-10 13:55:14 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-05-10 13:50:34 57344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-08 23:35:06 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_24.bmp
2008-04-08 23:33:32 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_23.bmp
2008-04-08 23:32:34 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_22.bmp
2008-04-08 23:21:32 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_21.bmp
2008-04-08 23:20:52 300345 --a------ C:\WINDOWS\system32\ZBScreenSaver_5.scr <Not Verified; ; ZbScreenSaver Application>
2008-04-08 23:20:22 300345 --a------ C:\WINDOWS\system32\ZBScreenSaver_4.scr <Not Verified; ; ZbScreenSaver Application>
2008-04-07 21:40:20 2558 --a------ C:\WINDOWS\unins000.dat
2008-04-07 21:37:52 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-24 23:22:54 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_20.bmp
2008-02-14 14:19:28 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_19.bmp
2008-02-14 14:17:42 2359350 --a------ C:\Documents and Settings\Administrator\Application Data\ZBWallpaper_18.bmp


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30818337-2C11-44A7-976C-A4D2D4A5F189}]
C:\WINDOWS\system32\vtUklkHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F1AF017-22DC-4DDD-8711-F62BEE6567CB}]
C:\WINDOWS\system32\iiffGXom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FD01559-B0C3-4C55-B534-4224E219C770}]
C:\WINDOWS\system32\nnnmjgEX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
10/05/2008 01:50 PM 57344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9505DD96-F621-460F-A2F6-F4CB9419BA07}]
C:\WINDOWS\system32\tuvWmKbc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF726AC8-9FEE-40F2-ADBF-E2CCB5FBC3C4}]
C:\WINDOWS\system32\qoMcyYoN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/12/2004 06:02 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [30/12/2004 02:19 PM]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [16/11/2006 09:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [24/06/2003 02:34 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [24/06/2003 02:33 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [01/04/2004 10:52 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [20/04/2005 01:38 AM]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [22/11/2006 09:10 PM]
"BM377323c5"="C:\WINDOWS\system32\aelitpob.dll" [12/05/2008 06:58 PM]
"34401059"="C:\WINDOWS\system32\pkaybbbs.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TransparentIcons"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [23/04/2003 10:43 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA620"=command /c del "C:\WINDOWS\system32\qoMcyYoN.dll_old"
"SpybotDeletingC7812"=cmd /c del "C:\WINDOWS\system32\qoMcyYoN.dll_old"
"SpybotDeletingA9969"=command /c del "C:\WINDOWS\system32\iiffGXom.dll_old"
"SpybotDeletingC9356"=cmd /c del "C:\WINDOWS\system32\iiffGXom.dll_old"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\nnnmlMdC.dll [10/05/2008 01:50 PM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmlMdC]
nnnmlMdC.dll 10/05/2008 01:50 PM 57344 C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcyYoN

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-13 23:47:31 ------------



Cheers Alex

Hello there,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Hi Tea,
I already ran CombiFix, it was one of the first things I ran, before I logged onto Bleeping and created account, I just refrained from Uploading the Output until it was requested. I'm sure I had mentioned this in the original post.

Would you prefer I run again with TeaTimer Disabled or just upload what I already have?

Regards Alex

Hello,

If you have the original report I'd like to see it please.

Hello Tea,

Combofix Output bellow.

ComboFix 08-05-11.1 - Administrator 2008-05-12 23:02:54.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.152 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BHklkUtv.ini
C:\WINDOWS\system32\BHklkUtv.ini2
C:\WINDOWS\system32\cbKmWvut.ini
C:\WINDOWS\system32\cbKmWvut.ini2
C:\WINDOWS\system32\hmbtuwbp.dll
C:\WINDOWS\system32\KkSYyyay.ini
C:\WINDOWS\system32\KkSYyyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moXGffii.ini
C:\WINDOWS\system32\moXGffii.ini2
C:\WINDOWS\system32\nliusccc.dll
C:\WINDOWS\system32\qfrlynwj.dll
C:\WINDOWS\system32\qqweeiey.ini
C:\WINDOWS\system32\rfbwrwwu.dll
C:\WINDOWS\system32\rwcfxsei.dll
C:\WINDOWS\system32\sbbbyakp.ini
C:\WINDOWS\system32\tjpubete.ini
C:\WINDOWS\system32\XEgjmnnn.ini
C:\WINDOWS\system32\XEgjmnnn.ini2
C:\WINDOWS\system32\xepecgdn.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 19:06 . 2008-05-12 19:06 2,048 --a------ C:\WINDOWS\system32\elmncmxs.exe
2008-05-12 19:03 . 2008-05-12 19:04 115,712 --a------ C:\WINDOWS\system32\yeieewqq.dll
2008-05-12 18:59 . 2008-05-12 18:59 <DIR> d-------- C:\VundoFix Backups
2008-05-12 18:58 . 2008-05-12 18:58 125,952 --a------ C:\WINDOWS\system32\aelitpob.dll
2008-05-12 18:57 . 2008-05-12 18:57 371,712 --a------ C:\WINDOWS\system32\iiffGXom.dll
2008-05-11 22:23 . 2008-05-11 22:23 2,048 --a------ C:\WINDOWS\system32\magqkjpl.exe
2008-05-11 22:20 . 2008-05-11 22:20 116,736 --a------ C:\WINDOWS\system32\etebupjt.dll
2008-05-11 22:15 . 2008-05-11 22:15 126,976 --a------ C:\WINDOWS\system32\cdrfbspf.dll
2008-05-11 22:01 . 2008-05-11 22:01 2,048 --a------ C:\WINDOWS\system32\iatguhmo.exe
2008-05-11 21:55 . 2008-05-11 21:55 116,736 --a------ C:\WINDOWS\system32\ndgcepex.dll
2008-05-11 21:52 . 2008-05-11 21:52 126,976 --a------ C:\WINDOWS\system32\axlsulqe.dll
2008-05-11 20:29 . 2008-05-11 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-11 20:10 . 2008-05-11 20:10 126,976 --a------ C:\WINDOWS\system32\mliorlik.dll
2008-05-11 14:54 . 2008-05-12 08:04 327 --a------ C:\WINDOWS\wininit.ini
2008-05-11 12:54 . 2008-05-11 12:54 2,048 --a------ C:\WINDOWS\system32\kjudwqki.exe
2008-05-11 12:49 . 2008-05-11 12:49 125,440 --a------ C:\WINDOWS\system32\fprtojfa.dll
2008-05-11 12:49 . 2008-05-12 23:14 109,816 --a------ C:\WINDOWS\BM377323c5.xml
2008-05-10 13:55 . 2008-05-10 13:55 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-05-10 13:50 . 2008-05-10 13:50 57,344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_5.scr
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_4.scr
2008-04-07 11:37 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 08:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-22 14:41 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-04-22 14:41 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18968DC3-E2E0-4F85-9119-997FF347062D}]
2008-05-12 18:57 371712 --a------ C:\WINDOWS\system32\iiffGXom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30818337-2C11-44A7-976C-A4D2D4A5F189}]
C:\WINDOWS\system32\vtUklkHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A9014A2-B307-4CD6-B909-FD7FDB510E49}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52FCB408-18EC-42AA-831C-E4209A20EA6C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FD01559-B0C3-4C55-B534-4224E219C770}]
C:\WINDOWS\system32\nnnmjgEX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
2008-05-10 13:50 57344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9505DD96-F621-460F-A2F6-F4CB9419BA07}]
C:\WINDOWS\system32\tuvWmKbc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2E72F60-6A80-45AA-894F-AF65877EFEC1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockAds"="" []
"Tweak-XP"="" []
"TransparentIcons"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-23 10:43 413775]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19 120640]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2006-11-16 21:00 344064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33 561152]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 01:38 20480]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 08:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"34401059"="C:\WINDOWS\system32\pkaybbbs.dll" [ ]
"BM377323c5"="C:\WINDOWS\system32\aelitpob.dll" [2008-05-12 18:58 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\nnnmlMdC.dll [2008-05-10 13:50 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmlMdC]
nnnmlMdC.dll 2008-05-10 13:50 57344 C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll
"VIDC.VQC1"= vqdecode.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"C:\\Downloads\\utorrent.exe"=
"C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 17:47]
R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;C:\WINDOWS\system32\DRIVERS\dvc325.sys [2000-04-17 23:53]
S3 gwiopm;gwiopm;C:\Program Files\wst\gwiopm.sys []
S3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 15:33]
S4 ISAMSvc;IBM Standard Asset Manager Service;C:\Program Files\C4ebreg\c4ebreg.exe [2006-12-15 07:17]

.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 11:54:50 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 23:15:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnnmlMdC.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\aelitpob.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\IBMPMSVC.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\AVENTAIL\CONNECT\AS32SVC.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\AT&T NETWORK CLIENT\NETCFGSV.EXE
C:\PROGRAM FILES\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-12 23:19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 13:19:28

Pre-Run: 11,421,712,384 bytes free
Post-Run: 11,304,501,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

210 --- E O F --- 2008-05-03 12:17:59

Regards Alex

Hi Tea,

My previous post had the orginal CombiFix before I joined the Bleeping Computer Forum and before I ran Hijackthis.

What I have posted in this update is a New Output of ComboFix and Hijackthis after I have disabled S&D Tea Timer.

What I also noticed is once DSS Retrieved the new Hijackthis report I also received another Symantec Avtivirus Notification and pasted its output below.
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Vundo
File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJ2DWZB\c_uz[1]
Location: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJ2DWZB
Computer: IBM-OSJNTUO7I9X
User: Administrator
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Friday, May 16, 2008 9:12:47 AM.

I never got the Extra.txt from Hijackthis just the Main.txt.

Anyway both new files below.
ComboFix 08-05-11.1 - Administrator 2008-05-16 8:45:38.2 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dwdyikhd.ini
C:\WINDOWS\system32\kSCcdfii.ini
C:\WINDOWS\system32\kSCcdfii.ini2
C:\WINDOWS\system32\moXGffii.ini
C:\WINDOWS\system32\moXGffii.ini2
C:\WINDOWS\system32\NoYycMoq.ini
C:\WINDOWS\system32\NoYycMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-16 08:33 . 2008-05-16 08:51 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-16 08:33 . 2008-05-16 08:51 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-16 08:30 . 2008-05-16 08:30 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-05-16 00:44 . 2008-05-16 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-16 00:43 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-16 00:43 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-15 23:43 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-05-14 00:24 . 2008-05-14 00:24 2,112 --a------ C:\WINDOWS\system32\qvycgbfl.exe
2008-05-13 23:20 . 2008-05-13 23:20 <DIR> d-------- C:\Deckard
2008-05-13 20:03 . 2008-05-13 20:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 20:03 . 2008-05-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 19:06 . 2008-05-12 19:06 2,048 --a------ C:\WINDOWS\system32\elmncmxs.exe
2008-05-12 19:03 . 2008-05-12 19:04 115,712 --a------ C:\WINDOWS\system32\yeieewqq.dll
2008-05-12 18:59 . 2008-05-12 18:59 <DIR> d-------- C:\VundoFix Backups
2008-05-12 18:58 . 2008-05-12 18:58 125,952 --a------ C:\WINDOWS\system32\aelitpob.dll
2008-05-11 22:23 . 2008-05-11 22:23 2,048 --a------ C:\WINDOWS\system32\magqkjpl.exe
2008-05-11 22:20 . 2008-05-11 22:20 116,736 --a------ C:\WINDOWS\system32\etebupjt.dll
2008-05-11 22:15 . 2008-05-11 22:15 126,976 --a------ C:\WINDOWS\system32\cdrfbspf.dll
2008-05-11 22:01 . 2008-05-11 22:01 2,048 --a------ C:\WINDOWS\system32\iatguhmo.exe
2008-05-11 21:55 . 2008-05-11 21:55 116,736 --a------ C:\WINDOWS\system32\ndgcepex.dll
2008-05-11 21:52 . 2008-05-11 21:52 126,976 --a------ C:\WINDOWS\system32\axlsulqe.dll
2008-05-11 20:29 . 2008-05-11 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-11 20:10 . 2008-05-11 20:10 126,976 --a------ C:\WINDOWS\system32\mliorlik.dll
2008-05-11 14:54 . 2008-05-15 22:51 675 --a------ C:\WINDOWS\wininit.ini
2008-05-11 12:54 . 2008-05-11 12:54 2,048 --a------ C:\WINDOWS\system32\kjudwqki.exe
2008-05-11 12:49 . 2008-05-11 12:49 125,440 --a------ C:\WINDOWS\system32\fprtojfa.dll
2008-05-11 12:49 . 2008-05-14 22:20 109,834 --a------ C:\WINDOWS\BM377323c5.xml
2008-05-10 13:55 . 2008-05-10 13:55 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-05-10 13:50 . 2008-05-10 13:50 57,344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_5.scr
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_4.scr
2008-04-07 11:37 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 08:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-22 14:41 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-04-22 14:41 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_23.18.12.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 13:12:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 22:52:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-12 10:54:28 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-15 14:23:16 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
- 2008-05-12 10:54:28 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-15 14:23:22 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
- 2008-05-12 10:54:28 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-15 14:23:20 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
- 2008-05-12 10:54:28 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-05-15 14:23:22 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2007-07-11 04:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-07-11 03:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
- 2007-08-07 03:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 02:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-07-19 05:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2007-08-07 03:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-08-07 02:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-14 02:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-12-14 01:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2006-02-15 08:49:54 75,520 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-14 06:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
- 2006-02-15 08:49:58 281,408 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-14 06:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
- 2006-02-15 08:50:06 128,768 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-14 06:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
- 2006-02-15 08:50:16 108,288 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-14 06:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
- 2006-02-15 08:50:20 198,400 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 06:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 06:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
- 2006-02-15 08:50:36 354,048 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 06:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 06:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
- 2006-02-15 08:50:44 100,088 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2007-11-14 06:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2006-02-15 08:51:04 75,520 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-14 06:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
- 2006-02-15 08:51:08 71,424 ----a-w C:\WINDOWS\system32\ZLCommDB.dll
+ 2007-11-14 06:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
- 2006-09-12 23:48:42 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-05-15 22:30:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-14 06:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-30 14:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 04:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-30 14:03:30 1,628 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-30 14:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-30 14:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-30 14:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-30 14:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 05:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 05:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-30 14:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 05:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-30 14:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-19 13:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-09-11 11:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 08:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-30 14:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-30 14:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-30 14:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 14:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-09-11 11:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 08:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 06:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 02:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-14 06:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 06:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 06:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-14 06:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 06:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 06:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 06:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 06:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 06:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 06:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-18 10:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-18 10:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 06:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 01:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-18 10:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-18 10:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
- 2006-02-15 08:49:26 452,352 ------r C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 06:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 06:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 06:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-04 10:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 06:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-14 06:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 07:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
- 2006-02-15 08:49:50 83,712 ------r C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 06:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
- 2006-02-15 08:50:02 79,608 ------r C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 06:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
- 2006-02-15 08:50:12 1,275,640 ------r C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 06:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 06:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
- 2006-02-15 08:50:28 1,054,464 ------r C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 06:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 06:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 01:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
- 2006-02-15 08:51:20 177,920 ------r C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 06:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 06:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 06:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 06:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30818337-2C11-44A7-976C-A4D2D4A5F189}]
C:\WINDOWS\system32\vtUklkHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F1AF017-22DC-4DDD-8711-F62BEE6567CB}]
C:\WINDOWS\system32\iiffGXom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FD01559-B0C3-4C55-B534-4224E219C770}]
C:\WINDOWS\system32\nnnmjgEX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
2008-05-10 13:50 57344 --a------ C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9505DD96-F621-460F-A2F6-F4CB9419BA07}]
C:\WINDOWS\system32\tuvWmKbc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB2AE7AF-B9B7-43BF-BEFB-74E78234B5C3}]
C:\WINDOWS\system32\iifdcCSk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF726AC8-9FEE-40F2-ADBF-E2CCB5FBC3C4}]
C:\WINDOWS\system32\qoMcyYoN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-05-16 08:30 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-23 10:43 413775]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19 120640]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2006-11-16 21:00 344064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33 561152]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 01:38 20480]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"34401059"="C:\WINDOWS\system32\pkaybbbs.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\nnnmlMdC.dll [2008-05-10 13:50 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmlMdC]
nnnmlMdC.dll 2008-05-10 13:50 57344 C:\WINDOWS\system32\nnnmlMdC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll
"VIDC.VQC1"= vqdecode.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"C:\\Downloads\\utorrent.exe"=
"C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 17:47]
R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;C:\WINDOWS\system32\DRIVERS\dvc325.sys [2000-04-17 23:53]
S3 gwiopm;gwiopm;C:\Program Files\wst\gwiopm.sys []
S3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 15:33]
S4 ISAMSvc;IBM Standard Asset Manager Service;C:\Program Files\C4ebreg\c4ebreg.exe [2006-12-15 07:17]

.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 11:54:50 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 08:55:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnnmlMdC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\IBMPMSVC.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\AVENTAIL\CONNECT\AS32SVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\AT&T NETWORK CLIENT\NETCFGSV.EXE
C:\PROGRAM FILES\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
.
**************************************************************************
.
Completion time: 2008-05-16 8:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 22:57:52
ComboFix2.txt 2008-05-12 13:19:54

Pre-Run: 11,311,513,600 bytes free
Post-Run: 11,458,019,328 bytes free

299 --- E O F --- 2008-05-03 12:17:59

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-16 09:09:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:27 AM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NETCFGSV.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\explorer.exe
C:\Downloads\Security\dss.exe
C:\PROGRA~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30818337-2C11-44A7-976C-A4D2D4A5F189} - C:\WINDOWS\system32\vtUklkHB.dll (file missing)
O2 - BHO: (no name) - {4F1AF017-22DC-4DDD-8711-F62BEE6567CB} - C:\WINDOWS\system32\iiffGXom.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FD01559-B0C3-4C55-B534-4224E219C770} - C:\WINDOWS\system32\nnnmjgEX.dll (file missing)
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\nnnmlMdC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9505DD96-F621-460F-A2F6-F4CB9419BA07} - C:\WINDOWS\system32\tuvWmKbc.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EB2AE7AF-B9B7-43BF-BEFB-74E78234B5C3} - C:\WINDOWS\system32\iifdcCSk.dll (file missing)
O2 - BHO: (no name) - {EF726AC8-9FEE-40F2-ADBF-E2CCB5FBC3C4} - C:\WINDOWS\system32\qoMcyYoN.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.e