Another computer needs cleaning - vundo, etc.(RESOLVED)

  #1 jeffy (Junior Member)

    Here's the log.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:14:19 PM, on 4/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijack\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KANSAS Dept. of Transportation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ksdot.org:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.ksdot.org;172.21.*;*fhwapap05*;*.softwarespectrum.com;*.boiseoffice.com;*appsnet.bentley.com;*fhwapap11*;*.kansasdot.loc;*.exor.co.uk;http://64.132.35.16:8080;*.kanroad.org;*.equipmentwatch.com;allencc.blackboard.com;<local>
    O2 - BHO: (no name) - {45F34679-29BA-4553-BEFC-4E548CB14419} - C:\WINDOWS\system32\wvULFuuv.dll (file missing)
    O2 - BHO: (no name) - {460D95F9-F748-419C-9864-9E85AA6498F5} - C:\WINDOWS\system32\awtqrpmk.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\mlJYoLFu.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ec00b2d2] rundll32.exe "C:\WINDOWS\system32\mqyuchpj.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ND] subst N: Q:\geology
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - .DEFAULT User Startup: OLE.cmd (User 'Default user')
    O4 - Startup: AprvReg.exe
    O4 - Startup: N.cmd
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://kdotrwm.ksdot.org/intempo/Fo...se/FormCtl.cab
    O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - https://kdotrwm.ksdot.org/intempo/fo...ase/ffmail.cab
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
    O16 - DPF: {19AB65CA-3E4E-11D2-A97F-080009B3CC88} (FormFlow Component Download Object) - https://kdotrwm.ksdot.org/codebase/jfcomp~1.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - https://kdotrwm.ksdot.org/intempo/fo...plsspeller.cab
    O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - https://kdotrwm.ksdot.org/intempo/Ca...velopeCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188497907421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188496778906
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - https://kdotrwm.ksdot.org/intempo/fo...riptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - https://kdotrwm.ksdot.org/intempo/fo...tinstaller.cab
    O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - https://kdotrwm.ksdot.org/intempo/fo...se/listbox.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://\\dt00mb01\Appsup\SupportTools\RCRSFix\Acgm.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\Software\..\Telephony: DomainName = ksdot.org
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ksdot.org
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: mlJYoLFu - C:\WINDOWS\SYSTEM32\mlJYoLFu.dll
    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NightWatchman50 - 1E Ltd. - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: ProjectWise IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

    --
    End of file - 10617 bytes


  #2 Neal (Dedicated Member)
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.




    Please download Deckard's System Scanner (DSS) to your desktop.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - Main.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
    • An additional text file, Extra.txt, will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
    • Please go to that FOLDER and also copy the contents of Extra.txt to your post as well.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    What DSS will do:
    • Create a new System Restore point in Windows XP and Vista.
    • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.
    Post Logs:
    • DSS Scan Results: contents of:
      • 1) Main.txt
      • 2) Extra.txt


    New HijackThis log please; if it takes two posts to get everything here, that is OK.

  #3 jeffy (Junior Member)
    Here's the vundofix log. Other logs to follow.


    VundoFix V7.0.0

    Scan started at 8:22:35 PM 4/7/2008

    Listing files found while scanning....

    No infected files were found.


    VundoFix V7.0.0

    Scan started at 927 PM 4/7/2008

    Listing files found while scanning....


    VundoFix V7.0.0

    Scan started at 9:36:01 PM 4/7/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\ildkgkmj.ini
    C:\WINDOWS\system32\jmkgkdli.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ildkgkmj.ini
    C:\WINDOWS\system32\ildkgkmj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jmkgkdli.dll
    C:\WINDOWS\system32\jmkgkdli.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jmkgkdli.dll
    C:\WINDOWS\system32\jmkgkdli.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

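The HijackThis log in post #1 and the VundoFix output in post #3 show the indicators an analyst looks for in a Vundo/Virtumonde case: unnamed BHOs pointing at randomly named DLLs in system32, a Winlogon Notify subkey and an SSODL entry named exactly after the DLL they load, a hex-named Run value launching rundll32 on a system32 DLL, an orphaned "(file missing)" BHO, and a DLL sitting next to an .ini whose base name is the DLL's name spelled backwards (jmkgkdli.dll / ildkgkmj.ini). The script below is an added example, not part of this thread, of HijackThis, VundoFix or DSS; it scores HijackThis lines copied from the posts above and checks a file listing for reversed-name companions. The regexes, the reason strings and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# HijackThis lines copied from the log in post #1, assembled here as the
# sample input for this example (a constructed subset, not a full log).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {45F34679-29BA-4553-BEFC-4E548CB14419} - C:\WINDOWS\system32\wvULFuuv.dll (file missing)
O2 - BHO: (no name) - {460D95F9-F748-419C-9864-9E85AA6498F5} - C:\WINDOWS\system32\awtqrpmk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\mlJYoLFu.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ec00b2d2] rundll32.exe "C:\WINDOWS\system32\mqyuchpj.dll",b
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJYoLFu - C:\WINDOWS\SYSTEM32\mlJYoLFu.dll
O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

# File listing: the two files VundoFix found in post #3 plus two controls.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ildkgkmj.ini",
    r"C:\WINDOWS\system32\jmkgkdli.dll",
    r"C:\WINDOWS\system32\awtqrpmk.dll",
    r"C:\WINDOWS\system32\browseui.dll",
]

WINDIR = r"c:\windows"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))", re.IGNORECASE)


def split_path(path):
    """Return (lower-cased directory, stem, lower-cased extension)."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return directory.lower(), stem, ext.lower()


def in_windir(directory):
    return directory in (WINDIR, WINDIR + r"\system32")


def subkey_name(body):
    """'Winlogon Notify: mlJYoLFu - C:\\...' -> 'mlJYoLFu'."""
    return body.split(":", 1)[1].split(" - ", 1)[0].strip()


def analyze_entry(section, body):
    """Return (path, reasons) for one HijackThis entry; reasons empty = no signal."""
    m = PATH_RE.search(body)
    if not m:
        return None, []
    path = m.group(1)
    directory, stem, ext = split_path(path)
    reasons = []
    if section == "O2":
        # Vundo registers BHOs with no name, pointing into the Windows directory.
        if body.startswith("BHO: (no name)") and in_windir(directory):
            reasons.append("unnamed BHO loaded from the Windows directory")
        if "(file missing)" in body:
            reasons.append("orphaned BHO registration (DLL already gone)")
    elif section == "O4":
        # Run value named like a hex blob that hands a system32 DLL to rundll32.
        name = re.search(r"\[([^\]]+)\]", body)
        if (name and re.fullmatch(r"[0-9a-f]{8}", name.group(1))
                and "rundll32" in body.lower() and ext == "dll" and in_windir(directory)):
            reasons.append("hex-named Run value using rundll32 on a DLL in system32")
    elif section == "O20":
        # Notify subkey named exactly like its DLL, and the DLL lives in system32.
        if subkey_name(body) == stem and in_windir(directory):
            reasons.append("Winlogon Notify DLL in system32 named after its subkey")
    elif section == "O21":
        # ShellServiceObjectDelayLoad DLL dropped directly into C:\WINDOWS.
        if subkey_name(body) == stem and directory == WINDIR:
            reasons.append("SSODL DLL dropped directly in C:\\WINDOWS and named after its subkey")
    return path, reasons


def triage(log_text):
    """Score each entry, then add a cross-reference signal when one DLL stem is
    hooked from more than one section (mlJYoLFu above: O2 and O20). Keys are
    lower-cased paths."""
    findings = {}
    stems = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path, reasons = analyze_entry(section, body)
        if path is None:
            continue
        stems[split_path(path)[1].lower()].add(section)
        if reasons:
            findings.setdefault(path.lower(), []).extend(reasons)
    for path in findings:
        sections = stems[split_path(path)[1].lower()]
        if len(sections) > 1:
            findings[path].append("same DLL hooked from " + ", ".join(sorted(sections)))
    return findings


def reversed_companions(paths):
    """Pair each .dll with an .ini/.ini2 in the same directory whose base name
    is the DLL's base name reversed, the pattern VundoFix listed in post #3."""
    by_dir = defaultdict(dict)
    for p in paths:
        directory, stem, ext = split_path(p)
        by_dir[directory][stem.lower()] = (ext, p)
    pairs = []
    for files in by_dir.values():
        for stem, (ext, p) in files.items():
            partner = files.get(stem[::-1]) if ext == "dll" else None
            if partner and partner[0].startswith("ini"):
                pairs.append((p, partner[1]))
    return sorted(pairs)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_HJT).items()):
        print(path)
        for r in reasons:
            print("   -", r)
    for dll, ini in reversed_companions(SAMPLE_FILES):
        print("reversed-name pair:", dll, "<->", ini)
```

Only structural signals are scored; the DLL stems themselves are deliberately not rated for randomness, because legitimate names such as igfxtray and browseui look just as random as awtqrpmk, which is why those two entries come out clean while every Vundo hook is flagged. A full HijackThis log can be passed to triage() as one string, and the "Files created" section of a DSS report, once reduced to its paths, is a natural input for reversed_companions().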
  #4 jeffy (Junior Member)
    Main.txt:


    Deckard's System Scanner v20071014.68
    Run by geist on 2008-04-07 22:41:34
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    37: 2008-04-08 03:41:45 UTC - RP768 - Deckard's System Scanner Restore Point
    36: 2008-04-07 06:27:05 UTC - RP767 - Installed SUPERAntiSpyware Free Edition
    35: 2008-04-07 06:19:39 UTC - RP766 - Last known good configuration
    34: 2008-04-07 06:19:19 UTC - RP765 - System Checkpoint
    33: 2008-04-07 06:19:18 UTC - RP764 - Installed TIPCI


    -- First Restore Point --
    1: 2008-04-07 06:19:01 UTC - RP732 - Printer Driver ProjectWise InterPlot Organizer Printe Installed


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-07 22:44:47
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\1E\NightWatchman50\NwmCli.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LOGI_MWX.EXE
    C:\Program Files\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Microsoft ActiveSync\rapimgr.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Geist\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KANSAS Dept. of Transportation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ksdot.org:8080
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: (no name) - {32F7E29D-38B4-495E-AA58-365C2096F59F} - C:\WINDOWS\system32\hgGyxYOe.dll
    O2 - BHO: (no name) - {45F34679-29BA-4553-BEFC-4E548CB14419} - C:\WINDOWS\system32\wvULFuuv.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\mlJYoLFu.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ND] subst N: Q:\geology
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Startup: AprvReg.exe
    O4 - Startup: N.cmd
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: https://shop.boisoffice.com (HKLM)
    O15 - Trusted Zone: https://gem.compaq.com (HKLM)
    O15 - Trusted Zone: https://www.gem.compaq.com (HKLM)
    O15 - Trusted Zone: https://sharp.ks.gov (HKLM)
    O15 - Trusted Zone: https://www.lexis.com (HKLM)
    O15 - Trusted Zone: https://businessonline.motorola.com (HKLM)
    O15 - Trusted Zone: https://shop.softwarespectrum.com (HKLM)
    O15 - Trusted Zone: https://shop.softwarespectrum.com (HKLM)
    O15 - Trusted Zone: https://shop.boisoffice.com (HKCU)
    O15 - Trusted Zone: https://gem.compaq.com (HKCU)
    O15 - Trusted Zone: https://www.gem.compaq.com (HKCU)
    O15 - Trusted Zone: https://sharp.ks.gov (HKCU)
    O15 - Trusted Zone: https://www.lexis.com (HKCU)
    O15 - Trusted Zone: https://businessonline.motorola.com (HKCU)
    O15 - Trusted Zone: https://shop.softwarespectrum.com (HKCU)
    O15 - Trusted Zone: https://shop.softwarespectrum.com (HKCU)
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://kdotrwm.ksdot.org/intempo/Fo...se/FormCtl.cab
    O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - https://kdotrwm.ksdot.org/intempo/fo...ase/ffmail.cab
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
    O16 - DPF: {19AB65CA-3E4E-11D2-A97F-080009B3CC88} (FormFlow Component Download Object) - https://kdotrwm.ksdot.org/codebase/jfcomp~1.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - https://kdotrwm.ksdot.org/intempo/fo...plsspeller.cab
    O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - https://kdotrwm.ksdot.org/intempo/Ca...velopeCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188497907421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188496778906
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - https://kdotrwm.ksdot.org/intempo/fo...riptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - https://kdotrwm.ksdot.org/intempo/fo...tinstaller.cab
    O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - https://kdotrwm.ksdot.org/intempo/fo...se/listbox.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://\\dt00mb01\Appsup\SupportTools\RCRSFix\Acgm.cab
    O17 - HKLM\Software\..\Telephony: DomainName = ksdot.org
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ksdot.org
    O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: mlJYoLFu - C:\WINDOWS\system32\mlJYoLFu.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
    O23 - Service: NightWatchman50 - 1E Ltd. - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft
    O23 - Service: ProjectWise IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe


    --
    End of file - 13167 bytes

    -- File Associations -----------------------------------------------------------

    .scr - MicroStation Resource - shell\open\command - unable to read value


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
    R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; SafeNet, Inc.; Sentinel System Driver>
    R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

    S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
    S2 Parclass - c:\windows\system32\drivers\parclass.sys <Not Verified; ; 64-Bit Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 prfldsvc (Private Folder Service) - c:\program files\microsoft private folder 1.0\prfldsvc.exe
    R2 ProjectWise IMF Printer Driver Service - c:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

    S3 VPREMOTE (VPRemote Install Bootstrap Service) - c:\temp\clt-inst\vpremote.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-04-07 15:53:55 206 --a------ C:\WINDOWS\Tasks\Geology Backup.job


    -- Files created between 2008-03-07 and 2008-04-07 -----------------------------

    2008-04-07 20:28:30 0 dr-h----- C:\Documents and Settings\Geist\Recent
    2008-04-07 20:25:38 1566 --ahs---- C:\WINDOWS\system32\eOYxyGgh.ini2
    2008-04-07 20:25:31 267776 --a------ C:\WINDOWS\system32\hgGyxYOe.dll
    2008-04-07 16:10:35 272573 --ahs---- C:\WINDOWS\system32\kmprqtwa.ini2
    2008-04-07 07:57:05 0 d-------- C:\Documents and Settings\Geist\Application Data\TmpRecentIcons
    2008-04-07 01:35:39 0 d-------- C:\VundoFix Backups
    2008-04-07 01:32:56 0 d-------- C:\Program Files\PC-Cleaner
    2008-04-07 01:27:33 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-07 01:27:08 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-07 01:27:08 0 d-------- C:\Documents and Settings\Geist\Application Data\SUPERAntiSpyware.com
    2008-04-07 01:13:00 4096 --a------ C:\WINDOWS\userconfig9x.dll
    2008-04-07 01:13:00 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
    2008-04-07 01:13:00 4096 --a------ C:\WINDOWS\FVProtect.exe
    2008-04-07 01:12:59 4096 --a------ C:\WINDOWS\system32mwin32.exe
    2008-04-07 01:12:59 4096 --a------ C:\WINDOWS\system32hoproxy.dll
    2008-04-07 01:12:59 4096 --a------ C:\WINDOWS\a.bat
    2008-04-07 01:12:58 4096 --a------ C:\WINDOWS\system32taack.exe
    2008-04-07 01:12:58 4096 --a------ C:\WINDOWS\system32taack.dat
    2008-04-07 01:12:58 4096 --a------ C:\WINDOWS\system32sncntr.exe
    2008-04-07 01:12:58 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
    2008-04-07 01:12:58 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
    2008-04-07 01:12:57 4096 --a------ C:\WINDOWS\system32psoft1.exe
    2008-04-07 01:12:57 4096 --a------ C:\WINDOWS\system32psof1.exe
    2008-04-07 01:12:57 4096 --a------ C:\WINDOWS\system32ps1.exe
    2008-04-07 01:12:57 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
    2008-04-07 01:12:57 4096 --a------ C:\WINDOWS\iTunesMusic.exe
    2008-04-07 01:12:56 4096 --a------ C:\WINDOWS\system32ssurf022.dll
    2008-04-07 01:12:56 0 d-------- C:\WINDOWS\system32smp
    2008-04-07 01:12:56 4096 --a------ C:\WINDOWS\system32msnbho.dll
    2008-04-07 01:12:56 4096 --a------ C:\WINDOWS\system32medup020.dll
    2008-04-07 01:12:56 4096 --a------ C:\WINDOWS\system32medup012.dll
    2008-04-07 01:12:55 4096 --a------ C:\WINDOWS\system32temp#01.exe
    2008-04-07 01:12:55 4096 --a------ C:\WINDOWS\system32netode.exe
    2008-04-07 01:12:55 4096 --a------ C:\WINDOWS\system32mtr2.exe
    2008-04-07 01:12:55 4096 --a------ C:\WINDOWS\system32msgp.exe
    2008-04-07 01:12:55 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
    2008-04-07 01:12:55 94208 --a------ C:\WINDOWS\apoxqwfv.exe
    2008-04-07 01:12:55 0 d-------- C:\Program Files\Inet Delivery
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32ssvchost.exe
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32ssvchost.com
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32regm64.dll
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32regc64.dll
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32msvchost.exe
    2008-04-07 01:12:54 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
    2008-04-07 01:12:54 229376 --a------ C:\WINDOWS\qdnkewfa.dll
    2008-04-07 01:12:54 335872 --a------ C:\WINDOWS\mgsvflkw.dll
    2008-04-07 01:12:54 4096 --a------ C:\Documents and Settings\Geist\Desktopfilemanagerclient.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\winsystem.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32winsystem.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32thun32.dll
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32thun.dll
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32Rundl1.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32newsd32.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32emesx.dll
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32anticipator.dll
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\system32akttzn.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\mssecu.exe
    2008-04-07 01:12:53 4096 --a------ C:\WINDOWS\bdn.com
    2008-04-07 01:12:53 4096 --a------ C:\Documents and Settings\Geist\DesktopFWebdEditor.exe
    2008-04-07 01:12:53 4096 --a------ C:\Documents and Settings\Geist\Desktopfwebd.exe
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32vbsys2.dll
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32sysreq.exe
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32mssecu.exe
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32bdn.com
    2008-04-07 01:12:52 4096 --a------ C:\WINDOWS\system32awtoolb.dll
    2008-04-07 01:12:52 0 d-------- C:\WINDOWS\mslagent
    2008-04-07 01:12:51 0 d-------- C:\Program Files\akl
    2008-04-07 01:12:34 0 d-------- C:\Documents and Settings\All Users\Application Data\wvidofmr
    2008-04-07 01:12:10 37376 --a------ C:\WINDOWS\system32\mlJYoLFu.dll
    2008-04-05 17:53:18 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-04-05 17:53:12 0 d-------- C:\Program Files\Texas Instruments Inc
    2008-04-05 17:52:43 0 d-------- C:\SWSetup
    2008-03-24 10:13:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-03-07 15:30:54 0 d-------- C:\Program Files\ApproveIt


    -- Find3M Report ---------------------------------------------------------------

    2008-04-07 22:27:06 0 d-------- C:\Program Files\Symantec AntiVirus
    2008-04-07 22:24:37 8405015 --a------ C:\WINDOWS\TempFile
    2008-04-07 16:12:15 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-04-07 01:26:37 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-05 17:54:04 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-01 19:55:10 0 d-------- C:\Program Files\DivX
    2008-03-25 2259 0 d-------- C:\Program Files\Xvid
    2008-03-20 09:04:44 0 d-------- C:\Program Files\Java
    2008-03-18 2251 4780 --a------ C:\WINDOWS\mozver.dat
    2008-03-13 00:46:10 0 d-------- C:\Program Files\Winamp
    2008-03-13 00:45:17 0 d-------- C:\Documents and Settings\geist\Application Data\Winamp
    2008-03-05 11:02:57 0 d-------- C:\Program Files\Citrix
    2008-03-03 13:51:05 0 d-------- C:\Documents and Settings\geist\Application Data\Bentley
    2008-03-03 1249 0 d-------- C:\Program Files\Common Files\Bentley Shared
    2008-03-03 12:55:52 0 d-------- C:\Program Files\Common Files\InterPlot
    2008-03-03 12:55:44 0 d-------- C:\Program Files\InterPlot Client
    2008-03-03 12:17:07 0 d-------- C:\Program Files\Bentley
    2008-02-28 09:37:38 0 d-------- C:\Documents and Settings\geist\Application Data\Lavasoft
    2008-02-20 21:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-02-20 21:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-02-20 21:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-02-20 21:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2008-02-20 21:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-02-20 21:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-02-20 21:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-02-20 21:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-02-01 10:48:49 202827 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32F7E29D-38B4-495E-AA58-365C2096F59F}]
    04/07/2008 08:25 PM 267776 --a------ C:\WINDOWS\system32\hgGyxYOe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F34679-29BA-4553-BEFC-4E548CB14419}]
    C:\WINDOWS\system32\wvULFuuv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}]
    04/07/2008 01:12 AM 37376 --a------ C:\WINDOWS\system32\mlJYoLFu.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [12/21/2004 07:16 AM]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [05/20/2005 02:46 PM C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05/29/2007 06:33 PM]
    "Logitech Utility"="Logi_MwX.Exe" [12/17/2003 10:50 AM C:\WINDOWS\LOGI_MWX.EXE]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/06/2007 03:25 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/15/2007 03:27 AM]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 03:29 AM]
    "AprvRemoveLegacyExcelKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [12/20/2007 02:30 AM]
    "AprvRemoveLegacyWordKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [12/20/2007 02:30 AM]
    "ApproveItForOfficeSetup"="C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [12/20/2007 01:40 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "ND"="subst N: Q:\geology" []
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Geist\Start Menu\Programs\Startup\
    AprvReg.exe [6/18/2001 12:20:06 PM]
    N.cmd [1/12/2007 12:39:05 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ApproveIt StartUp.lnk - C:\WINDOWS\Installer\{7E746FBC-58EF-4670-A528-7EE046D10322}\Icon9557F1BC1.ico [3/11/2008 4:25:41 AM]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2/16/2007 1025 AM]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [6/9/2004 2:16:08 PM]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [4/23/2007 3:27:27 PM]
    StickyNote.lnk - C:\Program Files\StickyNote\StickyNote.exe [4/18/2007 2:01:59 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=1 (0x1)
    "NoDispScrSavPage"=1 (0x1)
    "DisableTaskMgr"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ClearRecentDocsOnExit"=01000000
    "DisallowRun"=1 (0x1)
    "NoSMBalloonTip"=1 (0x1)
    "NoDesktopCleanupWizard"=1 (0x1)
    "ForceStartMenuLogOff"=1 (0x1)
    "Intellimenus"=1 (0x1)
    "NoSMMyPictures"=1 (0x1)
    "NoStartMenuMyMusic"=1 (0x1)
    "NoAutoTrayNotify"=1 (0x1)
    "NoWelcomeScreen"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
    "1"=agsatellite.exe
    "2"=AIM.exe
    "3"=bbsetuphom.exe
    "4"=comet.exe
    "5"=dssagent.exe
    "6"=gator.exe
    "7"=getright.exe
    "8"=gnutella.exe
    "9"=go.exe
    "10"=icq.exe
    "11"=iegator.exe
    "12"=javaw.exe
    "13"=minibuginstaller.exe
    "14"=napster.exe
    "15"=precisiontime.exe
    "16"=swebexec.exe
    "17"=tsadbot.exe
    "18"=weatherbug.exe
    "19"=websamp.exe
    "20"=webshotstray.exe
    "21"=whagent.exe
    "22"=winmx.exe
    "23"=WxBugSetup30.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{8E1BFC0E-8AD2-424D-AC8A-06038481516E}"= C:\WINDOWS\system32\mlJYoLFu.dll [04/07/2008 01:12 AM 37376]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qdnkewfa"= {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll [04/06/2008 02:18 PM 229376]
    "mgsvflkw"= {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll [04/06/2008 02:18 PM 335872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYoLFu]
    mlJYoLFu.dll 04/07/2008 01:12 AM 37376 C:\WINDOWS\system32\mlJYoLFu.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGyxYOe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=timereg.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-18875\Scripts\Logoff\0\0]
    "Script"=dbase.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\1\0]
    "Script"=dist2.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logoff\0\0]
    "Script"=logoff.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\1\0]
    "Script"=NightwatchmanSystemTra.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\2\0]
    "Script"=Computer services.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\3\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-4044\Scripts\Logon\0\0]
    "Script"=dist2.cmd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brgikfee]
    C:\WINDOWS\system32\slozmhed.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ec00b2d2]
    rundll32.exe "C:\WINDOWS\system32\jmkgkdli.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5b15df0-80b5-11dc-a602-0015002839cd}]
    AutoRun\command- E:\Autorun.exe /run
    Shell00\Command- E:\Autorun.exe /run
    Shell01\Command- E:\Autorun.exe /action
    Shell02\Command- E:\Autorun.exe /uninstall




    -- End of Deckard's System Scanner: finished at 2008-04-07 22:59:06 ------------



    extra.txt:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) M processor 2.00GHz
    Percentage of Memory in Use: 57%
    Physical Memory (total/avail): 1015.36 MiB / 430.98 MiB
    Pagefile Memory (total/avail): 2442.49 MiB / 1968.38 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1934.91 MiB

    C: is Fixed (NTFS) - 37.25 GiB total, 17.03 GiB free.
    D: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - HTS541040G9AT00 - 37.26 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



    -- Security Center -------------------------------------------------------------

    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: Symantec AntiVirus Corporate Edition v10.1.6.6010 (Symantec Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe:*:Enabled:HelpSvc.exe"
    "C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\ppRemoteService.exe"="C:\\WINDOWS\\system32\\ppRemoteService.exe:*:Enabled:ppRemoteService.exe"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
    "C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Enabled:Sentinel Protection Server"
    "C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe:*:Enabled:Sentinel Keys Server"
    "C:\\Program Files\\Common Files\\gINT Software\\bin\\gintsoftwareupdater.exe"="C:\\Program Files\\Common Files\\gINT Software\\bin\\gintsoftwareupdater.exe:*:Enabled:gintsoftwareupdater.exe"
    "C:\\Program Files\\gINT\\bin\\gint8.exe"="C:\\Program Files\\gINT\\bin\\gint8.exe:*:Enabled:gint8.exe"
    "C:\\Program Files\\1E\\SMSWakeUp50\\SMSWUagent.exe"="C:\\Program Files\\1E\\SMSWakeUp50\\SMSWUagent.exe:*:Enabled:SMSWakeUp Agent"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe:*:Enabled:HelpSvc.exe"
    "C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\ppRemoteService.exe"="C:\\WINDOWS\\system32\\ppRemoteService.exe:*:Enabled:ppRemoteService.exe"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
    "C:\\Documents and Settings\\Geist\\My Documents\\WS_FTP\\WS_FTP95.exe"="C:\\Documents and Settings\\Geist\\My Documents\\WS_FTP\\WS_FTP95.exe:*:Disabled:WS_FTP 95"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\geist\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DT09A009
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\geist
    LOGONSERVER=\\DT00DC00
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\PROGRA~1\FileNET\IDM;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Progra~1\E!TCP;C:\Program Files\E!TCP;;C:\Program Files\Common Files\Bentley Shared\Mx;C:\Program Files\QuickTime\QTSystem\;C:\win32app\ingr\ipshare\bin;C:\Program Files\ApproveIt\;C:\Program Files\ApproveIt\ThirdParty\Bin\;C:\PROGRA~1\E!TCP
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0d08
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\geist\LOCALS~1\Temp
    TMP=C:\DOCUME~1\geist\LOCALS~1\Temp
    USERDNSDOMAIN=KSDOT.ORG
    USERDOMAIN=DTNT
    USERNAME=geist
    USERPROFILE=C:\Documents and Settings\geist
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    HelpAssistant (new local)
    coxadm (new local, admin, net ready)
    geist (admin)
    dstoltz (new local, admin, net ready)
    DougS (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    -SHAFT_v5 --> c:\Program Files\Ensoft\Shaft5\Un-SHAFT_v5.exe" Un-SHAFT_v5.cfg
    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {2FF3E5A1-B544-405B-92DD-8FA8F468973A}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
    2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
    Addit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3161124-2B4D-478F-901A-D21BCAD72C7E}\Setup.exe" -l0x9
    Adobe Acrobat 7.0.1 and Reader 7.0.1 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000702}
    Adobe Acrobat 7.0.2 and Reader 7.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000703}
    Adobe Acrobat 7.0.3 and Reader 7.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000704}
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
    Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
    AGI EarthImager 2D - 2.1.8.507 --> "C:\Program Files\AGI\EarthImager2D\unins000.exe"
    AGI SuperSting Administrator - 1.3.4.207 --> "C:\Program Files\AGI\SSAdmin\unins000.exe"
    ApproveIt Desktop 5.9 --> MsiExec.exe /I{7E746FBC-58EF-4670-A528-7EE046D10322}
    Baseball Mogul 2005 --> MsiExec.exe /I{9E44650F-7273-4FF7-B7D9-39868C7CA113}
    Bentley GEOPAK Suite - 2004 Edition (V 08.08.02.73) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C09673F-475B-4E41-8684-D5DF05F1B10E}\setup.exe" -l0x9 Uninstall -removeonly
    Bentley GEOPAK Suite - 2004 Edition (V 08.08.02.73) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C50AD1B2-489D-4F96-84C0-12F376CE1D08}\setup.exe" -l0x9 Uninstall -removeonly
    Bentley GEOPAK Suite - XM Edition 08.09.04.37 --> MsiExec.exe /I{878836B2-A2BD-42BC-BE57-6C2ABB80EF48}
    Bentley License Client --> MsiExec.exe /I{BC58CB9E-99AA-4AB8-9ED6-8A51C7DFCB77}
    Bentley MicroStation (V 08.05.02.35) - 1 --> "C:\Program Files\InstallShield Installation Information\GUID.exe" -uninstall -guid"{8BD3BFEE-79BF-40A1-A69D-97A53F216412}_0"
    Bentley MicroStation V8 XM Edition 08.09.04.51 --> MsiExec.exe /I{AC8A37CB-39AD-46C2-9AB5-F6FBE037CC57}
    CacheStats --> MsiExec.exe /I{8FE73E6F-2D9B-428B-BCB2-1217F56A5E87}
    CADconform for MicroStation --> "C:\Program Files\Altiva Software\CADconform\unins000.exe"
    CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
    CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
    Civ3 Conquests v1.22 Full --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C2BF3B9-7E8A-49DE-B662-3656FE60BB01}\Setup.exe"
    Civilization III --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}\setup.exe"
    Civilization III: Conquests --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F31BC49F-AB7B-4A53-A399-EB7331B585BC}\setup.exe" -l0x9
    Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Convert --> MsiExec.exe /X{23970E31-948B-466E-8376-1224D32FDF0C}
    CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
    DeepFdns --> MsiExec.exe /I{35A0CC34-4DF1-4D64-9B0F-BC66138E54A0}
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
    ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
    ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
    ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
    ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
    ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
    ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
    ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
    ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
    ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
    ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
    ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
    ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
    ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
    ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
    ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
    ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
    ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
    EXTRA! Bundle for TCP/IP 32-bit --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\E!TCP\DeIsL1.isu" -C"C:\Program Files\E!TCP\uninst95.dll" -m"Attachmate_Uninstall"
    FileNet IDM Web Controls 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FileNet\IDM\UnControls.isu" -c"C:\Program Files\FileNet\IDM\idmr.dll"
    GeoTrig --> C:\PROGRA~1\RockWare\UNWISE.EXE C:\PROGRA~1\RockWare\GEOTRIG.LOG
    gINT Software License Component --> MsiExec.exe /I{071F3258-4617-45F2-ABDA-B5B3630A77B3}
    gINT Software Updater --> MsiExec.exe /I{5D4546A7-EDB2-46BA-9229-BB40EA5FAC3A}
    gINT Version 8 --> MsiExec.exe /X{B6B92E02-1BA6-446A-A320-405AEE236035}
    Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
    GRLWEAP 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16A218B9-22D6-40CF-B165-27C9B8C0A34C}\Setup.exe" -l0x9
    GSAK 6.6.5.19 --> "C:\Program Files\GSAK\unins000.exe"
    HASP4 Device Drivers --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\HDD32.LOG
    HijackThis 2.0.2 --> "C:\hijack\HijackThis.exe" /uninstall
    HLPCCTR --> MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
    HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
    HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
    HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
    InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
    Jakes Alarm Clock --> MsiExec.exe /I{831FE36D-A720-4E0D-A229-84DC8B304591}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Keyspan USB Serial Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E97DE76-851A-48AA-A0D6-665860FAD9CA}\setup.exe" -l0x9
    Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_226b51ef\Setup.exe /APR-REMOVE
    KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
    LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    Logitech MouseWare 9.79.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
    Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
    LPILE Plus v5.0 --> "C:\Program Files\Ensoft\Shaft5\un_sh5-32u_17522.exe"
    Media Center Alarm Clock --> MsiExec.exe /I{8689A5F3-BEEC-407D-A6EB-B79F636229A3}
    Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
    Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
    Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
    Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7279647E-8661-48DF-998E-E7DCC3E6955D}
    Microsoft Office Live Meeting Add-in Pack --> MsiExec.exe /I{5D814210-65D3-4D2B-A7A3-9EDDD0C8A8CE}
    Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint 2003 Template Pack 1 --> MsiExec.exe /I{90AB0409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office PowerPoint 2003 Template Pack 2 --> MsiExec.exe /I{90AC0409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office PowerPoint 2003 Template Pack 3 --> MsiExec.exe /I{90AD0409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
    Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft OpenType Font File Properties Extension --> MsiExec.exe /I{45EA11B5-874D-480E-89B9-2545505BBE3E}
    Microsoft Private Folder 1.0 --> MsiExec.exe /I{644EA08F-87D2-48C0-AE94-B327D1C85A97}
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
    Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    NightWatchman50 --> MsiExec.exe /I{E1B6E405-E901-412D-9999-8882282B36AD}
    Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
    OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
    One Stop VB System Files --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\One Stop VB System Files\ST6UNST.LOG"
    OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
    OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
    palmOne --> MsiExec.exe /X{FF8157AA-F640-45BD-B7C2-BAA1016B267A}
    PC-Cleaner --> C:\Program Files\PC-Cleaner\Uninstall.exe
    PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
    Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
    PLog Client --> MsiExec.exe /I{15022FEA-0886-49BA-B54F-DCD48A5AC8BF}
    PLog Server --> MsiExec.exe /I{28434A02-10A4-41D9-9F68-AE6A721E2A54}
    ProjectWise Explorer V8 XM Edition --> MsiExec.exe /I{482BA676-5C76-4B1C-98ED-11373B8C7CBD}
    ProjectWise InterPlot Organizer 08.09.04.73 --> C:\Program Files\InterPlot Client\bin\IPPROCFG.EXE -R
    QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Scorched3D 40 --> C:\Program Files\Scorched3D\uninst.exe
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
    Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
    Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
    Sentinel Protection Installer 7.3.2 --> MsiExec.exe /I{EDFE2142-CFB3-44AB-A961-DE85F6408A28}
    SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
    SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
    SMSWakeUp50 Agent --> MsiExec.exe /X{9FF7DAE0-1030-43C5-AE2E-D2815D206E85}
    StickyNote --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\StickyNote\Uninst.isu"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Surfer 8 --> MsiExec.exe /I{18A64EE3-F1FE-46F3-AAE1-8CDB35B6038B}
    Symantec AntiVirus --> MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    SyncToy --> MsiExec.exe /I{417E2AB7-FC4B-4357-8191-FB1C946D8F16}
    Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}\setup.exe -runfromtemp -l0x0409
    Trimble Data Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D40BAE-7B66-11D3-882B-00105A64914B}\Setup.exe" uninstall
    Trimble Geomatics Office v1.62 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C5161B3-ECCB-4099-9D9B-CFCF5B7010E6}\setup.exe" -l0009
    Trimble Link Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35554E51-3A67-43B8-B71F-7D77F2CC2950}\Setup.exe" -l0009 uninstall
    Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
    Update for Outlook 2007 Junk Email Filter (kb947945) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {E397056B-7AE5-4FF1-8B13-276BF8201847}
    VCAMCEN --> MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
    VERITAS Enterprise Vault User Extensions 6.0 --> MsiExec.exe /I{F4120546-F24C-47C1-A8C3-5FC9A02C56E9}
    VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
    WebEx --> C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
    Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
    Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
    Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
    Windows XP Creativity Fun Packs - Windows Movie Maker 2 --> MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
    XML Paper Specification Shared Components Pack 1.0 -->
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type16720 / Error
    Event Submitted/Written: 04/07/2008 10:25:31 PM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type16719 / Warning
    Event Submitted/Written: 04/07/2008 10:25:24 PM
    Event ID/Source: 4356 / EventSystem
    Event Description:
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}. CoGetObject returned HRESULT 80070005.

    Event Record #/Type16714 / Error
    Event Submitted/Written: 04/07/2008 10:24:35 PM
    Event ID/Source: 1000 / UserInit
    Event Description:
    Could not execute the following script dist2.cmd. The system cannot find the file specified.
    .

    Event Record #/Type16713 / Error
    Event Submitted/Written: 04/07/2008 10:24:35 PM
    Event ID/Source: 1000 / UserInit
    Event Description:
    Could not execute the following script KDOTSCR.CMD. The system cannot find the file specified.
    .

    Event Record #/Type16712 / Error
    Event Submitted/Written: 04/07/2008 10:24:32 PM
    Event ID/Source: 1054 / Userenv
    Event Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type42882 / Warning
    Event Submitted/Written: 04/07/2008 10:57:20 PM
    Event ID/Source: 11191 / DnsApi
    Event Description:
    The system failed to update and remove pointer (PTR) resource records (RRs)
    for network adapter
    with settings:


    Adapter Name : {507D9D58-E4CC-418E-B4FD-707816F8E5AE}

    Host Name : DT09A009

    Adapter-specific Domain Suffix : ksdot.org

    DNS server list :

    68.230.242.20, 68.230.242.29, 68.230.242.29

    Sent update to server : <?>

    IP Address : 172.1.1.1


    The system could not remove these PTR RRs because because of a system
    problem. For specific error code, see the record data displayed below.

    Event Record #/Type42881 / Warning
    Event Submitted/Written: 04/07/2008 10:57:20 PM
    Event ID/Source: 11197 / DnsApi
    Event Description:
    The system failed to update and remove host (A) resource records (RRs)
    for network adapter
    with settings:


    Adapter Name : {507D9D58-E4CC-418E-B4FD-707816F8E5AE}

    Host Name : DT09A009

    Primary Domain Suffix : ksdot.org

    DNS server list :

    68.230.242.20, 68.230.242.29, 68.230.242.29

    Sent update to server : <?>

    IP Address(es) :

    172.16.199.150


    The reason the update request failed was because of a system problem.
    For specific error code, see the record data displayed below.

    Event Record #/Type42879 / Warning
    Event Submitted/Written: 04/07/2008 10:57:09 PM
    Event ID/Source: 4 / b57w2k
    Event Description:
    Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

    Event Record #/Type42878 / Warning
    Event Submitted/Written: 04/07/2008 1041 PM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DTNT\DT09A009$. No authentication protocol was available.

    Event Record #/Type42877 / Warning
    Event Submitted/Written: 04/07/2008 1041 PM
    Event ID/Source: 8192 / LSASRV
    Event Description:
    The Security System detected an attempted downgrade attack for
    server DTNT\DT09A009$. The failure code from authentication protocol Kerberos
    was "There are currently no logon servers available to service the logon request.
    (0xc000005e)".



    -- End of Deckard's System Scanner: finished at 2008-04-07 22:59:06 ------------

  5. #5
    jeffy (Junior Member)
    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:10:22 PM, on 4/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KANSAS Dept. of Transportation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ksdot.org:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.ksdot.org;172.21.*;*fhwapap05*;*.softwarespectrum.com;*.boiseoffice.com;*appsnet.bentley.com;*fhwapap11*;*.kansasdot.loc;*.exor.co.uk;http://64.132.35.16:8080;*.kanroad.org;*.equipmentwatch.com;allencc.blackboard.com;<local>
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ND] subst N: Q:\geology
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - .DEFAULT User Startup: OLE.cmd (User 'Default user')
    O4 - Startup: AprvReg.exe
    O4 - Startup: N.cmd
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://kdotrwm.ksdot.org/intempo/Fo...se/FormCtl.cab
    O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - https://kdotrwm.ksdot.org/intempo/fo...ase/ffmail.cab
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
    O16 - DPF: {19AB65CA-3E4E-11D2-A97F-080009B3CC88} (FormFlow Component Download Object) - https://kdotrwm.ksdot.org/codebase/jfcomp~1.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - https://kdotrwm.ksdot.org/intempo/fo...plsspeller.cab
    O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - https://kdotrwm.ksdot.org/intempo/Ca...velopeCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188497907421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188496778906
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - https://kdotrwm.ksdot.org/intempo/fo...riptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - https://kdotrwm.ksdot.org/intempo/fo...tinstaller.cab
    O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - https://kdotrwm.ksdot.org/intempo/fo...se/listbox.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://\\dt00mb01\Appsup\SupportTools\RCRSFix\Acgm.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\Software\..\Telephony: DomainName = ksdot.org
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ksdot.org
    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NightWatchman50 - 1E Ltd. - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: ProjectWise IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

    --
    End of file - 11255 bytes

  6. #6
    Neal (Dedicated Member)
    That is one infected computer, let's break out the big guns.



    If you have previously downloaded ComboFix, please delete that version now.

    Now download ComboFix and save to your desktop:

    Note:

    It is IMPORTANT that it is saved directly to your desktop

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any realtime malware scanners now.


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
    Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


    ComboFix SHOULD NOT be used unless requested by a forum helper.


    New hijackthis log please.

  7. #7
    jeffy (Junior Member)
    As you can imagine, things were very slow to run. I was reluctant to have my computer connected to the internet any more than absolutely possible. I was finally able to download and run adaware, which I did prior to reading your latest message. It killed a bunch of nasty things. Yikes! It really is a mess! I got combofix and ran it. Here is the log:

    ComboFix 08-04-08.7 - geist 2008-04-08 21:20:35.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.677 [GMT -5:00]
    Running from: C:\Documents and Settings\geist\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\geist\Desktop\Error Cleaner.url
    C:\Documents and Settings\geist\Desktop\Privacy Protector.url
    C:\Documents and Settings\geist\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\Geist\Desktopblackbird.jpg
    C:\Documents and Settings\Geist\DesktopEditorFKWP1.5.exe
    C:\Documents and Settings\Geist\DesktopEditorFKWP2.0.exe
    C:\Documents and Settings\Geist\Desktopfilemanagerclient.exe
    C:\Documents and Settings\Geist\Desktopfkwp1.5.exe
    C:\Documents and Settings\Geist\Desktopfkwp2.0.exe
    C:\Documents and Settings\Geist\Desktopfwebd.exe
    C:\Documents and Settings\Geist\DesktopFWebdEditor.exe
    C:\Documents and Settings\Geist\DesktopTrojan.Win32.BlackBird.exe
    C:\Documents and Settings\geist\Favorites\Error Cleaner.url
    C:\Documents and Settings\geist\Favorites\Privacy Protector.url
    C:\Documents and Settings\geist\Favorites\Spyware&Malware Protection.url
    C:\Documents and Settings\Geist\g2mdlhlpx.exe
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\Inet Delivery
    C:\Program Files\Inet Delivery\inetdl.exe
    C:\WINDOWS\a.bat
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\bdn.com
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\mslagent
    C:\WINDOWS\mslagent\2_mslagent.dll
    C:\WINDOWS\mslagent\mslagent.exe
    C:\WINDOWS\mslagent\uninstall.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\system32\eOYxyGgh.ini
    C:\WINDOWS\system32\eOYxyGgh.ini2
    C:\WINDOWS\system32\hgGyxYOe.dll
    C:\WINDOWS\system32\kmprqtwa.ini
    C:\WINDOWS\system32\kmprqtwa.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mlJYoLFu.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\emesx.dll
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\medup012.dll
    C:\WINDOWS\system32\medup020.dll
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\system32\smp
    C:\WINDOWS\system32\smp\msrc.exe
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\VBIEWER.OCX
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\Web\def.htm
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\zip1.tmp
    C:\WINDOWS\zip2.tmp
    C:\WINDOWS\zip3.tmp
    C:\WINDOWS\zipped.tmp

    ----- BITS: Possible infected sites -----

    hxxp://DT00MH15
    hxxp://DT00MB41
    .
    ((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
    .

    2008-04-08 17:31 . 2008-04-08 17:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-08 17:31 . 2008-04-08 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-08 17:01 . 2008-04-08 17:01 133,936 --a------ C:\WINDOWS\~GLC0000.TMP
    2008-04-07 21:41 . 2008-04-07 21:41 <DIR> d-------- C:\Deckard
    2008-04-07 07:57 . 2008-04-08 06:56 <DIR> d-------- C:\Documents and Settings\Geist\Application Data\TmpRecentIcons
    2008-04-07 01:35 . 2008-04-07 22:17 <DIR> d-------- C:\VundoFix Backups
    2008-04-07 01:32 . 2008-04-07 01:33 <DIR> d-------- C:\Program Files\PC-Cleaner
    2008-04-07 01:27 . 2008-04-07 16:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-07 01:27 . 2008-04-07 01:27 <DIR> d-------- C:\Documents and Settings\Geist\Application Data\SUPERAntiSpyware.com
    2008-04-07 01:27 . 2008-04-07 01:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-07 01:12 . 2008-04-07 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wvidofmr
    2008-04-07 01:12 . 2008-04-06 14:18 335,872 --a------ C:\WINDOWS\mgsvflkw.dll
    2008-04-07 01:12 . 2008-04-06 14:18 229,376 --a------ C:\WINDOWS\qdnkewfa.dll
    2008-04-07 01:12 . 2008-04-06 14:18 94,208 --a------ C:\WINDOWS\apoxqwfv.exe
    2008-04-05 17:53 . 2008-04-05 17:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-04-05 17:53 . 2008-04-05 17:53 <DIR> d-------- C:\Program Files\Texas Instruments Inc
    2008-04-05 17:53 . 2006-07-06 13:44 168,448 --a------ C:\WINDOWS\system32\drivers\tifm21.sys
    2008-04-05 17:53 . 2006-04-06 15:49 88,192 --a------ C:\WINDOWS\system32\drivers\gtipci21.sys
    2008-04-05 17:53 . 2004-03-23 11:45 28,672 --a------ C:\WINDOWS\cttib1.dll
    2008-04-05 17:53 . 2005-01-14 17:28 17,120 --a------ C:\WINDOWS\system32\drivers\tiscfw.deb
    2008-04-05 17:52 . 2008-04-05 17:52 <DIR> d-------- C:\SWSetup
    2008-03-13 23:11 . 2008-03-24 21:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-13 23:11 . 2008-03-13 23:11 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-09 01:55 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-08 22:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-08 22:01 133,936 ----a-w C:\WINDOWS\~GLC0000.TMP
    2008-04-05 22:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-02 00:55 --------- d-----w C:\Program Files\DivX
    2008-03-26 03:21 --------- d-----w C:\Program Files\Xvid
    2008-03-20 14:04 --------- d-----w C:\Program Files\Java
    2008-03-18 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-03-13 05:46 --------- d-----w C:\Program Files\Winamp
    2008-03-13 05:45 --------- d-----w C:\Documents and Settings\geist\Application Data\Winamp
    2008-03-07 20:31 --------- d-----w C:\Program Files\ApproveIt
    2008-03-05 16:02 --------- d-----w C:\Program Files\Citrix
    2008-03-03 18:51 --------- d-----w C:\Documents and Settings\geist\Application Data\Bentley
    2008-03-03 17:56 --------- d-----w C:\Program Files\Common Files\Bentley Shared
    2008-03-03 17:55 --------- d-----w C:\Program Files\InterPlot Client
    2008-03-03 17:55 --------- d-----w C:\Program Files\Common Files\InterPlot
    2008-03-03 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bentley
    2008-03-03 17:20 --------- d-----w C:\Documents and Settings\coxadm\Application Data\Bentley
    2008-03-03 17:17 --------- d-----w C:\Program Files\Bentley
    2008-03-03 16:08 --------- d-----w C:\Documents and Settings\coxadm\Application Data\Logitech
    2008-03-03 16:08 --------- d-----w C:\Documents and Settings\coxadm\Application Data\HotSync
    2008-02-28 14:37 --------- d-----w C:\Documents and Settings\geist\Application Data\Lavasoft
    2007-11-13 20:03 40,352 ----a-w C:\WINDOWS\inf\Usbkey.sys
    2001-06-18 17:20 103,793 ----a-w C:\Documents and Settings\All Users\AprvReg.exe
    2008-02-01 15:48 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2008-02-01 15:48 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F34679-29BA-4553-BEFC-4E548CB14419}]
    C:\WINDOWS\system32\wvULFuuv.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "ND"="subst N: Q:\geology" [ ]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 07:16 155648]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 28160 C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 18:33 52840]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-06 15:25 125632]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 03:27 1015808]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 03:29 102400]
    "AprvRemoveLegacyExcelKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [2007-12-20 02:30 73728]
    "AprvRemoveLegacyWordKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [2007-12-20 02:30 73728]
    "ApproveItForOfficeSetup"="C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2007-12-20 01:40 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]

    C:\Documents and Settings\DT09A009\HelpAssistant\Start Menu\Programs\Startup\
    OLE.cmd [2004-09-02 1424 250]

    C:\Documents and Settings\Geist\Start Menu\Programs\Startup\
    AprvReg.exe [2001-06-18 12:20:06 103793]
    N.cmd [2007-01-12 12:39:05 21]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ApproveIt StartUp.lnk - C:\WINDOWS\Installer\{7E746FBC-58EF-4670-A528-7EE046D10322}\Icon9557F1BC1.ico [2008-03-11 04:25:41 9216]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-02-16 1025 28672]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-23 15:27:27 450560]
    StickyNote.lnk - C:\Program Files\StickyNote\StickyNote.exe [2007-04-18 14:01:59 318976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoSMMyPictures"= 1 (0x1)
    "NoStartMenuMyMusic"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= agsatellite.exe
    "2"= AIM.exe
    "3"= bbsetuphom.exe
    "4"= comet.exe
    "5"= dssagent.exe
    "6"= gator.exe
    "7"= getright.exe
    "8"= gnutella.exe
    "9"= go.exe
    "10"= icq.exe
    "11"= iegator.exe
    "12"= javaw.exe
    "13"= minibuginstaller.exe
    "14"= napster.exe
    "15"= precisiontime.exe
    "16"= swebexec.exe
    "17"= tsadbot.exe
    "18"= weatherbug.exe
    "19"= websamp.exe
    "20"= webshotstray.exe
    "21"= whagent.exe
    "22"= winmx.exe
    "23"= WxBugSetup30.exe

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qdnkewfa"= {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll [2008-04-06 14:18 229376]
    "mgsvflkw"= {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll [2008-04-06 14:18 335872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYoLFu]
    mlJYoLFu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=timereg.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-18875\Scripts\Logoff\0\0]
    "Script"=dbase.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\1\0]
    "Script"=dist2.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logoff\0\0]
    "Script"=logoff.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\1\0]
    "Script"=NightwatchmanSystemTra.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\2\0]
    "Script"=Computer services.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\3\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-4044\Scripts\Logon\0\0]
    "Script"=dist2.cmd

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brgikfee]
    C:\WINDOWS\system32\slozmhed.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ec00b2d2]
    C:\WINDOWS\system32\jmkgkdli.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    --a------ 2007-10-23 16:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-05-18 12:31 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-10-25 00:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2004-11-22 08:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-01-19 13:49 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=
    "C:\\WINDOWS\\system32\\ftp.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Documents and Settings\\Geist\\My Documents\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "80:TCP"= 80:TCP:80 tcp
    "80:UDP"= 80:UDP:80 udp
    "389:UDP"= 389:UDP:SMS LDAP Ping
    "389:TCP"= 389:TCP:SMS LDAP
    "636:TCP"= 636:TCP:SMS LDAP SSL Connection
    "3268:TCP"= 3268:TCP:SMS Global Catalog
    "2967:UDP"= 2967:UDP:Symantec AntiVirus UDP 2967
    "38293:UDP"= 38293:UDP:Symantec AntiVirus UDP 38293
    "139:TCP"= 139:TCP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
    "445:TCP"= 445:TCP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
    "137:UDP"= 137:UDP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
    "135:TCP"= 135:TCP:Remote Assistance - Port 135 TCP
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
    R2 NightWatchman50;NightWatchman50;"C:\Program Files\1E\NightWatchman50\NwmSvc.exe" [2007-11-13 14:05]
    R2 ProjectWise IMF Printer Driver Service;ProjectWise IMF Printer Driver Service;C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe [2008-01-03 17:41]
    R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
    R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2006-08-22 01:00]
    R2 SMSWUagent;SMSWUagent;"C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe" [2007-08-14 15:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 15:49]
    R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
    S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2007-11-13 15:03]
    S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 20:30]
    S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 20:21]
    S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5b15df0-80b5-11dc-a602-0015002839cd}]
    \Shell\AutoRun\command - E:\Autorun.exe /run
    \Shell\Shell00\Command - E:\Autorun.exe /run
    \Shell\Shell01\Command - E:\Autorun.exe /action
    \Shell\Shell02\Command - E:\Autorun.exe /uninstall

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-07 20:53:55 C:\WINDOWS\Tasks\Geology Backup.job"
    - C:\Geology Backup.cmd
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 21:36:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-04-08 21:41:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-09 02:41:17
    Pre-Run: 18,068,840,448 bytes free
    Post-Run: 17,957,171,200 bytes free
    .
    2008-03-14 19:55:09 --- E O F ---


    Here is the hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:49, on 2008-04-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
    C:\WINDOWS\Logi_MwX.Exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ksdot.org:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.ksdot.org;172.21.*;*fhwapap05*;*.softwarespectrum.com;*.boiseoffice.com;*appsnet.bentley.com;*fhwapap11*;*.kansasdot.loc;*.exor.co.uk;http://64.132.35.16:8080;*.kanroad.org;*.equipmentwatch.com;allencc.blackboard.com;<local>
    O2 - BHO: (no name) - {45F34679-29BA-4553-BEFC-4E548CB14419} - C:\WINDOWS\system32\wvULFuuv.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ND] subst N: Q:\geology
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - .DEFAULT User Startup: OLE.cmd (User 'Default user')
    O4 - Startup: AprvReg.exe
    O4 - Startup: N.cmd
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://kdotrwm.ksdot.org/intempo/Fo...se/FormCtl.cab
    O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - https://kdotrwm.ksdot.org/intempo/fo...ase/ffmail.cab
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
    O16 - DPF: {19AB65CA-3E4E-11D2-A97F-080009B3CC88} (FormFlow Component Download Object) - https://kdotrwm.ksdot.org/codebase/jfcomp~1.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - https://kdotrwm.ksdot.org/intempo/fo...plsspeller.cab
    O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - https://kdotrwm.ksdot.org/intempo/Ca...velopeCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188497907421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188496778906
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - https://kdotrwm.ksdot.org/intempo/fo...riptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - https://kdotrwm.ksdot.org/intempo/fo...tinstaller.cab
    O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - https://kdotrwm.ksdot.org/intempo/fo...se/listbox.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://\\dt00mb01\Appsup\SupportTools\RCRSFix\Acgm.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\Software\..\Telephony: DomainName = ksdot.org
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ksdot.org
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: mlJYoLFu - mlJYoLFu.dll (file missing)
    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NightWatchman50 - 1E Ltd. - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: ProjectWise IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

    --
    End of file - 11557 bytes

  8. #8
    Neal is offline Dedicated Member
    Yikes is right!!!


    Please uninstall PC Cleaner if it is in Add/Remove Programs, and reboot afterwards.


    Open Notepad (must be Notepad) and copy/paste the text in the quote box below into it: NOT THE WORD QUOTE


    File::
    C:\WINDOWS\mgsvflkw.dll
    C:\WINDOWS\qdnkewfa.dll
    C:\WINDOWS\apoxqwfv.exe
    C:\WINDOWS\system32\wvULFuuv.dll
    C:\WINDOWS\system32\slozmhed.exe
    C:\WINDOWS\system32\jmkgkdli.dll

    Folder::
    C:\VundoFix Backups
    C:\Program Files\PC-Cleaner
    C:\Documents and Settings\All Users\Application Data\wvidofmr

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F34679-29BA-4553-BEFC-4E548CB14419}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qdnkewfa"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "mgsvflkw"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJYoLFu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brgikfee]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ec00b2d2]

    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
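An added triage helper (not part of this thread, HijackThis or ComboFix) that parses the O2/O20/O21 lines of a HijackThis log, flags the orphaned or oddly placed entries that the CFScript above removes, and renders the matching File::/Registry:: sections for a human to review. The full registry paths behind the HijackThis shorthand and the "DLL in Windows root" heuristic are assumptions; the sample lines are constructed from the logs in this thread.

```python
"""Triage helper for HijackThis O2/O20/O21 entries (added example, not part of
this thread, HijackThis or ComboFix).  It flags the orphaned or oddly placed
autostart entries that the CFScript above removes and renders the matching
CFScript File::/Registry:: sections for a reviewer to check."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {45F34679-29BA-4553-BEFC-4E548CB14419} - C:\WINDOWS\system32\wvULFuuv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJYoLFu - mlJYoLFu.dll (file missing)
O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll
O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll
"""

# Full registry paths behind the HijackThis shorthand (assumed standard XP locations).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WINDIR = r"C:\WINDOWS"

CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]+\})"
TAIL = r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + " - " + TAIL),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - " + TAIL),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>\S+) - " + CLSID + " - " + TAIL),
}


@dataclass
class Entry:
    kind: str                      # "O2", "O20" or "O21"
    name: str
    clsid: str                     # empty for O20 entries
    path: str
    missing: bool                  # HijackThis printed "(file missing)"
    reason: Optional[str] = None   # set by triage() when the entry looks suspect


def parse_log(text: str) -> List[Entry]:
    """Pick the O2/O20/O21 lines out of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                entries.append(Entry(kind, m.group("name"),
                                     m.groupdict().get("clsid") or "",
                                     m.group("path"), bool(m.group("missing"))))
                break
    return entries


def suspicion(e: Entry) -> Optional[str]:
    """Heuristics, not verdicts: a reviewer still confirms every hit."""
    if e.missing:
        return "file missing"            # orphaned registry entry
    folder, _, _ = e.path.rpartition("\\")
    if e.kind in ("O20", "O21") and folder.upper() == WINDIR.upper():
        # Assumption: legitimate XP SSODL / Winlogon Notify handlers live under
        # system32 or a vendor folder, not directly in the Windows root.
        return "DLL in Windows root"
    if e.kind in ("O20", "O21") and not folder:
        return "bare filename"           # no directory given at all
    return None


def triage(entries: List[Entry]) -> List[Entry]:
    hits = []
    for e in entries:
        e.reason = suspicion(e)
        if e.reason:
            hits.append(e)
    return hits


def render_cfscript(hits: List[Entry]) -> str:
    """Emit File:: and Registry:: sections in the CFScript form used above:
    [-key] deletes a whole key, "value"=- deletes one value."""
    files = [e.path for e in hits if re.match(r"^[A-Za-z]:\\", e.path)]
    reg = []
    for e in hits:
        if e.kind == "O2":
            reg.append(f"[-{BHO_KEY}\\{e.clsid}]")
        elif e.kind == "O20":
            reg.append(f"[-{NOTIFY_KEY}\\{e.name}]")
        elif e.kind == "O21":
            reg.append(f"[{SSODL_KEY}]")
            reg.append(f'"{e.name}"=-')
    lines = []
    if files:
        lines += ["File::", *files, ""]
    lines += ["Registry::", *reg]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e.kind:<4}{e.name:<14}{e.reason:<22}{e.path}")
    print()
    print(render_cfscript(hits))
```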

  9. #9
    jeffy is offline Junior Member
    PC Cleaner wasn't in my add/remove programs. Did you mean CCleaner? I uninstalled it just in case that's what you meant. If CCleaner is what you meant, could you tell me if that has some spyware with it, or if there is simply a possible conflict?

    Here is my log for combofix:

    ComboFix 08-04-08.7 - geist 2008-04-08 16:44:36.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -5:00]
    Running from: C:\Documents and Settings\geist\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\geist\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\apoxqwfv.exe
    C:\WINDOWS\mgsvflkw.dll
    C:\WINDOWS\qdnkewfa.dll
    C:\WINDOWS\system32\jmkgkdli.dll
    C:\WINDOWS\system32\slozmhed.exe
    C:\WINDOWS\system32\wvULFuuv.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\wvidofmr
    C:\Program Files\PC-Cleaner
    C:\Program Files\PC-Cleaner\PC-Cleaner.db
    C:\Program Files\PC-Cleaner\pccleaner.pkg
    C:\Program Files\PC-Cleaner\program.info
    C:\VundoFix Backups
    C:\VundoFix Backups\ildkgkmj.ini.bad
    C:\VundoFix Backups\jmkgkdli.dll.bad
    C:\VundoFix Backups\jphcuyqm.ini.bad
    C:\VundoFix Backups\mqyuchpj.dll.bad
    C:\VundoFix Backups\vuuFLUvw.ini.bad
    C:\VundoFix Backups\vuuFLUvw.ini2.bad
    C:\VundoFix Backups\wvULFuuv.dll.bad
    C:\WINDOWS\apoxqwfv.exe
    C:\WINDOWS\mgsvflkw.dll
    C:\WINDOWS\qdnkewfa.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
    .

    2008-04-08 17:31 . 2008-04-08 17:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-08 17:31 . 2008-04-08 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-08 17:01 . 2008-04-08 17:01 133,936 --a------ C:\WINDOWS\~GLC0000.TMP
    2008-04-07 21:41 . 2008-04-07 21:41 <DIR> d-------- C:\Deckard
    2008-04-07 07:57 . 2008-04-08 06:56 <DIR> d-------- C:\Documents and Settings\Geist\Application Data\TmpRecentIcons
    2008-04-07 01:27 . 2008-04-07 16:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-07 01:27 . 2008-04-07 01:27 <DIR> d-------- C:\Documents and Settings\Geist\Application Data\SUPERAntiSpyware.com
    2008-04-07 01:27 . 2008-04-07 01:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-05 17:53 . 2008-04-05 17:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-04-05 17:53 . 2008-04-05 17:53 <DIR> d-------- C:\Program Files\Texas Instruments Inc
    2008-04-05 17:53 . 2006-07-06 13:44 168,448 --a------ C:\WINDOWS\system32\drivers\tifm21.sys
    2008-04-05 17:53 . 2006-04-06 15:49 88,192 --a------ C:\WINDOWS\system32\drivers\gtipci21.sys
    2008-04-05 17:53 . 2004-03-23 11:45 28,672 --a------ C:\WINDOWS\cttib1.dll
    2008-04-05 17:53 . 2005-01-14 17:28 17,120 --a------ C:\WINDOWS\system32\drivers\tiscfw.deb
    2008-04-05 17:52 . 2008-04-05 17:52 <DIR> d-------- C:\SWSetup
    2008-03-13 23:11 . 2008-03-24 21:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-13 23:11 . 2008-03-13 23:11 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-08 22:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-08 22:01 133,936 ----a-w C:\WINDOWS\~GLC0000.TMP
    2008-04-08 21:39 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-05 22:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-02 00:55 --------- d-----w C:\Program Files\DivX
    2008-03-26 03:21 --------- d-----w C:\Program Files\Xvid
    2008-03-20 14:04 --------- d-----w C:\Program Files\Java
    2008-03-18 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-03-13 05:46 --------- d-----w C:\Program Files\Winamp
    2008-03-13 05:45 --------- d-----w C:\Documents and Settings\geist\Application Data\Winamp
    2008-03-07 20:31 --------- d-----w C:\Program Files\ApproveIt
    2008-03-05 16:02 --------- d-----w C:\Program Files\Citrix
    2008-03-03 18:51 --------- d-----w C:\Documents and Settings\geist\Application Data\Bentley
    2008-03-03 17:56 --------- d-----w C:\Program Files\Common Files\Bentley Shared
    2008-03-03 17:55 --------- d-----w C:\Program Files\InterPlot Client
    2008-03-03 17:55 --------- d-----w C:\Program Files\Common Files\InterPlot
    2008-03-03 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bentley
    2008-03-03 17:20 --------- d-----w C:\Documents and Settings\coxadm\Application Data\Bentley
    2008-03-03 17:17 --------- d-----w C:\Program Files\Bentley
    2008-03-03 16:08 --------- d-----w C:\Documents and Settings\coxadm\Application Data\Logitech
    2008-03-03 16:08 --------- d-----w C:\Documents and Settings\coxadm\Application Data\HotSync
    2008-02-28 14:37 --------- d-----w C:\Documents and Settings\geist\Application Data\Lavasoft
    2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-02-01 15:48 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
    2007-11-13 20:03 40,352 ----a-w C:\WINDOWS\inf\Usbkey.sys
    2001-06-18 17:20 103,793 ----a-w C:\Documents and Settings\All Users\AprvReg.exe
    2008-02-01 15:48 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2008-02-01 15:48 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "ND"="subst N: Q:\geology" [ ]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 07:16 155648]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 28160 C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 18:33 52840]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-06 15:25 125632]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 03:27 1015808]
    "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 03:29 102400]
    "AprvRemoveLegacyExcelKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [2007-12-20 02:30 73728]
    "AprvRemoveLegacyWordKeys"="C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" [2007-12-20 02:30 73728]
    "ApproveItForOfficeSetup"="C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2007-12-20 01:40 155648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]

    C:\Documents and Settings\DT09A009\HelpAssistant\Start Menu\Programs\Startup\
    OLE.cmd [2004-09-02 1424 250]

    C:\Documents and Settings\Geist\Start Menu\Programs\Startup\
    AprvReg.exe [2001-06-18 12:20:06 103793]
    N.cmd [2007-01-12 12:39:05 21]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ApproveIt StartUp.lnk - C:\WINDOWS\Installer\{7E746FBC-58EF-4670-A528-7EE046D10322}\Icon9557F1BC1.ico [2008-03-11 04:25:41 9216]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-02-16 1025 28672]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-23 15:27:27 450560]
    StickyNote.lnk - C:\Program Files\StickyNote\StickyNote.exe [2007-04-18 14:01:59 318976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoSMMyPictures"= 1 (0x1)
    "NoStartMenuMyMusic"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= agsatellite.exe
    "2"= AIM.exe
    "3"= bbsetuphom.exe
    "4"= comet.exe
    "5"= dssagent.exe
    "6"= gator.exe
    "7"= getright.exe
    "8"= gnutella.exe
    "9"= go.exe
    "10"= icq.exe
    "11"= iegator.exe
    "12"= javaw.exe
    "13"= minibuginstaller.exe
    "14"= napster.exe
    "15"= precisiontime.exe
    "16"= swebexec.exe
    "17"= tsadbot.exe
    "18"= weatherbug.exe
    "19"= websamp.exe
    "20"= webshotstray.exe
    "21"= whagent.exe
    "22"= winmx.exe
    "23"= WxBugSetup30.exe

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qdnkewfa"= {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll [ ]
    "mgsvflkw"= {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=timereg.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-18875\Scripts\Logoff\0\0]
    "Script"=dbase.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-2737\Scripts\Logon\1\0]
    "Script"=dist2.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logoff\0\0]
    "Script"=logoff.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\0\0]
    "Script"=KDOTSCR.CMD

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\1\0]
    "Script"=NightwatchmanSystemTra.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\2\0]
    "Script"=Computer services.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-36066\Scripts\Logon\3\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2080522925-720176762-1023178626-4044\Scripts\Logon\0\0]
    "Script"=dist2.cmd

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    --a------ 2007-10-23 16:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-05-18 12:31 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-10-25 00:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2004-11-22 08:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-01-19 13:49 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=
    "C:\\WINDOWS\\system32\\ftp.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Documents and Settings\\Geist\\My Documents\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "80:TCP"= 80:TCP:80 tcp
    "80:UDP"= 80:UDP:80 udp
    "389:UDP"= 389:UDP:SMS LDAP Ping
    "389:TCP"= 389:TCP:SMS LDAP
    "636:TCP"= 636:TCP:SMS LDAP SSL Connection
    "3268:TCP"= 3268:TCP:SMS Global Catalog
    "2967:UDP"= 2967:UDP:Symantec AntiVirus UDP 2967
    "38293:UDP"= 38293:UDP:Symantec AntiVirus UDP 38293
    "139:TCP"= 139:TCP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
    "445:TCP"= 445:TCP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
    "137:UDP"= 137:UDP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:10.8.0.0/255.255.0.0,10.132.0.0/255.255.0.0,10.194.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.21.0.0/255.255.0.0,192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
    "135:TCP"= 135:TCP:Remote Assistance - Port 135 TCP
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
    R2 NightWatchman50;NightWatchman50;"C:\Program Files\1E\NightWatchman50\NwmSvc.exe" [2007-11-13 14:05]
    R2 ProjectWise IMF Printer Driver Service;ProjectWise IMF Printer Driver Service;C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe [2008-01-03 17:41]
    R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
    R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2006-08-22 01:00]
    R2 SMSWUagent;SMSWUagent;"C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe" [2007-08-14 15:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 15:49]
    R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
    S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2007-11-13 15:03]
    S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 20:30]
    S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 20:21]
    S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5b15df0-80b5-11dc-a602-0015002839cd}]
    \Shell\AutoRun\command - E:\Autorun.exe /run
    \Shell\Shell00\Command - E:\Autorun.exe /run
    \Shell\Shell01\Command - E:\Autorun.exe /action
    \Shell\Shell02\Command - E:\Autorun.exe /uninstall

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-07 20:53:55 C:\WINDOWS\Tasks\Geology Backup.job"
    - C:\Geology Backup.cmd
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-08 16:48:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-08 16:49:34
    ComboFix-quarantined-files.txt 2008-04-08 21:49:17
    ComboFix2.txt 2008-04-09 02:41:27
    Pre-Run: 17,868,550,144 bytes free
    Post-Run: 17,849,618,432 bytes free
    .
    2008-03-14 19:55:09 --- E O F ---


    Here's the Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:57, on 2008-04-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ksdot.org:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.ksdot.org;172.21.*;*fhwapap05*;*.softwarespectrum.com;*.boiseoffice.com;*appsnet.bentley.com;*fhwapap11*;*.kansasdot.loc;*.exor.co.uk;http://64.132.35.16:8080;*.kanroad.org;*.equipmentwatch.com;allencc.blackboard.com;<local>
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn
    O4 - HKLM\..\Run: [ApproveItForOfficeSetup] "C:\Program Files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files\ApproveIt\"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ND] subst N: Q:\geology
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - .DEFAULT User Startup: OLE.cmd (User 'Default user')
    O4 - Startup: AprvReg.exe
    O4 - Startup: N.cmd
    O4 - Global Startup: ApproveIt StartUp.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://kdotrwm.ksdot.org/intempo/Fo...se/FormCtl.cab
    O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - https://kdotrwm.ksdot.org/intempo/fo...ase/ffmail.cab
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
    O16 - DPF: {19AB65CA-3E4E-11D2-A97F-080009B3CC88} (FormFlow Component Download Object) - https://kdotrwm.ksdot.org/codebase/jfcomp~1.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - https://kdotrwm.ksdot.org/intempo/fo...plsspeller.cab
    O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - https://kdotrwm.ksdot.org/intempo/Ca...velopeCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188497907421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188496778906
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - https://kdotrwm.ksdot.org/intempo/fo...riptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - https://kdotrwm.ksdot.org/intempo/fo...tinstaller.cab
    O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - https://kdotrwm.ksdot.org/intempo/fo...se/listbox.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://\\dt00mb01\Appsup\SupportTools\RCRSFix\Acgm.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\Software\..\Telephony: DomainName = ksdot.org
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ksdot.org
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ksdot.org
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll (file missing)
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NightWatchman50 - 1E Ltd. - C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    O23 - Service: ProjectWise IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)

    --
    End of file - 11464 bytes

  10. #10
    Neal is offline Dedicated Member
    Run HijackThis and click on the "scan system only" button, then put checks next to these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll (file missing)
    O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll (file missing)

    Please close ALL browser windows (including this one).

    With everything closed out except HijackThis, click on "Fix checked".

    Reboot your PC.

    Don't worry about PC Cleaner, I got it in the last fix; CCleaner is a good program.

    How are things now?
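The two O21 entries above are ShellServiceObjectDelayLoad (SSODL) registrations whose DLL is already gone from disk, which is why HijackThis prints "(file missing)"; leaving a dangling in-process load point is harmless only until something drops a new DLL at that path. The script below is an added example, not part of the thread or of HijackThis: it parses O-section lines of a HijackThis log and reports the auto-load DLL entries (O2 BHO, O20 Winlogon Notify, O21 SSODL) whose file is reported missing, so the same entries Neal picked out by hand can be pulled from a log automatically. The sample lines are copied from the log in this thread; the section set `DLL_LOAD_POINTS` and the `Entry` fields are this example's own choices.

```python
"""Flag orphaned auto-load DLL entries in a HijackThis log.

Added example, not code from the thread or from HijackThis. It parses the
"Oxx - Kind: a - b - c" item shape used in HijackThis logs and reports
in-process load points whose DLL HijackThis could not find on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic shape of a HijackThis O-item: "<section> - <kind>: <fields joined by ' - '>"
HEAD_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING = "(file missing)"

# Sections that auto-load a DLL into a process (assumption of this example):
# O2 = Browser Helper Object, O20 = Winlogon Notify, O21 = ShellServiceObjectDelayLoad.
DLL_LOAD_POINTS = {"O2", "O20", "O21"}

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O21 - SSODL: qdnkewfa - {C100F7DB-C8C0-4E33-80D2-062B0E47C8F1} - C:\WINDOWS\qdnkewfa.dll (file missing)",
    r"O21 - SSODL: mgsvflkw - {EAFE107D-F5C2-42F2-9EB5-0C03CFF34FD9} - C:\WINDOWS\mgsvflkw.dll (file missing)",
    r"O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Unknown owner - C:\TEMP\Clt-Inst\vpremote.exe (file missing)",
]


@dataclass
class Entry:
    section: str          # e.g. "O21"
    kind: str             # e.g. "SSODL"
    name: str             # first field after the kind, e.g. the SSODL value name
    clsid: Optional[str]  # {GUID} field if present
    path: str             # last field: file path or URL
    file_missing: bool    # HijackThis reported "(file missing)"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - Kind: ...' line; returns None for lines of any other shape."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    file_missing = rest.endswith(MISSING)
    if file_missing:
        rest = rest[: -len(MISSING)].rstrip()
    # Fields are joined with " - "; the CLSID, when present, is one whole field.
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.match(p)), None)
    return Entry(section, kind, parts[0], clsid, parts[-1], file_missing)


def orphaned_load_points(lines: List[str]) -> List[Entry]:
    """Return auto-load DLL entries whose target file HijackThis reported missing."""
    found = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry.section in DLL_LOAD_POINTS and entry.file_missing:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in orphaned_load_points(SAMPLE_LOG):
        print(f"{e.section} {e.kind}: {e.name} {e.clsid} -> {e.path}")
```

Run against the sample lines it reports exactly the two O21 entries; the O23 service with a missing executable is parsed but not flagged, since a service pointing at a missing file is a stale registration rather than a DLL that gets loaded into Explorer or winlogon. Removing an entry with HijackThis only deletes the registry value; confirm afterwards that nothing re-creates it on reboot.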
