Cannot remove virus Backdoor.Win32.Rbot.bll from my computer!!!

I am using Zone Alarm Security Suite. It has identified the virus Backdoor.Win32.Rbot.bll but I cannot remove it; every time I do the scan it is still there. Any suggestions?
Asked by JohnGoodheart
1 Solution
 
war1Commented:
Greetings JohnGoodheart !

If you can, run Zone Alarm Security in Safe Mode to delete the virus.

Check if the virus is in the System Restore files. Disable System Restore and test if the virus still shows.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

If no joy, use BitDefender or Kaspersky, both of which have the ability to remove it.

BitDefender
http://www.bitdefender.com/

Kaspersky
http://www.kaspersky.com/

Best wishes, war1
 
captainCommented:
I suspect the virus self-restores from a carrier file; have a look for the following suspects via Search:
  %SYSTEM%\iwghnotnzk.exe
  %SYSTEM%\wuauclt28.exe
  btorrent.exe
  id161.exe
  mybot.exe
  r1ne.exe
  rr1.exe
  rr3.exe
  steam.exe
  wave1.exe
  xwinupdaterarx.exe
  zzz.exe
  WinMIS.exe

Delete any of these. If btorrent or steam are two programs you use, then download them again after you have got rid of the virus.

Now boot into Safe Mode with Networking and go to http://www.pandasoftware.com/products/activescan

Run the scan and hopefully it should remove the trojan.

HTH
 
JohnGoodheartAuthor Commented:
OK, will try these when I get off from work.

Thank you.
 
rpggamergirlCommented:
Can we look at a HijackThis log? RBot variants are also called SDBot by other scanners.
http://danborg.org/spy/hjt/alternativ.exe


This tool also removes SDBot/RBot/IRCBot variants.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back.
 
JohnGoodheartAuthor Commented:
Sorry it's taken so long to get back to this!!!! Problems on the homestead.

OK. I've tried everything from all 3 solutions and no luck; the virus is still there. I ran all the antivirus programs in Safe Mode, disabled System Restore and ran this program from rpggamergirl, and these are the results:

SDFix: Version 1.94

Run by k on Tue 07/31/2007 at 06:01 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\k\Desktop\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\svdhost.exe  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\k\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\system32\svehost.exe.vzr
C:\NTBOOTDD.SYS
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

                                 Finished
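As an added example (not code from the thread or from the SDFix tool), here is a small Python triage script for text in the SDFix report format posted above. It flags the three things a defender would pick out of that report: a file name within a couple of edits of a well-known Windows binary (svdhost.exe next to svchost.exe), an executable extension buried under a second extension (svehost.exe.vzr), and a hidden-attribute executable under the Windows directory. The list of legitimate binaries, the edit-distance threshold and the sample report are assumptions constructed for this example.

```python
"""Triage helper for SDFix-style report text (added example; not code from
the thread or from the SDFix tool). Flags lookalikes of Windows binaries,
executables carrying a second extension, and hidden executables under the
Windows directory. The binary list, threshold and sample report below are
assumptions constructed for this example."""
import re
from typing import Dict, List

# Stems of legitimate Windows XP binaries that malware commonly mimics (assumed list).
LEGIT_STEMS = {"svchost", "lsass", "csrss", "winlogon", "services",
               "explorer", "spoolsv", "ntoskrnl", "smss"}
EXEC_EXTS = {"exe", "dll", "sys"}
WINDOWS_DIR = "c:\\windows\\"
MAX_DISTANCE = 2  # edits at or below this count as a lookalike

# A drive-letter path; stops at whitespace, quotes and NTFS-illegal characters.
PATH_RE = re.compile(r'([A-Za-z]:\\[^\s":*?<>|]+)')

# Constructed sample in the layout of the SDFix report posted in the thread.
SAMPLE_REPORT = r"""Trojan Files Found:

C:\WINDOWS\system32\svdhost.exe  - Deleted

ADS Check:

C:\WINDOWS\system32\svchost.exe
No streams found.

Files with Hidden Attributes:

C:\WINDOWS\system32\svehost.exe.vzr
C:\NTBOOTDD.SYS
C:\WINDOWS\system32\config\software.tmp.LOG
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_report(report: str) -> List[tuple]:
    """Return (section, path) pairs; any line ending in ':' starts a section."""
    section, found = "", []
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):
            section = stripped[:-1].lower()
            continue
        match = PATH_RE.search(stripped)
        if match:
            found.append((section, match.group(1)))
    return found


def analyze(report: str) -> Dict[str, List[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for section, path in parse_report(report):
        directory, _, name = path.lower().rpartition("\\")
        stem, *exts = name.split(".")
        reasons = []
        # 1. Near-miss of a system binary name; exact matches are exempt.
        if stem not in LEGIT_STEMS:
            for legit in sorted(LEGIT_STEMS):
                if edit_distance(stem, legit) <= MAX_DISTANCE:
                    reasons.append(f"lookalike of {legit}")
                    break
        # 2. .exe/.dll/.sys followed by yet another extension.
        if any(ext in EXEC_EXTS for ext in exts[:-1]):
            reasons.append("executable extension followed by another extension")
        # 3. Hidden-attribute executable inside the Windows directory tree.
        if (section.startswith("files with hidden attributes")
                and (directory + "\\").startswith(WINDOWS_DIR)
                and any(ext in EXEC_EXTS for ext in exts)):
            reasons.append("hidden executable in the Windows directory")
        if reasons:
            findings[path] = reasons
    return findings
```

Calling analyze(SAMPLE_REPORT) flags svdhost.exe and svehost.exe.vzr and leaves the legitimate svchost.exe, NTBOOTDD.SYS and the config .LOG files alone.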
 
captainCommented:
Hi

I am convinced that this may have to do with the BitTorrent exe. Can you rename the following 2 files,

bittorrent.exe and dna.exe, into .old files, run the remover again and reboot.

Trojan gone?

hth
 
JohnGoodheartAuthor Commented:
I could not find those files, even in c:/programs/bittorent. Since that last list of files I have run Spy Sweeper, Spybot, Ad-Aware and a couple of other programs. Maybe they removed that file? (bittorent.exe and dna.exe)

I will run the program again and post another list after I get back from seeing The Simpsons Movie.

The virus is still present according to Zone Alarm Security Suite.
 
rpggamergirlCommented:
C:\WINDOWS\system32\svehost.exe.vzr <-- is this file still present? If so, delete it.

SDFix deleted an SDBot variant, but there must be something else.

Please run this one and let us look at the report.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Is what Zone Alarm is reporting a registry entry or a file, as in .exe or .dll?
 
JohnGoodheartAuthor Commented:
Windows XP Professional  5.1.2600.2.1252.1.1033.18.True


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-07-03 to 2007-08-03  )))))))))))))))))))))))))))))))


2007-08-02 19:36      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-01 13:54      22,080      --a------      C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-01 13:54      21,056      --a------      C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-01 13:54      20,544      --a------      C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-08-01 13:54      144,960      --a------      C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-01 13:54      <DIR>      d--------      C:\Program Files\Webroot
2007-08-01 13:54      <DIR>      d--------      C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-01 13:54      <DIR>      d--------      C:\DOCUME~1\k\APPLIC~1\Webroot
2007-08-01 13:54      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-31 23:34      <DIR>      d--hs----      C:\WINDOWS\CSC
2007-07-31 18:00      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-07-20 22:30      983,083      --a------      C:\WINDOWS\system32\LXBAGF.DLL
2007-07-20 22:30      90,112      --a------      C:\WINDOWS\system32\LXBACUR.DLL
2007-07-20 22:30      86,016      --a------      C:\WINDOWS\system32\LXBAIH.EXE
2007-07-20 22:30      77,824      --a------      C:\WINDOWS\system32\LXBALCNP.DLL
2007-07-20 22:30      73,728      --a------      C:\WINDOWS\system32\lxbapwr.dll
2007-07-20 22:30      69,632      --a------      C:\WINDOWS\system32\LXBACU.DLL
2007-07-20 22:30      57,344      --a------      C:\WINDOWS\system32\lxbacinf.dll
2007-07-20 22:30      544,768      --a------      C:\WINDOWS\system32\LXBALSNT.EXE
2007-07-20 22:30      49,152      --a------      C:\WINDOWS\system32\lxbacoin.dll
2007-07-20 22:30      466,944      --a------      C:\WINDOWS\system32\LXBAJSWR.DLL
2007-07-20 22:30      40,960      --a------      C:\WINDOWS\system32\INSTMON.EXE
2007-07-20 22:30      303,104      --a------      C:\WINDOWS\system32\LEXBCES.EXE
2007-07-20 22:30      294,912      --a------      C:\WINDOWS\system32\LXBAUTIL.DLL
2007-07-20 22:30      286,720      --a------      C:\WINDOWS\system32\LXBAPMNT.DLL
2007-07-20 22:30      286,720      --a------      C:\WINDOWS\system32\lxbacomm.dll
2007-07-20 22:30      217,088      --a------      C:\WINDOWS\system32\LXBALCNT.DLL
2007-07-20 22:30      201,216      --a------      C:\WINDOWS\system32\LEXP2P32.DLL
2007-07-20 22:30      196,096      --a------      C:\WINDOWS\system32\LEX2KUSB.DLL
2007-07-20 22:30      192,512      --a------      C:\WINDOWS\system32\lexlmpm.dll
2007-07-20 22:30      174,592      --a------      C:\WINDOWS\system32\LEXPPS.EXE
2007-07-20 22:30      155,648      --a------      C:\WINDOWS\system32\LEXPING.EXE
2007-07-20 22:30      147,456      --a------      C:\WINDOWS\system32\LEXBCE.DLL
2007-07-20 22:30      126,976      --a------      C:\WINDOWS\system32\LXBACFG.EXE
2007-07-18 12:10      <DIR>      d--------      C:\Program Files\PTDD Group
2007-07-17 19:48      786,432      --ah-----      C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-17 18:47      <DIR>      d--------      C:\Program Files\PowerQuest
2007-07-17 15:52      <DIR>      d--------      C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-17 15:47      <DIR>      d--------      C:\WINDOWS\Prefetch
2007-07-17 15:41      9,728      --a--c---      C:\WINDOWS\system32\dllcache\rwnh.dll
2007-07-17 15:41      9,728      --a--c---      C:\WINDOWS\system32\dllcache\query.exe
2007-07-17 15:41      9,216      --a--c---      C:\WINDOWS\system32\dllcache\wamps51.dll
2007-07-17 15:41      86,073      --a--c---      C:\WINDOWS\system32\dllcache\voicesub.dll
2007-07-17 15:41      8,704      --a--c---      C:\WINDOWS\system32\dllcache\snmptrap.exe
2007-07-17 15:41      79,872      --a--c---      C:\WINDOWS\system32\dllcache\rwia330.dll
2007-07-17 15:41      79,872      --a--c---      C:\WINDOWS\system32\dllcache\rwia001.dll
2007-07-17 15:41      76,800      --a--c---      C:\WINDOWS\system32\dllcache\wam51.dll
2007-07-17 15:41      76,288      --a--c---      C:\WINDOWS\system32\dllcache\uniime.dll
2007-07-17 15:41      73,728      --a--c---      C:\WINDOWS\system32\dllcache\w3ext.dll
2007-07-17 15:41      70,144      --a--c---      C:\WINDOWS\system32\dllcache\pintlphr.exe
2007-07-17 15:41      7,680      --a--c---      C:\WINDOWS\system32\dllcache\pwsdata.dll
2007-07-17 15:41      7,168      --a--c---      C:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll
2007-07-17 15:41      67,584      --a--c---      C:\WINDOWS\system32\dllcache\pmigrate.dll
2007-07-17 15:41      6,144      --a--c---      C:\WINDOWS\system32\dllcache\snmpmib.dll
2007-07-17 15:41      6,144      --a--c---      C:\WINDOWS\system32\dllcache\pmxgl.dll
2007-07-17 15:41      57,856      --a--c---      C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-07-17 15:41      53,760      --a--c---      C:\WINDOWS\system32\dllcache\pintlcsd.dll
2007-07-17 15:41      53,248      --a--c---      C:\WINDOWS\system32\dllcache\wamreg51.dll
2007-07-17 15:41      5,632      --a--c---      C:\WINDOWS\system32\dllcache\w3svapi.dll
2007-07-17 15:41      5,632      --a--c---      C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-07-17 15:41      5,632      --a--c---      C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-07-17 15:41      48,256      --a--c---      C:\WINDOWS\system32\dllcache\w32.dll
2007-07-17 15:41      46,592      --a--c---      C:\WINDOWS\system32\dllcache\svcext51.dll
2007-07-17 15:41      46,592      --a--c---      C:\WINDOWS\system32\dllcache\sspifilt.dll
2007-07-17 15:41      456,704      --a--c---      C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-07-17 15:41      455,168      --a--c---      C:\WINDOWS\system32\dllcache\tintsetp.exe
2007-07-17 15:41      45,056      --a--c---      C:\WINDOWS\system32\dllcache\ssinc51.dll
2007-07-17 15:41      44,032      --a--c---      C:\WINDOWS\system32\dllcache\tintlphr.exe
2007-07-17 15:41      426,041      --a--c---      C:\WINDOWS\system32\dllcache\voicepad.dll
2007-07-17 15:41      41,600      --a--c---      C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-07-17 15:41      40,448      --a--c---      C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-07-17 15:41      4,608      --a--c---      C:\WINDOWS\system32\dllcache\w3ctrs51.dll
2007-07-17 15:41      4,096      --a--c---      C:\WINDOWS\system32\dllcache\rpcref.dll
2007-07-17 15:41      38,912      --a--c---      C:\WINDOWS\system32\dllcache\sm9aw.dll
2007-07-17 15:41      363,520      --a--c---      C:\WINDOWS\system32\dllcache\w3svc.dll
2007-07-17 15:41      36,927      --a--c---      C:\WINDOWS\system32\dllcache\padrs411.dll
2007-07-17 15:41      358,400      --a--c---      C:\WINDOWS\system32\dllcache\snmpincl.dll
2007-07-17 15:41      32,768      --a--c---      C:\WINDOWS\system32\dllcache\snmp.exe
2007-07-17 15:41      31,744      --a--c---      C:\WINDOWS\system32\dllcache\smb6w.dll
2007-07-17 15:41      31,744      --a--c---      C:\WINDOWS\system32\dllcache\sma3w.dll
2007-07-17 15:41      31,744      --a--c---      C:\WINDOWS\system32\dllcache\pagecnt.dll
2007-07-17 15:41      31,232      --a--c---      C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-07-17 15:41      31,232      --a--c---      C:\WINDOWS\system32\dllcache\tools.dll
2007-07-17 15:41      30,208      --a--c---      C:\WINDOWS\system32\dllcache\sm87w.dll
2007-07-17 15:41      30,208      --a--c---      C:\WINDOWS\system32\dllcache\sm81w.dll
2007-07-17 15:41      29,184      --a--c---      C:\WINDOWS\system32\dllcache\sm8cw.dll
2007-07-17 15:41      26,624      --a--c---      C:\WINDOWS\system32\dllcache\sm93w.dll
2007-07-17 15:41      26,624      --a--c---      C:\WINDOWS\system32\dllcache\sm92w.dll
2007-07-17 15:41      26,624      --a--c---      C:\WINDOWS\system32\dllcache\rw330ext.dll
2007-07-17 15:41      26,112      --a--c---      C:\WINDOWS\system32\dllcache\sm90w.dll
2007-07-17 15:41      26,112      --a--c---      C:\WINDOWS\system32\dllcache\sm8dw.dll
2007-07-17 15:41      26,112      --a--c---      C:\WINDOWS\system32\dllcache\sm8aw.dll
2007-07-17 15:41      26,112      --a--c---      C:\WINDOWS\system32\dllcache\sm89w.dll
2007-07-17 15:41      26,112      --a--c---      C:\WINDOWS\system32\dllcache\EXCH_seos.dll
2007-07-17 15:41      259,072      --a--c---      C:\WINDOWS\system32\dllcache\snmpcl.dll
2007-07-17 15:41      25,088      --a--c---      C:\WINDOWS\system32\dllcache\sm59w.dll
2007-07-17 15:41      24,576      --a--c---      C:\WINDOWS\system32\dllcache\rw001ext.dll
2007-07-17 15:41      236,544      --a--c---      C:\WINDOWS\system32\dllcache\smi2smir.exe
2007-07-17 15:41      23,040      --a--c---      C:\WINDOWS\system32\dllcache\EXCH_regtrace.exe
2007-07-17 15:41      221,696      --a--c---      C:\WINDOWS\system32\dllcache\seo.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 20:43      870688      --ahs----      C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-02 20:43      82760      --ahs----      C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-02 20:43      78088224      --ahs----      C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-02 20:43      384      --a------      C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000004-20021102}.dat
2007-08-02 20:43      384      --a------      C:\WINDOWS\system32\DVCState-{00000002-00000000-00000004-00001102-00000004-20021102}.dat
2007-08-02 20:43      1051136      --ahs----      C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-02 01:20      512      --a------      C:\ScanSectorLog.dat
2007-07-30 16:16      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\MailFrontier
2007-07-20 22:30      ---------      d--------      C:\Program Files\Lexmark X5100 Series
2007-07-19 17:46      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-19 00:31      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Azureus
2007-07-19 00:29      ---------      d--------      C:\Program Files\Google
2007-07-19 00:29      ---------      d--------      C:\Program Files\Common Files\InstallShield
2007-07-17 15:53      ---------      d--------      C:\Program Files\InterActual
2007-07-17 15:36      23312      --a------      C:\WINDOWS\system32\emptyregdb.dat
2007-07-17 15:36      ---------      d--------      C:\Program Files\Messenger
2007-07-16 13:58      ---------      d--------      C:\Program Files\ProxyWay
2007-07-09 11:46      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Camfrog
2007-07-08 18:35      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\LimeWire
2007-07-05 22:51      ---------      d--------      C:\Program Files\Azureus
2007-07-05 17:12      685816      --a------      C:\WINDOWS\system32\drivers\sptd.sys
2007-07-03 14:01      ---------      d--------      C:\Program Files\exPressit S.E. 2.1
2007-07-02 10:05      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Apple Computer
2007-06-25 18:06      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Creative
2007-06-25 17:55      ---------      d--------      C:\Program Files\Creative
2007-06-25 17:52      184      --a------      C:\WINDOWS\system32\e000002.dat
2007-06-25 17:51      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Creative ASR2
2007-06-16 20:04      ---------      d--------      C:\Program Files\Avi2Dvd
2007-06-16 19:57      ---------      d--------      C:\Program Files\AviSynth 2.5
2007-06-15 21:18      ---------      d--------      C:\DOCUME~1\k\APPLIC~1\Google
2007-05-29 19:58      73216      --a------      C:\WINDOWS\ST6UNST.EXE
2007-05-29 19:58      286720      --a------      C:\WINDOWS\SETUP1.EXE
2007-05-25 13:27      25088      --a------      C:\WINDOWS\system32\msxml3a.dll
2007-05-13 19:28      528      --a------      C:\WINDOWS\eReg.dat


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 04:02]
"AsioReg"="REGSVR32.exe" [2004-08-03 18:56 C:\WINDOWS\system32\regsvr32.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2003-06-19 23:55 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 15:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"Hide IP Platinum"="C:\Program Files\Hide IP Platinum\hideippla.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 09:47]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 04:06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
"C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
S3 PID_08A0;QuickCam IM(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
S3 TSP;TSP;\??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS
S4 RxFilter;RxFilter;C:\WINDOWS\system32\DRIVERS\RxFilter.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\launch.exe /a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37a0186f-011f-11dc-bc61-0019d10c5e7f}]
AutoRun\command- L:\RunGame.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 20:46:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 20:49:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 20:48


backdoor.win32.rbot.bll

This is the info. Any questions?


 
JohnGoodheartAuthor Commented:
The virus is still there.  Any suggestions anyone?