Unsolved

July 31st, 2010 14:00

Redirections and unsolicited sites still after many AV scans

I have run these scans: Malwarebytes, AVG, Norton 2010, but still have the problem. I'm ready for the next step. I promise prompt reply to any instruction. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:03 PM, on 7/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VRQ Uploader] C:\Program Files\NortonVRQ\Engine\5.0.2.10\VRQUploadFiles.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {1047CBD1-7E52-414F-B768-87CBB03678AD} (ebActiveTools3.ebFileDropper) - https://app.e-builder.net/da/documents/MultiFileUpload3_V01/ebActiveTools3.CAB
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194449549462
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://hummingbird2.nektar.com/net6helper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webexevents.webex.com/client/T27L/event/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phussc.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phussc.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phussc.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: Rockwell Alarm History Archiver (FTAE_Archiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
O23 - Service: Rockwell Alarm Historian (FTAE_HistServ) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9e96adb6c2fa) (gupdate1c9e96adb6c2fa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogReceiver - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Rockwell Namespace Services (NmspHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\NmspHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Rockwell Redundancy Services (RdcyHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RdcyHost.exe
O23 - Service: Rockwell Alarm Server (RnaAeServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
O23 - Service: Rockwell Alarm Multiplexer (RnaAlarmMux) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Alarm Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell HMI Framework - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
O23 - Service: Rockwell Tag Server - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 20344 bytes

1.1K Posts

July 31st, 2010 15:00

Hi skissh,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own, as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.

Please proceed as follows :-

Step 1

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget ComboFix must be saved to your desktop. <--Very important

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection are available at the following link :-

Disable realtime protection

Note: Do not click ComboFix's window with your mouse while it's running. That action may cause it to stall.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like to see in your reply:

  • Log from Combofix
  • Log from Security Checks



Kevin.

6 Posts

July 31st, 2010 20:00

Thanks Kevin for taking on my case. I have two computers so I am able to reply while Combofix is running on the infected computer. I have read all the instructions and don't have the 2 logs requested just yet. Combofix has been running for over 1.5 hrs with no stages complete.

I looked in Task Manager and could see that the process, Cf3929.cfxxe, was not using any CPU time and the system is 89% idle. Task Manager shows the only application, AutoScan, to have a status of 'Running'. By the time I got your post I had uninstalled AVG and AdAware, thinking I had too many AV programs running. I disabled Norton as you instructed before running Combofix. I did install Combofix twice, once not on the desktop and then on the Desktop. I ran the Desktop one. The Windows recovery console was installed and the registry backup. I hope I didn't screw it up already.

6 Posts

July 31st, 2010 23:00

To update my progress: my computer froze and I did a hard reboot. When the computer restarted I noticed that even though I "disabled" Norton, some of its components were on, so I turned them off.

I restarted ComboFix and within 10 minutes all stages had completed and my computer was automatically restarted. After logging on, ComboFix started and after 15 minutes the log.txt was opened. I have tested the redirection problem and the links were no longer hijacked, and as of yet I have not had any web pages open that I have not initiated. Here are the logs. Would you recommend reinstalling all the AV programs I had before, or should I just keep one? Which one or more do you use?

Thanks,

skissh


ComboFix 10-07-31.02 - skissh 07/31/2010  21:12:53.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3582.2703 [GMT -7:00]
Running from: c:\documents and settings\skissh\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\skissh\GoToAssistDownloadHelper.exe
c:\documents and settings\skissh\Local Settings\Application Data\Windows Server
c:\documents and settings\skissh\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\skissh\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\jestertb.dll
c:\windows\system32\Cache

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_npf


(((((((((((((((((((((((((   Files Created from 2010-07-01 to 2010-08-01  )))))))))))))))))))))))))))))))
.

2010-07-31 19:06 . 2010-07-31 21:59    0    ----a-w-    c:\documents and settings\skissh\Local Settings\Application Data\prvlcl.dat
2010-07-31 19:00 . 2010-07-31 19:00    --------    d-----w-    c:\program files\Trend Micro
2010-07-30 02:13 . 2010-07-30 02:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-30 02:04 . 2010-07-30 02:04    --------    d-----w-    c:\documents and settings\skissh\Application Data\WD
2010-07-30 02:04 . 2010-07-30 02:04    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-30 02:04 . 2010-07-30 02:04    --------    d-----w-    c:\program files\Common Files\eSellerate
2010-07-30 02:04 . 2010-07-30 02:04    --------    d-----w-    c:\program files\WD
2010-07-30 01:49 . 2010-07-30 01:49    --------    d-----w-    c:\program files\Western Digital
2010-07-26 15:48 . 2010-07-26 15:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2010-07-26 15:48 . 2010-07-26 15:48    --------    d-----w-    c:\program files\NOS
2010-07-24 21:43 . 2010-07-24 21:43    95024    ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
2010-07-24 21:29 . 2010-07-24 21:29    --------    d-----w-    c:\documents and settings\skissh\Local Settings\Application Data\Sunbelt Software
2010-07-24 21:19 . 2010-07-31 21:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-24 18:07 . 2010-07-24 18:07    --------    d-----w-    c:\program files\Common Files\Skype
2010-07-13 21:32 . 2010-07-13 21:32    --------    d-----w-    C:\IAI USB
2010-07-13 21:32 . 2006-07-31 15:27    89808    ----a-w-    c:\windows\system32\drivers\slabser.sys
2010-07-13 21:32 . 2006-07-31 15:27    6144    ----a-w-    c:\windows\system32\drivers\slabcmnt.sys
2010-07-13 21:32 . 2006-07-31 15:27    6144    ----a-w-    c:\windows\system32\drivers\slabcm.sys
2010-07-13 21:32 . 2006-07-31 15:27    5776    ----a-w-    c:\windows\system32\drivers\slabwhnt.sys
2010-07-13 21:32 . 2006-07-31 15:27    5776    ----a-w-    c:\windows\system32\drivers\slabwh.sys
2010-07-13 21:32 . 2006-07-31 15:27    55312    ----a-w-    c:\windows\system32\drivers\slabbus.sys
2010-07-13 21:32 . 2006-07-31 15:27    47616    ----a-w-    c:\windows\system32\IAIunin2k.exe
2010-07-13 21:09 . 2010-07-13 21:09    --------    d-----w-    c:\program files\IAI Corporation
2010-07-10 22:47 . 2010-07-10 22:47    --------    d-----w-    c:\documents and settings\skissh\Application Data\Malwarebytes
2010-07-10 22:47 . 2010-04-29 22:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 22:47 . 2010-07-10 22:47    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 22:47 . 2010-04-29 22:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-07-10 22:47 . 2010-07-10 22:47    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-07-06 05:03 . 2010-07-06 05:03    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-03 07:04 . 2010-07-03 07:04    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-07-03 00:01 . 2010-07-03 00:01    --------    d-----w-    c:\windows\system32\wbem\Repository

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 04:31 . 2010-06-28 21:32    7304    ----a-w-    c:\windows\TMP0001.TMP
2010-08-01 03:55 . 2010-06-28 21:23    57480    ----a-w-    c:\windows\system32\nvModes.dat
2010-07-31 22:13 . 2009-06-26 20:09    --------    d-----w-    c:\documents and settings\skissh\Application Data\Wave Systems Corp
2010-07-31 18:36 . 2010-07-31 18:36    503808    ----a-w-    c:\documents and settings\skissh\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-57b0cd63-n\msvcp71.dll
2010-07-31 18:36 . 2010-07-31 18:36    499712    ----a-w-    c:\documents and settings\skissh\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-57b0cd63-n\jmc.dll
2010-07-31 18:36 . 2010-07-31 18:36    348160    ----a-w-    c:\documents and settings\skissh\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-57b0cd63-n\msvcr71.dll
2010-07-27 19:43 . 2008-07-14 21:34    --------    d-----w-    c:\program files\AVG
2010-07-27 18:02 . 2009-11-04 23:05    --------    d-----w-    c:\documents and settings\skissh\Application Data\IDMComp
2010-07-25 16:42 . 2009-07-03 01:23    --------    d-----w-    c:\program files\CCleaner
2010-07-25 15:21 . 2007-11-07 22:47    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\VMware
2010-07-25 15:17 . 2009-07-06 01:51    --------    d-----w-    c:\documents and settings\skissh\Application Data\Skype
2010-07-24 23:09 . 2009-07-06 01:53    --------    d-----w-    c:\documents and settings\skissh\Application Data\skypePM
2010-07-24 21:21 . 2007-10-31 22:51    --------    d-----w-    c:\program files\Google
2010-07-24 18:07 . 2007-11-07 18:29    --------    d-----r-    c:\program files\Skype
2010-07-24 18:07 . 2007-11-07 18:29    --------    d-----w-    c:\documents and settings\All Users\Application Data\Skype
2010-07-24 16:40 . 2007-11-07 22:45    --------    d-----w-    c:\documents and settings\All Users\Application Data\VMware
2010-07-17 14:07 . 2007-11-07 16:24    --------    d-----w-    c:\program files\Common Files\Adobe
2010-07-17 13:55 . 2009-07-06 21:38    --------    d-----w-    c:\documents and settings\skissh\Application Data\AdobeUM
2010-07-13 23:36 . 2010-07-13 23:36    45056    ----a-w-    c:\documents and settings\All Users\Application Data\Rockwell\RSLogix 5000\root\752098ec\379a2c37\nxynxlgk.dll
2010-07-13 23:36 . 2010-07-13 23:36    45056    ----a-w-    c:\documents and settings\All Users\Application Data\Rockwell\RSLogix 5000\root\752098ec\379a2c37\c_pm_sy4.dll
2010-07-07 21:07 . 2009-12-07 22:44    --------    d-----w-    c:\program files\Allen-Bradley
2010-07-07 21:07 . 2007-10-31 22:35    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-07-06 04:54 . 2009-06-26 20:55    --------    d-----w-    c:\documents and settings\skissh\Application Data\VMware
2010-07-01 23:40 . 2010-07-01 23:39    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Teleca
2010-07-01 23:40 . 2010-07-01 23:40    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Dell
2010-07-01 23:39 . 2008-07-03 19:44    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Wave Systems Corp
2010-07-01 20:52 . 2010-07-03 22:37    1496064    ----a-w-    c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 20:51 . 2010-07-03 22:37    43008    ----a-w-    c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 20:51 . 2010-07-03 22:37    338944    ----a-w-    c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 20:51 . 2010-07-03 22:37    346112    ----a-w-    c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-29 22:26 . 2007-11-16 18:16    --------    d-----w-    c:\program files\Symantec
2010-06-29 22:26 . 2009-06-26 23:19    805    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-06-29 22:26 . 2009-06-26 23:19    7443    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-29 22:26 . 2009-06-26 23:19    124976    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-29 22:26 . 2007-11-16 18:16    60808    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2010-06-29 22:22 . 2010-06-29 22:19    96307688    ----a-w-    C:\NAV-UPGRADE-ESD-17-6-0-32-EN.exe
2010-06-28 20:59 . 2009-02-07 01:52    --------    d-----w-    c:\program files\QuickTime
2010-06-28 18:47 . 2010-06-28 18:47    --------    d-----w-    c:\program files\NortonVRQ
2010-06-28 18:47 . 2010-06-28 18:47    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton VRQ
2010-06-28 18:47 . 2009-06-26 23:18    --------    d-----w-    c:\program files\NortonInstaller
2010-06-28 17:30 . 2009-06-22 21:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\Norton
2010-06-21 19:53 . 2008-06-19 23:03    --------    d-----w-    c:\program files\Microsoft Silverlight
2010-06-07 23:16 . 2010-07-17 15:07    3887480    ----a-w-    c:\documents and settings\skissh\Application Data\Microsoft\Internet Explorer\Quick Launch\procexp.exe
2010-06-07 16:07 . 2007-11-06 22:27    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp
2010-05-06 10:41 . 2004-08-11 23:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-05-06 04:01 . 2010-06-30 02:05    361904    ----a-w-    c:\windows\system32\drivers\symtdi.sys
2010-07-18 20:03 . 2009-03-05 03:35    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-12-08 19:43 . 2009-12-08 19:43    28488    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-06-27 03:02 . 2009-12-08 19:43    239488    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-08-17 01:42 . 2008-08-17 01:42    13112    ----a-w-    c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42 . 2008-08-17 01:42    70456    ----a-w-    c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42 . 2008-08-17 01:42    91448    ----a-w-    c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42 . 2008-08-17 01:42    20800    ----a-w-    c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43 . 2008-08-17 01:43    206136    ----a-w-    c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42 . 2008-08-17 01:42    31032    ----a-w-    c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42 . 2008-08-17 01:42    40248    ----a-w-    c:\program files\mozilla firefox\plugins\icalogon.dll
2009-12-08 19:43 . 2009-12-08 19:43    99224    ----a-w-    c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-03-16 22:27 . 2007-03-16 22:27    479232    ----a-w-    c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27    548864    ----a-w-    c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27    626688    ----a-w-    c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58 . 2008-06-05 21:58    648504    ----a-w-    c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42 . 2008-08-17 01:42    23864    ----a-w-    c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"VRQ Uploader"="c:\program files\NortonVRQ\Engine\5.0.2.10\VRQUploadFiles.exe" [2010-06-11 1337712]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"systray"="c:\program files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 331851]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvMediaCenter"="NvMCTray.dll" [2007-05-31 81920]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-18 30192]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]

c:\documents and settings\skissh\Start Menu\Programs\Startup\
taskmgr.lnk - c:\windows\system32\taskmgr.exe [2004-8-11 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2009-3-29 806912]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2007-11-7 25214]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-31 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-22 22:48    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2008-10-29 06:07    96816    ----a-w-    c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"Harmony"=3 (0x3)
"Bonjour Service"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockwell Software\\BOOTP-DHCP Server\\BootpServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAeServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmMux.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmDetector.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\countermonitor.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"=
"c:\\Program Files\\Wave Systems Corp\\Security Wizards\\bin\\Secure 8021x.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:Port 135 TCP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\symds.sys [6/29/2010 7:05 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\symefa.sys [6/29/2010 7:05 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/12/2010 6:10 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\cchpx86.sys [6/29/2010 7:05 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\ironx86.sys [6/29/2010 7:05 PM 116784]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 12:21 PM 79432]
R2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/18/2007 12:29 AM 61440]
R2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/18/2007 12:29 AM 143360]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 12:20 PM 25824]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 9:12 PM 202096]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/29/2010 7:05 PM 126392]
R2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 1:57 AM 212992]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 1:57 AM 212992]
R2 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/18/2007 12:32 AM 270336]
R2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 3:27 PM 753664]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 9:21 PM 491520]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/7/2007 3:30 PM 24652]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 11:08 PM 54960]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 4:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 10:32 AM 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2010 9:04 AM 102448]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/18/2007 12:36 AM 217088]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1/12/2010 2:13 PM 2234320]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100730.001\IDSXpx86.sys [7/30/2010 5:43 PM 331640]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [10/31/2007 3:14 PM 92288]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [10/31/2007 3:14 PM 92288]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [1/12/2010 2:12 PM 109072]
S1 SymSMR100;SMR Utility Service;\??\c:\windows\System32\drivers\SymSMR100.SYS --> c:\windows\System32\drivers\SymSMR100.SYS [?]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys --> c:\windows\system32\drivers\omdrv.sys [?]
S2 gupdate1c9e96adb6c2fa;Google Update Service (gupdate1c9e96adb6c2fa);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2009 6:23 PM 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [1/12/2004 11:07 AM 71448]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/4/2009 8:35 PM 30192]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [5/11/2010 2:30 PM 24576]
S3 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 11:47 AM 94208]
S3 NW001NDIS;Dell Wireless Network Adapter Service;c:\windows\system32\drivers\nw01ndis.sys [3/22/2007 12:12 PM 210432]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [4/17/2008 6:33 PM 58240]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [3/3/2007 9:09 PM 17264]
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 10:35 PM 77824]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1/12/2004 11:07 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 3:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/12/2004 11:07 AM 30166]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 8:02 PM 38999]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [1/12/2004 11:07 AM 155440]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-10 01:23]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-10 01:23]

2010-08-01 c:\windows\Tasks\User_Feed_Synchronization-{2A1C8EEF-F57D-4652-A3C2-058C2325E46A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2010-08-01 c:\windows\Tasks\User_Feed_Synchronization-{39833DAA-9CB4-40C2-9812-2D158396D3F0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2010-08-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 05:18]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\biolsp.dll
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: 4lightning.net\www
DPF: {1047CBD1-7E52-414F-B768-87CBB03678AD} - hxxps://app.e-builder.net/da/documents/MultiFileUpload3_V01/ebActiveTools3.CAB
DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - hxxp://download1.answers.com/pub/AnswersSetup.cab
FF - ProfilePath - c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\
FF - prefs.js: browser.startup.homepage - hxxp://by132w.bay132.mail.live.com/default.aspx?wa=wsignin1.0|http://www.google.com/webhp?sourceid=navclient-ff
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\skissh\Application Data\Mozilla\Firefox\Profiles\6iztyhpi.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-MSWheel - (no file)
HKLM-Run-EXSHOW95.EXE - EXSHOW95.EXE
Notify-ckpNotify - ckpNotify.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1904)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(1960)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(728)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Dell\QuickSet\dadkeyb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Rockwell\RNADiagnosticsSrv.exe
c:\program files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
c:\program files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
c:\program files\Common Files\Rockwell\RsvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Rockwell\EventClientMultiplexer.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\Common Files\Rockwell\RnaDirServer.exe
c:\program files\Common Files\Rockwell\RNADirMultiplexor.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\kmw_run.exe
c:\windows\system32\KMW_SHOW.EXE
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-07-31  22:02:32 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-01 05:02

Pre-Run: 23,699,562,496 bytes free
Post-Run: 25,633,001,472 bytes free

- - End Of File - - 6C8B7E5924DB8E869896F21FB1EE156C


 Results of screen317's Security Check version 0.99.4 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 Norton AntiVirus    
 Norton AntiVirus Corporate Edition  
 Rockwell Windows Firewall Configuration Utility 1.00.02
 Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner    
 Java(TM) 6 Update 15 
 Java(TM) 6 Update 3 
 Java(TM) 6 Update 5 
 Java(TM) 6 Update 7 
 Out of date Java installed!
 Adobe Flash Player 10.0.45.2 
Adobe Reader 8.2.3
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````



August 1st, 2010 03:00

Hi skissh,

Please continue as follows:

Step 1

Uninstall the following from Add/Remove programs via the Control Panel.

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
HJT Version 2.0.2

Also any of the following, if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology



Step 2

I see that you have CCleaner installed; please run the cleaner function now. I've included my install instructions below, which also cover the general settings.

Download and scan with CCleaner

1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.




In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.



4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Step 3

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, after reading the contents, press "Accept".
2. At the next window, select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database update has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as", type kaspersky as the file name, choose Text (*.txt) under "Save as type", and save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.


Step 4

Click here to download HJTInstaller Version 2.0.4

  • Save HJTInstaller to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

What I'd like in your reply :-

  • Log from Kaspersky
  • Log from HJT
  • Any specific issues



Kevin

6 Posts

August 2nd, 2010 10:00

Everything took longer than the descriptions estimated. CCleaner took hours, but I did opt for the Wipe; Kaspersky took over 9 hrs and did find some infections that I haven't addressed yet. The logs follow.

Thanks,

skissh

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Monday, August 2, 2010
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Sunday, August 01, 2010 16:22:17
 Records in database: 4169820
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    Y:\
    Z:\

Scan statistics:
    Objects scanned: 235457
    Threats found: 4
    Infected objects found: 7
    Suspicious objects found: 0
    Scan duration: 09:07:02


File name / Threat / Threats count
C:\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB    Infected: not-a-virus:PSWTool.Win32.DBSniffer    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15A80000.VBN    Infected: Backdoor.Win32.Agent.ani    1
C:\Documents and Settings\stevkis\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000004.pst    Infected: Trojan-Spy.HTML.Paylap.bw    1
C:\Qoobox\32788R22FWJFW\pci.sys    Infected: Rootkit.Win32.TDSS.ap    1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034599.sys    Infected: Rootkit.Win32.TDSS.ap    1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034611.sys    Infected: Rootkit.Win32.TDSS.ap    1
Y:\My WD_Backup\Memeo\My WD_Backup\C_\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB    Infected: not-a-virus:PSWTool.Win32.DBSniffer    1

Selected area has been scanned.

_________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:26:01 AM, on 8/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1-Click Answers\answers.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VRQ Uploader] C:\Program Files\NortonVRQ\Engine\5.0.2.10\VRQUploadFiles.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {1047CBD1-7E52-414F-B768-87CBB03678AD} (ebActiveTools3.ebFileDropper) - https://app.e-builder.net/da/documents/MultiFileUpload3_V01/ebActiveTools3.CAB
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194449549462
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://hummingbird2.nektar.com/net6helper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webexevents.webex.com/client/T27L/event/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phussc.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phussc.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phussc.net
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: Rockwell Alarm History Archiver (FTAE_Archiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
O23 - Service: Rockwell Alarm Historian (FTAE_HistServ) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9e96adb6c2fa) (gupdate1c9e96adb6c2fa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogReceiver - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Rockwell Namespace Services (NmspHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\NmspHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Rockwell Redundancy Services (RdcyHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RdcyHost.exe
O23 - Service: Rockwell Alarm Server (RnaAeServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
O23 - Service: Rockwell Alarm Multiplexer (RnaAlarmMux) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Alarm Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell HMI Framework - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
O23 - Service: Rockwell Tag Server - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 19315 bytes

1.1K Posts

August 2nd, 2010 13:00

Hi skissh,

Yep, the Kaspersky scan can take many hours dependent on the size of your system; it is very thorough and does a good job.

Please proceed as follows :-

Step 1

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------

    :Processes
    explorer.exe

    :Files
    c:\windows\TMP0001.TMP
    C:\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB
    C:\Documents and Settings\stevkis\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000004.pst
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034599.sys
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034611.sys
    Y:\My WD_Backup\Memeo\My WD_Backup\C_\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB
    :Commands
    [CreateRestorePoint]
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
    [Reboot]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.

Post the OTM log and let me know how your system is responding, any issues?

Kevin
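The two steps above rest on reading logs by eye: picking the files to hand to OTM out of the Kaspersky report, and spotting O2 entries that HijackThis reports as "(no file)" (a browser helper object still registered in the registry although its DLL is gone, which is why they are safe to let HJT fix). The following Python is an added example, not code from this thread, from HijackThis, Kaspersky or OTM; it parses both log formats, flags the orphaned BHOs, and sorts Kaspersky hits into live files, copies already sitting in a quarantine folder, and System Restore copies, then renders a list of paths as the `:Files` section of an OTM script. The sample lines are copied from the logs posted above; the list of quarantine folder names is an assumption made for the example.

```python
"""Triage helpers for the two log formats exchanged in this thread.
Added example, not code from the thread, HijackThis, Kaspersky or OTM.
Sample lines are copied from the posted logs; QUARANTINE_MARKERS is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis O2 line:  O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
HJT_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)

# Kaspersky Online Scanner hit:  <path>    Infected: <threat>    <count>
KAV_HIT = re.compile(r"^(?P<path>.+?)\s{2,}Infected: (?P<threat>\S+)\s+(?P<count>\d+)$")

# Folders where a hit is an already-contained copy (an AV quarantine, ComboFix's
# Qoobox) rather than a live file.  Assumed list for this example.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        # HijackThis prints "(no file)" when the registered DLL is missing on disk.
        return self.path.strip() == "(no file)"


def parse_bhos(hjt_log: str) -> list[Bho]:
    """Return every O2 (Browser Helper Object) entry found in a HijackThis log."""
    out = []
    for line in hjt_log.splitlines():
        m = HJT_O2.match(line.strip())
        if m:
            out.append(Bho(m["name"], m["clsid"], m["path"]))
    return out


def orphaned_bhos(hjt_log: str) -> list[Bho]:
    """O2 entries whose DLL no longer exists: dead registrations, not running code."""
    return [b for b in parse_bhos(hjt_log) if b.orphaned]


def triage_report(report: str) -> dict[str, list[str]]:
    """Sort Kaspersky hits into live files, quarantined copies and System Restore copies."""
    groups: dict[str, list[str]] = {"live": [], "quarantined": [], "restore_point": []}
    for line in report.splitlines():
        m = KAV_HIT.match(line.strip())
        if not m:
            continue
        path = m["path"]
        low = path.lower()
        if any(marker in low for marker in QUARANTINE_MARKERS):
            groups["quarantined"].append(path)
        elif "\\system volume information\\" in low:
            groups["restore_point"].append(path)
        else:
            groups["live"].append(path)
    return groups


def otm_files_block(paths: list[str]) -> str:
    """Render paths as the ':Files' section of an OTM script like the one above."""
    return ":Files\n" + "\n".join(paths) + "\n"


# Sample input copied from the HijackThis log and Kaspersky report posted above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
"""

KAV_SAMPLE = r"""
C:\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB    Infected: not-a-virus:PSWTool.Win32.DBSniffer    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15A80000.VBN    Infected: Backdoor.Win32.Agent.ani    1
C:\Documents and Settings\stevkis\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000004.pst    Infected: Trojan-Spy.HTML.Paylap.bw    1
C:\Qoobox\32788R22FWJFW\pci.sys    Infected: Rootkit.Win32.TDSS.ap    1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034599.sys    Infected: Rootkit.Win32.TDSS.ap    1
Y:\My WD_Backup\Memeo\My WD_Backup\C_\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB    Infected: not-a-virus:PSWTool.Win32.DBSniffer    1
"""

if __name__ == "__main__":
    for b in orphaned_bhos(HJT_SAMPLE):
        print("orphaned BHO:", b.clsid, b.name)
    groups = triage_report(KAV_SAMPLE)
    print(otm_files_block(groups["live"] + groups["restore_point"]))
```

On the sample, the four "(no file)" entries are exactly the four Kevin asks HJT to fix; the Symantec quarantine file and the Qoobox copy come out as "quarantined" and are left out of the OTM list, which matches the `:Files` block above, where only the live files and the restore-point copies appear.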

6 Posts

August 2nd, 2010 20:00

I had left my av program running when I ran OTM and the av program messaged me about some things but it seems the removals/moves still worked. I have yet to run many programs since following your last instructions but I can tell you this. Everything seems to work faster with less CPU time used overall. Also I had downloaded Chrome about 2 weeks ago in an attempt to get away from the redirections taking place in Firefox and that didn't help because Chrome wouldn't work but now it does. If I have any issues shall I just post them here and hope you check back? OTM log follows.

Thanks,

skissh

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\windows\TMP0001.TMP moved successfully.
C:\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB moved successfully.
C:\Documents and Settings\stevkis\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000004.pst moved successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034599.sys moved successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0034611.sys moved successfully.
Y:\My WD_Backup\Memeo\My WD_Backup\C_\Docs\Manuals\Access 2003 Bible\software\DBpwdSniffer\dbpwd.CAB moved successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 915 bytes
 
User: administrator.KAHUNA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 621 bytes
 
User: All Users
 
User: bradful
->Temp folder emptied: 0 bytes
 
User: Copy of stevkis
->Temp folder emptied: 238432366 bytes
->Temporary Internet Files folder emptied: 238486484 bytes
 
User: davikot
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 7058 bytes
->Flash cache emptied: 8589 bytes
 
User: Default User
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes
 
User: gregjuc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 805979 bytes
->FireFox cache emptied: 4681724 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 655494 bytes
->Flash cache emptied: 6498 bytes
 
User: mattlor
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
 
User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 3899526 bytes
->Flash cache emptied: 49825 bytes
 
User: petecas.KAHUNA
 
User: skissh
->Temp folder emptied: 106820367 bytes
->Temporary Internet Files folder emptied: 459928 bytes
->Java cache emptied: 10808356 bytes
->FireFox cache emptied: 50780983 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 7096998 bytes
 
User: stevkis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 16404466 bytes
->Java cache emptied: 7434872 bytes
->FireFox cache emptied: 33457525 bytes
->Flash cache emptied: 29433 bytes
 
User: stevkis.07SFL-SMK
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5243058 bytes
->FireFox cache emptied: 3781107 bytes
->Flash cache emptied: 405 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 247127 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33429 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 323697 bytes
RecycleBin emptied: 2006194 bytes
 
Total Files Cleaned = 698.00 mb
 
 
OTM by OldTimer - Version 3.1.15.0 log created on 08022010_185303

Files moved on Reboot...
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_570.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_5d0.dat not found!

Registry entries deleted on Reboot...

1.1K Posts

August 2nd, 2010 23:00

Hi skissh,

If all is OK we'll clean up and set you free; proceed as follows :-

Step 1

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  • This will also reset your system restore cache and create a clean restore point.


Step 2

  • Download OTC by OldTimer and save it to your Desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted. It will also remove the OTC application.


Your latest logs are clean and you say that your system is running well; it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.


Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons; if you're interested in more, take a look at THIS article.

Please read this excellent article by Tony Klein, "So how did I get infected in the first place?" It reiterates some of the above advice and gives a lot of other top tips.

Please keep Malwarebytes for occasional scans, and remember to always update first. Keeping your hard drive de-fragmented will also go a long way to keeping your system at optimum performance. The free version of Auslogic Disk Defrag available HERE will do the job nicely; that site also has an excellent tutorial. Also keep CCleaner for weekly runs to keep your system free of clutter.

Please reply and let me know if you have any other issues, or whether you are happy for me to close out this thread.

It's been a pleasure to work with you; take care,

Kevin

6 Posts

August 3rd, 2010 18:00

I have completed the steps you sent but haven't read all of your references. I do look forward to it actually. Thank you very much for your help. I definitely want to learn more about this whole process; can you suggest any resources?

I have Norton 2010 running on all my computers, which updates its definitions several times a day, but it didn't stop me from getting infected and it didn't fix things once I did. In your view is there a better alternative?

Respectfully,

skissh

1.1K Posts

August 3rd, 2010 23:00

Hi skissh

From your logs it would appear that you could have been infected via an email. Norton is a very good security program, but like all security, not infallible. Unfortunately malware is also very good at breaching vulnerabilities and taking advantage of people's curiosity.

Always keep everything up to date, not just Windows and your security. Java, Adobe, even your applications need to be kept up to date with all current patches. Never open anything you do not recognize; the same goes for dubious websites. If something sounds too good to be true, then usually it isn't.

My home site is SpywareHammer; go there and register. There is a school available to learn the trade of malware fighting. To join you must send a PM to Bugbatter making your request.

It is very worthwhile and satisfying. However, it can take up to a year to complete the training, depending on how much time you have available. All of the teachers are very knowledgeable and dedicated, but more importantly, very friendly and understanding. That is where I did my training.

One last thing for you to do.

You will probably have programs installed that may be outdated and, as such, most likely exploited. To be certain, use Secunia to check: please run the free online scan from Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing. You will also see an in-process indicator as you progress...
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia. It is very safe.

Kevin
