
jake_kelly (Members, 9 posts)

Everything posted by jake_kelly

  1. Things seem clean - haven't really tried to do much of anything yet, I want to get protection back in line before I do any browsing. Thanks for all your help!
  2. The three requested files have been deleted with HijackThis. Adobe Reader uninstalled and version 9 reinstalled. JavaRa was run and new JRE 6 Update 12 installed. JavaRa log and HijackThis log after all of above completed are posted below. PS. I have a feeling your next post might be all is good and well (fingers crossed), what would you recommend for antivirus / spyware protection? I have been using AVG for antivirus, and been trying out several different spyware blockers. Thanks!!!!

     JavaRa 1.13 Removal Log.
     Report follows after line.
     ------------------------------------
     The JavaRa removal process was started on Sat Feb 07 23:29:58 2009
     Found and removed: C:\Program Files\Java\j2re1.4.2_03
     Found and removed: C:\Windows\System32\jpicpl32.cpl
     Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142030}
     Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142050}
     Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142030}
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142050}
     Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
     Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}
     Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}
     Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}
     Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410203
     Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410205
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410205
     Found and removed: SOFTWARE\Classes\JavaPlugin.142_03
     Found and removed: SOFTWARE\Classes\JavaPlugin.142_05
     Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_03
     Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_05
     Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_03
     Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_05
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_03
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_05
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
     Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
     ------------------------------------
     Finished reporting.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:40:46 PM, on 2/7/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\S24EvMon.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\ZCfgSvc.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\System32\1XConfig.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\System32\DSentry.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\DesktopAuthority\ragui.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Microsoft ActiveSync\wcescomm.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
     C:\Program Files\Digital Line Detect\DLG.exe
     C:\Program Files\GPS Pathfinder Office 3.10\conmgr.exe
     C:\Program Files\GPS Pathfinder Office 3.10\pfpjchgr.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\PROGRA~1\MICROS~4\rapimgr.exe
     C:\WINDOWS\System32\basfipm.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\DesktopAuthority\RaMaint.exe
     C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.EXE
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\DesktopAuthority\DesktopAuthority.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\WINDOWS\System32\RegSrvc.exe
     C:\Program Files\Symantec AntiVirus\SavRoam.exe
     C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
     C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Documents and Settings\SW Employee\Desktop\hijackthis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.adp.com
     O15 - Trusted Zone: *.arcata
     O15 - Trusted Zone: *.davis
     O15 - Trusted Zone: *.intranet
     O15 - Trusted Zone: *.menehune
     O15 - Trusted Zone: *.ripple
     O15 - Trusted Zone: *.arcata (HKLM)
     O15 - Trusted Zone: *.davis (HKLM)
     O15 - Trusted Zone: *.intranet (HKLM)
     O15 - Trusted Zone: *.menehune (HKLM)
     O15 - Trusted Zone: *.ripple (HKLM)
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
     O18 - Protocol: biblioscape - (no CLSID) - (no file)
     O20 - AppInit_DLLs: DAinit.dll
     O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
     O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
     O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
     O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
     O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
     O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
     O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

     --
     End of file - 9460 bytes
  3. MBAM log and HijackThis log below. Note, this is the first time HijackThis has run without giving me an error. Thanks!

     Malwarebytes' Anti-Malware 1.33
     Database version: 1736
     Windows 5.1.2600 Service Pack 2

     2/7/2009 9:43:55 AM
     mbam-log-2009-02-07 (9-43-55).txt

     Scan type: Full Scan (C:\|D:\|)
     Objects scanned: 104881
     Time elapsed: 41 minute(s), 21 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\SW Employee\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SW Employee\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 9:57:48 AM, on 2/7/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\S24EvMon.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\ZCfgSvc.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\System32\1XConfig.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
     C:\WINDOWS\System32\DSentry.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\DesktopAuthority\ragui.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Microsoft ActiveSync\wcescomm.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
     C:\Program Files\Digital Line Detect\DLG.exe
     C:\Program Files\GPS Pathfinder Office 3.10\conmgr.exe
     C:\Program Files\GPS Pathfinder Office 3.10\pfpjchgr.exe
     C:\WINDOWS\System32\basfipm.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\DesktopAuthority\RaMaint.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\DesktopAuthority\DesktopAuthority.exe
     C:\PROGRA~1\MICROS~4\rapimgr.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     C:\WINDOWS\System32\RegSrvc.exe
     C:\Program Files\Symantec AntiVirus\SavRoam.exe
     C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.EXE
     C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
     C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Documents and Settings\SW Employee\Desktop\hijackthis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.adp.com
     O15 - Trusted Zone: *.arcata
     O15 - Trusted Zone: *.davis
     O15 - Trusted Zone: *.intranet
     O15 - Trusted Zone: *.menehune
     O15 - Trusted Zone: *.ripple
     O15 - Trusted Zone: *.arcata (HKLM)
     O15 - Trusted Zone: *.davis (HKLM)
     O15 - Trusted Zone: *.intranet (HKLM)
     O15 - Trusted Zone: *.menehune (HKLM)
     O15 - Trusted Zone: *.ripple (HKLM)
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
     O18 - Protocol: biblioscape - (no CLSID) - (no file)
     O20 - AppInit_DLLs: DAinit.dll
     O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
     O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
     O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
     O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
     O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
     O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
     O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

     --
     End of file - 9478 bytes
  4. ComboFix is uninstalled and Malwarebytes is installed. Shall I run it and post the log?
  5. Hi Tigger, new logs attached. Thanks!

     ComboFix 09-02-05.01 - SW Employee 2009-02-06 19:25:28.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.170 [GMT -8:00]
     Running from: c:\documents and settings\SW Employee\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\SW Employee\Desktop\CFScript.txt
     * Created a new restore point

     FILE ::
     c:\windows\SYSTEM32\windrv.sys
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\LocalService\protect.dll
     c:\documents and settings\SW Employee\protect.dll
     c:\program files\Global Logger.exe
     C:\VundoFix Backups
     c:\windows\system32\bar\
     c:\windows\SYSTEM32\CONFIG\systemprofile\protect.dll
     c:\windows\SYSTEM32\windrv.sys

     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Service_Acpild3arap


     ((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
     .

     2009-02-05 22:36 . 2009-02-05 23:06 <DIR> d-------- C:\Trouble
     2009-01-27 00:37 . 2009-02-05 20:18 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
     2009-01-27 00:36 . 2009-02-05 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
     2009-01-26 23:33 . 2009-01-26 23:33 <DIR> d-------- c:\program files\Common Files\Download Manager
     2009-01-26 20:47 . 2009-01-26 20:47 <DIR> d-------- c:\program files\AVG
     2009-01-26 20:47 . 2009-02-05 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\tyc
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\Chasco
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\brandon
     2009-01-26 16:40 . 2009-02-05 22:54 <DIR> d--hs---- c:\windows\SYSTEM32\twain32
     2009-01-26 16:39 . 2009-01-26 16:39 54,156 --ah----- c:\windows\QTFont.qfn
     2009-01-26 16:39 . 2009-01-26 16:39 1,409 --a------ c:\windows\QTFont.for
     2009-01-22 21:03 . 2009-01-22 21:04 <DIR> d-------- c:\program files\Google
     2009-01-22 21:03 . 2009-02-06 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-07 03:31 --------- d-----w c:\program files\Symantec AntiVirus
     2009-02-07 03:10 --------- d-----w c:\program files\DesktopAuthority
     2009-02-06 05:45 --------- d-----w c:\documents and settings\SW Employee\Application Data\Lavasoft
     2009-01-27 08:40 4,224 ----a-w c:\windows\system32\drivers\BEEP.SYS
     2009-01-26 09:18 --------- d-----w c:\program files\PokerStars
     2006-12-13 20:27 557,056 -c--a-w c:\documents and settings\SW Employee\GoToAssist_phone__319_en.exe
     2006-04-13 22:20 62,176 -c--a-w c:\documents and settings\SW Employee\Application Data\GDIPFONTCACHEV1.DAT
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
     "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
     "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 32881]
     "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
     "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
     "Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2004-06-09 409600]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-20 98304]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
     "CANON DR2080C SVC"="DR2KSVC.dll" [2002-12-11 c:\windows\SYSTEM32\DR2KSVC.DLL]
     "PFO Check Settings"="pfochk.exe" [2005-04-18 c:\windows\pfochk.exe]

     c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\
     ChkDisk.dll [2009-02-05 22016]

     c:\documents and settings\SW Employee\Start Menu\Programs\Startup\
     ChkDisk.dll [2009-02-01 22016]
     ChkDisk.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-03-19 33280]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-27 49254]
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-09 110592]
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-03 24576]
     GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 3.10\conmgr.exe [2007-02-14 65536]
     GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 3.10\pfpjchgr.exe [2007-02-14 32768]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
     2004-01-13 12:17 110592 c:\windows\SYSTEM32\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=DAinit.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "VIDC.DVSD"= pdvcodec.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
     "c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
     "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
     "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
     "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
     "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
     "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

     R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [2004-08-17 6528]
     R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [2004-08-17 49152]
     R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [2004-08-17 1081344]
     R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
     R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]
     R3 DAmirr;DAmirr;c:\windows\SYSTEM32\DRIVERS\DAmirr.sys [2004-08-17 3072]
     R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [2003-02-14 59328]
     S1 oxpar;%OXPAR.SVCDESC%;c:\windows\SYSTEM32\DRIVERS\oxpar.sys [2005-11-15 80128]
     S2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2006-09-17 467968]
     S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [1979-12-31 33847]
     S3 LxrSG20d;LxrSG20d;c:\windows\SYSTEM32\DRIVERS\LxrSG20d.sys [2004-09-17 68672]
     S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
     S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
     S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\SYSTEM32\DRIVERS\TrmbTS.sys [2008-01-28 23040]
     S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\SYSTEM32\DRIVERS\TRMUSB5K.SYS [2008-01-28 9881]
     S3 USA19H;USA19H;c:\windows\SYSTEM32\DRIVERS\USA19H2k.sys [2007-03-13 727908]
     S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\SYSTEM32\DRIVERS\USA19H2kp.sys [2007-03-13 44928]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c97f10-99a6-11dd-a2f6-000e354e1ff8}]
     \Shell\AutoRun\command - E:\Autorun.exe /run
     \Shell\Shell00\Command - E:\Autorun.exe /run
     \Shell\Shell01\Command - E:\Autorun.exe /action
     \Shell\Shell02\Command - E:\Autorun.exe /uninstall

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{411d5470-af04-11dd-a311-000e354e1ff8}]
     \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5efa840-cb26-11da-bb8a-006073eb272a}]
     \Shell\AutoRun\command - SETUP.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2009-02-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

     2009-02-07 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 21:03]
     .
     - - - - ORPHANS REMOVED - - - -

     HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll

     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     mStart Page = hxxp://www.dell.com
     uInternet Settings,ProxyOverride = 127.0.0.1;<local>
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: adp.com
     Trusted Zone: arcata
     Trusted Zone: davis
     Trusted Zone: intranet
     Trusted Zone: menehune
     Trusted Zone: ripple
     Trusted Zone: arcata
     Trusted Zone: davis
     Trusted Zone: intranet
     Trusted Zone: menehune
     Trusted Zone: ripple
     FF - ProfilePath - c:\documents and settings\SW Employee\Application Data\Mozilla\Firefox\Profiles\9vldvxf5.default\
     FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
     FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.adp.com
     O15 - Trusted Zone: *.arcata
     O15 - Trusted Zone: *.davis
     O15 - Trusted Zone: *.intranet
     O15 - Trusted Zone: *.menehune
     O15 - Trusted Zone: *.ripple
     O15 - Trusted Zone: *.arcata (HKLM)
     O15 - Trusted Zone: *.davis (HKLM)
     O15 - Trusted Zone: *.intranet (HKLM)
     O15 - Trusted Zone: *.menehune (HKLM)
     O15 - Trusted Zone: *.ripple (HKLM)
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
     O18 - Protocol: biblioscape - (no CLSID) - (no file)
     O20 - AppInit_DLLs: DAinit.dll
     O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
     O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
     O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
     O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
     O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
     O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
     O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

     --
     End of file - 9400 bytes
  6. I just re-read your note, and saw the part about never renaming ComboFix, sorry about failing to follow instructions, not thinking with all my wits as frustration has really set in and I had forgotten your instructions that I read many hours earlier. Nevertheless, it ran, and I am posting a ComboFix log and a HijackThis log - I'll stay on ask as I wait for further instructions.

     ComboFix 09-02-05.01 - SW Employee 2009-02-05 22:57:04.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.227 [GMT -8:00]
     Running from: c:\documents and settings\SW Employee\Desktop\Trouble.exe
     * Created a new restore point
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\docume~1\SWEMPL~1\LOCALS~1\Temp\fs.dll
     c:\windows\IE4 Error Log.txt
     c:\windows\system32\autochk.dll
     c:\windows\system32\bar\
     c:\windows\system32\crypts.dll
     c:\windows\system32\drivers\fad.sys
     c:\windows\system32\drivers\TDSSmhlt.sys
     c:\windows\system32\iehelper.dll
     c:\windows\system32\TDSSbrsr.dll
     c:\windows\system32\TDSScfum.dll
     c:\windows\system32\TDSSlxwp.dll
     c:\windows\system32\TDSSnmxh.log
     c:\windows\system32\TDSSoiqh.dll
     c:\windows\system32\TDSSosvd.dat
     c:\windows\system32\TDSSrhym.log
     c:\windows\system32\TDSSriqp.dll
     c:\windows\system32\TDSSsihc.dll
     c:\windows\system32\TDSStkdv.log
     c:\windows\system32\twex.exe
     c:\windows\system32\windows.exe

     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Service_TDSSSERV.SYS
     -------\Legacy_TDSSSERV.SYS
     -------\Legacy_NETSVCS_0X0
     -------\Service_netsvcs_0x0


     ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
     .

     2009-02-01 20:12 . 2009-02-01 20:12 22,016 --ahs---- c:\documents and settings\LocalService\protect.dll
     2009-02-01 19:16 . 2009-02-01 19:16 22,016 --ahs---- c:\documents and settings\SW Employee\protect.dll
     2009-02-01 12:25 . 2009-02-01 12:25 22,016 --ahs---- c:\windows\SYSTEM32\CONFIG\systemprofile\protect.dll
     2009-01-27 22:03 . 2009-01-27 22:03 <DIR> d-------- C:\VundoFix Backups
     2009-01-27 00:37 . 2009-02-05 20:18 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
     2009-01-27 00:36 . 2009-02-05 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
     2009-01-26 23:39 . 2009-01-26 23:39 1,152 --a------ c:\windows\SYSTEM32\windrv.sys
     2009-01-26 23:33 . 2009-01-26 23:33 <DIR> d-------- c:\program files\Common Files\Download Manager
     2009-01-26 20:47 . 2009-01-26 20:47 <DIR> d-------- c:\program files\AVG
     2009-01-26 20:47 . 2009-02-05 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\tyc
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\Chasco
     2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\brandon
     2009-01-26 16:40 . 2009-02-05 22:54 <DIR> d--hs---- c:\windows\SYSTEM32\twain32
     2009-01-26 16:39 . 2009-01-26 16:39 54,156 --ah----- c:\windows\QTFont.qfn
     2009-01-26 16:39 . 2009-01-26 16:39 1,409 --a------ c:\windows\QTFont.for
     2009-01-22 21:03 . 2009-01-22 21:04 <DIR> d-------- c:\program files\Google
     2009-01-22 21:03 . 2009-02-04 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-06 07:03 --------- d-----w c:\program files\Symantec AntiVirus
     2009-02-06 05:45 --------- d-----w c:\documents and settings\SW Employee\Application Data\Lavasoft
     2009-02-06 04:00 --------- d-----w c:\program files\DesktopAuthority
     2009-01-27 08:40 4,224 ----a-w c:\windows\system32\drivers\BEEP.SYS
     2009-01-26 09:18 --------- d-----w c:\program files\PokerStars
     2006-12-13 20:27 557,056 -c--a-w c:\documents and settings\SW Employee\GoToAssist_phone__319_en.exe
     2006-04-13 22:20 62,176 -c--a-w c:\documents and settings\SW Employee\Application Data\GDIPFONTCACHEV1.DAT
     2001-09-24 22:13 1,064,960 ----a-w c:\program files\Global Logger.exe
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
     "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
     "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 32881]
     "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
     "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
     "Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2004-06-09 409600]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-20 98304]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
     "CANON DR2080C SVC"="DR2KSVC.dll" [2002-12-11 c:\windows\SYSTEM32\DR2KSVC.DLL]
     "PFO Check Settings"="pfochk.exe" [2005-04-18 c:\windows\pfochk.exe]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "autochk"="c:\docume~1\LOCALS~1\protect.dll" [2009-02-01 22016]

     c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\
     ChkDisk.dll [2009-02-05 22016]

     c:\documents and settings\SW Employee\Start Menu\Programs\Startup\
     ChkDisk.dll [2009-02-01 22016]
     ChkDisk.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-03-19 33280]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-27 49254]
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-09 110592]
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-03 24576]
     GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 3.10\conmgr.exe [2007-02-14 65536]
     GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 3.10\pfpjchgr.exe [2007-02-14 32768]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
     2004-01-13 12:17 110592 c:\windows\SYSTEM32\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=DAinit.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "VIDC.DVSD"= pdvcodec.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\SmartFTP\\SmartFTP.exe"= "c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"= "c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [2004-08-17 6528] R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [2004-08-17 49152] R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [2004-08-17 1081344] R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192] R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992] R3 DAmirr;DAmirr;c:\windows\SYSTEM32\DRIVERS\DAmirr.sys [2004-08-17 3072] R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [2003-02-14 59328] S1 oxpar;%OXPAR.SVCDESC%;c:\windows\SYSTEM32\DRIVERS\oxpar.sys [2005-11-15 80128] S2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2006-09-17 467968] S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver 
CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [1979-12-31 33847] S3 Acpild3arap;Acpild3arap; [x] S3 LxrSG20d;LxrSG20d;c:\windows\SYSTEM32\DRIVERS\LxrSG20d.sys [2004-09-17 68672] S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?] S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?] S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\SYSTEM32\DRIVERS\TrmbTS.sys [2008-01-28 23040] S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\SYSTEM32\DRIVERS\TRMUSB5K.SYS [2008-01-28 9881] S3 USA19H;USA19H;c:\windows\SYSTEM32\DRIVERS\USA19H2k.sys [2007-03-13 727908] S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\SYSTEM32\DRIVERS\USA19H2kp.sys [2007-03-13 44928] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c97f10-99a6-11dd-a2f6-000e354e1ff8}] \Shell\AutoRun\command - E:\Autorun.exe /run \Shell\Shell00\Command - E:\Autorun.exe /run \Shell\Shell01\Command - E:\Autorun.exe /action \Shell\Shell02\Command - E:\Autorun.exe /uninstall [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{411d5470-af04-11dd-a311-000e354e1ff8}] \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5efa840-cb26-11da-bb8a-006073eb272a}] \Shell\AutoRun\command - SETUP.exe . Contents of the 'Scheduled Tasks' folder 2009-02-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [] 2009-02-06 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 21:03] . - - - - ORPHANS REMOVED - - - - BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll HKLM-Run-bascstray - BascsTray.exe . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mStart Page = hxxp://www.dell.com uInternet Settings,ProxyOverride = 127.0.0.1;<local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: adp.com Trusted Zone: arcata Trusted Zone: davis Trusted Zone: intranet Trusted Zone: menehune Trusted Zone: ripple Trusted Zone: arcata Trusted Zone: davis Trusted Zone: intranet Trusted Zone: menehune Trusted Zone: ripple FF - ProfilePath - c:\documents and settings\SW Employee\Application Data\Mozilla\Firefox\Profiles\9vldvxf5.default\ FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.adp.com O15 - Trusted Zone: *.arcata O15 - Trusted Zone: *.davis O15 - Trusted Zone: *.intranet O15 - Trusted Zone: *.menehune O15 - Trusted Zone: *.ripple O15 - Trusted Zone: *.arcata (HKLM) O15 - Trusted Zone: *.davis (HKLM) O15 - Trusted Zone: *.intranet (HKLM) O15 - Trusted Zone: *.menehune (HKLM) O15 - Trusted Zone: *.ripple (HKLM) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O18 - Protocol: biblioscape - (no CLSID) - (no file) O20 - AppInit_DLLs: DAinit.dll O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe O23 - Service: 
RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 9780 bytes
  7. I got ComboFix to run by renaming the .exe, so it is scanning now and hopefully I will have logs to post shortly!
  8. Hi: Thanks for the reply! I can't run combofix.exe - installed on my desktop. I've tried in safe mode as well. Any suggestions on how to get around this? Note that this is the same symptom as when I try to run mbam.exe: nothing happens. Thanks!
  9. Hi, please help! System is Windows XP SP2. I have the Vundo virus and it won't let me install Malwarebytes or update my antivirus and other spyware software. The antivirus has removed pieces of it, so that I don't get the pop-ups anymore about the fake antispyware stuff, but overall the virus is still very functional. HijackThis log below (note, I did get an error when HijackThis ran, but I did still get a report). Thanks!