Computer Security & Viruses/2 Trojan Virus' can't remove

Advertisement

Expert: - 7/19/2009


Question
QUESTION: I have 2 virus entries showing up in my Trend Micro log that can't be removed. TROJ_GEN.8V200 and TROJ_SUDIET.AC. Google searches seem to get swapped when clicking on resulting search sites, pop-up ads randomly appear,the yellow windows shield icon is trying to get me to update my computer, randomly some pop-up key stroke recorder message appears, blue screens happen periodically (especially when I attempt to fire up a citrix session). Any chance you can help me clean up. Also, I had the braviax virus that I may have partially or completely removed. Also, I appear to have a duplicate CD drive which showed up at the same time as the virus. Any chance you can help? My IT dept is wanting to strip down my computer and reload but I have a feeling the virus will remain.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:12 PM, on 7/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\TEMP\CRD0FC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Pando Networks\Media Booster\pmb.exe
C:\Documents and Settings\msalmond\Application Data\syssl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\msalmond\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iconnect.criver.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconnect.criver.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iconnect.criver.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/en/download/index.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Pando Media Booster] "C:\Program Files\Pando Networks\Media Booster\PMB.exe"
O4 - HKCU\..\Run: [Win32load] C:\Documents and Settings\msalmond\Application Data\syssl.exe -lds
O4 - HKCU\..\Run: [defender32.exe] C:\DOCUME~1\msalmond\LOCALS~1\Temp\defender32.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://iconnect.criver.com
O15 - Trusted Zone: *.webex.att.com
O15 - Trusted Zone: *.webmeeting.att.com
O15 - Trusted Zone: http://atlas.mtl.ca.crl
O15 - Trusted Zone: http://content.mtl.ca.crl
O15 - Trusted Zone: http://*.content
O15 - Trusted Zone: *.iconnect.criver.com
O15 - Trusted Zone: http://crlweb.criver.com
O15 - Trusted Zone: http://kvs-svr1.criver.com
O15 - Trusted Zone: *.criver.com
O15 - Trusted Zone: http://*.na01.crl.com
O15 - Trusted Zone: http://rivernet.crl.com
O15 - Trusted Zone: http://webmail.crl.com
O15 - Trusted Zone: *.crl.com
O15 - Trusted Zone: http://*.crl.com
O15 - Trusted Zone: http://*.itsdev
O15 - Trusted Zone: http://*.itstest
O15 - Trusted Zone: http://*.mtl-sv0040
O15 - Trusted Zone: http://*.mtl-sv1039
O15 - Trusted Zone: *.mycrlstudy.com
O15 - Trusted Zone: http://*.nobel
O15 - Trusted Zone: http://*.testcontent
O15 - Trusted Zone: http://*.validationcontent
O15 - Trusted Zone: http://*.webanchem
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: http://*.webmeeting.com
O15 - Trusted Zone: http://*.Webtox
O15 - Trusted Zone: http://*.worglobal
O15 - ESC Trusted Zone: mtl.ca.crl
O15 - ESC Trusted Zone: http://*.filext.com
O15 - ESC Trusted Zone: http://www.google.ca
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.versalysformation.com
O15 - ESC Trusted Zone: http://www.windowsdevcenter.com
O15 - ESC Trusted Zone: mtl.ca.crl (HKLM)
O15 - ESC Trusted Zone: http://*.filext.com (HKLM)
O15 - ESC Trusted Zone: http://www.google.ca (HKLM)
O15 - ESC Trusted Zone: http://www.versalysformation.com (HKLM)
O15 - ESC Trusted Zone: http://www.windowsdevcenter.com (HKLM)
O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://mer-pr-sys-01:8080/qcbin/capicom.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuwe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://mer-pr-sys-01:8080/qcbin/Spider91.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\Software\..\Telephony: DomainName = na01.crl.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na01.crl.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 16881 bytes


ANSWER: Hi Matt

Let's give it a try before handing it over to IT.  Please download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Important: Save it to your Desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. Follow the prompts and be sure to install the Windows Recovery Console if asked to. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.  Copy and paste that log to me and include a new HJT log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
Thanks for the instructions: Attached as requested

ComboFix 09-07-14.08 - MSALMOND 07/18/2009 21:31.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.607 [GMT -4:00]
Running from: c:\documents and settings\msalmond\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {3377B511-6559-46EC-AB63-062B64434788}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\msalmond\XP Deluxe Protector
c:\documents and settings\msalmond\XP Deluxe Protector\1.exe
c:\documents and settings\msalmond\XP Deluxe Protector\xpdeluxe.exe
C:\egtau.exe
C:\eughafh.exe
C:\fhlyeby.exe
C:\iilhoh.exe
C:\jatpma.exe
C:\khkha.exe
C:\mpktnpah.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\Installer\1127e.msi
c:\windows\Installer\1142f32.msi
c:\windows\Installer\11f2be1.msp
c:\windows\Installer\11f2bfd.msp
c:\windows\Installer\12665.msi
c:\windows\Installer\130d57d.msi
c:\windows\Installer\17d59b.msp
c:\windows\Installer\17d5af.msp
c:\windows\Installer\184a685.msp
c:\windows\Installer\1a77d1.msp
c:\windows\Installer\1b6e8b.msi
c:\windows\Installer\1b6e8c.msp
c:\windows\Installer\1b6e8d.msp
c:\windows\Installer\1b6e8e.msp
c:\windows\Installer\1b6e8f.msp
c:\windows\Installer\1b6e90.msp
c:\windows\Installer\1b6e91.msp
c:\windows\Installer\1b6e92.msp
c:\windows\Installer\1b6e93.msp
c:\windows\Installer\1b6e94.msp
c:\windows\Installer\1c08fa2.msi
c:\windows\Installer\1e05b89.msi
c:\windows\Installer\208a24c.msi
c:\windows\Installer\20a6d1.msi
c:\windows\Installer\20a6d2.msp
c:\windows\Installer\20a6d3.msp
c:\windows\Installer\20a6d4.msp
c:\windows\Installer\20a6d5.msp
c:\windows\Installer\20a6d6.msp
c:\windows\Installer\20a6d7.msp
c:\windows\Installer\20a6d8.msp
c:\windows\Installer\20a6d9.msp
c:\windows\Installer\20a6da.msp
c:\windows\Installer\20a6db.msp
c:\windows\Installer\231d092.msp
c:\windows\Installer\231d0aa.msp
c:\windows\Installer\231d0bf.msp
c:\windows\Installer\2becfba.msi
c:\windows\Installer\3508795.msp
c:\windows\Installer\35087ae.msp
c:\windows\Installer\36fa076.msp
c:\windows\Installer\36fa082.msp
c:\windows\Installer\36fa093.msp
c:\windows\Installer\381498.msi
c:\windows\Installer\3fee35.msi
c:\windows\Installer\3fee37.msi
c:\windows\Installer\3fee45.msi
c:\windows\Installer\3fee47.msi
c:\windows\Installer\3fee49.msi
c:\windows\Installer\3fee4a.msi
c:\windows\Installer\40f2e4e.msp
c:\windows\Installer\40f2e63.msp
c:\windows\Installer\40f2e7f.msp
c:\windows\Installer\40f2e94.msp
c:\windows\Installer\561c9e.msi
c:\windows\Installer\60af91.msi
c:\windows\Installer\61f6e3.msi
c:\windows\Installer\6e807.msp
c:\windows\Installer\7bc4fe.msi
c:\windows\Installer\866214.msi
c:\windows\Installer\8721f.msp
c:\windows\Installer\8d40fe.msi
c:\windows\Installer\8d419e.msi
c:\windows\Installer\8ed03.msp
c:\windows\Installer\8ed18.msp
c:\windows\Installer\94a5d9.msi
c:\windows\Installer\ac6e1.msi
c:\windows\Installer\c620e.msp
c:\windows\Installer\df19f8.msi
c:\windows\Installer\f2729a.msi
c:\windows\msa.exe
c:\windows\srn_1247357928.exe
c:\windows\srn_1247373074.exe
c:\windows\srn_1247507826.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\hjgruienkmpfgx.sys
c:\windows\system32\drivers\UACltoittsveotkgop.sys
c:\windows\system32\FTPx.dll
c:\windows\system32\gdi32lib.dll
c:\windows\system32\hjgruialvtjskm.dll
c:\windows\system32\hjgruifptmppuo.dat
c:\windows\system32\hjgruiijvjhrfm.dll
c:\windows\system32\hjgruinbaqgoeh.dat
c:\windows\system32\mcenspc.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\UACjwomvjkaoyrdnya.dat
c:\windows\system32\UACxsnoewjkrtrmfot.dll
c:\windows\system32\UACxsnoewjkrtrmfot_3c0.VIR
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wisdstr.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

----- BITS: Possible infected sites -----

hxxp://wlm-deploy01.na01.crl.com
c:\windows\system32\proquota.exe . . . is missing!!

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiujwniyyg
-------\Service_UACd.sys


(((((((((((((((((((((((((   Files Created from 2009-06-19 to 2009-07-19  )))))))))))))))))))))))))))))))
.

2009-07-14 14:35 . 2009-07-19 01:10   10752   ----a-w-   c:\windows\DCEBoot.exe
2009-07-13 20:37 . 2009-07-13 20:37   --------   d-----w-   c:\documents and settings\pcconfig\Application Data\InstallShield
2009-07-13 16:07 . 2009-07-13 16:07   12288   ----a-w-   c:\documents and settings\msalmond\Application Data\syssl.exe
2009-07-13 12:51 . 2009-07-13 05:02   121344   ----a-w-   c:\windows\msc.exe
2009-07-13 02:56 . 2009-07-13 03:03   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2009-07-13 02:01 . 2009-07-13 03:17   11264   ----a-w-   C:\benfuse.exe
2009-07-11 22:53 . 2009-07-11 22:53   135680   ----a-w-   c:\windows\msb.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 01:40 . 2007-03-16 18:49   17408   ----a-w-   c:\windows\system32\rpcnetp.exe
2009-07-19 01:40 . 2007-03-16 18:29   56680   ----a-w-   c:\windows\system32\rpcnet.dll
2009-07-16 20:06 . 2007-03-16 18:49   17408   ----a-w-   c:\windows\system32\rpcnetp.dll
2009-07-13 23:56 . 2006-09-07 14:09   --------   d-----w-   c:\program files\AT&T Global Network Client
2009-07-12 04:00 . 2006-09-06 22:27   5427   ----a-w-   c:\windows\system32\EGATHDRV.SYS
2009-06-17 20:36 . 2007-08-17 15:29   --------   d-----w-   c:\documents and settings\msalmond\Application Data\Roxio
2009-06-07 19:26 . 2007-08-08 14:31   256   ----a-w-   c:\windows\system32\pool.bin
2009-06-01 00:10 . 2009-06-01 00:10   131   ----a-w-   C:\drmHeader.bin
2009-05-31 19:44 . 2006-12-02 02:37   56680   ----a-w-   c:\windows\system32\rpcnet.exe
2009-05-07 15:44 . 1980-01-01 07:00   344064   ------w-   c:\windows\system32\localspl.dll
2009-05-07 07:04 . 2007-09-23 18:27   157712   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2009-04-29 04:56 . 1980-01-01 07:00   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-04-29 04:55 . 1980-01-01 07:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2006-12-29 19:15 . 2007-07-26 17:01   3100672   ----a-w-   c:\program files\Common Files\sapxlhelper.dll
2006-12-29 19:15 . 2007-07-26 17:01   192512   ----a-w-   c:\program files\Common Files\sapconsr3.dll
2006-12-29 19:15 . 2007-07-26 17:01   626688   ----a-w-   c:\program files\Common Files\sapconsaccess.dll
2006-12-29 19:15 . 2007-07-26 17:01   40960   ----a-w-   c:\program files\Common Files\DigitalSignature.ocx
2006-12-07 14:26 . 2007-07-26 17:01   1124864   ----a-w-   c:\program files\Common Files\SAPActiveXL_nosig.xlt
2006-12-07 14:26 . 2007-07-26 17:01   1129984   ----a-w-   c:\program files\Common Files\SAPActiveXL.xlt
.

------- Sigcheck -------

[7] 2004-08-04 12:00   4224   DA1F27D85E0D1525F6621372E7B685E9   c:\windows\system32\dllcache\beep.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-02-19 2233672]
"Win32load"="c:\documents and settings\msalmond\Application Data\syssl.exe" [2009-07-13 12288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-06-08 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2005-06-08 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2005-06-08 45106]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2005-06-08 20480]
"Client Access PC5250 Sound"="c:\program files\IBM\Client Access\Emulator\pcssnd.exe" [2005-06-08 40960]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-08 718120]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-20 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-20 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-6 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01   32768   ------w-   c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 21:59   39936   ------w-   c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45   28672   ------w-   c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16   24576   ------w-   c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd csspwntfy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\msalmond\\Application Data\\syssl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57912:TCP"= 57912:TCP:PMB P2P TCP Listening Port
"57912:UDP"= 57912:UDP:PMB P2P UDP Listening Port

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/6/2006 6:04 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/6/2006 6:04 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/6/2006 6:28 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 8:14 PM 12544]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 4:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 7:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 5:44 PM 3328]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
R3 ABVPN2K;Net Firewall Miniport Interface;c:\windows\system32\drivers\abvpn2k.sys [9/7/2006 10:09 AM 161316]
R3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [9/7/2006 10:09 AM 13952]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [8/25/2008 9:37 AM 652552]
UnknownUnknown dsload;dsload; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-07-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-06 08:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-PExpress Unattended - (no file)
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://iconnect.criver.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.java.com/en/download/index.jsp
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: att.com\*.webex
Trusted Zone: att.com\*.webmeeting
Trusted Zone: ca.crl\atlas.mtl
Trusted Zone: ca.crl\content.mtl
Trusted Zone: ca.crl\nagios-1.mtl
Trusted Zone: content
Trusted Zone: criver.com
Trusted Zone: criver.com\*.iconnect
Trusted Zone: criver.com\crlweb
Trusted Zone: criver.com\kvs-svr1
Trusted Zone: criver.com\portal
Trusted Zone: crl.com
Trusted Zone: crl.com\*.na01
Trusted Zone: crl.com\rivernet
Trusted Zone: crl.com\webmail
Trusted Zone: gotomeeting.com
Trusted Zone: itsdev
Trusted Zone: itstest
Trusted Zone: mtl-sv0040
Trusted Zone: mtl-sv1039
Trusted Zone: mycrlstudy.com
Trusted Zone: nobel
Trusted Zone: testcontent
Trusted Zone: validationcontent
Trusted Zone: webanchem
Trusted Zone: webex.com
Trusted Zone: webmeeting.com
Trusted Zone: Webtox
Trusted Zone: worglobal
DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://mer-pr-sys-01:8080/qcbin/Spider91.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1556)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1612)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(5656)
c:\windows\system32\PROCHLP.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\lotus\notes\ntmulti.exe
c:\progra~1\AT&TGL~1\NetCfgSv.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Temp\GF9734.EXE
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
C:\Updater.exe
.
**************************************************************************
.
Completion time: 2009-07-19 21:47 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-19 01:47

Pre-Run: 6,316,544,000 bytes free
Post-Run: 6,340,448,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

395   --- E O F ---   2009-06-15 12:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:06 PM, on 7/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\TEMP\GF9734.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Pando Networks\Media Booster\pmb.exe
C:\Documents and Settings\msalmond\Application Data\syssl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\msalmond\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconnect.criver.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/en/download/index.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Pando Media Booster] "C:\Program Files\Pando Networks\Media Booster\PMB.exe"
O4 - HKCU\..\Run: [Win32load] C:\Documents and Settings\msalmond\Application Data\syssl.exe -lds
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://iconnect.criver.com
O15 - Trusted Zone: *.webex.att.com
O15 - Trusted Zone: *.webmeeting.att.com
O15 - Trusted Zone: http://atlas.mtl.ca.crl
O15 - Trusted Zone: http://content.mtl.ca.crl
O15 - Trusted Zone: http://*.content
O15 - Trusted Zone: *.iconnect.criver.com
O15 - Trusted Zone: http://crlweb.criver.com
O15 - Trusted Zone: http://kvs-svr1.criver.com
O15 - Trusted Zone: *.criver.com
O15 - Trusted Zone: http://*.na01.crl.com
O15 - Trusted Zone: http://rivernet.crl.com
O15 - Trusted Zone: http://webmail.crl.com
O15 - Trusted Zone: *.crl.com
O15 - Trusted Zone: http://*.crl.com
O15 - Trusted Zone: http://*.itsdev
O15 - Trusted Zone: http://*.itstest
O15 - Trusted Zone: http://*.mtl-sv0040
O15 - Trusted Zone: http://*.mtl-sv1039
O15 - Trusted Zone: *.mycrlstudy.com
O15 - Trusted Zone: http://*.nobel
O15 - Trusted Zone: http://*.testcontent
O15 - Trusted Zone: http://*.validationcontent
O15 - Trusted Zone: http://*.webanchem
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: http://*.webmeeting.com
O15 - Trusted Zone: http://*.Webtox
O15 - Trusted Zone: http://*.worglobal
O15 - ESC Trusted Zone: mtl.ca.crl
O15 - ESC Trusted Zone: http://*.filext.com
O15 - ESC Trusted Zone: http://www.google.ca
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.versalysformation.com
O15 - ESC Trusted Zone: http://www.windowsdevcenter.com
O15 - ESC Trusted Zone: mtl.ca.crl (HKLM)
O15 - ESC Trusted Zone: http://*.filext.com (HKLM)
O15 - ESC Trusted Zone: http://www.google.ca (HKLM)
O15 - ESC Trusted Zone: http://www.versalysformation.com (HKLM)
O15 - ESC Trusted Zone: http://www.windowsdevcenter.com (HKLM)
O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://mer-pr-sys-01:8080/qcbin/capicom.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuwe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://mer-pr-sys-01:8080/qcbin/Spider91.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\Software\..\Telephony: DomainName = na01.crl.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na01.crl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na01.crl.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 16214 bytes


Answer
Hi Mat

Good, now let's continue cleaning things up.  Please run the following programs and post me the logs.

Download TFC to your desktop from here:

http://oldtimer.geekstogo.com/TFC.exe

   * Close all windows.
   * Double click on the TFC icon to run the program.
   * TFC closes all open programs in order for it to run.
   * Click the Start button to begin the cleanup.
   * Allow TFC to run uninterrupted.
   * Once its finished it should automatically reboot your machine.
   * If it doesn't, manually reboot to ensure a complete cleanup.

Next, download Rooter Rootkit Detector to your Desktop:

http://eric.71.mespages.googlepages.com/Rooter.exe

   * Double-click the icon to start the tool.
   * A Notepad file containing the report will open when it's  finished.


Finally, please download Malwarebytes' Anti-Malware to your desktop from here:

http://malwarebytes.gt500.org/mbam-setup.exe

   * Double-click mbam-setup.exe and follow the prompts to install the program.
   * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
   * If an update is found, it will download and install the latest version.
   * Once the program has loaded, select Perform Full scan, then click Scan.
   * When the scan is complete, click OK, then Show Results to view the results.
   * Be sure that everything is checked, and click Remove Selected.
   * When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
   * Note: If you receive a notice that some of the items couldn't be removed until a reboot, please do so.

Also, give me an update on how the computer is running after the scans.  You may not have enough room to post all the logs here on AllExperts, so you can attach the logs to an email and send them to me at numbersix6@yahoo.com.

Brian

Computer Security & Viruses

All Answers

Answers by Expert:

Ask Experts

Volunteer

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.