I ran Spybot in safe mode and fixed:

virtumonde
microsoft.windows.system

but it keeps coming back. Please help!

He is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:06 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\lphcesuj0ea3n.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Documents and Settings\mattp\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.voscomputers.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PALogView] C:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [KnexStarter] C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
O4 - HKLM\..\Run: [RunTasktray] "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [lphcesuj0ea3n] C:\WINDOWS\system32\lphcesuj0ea3n.exe
O4 - HKLM\..\Run: [SMrhcasuj0ea3n] C:\Program Files\rhcasuj0ea3n\rhcasuj0ea3n.exe
O4 - HKLM\..\Run: [ac25fb19] rundll32.exe "C:\WINDOWS\system32\qmksxjks.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.voscomputers.com
O15 - Trusted Zone: http://*.hp.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155927456140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155927493500
O18 - Protocol: HPDCS - {BA135F49-A12C-4E26-A2C4-6EA945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
O18 - Protocol: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 11335 bytes

I would appreciate any help. Thanks in advance!

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) C:\Program Files\Java\jre1.6.0_05\ <<< check Java for an update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Check Spybot S&D for and update and be sure you are fully immunized. Open Spybot S&D then click "Help" at the top, then click About. Post for me the version of Spybot S&D you are running and just under it post the Latest detection update.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Spybot - Search & Destroy 1.6.0.30

Combofix Log:
ComboFix 08-07-11.1 - mattp 2008-07-11 16:58:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2476 [GMT -7:00]
Running from: C:\Documents and Settings\mattp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mattp\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mattp\Application Data\rhcasuj0ea3n
C:\Documents and Settings\mattp\Local Settings\Temporary Internet Files\plot.log
C:\WINDOWS\system32\ddcDvsPi.dll
C:\WINDOWS\system32\ljJYSmjg.dll
C:\WINDOWS\system32\lphcesuj0ea3n.exe
C:\WINDOWS\system32\MVyaayxx.ini
C:\WINDOWS\system32\MVyaayxx.ini2
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\phcesuj0ea3n.bmp
C:\WINDOWS\system32\pphcesuj0ea3n.exe
C:\WINDOWS\system32\qmksxjks.dll
C:\WINDOWS\system32\skjxskmq.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 15:41 . 2008-07-11 15:55 81,208,728 --a------ C:\Temp\jdk-6u7-windows-i586-p.exe
2008-07-11 13:32 . 2008-07-11 14:23 <DIR> d-------- C:\Documents and Settings\mattp\Application Data\nView_Wallpaper
2008-07-11 12:41 . 2008-07-11 12:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 12:41 . 2008-07-11 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:41 . 2008-07-11 12:41 116,864 --a------ C:\WINDOWS\system32\viiadn.dll
2008-07-11 12:41 . 2008-07-11 12:41 116,864 --a------ C:\WINDOWS\system32\tassgdcx.dll
2008-07-11 12:40 . 2008-07-11 12:40 321,792 --a------ C:\WINDOWS\system32\xxyaayVM.dll
2008-07-11 12:38 . 2008-07-11 12:40 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-07-11 12:37 . 2008-07-11 12:38 2,676,592 --a------ C:\Temp\spybotsd_includes.exe
2008-07-07 10:57 . 2008-07-07 10:57 76,688 --a------ C:\Temp\38687.zip
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-06-23 09:07 . 2008-06-23 09:08 <DIR> d-------- C:\Program Files\Windows Live
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-17 09:38 . 2008-06-17 09:39 6,857,524 --a------ C:\Temp\SetupLegacyCharting7.exe
2008-06-12 09:23 . 2008-06-12 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 22:44 --------- d-----w C:\Program Files\Karen's Power Tools
2008-07-11 15:56 --------- d-----w C:\Program Files\LogMeIn
2008-07-10 22:24 --------- d-----w C:\Documents and Settings\mattp\Application Data\U3
2008-07-08 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\mattp\Application Data\ZoomBrowser EX
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-11 00:33 --------- d-----w C:\Program Files\MFInstall
2008-06-06 22:06 --------- d-----w C:\Program Files\FamilySearch
2008-06-06 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:25 --------- d-----w C:\Program Files\Millennia
2008-06-03 18:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Millennia
2008-05-19 18:49 --------- d-----w C:\Program Files\NCPlot v1.2
2008-05-15 16:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Autodesk
2008-05-12 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-07-18 21:27 60,968 ----a-w C:\Documents and Settings\mattp\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62647d74-2a8f-4030-9567-0f0925df1547}]
2008-07-11 12:41 116864 --a------ C:\WINDOWS\system32\viiadn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C3AA5CB-0C89-4949-8310-06949B9DC67E}]
2008-07-11 12:40 321792 --a------ C:\WINDOWS\system32\xxyaayVM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17 9134080]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 23:09 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 23:09 87360]
"PALogView"="C:\Program Files\TrippLite\PowerAlert\console\logview.exe" [2005-06-01 15:22 172032]
"PAStatus"="C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe" [2005-06-01 15:21 299008]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"KnexStarter"="C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2007-02-26 13:12 81920]
"RunTasktray"="C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" [2007-02-26 11:38 69120]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-30 11:31 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-30 11:31 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 13:07 36640]
"nwiz"="nwiz.exe" [2007-11-30 11:31 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3DxAssociateFileExts"="C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe" [2006-11-07 16:46 98304]

C:\Documents and Settings\mattp\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [2007-05-25 20:09:50 12831608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Start 3DxWare.lnk - C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2006-11-02 17:22:20 118272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\Dantz\\Client\\retroclient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EngineServer;EngineServer;C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 12:30]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-18 10:50]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 23:09]
R2 PowerAlert Agent;PowerAlert Agent;C:\Program Files\TrippLite\PowerAlert\engine/pa.exe [2007-01-25 16:17]
R2 Retrospect Client;Retrospect Client;C:\Program Files\Dantz\Client\Remotsvc.exe [2005-03-01 09:48]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 15:31]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c9189d-cadd-11dc-8905-0019d1fd5654}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838fbb04-9f73-11dc-88eb-0019d1fd5654}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcesuj0ea3n - C:\WINDOWS\system32\lphcesuj0ea3n.exe
HKLM-Run-SMrhcasuj0ea3n - C:\Program Files\rhcasuj0ea3n\rhcasuj0ea3n.exe
HKLM-Run-ac25fb19 - C:\WINDOWS\system32\qmksxjks.dll
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-NWEReboot - (no file)
Notify-AtiExtEvent - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 17:04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]
"ImagePath"="C:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-11 17:06:55 - machine was rebooted [mattp]
ComboFix-quarantined-files.txt 2008-07-12 00:06:52

Pre-Run: 224,895,479,808 bytes free
Post-Run: 224,849,072,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

190


HJT Log #2:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:37 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mattp\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [PALogView] C:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [KnexStarter] C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
O4 - HKLM\..\Run: [RunTasktray] "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.voscomputers.com
O15 - Trusted Zone: http://*.hp.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155927456140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155927493500
O18 - Protocol: HPDCS - {BA135F49-A12C-4E26-A2C4-6EA945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
O18 - Protocol: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 11423 bytes

Thanks for your help, it is greatly appreciated

I have concerns about the validity of the information you are providing me.

This is the most recent HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:24:37 AM, on 7/14/2008

These were my instructions prior to combofix:
3) Remove any old copies of combofix before you proceed.

The is the newest version of combofix that is available:
Ver_08-07-12.6 7/14/2008

This is the information from combofix you have provided me:
Today, 13:36 <<< on this day
ComboFix 08-07-11.1 - mattp 2008-07-11 16:58:08.1 - NTFSx86

Please explain before we go forward.

:oops:I am humbled by my own lack of patience, which is embarrassing, as that is one of my pet peeves. It irritates me when people try and jump ahead.:banghead:I have learned my lesson for the day. God I feel like an ass now!
New combofix log:
ComboFix 08-07-14.1 - mattp 2008-07-14 11:46:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2132 [GMT -7:00]
Running from: C:\Documents and Settings\mattp\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dmziqx.dll
C:\WINDOWS\system32\guetgoch.ini
C:\WINDOWS\system32\hcogteug.dll
C:\WINDOWS\system32\MVyaayxx.ini
C:\WINDOWS\system32\MVyaayxx.ini2
C:\WINDOWS\system32\qwsrepmn.dll
C:\WINDOWS\system32\tassgdcx.dll
C:\WINDOWS\system32\viiadn.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-11 17:39 . 2008-07-11 17:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-11 17:38 . 2008-07-11 17:38 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-11 17:35 . 2008-07-11 17:35 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-11 17:35 . 2008-07-11 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-11 17:31 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-11 17:31 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 16:31 . 2008-07-11 16:31 4,608,744 --a------ C:\Temp\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-07-11 15:41 . 2008-07-11 15:55 81,208,728 --a------ C:\Temp\jdk-6u7-windows-i586-p.exe
2008-07-11 13:32 . 2008-07-14 11:50 <DIR> d-------- C:\Documents and Settings\mattp\Application Data\nView_Wallpaper
2008-07-11 12:41 . 2008-07-11 12:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 12:41 . 2008-07-11 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:40 . 2008-07-11 12:40 321,792 --a------ C:\WINDOWS\system32\xxyaayVM.dll
2008-07-11 12:38 . 2008-07-11 12:40 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-07-11 12:37 . 2008-07-11 12:38 2,676,592 --a------ C:\Temp\spybotsd_includes.exe
2008-07-07 10:57 . 2008-07-07 10:57 76,688 --a------ C:\Temp\38687.zip
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-06-23 09:07 . 2008-06-23 09:08 <DIR> d-------- C:\Program Files\Windows Live
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-17 09:38 . 2008-06-17 09:39 6,857,524 --a------ C:\Temp\SetupLegacyCharting7.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 16:07 --------- d-----w C:\Program Files\LogMeIn
2008-07-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-12 00:38 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-11 22:44 --------- d-----w C:\Program Files\Karen's Power Tools
2008-07-10 22:24 --------- d-----w C:\Documents and Settings\mattp\Application Data\U3
2008-07-08 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\mattp\Application Data\ZoomBrowser EX
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-12 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-11 00:33 --------- d-----w C:\Program Files\MFInstall
2008-06-06 22:06 --------- d-----w C:\Program Files\FamilySearch
2008-06-06 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:25 --------- d-----w C:\Program Files\Millennia
2008-06-03 18:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Millennia
2008-05-19 18:49 --------- d-----w C:\Program Files\NCPlot v1.2
2008-05-15 16:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Autodesk
2007-07-18 21:27 60,968 ----a-w C:\Documents and Settings\mattp\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_17.06.44.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2006-10-27 22:16:36 133,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\CONTAB32.DLL
+ 2006-10-27 03:55:32 87,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\DLGSETP.DLL
+ 2006-10-27 03:55:48 340,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\MIMEDIR.DLL
+ 2006-10-27 22:04:08 497,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\MORPH9.DLL
+ 2006-10-27 03:34:12 660,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\OMSMAIN.DLL
+ 2006-10-27 03:34:10 192,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\OMSXP32.DLL
+ 2006-10-27 22:16:44 594,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\OUTLMIME.DLL
+ 2006-10-27 22:16:40 176,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\OUTLPH.DLL
+ 2006-10-27 03:09:36 136,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\PRTF9.DLL
+ 2006-10-27 03:55:54 413,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\PSTPRX32.DLL
+ 2006-10-27 22:04:06 624,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\PTXT9.DLL
+ 2006-10-27 22:23:04 347,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\WINWORD.EXE
+ 2006-10-27 04:17:08 11,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\XLCALL32.DLL
- 2007-07-17 01:05:06 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-12 00:41:37 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
- 2007-07-17 01:05:06 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-12 00:41:38 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-07-17 01:05:06 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-12 00:41:38 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
- 2007-07-17 01:05:06 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-12 00:41:38 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-07-17 01:05:06 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-12 00:41:38 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-07-17 01:05:06 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-12 00:41:38 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
- 2007-07-17 01:05:06 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-12 00:41:38 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
- 2007-07-17 01:05:06 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-12 00:41:38 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
- 2007-07-17 01:05:06 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-12 00:41:38 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-07-17 01:05:06 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-12 00:41:38 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-12 00:35:04 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2007-02-10 12:09:12 127,856 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 12:09:20 1,039,728 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 12:15:30 1,160,560 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-27 05:08:46 2,501,648 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\hotfix.exe
+ 2005-10-14 06:26:42 548,864 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\msvcp80.dll
+ 2005-10-14 06:26:42 626,688 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 12:29:52 143,728 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 12:29:52 533,872 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 12:29:54 230,256 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqlsetupvista.dll
+ 2007-02-10 12:09:12 127,856 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 12:09:20 1,039,728 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 12:15:30 1,160,560 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-27 05:08:46 2,501,648 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\hotfix.exe
+ 2005-10-14 06:26:42 548,864 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\msvcp80.dll
+ 2005-10-14 06:26:42 626,688 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 12:29:52 143,728 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 12:29:52 533,872 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 12:29:54 230,256 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqlsetupvista.dll
- 2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2007-04-17 05:45:28 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-31 02:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2004-08-04 12:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-03-08 15:36:28 281,600 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-08-17 12:28:27 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 12:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 12:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 12:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 12:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 12:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 12:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 12:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-04 12:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 12:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-04 12:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-04 12:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2004-08-04 12:00:00 553,472 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2004-08-04 12:00:00 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2004-08-04 12:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2006-12-19 18:08:07 852,480 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2005-01-28 20:44:28 224,768 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-28 00:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2006-04-29 13:07:48 5,533,696 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-04-30 15:20:24 5,537,792 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2007-04-17 05:45:48 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-31 02:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-04-17 05:45:20 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-31 02:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-04-17 05:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-31 02:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2007-04-17 05:45:42 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-31 02:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-04-17 05:47:36 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-31 02:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2007-04-17 05:45:36 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-31 02:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2004-08-04 12:00:00 27,440 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
+ 2007-11-13 10:25:53 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
- 2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 ------w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ------w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
- 2006-12-15 02:07:30 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 22:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2006-12-04 21:37:58 1,317,648 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 22:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
- 2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
+ 2007-07-31 02:19:10 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
- 2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2007-07-31 02:19:04 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
- 2004-08-04 12:00:00 553,472 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2008-06-12 01:17:34 88,936 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-12 00:36:57 88,936 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-12 01:17:34 485,862 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-12 00:36:57 485,862 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-08-04 12:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
- 2006-10-16 23:10:58 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-01-29 08:58:06 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2008-03-27 09:24:20 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2004-08-04 12:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2005-01-28 20:44:28 224,768 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-28 00:40:06 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2006-04-29 13:07:48 5,533,696 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-04-30 15:20:24 5,537,792 ----a-w C:\WINDOWS\system32\wmp.dll
- 2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
- 2007-04-18 10:07:59 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-05-08 22:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C9DBBF9-CECF-4140-879F-1FD0F13C9531}]
2008-07-11 12:40 321792 --a------ C:\WINDOWS\system32\xxyaayVM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17 9134080]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 23:09 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 23:09 87360]
"PALogView"="C:\Program Files\TrippLite\PowerAlert\console\logview.exe" [2005-06-01 15:22 172032]
"PAStatus"="C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe" [2005-06-01 15:21 299008]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"KnexStarter"="C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2007-02-26 13:12 81920]
"RunTasktray"="C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" [2007-02-26 11:38 69120]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-30 11:31 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-30 11:31 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 13:07 36640]
"nwiz"="nwiz.exe" [2007-11-30 11:31 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3DxAssociateFileExts"="C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe" [2006-11-07 16:46 98304]

C:\Documents and Settings\mattp\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [2007-12-12 23:56:18 12829216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Start 3DxWare.lnk - C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2006-11-02 17:22:20 118272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\Dantz\\Client\\retroclient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EngineServer;EngineServer;C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 12:30]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 23:09]
R2 PowerAlert Agent;PowerAlert Agent;C:\Program Files\TrippLite\PowerAlert\engine/pa.exe [2007-01-25 16:17]
R2 Retrospect Client;Retrospect Client;C:\Program Files\Dantz\Client\Remotsvc.exe [2005-03-01 09:48]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 15:31]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c9189d-cadd-11dc-8905-0019d1fd5654}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838fbb04-9f73-11dc-88eb-0019d1fd5654}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

BHO-{201fe518-463d-4b74-8706-05c44f5b0e67} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 11:50:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]
"ImagePath"="C:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-14 11:53:47 - machine was rebooted [mattp]
ComboFix-quarantined-files.txt 2008-07-14 18:53:43
ComboFix2.txt 2008-07-12 00:06:56

Pre-Run: 224,328,859,648 bytes free
Post-Run: 224,324,214,784 bytes free

412 --- E O F --- 2008-07-12 00:41:40

New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:50 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mattp\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: (no name) - {3C9DBBF9-CECF-4140-879F-1FD0F13C9531} - C:\WINDOWS\system32\xxyaayVM.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [PALogView] C:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [KnexStarter] C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
O4 - HKLM\..\Run: [RunTasktray] "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.voscomputers.com
O15 - Trusted Zone: http://*.hp.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155927456140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155927493500
O18 - Protocol: HPDCS - {BA135F49-A12C-4E26-A2C4-6EA945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
O18 - Protocol: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 11767 bytes

Resident is continually popping up with:

(current time) Registry change denied
Identified as: User Blacklist

Resident denied the change of
{02ECF848-8F5F-4136-B9D5-7E04B8D06BE1}
{category Browser Helper Object} based on your blacklist

I have been denying registry changes as they appear from SpyBot. Did I screw something up by not approving this one? It is continually running. Or did I just screw-up and miss something in your instructions again! (I need a smiley for bending over and getting a good ass kicking!)

by using process explorer found rundll.exe. If I kill process, resident will quit on that one, but another will start up. And the process repeats. If I suspend it, Resident will close.
Here is the path: "rundll32.exe C:\WINDOWS\system32\xxyaayVM.dll,c"

I am unable to delete this. In use error pops up. I apologize for getting ahead if I have, figured this might help.

Matt

Well, I will tell you this, this is not a good start. If you had TeaTimer running in the first log, which you did not, I would have posted these instructions:

START BY FOLLOWING THESE DIRECTIONS
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\xxyaayVM.dll
C:\Temp\38687.zip

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C9DBBF9-CECF-4140-879F-1FD0F13C9531}]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(may be gone, removed by the CFScript)

O2 - BHO: (no name) - {3C9DBBF9-CECF-4140-879F-1FD0F13C9531} - C:\WINDOWS\system32\xxyaayVM.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Restart and post the combofix log from CFScript, the logfile from MBAM, a new HJT log and some feedback from you. How is the computer running?

Thanks

OK, I've learned a valuable lesson today on following directions!
Steps Review:

1) completed
2) completed
3) completed
4) completed, you were right .dll was removed by CFScript
5) completed, that was a good chunk of kb's returned
6) completed, 28 instances found and removed.

Combofix/CFScript Log:
ComboFix 08-07-14.2 - mattp 2008-07-14 13:34:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2474 [GMT -7:00]
Running from: C:\Documents and Settings\mattp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mattp\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Temp\38687.zip
C:\WINDOWS\system32\xxyaayVM.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\38687.zip
C:\WINDOWS\system32\ahyswqhh.ini
C:\WINDOWS\system32\hhqwsyha.dll
C:\WINDOWS\system32\htwrmmrt.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MVyaayxx.ini
C:\WINDOWS\system32\MVyaayxx.ini2
C:\WINDOWS\system32\xvanxz.dll
C:\WINDOWS\system32\xxyaayVM.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-11 17:39 . 2008-07-11 17:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-11 17:38 . 2008-07-11 17:38 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-11 17:35 . 2008-07-11 17:35 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-11 17:35 . 2008-07-11 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-11 17:31 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-11 17:31 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-11 16:31 . 2008-07-11 16:31 4,608,744 --a------ C:\Temp\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-07-11 15:41 . 2008-07-11 15:55 81,208,728 --a------ C:\Temp\jdk-6u7-windows-i586-p.exe
2008-07-11 13:32 . 2008-07-14 13:40 <DIR> d-------- C:\Documents and Settings\mattp\Application Data\nView_Wallpaper
2008-07-11 12:41 . 2008-07-11 12:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 12:41 . 2008-07-11 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 12:38 . 2008-07-11 12:40 15,083,520 --a------ C:\Temp\spybotsd160.exe
2008-07-11 12:37 . 2008-07-11 12:38 2,676,592 --a------ C:\Temp\spybotsd_includes.exe
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-06-25 09:49 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-06-23 09:07 . 2008-06-23 09:08 <DIR> d-------- C:\Program Files\Windows Live
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-23 09:07 . 2008-06-23 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-17 09:38 . 2008-06-17 09:39 6,857,524 --a------ C:\Temp\SetupLegacyCharting7.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 16:07 --------- d-----w C:\Program Files\LogMeIn
2008-07-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-12 00:38 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-11 22:44 --------- d-----w C:\Program Files\Karen's Power Tools
2008-07-10 22:24 --------- d-----w C:\Documents and Settings\mattp\Application Data\U3
2008-07-08 15:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\mattp\Application Data\ZoomBrowser EX
2008-06-26 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-12 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-11 00:33 --------- d-----w C:\Program Files\MFInstall
2008-06-06 22:06 --------- d-----w C:\Program Files\FamilySearch
2008-06-06 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:25 --------- d-----w C:\Program Files\Millennia
2008-06-03 18:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Millennia
2008-05-19 18:49 --------- d-----w C:\Program Files\NCPlot v1.2
2008-05-15 16:25 --------- d-----w C:\Documents and Settings\mattp\Application Data\Autodesk
2007-07-18 21:27 60,968 ----a-w C:\Documents and Settings\mattp\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-20 22:36 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17 9134080]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 23:09 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 23:09 87360]
"PALogView"="C:\Program Files\TrippLite\PowerAlert\console\logview.exe" [2005-06-01 15:22 172032]
"PAStatus"="C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe" [2005-06-01 15:21 299008]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"KnexStarter"="C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2007-02-26 13:12 81920]
"RunTasktray"="C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" [2007-02-26 11:38 69120]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-30 11:31 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-30 11:31 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 13:07 36640]
"nwiz"="nwiz.exe" [2007-11-30 11:31 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3DxAssociateFileExts"="C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe" [2006-11-07 16:46 98304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Start 3DxWare.lnk - C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2006-11-02 17:22:20 118272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\Dantz\\Client\\retroclient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EngineServer;EngineServer;C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 12:30]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 23:09]
R2 PowerAlert Agent;PowerAlert Agent;C:\Program Files\TrippLite\PowerAlert\engine/pa.exe [2007-01-25 16:17]
R2 Retrospect Client;Retrospect Client;C:\Program Files\Dantz\Client\Remotsvc.exe [2005-03-01 09:48]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 15:31]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c9189d-cadd-11dc-8905-0019d1fd5654}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{838fbb04-9f73-11dc-88eb-0019d1fd5654}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 13:39:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PowerAlert Agent]
"ImagePath"="C:\Program Files\TrippLite\PowerAlert\engine/pa.exe -service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-14 13:42:09 - machine was rebooted [mattp]
ComboFix-quarantined-files.txt 2008-07-14 20:42:06
ComboFix2.txt 2008-07-14 18:53:47
ComboFix3.txt 2008-07-12 00:06:56

Pre-Run: 224,329,289,728 bytes free
Post-Run: 224,315,432,960 bytes free

174 --- E O F --- 2008-07-12 00:41:40

MBAM Log:
Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 2

2:08:19 PM 7/14/2008
mbam-log-7-14-2008 (14-08-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116698
Time elapsed: 17 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcDvsPi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dmziqx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hcogteug.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hhqwsyha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\htwrmmrt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJYSmjg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qmksxjks.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qwsrepmn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tassgdcx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\viiadn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xvanxz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyaayVM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP13\A0001893.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP13\A0001894.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP13\A0001895.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP16\A0003294.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP16\A0003295.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP16\A0003296.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP16\A0003297.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP16\A0003298.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP18\A0003425.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP18\A0003426.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP18\A0003427.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AE2D1EEE-ADB3-4A87-9E45-504030DE5956}\RP18\A0003428.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\McAfeeMVSUser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\mattp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:45 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mattp\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [PALogView] C:\Program Files\TrippLite\PowerAlert\console\logview.exe /s
O4 - HKLM\..\Run: [PAStatus] C:\Program Files\TrippLite\PowerAlert\console\pastatus.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [KnexStarter] C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
O4 - HKLM\..\Run: [RunTasktray] "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.voscomputers.com
O15 - Trusted Zone: http://*.hp.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155927456140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155927493500
O18 - Protocol: HPDCS - {BA135F49-A12C-4E26-A2C4-6EA945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
O18 - Protocol: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2009\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe

--
End of file - 11464 bytes

Thank you for your help, everything seems to be a bit quicker, especially internet browser!!!!! Thank you, thank you, thank you!:bigthumb:

Awaiting further instructions, and I promise not to do anything till I have your response!!!!!!:bow:

Thanks for returning your information, MBAM did find a few rouge items missed by combofix but most of that is the combofix quarantine and infected System Restore files.

1) Remove combofix (and the quarantined items) like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

2) Clean the infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new MBAM scan to make sure we got it all, no need to post a clean scan.

As we are nearing close, I am noticing you have a load of running processes. If you want your computer to boot faster and run better, you need to look at this information:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.netsquirrel.com/msconfig/msconfig_xp.html

I suggest you update McAfee and run a system scan, make sure all is working as it should. Malware like to mess up your security programs. If you have issues, contact McAfee technical support for instructions.

Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

okay here you go:

1) completed
2a) completed

rebooted

2b) completed

ran mbam

1 file infected (cleaned)

MBAM log:
Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 2

3:24:00 PM 7/14/2008
mbam-log-7-14-2008 (15-24-00).txt

Scan type: Quick Scan
Objects scanned: 46479
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.

I attached the mbam log as it wasn't clean. Do I need to repeat the "system restore" procedure? Or is it gone since it was cleaned?

Once again, thank you for your help, and your patience!!!!!!!:2thumb:

I am going through you link recommendations now as I await any further instructions.

Thanks,

Matt

It would not hurt, that infected .dat file was there the reboot as it was located by MBAM at that point. I suggest you repeat the steps to be sure System Restore did not backup that infection. If that was the case, the infected file would get back on the computer IF you used that restore point.

Thanks

Thank you for all of your help. I will do the "restore" procedure one more time. Everything seems to be working great! I used your links and cleaned up the "start-up" processes, wow what a difference! Thanks again!

Regards,

Matt

PS I believe it is safe to say the problem has been resolved, and lesson learned:)