
Malware issues - gaf417sa11i.com redirector



gpeterso
2010-06-08, 23:47
I have tried every known thing to remove this redirector, need some help. Not sure how I picked it up because I am protected pretty well. Nonetheless, here are the 2 files needed as described in the "before you post" thread.

5099
5098

When I ran the DDS tool I did get an evP.exe memory execution error. Not sure if it's related or not; the tool continued anyway.

Please help, thanks.

Sorry, I think I was supposed to post this in the thread:


DDS (Ver_10-03-17.01) - NTFSx86
Run by gpeterso at 13:35:46.25 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1012 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pilogsrv.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pinetmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pimsgss.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Shoreline Communications\ShoreWare Client\STCLogin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gpeterso\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rockwellautomation.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [OM_Monitor] "c:\program files\olympus\olympus master\FirstStart.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [UsbCipHelper] "c:\program files\rockwell automation\rockwell automation usb cip driver package\usbciphelper\UsbCipHelper.exe"
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CC_AgentToolbarReminder] "c:\program files\cc_agenttoolbarreminder\CC_AgentToolbarReminder.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - hxxp://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://rockwellautomation.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.ncelec.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.ncelec.com/dana-cached/sc/JuniperSetupClient.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-4 164048]
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [2007-7-20 63508]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-4 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
R2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\common files\rockwell\FTAEArchiver.exe [2007-9-18 61440]
R2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\common files\rockwell\FTAE_HistServ.exe [2007-9-18 143360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 NmspHost;Rockwell Namespace Services;c:\program files\common files\rockwell\NmspHost.exe [2009-6-11 222496]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\common files\rockwell\RdcyHost.exe [2009-6-11 222496]
R2 RnaAeServer;Rockwell Alarm Server;c:\program files\common files\rockwell\RnaAeServer.exe [2007-9-18 270336]
R2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\common files\rockwell\RnaAlarmMux.exe [2007-9-21 753664]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\rockwell software\rsview enterprise\ServerFramework.exe [2007-9-18 491520]
R3 EventServer;Rockwell Event Server;c:\program files\common files\rockwell\EventServer.exe [2009-6-11 222496]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [2001-10-29 113600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\rockwell software\rslogix emulate 5000\PcidsService.exe [2007-7-20 102400]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2000-5-31 71448]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2007-5-30 39424]
S3 LogReceiver;LogReceiver;c:\program files\rockwell software\rslinx enterprise\LogReceiver.exe [2007-7-9 94208]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\drivers\pcidnt.sys --> c:\windows\system32\drivers\pcidnt.sys [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-1-18 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-1-18 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-1-18 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-1-18 59776]
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\rockwell software\rsview enterprise\RsAlarmLogServ.exe [2007-9-18 77824]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1999-11-10 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [2002-11-13 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2006-1-18 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [2002-4-23 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [1999-5-11 155440]
S3 SimModuleService;1789-SIM Simulator Module;c:\program files\rockwell software\rslogix emulate 5000\SimModuleService.exe [2007-7-20 98304]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-06-08 20:33:51 184 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-08 20:03:13 904 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-08 15:58:38 20480 ---ha-w- C:\SZKGFS.dat
2010-06-07 15:44:45 7006 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-07 15:31:02 0 d-----w- c:\windows\system32\scripting
2010-06-07 15:31:02 0 d-----w- c:\windows\l2schemas
2010-06-07 15:31:01 0 d-----w- c:\windows\system32\en
2010-06-07 15:31:01 0 d-----w- c:\windows\system32\bits
2010-06-07 03:45:21 0 d-sh--w- c:\documents and settings\gpeterso\IECompatCache
2010-06-07 03:44:37 0 d-sh--w- c:\documents and settings\gpeterso\PrivacIE
2010-06-07 03:39:13 0 d-sh--w- c:\documents and settings\gpeterso\IETldCache
2010-06-07 03:34:15 0 dc-h--w- c:\windows\ie8
2010-06-04 16:22:56 164 ----a-w- c:\windows\install.dat
2010-06-04 04:31:00 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-04 03:36:49 0 d-----w- C:\ComboFix(2)
2010-06-03 22:49:39 0 d-----w- C:\cmdcons
2010-05-12 21:59:10 1975 ------w- C:\pisetup.ini
2010-05-12 16:21:58 179 ----a-w- c:\windows\PIPC.INI

==================== Find3M ====================


============= FINISH: 13:36:52.92 ===============

Here is my GMER scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 20:55:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\gpeterso\LOCALS~1\Temp\uwlyafow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DADC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6DADB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB6DAE0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6DAE014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6DAD70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6DADC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6DAD64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6DAD6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6DADD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB6DAE1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6DADCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6DADE70]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xBA78C710]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3D6716D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3D66FC2

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB6DBAAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB6DBA8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB6DBAA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC0 8050454C 4 Bytes JMP 58B6DAE0
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 2 Bytes JMP B6DBAA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwLoadDriver + 3 8058413D 4 Bytes JMP 4C8EC4AA
PAGE ntkrnlpa.exe!NtCreateSection 805AB3AE 7 Bytes JMP B6DBA8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC512 5 Bytes JMP B6DB6536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F96 5 Bytes JMP B6DB7EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1136 7 Bytes JMP B6DBAACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB97EA360, 0x30A247, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1900] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 07F6000A
.text C:\WINDOWS\System32\svchost.exe[1900] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1216] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[1216] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\usbhub \Device\000000b6 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbhub \Device\000000aa hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ac hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ae hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000b0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000b2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000b4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\Fastfat \Fat AFF69D20

AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016414af816
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016414af816 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016414af816 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Blade81
2010-06-12, 00:48
Hi,

Please do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)

Please post c:\ComboFix.txt log contents that should exist since your earlier ComboFix run. Post a fresh dds log too.

gpeterso
2010-06-13, 17:34
Here's the ComboFix.txt file:

ComboFix 10-06-12.03 - gpeterso 06/13/2010 7:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1444 [GMT -7:00]
Running from: c:\documents and settings\gpeterso\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\gpeterso\Application Data\.#
c:\documents and settings\gpeterso\Application Data\.#\MBX@E98@373F80.###
c:\documents and settings\gpeterso\Application Data\.#\MBX@E98@373FB0.###
c:\documents and settings\gpeterso\g2mdlhlpx.exe
c:\documents and settings\gpeterso\System
c:\documents and settings\gpeterso\System\win_qs8.jqx
c:\windows\system32\st325602.dll

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-11 15:21 . 2004-10-19 09:18 27519 ----a-r- c:\windows\system32\drivers\RTL8150.SYS
2010-06-08 20:28 . 2010-06-08 20:29 -------- d-----w- c:\program files\ERUNT
2010-06-08 15:58 . 2010-06-08 15:58 20480 ---ha-w- C:\SZKGFS.dat
2010-06-08 15:56 . 2010-06-08 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-08 15:55 . 2010-06-08 15:55 -------- d-----w- c:\program files\STOPzilla!
2010-06-08 15:55 . 2010-06-08 15:55 -------- d-----w- c:\program files\Common Files\iS3
2010-06-08 15:55 . 2010-06-13 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-07 15:40 . 2010-06-07 15:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\scripting
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\l2schemas
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\en
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\bits
2010-06-07 03:45 . 2010-06-07 03:45 -------- d-sh--w- c:\documents and settings\gpeterso\IECompatCache
2010-06-07 03:44 . 2010-06-07 03:44 -------- d-sh--w- c:\documents and settings\gpeterso\PrivacIE
2010-06-07 03:41 . 2010-06-07 03:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-07 03:39 . 2010-06-07 03:39 -------- d-sh--w- c:\documents and settings\gpeterso\IETldCache
2010-06-07 03:39 . 2010-06-07 03:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-07 03:34 . 2010-06-07 03:36 -------- dc-h--w- c:\windows\ie8
2010-06-04 22:43 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-04 22:43 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-04 22:43 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-04 22:43 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-04 22:43 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-04 22:43 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-04 22:43 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-04 22:43 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-04 22:43 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-04 22:43 . 2010-06-04 22:43 -------- d-----w- c:\program files\Alwil Software
2010-06-04 22:43 . 2010-06-04 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-04 16:24 . 2010-06-04 16:24 -------- d-----w- c:\program files\Webroot
2010-06-04 16:22 . 2010-06-04 16:23 164 ----a-w- c:\windows\install.dat
2010-06-04 04:58 . 2010-06-04 04:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-04 04:31 . 2010-06-04 04:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-03 23:25 . 2010-06-03 23:25 -------- d-----w- c:\documents and settings\gpeterso\Application Data\Malwarebytes
2010-06-03 23:25 . 2010-06-03 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 17:40 . 2010-06-03 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-03 17:40 . 2010-06-03 17:40 -------- d-----w- c:\program files\Lavasoft
2010-06-03 17:33 . 2010-06-04 04:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 14:18 . 2010-06-13 14:06 1824 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-13 14:08 . 2010-06-13 14:06 904 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-13 14:03 . 2006-06-08 19:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-06-13 14:03 . 2006-06-08 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-06-09 04:04 . 2007-07-25 22:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-06-09 04:03 . 2006-06-08 20:11 -------- d-----w- c:\documents and settings\gpeterso\Application Data\VMware
2010-06-07 15:44 . 2010-06-07 15:44 7006 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-07 15:43 . 2006-05-30 05:05 88232 ----a-w- c:\documents and settings\gpeterso\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 15:33 . 2006-05-02 21:01 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-04 22:42 . 2006-05-02 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 22:41 . 2006-05-02 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 22:40 . 2009-03-11 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-04 04:30 . 2006-06-20 16:13 -------- d-----w- c:\program files\Common Files\Rockwell
2010-05-26 17:28 . 2006-05-02 21:41 236884 ----a-w- c:\windows\system32\nvModes.dat
2010-05-21 18:12 . 2008-06-27 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell Automation
2010-05-14 15:01 . 2006-09-13 16:16 -------- d-----w- c:\documents and settings\gpeterso\Application Data\webex
2010-05-12 22:35 . 2006-06-20 16:14 -------- d-----w- c:\program files\Rockwell Software
2010-05-06 00:25 . 2006-05-31 16:00 -------- d-----w- c:\program files\EMS
2010-05-06 00:24 . 2006-05-31 16:00 796672 ----a-w- c:\windows\GPInstall.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_4ae13d6c.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_2cd672ae.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_294823.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_18be6784.exe
2010-03-26 15:30 . 2010-03-26 15:30 1179136 ----a-w- c:\windows\system32\AutoPartNt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-17 57344]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-05-19 1106344]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-05-19 1848150]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-05-19 126976]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-17 40960]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-05 176216]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-29 434176]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"CC_AgentToolbarReminder"="c:\program files\CC_AgentToolbarReminder\CC_AgentToolbarReminder.exe" [2010-02-11 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-28 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-6-20 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\netdde.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\ShoreTel\\Contact Center\\Agent\\Bin\\nprocess.exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"c:\\Program Files\\Common Files\\Rockwell\\countermonitor.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Rockwell Software\\RSView\\sptddssv32.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\SptFTServer.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\sptddeex32.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\MonitorRemoteProcesses.exe"=
"c:\\Program Files\\Rockwell Software\\RDM\\Cmeopc32.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RSViewLogServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RSVWHist.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmCliSrvWrap.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmMpx.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlarmQB.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandCliSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandCliTagHMIService.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandErrorLogSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DatalogServ.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DerivedTags.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DisplayClient.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DlgRdRp.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DlgRdServ.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\EventDetector.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\ServerFramework.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAeServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmMux.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmDetector.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Port 135 TCP
"400:TCP"= 400:TCP:Port 400 TCP
"401:TCP"= 401:TCP:Port 401 TCP
"402:TCP"= 402:TCP:Port 402 TCP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/4/2010 3:43 PM 164048]
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [7/20/2007 10:59 AM 63508]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/4/2010 3:43 PM 19024]
R2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/18/2007 12:29 AM 61440]
R2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/18/2007 12:29 AM 143360]
R2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [6/11/2009 8:16 AM 222496]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [6/11/2009 8:16 AM 222496]
R2 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/18/2007 12:32 AM 270336]
R2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 3:27 PM 753664]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 9:21 PM 491520]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [6/11/2009 8:15 AM 222496]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:49 PM 135664]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [7/20/2007 10:59 AM 102400]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [5/30/2007 4:34 PM 39424]
S3 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/18/2009 8:18 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/18/2009 8:18 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/18/2009 8:18 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/18/2009 8:18 PM 59776]
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 10:35 PM 77824]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [7/20/2007 10:59 AM 98304]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 11:41 AM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 11:42 AM 73856]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [6/11/2010 8:21 AM 27519]
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:49]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rockwellautomation.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.ncelec.com/dana-cached/sc/JuniperSetupClient.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 07:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000020

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\DesktopAppInstall\oemDesktop3]
"Name"="oemDesktop3"
"DisplayName"="QuickTime Player"
"Param1"="\\EXTRAS\\DESKTOP\\QuickTimePlayer\\QuickTimeInstaller.exe"
"Param2"=""
"Type"="createprocess"
"Order"=dword:00000000
"State"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1496)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-06-13 07:21:28
ComboFix-quarantined-files.txt 2010-06-13 14:21

Pre-Run: 168,186,114,048 bytes free
Post-Run: 168,755,023,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 42E57C5176C925895F0B732F96B5AC19
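
Two items in the logs posted in this thread sit in a spot a practitioner would always want checked: the ComboFix log above lists c:\windows\system32\relog_ap.dll under lsass.exe in "DLLs Loaded Under Running Processes", and the fresh DDS log posted later reports `LSA: Authentication Packages = msv1_0 relog_ap`. On a default Windows XP install that registry value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages) contains only msv1_0; every additional name is a DLL that lsass.exe maps at boot and that then sees every logon, so an extra entry deserves a look whatever the helper concludes about this particular machine. The Python below is an added triage example, not code from the thread or from the DDS/ComboFix tools: it extracts the LSA line from a DDS log, extracts the lsass.exe DLL list from a ComboFix log, and cross-checks the two against an allowlist. The sample input is the relevant lines copied from the logs in this thread; the msv1_0-only allowlist is an assumption for XP-era hosts (a machine that legitimately runs third-party authentication packages needs them added).

```python
import re
from dataclasses import dataclass

# Default value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages on
# Windows XP: only msv1_0. Assumption for this example; hosts with third-party
# authentication packages need those names added here.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# DDS "Pseudo HJT Report" line, e.g.  LSA: Authentication Packages = msv1_0 relog_ap
LSA_LINE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+?)\s*$", re.MULTILINE)
# ComboFix process header in "DLLs Loaded Under Running Processes", e.g.
#   - - - - - - - > 'lsass.exe'(1496)
PROC_HDR = re.compile(r"^(?:-\s)+>\s*'([^']+)'\((\d+)\)\s*$")


@dataclass(frozen=True)
class Finding:
    source: str   # log section the finding came from
    item: str     # package name or DLL path
    reason: str


def lsa_auth_packages(dds_text):
    """Return the names on the DDS 'LSA: Authentication Packages' line ([] if absent)."""
    m = LSA_LINE.search(dds_text)
    return m.group(1).split() if m else []


def non_default_auth_packages(dds_text, allowlist=DEFAULT_AUTH_PACKAGES):
    """Packages lsass.exe will load at boot that are not on the allowlist."""
    allowed = {a.lower() for a in allowlist}
    return [p for p in lsa_auth_packages(dds_text) if p.lower() not in allowed]


def dlls_under_process(combofix_text, process="lsass.exe"):
    """DLL paths ComboFix lists under `process` in 'DLLs Loaded Under Running Processes'."""
    dlls, lines, i = [], combofix_text.splitlines(), 0
    while i < len(lines):
        m = PROC_HDR.match(lines[i].strip())
        i += 1
        if not m or m.group(1).lower() != process.lower():
            continue
        # Entries run until a blank line, ComboFix's '.' separator, or the next header.
        while (i < len(lines) and lines[i].strip() not in ("", ".")
               and not PROC_HDR.match(lines[i].strip())):
            dlls.append(lines[i].strip())
            i += 1
    return dlls


def triage(dds_text, combofix_text="", allowlist=DEFAULT_AUTH_PACKAGES):
    """Cross-check the DDS LSA line against ComboFix's lsass.exe DLL list."""
    findings = []
    lsass_dlls = dlls_under_process(combofix_text) if combofix_text else []
    explained = set()
    for pkg in non_default_auth_packages(dds_text, allowlist):
        # An authentication package is a DLL that lsass resolves by name, so the
        # package "relog_ap" corresponds to relog_ap.dll in the ComboFix listing.
        loaded = [d for d in lsass_dlls if d.lower().endswith("\\" + pkg.lower() + ".dll")]
        explained.update(d.lower() for d in loaded)
        reason = "not a default LSA authentication package; lsass.exe loads it at boot"
        if loaded:
            reason += "; ComboFix confirms it is mapped into lsass.exe"
        findings.append(Finding("LSA: Authentication Packages", pkg, reason))
    for d in lsass_dlls:
        if d.lower() not in explained:
            findings.append(Finding("DLLs Loaded Under Running Processes", d,
                                    "reported inside lsass.exe without a matching LSA package entry"))
    return findings


# Sample input: the relevant lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_DDS = r"""
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============
"""

SAMPLE_COMBOFIX = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1496)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-06-13 07:21:28
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS, SAMPLE_COMBOFIX):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

Run against the two samples it reports a single finding, relog_ap, with the note that ComboFix shows the DLL inside lsass.exe. The script only flags; deciding whether a flagged package is legitimate still means looking at the file on disk (publisher signature, timestamp, whether it exists at all), which a log alone cannot settle.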

Blade81
2010-06-13, 17:51
Kindly post the requested fresh dds log too.

gpeterso
2010-06-13, 18:57
New DDS file:


DDS (Ver_10-03-17.01) - NTFSx86
Run by gpeterso at 8:54:35.50 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.950 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe
C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pilogsrv.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pinetmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program files\Rockwell Software\FactoryTalk Historian\Server\PIPC\BIN\pimsgss.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Common Files\Rockwell\RnaAeServer.exe
C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\STCLogin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\gpeterso\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rockwellautomation.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [OM_Monitor] "c:\program files\olympus\olympus master\FirstStart.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [UsbCipHelper] "c:\program files\rockwell automation\rockwell automation usb cip driver package\usbciphelper\UsbCipHelper.exe"
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CC_AgentToolbarReminder] "c:\program files\cc_agenttoolbarreminder\CC_AgentToolbarReminder.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - hxxp://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://rockwellautomation.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.ncelec.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.ncelec.com/dana-cached/sc/JuniperSetupClient.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-4 164048]
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [2007-7-20 63508]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-4 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
R2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\common files\rockwell\FTAEArchiver.exe [2007-9-18 61440]
R2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\common files\rockwell\FTAE_HistServ.exe [2007-9-18 143360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 NmspHost;Rockwell Namespace Services;c:\program files\common files\rockwell\NmspHost.exe [2009-6-11 222496]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\common files\rockwell\RdcyHost.exe [2009-6-11 222496]
R2 RnaAeServer;Rockwell Alarm Server;c:\program files\common files\rockwell\RnaAeServer.exe [2007-9-18 270336]
R2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\common files\rockwell\RnaAlarmMux.exe [2007-9-21 753664]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\rockwell software\rsview enterprise\ServerFramework.exe [2007-9-18 491520]
R3 EventServer;Rockwell Event Server;c:\program files\common files\rockwell\EventServer.exe [2009-6-11 222496]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [2001-10-29 113600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\rockwell software\rslogix emulate 5000\PcidsService.exe [2007-7-20 102400]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2000-5-31 71448]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 40384]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2007-5-30 39424]
S3 LogReceiver;LogReceiver;c:\program files\rockwell software\rslinx enterprise\LogReceiver.exe [2007-7-9 94208]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\drivers\pcidnt.sys --> c:\windows\system32\drivers\pcidnt.sys [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-1-18 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-1-18 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-1-18 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-1-18 59776]
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\rockwell software\rsview enterprise\RsAlarmLogServ.exe [2007-9-18 77824]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1999-11-10 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [2002-11-13 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2006-1-18 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [2002-4-23 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [1999-5-11 155440]
S3 SimModuleService;1789-SIM Simulator Module;c:\program files\rockwell software\rslogix emulate 5000\SimModuleService.exe [2007-7-20 98304]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2010-6-11 27519]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-06-13 14:23:54 0 d--h--w- c:\windows\$hf_mig$
2010-06-13 14:06:49 904 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-13 14:06:11 1824 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-13 13:56:28 0 d-sha-r- C:\cmdcons
2010-06-13 13:53:04 98816 ----a-w- c:\windows\sed.exe
2010-06-13 13:53:04 77312 ----a-w- c:\windows\MBR.exe
2010-06-13 13:53:04 161792 ----a-w- c:\windows\SWREG.exe
2010-06-11 15:21:30 27519 ----a-r- c:\windows\system32\drivers\RTL8150.SYS
2010-06-08 15:58:38 2174976 ---ha-w- C:\SZKGFS.dat
2010-06-08 15:56:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-06-08 15:55:39 0 d-----w- c:\program files\STOPzilla!
2010-06-08 15:55:36 0 d-----w- c:\program files\common files\iS3
2010-06-08 15:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-06-07 15:44:45 7006 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-07 15:31:02 0 d-----w- c:\windows\system32\scripting
2010-06-07 15:31:02 0 d-----w- c:\windows\l2schemas
2010-06-07 15:31:01 0 d-----w- c:\windows\system32\en
2010-06-07 15:31:01 0 d-----w- c:\windows\system32\bits
2010-06-07 03:45:21 0 d-sh--w- c:\documents and settings\gpeterso\IECompatCache
2010-06-07 03:44:37 0 d-sh--w- c:\documents and settings\gpeterso\PrivacIE
2010-06-07 03:39:13 0 d-sh--w- c:\documents and settings\gpeterso\IETldCache
2010-06-07 03:34:15 0 dc-h--w- c:\windows\ie8
2010-06-04 22:43:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-04 16:24:48 0 d-----w- c:\program files\Webroot
2010-06-04 16:22:56 164 ----a-w- c:\windows\install.dat
2010-06-04 04:31:00 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-03 23:25:17 0 d-----w- c:\docume~1\gpeterso\applic~1\Malwarebytes
2010-06-03 23:25:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-03 17:40:19 0 d-----w- c:\program files\Lavasoft
2010-06-03 17:33:58 0 dc----w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

==================== Find3M ====================

2010-05-26 17:28:46 236884 ----a-w- c:\windows\system32\nvModes.dat
2010-05-06 00:24:52 796672 ----a-w- c:\windows\GPInstall.exe
2010-03-26 15:30:43 1179136 ----a-w- c:\windows\system32\AutoPartNt.exe

============= FINISH: 8:55:19.09 ===============

Blade81
2010-06-13, 19:14
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"400:TCP"=-
"401:TCP"=-
"402:TCP"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. How's the system running?
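
The CFScript above uses REGEDIT's `"name"=-` delete syntax to drop four entries from the firewall's GloballyOpenPorts list. The following is an added example, not code from this thread, from ComboFix or from its author, that parses the REGEDIT4-style firewall section as ComboFix dumps it, reports any machine-wide open port that is not on an allowlist, and emits the matching Registry:: block. SAMPLE_LOG is a constructed snapshot modelled on the "Reg Loading Points" section of the ComboFix log in this thread; the data after each "=" is illustrative, and the allowlist of expected ports is an assumption you would replace with your own.

```python
"""Audit the Windows Firewall 'GloballyOpenPorts' list as ComboFix/DDS dump it.

Added example; not code from the thread or from ComboFix. SAMPLE_LOG is a
constructed snapshot modelled on a ComboFix 'Reg Loading Points' section and
includes the four entries the helper's CFScript deletes.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, protocol), e.g. (135, "TCP")

# Constructed sample: only the value names (port:protocol) matter to the checks.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*:Enabled:constructed-sample
"400:TCP"= 400:TCP:*:Enabled:constructed-sample
"401:TCP"= 401:TCP:*:Enabled:constructed-sample
"402:TCP"= 402:TCP:*:Enabled:constructed-sample
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
PORT_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP)$", re.IGNORECASE)


def parse_reg_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse REGEDIT4-style '[key]' / '"name"=data' lines into {key: [(name, data)]}."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data")))
    return sections


def globally_open_ports(sections: Dict[str, List[Tuple[str, str]]]) -> List[Port]:
    """Return every (port, proto) listed under a ...\\GloballyOpenPorts\\List key."""
    found: List[Port] = []
    for key, values in sections.items():
        if not key.lower().endswith("globallyopenports\\list"):
            continue
        for name, _data in values:
            m = PORT_RE.match(name)
            if m:
                found.append((int(m.group("port")), m.group("proto").upper()))
    return found


def unexpected_ports(ports: List[Port], expected: Set[Port]) -> List[Port]:
    """Ports opened machine-wide that are not on the administrator's allowlist."""
    return sorted(p for p in ports if p not in expected)


def cfscript_for(ports: List[Port]) -> str:
    """Build the Registry:: block that deletes the given entries, using the
    REGEDIT '"name"=-' delete syntax the helper's CFScript uses."""
    key = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\standardprofile\GloballyOpenPorts\List]")
    lines = ["Registry::", key]
    lines += [f'"{port}:{proto}"=-' for port, proto in ports]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed allowlist: only the ActiveSync entry is expected on this machine.
    secs = parse_reg_sections(SAMPLE_LOG)
    bad = unexpected_ports(globally_open_ports(secs), {(26675, "TCP")})
    print("unexpected globally open ports:", bad)
    print(cfscript_for(bad))
```

Run it against the "Reg Loading Points" section of a real ComboFix log (copy the firewall keys into SAMPLE_LOG or read them from a file) with an allowlist of the ports you know the machine needs; anything else in GloballyOpenPorts is worth explaining before the script's output is handed to ComboFix, since every entry there is reachable from any address unless a scope is set.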

gpeterso
2010-06-13, 23:08
ComboFix 10-06-12.03 - gpeterso 06/13/2010 9:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1015 [GMT -7:00]
Running from: c:\documents and settings\gpeterso\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gpeterso\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 14:23 . 2010-06-13 14:23 -------- d--h--w- c:\windows\$hf_mig$
2010-06-13 14:23 . 2010-06-13 14:23 -------- d-----w- c:\windows\LastGood
2010-06-11 15:21 . 2004-10-19 09:18 27519 ----a-r- c:\windows\system32\drivers\RTL8150.SYS
2010-06-08 20:28 . 2010-06-08 20:29 -------- d-----w- c:\program files\ERUNT
2010-06-08 15:58 . 2010-06-08 15:58 2203648 ---ha-w- C:\SZKGFS.dat
2010-06-08 15:56 . 2010-06-08 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-08 15:55 . 2010-06-08 15:55 -------- d-----w- c:\program files\STOPzilla!
2010-06-08 15:55 . 2010-06-08 15:55 -------- d-----w- c:\program files\Common Files\iS3
2010-06-08 15:55 . 2010-06-13 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-07 15:40 . 2010-06-07 15:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\scripting
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\l2schemas
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\en
2010-06-07 15:31 . 2010-06-07 15:31 -------- d-----w- c:\windows\system32\bits
2010-06-07 03:45 . 2010-06-07 03:45 -------- d-sh--w- c:\documents and settings\gpeterso\IECompatCache
2010-06-07 03:44 . 2010-06-07 03:44 -------- d-sh--w- c:\documents and settings\gpeterso\PrivacIE
2010-06-07 03:41 . 2010-06-07 03:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-07 03:39 . 2010-06-07 03:39 -------- d-sh--w- c:\documents and settings\gpeterso\IETldCache
2010-06-07 03:39 . 2010-06-07 03:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-07 03:34 . 2010-06-07 03:36 -------- dc-h--w- c:\windows\ie8
2010-06-04 22:43 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-04 22:43 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-04 22:43 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-04 22:43 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-04 22:43 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-04 22:43 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-04 22:43 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-04 22:43 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-04 22:43 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-04 22:43 . 2010-06-04 22:43 -------- d-----w- c:\program files\Alwil Software
2010-06-04 22:43 . 2010-06-04 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-04 16:24 . 2010-06-04 16:24 -------- d-----w- c:\program files\Webroot
2010-06-04 16:22 . 2010-06-04 16:23 164 ----a-w- c:\windows\install.dat
2010-06-04 04:58 . 2010-06-04 04:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-04 04:31 . 2010-06-04 04:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-03 23:25 . 2010-06-03 23:25 -------- d-----w- c:\documents and settings\gpeterso\Application Data\Malwarebytes
2010-06-03 23:25 . 2010-06-03 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 17:40 . 2010-06-03 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-03 17:40 . 2010-06-03 17:40 -------- d-----w- c:\program files\Lavasoft
2010-06-03 17:33 . 2010-06-04 04:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 17:07 . 2010-06-13 14:06 1072 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-13 14:18 . 2010-06-13 14:06 1824 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-13 14:03 . 2006-06-08 19:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-06-13 14:03 . 2006-06-08 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-06-09 04:04 . 2007-07-25 22:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-06-09 04:03 . 2006-06-08 20:11 -------- d-----w- c:\documents and settings\gpeterso\Application Data\VMware
2010-06-07 15:44 . 2010-06-07 15:44 7006 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-07 15:43 . 2006-05-30 05:05 88232 ----a-w- c:\documents and settings\gpeterso\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 15:33 . 2006-05-02 21:01 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-04 22:42 . 2006-05-02 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 22:41 . 2006-05-02 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 22:40 . 2009-03-11 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-04 04:30 . 2006-06-20 16:13 -------- d-----w- c:\program files\Common Files\Rockwell
2010-05-26 17:28 . 2006-05-02 21:41 236884 ----a-w- c:\windows\system32\nvModes.dat
2010-05-21 18:12 . 2008-06-27 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell Automation
2010-05-14 15:01 . 2006-09-13 16:16 -------- d-----w- c:\documents and settings\gpeterso\Application Data\webex
2010-05-12 22:35 . 2006-06-20 16:14 -------- d-----w- c:\program files\Rockwell Software
2010-05-06 00:25 . 2006-05-31 16:00 -------- d-----w- c:\program files\EMS
2010-05-06 00:24 . 2006-05-31 16:00 796672 ----a-w- c:\windows\GPInstall.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_4ae13d6c.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_2cd672ae.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_294823.exe
2010-04-29 17:22 . 2010-04-29 17:22 11502 ----a-r- c:\documents and settings\gpeterso\Application Data\Microsoft\Installer\{21A64408-0069-47D2-88F0-7D3C9605FD5A}\_18be6784.exe
2010-03-26 15:30 . 2010-03-26 15:30 1179136 ----a-w- c:\windows\system32\AutoPartNt.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-13_14.18.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-20 15:22 . 2010-06-13 14:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-20 15:22 . 2010-06-08 17:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-20 15:22 . 2010-06-13 14:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-20 15:22 . 2010-06-08 17:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-13 15:16 . 2010-06-13 14:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-20 15:22 . 2010-06-08 17:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-17 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-05-19 1106344]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-05-19 1848150]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-05-19 126976]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-17 40960]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-05 176216]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-29 434176]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"CC_AgentToolbarReminder"="c:\program files\CC_AgentToolbarReminder\CC_AgentToolbarReminder.exe" [2010-02-11 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-28 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-6-20 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\netdde.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxNG.exe"=
"c:\\Program Files\\Rockwell Software\\RSLinx Enterprise\\RSLinxShortcutAOA.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\ShoreTel\\Contact Center\\Agent\\Bin\\nprocess.exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"c:\\Program Files\\Common Files\\Rockwell\\countermonitor.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Rockwell Software\\RSView\\sptddssv32.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\SptFTServer.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\sptddeex32.exe"=
"c:\\Program Files\\Rockwell Software\\RSView\\MonitorRemoteProcesses.exe"=
"c:\\Program Files\\Rockwell Software\\RDM\\Cmeopc32.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RSViewLogServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RSVWHist.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmCliSrvWrap.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmMpx.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlarmQB.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\AlmSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandCliSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandCliTagHMIService.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\CommandErrorLogSrv.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DatalogServ.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DerivedTags.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DisplayClient.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DlgRdRp.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\DlgRdServ.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\EventDetector.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\ServerFramework.exe"=
"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAeServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmMux.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaAlarmDetector.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/4/2010 3:43 PM 164048]
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [7/20/2007 10:59 AM 63508]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/4/2010 3:43 PM 19024]
R2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/18/2007 12:29 AM 61440]
R2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/18/2007 12:29 AM 143360]
R2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [6/11/2009 8:16 AM 222496]
R2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [6/11/2009 8:16 AM 222496]
R2 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/18/2007 12:32 AM 270336]
R2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 3:27 PM 753664]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 9:21 PM 491520]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [6/11/2009 8:15 AM 222496]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:49 PM 135664]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [7/20/2007 10:59 AM 102400]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [5/30/2007 4:34 PM 39424]
S3 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/18/2009 8:18 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/18/2009 8:18 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/18/2009 8:18 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/18/2009 8:18 PM 59776]
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 10:35 PM 77824]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [7/20/2007 10:59 AM 98304]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 11:41 AM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 11:42 AM 73856]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [6/11/2010 8:21 AM 27519]
.
Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:49]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rockwellautomation.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.ncelec.com/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000020

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020

[HKEY_USERS\S-1-5-21-1085031214-484061587-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\DesktopAppInstall\oemDesktop3]
"Name"="oemDesktop3"
"DisplayName"="QuickTime Player"
"Param1"="\\EXTRAS\\DESKTOP\\QuickTimePlayer\\QuickTimeInstaller.exe"
"Param2"=""
"Type"="createprocess"
"Order"=dword:00000000
"State"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1496)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(5032)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-06-13 10:20:43
ComboFix-quarantined-files.txt 2010-06-13 17:20
ComboFix2.txt 2010-06-13 14:21

Pre-Run: 168,730,292,224 bytes free
Post-Run: 168,696,815,616 bytes free

- - End Of File - - 39EDCE56205B3CB48DC67E210BD128B9

gpeterso
2010-06-13, 23:09
Uninstalled Adobe, running Kaspersky now.

gpeterso
2010-06-14, 07:30
Got BSoD at about 75% of Kaspersky scan, what to do??

Blade81
2010-06-14, 10:29
Hi,

Could you give Kaspersky scanner another attempt?

Blade81
2010-06-19, 12:59
Still there, gpeterso?

Blade81
2010-06-24, 21:15
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.