Hello,
Picked up malware yesterday called tinyproxy.exe that NAV caught and blocked. However, now my google searches are being redirected.

I've run Ad-aware with latest definitions, problem is still there.

I'm running WinXP, IE 7, Norton AV 2008

Following is current HJT log. Thank you for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:54 AM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/bizcenter-o
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2098F239-F08E-4840-9F81-B758A4971D83} - http://www.batesville.com/us/setup.cab
O16 - DPF: {3F807625-B32A-498F-9010-7ABB2BB5D3B3} - http://www.batesville.com/us/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.a...meInstaller.exe
O16 - DPF: {5A3AD060-E5D9-4DEF-8E77-B44336153FD9} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://ccgfalmouth.dyndns.org/Remote/msrdp.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8B2BE470-543C-4662-8536-54D191F82675} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://68.160.177.202:10367/tsweb/msrdp.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {BB707357-1966-4198-B14B-1F8156D79B98} - http://www.batesville.com/us/setup.cab
O16 - DPF: {CFC1C622-8C5B-4683-A64F-5A964EE397E1} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.gpjco.com/dwa7W.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - (no file)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE (file missing)

--
End of file - 10271 bytes

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Here is report.txt from SDfix. logfile from Lop S&D will follow shortly. Thanks!


SDFix: Version 1.240
Run by Owner on Sat 11/08/2008 at 10:54 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\WINDOWS\system32\890166 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 11:11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
"C:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"="C:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe:*:Enabled:Microsoft FrontPage Explorer"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 4 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Nov 2008 8,448 ..SHR --- "C:\RECYCLER\S-1-5-21-3499916212-2805738209-4071888707-1003\Dc517\tinyproxy.exe"
Fri 7 Nov 2008 29,696 A..H. --- "C:\System Volume Information\_restore{CBC2C510-007E-49FC-B319-B551940A2A56}\RP929\A0090266.exe"
Fri 7 Nov 2008 29,696 A..H. --- "C:\System Volume Information\_restore{CBC2C510-007E-49FC-B319-B551940A2A56}\RP930\A0090267.exe"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sat 4 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 21 Mar 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 4 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Tue 25 Oct 2005 19,456 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL0005.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL0493.tmp"
Tue 25 Oct 2005 20,992 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL0551.tmp"
Tue 25 Oct 2005 19,456 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL1174.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL1835.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL2066.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL3695.tmp"
Tue 25 Oct 2005 20,992 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Job_Search\~WRL3958.tmp"
Thu 12 Jul 2001 35,328 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL0004.tmp"
Sun 25 Jan 2004 52,736 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL0005.tmp"
Thu 12 Jul 2001 35,328 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL1301.tmp"
Sun 25 Jan 2004 40,448 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL1321.tmp"
Sun 25 Jan 2004 42,496 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL2530.tmp"
Sun 25 Jan 2004 48,640 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL2648.tmp"
Sun 25 Jan 2004 44,032 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL2938.tmp"
Sun 25 Jan 2004 40,960 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL3583.tmp"
Thu 12 Jul 2001 35,840 A..H. --- "C:\Documents and Settings\Owner\Desktop\HEY KIM! OLD FILES ARE HERE!\Kim\Work\~WRL3620.tmp"

Finished!

Here is log from Lop S&D. Thanks again!


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 Mobile CPU 1.40GHz )
BIOS : Insyde Software MobilePRO BIOS Version 4.00.01
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : Norton AntiVirus 15.5.0.23 (Not Activated)
Firewall : Norton AntiVirus 15.5.0.23 (Activated)
C:\ (Local Disk) - NTFS - Total:27 Go (Free:9 Go)
D:\ (USB)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Sat 11/08/2008|11:41 )

--------------------\\ Listing folders in APPLIC~1

[02/09/2008|07:44] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Adobe
[05/14/2006|11:25] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[06/06/2005|06:21] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[08/06/2007|07:07] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Intuit
[11/07/2008|09:17] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[03/12/2007|09:16] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[04/04/2007|08:21] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Nero
[11/21/2002|10:11] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[04/11/2002|09:16] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> SBSI
[03/21/2006|09:34] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[08/31/2008|07:16] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Symantec
[03/09/2007|09:25] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[10/06/2002|05:09] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Visual Networks
[02/04/2006|09:13] C:\DOCUME~2\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[04/11/2002|08:43] C:\DOCUME~2\DEFAUL~1\APPLIC~1\<DIR> Adobe
[04/11/2002|08:28] C:\DOCUME~2\DEFAUL~1\APPLIC~1\<DIR> Identities
[04/11/2002|08:43] C:\DOCUME~2\DEFAUL~1\APPLIC~1\<DIR> InterTrust
[04/11/2002|08:13] C:\DOCUME~2\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[04/11/2002|09:19] C:\DOCUME~2\DEFAUL~1\APPLIC~1\<DIR> Symantec

[04/11/2002|08:43] C:\DOCUME~2\Guest\APPLIC~1\<DIR> Adobe
[04/11/2002|08:28] C:\DOCUME~2\Guest\APPLIC~1\<DIR> Identities
[04/11/2002|08:43] C:\DOCUME~2\Guest\APPLIC~1\<DIR> InterTrust
[03/24/2008|02:31] C:\DOCUME~2\Guest\APPLIC~1\<DIR> Microsoft
[04/11/2002|09:19] C:\DOCUME~2\Guest\APPLIC~1\<DIR> Symantec

[06/08/2002|01:00] C:\DOCUME~2\LOCALS~1\APPLIC~1\<DIR> Microsoft

[04/11/2002|08:13] C:\DOCUME~2\NETWOR~1\APPLIC~1\<DIR> Microsoft

[07/18/2008|01:09] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Adobe
[12/09/2007|12:38] C:\DOCUME~2\Owner\APPLIC~1\<DIR> AdobeUM
[04/04/2007|08:42] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Ahead
[04/05/2006|03:23] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Allume Systems
[08/12/2002|06:06] C:\DOCUME~2\Owner\APPLIC~1\<DIR> CyberLink
[07/01/2002|11:01] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Help
[04/11/2002|08:28] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Identities
[08/12/2002|07:21] C:\DOCUME~2\Owner\APPLIC~1\<DIR> InterVideo
[08/06/2007|07:00] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Intuit
[02/28/2006|09:28] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Lavasoft
[04/04/2007|05:03] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Leadertech
[01/15/2004|08:38] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Macromedia
[12/09/2007|01:03] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Microsoft
[06/19/2006|09:01] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Sun
[02/24/2007|12:32] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Symantec
[08/06/2002|11:16] C:\DOCUME~2\Owner\APPLIC~1\<DIR> VERITAS
[03/09/2007|09:25] C:\DOCUME~2\Owner\APPLIC~1\<DIR> Viewpoint

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[11/04/2008 07:10 AM][--a------] C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
[11/08/2008 11:04 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/18/2001 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/13/2006|08:47] C:\Program Files\<DIR> 3DGroove
[07/03/2008|01:53] C:\Program Files\<DIR> Adobe
[10/02/2002|07:57] C:\Program Files\<DIR> Adobe Type Manager
[04/05/2006|03:21] C:\Program Files\<DIR> Allume Systems
[09/01/2002|04:49] C:\Program Files\<DIR> ArcSoft
[03/15/2004|03:51] C:\Program Files\<DIR> Batesville
[05/14/2006|10:07] C:\Program Files\<DIR> Burncdcc
[08/23/2002|01:39] C:\Program Files\<DIR> Canon
[10/05/2003|10:53] C:\Program Files\<DIR> CDCheck
[11/07/2008|09:14] C:\Program Files\<DIR> Common Files
[04/11/2002|08:20] C:\Program Files\<DIR> ComPlus Applications
[03/21/2006|09:36] C:\Program Files\<DIR> CyberLink
[10/25/2005|06:50] C:\Program Files\<DIR> Directors Tribute Creator
[04/11/2002|09:00] C:\Program Files\<DIR> Games
[11/07/2007|07:52] C:\Program Files\<DIR> Hewlett-Packard
[04/21/2008|07:36] C:\Program Files\<DIR> Hooked on Phonics Learning
[04/11/2002|08:33] C:\Program Files\<DIR> HP
[12/26/2002|09:06] C:\Program Files\<DIR> HP DLA
[02/06/2004|03:30] C:\Program Files\<DIR> HP RecordNow
[09/02/2007|08:51] C:\Program Files\<DIR> InstallShield Installation Information
[01/01/2004|02:54] C:\Program Files\<DIR> InterActual
[10/15/2008|02:08] C:\Program Files\<DIR> Internet Explorer
[04/11/2002|08:44] C:\Program Files\<DIR> InterVideo
[06/19/2006|08:57] C:\Program Files\<DIR> Java
[11/07/2008|09:15] C:\Program Files\<DIR> Lavasoft
[05/14/2006|10:39] C:\Program Files\<DIR> LiveUpdate
[06/07/2002|05:31] C:\Program Files\<DIR> MapInfo MapX
[08/16/2008|02:14] C:\Program Files\<DIR> Messenger
[04/12/2002|12:39] C:\Program Files\<DIR> Microsoft ActiveSync
[09/14/2002|01:20] C:\Program Files\<DIR> microsoft frontpage
[11/24/2006|01:42] C:\Program Files\<DIR> Microsoft IntelliPoint
[10/28/2008|01:22] C:\Program Files\<DIR> Microsoft Office
[05/14/2006|10:51] C:\Program Files\<DIR> mobile PhoneTools
[10/06/2002|05:07] C:\Program Files\<DIR> Motive
[04/23/2006|07:51] C:\Program Files\<DIR> Motorola
[03/12/2007|08:00] C:\Program Files\<DIR> Movie Maker
[10/28/2008|01:21] C:\Program Files\<DIR> MSECache
[12/24/2005|10:04] C:\Program Files\<DIR> MSN Apps
[04/11/2002|08:19] C:\Program Files\<DIR> MSN Gaming Zone
[12/24/2005|10:02] C:\Program Files\<DIR> MSN Messenger
[03/07/2005|07:29] C:\Program Files\<DIR> MsnMusic
[03/30/2007|02:32] C:\Program Files\<DIR> MSXML 4.0
[04/11/2002|08:59] C:\Program Files\<DIR> MusicMatch
[04/04/2007|08:21] C:\Program Files\<DIR> Nero
[03/12/2007|07:53] C:\Program Files\<DIR> NetMeeting
[05/13/2008|02:31] C:\Program Files\<DIR> Norton AntiVirus
[04/15/2006|02:58] C:\Program Files\<DIR> NoteWorthy Composer
[02/24/2004|07:49] C:\Program Files\<DIR> OfficeUpdate11
[06/10/2002|10:25] C:\Program Files\<DIR> ORiNOCO
[06/02/2008|06:27] C:\Program Files\<DIR> Outlook Express
[05/08/2006|10:08] C:\Program Files\<DIR> Outlook Express Backup Wizard
[04/19/2004|08:16] C:\Program Files\<DIR> PowerPoint Viewer
[04/11/2002|09:05] C:\Program Files\<DIR> QuickenFC
[10/26/2008|07:41] C:\Program Files\<DIR> QUICKENW
[11/05/2004|07:00] C:\Program Files\<DIR> QuickTime
[08/28/2007|09:47] C:\Program Files\<DIR> S3
[08/29/2004|07:18] C:\Program Files\<DIR> Samsung
[07/05/2002|05:44] C:\Program Files\<DIR> Seagate Software
[10/22/2004|06:50] C:\Program Files\<DIR> Snapshot Viewer
[03/21/2006|09:34] C:\Program Files\<DIR> Spybot - Search & Destroy
[08/23/2008|06:08] C:\Program Files\<DIR> Symantec
[11/08/2008|12:01] C:\Program Files\<DIR> Trend Micro
[07/17/2003|09:39] C:\Program Files\<DIR> Uninstall Information
[12/16/2005|11:32] C:\Program Files\<DIR> Verizon Wireless
[03/07/2005|12:10] C:\Program Files\<DIR> Viewpoint
[07/19/2008|02:37] C:\Program Files\<DIR> Virtools
[07/19/2008|02:35] C:\Program Files\<DIR> Virtools Web Player 3.5
[09/02/2007|08:51] C:\Program Files\<DIR> VTech
[04/23/2006|07:51] C:\Program Files\<DIR> WIBUKEY
[04/23/2006|07:51] C:\Program Files\<DIR> WIBU-SYSTEMS
[03/30/2007|02:19] C:\Program Files\<DIR> Windows Media Player
[03/12/2007|07:52] C:\Program Files\<DIR> Windows NT
[05/13/2008|07:33] C:\Program Files\<DIR> Windows Sidebar
[02/04/2006|08:57] C:\Program Files\<DIR> WindowsUpdate
[07/21/2007|01:23] C:\Program Files\<DIR> WinZip
[04/11/2002|08:24] C:\Program Files\<DIR> xerox
[04/05/2006|03:27] C:\Program Files\<DIR> X-Fonter

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/09/2008|07:44] C:\Program Files\Common Files\<DIR> Adobe
[04/04/2007|08:24] C:\Program Files\Common Files\<DIR> Ahead
[04/12/2002|12:38] C:\Program Files\Common Files\<DIR> Designer
[04/23/2006|07:50] C:\Program Files\Common Files\<DIR> InstallShield
[08/06/2007|07:03] C:\Program Files\Common Files\<DIR> Intuit
[06/19/2006|08:55] C:\Program Files\Common Files\<DIR> Java
[10/28/2008|01:22] C:\Program Files\Common Files\<DIR> Microsoft Shared
[10/06/2002|05:06] C:\Program Files\Common Files\<DIR> Motive
[04/11/2002|08:21] C:\Program Files\Common Files\<DIR> MSSoap
[04/11/2002|08:14] C:\Program Files\Common Files\<DIR> ODBC
[08/06/2007|07:03] C:\Program Files\Common Files\<DIR> Palo Alto Software
[08/21/2002|06:08] C:\Program Files\Common Files\<DIR> Pervasive Software
[04/11/2002|08:21] C:\Program Files\Common Files\<DIR> Services
[04/11/2002|08:14] C:\Program Files\Common Files\<DIR> SpeechEngines
[11/07/2008|12:19] C:\Program Files\Common Files\<DIR> Symantec Shared
[06/02/2008|06:27] C:\Program Files\Common Files\<DIR> System
[07/02/2002|07:55] C:\Program Files\Common Files\<DIR> Vbox
[11/07/2008|09:14] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 40 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~2\Owner\Cookies\owner@greatermediaboston.advertserve[1].txt
C:\DOCUME~2\Owner\Cookies\owner@jra.advertserve[1].txt
C:\DOCUME~2\Owner\Cookies\owner@advertising[2].txt
C:\DOCUME~2\Owner\Cookies\owner@lasvegassun[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 11:43:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ KoobFace !

C:\WINDOWS\fmark2.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~2\Owner\Cookies\owner@crackberry[1].txt
C:\DOCUME~2\Owner\Cookies\owner@forums.crackberry[1].txt
C:\DOCUME~2\Owner\Local Settings\Temporary Internet Files\Content.IE5\GCJGQGRP\crackberry-logo-wall-on[1].jpg
C:\DOCUME~2\Owner\Local Settings\Temporary Internet Files\Content.IE5\YVQ9CX1N\crackberry-logo-forums-on[1].jpg


[F:17][D:268]-> C:\DOCUME~2\Owner\LOCALS~1\Temp
[F:1713][D:0]-> C:\DOCUME~2\Owner\Cookies
[F:17887][D:29]-> C:\DOCUME~2\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sat 11/08/2008|11:46 - Option : [1]

--------------------\\ Scan completed at 11:46:15

Hello

Please download the OTMoveIt3 by OldTimer or from here.

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  C:\RECYCLER\S-1-5-21-3499916212-2805738209-4071888707-1003\Dc517\tinyproxy.exe
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]
  
  
• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OTMoveIt3 log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\RECYCLER\S-1-5-21-3499916212-2805738209-4071888707-1003\Dc517\tinyproxy.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~2\Owner\LOCALS~1\Temp\~DFBF36.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~2\Owner\LOCALS~1\Temp\~DFBF55.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet

Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETEDB9.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11082008_131725

Files moved on Reboot...
File C:\DOCUME~2\Owner\LOCALS~1\Temp\~DFBF36.tmp not found!
File C:\DOCUME~2\Owner\LOCALS~1\Temp\~DFBF55.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet

Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\JETEDB9.tmp not found!


Combofix log:

ComboFix 08-11-07.01 - Owner 2008-11-08 13:40:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\fmark2.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-08 13:14 . 2008-11-08 13:14 <DIR> d-------- C:\_OTMoveIt
2008-11-08 11:40 . 2008-11-08 11:46 <DIR> d-------- C:\Lop SD
2008-11-08 10:45 . 2008-11-08 10:46 <DIR> d-------- c:\windows\ERUNT
2008-11-08 10:38 . 2008-11-08 11:30 <DIR> d-------- C:\SDFix
2008-11-08 00:01 . 2008-11-08 00:01 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 21:15 . 2008-11-07 21:15 <DIR> d-------- c:\program files\Lavasoft
2008-11-07 21:15 . 2008-11-07 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-07 21:14 . 2008-11-07 21:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 12:18 . 2008-11-07 14:00 1 ---h----- c:\windows\f49f4daa.dat
2008-10-28 13:21 . 2008-10-28 13:21 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 17:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-27 00:41 --------- d-----w c:\program files\QUICKENW
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 23:08 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:00 2,180,352 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,057,728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2007-11-25 01:38 66,808 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP TV Now"="c:\program files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 237568]
"HP Display Settings"="c:\program files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 61440]
"CP4HPOT"="c:\progra~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 90112]
"hp Silent Service"="c:\windows\system32\HpSrvUI.exe" [2001-11-29 32768]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 20480]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 52736]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-05 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"S3TRAY2"="S3tray2.exe" [2003-09-09 c:\windows\system32\S3tray2.exe]
"EssSpkPhone"="essspk.exe" [2002-05-31 c:\windows\essspk.exe]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ORiNOCO Client Manager.lnk - c:\program files\ORiNOCO\Client Manager\CmLUC.exe [2002-07-22 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 09:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 MLPTDR_J;MLPTDR_J;c:\windows\System32\MLPTDR_J.sys [2003-01-30 19904]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\Drivers\WBSD.SYS [2002-03-31 24320]
R3 wlluc48b;ORINOCO PC Card Driver;c:\windows\system32\DRIVERS\wlluc48b.sys [2002-07-15 156672]
S3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 S3chipid;S3chipid;c:\windows\TEMP\_ISTMP0.DIR\S3chipid.sys [ ]
S3 wlags48b;Agere Wireless PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2003-01-09 163328]
S3 WrKPoET2000;WrKPoET2000;c:\program files\Verizon Online\WinPoET\WrKPoET2000.sys [ ]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPLaptopGamesActiveMenu - c:\program files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://srch-us4nb.hpwis.com/
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://srch-us4nb.hpwis.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local;<local>
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:9090
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {2098F239-F08E-4840-9F81-B758A4971D83} - hxxp://www.batesville.com/us/setup.cab
c:\windows\Downloaded Program Files\Setup.inf

O16 -: {3F807625-B32A-498F-9010-7ABB2BB5D3B3} - hxxp://www.batesville.com/us/install.cab
c:\windows\Downloaded Program Files\Setup.inf

O16 -: {5A3AD060-E5D9-4DEF-8E77-B44336153FD9} - hxxp://www.batesville.com/dlb/setup.cab
c:\windows\Downloaded Program Files\Setup.inf

O16 -: {8B2BE470-543C-4662-8536-54D191F82675} - hxxp://www.batesville.com/dlb/setup.cab
c:\windows\Downloaded Program Files\Setup.inf

O16 -: {BB707357-1966-4198-B14B-1F8156D79B98} - hxxp://www.batesville.com/us/setup.cab
c:\windows\Downloaded Program Files\Setup.inf

O16 -: {CFC1C622-8C5B-4683-A64F-5A964EE397E1} - hxxp://www.batesville.com/dlb/setup.cab
c:\windows\Downloaded Program Files\Setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 13:44:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Error Reporting Service (ERSvc) ]
"ImagePath"=""
.
Completion time: 2008-11-08 13:49:42
ComboFix-quarantined-files.txt 2008-11-08 18:48:31

Pre-Run: 12,637,306,880 bytes free
Post-Run: 12,735,676,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

157 --- E O F --- 2008-10-29 07:05:26

Hello



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Rorschach112,
Had to go to in-laws for dinner. Will have the Combofix log for you ASAP.
Thanks!

Second Combofix log. Sorry for the delay.


ComboFix 08-11-07.01 - Owner 2008-11-08 14:58:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\f49f4daa.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\f49f4daa.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ERROR_REPORTING_SERVICE_(ERSVC)_
-------\Service_Error Reporting Service (ERSvc)


((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-08 13:14 . 2008-11-08 13:14 <DIR> d-------- C:\_OTMoveIt
2008-11-08 11:40 . 2008-11-08 11:46 <DIR> d-------- C:\Lop SD
2008-11-08 10:45 . 2008-11-08 10:46 <DIR> d-------- c:\windows\ERUNT
2008-11-08 10:38 . 2008-11-08 11:30 <DIR> d-------- C:\SDFix
2008-11-08 00:01 . 2008-11-08 00:01 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 21:15 . 2008-11-07 21:15 <DIR> d-------- c:\program files\Lavasoft
2008-11-07 21:15 . 2008-11-07 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-07 21:14 . 2008-11-07 21:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 13:21 . 2008-10-28 13:21 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 17:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-27 00:41 --------- d-----w c:\program files\QUICKENW
2007-11-25 01:38 66,808 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-11-08_13.47.42.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP TV Now"="c:\program files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 237568]
"HP Display Settings"="c:\program files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 61440]
"CP4HPOT"="c:\progra~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 90112]
"hp Silent Service"="c:\windows\system32\HpSrvUI.exe" [2001-11-29 32768]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 20480]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2001-07-19 52736]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-05 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"S3TRAY2"="S3tray2.exe" [2003-09-09 c:\windows\system32\S3tray2.exe]
"EssSpkPhone"="essspk.exe" [2002-05-31 c:\windows\essspk.exe]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ORiNOCO Client Manager.lnk - c:\program files\ORiNOCO\Client Manager\CmLUC.exe [2002-07-22 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 09:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 MLPTDR_J;MLPTDR_J;c:\windows\System32\MLPTDR_J.sys [2003-01-30 19904]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\Drivers\WBSD.SYS [2002-03-31 24320]
S3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\Drivers\BW2NDIS5.sys [ ]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 S3chipid;S3chipid;c:\windows\TEMP\_ISTMP0.DIR\S3chipid.sys [ ]
S3 wlags48b;Agere Wireless PCCard Driver;c:\windows\system32\DRIVERS\wlags48b.sys [2003-01-09 163328]
S3 wlluc48b;ORINOCO PC Card Driver;c:\windows\system32\DRIVERS\wlluc48b.sys [2002-07-15 156672]
S3 WrKPoET2000;WrKPoET2000;c:\program files\Verizon Online\WinPoET\WrKPoET2000.sys [ ]

*Newly Created Service* - ERROR_REPORTING_SERVICE_(ERSVC)_
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 15:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Error Reporting Service (ERSvc) ]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\HPConfig.exe
c:\windows\system32\RadioSvr.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-08 15:21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-08 20:21:11
ComboFix2.txt 2008-11-08 18:49:44

Pre-Run: 12,723,879,936 bytes free
Post-Run: 12,658,851,840 bytes free

129 --- E O F --- 2008-10-29 07:05:26

Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Hello Rorschach112,

The following is Malwarebytes log. Running Kaspersky scan now.

Thanks!

Malwarebytes' Anti-Malware 1.30
Database version: 1378
Windows 5.1.2600 Service Pack 2

11/9/2008 4:50:40 PM
mbam-log-2008-11-09 (16-50-40).txt

Scan type: Quick Scan
Objects scanned: 49425
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Post a new HJT log with the Kaspersky one

Here is Kasperky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 10:09:15
Records in database: 1376472
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 70983
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:41:30


File name / Threat name / Threats count
C:\SDFix\backups\890166\890166.dll Infected: not-a-virus:AdWare.Win32.E404.iy 1
C:\_OTMoveIt\MovedFiles\11082008_131725\RECYCLER\S-1-5-21-3499916212-2805738209-4071888707-1003\Dc517\tinyproxy.exe Infected: Trojan-Proxy.Win32.Agent.bcw 1

The selected area was scanned.

and here is HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:44 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/bizcenter-o
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2098F239-F08E-4840-9F81-B758A4971D83} - http://www.batesville.com/us/setup.cab
O16 - DPF: {3F807625-B32A-498F-9010-7ABB2BB5D3B3} - http://www.batesville.com/us/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.a...meInstaller.exe
O16 - DPF: {5A3AD060-E5D9-4DEF-8E77-B44336153FD9} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://ccgfalmouth.dyndns.org/Remote/msrdp.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8B2BE470-543C-4662-8536-54D191F82675} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://68.160.177.202:10367/tsweb/msrdp.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {BB707357-1966-4198-B14B-1F8156D79B98} - http://www.batesville.com/us/setup.cab
O16 - DPF: {CFC1C622-8C5B-4683-A64F-5A964EE397E1} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.gpjco.com/dwa7W.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - (no file)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE (file missing)

--
End of file - 9812 bytes

Hello

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Here is log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-09 20:59:35
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 12 GB (42%) free of 29 GB
Total RAM: 751 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:39 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/bizcenter-o
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2098F239-F08E-4840-9F81-B758A4971D83} - http://www.batesville.com/us/setup.cab
O16 - DPF: {3F807625-B32A-498F-9010-7ABB2BB5D3B3} - http://www.batesville.com/us/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.a...meInstaller.exe
O16 - DPF: {5A3AD060-E5D9-4DEF-8E77-B44336153FD9} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://ccgfalmouth.dyndns.org/Remote/msrdp.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {8B2BE470-543C-4662-8536-54D191F82675} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://68.160.177.202:10367/tsweb/msrdp.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {BB707357-1966-4198-B14B-1F8156D79B98} - http://www.batesville.com/us/setup.cab
O16 - DPF: {CFC1C622-8C5B-4683-A64F-5A964EE397E1} - http://www.batesville.com/dlb/setup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.gpjco.com/dwa7W.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - (no file)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE (file missing)

--
End of file - 9857 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-05-13 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll [2006-05-03 434279]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
ST - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll [2004-08-13 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"=C:\WINDOWS\system32\S3tray2.exe [2003-09-09 77824]
"HP TV Now"=C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe [2002-03-14 237568]
"HP Display Settings"=C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe [2002-03-07 61440]
"CP4HPOT"=C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE [2002-02-22 90112]
"hp Silent Service"=C:\Windows\system32\HpSrvUI.exe [2001-11-29 32768]
"hpScannerFirstBoot"=c:\hp\drivers\scanners\scannerfb.exe [2001-12-13 20480]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [2001-07-19 52736]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2002-03-14 102455]
"EssSpkPhone"=C:\WINDOWS\essspk.exe [2002-05-31 167936]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2004-11-05 98304]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"VTPreset"=C:\WINDOWS\system32\VTPreset.exe [2004-02-24 45056]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe [2006-05-03 36975]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-03-23 217088]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-09 153136]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-10-17 51048]
"osCheck"=C:\Program Files\Norton AntiVirus\osCheck.exe [2008-02-07 718704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-22 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ORiNOCO Client Manager.lnk - C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINDOWS\system32\PCANotify.dll [2002-02-15 24638]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Symantec\pcAnywhere\WINAW32.EXE"="C:\Program Files\Symantec\pcAnywhere\WINAW32.EXE:*:Enabled:pcAnywhere Main Program"
"C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE"="C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE:*:Enabled:pcAnywhere Host Service"
"C:\Program Files\Symantec\pcAnywhere\awrem32.exe"="C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Enabled:pcAnywhere Remote Service"
"C:\Program Files\microsoft frontpage\bin\fpexplor.exe"="C:\Program Files\microsoft frontpage\bin\fpexplor.exe:*:Enabled:Microsoft FrontPage Explorer"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

======List of files/folders created in the last 1 months======

2008-11-09 20:59:35 ----D---- C:\rsit
2008-11-09 16:42:39 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-11-09 16:42:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-09 16:42:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-08 15:21:27 ----A---- C:\ComboFix.txt
2008-11-08 13:35:39 ----A---- C:\Boot.bak
2008-11-08 13:35:19 ----RASHD---- C:\cmdcons
2008-11-08 13:32:42 ----A---- C:\WINDOWS\zip.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\VFIND.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\SWSC.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\SWREG.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\sed.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\grep.exe
2008-11-08 13:32:42 ----A---- C:\WINDOWS\fdsv.exe
2008-11-08 13:32:35 ----D---- C:\WINDOWS\ERDNT
2008-11-08 13:32:35 ----D---- C:\Qoobox
2008-11-08 13:14:58 ----D---- C:\_OTMoveIt
2008-11-08 11:41:14 ----A---- C:\lopR.txt
2008-11-08 11:40:49 ----D---- C:\Lop SD
2008-11-08 10:45:59 ----D---- C:\WINDOWS\ERUNT
2008-11-08 10:43:35 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-08 10:38:44 ----D---- C:\SDFix
2008-11-08 00:01:46 ----D---- C:\Program Files\Trend Micro
2008-11-07 21:15:23 ----D---- C:\Program Files\Lavasoft
2008-11-07 21:15:21 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-07 21:14:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-28 13:21:41 ----D---- C:\Program Files\MSECache
2008-10-24 02:01:51 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-15 02:09:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 02:09:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 02:09:02 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 02:07:02 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 02:05:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$

======List of files/folders modified in the last 1 months======

2008-11-09 20:59:24 ----D---- C:\WINDOWS\Prefetch
2008-11-09 16:55:28 ----D---- C:\WINDOWS\Temp
2008-11-09 16:42:35 ----D---- C:\WINDOWS\system32\drivers
2008-11-09 16:42:31 ----AD---- C:\Program Files
2008-11-09 16:37:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-09 16:37:13 ----A---- C:\WINDOWS\ModemLog_ESS SuperLink-M Data Fax Voice Modem.txt
2008-11-09 12:45:50 ----A---- C:\WINDOWS\SchedLgU.Txt