Resolved HJT Threads: Resolved spyware and popup issues.
07-09-2009, 03:51 PM #1
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: XP


Browser Hijacked

I am getting redirected on each search result selected. I am attaching the requested log files.

Thank You.


DDS (Ver_09-06-26.01) - NTFSx86
Run by KaseyW at 16:40:21.60 on 07/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3060.2037 [GMT -5:00]


============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
c:\drivers\audio\r190031\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\windows\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apntex.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\crypserv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\Prot_srv.exe
C:\windows\system32\pstartSr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200808010926\win32\x86\eclipse.exe
C:\Program Files\lotus\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20081029a-200812291355\jre\bin\notes2w.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\KaseyW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.millimanbrc.com/signin.asp
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4080826
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080826
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [SysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [Pointsec Tray] "c:\program files\pointsec\pointsec for pc\P95Tray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AESTFltr] "%SystemRoot%\system32\AESTFltr.exe" /NoDlg
uExplorerRun: [1] \\dalnas2\software\scheduler\scheduler.hta
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = aim.exe
uPolicies-disallowrun: 2 = googletalk.exe
uPolicies-disallowrun: 3 = googletalk-setup.exe
uPolicies-disallowrun: 4 = icq.exe
uPolicies-disallowrun: 5 = icq5_setup.exe
uPolicies-disallowrun: 6 = install_aim.exe
uPolicies-disallowrun: 7 = install_msn_messenger.exe
uPolicies-disallowrun: 8 = msgr7us.exe
uPolicies-disallowrun: 9 = msnmsgr.exe
uPolicies-disallowrun: 10 = paltalk.exe
uPolicies-disallowrun: 11 = ymsgr7us.exe
uPolicies-disallowrun: 12 = ypager.exe
uPolicies-disallowrun: 13 = yupdate.exe
uPolicies-disallowrun: 14 = yupdater.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
DPF: FirstViewer - hxxp://204.64.21.87/PlansOnline/Components/FirstVwr.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241111632454
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kaseyw\applic~1\mozilla\firefox\profiles\tirgpbhf.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.millimanbrc.com/signin.asp
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2008-2-12 220096]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-1-29 2235760]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-1-29 47504]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2008-2-12 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2008-2-12 145984]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-1-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-1-29 673872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-8-25 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-8-25 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-8-25 244368]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2007-8-28 191104]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-09 13:13 <DIR> --d----- c:\docume~1\kaseyw\applic~1\smkits
2009-07-09 12:41 <DIR> --d----- C:\GMER
2009-07-09 12:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-09 12:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-09 12:12 <DIR> --d----- c:\docume~1\kaseyw\applic~1\SUPERAntiSpyware.com
2009-07-09 11:04 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-09 09:52 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-09 09:52 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-09 09:52 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-07-09 09:52 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-07-09 09:52 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-07-09 09:50 765,884 ac------ c:\windows\system32\dllcache\usrti.sys
2009-07-09 09:49 31,744 ac------ c:\windows\system32\dllcache\tp4.dll
2009-07-09 09:48 106,584 ac------ c:\windows\system32\dllcache\spdports.dll
2009-07-09 09:47 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2009-07-09 09:46 19,017 ac------ c:\windows\system32\dllcache\rtl8029.sys
2009-07-09 09:45 29,769 ac------ c:\windows\system32\dllcache\pcntn5m.sys
2009-07-09 09:44 60,480 ac------ c:\windows\system32\dllcache\neo20xx.dll
2009-07-09 09:43 164,586 ac------ c:\windows\system32\dllcache\mdgndis5.sys
2009-07-09 09:42 811,064 ac------ c:\windows\system32\dllcache\imjp81k.dll
2009-07-09 09:41 150,239 ac------ c:\windows\system32\dllcache\hsf_amos.sys
2009-07-09 09:40 101,888 ac------ c:\windows\system32\dllcache\evntagnt.dll
2009-07-09 09:39 131,156 ac------ c:\windows\system32\dllcache\digidbp.dll
2009-07-09 09:38 342,336 ac------ c:\windows\system32\dllcache\banshee.dll
2009-07-07 16:59 <DIR> --d----- c:\windows\pss
2009-07-07 15:15 <DIR> --d----- c:\program files\Trend Micro
2009-07-07 13:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-07 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-07 13:05 <DIR> --d----- c:\docume~1\kaseyw\applic~1\Malwarebytes
2009-07-07 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 16:04 <DIR> --d----- c:\program files\MSSOAP
2009-07-06 16:04 <DIR> --d----- c:\program files\Webroot
2009-07-06 16:04 164 a------- c:\windows\install.dat

==================== Find3M ====================

2009-07-09 09:10 157,326 a------- c:\windows\system32\nvModes.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-04-23 13:17 2,097,152 ---shr-- C:\PROT_INS.SYS
2009-04-23 13:17 6 a------- C:\VOL_CHAR.DAT
2007-10-18 09:12 92,064 a------- c:\documents and settings\kaseyw\mqdmmdm.sys
2007-10-18 09:12 79,328 a------- c:\documents and settings\kaseyw\mqdmserd.sys
2007-10-18 09:12 5,936 a------- c:\documents and settings\kaseyw\mqdmwhnt.sys
2007-10-18 09:12 66,656 a------- c:\documents and settings\kaseyw\mqdmbus.sys
2007-10-18 09:12 9,232 a------- c:\documents and settings\kaseyw\mqdmmdfl.sys
2007-10-18 09:12 6,208 a------- c:\documents and settings\kaseyw\mqdmcmnt.sys
2007-10-18 09:12 4,048 a------- c:\documents and settings\kaseyw\mqdmcr.sys

============= FINISH: 16:41:13.73 ===============
Attached Files
File Type: zip Logs.zip (5.5 KB, 5 views)
kclewis9965 is offline  
07-12-2009, 05:52 PM #2
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: XP


Re: Browser Hijacked

I still have not had a response. bump.
kclewis9965 is offline  
07-13-2009, 10:13 AM #3
Join Date: Jul 2008
Posts: 11
OS: 5.1


Re: Browser Hijacked

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Had you knowingly added these sites to your trusted zone?
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
PropagandaPanda is offline  
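As an added example, not code from this thread or from the DDS or ComboFix tools: a small Python triage script that does in code what the helper does by eye in the post above. It reads the "Pseudo HJT Report" section of a DDS log, collects the Trusted Zone, BHO and DPF entries, and raises the questions a reviewer would put to the user: trusted sites that are not on an allowlist the user has confirmed, ActiveX (DPF) downloads served from a bare IP address, and entries that point at a file that no longer exists. The sample log lines are constructed to match the DDS format shown in this thread; the allowlist, the severity labels and the bare-IP heuristic are my own assumptions, not part of DDS.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from collections import Counter

# Constructed sample, modelled on the DDS lines posted in this thread.
# DDS defangs URLs as hxxp://, which the regexes below accept alongside http://.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = https://www.millimanbrc.com/signin.asp
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Trusted Zone: milliman.com
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: milliman.com
DPF: FirstViewer - hxxp://204.64.21.87/PlansOnline/Components/FirstVwr.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

================= FIREFOX ===================
"""

HEADER_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")          # "==== Section ===="
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<id>.+?) - (?P<url>\S+)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<site>.+)$")
# Heuristic (assumption): a control fetched from a raw IPv4 address deserves a second look.
BARE_IP_RE = re.compile(r"^h(?:xx|tt)ps?://(?:\d{1,3}\.){3}\d{1,3}(?=[/:]|$)", re.IGNORECASE)


def hjt_section(text):
    """Return the non-blank lines between the 'Pseudo HJT Report' banner and the next banner."""
    lines, inside = [], False
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            inside = "pseudo hjt report" in m.group("title").lower()
            continue
        if inside and line.strip():
            lines.append(line.rstrip())
    return lines


def parse_hjt(text):
    """Collect Trusted Zone counts, BHOs, DPF controls and 'No File' orphans."""
    report = {"trusted_zones": Counter(), "bho": [], "dpf": [], "no_file": []}
    for line in hjt_section(text):
        if line.endswith("- No File"):
            report["no_file"].append(line)
        if (m := TZ_RE.match(line)):
            # DDS lists the zone once per hive it was found in, so duplicates are expected.
            report["trusted_zones"][m.group("site")] += 1
        elif (m := BHO_RE.match(line)):
            report["bho"].append((m.group("name"), m.group("clsid").lower(), m.group("path")))
        elif (m := DPF_RE.match(line)):
            report["dpf"].append((m.group("id"), m.group("url")))
    return report


def triage(text, trusted_allowlist=()):
    """Return (severity, message) findings a log reviewer would raise with the user."""
    rep = parse_hjt(text)
    allow = {d.lower() for d in trusted_allowlist}
    findings = []
    for site, n in sorted(rep["trusted_zones"].items()):
        if site.lower() not in allow:
            findings.append(("ask-user", f"Trusted Zone entry not on allowlist: {site} (listed {n}x)"))
    for ident, url in rep["dpf"]:
        if BARE_IP_RE.match(url):
            findings.append(("review", f"DPF control served from a bare IP address: {ident} <- {url}"))
    for line in rep["no_file"]:
        findings.append(("cleanup", f"Orphaned entry pointing at a missing file: {line}"))
    return findings


if __name__ == "__main__":
    # Sites the user has confirmed as legitimately added (assumption for the demo).
    for severity, message in triage(SAMPLE_DDS, trusted_allowlist=["milliman.com"]):
        print(f"[{severity}] {message}")
```

Run it against a real DDS log by replacing SAMPLE_DDS with the file's contents; extend the allowlist with every site the user confirms, and whatever remains under "ask-user" is the list to put back to them, exactly as the helper did above.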
07-13-2009, 12:03 PM #4
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: XP


Re: Browser Hijacked

Hi Panda, and thank you for your response. I have completed the steps that you requested and the results are posted below. The trusted sites that you mentioned are ones that I have added and are truly trusted sites.
ComboFix note: it did find rootkit activity and restarted with the message below -

ComboFix detected the presence of rootkit activity and needs to reboot.
c:\windows\system32\drivers\hjgruikctvxdqc.sys
c:\windows\system32\hjgruismredovc.dll
c:\windows\system32\hjgruiaborjqj.dat
c:\windows\system32\hjgruitiymdecw.dll
c:\windows\system32\hjgruixwevpaxv.dat

Here is the ComboFix.txt -

ComboFix 09-07-12.03 - KaseyW 07/13/2009 12:51.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3060.2644 [GMT -5:00]
Running from: c:\documents and settings\KaseyW\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruikctvxdqc.sys
c:\windows\system32\hjgruiayborjqj.dat
c:\windows\system32\hjgruiriymdecw.dll
c:\windows\system32\hjgruismredovc.dll
c:\windows\system32\hjgruixwevpaxv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruieqlvjlkj


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-10 19:26 . 2009-07-10 19:26 -------- d-----w- c:\documents and settings\KaseyW\Local Settings\Application Data\Help
2009-07-10 19:26 . 2009-07-10 19:26 -------- d-----w- c:\program files\Sophos
2009-07-09 18:13 . 2009-07-09 18:13 -------- d-----w- c:\documents and settings\KaseyW\Application Data\smkits
2009-07-09 17:41 . 2009-07-09 21:26 -------- d-----w- C:\GMER
2009-07-09 17:12 . 2009-07-09 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-09 17:12 . 2009-07-09 17:37 -------- d-----w- c:\documents and settings\KaseyW\Application Data\SUPERAntiSpyware.com
2009-07-09 17:12 . 2009-07-09 17:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-09 16:40 . 2009-07-09 16:40 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 16:40 . 2009-07-09 16:40 -------- d-----w- c:\documents and settings\KaseyW\Local Settings\Application Data\Mozilla
2009-07-09 16:04 . 2009-07-09 16:04 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-09 14:52 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-09 14:52 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-09 14:52 . 2008-04-14 10:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-07-09 14:52 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-07-09 14:52 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-07-09 14:50 . 2001-08-17 18:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2009-07-09 14:49 . 2001-08-18 03:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2009-07-09 14:48 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2009-07-09 14:47 . 2001-07-21 19:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2009-07-09 14:46 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2009-07-09 14:45 . 2001-08-17 17:11 29769 -c--a-w- c:\windows\system32\dllcache\pcntn5m.sys
2009-07-09 14:44 . 2001-08-18 03:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2009-07-09 14:43 . 2008-04-14 12:00 37888 -c--a-w- c:\windows\system32\dllcache\md5filt.dll
2009-07-09 14:42 . 2008-04-14 12:00 81976 -c--a-w- c:\windows\system32\dllcache\imjpdct.dll
2009-07-09 14:41 . 2001-08-17 18:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2009-07-09 14:40 . 2008-04-14 12:00 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2009-07-09 14:39 . 2001-08-18 03:36 131156 -c--a-w- c:\windows\system32\dllcache\digidbp.dll
2009-07-09 14:38 . 2001-08-17 19:56 342336 -c--a-w- c:\windows\system32\dllcache\banshee.dll
2009-07-08 18:24 . 2009-07-08 18:24 1634304 ----a-w- c:\documents and settings\KaseyW\Application Data\Microsoft\SharePoint Designer\ProxyAssemblyCache\12.0.0.6421\Microsoft.SharePoint.Proxy.dll
2009-07-08 18:24 . 2009-07-08 18:24 28672 ----a-w- c:\documents and settings\KaseyW\Application Data\Microsoft\SharePoint Designer\ProxyAssemblyCache\12.0.0.6421\System.Web.Proxy.dll
2009-07-07 20:15 . 2009-07-07 20:15 -------- d-----w- c:\program files\Trend Micro
2009-07-07 18:52 . 2009-07-09 16:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 18:52 . 2009-07-08 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 18:05 . 2009-07-07 18:05 -------- d-----w- c:\documents and settings\KaseyW\Application Data\Malwarebytes
2009-07-07 18:05 . 2009-07-07 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 21:04 . 2009-07-06 21:04 -------- d-----w- c:\program files\MSSOAP
2009-07-06 21:04 . 2009-07-06 21:04 -------- d-----w- c:\program files\Webroot
2009-07-06 21:04 . 2009-07-06 21:04 164 ----a-w- c:\windows\install.dat
2009-06-16 16:25 . 2009-06-16 16:25 -------- d-----w- c:\documents and settings\KaseyW\Local Settings\Application Data\imr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 17:37 . 2009-05-20 20:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-09 14:10 . 2008-08-25 23:30 157326 ----a-w- c:\windows\system32\nvModes.dat
2009-07-07 14:44 . 2008-08-25 23:53 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 14:38 . 2009-04-23 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-07 14:37 . 2009-04-23 18:53 -------- d-----w- c:\program files\Microsoft Works
2009-07-07 14:37 . 2008-04-25 21:42 -------- d-----w- c:\program files\MSBuild
2009-07-06 20:20 . 2009-05-26 18:18 -------- d-----w- c:\program files\Coupons
2009-06-13 21:51 . 2009-04-23 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-03 18:26 . 2009-06-03 18:26 -------- d-----w- c:\documents and settings\KaseyW\Application Data\Smith Micro
2009-06-03 18:25 . 2009-06-03 18:25 10134 ----a-r- c:\documents and settings\KaseyW\Application Data\Microsoft\Installer\{461D92DA-0B8C-496B-B6AA-BD0614BE0867}\ARPPRODUCTICON.exe
2009-06-03 18:25 . 2009-06-03 18:25 -------- d-----w- c:\program files\Kyocera Wireless Corp
2009-06-03 18:25 . 2009-06-03 18:25 -------- d-----w- c:\program files\Verizon Wireless
2009-06-02 05:04 . 2009-06-02 05:04 -------- d-----w- c:\program files\iTunes
2009-06-02 05:04 . 2009-06-02 05:04 -------- d-----w- c:\program files\iPod
2009-06-02 05:04 . 2009-04-23 20:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-02 05:03 . 2009-06-02 05:03 -------- d-----w- c:\program files\QuickTime
2009-06-02 05:01 . 2009-06-02 05:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 18:36 . 2009-04-23 20:31 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 18:36 . 2009-04-23 20:31 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 20:10 . 2009-05-20 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-05-20 20:10 . 2008-09-22 20:49 -------- d-----w- c:\program files\TechSmith
2009-05-19 14:50 . 2009-05-19 14:50 -------- d-----w- c:\program files\My Company Name
2009-05-19 14:43 . 2009-05-19 14:43 -------- d-----w- c:\program files\IBM
2009-04-30 17:04 . 2009-04-30 17:04 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-04-30 17:04 . 2009-04-30 17:04 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-04-23 20:17 . 2009-04-23 20:17 129 ----a-w- c:\documents and settings\KaseyW\Local Settings\Application Data\fusioncache.dat
2009-04-23 18:17 . 2009-04-23 18:17 2097152 --sh--r- C:\PROT_INS.SYS
2009-04-23 18:17 . 2009-04-23 18:17 6 ----a-w- C:\VOL_CHAR.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-01 196608]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-30 442467]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-07 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-07 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2008-02-12 666176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-06-30 466944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-08-07 1630208]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-08-07 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-8-18 1205528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= aim.exe
"2"= googletalk.exe
"3"= googletalk-setup.exe
"4"= icq.exe
"5"= icq5_setup.exe
"6"= install_aim.exe
"7"= install_msn_messenger.exe
"8"= msgr7us.exe
"9"= msnmsgr.exe
"10"= paltalk.exe
"11"= ymsgr7us.exe
"12"= ypager.exe
"13"= yupdate.exe
"14"= yupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-01-29 21:14 24669 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3134950130-510564349-2352034471-2840\Scripts\Logon\0\0]
"Script"=\\dall.milliman.com\SysVol\dall.milliman.com\scripts\pas.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3134950130-510564349-2352034471-2840\Scripts\Logon\1\0]
"Script"=\\dall.milliman.com\SysVol\dall.milliman.com\scripts\pas.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20081029a-200812291355\\jre\\bin\\notes2w.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [02/12/2008 12:00 PM 220096]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [01/29/2008 4:15 PM 2235760]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [04/19/2007 5:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [06/03/2008 4:28 PM 386328]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [01/29/2008 4:15 PM 47504]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [07/31/2008 9:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [07/31/2008 9:41 PM 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [08/18/2008 11:39 AM 455960]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [02/12/2008 12:01 PM 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [02/12/2008 12:01 PM 145984]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [01/29/2008 4:15 PM 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [01/29/2008 4:15 PM 673872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [08/25/2008 9:24 PM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [08/25/2008 9:24 PM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [08/25/2008 9:24 PM 244368]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [08/28/2007 4:53 PM 191104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\29.tmp --> c:\windows\system32\29.tmp [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [07/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [07/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [07/10/2008 7:28 PM 369688]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-ChangeTPMAuth - c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe
HKCU-Explorer_Run-1 - \\dalnas2\software\scheduler\scheduler.hta


.
------- Supplementary Scan -------
.
uStart Page = https://www.millimanbrc.com/signin.asp
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080826
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
DPF: FirstViewer - hxxp://204.64.21.87/PlansOnline/Components/FirstVwr.CAB
FF - ProfilePath - c:\documents and settings\KaseyW\Application Data\Mozilla\Firefox\Profiles\tirgpbhf.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.millimanbrc.com/signin.asp
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\29.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\pssogina.dll
.
Completion time: 2009-07-13 12:54
ComboFix-quarantined-files.txt 2009-07-13 17:54

Pre-Run: 100,460,654,592 bytes free
Post-Run: 101,143,068,672 bytes free

312 --- E O F --- 2009-04-23 18:14
kclewis9965 is offline  
Old 07-13-2009, 12:05 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: XP


Re: Browser Hijacked

Oh, also I have not made any changes since submitting this issue.
kclewis9965 is offline  
Old 07-13-2009, 12:31 PM   #6 (permalink)
 
PropagandaPanda's Avatar
 
Join Date: Jul 2008
Posts: 11
OS: 5.1


Re: Browser Hijacked

Hello.

That looks good. Let's do some updating.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Take a new DDS.txt log after please.

Give me an update on the symptoms.

With Regards,
The Panda
PropagandaPanda is offline  
Old 07-13-2009, 03:35 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 5
OS: XP


Re: Browser Hijacked

I have done as you asked and things appear to be back to normal. Here are the files you requested:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 13, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 13, 2009 21:39:55
Records in database: 2466005
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\KaseyW\Start Menu\Programs\Startup
C:\Program Files
C:\windows

Scan statistics:
Files scanned: 53152
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:41:07

No malware has been detected. The scan area is clean.

The selected area was scanned.


DDS -


DDS (Ver_09-06-26.01) - NTFSx86
Run by KaseyW at 16:34:30.04 on 07/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3060.2371 [GMT -5:00]


============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
c:\drivers\audio\r190031\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\windows\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\crypserv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\Prot_srv.exe
C:\windows\system32\pstartSr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TextPad 5\TextPad.exe
C:\Documents and Settings\KaseyW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.millimanbrc.com/signin.asp
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080826
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [Pointsec Tray] "c:\program files\pointsec\pointsec for pc\P95Tray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AESTFltr] "%SystemRoot%\system32\AESTFltr.exe" /NoDlg
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-disallowrun: 1 = aim.exe
uPolicies-disallowrun: 2 = googletalk.exe
uPolicies-disallowrun: 3 = googletalk-setup.exe
uPolicies-disallowrun: 4 = icq.exe
uPolicies-disallowrun: 5 = icq5_setup.exe
uPolicies-disallowrun: 6 = install_aim.exe
uPolicies-disallowrun: 7 = install_msn_messenger.exe
uPolicies-disallowrun: 8 = msgr7us.exe
uPolicies-disallowrun: 9 = msnmsgr.exe
uPolicies-disallowrun: 10 = paltalk.exe
uPolicies-disallowrun: 11 = ymsgr7us.exe
uPolicies-disallowrun: 12 = ypager.exe
uPolicies-disallowrun: 13 = yupdate.exe
uPolicies-disallowrun: 14 = yupdater.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
Trusted Zone: advisorchannel.com
Trusted Zone: mandr.com
Trusted Zone: milliman.com
Trusted Zone: millimanbenefits.com
Trusted Zone: millimanbrc.com
Trusted Zone: millimandallas.com
Trusted Zone: millimandocs.com
Trusted Zone: millimandocumentation.com
Trusted Zone: millimanonline.com
Trusted Zone: millimanpension.com
Trusted Zone: millimantrc.com
Trusted Zone: omnimanager.eb
Trusted Zone: omnitrade.eb
Trusted Zone: powerimage.eb
Trusted Zone: prod.om.eb
Trusted Zone: prod.ot.eb
Trusted Zone: prod.pi.eb
Trusted Zone: schwab.com\*.operationscenter
Trusted Zone: test.om.eb
Trusted Zone: test.ot.eb
Trusted Zone: test.pi.eb
Trusted Zone: tpasource.com
Trusted Zone: trust3000anywhere.com
DPF: FirstViewer - hxxp://204.64.21.87/PlansOnline/Components/FirstVwr.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241111632454
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kaseyw\applic~1\mozilla\firefox\profiles\tirgpbhf.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.millimanbrc.com/signin.asp
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2008-2-12 220096]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-1-29 2235760]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-1-29 47504]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2008-2-12 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2008-2-12 145984]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-1-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-1-29 673872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-8-25 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-8-25 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-8-25 244368]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2007-8-28 191104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\29.tmp --> c:\windows\system32\29.tmp [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-13 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-13 14:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-13 12:52 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 12:42 161,792 a------- c:\windows\SWREG.exe
2009-07-13 12:42 155,136 a------- c:\windows\PEV.exe
2009-07-13 12:42 98,816 a------- c:\windows\sed.exe
2009-07-13 12:41 <DIR> --ds---- C:\ComboFix
2009-07-10 14:26 <DIR> --d----- c:\program files\Sophos
2009-07-09 13:13 <DIR> --d----- c:\docume~1\kaseyw\applic~1\smkits
2009-07-09 12:41 <DIR> --d----- C:\GMER
2009-07-09 12:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-09 12:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-09 12:12 <DIR> --d----- c:\docume~1\kaseyw\applic~1\SUPERAntiSpyware.com
2009-07-09 11:04 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-09 09:52 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-09 09:52 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-09 09:52 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-07-09 09:52 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-07-09 09:52 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-07-09 09:50 765,884 ac------ c:\windows\system32\dllcache\usrti.sys
2009-07-09 09:49 31,744 ac------ c:\windows\system32\dllcache\tp4.dll
2009-07-09 09:48 106,584 ac------ c:\windows\system32\dllcache\spdports.dll
2009-07-09 09:47 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2009-07-09 09:46 19,017 ac------ c:\windows\system32\dllcache\rtl8029.sys
2009-07-09 09:45 29,769 ac------ c:\windows\system32\dllcache\pcntn5m.sys
2009-07-09 09:44 60,480 ac------ c:\windows\system32\dllcache\neo20xx.dll
2009-07-09 09:43 164,586 ac------ c:\windows\system32\dllcache\mdgndis5.sys
2009-07-09 09:42 811,064 ac------ c:\windows\system32\dllcache\imjp81k.dll
2009-07-09 09:41 150,239 ac------ c:\windows\system32\dllcache\hsf_amos.sys
2009-07-09 09:40 101,888 ac------ c:\windows\system32\dllcache\evntagnt.dll
2009-07-09 09:39 131,156 ac------ c:\windows\system32\dllcache\digidbp.dll
2009-07-09 09:38 342,336 ac------ c:\windows\system32\dllcache\banshee.dll
2009-07-07 16:59 <DIR> --d----- c:\windows\pss
2009-07-07 15:15 <DIR> --d----- c:\program files\Trend Micro
2009-07-07 13:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-07 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-07 13:05 <DIR> --d----- c:\docume~1\kaseyw\applic~1\Malwarebytes
2009-07-07 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 16:04 <DIR> --d----- c:\program files\MSSOAP
2009-07-06 16:04 <DIR> --d----- c:\program files\Webroot
2009-07-06 16:04 164 a------- c:\windows\install.dat

==================== Find3M ====================

2009-07-09 09:10 157,326 a------- c:\windows\system32\nvModes.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-23 13:17 2,097,152 ---shr-- C:\PROT_INS.SYS
2009-04-23 13:17 6 a------- C:\VOL_CHAR.DAT
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-10-18 09:12 92,064 a------- c:\documents and settings\kaseyw\mqdmmdm.sys
2007-10-18 09:12 79,328 a------- c:\documents and settings\kaseyw\mqdmserd.sys
2007-10-18 09:12 5,936 a------- c:\documents and settings\kaseyw\mqdmwhnt.sys
2007-10-18 09:12 66,656 a------- c:\documents and settings\kaseyw\mqdmbus.sys
2007-10-18 09:12 9,232 a------- c:\documents and settings\kaseyw\mqdmmdfl.sys
2007-10-18 09:12 6,208 a------- c:\documents and settings\kaseyw\mqdmcmnt.sys
2007-10-18 09:12 4,048 a------- c:\documents and settings\kaseyw\mqdmcr.sys

============= FINISH: 16:34:41.92 ===============


Thank you again for helping me with this, you are a life saver!
Old 07-13-2009, 04:51 PM   #8 (permalink)
PropagandaPanda
Join Date: Jul 2008
Posts: 11
OS: 5.1


Re: Browser Hijacked

Hello.

I had forgotten to mention this, but ComboFix had removed a backdoor trojan. This means that sensitive information could have been stolen. I would advise changing any passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

If you want to do a reinstall, reply back saying so.

---
In any case, your computer appears to be clean now. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    Code:
    ComboFix /u

Uninstalling ComboFix will do the following:
  1. Delete ComboFix and its components from your computer.
  2. Delete other tools commonly used during the malware removal process.
  3. Reset clock settings to standard format.
  4. Hide file extensions and hidden/system files.
  5. Clear the System Restore cache and create a new restore point.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections:

For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

---

Do you have any questions or concerns?

With Regards,
The Panda
Old 07-18-2009, 10:59 AM   #9 (permalink)
amateur
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: Browser Hijacked

Since this issue appears resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Surf Safely, and Think Prevention!
__________________
My services are free. However, you can donate to TSF to help keep it running.

Member of ASAP since 2005
Member of UNITE since 2006
Copyright 2001 - 2009, Tech Support Forum