WiredWX Christian Hobby Weather Tools
infected with spyware.ispynow

I realize that this is not the first, but as stated each problem is individual and I don't know what else to do.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:49 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kathafields.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213327991812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214359285173
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6814 bytes


Also my Uninstall log:


Ad-Aware
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Advanced Video FX Utility
AIM 6
AOLIcon
Audacity 1.2.6
BlackBerry Desktop Software 4.2.2
BlackBerry Desktop Software 4.2.2
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Management Programs
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
Creative WebCam Center
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
EPSON CX 4200 4800 Guide
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
Get Yahoo! Messenger
Hauppauge English Help Files and Resources
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV2000
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash Player
mCore
MCU
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.4)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mToolkit
Musicmatch® Jukebox
mWlsSafe
mXML
mZConfig
NetWaiting
Network Play System (Patching)
NewBlue VideoFX MSP
Online Manuals for WinTV (English)
OpenCASE Media Agent
PowerDVD 5.5
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
RegCure 1.5.0.0
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shutterfly Studio
Sierra Utilities
SightSpeed (remove only)
Skype™ 3.8
Sonic Audio Module
Sonic CinePlayer
Sonic Copy Module
Sonic Data Module
Sonic DLA
Sonic MyDVD Studio Deluxe
Sonic Update Manager
Sonic Update Manager
Sony DVD Architect Studio 4.5
Sony Vegas Movie Studio Platinum 8.0
Synaptics Pointing Device Driver
TimeLeft 3 Freeware edition
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VPN Client
WebCyberCoach 3.2 Dell
Windows Imaging Component
Windows Installer Clean Up
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Yahoo! Messenger


I've run AdAware and RegCure to get rid of what I could. I had PCTools Antivirus, but since I was infected with this new virus I couldn't run it, period, and when I tried to download the version again to repair it, it wouldn't allow me to go to pctools.com. It would only allow me to go to the Google search of it even though I typed it into the address bar. It's like that with any antivirus site or download site for spyware protection.
I really appreciate the help.

Re: infected with spyware.ispynow

Hello.
First, let's uninstall the old versions of Java.
Press Start > Control Panel > open "add/remove programs"
Allow the list to load and uninstall the following:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3


You aren't running any antivirus, but since you can't connect to websites, I'll skip this because I think I know what's causing it.
Please do not surf the web until I allow you to, you'll get even worse infections.
===

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
C:\Program Files\Viewpoint


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: infected with spyware.ispynow

When I click on the link it has a page load error screen (it does that for all antivirus sites) and I tried to just type it into the address bar to bypass the link but the same thing happens. Is there a way around it to get the program?

Re: infected with spyware.ispynow

Hello.
I have uploaded to a mirror site.
http://www.sendspace.com/file/ml435u


Re: infected with spyware.ispynow

Thank you for the mirror site. I'm not sure why any of the links are not working.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmsuu.sys
Start Type: 1 (System)

Rootkit scan completed.

Folder "C:\Program Files\Viewpoint" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:21 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kathafields.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213327991812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214359285173
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6986 bytes
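A small triage script for HijackThis logs like the two posted above, added here as an example (it is not part of the thread or of HijackThis): it parses the entry lines, flags entries whose file is gone, flags a browser start page that is not the Microsoft default, and diffs a first log against a fresh one. The sample logs are constructed excerpts in the thread's log format, and the function names are my own.

```python
"""Triage and diff Trend Micro HijackThis v2 logs.

Parses the "Rn - ..." / "Onn - ..." entry lines, flags entries whose
target no longer exists ("(no file)" / "(file missing)"), flags a
non-default start page, and diffs a first log against a fresh one.
"""
import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0-R3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Markers HijackThis prints when the referenced DLL/EXE is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Prefix of the Internet Explorer default home/search pages.
MS_DEFAULT_PREFIX = "http://go.microsoft.com/fwlink/"

@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "O23 - "

def parse_hjt(text):
    """Return the entry lines of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def orphaned(entries):
    """Entries (BHOs, toolbars, services, ...) whose file is gone."""
    return [e for e in entries if any(mk in e.body for mk in ORPHAN_MARKERS)]

def nondefault_start_pages(entries):
    """R0 'Start Page' values that do not point at the Microsoft default."""
    pages = []
    for e in entries:
        if e.section == "R0" and "Start Page = " in e.body:
            url = e.body.split("Start Page = ", 1)[1].strip()
            if url and not url.startswith(MS_DEFAULT_PREFIX):
                pages.append(url)
    return pages

def diff_logs(old, new):
    """(added, removed) entries between a first log and a fresh one."""
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed

# Constructed excerpt modelled on the first log posted in the thread.
FIRST_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:49 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kathafields.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
--
End of file - 6814 bytes
"""

# The fresh log: the same, except that a Java updater autorun (O4) now
# appears, as it did in the second log of the thread. Also constructed.
FRESH_LOG = FIRST_LOG.replace(
    "O23 - Service: McAfee",
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] '
    '"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"\n'
    "O23 - Service: McAfee",
    1,
)

def triage(first_text, fresh_text):
    """Summary a helper would post back: orphans, start page, diff."""
    first, fresh = parse_hjt(first_text), parse_hjt(fresh_text)
    added, removed = diff_logs(first, fresh)
    return {
        "orphaned": [f"{e.section} - {e.body}" for e in orphaned(fresh)],
        "start_pages": nondefault_start_pages(fresh),
        "added": [f"{e.section} - {e.body}" for e in added],
        "removed": [f"{e.section} - {e.body}" for e in removed],
    }

if __name__ == "__main__":
    for key, items in triage(FIRST_LOG, FRESH_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```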

Re: infected with spyware.ispynow

Hello.
There's the problem.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSmsuu.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: infected with spyware.ispynow

I think that this is the correct Avenger log. It did not open up immediately on startup like it did previously, so I had to go manually find it.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmsuu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSmsuu.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
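An added example (not the thread's or The Avenger's own code) that parses Avenger result logs like the two in this thread and checks whether each hidden driver the rootkit scan reported was both disabled and deleted, and whether its image file was removed. The two sample logs are constructed to mirror the first run above (driver found, only a folder deleted) and the second run (driver removed).

```python
"""Parse 'The Avenger' v2 result logs and verify that every hidden
driver reported by the rootkit scan was actually disabled and deleted,
and that the driver's image file was deleted as well.
"""
import re

# Lines the Avenger log uses for rootkit findings and script actions.
FOUND_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGE_RE = re.compile(r"^ImagePath: (.+)$")
START_RE = re.compile(r"^Start Type: (\d+) \((\w+)\)$")
ACTION_RE = re.compile(
    r'^(Driver|File|Folder) "([^"]+)" (disabled|deleted) successfully\.$')

def parse_avenger(text):
    """Return (hidden_drivers, actions).

    hidden_drivers: {name: {"image_path", "start_type", "start_name"}}
    actions: list of (kind, target, verb) in log order
    """
    drivers, actions = {}, []
    current = None  # name of the finding whose details are being read
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FOUND_RE.match(line)):
            current = m.group(1)
            drivers[current] = {"image_path": None, "start_type": None,
                                "start_name": None}
        elif current and (m := IMAGE_RE.match(line)):
            drivers[current]["image_path"] = m.group(1)
        elif current and (m := START_RE.match(line)):
            drivers[current]["start_type"] = int(m.group(1))
            drivers[current]["start_name"] = m.group(2)
            current = None  # the finding block is complete
        elif (m := ACTION_RE.match(line)):
            actions.append((m.group(1), m.group(2), m.group(3)))
    return drivers, actions

def unresolved_drivers(drivers, actions):
    """Hidden drivers the script did not both disable and delete."""
    done = {(target, verb) for kind, target, verb in actions if kind == "Driver"}
    return sorted(n for n in drivers
                  if not {(n, "disabled"), (n, "deleted")} <= done)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def image_files_not_deleted(drivers, actions):
    """Hidden drivers whose ImagePath file was not deleted (by file name)."""
    deleted = {_basename(t) for k, t, v in actions if k == "File" and v == "deleted"}
    return sorted(n for n, d in drivers.items()
                  if d["image_path"] and _basename(d["image_path"]) not in deleted)

# Constructed to mirror the first run: driver found, only a folder deleted.
RUN1 = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmsuu.sys
Start Type: 1 (System)

Rootkit scan completed.

Folder "C:\Program Files\Viewpoint" deleted successfully.

Completed script processing.
"""

# Constructed to mirror the second run, after the disable/delete script.
RUN2 = r"""Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmsuu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSmsuu.sys" deleted successfully.

Completed script processing.
"""

if __name__ == "__main__":
    for label, log in (("first run", RUN1), ("second run", RUN2)):
        drivers, actions = parse_avenger(log)
        print(label, "- hidden drivers:", drivers)
        print("  still unresolved:", unresolved_drivers(drivers, actions))
        print("  image file not deleted:", image_files_not_deleted(drivers, actions))
```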

Re: infected with spyware.ispynow

It's okay, that did the job.
The rootkit is gone, so we can carry on removing the junk.


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select Yes.


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: infected with spyware.ispynow

part 1

ComboFix 08-11-30.02 - Sarah 2008-12-01 13:47:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.547 [GMT -6:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Sarah\Application Data\google\runhh6110411.exe
c:\documents and settings\Sarah\nah_coko.exe
c:\documents and settings\Sarah\nah_log.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\0nj3Uv0J.exe.a_a
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\krrJSEvb.exe.a_a
c:\windows\system32\TDSSaphv.dat
c:\windows\system32\TDSSarek.dll
c:\windows\system32\TDSSolvb.log
c:\windows\system32\TDSSropn.dll
c:\windows\system32\TDSStpta.dll
c:\windows\system32\TDSSwcbv.dll

----- BITS: Possible infected sites -----

hxxp://www.graboid.com
hxxp://sus.net.tamu.edu
c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 13:21 . 2008-12-01 13:21 135,168 --a------ C:\zip.exe
2008-12-01 13:21 . 2008-12-01 13:21 19,286 --a------ C:\cleanup.exe
2008-12-01 13:21 . 2008-12-01 13:21 574 --a------ C:\cleanup.bat
2008-12-01 13:21 . 2008-12-01 13:21 0 --a------ C:\backup.reg
2008-11-30 21:58 . 2008-11-30 21:58 d-------- c:\program files\Trend Micro
2008-11-30 16:16 . 2008-12-01 12:20 2,274 --a------ c:\windows\system32\TDSSdggq.dll
2008-11-20 21:17 . 2008-11-20 21:17 d-------- c:\documents and settings\Sarah\Application Data\acccore
2008-11-20 21:00 . 2008-11-20 21:00 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-20 20:59 . 2008-11-20 21:17 d-------- c:\program files\AIM6
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\program files\Yahoo!
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\documents and settings\Sarah\Application Data\Yahoo!
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-12 09:13 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:13 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 16:30 --------- d-----w c:\program files\Java
2008-12-01 04:21 --------- d-----w c:\documents and settings\Sarah\Application Data\Viewpoint
2008-12-01 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-01 04:20 --------- d-----w c:\program files\MUSICMATCH
2008-12-01 04:19 --------- d-----w c:\program files\Google
2008-12-01 04:17 --------- d-----w c:\program files\DivX
2008-12-01 04:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 00:57 --------- d-----w c:\documents and settings\Sarah\Application Data\PC Tools
2008-12-01 00:42 --------- d-----w c:\documents and settings\Sarah\Application Data\Skype
2008-11-30 22:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 22:38 --------- d-----w c:\program files\WinTV
2008-11-30 22:09 --------- d-----w c:\documents and settings\Sarah\Application Data\skypePM
2008-11-25 23:22 --------- d--h--w c:\documents and settings\Sarah\Application Data\Move Networks
2008-11-17 17:44 --------- d-----w c:\documents and settings\Sarah\Application Data\Roxio
2008-10-27 05:51 --------- d-----w c:\program files\VideoLAN
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\ExtendMedia
2008-10-23 04:19 --------- d-----w c:\program files\OpenCase
2008-10-18 18:34 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 17:21 --------- d-----w c:\documents and settings\Sarah\Application Data\Graboid Inc
2008-10-16 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-10-15 20:39 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-10-15 20:38 --------- d-----w c:\documents and settings\Sarah\Application Data\MozillaControl
2008-10-15 19:49 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-09 01:11 --------- d-----w c:\documents and settings\Sarah\Application Data\Uniblue
2008-10-08 00:51 --------- d-----w c:\program files\iTunes
2008-10-08 00:51 --------- d-----w c:\program files\iPod
2008-10-08 00:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 14:07 --------- d-----w c:\program files\Common Files\Real
2008-10-03 04:37 --------- d-----w c:\program files\Skype
2008-10-03 04:37 --------- d-----w c:\program files\Common Files\Skype
2008-10-03 04:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-03 04:26 --------- d-----w c:\program files\Windows Installer Clean Up
2008-10-03 04:26 --------- d-----w c:\program files\MSECache
2008-10-01 21:48 --------- d-----w c:\program files\Windows Media Connect 2
2008-04-13 23:55 56 --sh--r c:\windows\system32\E160B4BD18.sys
2008-04-13 23:55 3,610 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 11:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-03-25 01:04 122939 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 10:06 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 10:10 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 10:09 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-05-17 15:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-03-26 06:07 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-06-24 06:36 729178 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2007-04-10 15:46 709992 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcwemMON]
-ra------ 2007-03-29 15:22 61440 c:\windows\hcwemMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-09-09 23:19 393216 c:\windows\stsystra.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145920614\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:Cisco VPN Service
"57883:TCP"= 57883:TCP:PandoRest Listening Port

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe" [2008-08-29 835208]
R3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2008-09-14 361728]
R3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2008-09-14 39680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-08-26 16512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50910ebe-17b4-11dd-a650-00142291165a}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\!how_i_met_your_mother.job
- c:\progra~1\WinTV\Scheduler\StayAwake.exe [2006-05-08 07:55]

Re: infected with spyware.ispynow

part 2

2008-11-30 c:\windows\Tasks\!saturday_night_live.job
- c:\progra~1\WinTV\Scheduler\StayAwake.exe [2006-05-08 07:55]

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\At1.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At10.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At11.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At12.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At13.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At14.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At15.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At16.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At17.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At18.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At19.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At2.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At20.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At21.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At22.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At23.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At24.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At25.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At26.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At27.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At28.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At29.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At3.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At30.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At31.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At32.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At33.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At34.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At35.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At36.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At37.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At38.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At39.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At4.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At40.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At41.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At42.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At43.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At44.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At45.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At46.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At47.job
- c:\windows\system32\krrJSEvb.exe []

2008-12-01 c:\windows\Tasks\At48.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-30 c:\windows\Tasks\At5.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At6.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At7.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At8.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At9.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\how_i_met_your_mother.job
- c:\progra~1\WinTV\WinTV2K.EXE [2006-10-24 15:32]

2008-12-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 10:20]

2008-11-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 10:20]

2008-11-30 c:\windows\Tasks\saturday_night_live.job
- c:\progra~1\WinTV\WinTV2K.EXE [2006-10-24 15:32]

2008-12-01 c:\windows\Tasks\User_Feed_Synchronization-{115D6610-F148-4AF2-9DEF-0C6030BCA663}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6253\SiteAdv.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\opflxx82.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.kathafields.com/
FF -: plugin - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\opflxx82.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 13:50:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-01 13:54:40 - machine was rebooted [Sarah]
ComboFix-quarantined-files.txt 2008-12-01 19:54:01

Pre-Run: 13,374,902,272 bytes free
Post-Run: 19,045,576,704 bytes free

340 --- E O F --- 2008-11-12 16:06:43

The security alert window saying ispynow is still popping up. Is that a bad sign?

Re: infected with spyware.ispynow
Hello.
Don't worry about that; it's just leftovers causing it. They will stop once we are done.
Also, can I ask what anti-virus you are running? Because I don't see one. Correct me if I'm wrong.

Now open a new notepad file.
Input this into the notepad file:

Driver::
Viewpoint Manager Service

File::
c:\windows\system32\TDSSdggq.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\system32\0nj3Uv0J.exe
c:\windows\system32\krrJSEvb.exe

Folder::
c:\documents and settings\Sarah\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50910ebe-17b4-11dd-a650-00142291165a}]


Save this as CFScript.txt and save it to your desktop as well.
Then drag and drop CFScript.txt onto ComboFix.exe.

This will open ComboFix.exe again; agree to its terms and allow it to run. It may want to reboot after it is done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
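The CFScript above was assembled by hand from the log: 48 At<N>.job tasks, the two executables they point to, and the mountpoints2 AutoRun key. The Python script below is an added example, not code from this thread, from ComboFix or from the site, that pulls the same items out of a ComboFix log automatically. It parses the "Contents of the 'Scheduled Tasks' folder" section, scores each task on three indicators visible in the log (an At<N>.job name, which at.exe produces; an empty [] where ComboFix would normally print the target's date and size; a generated-looking 8-character name sitting directly in system32), picks up drive-root AutoRun commands listed under mountpoints2, and prints File:: and Registry:: sections in the thread's CFScript format. The log excerpt is constructed from entries on this page and abridged; the scoring threshold and the name heuristic are my own assumptions.

```python
import re
from collections import Counter

# Constructed excerpt (abridged) mirroring the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50910ebe-17b4-11dd-a650-00142291165a}]
\Shell\AutoRun\command - E:\Autorun.exe /run
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\!how_i_met_your_mother.job
- c:\progra~1\WinTV\Scheduler\StayAwake.exe [2006-05-08 07:55]

2008-12-01 c:\windows\Tasks\At1.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-12-01 c:\windows\Tasks\At2.job
- c:\windows\system32\0nj3Uv0J.exe []

2008-11-30 c:\windows\Tasks\At25.job
- c:\windows\system32\krrJSEvb.exe []

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\User_Feed_Synchronization-{115D6610-F148-4AF2-9DEF-0C6030BCA663}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
"""

# A task entry is two lines: "<date> <job path>" then "- <target> [<file date/size>]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<info>.*)\]\s*$")
# A mountpoints2 key and the Shell\...\command lines ComboFix lists under it.
MOUNT_RE = re.compile(r"^\[(?P<key>HKEY_CURRENT_USER\\[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]\s*$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\[^\\]+\\command - (?P<cmd>.+?)\s*$", re.I)


def parse_tasks(log):
    """Return [{'job', 'target', 'info'}] for every task entry in the log."""
    lines = log.splitlines()
    tasks = []
    for i, line in enumerate(lines[:-1]):
        m = TASK_RE.match(line)
        t = TARGET_RE.match(lines[i + 1]) if m else None
        if m and t:
            tasks.append({"job": m["job"], "target": t["target"], "info": t["info"]})
    return tasks


def parse_autorun_keys(log):
    """Return mountpoints2 keys whose Shell commands launch something from a drive root."""
    keys, current = [], None
    for line in log.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            current = m["key"]
            continue
        a = AUTORUN_RE.match(line)
        if a and current and re.match(r"^[a-z]:\\", a["cmd"], re.I) and current not in keys:
            keys.append(current)
    return keys


def looks_generated(stem):
    """Eight alphanumerics with digits or mixed case: the shape of 0nj3Uv0J and krrJSEvb.
    Heuristic (assumption): 'services' and 'winlogon' are eight characters too, so this
    signal is never used on its own."""
    if not re.fullmatch(r"[A-Za-z0-9]{8}", stem):
        return False
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return mixed_case or any(c.isdigit() for c in stem)


def task_signals(task):
    """Three independent indicators; an empty [] means ComboFix found no date/size for the target."""
    job_name = task["job"].rsplit("\\", 1)[-1]
    folder, _, filename = task["target"].rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return {
        "at_job": re.fullmatch(r"At\d+\.job", job_name, re.I) is not None,
        "no_file_info": task["info"].strip() == "",
        "generated_name_in_system32": folder.lower().endswith("\\system32") and looks_generated(stem),
    }


def suspicious_tasks(tasks, min_signals=2):
    """Keep tasks showing at least min_signals of the three indicators (threshold is an assumption)."""
    return [t for t in tasks if sum(task_signals(t).values()) >= min_signals]


def build_cfscript(suspicious, autorun_keys):
    """Emit File:: and Registry:: sections in the format used in the thread."""
    targets = sorted({t["target"] for t in suspicious})
    lines = ["File::", *[t["job"] for t in suspicious], *targets]
    if autorun_keys:
        lines += ["", "Registry::", *[f"[-{k}]" for k in autorun_keys]]
    return "\n".join(lines) + "\n"


def triage(log):
    """Run the whole pipeline and return the pieces a helper would look at."""
    tasks = parse_tasks(log)
    bad = suspicious_tasks(tasks)
    keys = parse_autorun_keys(log)
    return {
        "tasks": tasks,
        "suspicious": bad,
        "targets": Counter(t["target"] for t in bad),  # jobs per dropped executable
        "autorun_keys": keys,
        "cfscript": build_cfscript(bad, keys),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for target, n in result["targets"].items():
        print(f"{n} At-style job(s) -> {target}")
    print(result["cfscript"])
```

Run it against a full log saved from ComboFix and compare its File:: list with what you wrote by hand; a benign task such as the WinTV or Apple Software Update jobs above scores zero and stays out, while an eight-character system32 name only counts when it is paired with an At<N>.job name or a missing [] entry. The key the script proposes for Registry:: is the per-drive mountpoints2 entry, the same one removed in the CFScript above, which is how an AutoRun.exe from a removable drive keeps being offered in Explorer.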

Re: infected with spyware.ispynow
Oh! I'm sorry I didn't mention it earlier. I had PCTools Antivirus scan. But once I got infected with ispynow, it damaged some of the files for that program, I suppose. It wouldn't open any more, and when I tried to repair the program it just got rid of it entirely. I tried to go back to the website to get it back, but that's when I realized I couldn't go to websites for antivirus software, only the Google page. Currently the only programs I have are RegCure and Ad-Aware, but I know I need something stronger for antivirus protection. Should I get PCTools Antivirus back, or do you have another suggestion for me?

Here's the ComboFix Log:

ComboFix 08-11-30.02 - Sarah 2008-12-01 14:11:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.545 [GMT -6:00]
Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sarah\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\0nj3Uv0J.exe
c:\windows\system32\krrJSEvb.exe
c:\windows\system32\TDSSdggq.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\ComparativeSearch.xml
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\masteralerts.xml
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\Services_Registry2.xml
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\DynamicSearchTypes.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\featureCommon.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\featureManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\global.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\moreManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\navigationEvents.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\notificationManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\onCloseManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_bl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_bot.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_br.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_tl.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_top.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\inner_tr.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\images\s.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\index.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\offline.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\offline.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\options.css
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\options.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\options.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\optionsManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\options\optionsWindow.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\pingManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\selectorManager.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\selectorManager_util.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\close.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\frame_bottom.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\frame_gradient.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\frame_left.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\frame_right.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\frame_top.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\header_back.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\icon.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\left_gradient.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\logo.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\offlinemsg.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\images\s.gif
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\offline\index.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\tellafriend.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\tellafriend.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\tellafriend\tellafriendWindow.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\buttons\button_glossy.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\buttons\button_glossy_description.txt
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\buttons\button_glossy_dropdown.html

Re: infected with spyware.ispynow
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\buttons\button_glossy_dropdown.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\background.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\background_framed.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\buttonContainer.html
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\buttonContainer.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\contents.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\dialog.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\dialogs.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\dlgIcons.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\dlgIconsLarge.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\field.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\info.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\info.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\message.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\message2.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\message3.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\progress.js
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\progress.module
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\progress.swf
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\UI_elements\dialogs\slideShowDialog.module

Re: infected with spyware.ispynow
I'm sorry, this log is extremely big and I tried to copy-paste it, but I'm afraid I'm getting these out of order. Do you want me to keep trying to post, or is there another way I could do this?

Re: infected with spyware.ispynow
1) Combofix has deleted a lot of Viewpoint stuff - c:\documents and settings\All Users\Application Data\Viewpoint
Skip all that in the list and post all the rest.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: infected with spyware.ispynow
This is the list immediately after all the Viewpoint programs.

c:\windows\system32\TDSSdggq.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 13:21 . 2008-12-01 13:21 135,168 --a------ C:\zip.exe
2008-12-01 13:21 . 2008-12-01 13:21 19,286 --a------ C:\cleanup.exe
2008-12-01 13:21 . 2008-12-01 13:21 574 --a------ C:\cleanup.bat
2008-12-01 13:21 . 2008-12-01 13:21 0 --a------ C:\backup.reg
2008-11-30 21:58 . 2008-11-30 21:58 d-------- c:\program files\Trend Micro
2008-11-20 21:17 . 2008-11-20 21:17 d-------- c:\documents and settings\Sarah\Application Data\acccore
2008-11-20 21:00 . 2008-11-20 21:00 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-20 20:59 . 2008-11-20 21:17 d-------- c:\program files\AIM6
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\program files\Yahoo!
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\documents and settings\Sarah\Application Data\Yahoo!
2008-11-17 23:12 . 2008-11-17 23:12 d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-12 09:13 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:13 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 16:30 --------- d-----w c:\program files\Java
2008-12-01 04:20 --------- d-----w c:\program files\MUSICMATCH
2008-12-01 04:19 --------- d-----w c:\program files\Google
2008-12-01 04:17 --------- d-----w c:\program files\DivX
2008-12-01 04:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 00:57 --------- d-----w c:\documents and settings\Sarah\Application Data\PC Tools
2008-12-01 00:42 --------- d-----w c:\documents and settings\Sarah\Application Data\Skype
2008-11-30 22:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 22:38 --------- d-----w c:\program files\WinTV
2008-11-30 22:09 --------- d-----w c:\documents and settings\Sarah\Application Data\skypePM
2008-11-25 23:22 --------- d--h--w c:\documents and settings\Sarah\Application Data\Move Networks
2008-11-17 17:44 --------- d-----w c:\documents and settings\Sarah\Application Data\Roxio
2008-10-27 05:51 --------- d-----w c:\program files\VideoLAN
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\ExtendMedia
2008-10-23 04:19 --------- d-----w c:\program files\OpenCase
2008-10-18 18:34 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 17:21 --------- d-----w c:\documents and settings\Sarah\Application Data\Graboid Inc
2008-10-16 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-10-15 20:39 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-10-15 20:38 --------- d-----w c:\documents and settings\Sarah\Application Data\MozillaControl
2008-10-15 19:49 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-09 01:11 --------- d-----w c:\documents and settings\Sarah\Application Data\Uniblue
2008-10-08 00:51 --------- d-----w c:\program files\iTunes
2008-10-08 00:51 --------- d-----w c:\program files\iPod
2008-10-08 00:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 14:07 --------- d-----w c:\program files\Common Files\Real
2008-10-03 04:37 --------- d-----w c:\program files\Skype
2008-10-03 04:37 --------- d-----w c:\program files\Common Files\Skype
2008-10-03 04:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-03 04:26 --------- d-----w c:\program files\Windows Installer Clean Up
2008-10-03 04:26 --------- d-----w c:\program files\MSECache
2008-10-01 21:48 --------- d-----w c:\program files\Windows Media Connect 2
2008-04-13 23:55 56 --sh--r c:\windows\system32\E160B4BD18.sys
2008-04-13 23:55 3,610 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 11:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-03-25 01:04 122939 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 10:06 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 10:10 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 10:09 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-05-17 15:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-03-26 06:07 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-06-24 06:36 729178 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2007-04-10 15:46 709992 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcwemMON]
-ra------ 2007-03-29 15:22 61440 c:\windows\hcwemMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-09-09 23:19 393216 c:\windows\stsystra.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145920614\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:Cisco VPN Service
"57883:TCP"= 57883:TCP:PandoRest Listening Port

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe" [2008-08-29 835208]
R3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2008-09-14 361728]
R3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2008-09-14 39680]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-08-26 16512]
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\!how_i_met_your_mother.job
- c:\progra~1\WinTV\Scheduler\StayAwake.exe [2006-05-08 07:55]

2008-11-30 c:\windows\Tasks\!saturday_night_live.job
- c:\progra~1\WinTV\Scheduler\StayAwake.exe [2006-05-08 07:55]

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-30 c:\windows\Tasks\how_i_met_your_mother.job
- c:\progra~1\WinTV\WinTV2K.EXE [2006-10-24 15:32]

2008-12-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 10:20]

2008-11-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 10:20]

2008-11-30 c:\windows\Tasks\saturday_night_live.job
- c:\progra~1\WinTV\WinTV2K.EXE [2006-10-24 15:32]

2008-12-01 c:\windows\Tasks\User_Feed_Synchronization-{115D6610-F148-4AF2-9DEF-0C6030BCA663}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 14:16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-01 14:20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 20:19:24
ComboFix2.txt 2008-12-01 19:54:42

Pre-Run: 19,029,577,728 bytes free
Post-Run: 19,009,818,624 bytes free

786 --- E O F --- 2008-11-12 16:06:43
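Added example for this thread (my code, not ComboFix's and not anything posted by the helper): a small Python triage pass over the deleted-file list and the "Contents of the 'Scheduled Tasks' folder" section of the log above, with the sample lines constructed from that log. It flags the TDSS-named DLL in system32 and the burst of numbered At<N>.job files (the jobs at.exe creates; 48 of them here), and pairs each scheduled task with its target so one running from an unexpected location stands out. The TDSS name pattern, the burst threshold and the trusted-directory list are my assumptions, not anything ComboFix defines.

```python
"""Triage pass over two sections of a ComboFix log.

Added example for this thread; it is not ComboFix's code or anything the
helper posted. The sample lines below are constructed from the log above.
"""
import re

# Constructed sample: a subset of the deleted-file list from the log above,
# plus one Viewpoint toolbar file as a benign control.
SAMPLE_DELETED = r"""
c:\windows\system32\TDSSdggq.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\documents and settings\All Users\Application Data\Viewpoint\Toolbar Runtime\3.8.0\SkinEngine\core\utilities.js
"""

# Constructed sample: three entries from the "Contents of the 'Scheduled Tasks'
# folder" section, in ComboFix's two-line "date job" / "- target [date]" layout.
SAMPLE_TASKS = r"""
2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 10:20]

2008-12-01 c:\windows\Tasks\User_Feed_Synchronization-{115D6610-F148-4AF2-9DEF-0C6030BCA663}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
"""

# Assumption: the TDSS rootkit family drops files named TDSS + random letters
# in system32 (the log shows TDSSdggq.dll); this pattern is written from that.
TDSS_FILE = re.compile(r"^c:\\windows\\system32\\tdss[a-z0-9]+\.(?:dll|sys)$", re.I)
# Numbered At<N>.job files are what at.exe creates; dozens at once is unusual.
AT_JOB = re.compile(r"^c:\\windows\\tasks\\at(\d+)\.job$", re.I)

TASK_HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) (c:\\windows\\tasks\\.+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")

# Assumption: directories a scheduled task on this XP box is expected to run from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_paths(text):
    """One path per non-empty line, as ComboFix prints its deletion list."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def triage_deleted(paths, at_job_threshold=5):
    """Sort deleted paths into rootkit-named files, At jobs, and everything else."""
    report = {"tdss_files": [], "at_jobs": [], "other": 0}
    for path in paths:
        at = AT_JOB.match(path)
        if TDSS_FILE.match(path):
            report["tdss_files"].append(path)
        elif at:
            report["at_jobs"].append(int(at.group(1)))
        else:
            report["other"] += 1
    report["at_jobs"].sort()
    # Many numbered jobs (48 in the log above) point at automated creation.
    report["at_job_burst"] = len(report["at_jobs"]) >= at_job_threshold
    return report


def parse_scheduled_tasks(text):
    """Pair each 'date job' header with the '- target [date]' line under it."""
    tasks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        header = TASK_HEADER.match(line)
        if header:
            current = {"job": header.group(2), "date": header.group(1),
                       "target": None, "target_date": None}
            tasks.append(current)
            continue
        target = TASK_TARGET.match(line)
        if target and current is not None:
            current["target"] = target.group(1)
            current["target_date"] = target.group(2)
    return tasks


def unusual_task_targets(tasks):
    """Tasks with no target, or one outside TRUSTED_DIRS, deserve a second look."""
    return [t for t in tasks
            if t["target"] is None
            or not t["target"].lower().startswith(TRUSTED_DIRS)]


if __name__ == "__main__":
    report = triage_deleted(parse_paths(SAMPLE_DELETED))
    print("TDSS-named files:", report["tdss_files"])
    print("At jobs:", report["at_jobs"], "burst:", report["at_job_burst"])
    for task in unusual_task_targets(parse_scheduled_tasks(SAMPLE_TASKS)):
        print("review:", task["job"], "->", task["target"])
```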

Re: infected with spyware.ispynow
That was the rootkit preventing you from going to PCtools.
The rootkit is gone, so you should be able to access these websites. Smile...

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial use.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non-commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Combofix log looks good, delete these files/folders in bold:

C:\backup.reg <== file
C:\zip.exe <== file
C:\cleanup.exe <== file
C:\cleanup.bat <== file
C:\Qoobox <== folder

What problems remain?


Re: infected with spyware.ispynow
I think that might have fixed it! I checked my Windows Security Center and my firewall is back on and staying on, the window hasn't shown up again, and I've tried to go to PCTools and it will let me go there now! Smile...
I can't find anything else wrong. Thank you so much for all your help!!!!

Re: infected with spyware.ispynow
Hello, before I can let you go, we need to get you secured.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 10.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs, and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions.
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
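As an added example that is not part of this thread, a PowerShell script (assumes PowerShell 2.0 or later, run as Administrator) that lists the Java entries Add or Remove Programs would show, flags any older than JRE 6 Update 10, and lists the per-version JavaSoft registry keys of the kind JavaRa cleans up. The expected version string is an assumption derived from the installer name jre-6u10-windows-i586-p.exe quoted above.

```powershell
# Added example, not from the thread. Assumption: JRE 6 Update 10 reports
# DisplayVersion "6.0.100" in Add or Remove Programs.
$ExpectedVersion = [version]'6.0.100'

function Convert-JavaVersion {
    # Normalise strings such as "1.4.2_03" or "5.0.20" into a comparable [version];
    # anything that does not parse is returned as $null and treated as unknown.
    param([string]$Text)
    try { return [version]($Text -replace '_', '.') } catch { return $null }
}

function Get-InstalledJava {
    # These are the keys Add or Remove Programs reads; the WOW6432Node key only
    # exists on 64-bit Windows, so a missing path is silently skipped.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE' } |
        ForEach-Object {
            $v = Convert-JavaVersion $_.DisplayVersion
            New-Object PSObject -Property @{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                # Unknown versions are flagged too, so nothing slips through unreviewed.
                Outdated  = ($null -eq $v) -or ($v -lt $ExpectedVersion)
                Uninstall = $_.UninstallString
            }
        }
}

function Get-StaleJavaSoftKeys {
    # JavaRa removes per-version keys such as Software\JavaSoft\Java2D\1.5.0_03;
    # listing what is still there shows what an uninstall left behind.
    Get-ChildItem 'HKLM:\SOFTWARE\JavaSoft' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+' } |
        ForEach-Object { $_.Name }
}

Get-InstalledJava | Format-Table Name, Version, Outdated -AutoSize
'Per-version keys still under HKLM\SOFTWARE\JavaSoft:'
Get-StaleJavaSoftKeys
```

Entries flagged Outdated are the ones the post asks you to remove through Add or Remove Programs before installing the new version.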

Re: infected with spyware.ispynow

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Dec 01 22:19:21 2008

Found and removed: Software\JavaSoft\Java2D\1.5.0_03

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_03

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: Software\Classes\JavaPlugin.160_05

------------------------------------

Finished reporting.

Re: infected with spyware.ispynow

After I've updated all my Java and my antivirus software is there anything else I need to do to make sure I'm free of this virus?

Re: infected with spyware.ispynow

Hello.
The logs were clean, so you are free of it now, but follow this advice to make sure it doesn't come back.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.


Re: infected with spyware.ispynow

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
