Malwarebytes keeps finding str.sys and will not remove it successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:04 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE


C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\agent.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pathways.XXXXXX.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ibm.com/eserver/iseries/navigator
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.XXXXX.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240501097287
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.XXXXXXX.com
O17 - HKLM\Software\..\Telephony: DomainName = AD.XXXXXXXX.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.XXXXXXXX.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightweightIDOL - Unknown owner - C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81829 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

--
End of file - 10829 bytes


Here is my mbam log Hi-Jack this log is above

Malwarebytes' Anti-Malware 1.37
Database version: 2278
Windows 5.1.2600 Service Pack 3

6/15/2009 9:30:01 AM
mbam-log-2009-06-15 (09-30-01).txt

Scan type: Quick Scan
Objects scanned: 111157
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

I was able to delete str.sys and ran malwarebytes a couple times and everything looks better.
my logs are below.
Thanks
Jeff

Malwarebytes' Anti-Malware 1.37
Database version: 2284
Windows 5.1.2600 Service Pack 3

6/15/2009 6:29:43 PM
mbam-log-2009-06-15 (18-29-43).txt

Scan type: Quick Scan
Objects scanned: 110570
Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:14 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.deere.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240501097287
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.carricoimplement.com
O17 - HKLM\Software\..\Telephony: DomainName = AD.carricoimplement.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.carricoimplement.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightweightIDOL - Unknown owner - C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe
O23 - Service: Passwdrenew - Unknown owner - C:\WINDOWS\System32\rnpasswd.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81829 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

--
End of file - 7427 bytes

Hi and Welcome, jroberg,

I see you had Prevx running in your HJT log. Did you use Prevx to remove the rootkit driver file : \str.sys?

Please download ATF Cleaner by Atribune

• Close Internet Explorer and any other open browsers
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click
• No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Close HijackThis and Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

• Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
• When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
• When the scan is finished (a few seconds, click the Rootkit/Malware tab,and then select the Scan button.
• Leave your system completely idle while this longer scan is in progress.
• When the scan is done, save the scan log to the Windows clipboard
• Open Notepad or a similar text editor
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
• Exit the Program
• Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

You may now re-enable the active protection component of your antivirus and antispyware programs

Download DDS and save it to your desktop from here



Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

• When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
• Save both reports to your desktop
• Please copy and paste both logs into your next reply,

To sum it up, I need to see:
1. ARK.txt
3. DDS - DDS.txt & Attach.txt posted into your reply - not attached

Hi thanks for the help,
I was getting BSOD and had to login via safe mode. I deleted str.sys manually and then downloaded prevx and it said another file in the drivers folder was bad so I deleted it also. After removing those two .sys files I was able to log back in with out getting BSOD.

I tried doing a restore when I was getting the BSOD but it would not restore. Should I shut off the restore and turn it back on to remove the restore points?

I have another computer that had the same str.sys file and I did the same thing removed the two files from the drivers folder and then I was able to relog back in. I will run the same instructions on it and post the log files back on it.
http://www.malwarebytes.org/forums/index.php?showtopic=17555

Below are the logs that you requested.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 08:24:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT pxsec.sys (Prevx Realtime Analysis/Prevx) ZwTerminateProcess [0xBA10A680]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2528] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3944] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A72C1D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----








DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 8:27:02.84 on Tue 06/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2570 [GMT -5:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/search?client=qsb-win&rlz=&aq=0&oq=trogan+fake+alert&q=trojan+fakealert
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: deere.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240501097287
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {924C4595-CAA3-41D9-87B0-C94A6A6F402B} = 208.67.222.222,208.67.220.220
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-15 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-6-15 27656]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-15 4368952]
R2 LightweightIDOL;LightweightIDOL;c:\program files\service advisor\suir\LightweightIDOL.exe [2009-4-23 4145152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
R2 XBaseMS-Service;XBaseMS-Service;c:\program files\proquestms\partsmanagerpro\xbasesrvr\tbmux32.exe [2009-4-23 401408]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-3-5 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-3-5 43608]
S0 swekvcvn;swekvcvn;c:\windows\system32\drivers\tlogb.sys --> c:\windows\system32\drivers\tlogb.sys [?]
S0 vjtavl;vjtavl;c:\windows\system32\drivers\wfisncdn.sys --> c:\windows\system32\drivers\wfisncdn.sys [?]
S2 cmwzvuvnhubs;cmwzvuvnhubs;\??\c:\windows\system32\drivers\lvuairxpmjygt.sys --> c:\windows\system32\drivers\lvuairxpmjygt.sys [?]
S2 PAR1284;PAR1284;c:\windows\system32\Par1284.sys [2009-4-23 54792]
S2 Passwdrenew;Passwdrenew;System32\rnpasswd.exe --> System32\rnpasswd.exe [?]

=============== Created Last 30 ================

2009-06-15 16:07 <DIR> --d----- c:\windows\pss
2009-06-15 15:46 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-06-15 15:46 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-06-15 15:46 <DIR> --d----- c:\program files\Prevx
2009-06-15 15:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-15 15:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-15 11:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-15 11:31 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-14 18:41 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-12 14:54 <DIR> --d----- C:\backup
2009-06-12 14:49 <DIR> --d----- c:\program files\CCleaner
2009-06-12 14:48 <DIR> --d----- C:\downloads
2009-06-12 14:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-12 13:21 <DIR> --d----- c:\program files\Trend Micro
2009-06-12 13:19 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-06-11 10:25 36,864 a------- c:\windows\system32\cwbsotdc.dll
2009-06-11 10:18 390 a------- c:\windows\CwbRmDir.bat
2009-06-10 11:45 <DIR> --d----- c:\docume~1\admini~1.d06\applic~1\Windows Search
2009-06-10 11:09 <DIR> --d----- c:\docume~1\admini~1.d06\applic~1\Malwarebytes
2009-06-10 11:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-10 11:09 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 11:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 11:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-10 11:07 <DIR> --d----- c:\docume~1\admini~1.d06\applic~1\Dell
2009-06-10 11:06 <DIR> --d----- c:\docume~1\admini~1.d06\applic~1\Windows Desktop Search
2009-06-10 11:06 <DIR> --d----- c:\documents and settings\administrator.D063077

==================== Find3M ====================

2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-25 10:28 3,981 a------- c:\windows\unins000.dat
2009-04-25 10:28 691,545 a------- c:\windows\unins000.exe
2009-04-25 10:28 13,417 a------- c:\windows\unins002.dat
2009-04-25 10:27 684,377 a------- c:\windows\unins002.exe
2009-04-23 13:20 7,431 a------- c:\windows\unins001.dat
2009-04-23 13:20 684,377 a------- c:\windows\unins001.exe
2009-04-17 05:50 1,847,808 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 8:27:17.85 ===============









UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/23/2009 9:16:18 AM
System Uptime: 6/16/2009 7:43:17 AM (1 hours ago)

Motherboard: Dell Inc. | | 0R780K
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | U2E1 | 1995/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 196.971 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\A000B0000010
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\A000B0000010
Service: NIC1394

==== System Restore Points ===================

RP1: 4/23/2009 9:16:21 AM - System Checkpoint
RP2: 4/23/2009 10:24:19 AM - Installed Symantec AntiVirus
RP3: 4/23/2009 10:39:38 AM - Software Distribution Service 3.0
RP4: 4/23/2009 11:16:40 AM - Software Distribution Service 3.0
RP5: 4/23/2009 11:31:40 AM - Printer Driver Microsoft XPS Document Writer Installed
RP6: 4/23/2009 11:34:20 AM - Software Distribution Service 3.0
RP7: 4/23/2009 11:37:00 AM - Software Distribution Service 3.0
RP8: 4/23/2009 11:38:28 AM - Installed PartsManagerPro
RP9: 4/23/2009 12:47:15 PM - Installed PartsManager Pro Data
RP10: 4/23/2009 1:07:59 PM - Installed Adobe Reader 8
RP11: 4/23/2009 1:10:56 PM - Installed JD Common Loader
RP12: 4/23/2009 1:11:58 PM - Installed JD Field General
RP13: 4/23/2009 1:13:01 PM - Installed JD NetComm Serial
RP14: 4/23/2009 1:14:04 PM - Installed JD NetComm V2
RP15: 4/23/2009 1:15:07 PM - Installed JD Payload Processor
RP16: 4/23/2009 1:19:12 PM - Installed NEXIQ Readings
RP17: 4/23/2009 1:47:10 PM - Installed Service ADVISOR Data
RP18: 4/23/2009 1:49:21 PM - Installed Service ADVISOR
RP19: 4/23/2009 1:49:48 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP20: 4/23/2009 1:49:53 PM - Installed Spicer Imagenation 8.10
RP21: 4/24/2009 2:22:27 PM - System Checkpoint
RP22: 4/25/2009 10:25:01 AM - Configured Service ADVISOR Data
RP23: 4/25/2009 10:25:46 AM - Installed Service ADVISOR
RP24: 4/25/2009 10:26:34 AM - Installed Service ADVISOR VMR Client
RP25: 4/25/2009 10:26:41 AM - Installed Service ADVISOR User Client
RP26: 4/25/2009 10:26:46 AM - Installed Service ADVISOR Report Card Client
RP27: 4/25/2009 10:26:51 AM - Installed Service ADVISOR DTAC Client
RP28: 4/25/2009 10:27:32 AM - Installed NEXIQ Readings
RP29: 4/26/2009 11:36:24 AM - System Checkpoint
RP30: 4/27/2009 11:36:52 AM - System Checkpoint
RP31: 4/28/2009 12:24:56 PM - System Checkpoint
RP32: 4/29/2009 1:35:24 PM - System Checkpoint
RP33: 4/30/2009 2:31:01 PM - System Checkpoint
RP34: 5/1/2009 3:23:20 PM - System Checkpoint
RP35: 5/2/2009 4:22:13 PM - System Checkpoint
RP36: 5/3/2009 5:22:11 PM - System Checkpoint
RP37: 5/4/2009 6:23:14 PM - System Checkpoint
RP38: 5/5/2009 7:22:08 PM - System Checkpoint
RP39: 5/6/2009 8:22:06 PM - System Checkpoint
RP40: 5/7/2009 9:25:06 PM - System Checkpoint
RP41: 5/8/2009 10:22:03 PM - System Checkpoint
RP42: 5/9/2009 11:22:01 PM - System Checkpoint
RP43: 5/10/2009 11:22:29 PM - System Checkpoint
RP44: 5/12/2009 12:33:58 AM - System Checkpoint
RP45: 5/13/2009 1:21:55 AM - System Checkpoint
RP46: 5/13/2009 3:00:13 AM - Software Distribution Service 3.0
RP47: 5/14/2009 3:21:54 AM - System Checkpoint
RP48: 5/15/2009 4:21:53 AM - System Checkpoint
RP49: 5/16/2009 5:21:50 AM - System Checkpoint
RP50: 5/17/2009 6:21:48 AM - System Checkpoint
RP51: 5/18/2009 7:43:44 AM - System Checkpoint
RP52: 5/19/2009 8:21:45 AM - System Checkpoint
RP53: 5/20/2009 8:22:48 AM - System Checkpoint
RP54: 5/21/2009 9:26:15 AM - System Checkpoint
RP55: 5/22/2009 10:21:40 AM - System Checkpoint
RP56: 5/23/2009 10:33:39 AM - System Checkpoint
RP57: 5/24/2009 11:21:37 AM - System Checkpoint
RP58: 5/25/2009 12:21:35 PM - System Checkpoint
RP59: 5/26/2009 12:22:40 PM - System Checkpoint
RP60: 5/27/2009 12:29:44 PM - System Checkpoint
RP61: 5/28/2009 1:29:45 PM - System Checkpoint
RP62: 5/29/2009 2:22:34 PM - System Checkpoint
RP63: 5/30/2009 3:21:28 PM - System Checkpoint
RP64: 5/31/2009 4:21:27 PM - System Checkpoint
RP65: 6/1/2009 4:22:30 PM - System Checkpoint
RP66: 6/2/2009 5:33:25 PM - System Checkpoint
RP67: 6/3/2009 6:21:22 PM - System Checkpoint
RP68: 6/4/2009 7:21:20 PM - System Checkpoint
RP69: 6/5/2009 8:21:19 PM - System Checkpoint
RP70: 6/6/2009 9:21:17 PM - System Checkpoint
RP71: 6/7/2009 9:33:46 PM - System Checkpoint
RP72: 6/8/2009 10:21:07 PM - System Checkpoint
RP73: 6/9/2009 10:21:11 PM - System Checkpoint
RP74: 6/10/2009 10:54:11 PM - System Checkpoint
RP75: 6/11/2009 3:00:13 AM - Software Distribution Service 3.0
RP76: 6/12/2009 3:52:06 AM - System Checkpoint
RP77: 6/12/2009 1:57:07 PM - Installed SUPERAntiSpyware Free Edition
RP78: 6/13/2009 2:10:57 PM - System Checkpoint
RP79: 6/14/2009 2:53:50 PM - System Checkpoint
RP80: 6/14/2009 6:41:53 PM - Removed SUPERAntiSpyware Free Edition
RP81: 6/14/2009 6:42:36 PM - Removed Symantec AntiVirus
RP82: 6/15/2009 11:29:12 AM - Avira AntiVir Personal - 6/15/2009 11:29
RP83: 6/15/2009 3:06:16 PM - Restore Operation
RP84: 6/15/2009 3:09:18 PM - Restore Operation
RP85: 6/15/2009 3:14:56 PM - Restore Operation
RP86: 6/15/2009 3:28:01 PM - Restore Operation

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8
Adobe Reader 9
Bluetooth Stack for Windows by Toshiba
CCleaner (remove only)
Choice Guard
Dell Support Center (Support Software)
Dell System Restore
Dell Touchpad
Dell Wireless WLAN Card Utility
ECULP 3.6.6
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
IBM iSeries Access for Windows
IBM iSeries Access for Windows SI23978
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 11
JD Common Loader
JD Field General
JD NetComm Serial
JD NetComm V2
JD Payload Processor
JDActiveX 2.0.0.114a
JDActiveX3 3.0.0.11a
JDLM 2.1
Junk Mail filter update
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSVCRT
MSXML 6.0 Parser
NEXIQ Readings
PartsManagerPro
PowerDVD
Prevx 3.0
QuickSet
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Seemage Players
Segoe UI
Service ADVISOR
Service ADVISOR Data
Service ADVISOR DTAC Client
Service ADVISOR Report Card Client
Service ADVISOR User Client
Service ADVISOR VMR Client
Sonic CinePlayer Decoder Pack
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
UpdateManager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Presentation Foundation
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

6/15/2009 4:14:36 PM, error: Service Control Manager [7000] - The Passwdrenew service failed to start due to the following error: The system cannot find the file specified.
6/15/2009 3:36:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/15/2009 3:01:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV FileDisk Fips intelppm Tosrfcom
6/15/2009 2:49:33 PM, error: Dhcp [1002] - The IP address lease 10.19.88.26 for the Network Card with network address 002170EEBA0D has been denied by the DHCP server 192.168.10.1 (The DHCP Server sent a DHCPNACK message).
6/15/2009 2:39:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/15/2009 12:22:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV avgio avipbb FileDisk Fips intelppm ssmdrv Tosrfcom
6/15/2009 12:21:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/14/2009 8:50:39 AM, error: Dhcp [1002] - The IP address lease 192.168.20.10 for the Network Card with network address 00242BBBD49B has been denied by the DHCP server 192.168.20.1 (The DHCP Server sent a DHCPNACK message).
6/14/2009 1:55:26 AM, error: Dhcp [1002] - The IP address lease 192.168.20.12 for the Network Card with network address 00242BBBD49B has been denied by the DHCP server 192.168.20.1 (The DHCP Server sent a DHCPNACK message).
6/13/2009 9:08:36 AM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 8646434d, parameter3 ba50f380, parameter4 ba50f07c.
6/12/2009 4:08:27 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
6/12/2009 2:50:44 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
6/12/2009 11:37:31 AM, error: Service Control Manager [7028] - The cmwzvuvnhubs Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
6/12/2009 1:24:58 PM, error: Dhcp [1002] - The IP address lease 10.19.88.63 for the Network Card with network address 00242BBBD49B has been denied by the DHCP server 192.168.20.1 (The DHCP Server sent a DHCPNACK message).
6/11/2009 5:49:30 PM, error: Service Control Manager [7000] - The PAR1284 service failed to start due to the following error: The system cannot find the device specified.
6/11/2009 5:48:59 PM, error: NETLOGON [5719] - No Domain Controller is available for domain D063077 due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
6/10/2009 11:08:58 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
6/10/2009 11:07:14 AM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.

==== End Of File ===========================

Good job!

There are a bunch of suspicious randomly named drivers listed in your DDS.txt log, but none of them running. You have to be careful when deleting a driver file that you also delete its registry startup or you can get BSODs.

No, don't disable system restore yet.

There is a file I'd like to investigate that is listed in your DDS.txt report:
2009-06-11 10:18 390 a------- c:\windows\CwbRmDir.bat

Make sure you can view hidden files and folders

Locate this file in Windows Explorer, right-click it and select "Open with" Notepad. Copy and paste the content of the file in your next reply.

Close Notepad.

Upload the following file:
c:\windows\system32\cwbsotdc.dll
to the Virus Total Scanner by browsing to its folder. Please post the results of the scans back here, only if threats were detected by any of the scanners.

Do you know what this process is running on your system. It is a component of the Service ADVISOR program:
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

• It is very important that save the newly renamed EXE file to your desktop.
• You must rename Combofix.exe as you download it and not after it is on your computer.
  
  You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
• For Firefox
  • Open Firefox and click Tools -> Options -> Main
  • Under the downloads section check the button that says "Always ask me where to save files".
  • Click OK
• For Internet Explorer:
  • When downloading, choose to save, not open the file
  • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection (Prevx) and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!
You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

• Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (fixit.exe) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

Hi,
Here are the logs

C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
is from a installed program called Service Advisor 2.8 from John Deere

Content from CwbRmDir.bat
@rmdir C:\DOCUME~1\ALLUSE~1\DOCUME~1\IBM\CLIENT~1\classes\com\ibm\as400\access
@rmdir C:\DOCUME~1\ALLUSE~1\DOCUME~1\IBM\CLIENT~1\classes\com\ibm\as400
@rmdir C:\DOCUME~1\ALLUSE~1\DOCUME~1\IBM\CLIENT~1\classes\com\ibm
@rmdir C:\DOCUME~1\ALLUSE~1\DOCUME~1\IBM\CLIENT~1\classes\com
@rmdir C:\DOCUME~1\ALLUSE~1\DOCUME~1\IBM\CLIENT~1\classes
@rmdir C:\PROGRA~1\IBM\CLIENT~1\Mri2924
@exit




c:\windows\system32\cwbsotdc.dll appears to be ok
http://www.virustotal.com/analisis/1077f52...88c4-1245099104





ComboFix 09-06-16.02 - Administrator 06/16/2009 23:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2454 [GMT -5:00]
Running from: c:\documents and settings\administrator.D063077\Desktop\savemyass.exe
AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP73\A0004968.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENA
-------\Legacy_PODMENADRV


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-15 23:30 . 2009-06-15 23:31 -------- d-----w- c:\documents and settings\administrator.D063077\Application Data\U3
2009-06-15 20:46 . 2009-06-15 21:10 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-06-15 20:46 . 2009-06-15 21:10 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-15 20:46 . 2009-06-15 20:46 -------- d-----w- c:\program files\Prevx
2009-06-15 20:46 . 2009-06-16 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-06-15 20:18 . 2009-06-15 20:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-15 16:44 . 2009-06-15 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 16:31 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-15 16:30 . 2008-04-14 12:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-06-15 16:30 . 2008-04-14 12:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-06-15 16:30 . 2008-04-14 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-06-15 16:30 . 2008-04-14 12:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-06-15 16:30 . 2008-04-14 12:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-06-15 16:30 . 2008-04-14 12:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-06-15 16:30 . 2008-04-14 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-06-15 16:30 . 2008-04-14 12:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-06-15 16:30 . 2008-04-14 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2009-06-15 16:30 . 2008-04-14 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2009-06-12 19:54 . 2009-06-15 22:42 -------- d-----w- C:\backup
2009-06-12 19:49 . 2009-06-12 19:49 -------- d-----w- c:\program files\CCleaner
2009-06-12 19:48 . 2009-06-16 13:26 -------- d-----w- C:\downloads
2009-06-12 19:01 . 2009-06-12 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-12 18:21 . 2009-06-12 18:21 -------- d-----w- c:\program files\Trend Micro
2009-06-12 18:20 . 2009-06-12 18:21 -------- d-----w- c:\documents and settings\jdvision\Application Data\U3
2009-06-12 18:19 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-11 15:26 . 2000-11-25 17:33 722192 ----a-w- c:\windows\system32\vb40032.dll
2009-06-11 15:26 . 2000-11-25 17:32 69632 ----a-w- c:\windows\system32\gswdll32.dll
2009-06-11 15:26 . 2000-11-25 17:32 290816 ----a-w- c:\windows\system32\gsw32.exe
2009-06-11 15:26 . 2000-11-25 17:32 253952 ----a-w- c:\windows\system32\grdkrn32.dll
2009-06-11 15:26 . 2002-05-13 04:03 307250 ----a-w- c:\windows\system32\cwbaffax.dll
2009-06-11 15:26 . 2002-08-12 10:20 868403 ----a-w- c:\windows\system32\cwbzzodb.dll
2009-06-11 15:26 . 2002-08-12 10:20 520192 ----a-w- c:\windows\system32\cwbodbc.dll
2009-06-11 15:26 . 2002-08-12 10:20 425984 ----a-w- c:\windows\system32\cwbtfutl.dll
2009-06-11 15:26 . 2002-08-12 10:20 278578 ----a-w- c:\windows\system32\cwbtfcrt.dll
2009-06-11 15:26 . 2002-08-12 10:20 163840 ----a-w- c:\windows\system32\cwbtfdlg.dll
2009-06-11 15:26 . 2002-05-07 10:20 251 ----a-w- c:\windows\system32\drivers\hlldrvr.sys
2009-06-11 15:26 . 2002-05-07 10:20 36864 ----a-w- c:\windows\system32\pcmfcenu.dll
2009-06-11 15:18 . 2009-06-11 15:18 390 ----a-w- c:\windows\CwbRmDir.bat
2009-06-11 14:35 . 2009-06-11 14:35 -------- d-----w- c:\documents and settings\administrator.D063077\Local Settings\Application Data\Help
2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\documents and settings\jdvision\Application Data\Malwarebytes
2009-06-10 16:45 . 2009-06-10 16:45 -------- d-----w- c:\documents and settings\administrator.D063077\Application Data\Windows Search
2009-06-10 16:09 . 2009-06-10 16:10 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 16:09 . 2009-06-10 16:09 -------- d-----w- c:\documents and settings\administrator.D063077\Application Data\Malwarebytes
2009-06-10 16:09 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 16:09 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 16:09 . 2009-06-10 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 16:09 . 2009-06-10 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-10 16:07 . 2009-06-10 16:07 -------- d-----w- c:\documents and settings\administrator.D063077\Application Data\Dell
2009-06-10 16:07 . 2009-06-10 16:07 -------- d-----w- c:\documents and settings\administrator.D063077\Local Settings\Application Data\Symantec
2009-06-10 16:06 . 2009-03-05 20:02 -------- d-----w- c:\documents and settings\administrator.D063077\Application Data\CyberLink
2009-06-10 15:54 . 2009-06-10 15:54 -------- d-----w- c:\documents and settings\jdvision\Application Data\Macrovision
2009-06-02 16:21 . 2009-06-02 16:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 23:43 . 2009-04-23 15:24 -------- d-----w- c:\program files\Symantec
2009-06-14 23:43 . 2009-04-23 15:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-14 23:43 . 2009-04-23 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-11 08:08 . 2009-03-05 19:52 -------- d-----w- c:\program files\Windows Desktop Search
2009-05-25 05:24 . 2008-05-27 04:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 20:12 . 2008-04-25 21:38 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2008-04-25 16:16 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 12:35 . 2009-03-05 19:57 23576 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 13:25 . 2009-04-23 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Service ADVISOR
2009-04-29 04:56 . 2008-04-25 16:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 22:19 . 2009-04-23 16:38 -------- d-----w- c:\program files\ProQuestMS
2009-04-25 16:37 . 2009-04-25 16:37 -------- d-----w- c:\program files\Google
2009-04-25 15:28 . 2009-04-23 18:16 3981 ----a-w- c:\windows\unins000.dat
2009-04-25 15:28 . 2004-06-27 00:00 691545 ----a-w- c:\windows\unins000.exe
2009-04-25 15:28 . 2009-04-25 15:27 13417 ----a-w- c:\windows\unins002.dat
2009-04-25 15:27 . 2009-04-25 15:27 684377 ----a-w- c:\windows\unins002.exe
2009-04-25 15:27 . 2009-04-23 18:20 -------- d-----w- c:\program files\ECULP
2009-04-25 15:26 . 2009-04-23 18:19 -------- d-----w- c:\program files\Service ADVISOR
2009-04-25 15:26 . 2009-03-05 19:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-25 15:25 . 2009-04-25 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-25 15:25 . 2009-04-23 18:10 -------- d-----w- c:\program files\John Deere
2009-04-23 18:47 . 2009-04-23 18:47 117760 ----a-r- c:\documents and settings\jdvision\Application Data\Microsoft\Installer\{3FE7D2BF-DB37-429A-B47E-5DE073404A42}\IconTmpl.50919BAA_6A87_4FF2_9F31_77666E9D001A.exe
2009-04-23 18:20 . 2009-04-23 18:20 7431 ----a-w- c:\windows\unins001.dat
2009-04-23 18:20 . 2009-04-23 18:20 684377 ----a-w- c:\windows\unins001.exe
2009-04-23 18:20 . 2009-04-23 18:20 -------- d-----w- c:\program files\Common Files\John Deere
2009-04-23 18:10 . 2009-03-05 19:55 -------- d-----w- c:\program files\Common Files\InstallShield
2009-04-23 18:07 . 2009-03-05 19:53 -------- d-----w- c:\program files\Java
2009-04-23 18:06 . 2009-04-23 18:06 -------- d-----w- c:\program files\Common Files\Java
2009-04-23 18:02 . 2009-03-05 19:56 -------- d-----w- c:\program files\Microsoft.NET
2009-04-23 18:01 . 2009-04-23 17:59 -------- d-----w- c:\program files\Microsoft SQL Server
2009-04-23 18:01 . 2009-04-23 18:01 -------- d-----w- c:\program files\MSXML 6.0
2009-04-23 16:40 . 2009-04-23 16:40 -------- d-----w- c:\program files\Common Files\Borland Shared
2009-04-23 16:38 . 2009-04-23 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ProQuestMS
2009-04-23 15:34 . 2009-03-05 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-23 15:29 . 2009-03-05 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-04-23 15:12 . 2009-04-23 15:12 -------- d-----w- c:\documents and settings\jdvision\Application Data\Windows Search
2009-04-23 14:47 . 2009-04-23 14:47 -------- d-----w- c:\program files\IBM
2009-04-23 14:21 . 2009-04-23 14:21 -------- d-----w- c:\documents and settings\jdvision\Application Data\Dell
2009-04-23 14:18 . 2009-04-23 14:18 -------- d-----w- c:\documents and settings\test.D063077\Application Data\Dell
2009-04-23 14:16 . 2009-04-23 14:16 -------- d-----w- c:\documents and settings\test\Application Data\Dell
2009-04-17 10:50 . 2008-04-25 16:16 1847808 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 16:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1804624151-1348494641-2068054413-1002\Scripts\Logon\0\0]
"Script"=%logonserver%\netlogon\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1804624151-1348494641-2068054413-1164\Scripts\Logon\0\0]
"Script"=%logonserver%\netlogon\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1804624151-1348494641-2068054413-500\Scripts\Logon\0\0]
"Script"=%logonserver%\netlogon\logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [6/15/2009 3:46 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [6/15/2009 3:46 PM 27656]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [6/15/2009 3:46 PM 4368952]
R2 LightweightIDOL;LightweightIDOL;c:\program files\Service ADVISOR\SUIR\LightweightIDOL.exe [4/23/2009 1:49 PM 4145152]
R2 XBaseMS-Service;XBaseMS-Service;c:\program files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [4/23/2009 11:40 AM 401408]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [3/5/2009 4:43 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [3/5/2009 4:43 PM 43608]
S0 swekvcvn;swekvcvn;c:\windows\system32\drivers\tlogb.sys --> c:\windows\system32\drivers\tlogb.sys [?]
S0 vjtavl;vjtavl;c:\windows\system32\drivers\wfisncdn.sys --> c:\windows\system32\drivers\wfisncdn.sys [?]
S2 cmwzvuvnhubs;cmwzvuvnhubs;\??\c:\windows\system32\drivers\lvuairxpmjygt.sys --> c:\windows\system32\drivers\lvuairxpmjygt.sys [?]
S2 Passwdrenew;Passwdrenew;System32\rnpasswd.exe --> System32\rnpasswd.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\dskchk.job
- c:\checkdisk\dskchk.cmd [2009-04-23 19:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/search?client=qsb-win&rlz=&aq=0&oq=trogan+fake+alert&q=trojan+fakealert
Trusted Zone: deere.com
TCP: {924C4595-CAA3-41D9-87B0-C94A6A6F402B} = 208.67.222.222,208.67.220.220
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 23:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2972)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\drivers\o2flash.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\searchindexer.exe
c:\program files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
c:\program files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
c:\windows\system32\CF30397.exe
c:\windows\system32\wscript.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-17 23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 04:43

Pre-Run: 211,384,832,000 bytes free
Post-Run: 211,298,095,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

248 --- E O F --- 2009-06-11 08:02

When I ran combo fix I did disable Prevx but combofix said it was active.

That's OK. as long as Combofix ran with no problem that is what is important.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
• Check the "Yes, I accept the terms of use" box.
• Click "Start"
• Check the boxes the following two boxes:
  • enable "Remove found threats"
  • Scan unwanted applications
• Click the Scan button to begin scanning.
• When the scan is done the log is automatically saved. To retrieve it
  • Close the ESET scan Window.
  • Now open a run line by clicking Start >> Run...
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
  • The Scan results will now display in Notepad
• Please copy and paste the ESET scan report that can be found in this location
  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back a new

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=06da5d0141112c49a5e176375c78f156
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-18 05:39:31
# local_time=2009-06-18 12:39:31 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=43377
# found=0
# cleaned=0
# scan_time=641

I also ran ESET with archives_checked and it did not find anything either

I updated and ran malwarebytes today and found 1

Below are the logs from mbam and hihackthis

Malwarebytes' Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 3

6/18/2009 9:42:30 AM
mbam-log-2009-06-18 (09-42-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168274
Time elapsed: 22 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP86\A0022403.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:01 AM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.deere.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240501097287
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.carricoimplement.com
O17 - HKLM\Software\..\Telephony: DomainName = AD.carricoimplement.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C4595-CAA3-41D9-87B0-C94A6A6F402B}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.carricoimplement.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightweightIDOL - Unknown owner - C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe
O23 - Service: Passwdrenew - Unknown owner - C:\WINDOWS\System32\rnpasswd.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81829 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

--
End of file - 7672 bytes

That is not an active threat - it is in system restore data and we will purge that soon.

You still have some suspect services installed on your system, though they are not running - let's try to remove them.

Please do the following for me:

Launch notepad window by Clicking start -> run -> type notepad
Hit Enter
Paste the following text in the code box into the notepad window:


Save the file to your desktop by setting the "Save as Type" to "all files", and save it as fix.bat

Boot into safe mode:
1. Restart the computer
2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.
3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes

Disable Prevx so it does not interfere!

Double-click the fix.bat icon on your desktop (allow the script to run and disable any script blocking programs).
A notepad file will open called C:\output.txt.
Reboot normally.
Please copy and paste the contents of C:\output.txt in a reply back here.

Are you using this program identified in your logs:
O23 - Service: Passwdrenew - Unknown owner - C:\WINDOWS\System32\rnpasswd.exe (file missing)

It doesn't look as if it's running/working.

Hi,
I ran fix.bat and the log is below.

"Are you using this program identified in your logs:
O23 - Service: Passwdrenew - Unknown owner - C:\WINDOWS\System32\rnpasswd.exe"
I do not know anything about this. I checked and this file is not in the System32 folder.


[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] DeleteService SUCCESS

File lvuairxpmjygt.sys is the other file I deleted manually when I deleted str.sys

Well, we just got rid of the load point for that driver, too, as well as the other two suspect services/drivers.

Now, I want you to remove the password service:
Passwdrenew

FYI: http://virscan.org/report/a55dd1c9273bfc8e...634e74f358.html

Open a run line:
Click start -> run
Paste the following text in the open box:
cmd /k sc delete Passwdrenew
Hit Enter

Please tell me if you received a DeleteService SUCCESS message.

Hi,
Yes I received a success message.
Jeff

OK good.

I assume you know what this program is that is running on your system:

O23 - Service: XBaseMS-Service - Transaction Software, D 81829 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

Is all running OK now?

I do know what Parts Manager Pro is and it appears to belong to that program. So yes I believe it to be ok. Scanning it directly with Malwarebytes and Prevx says it is ok.

Yes everything seems to be ok.

Are we all clear.

Can you look at my logs on my second computer
http://www.malwarebytes.org/forums/index.php?showtopic=17554
It appears to be running ok. I will upload a new set of HJT logs tomorrow.

Thanks
Jeff

I'll be happy to check you logs from your other PC but the link you gave me is the one too this topic. Please post the correct one!

Good job! Your computer is clean now.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\savemyass.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
• It will flush your system restore points and create a new restore point.
• It will rehide your system files and folders
• Reset your system clock

If I asked you to download and run an ARK (Antirootkit program), then delete the contents of the C:\ARK folder and then delete the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update it and the enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the UPdates button.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

Latest Hijack this log.
Everything seems to be running ok.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:38 PM, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Data Deposit Box\nts.exe
C:\Program Files\Data Deposit Box\startup.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Prevx\prevx.exe
c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Data Deposit Box\starter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Data Deposit Box\backup.exe
c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe
C:\Program Files\Data Deposit Box\status.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080822
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Data Deposit Box.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://picturesbypros.lifepics.com/net/Upl...PUploader45.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1220538395086
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - http://keystone/JWalkX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.XXXXXXXXX.com
O17 - HKLM\Software\..\Telephony: DomainName = AD.XXXXXXXXX.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F96AE2B8-5096-4727-A722-21CE25D5F65B}: NameServer = 10.19.88.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.XXXXXXXXX.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AD.XXXXXXXXX.com
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ClockLink Scheduler (ClockLink) - Qqest Software Systems - C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\nts.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: TimeForce Advanced Server (ServiceTimeForce) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TimeForce Punches (TFPunches) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
O23 - Service: TimeForce Punch Processing Queue (TFPunchProcessQueue) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe

--
End of file - 10451 bytes

The log that I just added was from my 2nd computer. I was trying to add it to the orginal post but posted it on this one by mistake.
Here is my post that I was trying to add the logs to.
http://www.malwarebytes.org/forums/index.php?showtopic=17555

Thanks for all your help
Jeff

That looks good.

You could trim down your nonessential startups so be sure to run this (from my last reply):