It appears that I am one of hundreds if not thousands that have been attacked - Seems that it came from My Space during one on my daughters visits to the sight.

The background on the desktop reads:
"Warning Spyware threat has been detected on your PC
Your computer has several fatel errors due to spywae activity
it is strongy reccomended to install an anti spyware...
etc, etc etc...

Additionally, the Task Manager has been disabled and, a shield is now on the task bar and messages appear in a balloon every 3-4 minutes. In between, a phoney windows security message pops up waring that some type os syware has been loaded on the computer.....

I really need someones help quickly - This happened on my work issued laptop and the reprocussions would be bad. So thanks very much in advance!!!! Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:42 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\BFUSA\SYSTEM32\FWStarter.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
C:\WINDOWS\system32\SUSS.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\vfsFPService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
c:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IdentiPHI\SSO\slproto.exe
C:\Program Files\iPass\iPassConnect BSA\iPassConnectEngine.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\eaglemark\Application Data\Microsoft\dtsc\20541.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\eaglemark\Application Data\Microsoft\dtsc\20541.exe
c:\Program Files\IdentiPHI\SSO\slbroker.exe
c:\Program Files\IdentiPHI\SSO\slwinsso.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://teambsa.bfusa.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bridgestone / Firestone
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PXY1-NA-CHQ.bfusa.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bfusa.com;*.bfentirenet.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - c:\WINDOWS\system32\pmbho.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: IESSOObj Class - {7DE7B623-A17E-4A0B-94BA-D1B3BA646792} - c:\Program Files\IdentiPHI\SSO\iesso.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SecureLogin] c:\Program Files\IdentiPHI\SSO\slproto.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\eaglemark\Application Data\Microsoft\dtsc\20541.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Advanced Authentication System Tray.lnk = C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Refresh My Citrix Applications.lnk = C:\Program Files\Citrix\ICA Client\PNAgentLauncher.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra 'Tools' menuitem: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amex.iers.ihost.com
O15 - Trusted Zone: *.bfusa.com
O15 - Trusted Zone: *.Bridgestone-Firestone.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\Software\..\Telephony: DomainName = bfusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bfusa.com
O20 - Winlogon Notify: SLLgnEvt - SLLgnEvt.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FWStarter - - C:\BFUSA\SYSTEM32\FWStarter.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AA Session Server (ProtoSessSrvr) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: AA Fingerprint Scanner Service (scannerservice) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
O23 - Service: AA Local Server (SLAA) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\WINDOWS\system32\vfsFPService.exe

--
End of file - 13324 bytes

Welcome to SAF, Mark.

It will take a few steps to fix this, so don't expect a quick resolution. But it is fixable, so don't worry.

Download Malwarebytes Anti-Malware to the desktop.

* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both these checked:
o Update Malwarebytes Anti-Malware
o Launch Malwarebytes Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* On the Scanner tab:
o Make sure the "Perform Full Scan" option is selected.
o Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply along with a fresh HijackThis log.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

HKEd - Thank you for your help. I followed each step per your instructions - So far, so good. The logs from the newest hijack this scan as well as the Malwae run are below. Again, thanks. Please advise next step.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:18 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\BFUSA\SYSTEM32\FWStarter.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
C:\WINDOWS\system32\SUSS.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\vfsFPService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\msiexec.exe
c:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IdentiPHI\SSO\slproto.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Infotriever\Agent\infoclient.exe
c:\Program Files\IdentiPHI\SSO\slbroker.exe
c:\Program Files\IdentiPHI\SSO\slwinsso.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://teambsa.bfusa.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bridgestone / Firestone
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PXY1-NA-CHQ.bfusa.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bfusa.com;*.bfentirenet.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - c:\WINDOWS\system32\pmbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IESSOObj Class - {7DE7B623-A17E-4A0B-94BA-D1B3BA646792} - c:\Program Files\IdentiPHI\SSO\iesso.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SecureLogin] c:\Program Files\IdentiPHI\SSO\slproto.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Advanced Authentication System Tray.lnk = C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Refresh My Citrix Applications.lnk = C:\Program Files\Citrix\ICA Client\PNAgentLauncher.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra 'Tools' menuitem: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amex.iers.ihost.com
O15 - Trusted Zone: *.bfusa.com
O15 - Trusted Zone: *.Bridgestone-Firestone.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\Software\..\Telephony: DomainName = bfusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bfusa.com
O20 - Winlogon Notify: SLLgnEvt - SLLgnEvt.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FWStarter - - C:\BFUSA\SYSTEM32\FWStarter.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AA Session Server (ProtoSessSrvr) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: AA Fingerprint Scanner Service (scannerservice) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
O23 - Service: AA Local Server (SLAA) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\WINDOWS\system32\vfsFPService.exe

--
End of file - 10965 bytes

Malwarebytes' Anti-Malware 1.17
Database version: 857

10:29:07 AM 6/15/2008
mbam-log-6-15-2008 (10-29-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130387
Time elapsed: 39 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
C:\WINDOWS\system32\iftuyszv.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\iftuyszv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iftuyszv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\eaglemark\Application Data\Microsoft\dtsc\20541.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\directx32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dnsrelay.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\editpad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funniest.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funny.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\gfmnaaa.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\helpcvs.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iedll.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\inetinf.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msspi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssys.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msupdate.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc10.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc20.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\quicken.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\searchword.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\svcinit.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\eaglemark\Local Settings\Temp\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

HKEd - I forgot to ask for your rccomondation for program(s) that I could install to keep this from happening in the future. As you can see from the logs, Symantec is installed but totally ineffective in the case of this type of infection. Ideas? Also, I am curious as to how this stuff gets installed on computers. Obviously, it is a web based issues, however, am I correct in assuming that one has to open some type of file ot attachment in order for this stuff to install? My daughter was on "My Space" and opened a "Bulletin" from one of her friends when all heck broke loose and started this cascade of events. On one of our home computers, the same thing happened last week as a result of opening a "bulletin" on her My Space site - I simply chose to reformat the HDD. Possibly unelated, but I can only reformat if I pation the (80gig) HDD. Please advise - Thanks Again

correction - Partition (pation)

Hi Mark...best to address the partition problem in a new thread in the Hardware forum.

There is no real protection against this kind of infection. As you say, Norton is useless against it, but so are all antivirus programs. They are not coded to recognize these threats. If you get an antispyware program that has real-time protection, it might catch them, but not always, and never completely. Any 'Click here' invitations, even ones that purport to be from legitimate sources, should be ignored. That's the way they get in.

Next step is to download Deckard's System Scanner to the desktop (the download link is in the centre, about 2/3rds of the way down the page). Run Dss.exe and post the log it generates.

Thanks again for your help. The pop up baloon "warnings" are gone as well as the Windows Security Center fake alerts, The desktop is back to normal as well. Is this computer fixed? Amazing.

Here is the result so the DSS scan:
Deckard's System Scanner v20071014.68
Run by EagleMark on 2008-06-15 22:26:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
65: 2008-06-16 03:26:16 UTC - RP217 - Deckard's System Scanner Restore Point
64: 2008-06-15 04:16:52 UTC - RP216 - Restore Operation
63: 2008-06-15 04:13:23 UTC - RP215 - Restore Operation
62: 2008-06-14 16:33:53 UTC - RP214 - System Checkpoint
61: 2008-06-13 15:02:21 UTC - RP213 - System Checkpoint


-- First Restore Point --
1: 2008-03-19 12:57:42 UTC - RP153 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as EagleMark.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:45 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\BFUSA\SYSTEM32\FWStarter.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
C:\WINDOWS\system32\SUSS.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\vfsFPService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
c:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPass\iPassConnect BSA\iPassConnectEngine.exe
C:\Program Files\IdentiPHI\SSO\slproto.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Infotriever\Agent\infoclient.exe
c:\Program Files\IdentiPHI\SSO\slbroker.exe
c:\Program Files\IdentiPHI\SSO\slwinsso.exe
C:\Documents and Settings\eaglemark\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\EagleMark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://teambsa.bfusa.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bridgestone / Firestone
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PXY1-NA-CHQ.bfusa.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bfusa.com;*.bfentirenet.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - c:\WINDOWS\system32\pmbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IESSOObj Class - {7DE7B623-A17E-4A0B-94BA-D1B3BA646792} - c:\Program Files\IdentiPHI\SSO\iesso.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [iPassConnect] "C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SecureLogin] c:\Program Files\IdentiPHI\SSO\slproto.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Advanced Authentication System Tray.lnk = C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Refresh My Citrix Applications.lnk = C:\Program Files\Citrix\ICA Client\PNAgentLauncher.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra 'Tools' menuitem: SSO Wizard - {48428AD9-F53A-4c40-AC16-41DB6A2B67C6} - c:\Program Files\IdentiPHI\SSO\localhero.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amex.iers.ihost.com
O15 - Trusted Zone: *.bfusa.com
O15 - Trusted Zone: *.Bridgestone-Firestone.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\Software\..\Telephony: DomainName = bfusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bfusa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bfusa.com
O20 - Winlogon Notify: SLLgnEvt - SLLgnEvt.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FWStarter - - C:\BFUSA\SYSTEM32\FWStarter.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect BSA\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AA Session Server (ProtoSessSrvr) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_session.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: AA Fingerprint Scanner Service (scannerservice) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\sl_scannerService.exe
O23 - Service: AA Local Server (SLAA) - ActivIdentity - c:\Program Files\IdentiPHI\Advanced Authentication\slogin32w.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\WINDOWS\system32\vfsFPService.exe

--
End of file - 11102 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 iPassP (iPass Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\ipassp.sys <Not Verified; Meetinghouse Data Communications; iPass Client 3.5.3.0>
R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys
R2 pmsecdrv253162 (PolicyMaker Security Driver - pmsecdrv253162) - c:\windows\system32\drivers\pmsecdrv253162.sys <Not Verified; DesktopStandard Corporation; PolicyMaker Application Security>
R3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>

S2 pmsecdrv200135 (PolicyMaker Security Driver - pmsecdrv200135) - c:\windows\system32\drivers\pmsecdrv200135.sys (file missing)
S3 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FWStarter - c:\bfusa\system32\fwstarter.exe
R2 iPassPeriodicUpdateService - "c:\program files\ipass\ipassconnect bsa\ipassperiodicupdateservice.exe" <Not Verified; iPass, Inc.; Periodic Update Service>
R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe
R2 ProtoSessSrvr (AA Session Server) - "c:\program files\identiphi\advanced authentication\sl_session.exe" <Not Verified; ActivIdentity; Advanced Authentication>
R2 SLAA (AA Local Server) - "c:\program files\identiphi\advanced authentication\slogin32w.exe" <Not Verified; ActivIdentity; Advanced Authentication>
R2 SU (SU Service) - c:\windows\system32\suss.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
R2 tunnelguardservice (Nortel Networks TunnelGuard) - "c:\program files\nortel networks\tunnelguard\cueagent_srv.exe" <Not Verified; Alexandria Software Consulting; JavaService>
R2 vfsFPService (Validity Fingerprint Service) - c:\windows\system32\vfsfpservice.exe <Not Verified; Validity Sensors, Inc.; vfsEMPIRE>
R3 iPassConnectEngine - c:\program files\ipass\ipassconnect bsa\ipassconnectengine.exe <Not Verified; iPass, Inc.; iPassConnectEngine>
R3 iPassPeriodicUpdateApp - "c:\program files\ipass\ipassconnect bsa\ipassperiodicupdateapp.exe" <Not Verified; iPass, Inc.; Periodic Update>
R3 scannerservice (AA Fingerprint Scanner Service) - "c:\program files\identiphi\advanced authentication\sl_scannerservice.exe" <Not Verified; ActivIdentity; Advanced Authentication>

S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>
S4 SLSCMON (AA Smartcard Monitor) - "c:\program files\identiphi\advanced authentication\sl_scmon.exe" <Not Verified; ActivIdentity; Advanced Authentication>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-15 09:39:08 0 d-------- C:\Documents and Settings\eaglemark\Application Data\Malwarebytes
2008-06-15 09:39:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 09:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 00:21:04 0 d-------- C:\Program Files\Trend Micro
2008-06-14 23:15:14 0 d-------- C:\WINDOWS\system32\netrax06
2008-06-14 23:15:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-14 23:14:58 0 d-------- C:\Program Files\uTorrent
2008-06-14 22:31:27 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-14 22:27:03 0 d-------- C:\Temp
2008-06-14 22:26:29 4 --a------ C:\WINDOWS\system32\hljwugsf.bin


-- Find3M Report ---------------------------------------------------------------

2008-06-15 20:50:58 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-15 11:41:14 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-06-14 22:26:53 0 d-------- C:\Program Files\Common Files
2008-06-13 07:33:16 228156 --a------ C:\WINDOWS\system32\nvModes.dat
2008-06-02 13:50:50 0 d-------- C:\Documents and Settings\eaglemark\Application Data\AdobeUM
2008-04-29 14:41:17 0 d-------- C:\Program Files\CCleaner
2008-03-29 11:18:50 37027 --a------ C:\WINDOWS\atmoUn.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB}]
03/31/2006 02:00 PM 204288 -ra------ c:\WINDOWS\system32\pmbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 07:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 07:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 07:00 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/19/2006 09:14 AM]
"nwiz"="nwiz.exe" [01/19/2006 09:14 AM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [01/19/2006 09:14 AM C:\WINDOWS\system32\nvhotkey.dll]
"IMJPMIG9.0"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.exe" [03/17/2005 03:40 PM]
"iPassConnect"="C:\Program Files\iPass\iPassConnect BSA\iPassConnectGUI.exe" [11/30/2006 07:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/24/2006 07:14 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05/27/2006 03:40 AM]
"SigmatelSysTrayApp"="stsystra.exe" [11/16/2005 03:35 PM C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 02:13 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 07:00 AM C:\WINDOWS\system32\bthprops.cpl]
"SecureLogin"="c:\Program Files\IdentiPHI\SSO\slproto.exe" [05/18/2007 12:23 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/14/2007 01:53 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\eaglemark\Start Menu\Programs\Startup\
Infotriever.lnk - C:\Program Files\Infotriever\Agent\infoclient.exe [11/27/2007 5:40:44 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/23/2003 11:37:56 PM]
Advanced Authentication System Tray.lnk - C:\Program Files\IdentiPHI\Advanced Authentication\ProtocomSysTray.exe [6/12/2007 11:29:50 AM]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [12/14/2006 6:17:12 PM]
Refresh My Citrix Applications.lnk - C:\Program Files\Citrix\ICA Client\PNAgentLauncher.exe [11/30/2004 1:08:38 PM]
TunnelGuard Tray Monitor.lnk - c:\WINDOWS\Installer\{B5CDAA75-7472-4B48-9D47-BABD96DC95AD}\Icon079d381e2.exe [11/12/2007 3:15:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)
"NoMSAppLogo5ChannelNotify"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SLLgnEvt]
SLLgnEvt.dll 05/18/2007 12:23 PM 65536 c:\Program Files\IdentiPHI\SSO\SLLgnEvt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53916c55-93b9-11dc-8b0d-001641cd954d}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe




-- End of Deckard's System Scanner: finished at 2008-06-15 22:30:13 ------------

Hi Mark...


Yep...pretty much so. MBAM does an outstanding job with this infection. Not all are as easy as this, however.

To finish, download The Avenger to the desktop and unzip it to there. Run Avenger.exe and copy/paste the contents of the Code box below to the section under 'Input script here':



Click on Execute and reboot when prompted. Post the Avenger log (C:\Avenger.txt) so I can check the file and folder have been deleted.

Again, many, many thanks Here is the results from Avenger. What do you think?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\hljwugsf.bin" deleted successfully.
Folder "C:\WINDOWS\system32\netrax06" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

All looks well, Mark. I'd say you're good to go.

Edit: I just have to check this startup file: C:\BFUSA\SYSTEM32\FWStarter.exe It looks like something you use for work?

HKEd - A million thanks to you!!! I can't express my appreciation enough for your quick response and expert help. You turned a dire situation into a "non-event" No more opening bulletins for my daughter on her My Space site. What's more amazing is that I talked to her two friends that dsent her bulletins and neither report any issues like we have experienced two weeks in a row. Again, a million thanks from Tennessee!

And a big 'You're welcome' from Hong Kong.

C:BFUSA\System 32 does appear to be a work related file but no idea what specifically it is

If you right-click on the file and select Properties, is there any company or other info showing?

From one hit on Google, it may be VMware-related.

HKEd - I followed your instructions and found nothing on any of the properties tabs that would give me a clue what this program is or what it is for. Suggestions?

Hi Mark...click on Start > Run > type services.msc in the Run box and click OK. Scroll down to FWStarter and double-click on it. Set the 'Service Status' to Stop and use the drop-down menu to set the 'Startup type' to Disabled. Click Apply and OK. Locate FWStarter.exe and rename it to FWStarter.OLD.

If you find that you do need the file, reverse the changes.

With that file path, I doubt it's malicious, but you never know.

HKEd - I located FWStarter in the services.msc and found the description reads Firewall Starter

Hi Mark...Googling Firewall Starter FWStarter produces no hits. That rings alarm bells with me.

Upload the file to VirusTotal for a scan. Click on the Browse button and migrate to the file along this path: C:\BFUSA\SYSTEM32\FWStarter.exe. Click on Send File and wait for the results. Copy/paste the results here.