I'm running Win 2003 server w/ SP2 and all updates except for ie7. This is our mail server. Recently we did a major network overhaul, replacing a lot of hardware, including a new Watchguard firewall. By default 3389 was open to the world so we had a lot of intrutions to the system.
Anyway, I've got it mostly clean up but I want to make sure all was as it should be.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:21:32 PM, on 4/3/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESJM.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSETask.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
c:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\IMFcompanion\IMFcompanion.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mstsc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\istech\Install Files\Test Utilities\securable.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator.SERVERS\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.countmein.com
O15 - ESC Trusted Zone: http://h18023.www1.hp.com
O15 - ESC Trusted Zone: http://*.mail
O15 - ESC Trusted Zone: http://www.mcse.ms
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205870239953
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pacsci.org
O17 - HKLM\Software\..\Telephony: DomainName = pacsci.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{D597A8D3-BC44-4420-8CEB-FE02EA1E510A}: NameServer = 10.0.20.2,10.0.20.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pacsci.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pacsci.org
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP State Services - Unknown owner - C:\WINDOWS\system\systemsys
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec Mail Security Spam Statistics (SAVFMSESpamStatsManager) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESpamStatsManager.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Internet Security (Syslog) - Unknown owner - C:\WINDOWS\system32\dllcache\systemlogon.exe (file missing)

--
End of file - 9434 bytes


Any info would be terrific! Thanks alot

-Mike

You are using the beta release of HiJackTHis which is outdated.


Please delete the version of HiJackThis.exe you have installed, then download the new version from here:
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

Double Click on the HJTInstall.exe file. It will be installed to the default location of C:\Program File\Trend Micro\HiJackThis\

Run HiJackThis, scan, save the log, then post the new log in this thread.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:27 PM, on 4/3/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESJM.EXE
C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSETask.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
c:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\IMFcompanion\IMFcompanion.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\istech\Install Files\Test Utilities\securable.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.countmein.com
O15 - ESC Trusted Zone: http://h18023.www1.hp.com
O15 - ESC Trusted Zone: http://*.mail
O15 - ESC Trusted Zone: http://www.mcse.ms
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205870239953
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pacsci.org
O17 - HKLM\Software\..\Telephony: DomainName = pacsci.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{D597A8D3-BC44-4420-8CEB-FE02EA1E510A}: NameServer = 10.0.20.2,10.0.20.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pacsci.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pacsci.org
O23 - Service: ASP State Services - Unknown owner - C:\WINDOWS\system\systemsys
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec Mail Security Spam Statistics (SAVFMSESpamStatsManager) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESpamStatsManager.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - C:\Program Files\Symantec\SMSMSE\4.6\Server\SAVFMSESrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Internet Security (Syslog) - Unknown owner - C:\WINDOWS\system32\dllcache\systemlogon.exe (file missing)

--
End of file - 9236 bytes

Two suspicious entries are in your log -- see the next post for instructions.

Your Java runtime is way out of date also, unless you are bound to that version by software that you are running, the current version is 1.6_05 ans should be installed. As always, the Sun installer does not remove prior versions so be sure to remove all older versions. (again, unless needed).

I/m doubling checking and don't like t he look of the following:
C:\WINDOWS\system\systemsys
C:\WINDOWS\system32\dllcache\systemlogon.exe


Please submit the following file(s) to Jotti.org for analysis: http://virusscan.jotti.org/

C:\WINDOWS\system\systemsys
C:\WINDOWS\system32\dllcache\systemlogon.exe


Be sure to post the results in this thread.


Make sure both services are disabled for the time being.

File: systemsys
Status:
INFECTED/MALWARE
MD5: 2ab9ba5199aa90a33740a58e9a130041
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 04 Apr 2008 09:25:01 (GMT)
A-Squared - Found nothing
AntiVir - Found TR/Dldr.Delphi.Gen
ArcaVir - Found nothing
Avast - Found Win32:Hupigon-HCR
AVG Antivirus - Found nothing
BitDefender - Found GenPack:Generic.Graybird.5687ABEA
ClamAV - Found Trojan.Packed-18
CPsecure - Found BackDoor.W32.Hupigon.gt
Dr.Web - Found BackDoor.Pigeon.83
F-Prot Antivirus - Found Possibly a new variant of W32/PWStealer1!Generic
F-Secure Anti-Virus - Found nothing
Fortinet - Found nothing
Ikarus - Found Backdoor.Win32.Agent.ahj
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found W32/Hupigon.gen67
Rising Antivirus - Found nothing
Sophos Antivirus - Found Mal/Packer
VirusBuster - Found nothing
VBA32 - Found OScope.Backdoor.XiaoBird.6AF9


According to HijackThis systemlogon.exe is missing... maybe picked up by Symantec?

HiJAckThis often reports programs as missing when they are not. THe only way to be sure is to check for the file. But I am believe this one is bad as well so lets proceed.



First step is to stop and disable each service. You can do it manually.

Start -> Run -> services.msc (press 'Enter')
Scan down the pane in the right hand side and find each service.
Double Click on the service to select it
Use the pull down menu and change the Service Type to 'Disabled'
Reboot your computer (if possible)

Then do the following...

Open a Command Prompt Window (Start -> Run -> cmd)
Enter the following commands: (then press 'Enter')
sc delete "ASP State Service"
sc delete "Internet Security"
exit



Finally. delete the files....

C:\WINDOWS\system\systemsys
C:\WINDOWS\system32\dllcache\systemlogon.exe (file missing)

Awesome, thanks for help on removing the services.
The syslogon file actually does not exist though, neither does its parent folder.