
Thread: please help it keeps coming back

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    please help it keeps coming back

    My girlfriend's computer is running extremely slow. The CPU usage skyrockets. Whenever she tries to search something in any search window, Explorer will close instantly, sometimes without warning and other times asking us if we would like to send an error report. Whenever I run CounterSpy it picks up some cookies and things, but always picks up an Elevated risk file called Clickspring. Purityscan. I remove it but the computer doesn't run any better and it just shows up on the next scan. Can you help? Here is my log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:35 AM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ActivCard\acachsrv.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\Program Files\Common Files\ActivCard\acautoup.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\lwihyrai.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\SMANTE~1\ati2evxx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jamie\Desktop\hijackthis\HiJackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rildlwwf.dll",sitypnow
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Fmpjg] "C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mtmggij] "C:\Documents and Settings\Jamie\Application Data\a?sembly\m?dtc.exe"
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMANTE~1\ati2evxx.exe" -vt ndrv
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
    O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
    O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
    O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\lwihyrai.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8474 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi c0oder

    Rename HijackThis.exe to c0oder.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    here it is!

    Hope this helps.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:11:46 PM, on 10/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ActivCard\acachsrv.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\Program Files\Common Files\ActivCard\acautoup.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\lwihyrai.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\SMANTE~1\ati2evxx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Jamie\Desktop\hijackthis\C0oder.exe.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: 0 - {88CE02FD-D727-4AC3-1CB7-F2A9240779D6} - C:\Program Files\Common Files\qudap533.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {BDE3A02A-15BA-0F5E-EA28-4F766D4D079A} - C:\WINDOWS\system32\sryfmfq.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\uvdccatg.dll
    O2 - BHO: (no name) - {D37F2F67-630A-478F-8FE6-FBB6A36CCC8A} - C:\WINDOWS\system32\ssqrp.dll
    O2 - BHO: (no name) - {EFE3F62D-1DED-585F-EE28-4F766D4D01CA} - C:\WINDOWS\system32\dmwpml.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\oevwehun.dll",sitypnow
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Fmpjg] "C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mtmggij] "C:\Documents and Settings\Jamie\Application Data\a?sembly\m?dtc.exe"
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMANTE~1\ati2evxx.exe" -vt ndrv
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
    O20 - Winlogon Notify: tuvutts - tuvutts.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
    O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
    O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
    O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\lwihyrai.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9768 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Yes it does

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    - vundofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
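A triage pass over entries like those in the two HijackThis logs above, added here as an illustration and not part of the thread or of HijackThis itself; the sample lines are constructed from entries on this page, and the heuristics (nameless BHOs, rundll32 loaders in system32, Trusted Zone additions, orphaned Winlogon Notify DLLs, services with no vendor string) are my own choices, not the helper's method.

```python
import re

# Constructed sample: entries copied from the HijackThis logs in this thread, interleaved
# with ordinary entries (Intel graphics tray, Symantec service, ActivCard notify) that
# should pass through untouched.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll",
    r"O2 - BHO: (no name) - {D37F2F67-630A-478F-8FE6-FBB6A36CCC8A} - C:\WINDOWS\system32\ssqrp.dll",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\rildlwwf.dll",sitypnow',
    r'O4 - HKCU\..\Run: [Fmpjg] "C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe"',
    r"O15 - Trusted Zone: *.winfixer.com (HKLM)",
    r"O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll",
    r"O20 - Winlogon Notify: tuvutts - tuvutts.dll (file missing)",
    r"O23 - Service: DomainService - - C:\WINDOWS\system32\lwihyrai.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
RUNDLL32_SYSTEM32_RE = re.compile(r'rundll32\.exe\s+"?[^"]*\\system32\\[^"\\]+\.dll"?,\w+', re.I)
NAMELESS_SYSTEM32_DLL_RE = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.I)
NO_VENDOR_SERVICE_RE = re.compile(r"^Service: .+? - - ")


def triage_line(line: str) -> list:
    """Return the reasons one HijackThis entry deserves a closer look (empty list = none)."""
    reasons = []
    match = ENTRY_RE.match(line.strip())
    if not match:
        return reasons            # header, process list or blank line: nothing to judge
    section, body = match.groups()

    # HijackThis prints '?' for a character it cannot render. In this thread the folders
    # "?ecurity" and "a?sembly" mimic the real "Security" and "assembly" names.
    if section in ("O2", "O4", "O20") and "?" in body:
        reasons.append("unprintable character in autostart path")

    if section == "O2" and "(no name)" in body:
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("nameless BHO whose DLL is gone")
        elif NAMELESS_SYSTEM32_DLL_RE.search(body):
            reasons.append("nameless BHO loading a bare DLL from system32")

    if section == "O4" and RUNDLL32_SYSTEM32_RE.search(body):
        # A random-named DLL in system32 started through rundll32 with an odd export name
        # is the loader pattern seen in both logs (rildlwwf.dll, then oevwehun.dll).
        reasons.append("rundll32 loading a DLL from system32 at logon")

    if section == "O15":
        # Trusted Zone sites get relaxed IE security; a home PC rarely needs any, so list each.
        reasons.append("site added to IE Trusted Zone")

    if section == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify DLL missing from disk")

    if section == "O23" and NO_VENDOR_SERVICE_RE.match(body):
        reasons.append("service with no vendor string")

    return reasons


def triage(lines) -> list:
    """Run triage_line over a whole log; returns (line, [reasons]) for flagged entries only."""
    report = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            report.append((line.strip(), reasons))
    return report


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{'; '.join(reasons)}\n    {line}")
```

The same function can be fed a whole saved log with `triage(open("hijackthis.log").read().splitlines())`; entries it does not understand are simply skipped.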

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    9


    Here's the ComboFix log:

    ComboFix 07-10-02.2 - Jamie 2007-10-02 13:23:23.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -8:00]
    Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\Jamie\Application Data\ASEMBL~1
    C:\Documents and Settings\Jamie\Application Data\ASEMBL~1\m?dtc.exe
    C:\Documents and Settings\Jamie\Application Data\ECURIT~1
    C:\Documents and Settings\Jamie\Application Data\PPPATC~1
    C:\Documents and Settings\Jamie\Application Data\WinTouch
    C:\Documents and Settings\Jamie\Application Data\WinTouch\wintouch.cfg
    C:\Documents and Settings\Jamie\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\Jamie\My Documents\STEM32~1
    C:\Documents and Settings\Jamie\My Documents\YSTEM3~1
    C:\Documents and Settings\Jamie\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Jamie\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Jamie\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\mantec~1
    C:\Program Files\Insider
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\smante~1
    C:\Program Files\smante~1\ati2evxx.exe
    C:\Program Files\smante~1\S?mantec\
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fse
    C:\Temp\fse\tmpZTF.log
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\a4
    C:\WINDOWS\system32\A4\icm33o.exe
    C:\WINDOWS\system32\achtprlq.exe
    C:\WINDOWS\system32\cbssxdwi.exe
    C:\WINDOWS\system32\clkofrkl.exe
    C:\WINDOWS\system32\ejjlxcui.exe
    C:\WINDOWS\system32\evcpvqcv.exe
    C:\WINDOWS\system32\f02WtR
    C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
    C:\WINDOWS\SYSTEM32\fwwldlir.ini
    C:\WINDOWS\system32\gvgoddqn.exe
    C:\WINDOWS\system32\inxhbnea.exe
    C:\WINDOWS\system32\jtgcsrgg.exe
    C:\WINDOWS\system32\lttungkl.exe
    C:\WINDOWS\system32\lwihyrai.exe
    C:\WINDOWS\system32\mhcnmxbb.exe
    C:\WINDOWS\system32\mhudklqd.exe
    C:\WINDOWS\system32\nlceauvy.exe
    C:\WINDOWS\system32\oqobunov.exe
    C:\WINDOWS\system32\pluauqjx.exe
    C:\WINDOWS\system32\ppatch~1
    C:\WINDOWS\SYSTEM32\prqss.ini
    C:\WINDOWS\system32\pxcfptny.exe
    C:\WINDOWS\system32\rfedctao.exe
    C:\WINDOWS\system32\rildlwwf.dll
    C:\WINDOWS\system32\rtofwcdc.exe
    C:\WINDOWS\system32\sdshse.dll
    C:\WINDOWS\SYSTEM32\sngtdxqu.ini
    C:\WINDOWS\SYSTEM32\ssqrp.dll
    C:\WINDOWS\system32\ttkovjem.exe
    C:\WINDOWS\system32\uqxdtgns.dll
    C:\WINDOWS\system32\uugqlqds.exe
    C:\WINDOWS\system32\vttqcqiw.dll
    C:\WINDOWS\system32\wapisvtr.exe
    C:\WINDOWS\system32\xcuifejy.exe
    C:\WINDOWS\system32\xdgyckly.exe
    C:\WINDOWS\system32\xdnqvitw.exe
    C:\WINDOWS\system32\yiaunetx.exe
    C:\WINDOWS\system32\Z1
    C:\WINDOWS\ymante~1

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
    .

    2007-10-02 13:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-02 12:46 <DIR> d-------- C:\VundoFix Backups
    2007-10-01 15:34 87,104 --a------ C:\WINDOWS\SYSTEM32\oevwehun.dll
    2007-09-29 15:34 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
    2007-09-29 15:34 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
    2007-09-17 10:21 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
    2007-09-17 10:18 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Sunbelt Software
    2007-09-17 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-09-17 10:15 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-09-16 23:05 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-16 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-09-16 22:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-06 14:53 <DIR> d--hs---- C:\WINDOWS\U2NvdHQgUmF0aGJ1cm4
    2007-09-06 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\drvr3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-17 11:00 246 --a------ C:\Program Files\Common Files\qudap533
    2007-09-16 23:30 --------- d-------- C:\Program Files\microsoft frontpage
    2007-09-16 23:04 --------- d-------- C:\Documents and Settings\Jamie\Application Data\Lavasoft
    2007-09-09 19:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-08-26 17:48 --------- d-------- C:\Program Files\Soulseek
    2007-08-10 18:49 --------- d-------- C:\Documents and Settings\Jamie\Application Data\U3
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-28 01:06 135 --a------ C:\Program Files\Common Files\rtemed.html
    2005-07-30 00:24:26 472 --sha-r C:\WINDOWS\U2NvdHQgUmF0aGJ1cm4\oZhSxJk0oAIXu3LYwAb.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88CE02FD-D727-4AC3-1CB7-F2A9240779D6}]
    C:\Program Files\Common Files\qudap533.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDE3A02A-15BA-0F5E-EA28-4F766D4D079A}]
    C:\WINDOWS\system32\sryfmfq.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 18:35]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 07:27]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 22:04]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 12:30]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "Fmpjg"="C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 14:18]
    "Mtmggij"="C:\Documents and Settings\Jamie\Application Data\a?sembly\m?dtc.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
    acauth.dll 2002-12-17 11:11 65536 C:\WINDOWS\SYSTEM32\acauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvutts]
    tuvutts.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivCard Gold Smart Card Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivCard Gold Smart Card Agent.lnk
    backup=C:\WINDOWS\pss\ActivCard Gold Smart Card Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk]
    path=C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\TA_Start.lnk
    backup=C:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acEventServ]
    "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
    "C:\PROGRA~1\SMANTE~1\ati2evxx.exe" -vt yazb

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hjkldhb]
    "C:\Documents and Settings\Jamie\My Documents\?ystem32\s?anregw.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
    C:\Program Files\Insider\Insider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mezelow]
    C:\Program Files\microsoft frontpage\mezelow22011.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "C:\Program Files\Dell\Media Experience\PCMService.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
    "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rayiou.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
    rundll32.exe "C:\WINDOWS\system32\pnrioiyq.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    C:\Program Files\WinPop\winpop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    C:\Documents and Settings\Jamie\Application Data\WinTouch\WinTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
    C:\Program Files\Words\Words.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9D-D4-41-1F-ZN}]
    C:\windows\system32\ksdsrngo.exe CHD003

    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
    S3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
    S3 SCR131C;SCRx31 Serial Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR131C.sys
    S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-24 17:23:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2004-07-22 05:09:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1088560859.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
    "2007-09-29 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    "2007-10-02 22:01:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    "2007-10-02 01:46:00 C:\WINDOWS\Tasks\WebReg 20070108174630.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-02 14:00:30
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-02 14:04:46 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-02 14:04
    .
    --- E O F ---

  6. #6
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    Default

    Here's the VundoFix log:


    VundoFix V6.5.9

    Checking Java version...

    Scan started at 12:46:58 PM 10/2/2007

    Listing files found while scanning....

    C:\windows\system32\bsxirvif.ini
    C:\windows\system32\fivrixsb.dll
    C:\windows\system32\jcrcubum.ini
    C:\windows\system32\mubucrcj.dll
    C:\WINDOWS\system32\oevwehun.dll
    C:\windows\system32\pnrioiyq.dll
    C:\windows\system32\prqss.bak1
    C:\windows\system32\prqss.bak2
    C:\windows\system32\prqss.ini
    C:\windows\system32\qosyoklr.ini
    C:\windows\system32\qyioirnp.ini
    C:\windows\system32\rlkoysoq.dll
    C:\windows\system32\ssqrp.dll
    C:\WINDOWS\system32\uvdccatg.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\bsxirvif.ini
    C:\windows\system32\bsxirvif.ini Has been deleted!

    Attempting to delete C:\windows\system32\fivrixsb.dll
    C:\windows\system32\fivrixsb.dll Has been deleted!

    Attempting to delete C:\windows\system32\jcrcubum.ini
    C:\windows\system32\jcrcubum.ini Has been deleted!

    Attempting to delete C:\windows\system32\mubucrcj.dll
    C:\windows\system32\mubucrcj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oevwehun.dll
    C:\WINDOWS\system32\oevwehun.dll Could not be deleted.

    Attempting to delete C:\windows\system32\pnrioiyq.dll
    C:\windows\system32\pnrioiyq.dll Has been deleted!

    Attempting to delete C:\windows\system32\prqss.bak1
    C:\windows\system32\prqss.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\prqss.bak2
    C:\windows\system32\prqss.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\prqss.ini
    C:\windows\system32\prqss.ini Has been deleted!

    Attempting to delete C:\windows\system32\qosyoklr.ini
    C:\windows\system32\qosyoklr.ini Has been deleted!

    Attempting to delete C:\windows\system32\qyioirnp.ini
    C:\windows\system32\qyioirnp.ini Has been deleted!

    Attempting to delete C:\windows\system32\rlkoysoq.dll
    C:\windows\system32\rlkoysoq.dll Has been deleted!

    Attempting to delete C:\windows\system32\ssqrp.dll
    C:\windows\system32\ssqrp.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\uvdccatg.dll
    C:\WINDOWS\system32\uvdccatg.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.9

    Checking Java version...

    Scan started at 12:59:12 PM 10/2/2007

    Listing files found while scanning....

    C:\windows\system32\prqss.ini
    C:\windows\system32\ssqrp.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\prqss.ini
    C:\windows\system32\prqss.ini Has been deleted!

    Attempting to delete C:\windows\system32\ssqrp.dll
    C:\windows\system32\ssqrp.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\prqss.ini
    C:\windows\system32\prqss.ini Has been deleted!

    Attempting to delete C:\windows\system32\ssqrp.dll
    C:\windows\system32\ssqrp.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    Default

    Here's the fresh HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:54:23 PM, on 10/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ActivCard\acachsrv.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\Program Files\Common Files\ActivCard\acautoup.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Jamie\Desktop\hijackthis\C0oder.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: 0 - {88CE02FD-D727-4AC3-1CB7-F2A9240779D6} - C:\Program Files\Common Files\qudap533.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {BDE3A02A-15BA-0F5E-EA28-4F766D4D079A} - C:\WINDOWS\system32\sryfmfq.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Fmpjg] "C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Mtmggij] "C:\Documents and Settings\Jamie\Application Data\a?sembly\m?dtc.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
    O20 - Winlogon Notify: tuvutts - tuvutts.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
    O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
    O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
    O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9057 bytes

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Much better

    Open HijackThis, click "Do a system scan only" and checkmark these:

    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)


    Close all windows including browser and press fix checked.

    Reboot.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\oevwehun.dll
    C:\Program Files\Common Files\rtemed.html
    
    Folder::
    C:\WINDOWS\U2NvdHQgUmF0aGJ1cm4
    C:\WINDOWS\SYSTEM32\drvr3
    C:\Program Files\Common Files\qudap533
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88CE02FD-D727-4AC3-1CB7-F2A9240779D6}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDE3A02A-15BA-0F5E-EA28-4F766D4D079A}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^Think-Adz.lnk]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hjkldhb]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mezelow]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9D-D4-41-1F-ZN}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Fmpjg"=-
    "Mtmggij"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvutts]
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
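The selection the expert makes in post #8 follows a recognisable pattern: every O15 Trusted Zone entry goes, every O2/O20 load point whose file is already missing goes, and the HKCU Run entries whose paths contain unprintable look-alike characters (shown as "?" in the log) go. Below is an added example that writes that triage down as a small Python script; it is not a tool from this thread and not how HijackThis or ComboFix work internally. The sample lines are copied from the HijackThis log in post #7, the `Finding` class and the regular expressions are this example's own, and the `Registry::` rendering only imitates the shape of the CFScript in post #8 (the `\~\` abbreviation and the `"Name"=-` value-deletion syntax are taken from that post). O15 entries are reported but not rendered, because the post removes them through HijackThis rather than through the script.

```python
"""Triage HijackThis log lines and render a Registry:: block in the shape of post #8 (added example)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log in post #7 above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {88CE02FD-D727-4AC3-1CB7-F2A9240779D6} - C:\Program Files\Common Files\qudap533.dll (file missing)
O2 - BHO: (no name) - {BDE3A02A-15BA-0F5E-EA28-4F766D4D079A} - C:\WINDOWS\system32\sryfmfq.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Fmpjg] "C:\Documents and Settings\Jamie\Application Data\?ecurity\m?dtc.exe"
O4 - HKCU\..\Run: [Mtmggij] "C:\Documents and Settings\Jamie\Application Data\a?sembly\m?dtc.exe"
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: tuvutts - tuvutts.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                       # "O15 - <body>"
BHO_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                    # CLSID in an O2 line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # hive, value name, command
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - ")              # notify package name


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O15"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


def triage(log_text: str) -> list:
    """Return the lines a reviewer would want to look at, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O15":
            findings.append(Finding(section, "site in IE Trusted Zone runs with relaxed security settings", line))
        elif section in ("O2", "O20") and "(file missing)" in body:
            findings.append(Finding(section, "load point whose target file is gone (leftover or blocked component)", line))
        elif section == "O4":
            o4 = O4_RE.match(body)
            path = o4.group(3).strip('"') if o4 else body
            if "?" in path:
                findings.append(Finding(section, "autostart path contains an unprintable character (look-alike directory name)", line))
            elif "\\Application Data\\" in path:
                findings.append(Finding(section, "autostart executable under a user-writable profile directory", line))
    return findings


def cfscript_registry_block(findings) -> str:
    """Render Registry:: deletion lines in the shape post #8 uses.

    This is illustration only: which entries are actually removed is the reviewer's
    decision, and O15 entries are handled in HijackThis, so they are not rendered here.
    """
    lines = ["Registry::"]
    hkcu_values = []
    for f in findings:
        body = LINE_RE.match(f.line).group(2)
        if f.section == "O2":
            clsid = BHO_RE.search(body).group(0)
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
        elif f.section == "O20":
            name = O20_RE.match(body).group(1)
            lines.append(f"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\{name}]")
        elif f.section == "O4":
            o4 = O4_RE.match(body)
            if o4 and o4.group(1) == "HKCU":
                hkcu_values.append(o4.group(2))   # value deletions are grouped under one key
    if hkcu_values:
        lines.append("[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines.extend(f'"{name}"=-' for name in hkcu_values)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print()
    print(cfscript_registry_block(found))
```

Run on the sample, the script flags seven of the ten lines (two BHOs and one Winlogon Notify with missing files, the two HKCU Run entries with "?" in their paths, and both Trusted Zone sites) and renders the same three `[-...]` keys and two `"Name"=-` value deletions that appear in the expert's CFScript. The legitimate ccApp, Spybot and acAuth entries are left alone, which is the point of keying on concrete signals (missing file, unprintable path character, Trusted Zone) rather than on unfamiliar names.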

  9. #9
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    Default here's the combofix log

    ComboFix 07-10-02.2 - Jamie 2007-10-04 12:46:45.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.51 [GMT -8:00]
    Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jamie\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\SYSTEM32\oevwehun.dll
    C:\Program Files\Common Files\rtemed.html
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\qudap533\
    C:\Program Files\Common Files\rtemed.html
    C:\WINDOWS\SYSTEM32\drvr3
    C:\WINDOWS\SYSTEM32\oevwehun.dll
    C:\WINDOWS\U2NvdHQgUmF0aGJ1cm4
    C:\WINDOWS\U2NvdHQgUmF0aGJ1cm4\oZhSxJk0oAIXu3LYwAb.vbs

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
    .

    2007-10-02 13:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-02 12:46 <DIR> d-------- C:\VundoFix Backups
    2007-09-29 15:34 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
    2007-09-29 15:34 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
    2007-09-17 10:21 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
    2007-09-17 10:18 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Sunbelt Software
    2007-09-17 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-09-17 10:15 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-09-16 23:05 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-16 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-09-16 22:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-17 11:00 246 --a------ C:\Program Files\Common Files\qudap533
    2007-09-16 23:30 --------- d-------- C:\Program Files\microsoft frontpage
    2007-09-16 23:04 --------- d-------- C:\Documents and Settings\Jamie\Application Data\Lavasoft
    2007-09-09 19:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-08-26 17:48 --------- d-------- C:\Program Files\Soulseek
    2007-08-10 18:49 --------- d-------- C:\Documents and Settings\Jamie\Application Data\U3
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 18:35]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 07:27]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 22:04]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 12:30]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 14:18]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
    acauth.dll 2002-12-17 11:11 65536 C:\WINDOWS\SYSTEM32\acauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivCard Gold Smart Card Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivCard Gold Smart Card Agent.lnk
    backup=C:\WINDOWS\pss\ActivCard Gold Smart Card Agent.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acEventServ]
    "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "C:\Program Files\Dell\Media Experience\PCMService.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
    "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-24 17:23:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2004-07-22 05:09:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1088560859.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
    "2007-09-29 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    "2007-10-04 21:06:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    "2007-10-04 01:46:00 C:\WINDOWS\Tasks\WebReg 20070108174630.job"
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-04 13:04:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-04 13:08:32 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-04 13:08
    C:\ComboFix2.txt ... 2007-10-02 14:04
    .
    --- E O F ---

  10. #10
    Junior Member
    Join Date
    Sep 2007
    Posts
    9

    Default here's the fresh hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:28:15 PM, on 10/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ActivCard\acachsrv.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\Program Files\Common Files\ActivCard\acautoup.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jamie\Desktop\hijackthis\C0oder.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
    O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
    O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
    O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7960 bytes
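The log above is the raw material a helper would triage by hand. Below is an added example (not from the original poster, and not HijackThis code) of a small parser that reads HJT lines, pulls out the referenced file or URL, and applies the triage heuristics a practitioner would apply first to a "keeps coming back" case: dangling "(file missing)" entries, downloaded ActiveX controls (O16), Winlogon Notify DLLs (O20), services with no vendor, and O4 autoruns pointing at a random-looking executable name in system32. The sample lines are copied from the posted log, except the final O4 line, which is constructed (qzxvtrkd.exe is an invented name) so the random-name check has something to fire on; the allowlist and the 6-to-12-letter name threshold are assumptions and will need tuning per host.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above, plus one CONSTRUCTED
# O4 line at the end (qzxvtrkd.exe is an invented name, not from the log)
# so that the random-name heuristic has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O4 - HKLM\..\Run: [qzxvtrkd] C:\WINDOWS\system32\qzxvtrkd.exe
"""

# HJT lines look like "O<n> - <body>"; everything else (headers, blanks) is skipped.
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in .exe/.dll/.cab, or else the first http(s) URL.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cab))\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str  # "O4", "O20", ...
    body: str     # text after "O<n> - "
    path: str     # referenced file or URL, "" if none was found


def parse(log: str) -> list:
    """Turn raw HJT text into Entry records; non-HJT lines are ignored."""
    entries = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        p = PATH_RE.search(body)
        u = URL_RE.search(body)
        path = p.group(1) if p else (u.group(0) if u else "")
        entries.append(Entry(section, body, path))
    return entries


# ASSUMED allowlist of legitimate system32 autoruns seen in logs like this one;
# extend it for the host being examined.
SYSTEM32_ALLOWLIST = {"ctfmon.exe", "igfxtray.exe", "igfxpers.exe", "hkcmd.exe", "dsentry.exe"}
# ASSUMED heuristic: 6-12 lowercase letters and nothing else is "random-looking".
RANDOM_EXE = re.compile(r"^[a-z]{6,12}\.exe$")


def triage(entries) -> list:
    """Return (code, section, body) findings. These are triage hints, not verdicts."""
    findings = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower() if e.path else ""
        low = e.path.lower()
        if "(file missing)" in e.body:
            # Dangling reference; harmless, but it is safe to let HJT fix it.
            findings.append(("file_missing", e.section, e.body))
        if e.section == "O16":
            # Downloaded ActiveX control; remove unless the site is still used.
            findings.append(("dpf_activex", e.section, e.body))
        if e.section == "O20":
            # Loaded by winlogon.exe at logon; verify the DLL's publisher.
            findings.append(("winlogon_notify", e.section, e.body))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(("unknown_owner", e.section, e.body))
        if (e.section == "O4" and "\\system32\\" in low
                and RANDOM_EXE.match(name) and name not in SYSTEM32_ALLOWLIST):
            # Autorun of an unrecognised, random-looking binary in system32:
            # the usual place a re-appearing detection is re-seeded from.
            findings.append(("random_autorun", e.section, e.body))
    return findings


if __name__ == "__main__":
    for code, section, body in triage(parse(SAMPLE_LOG)):
        print(f"{code:16s} {section:4s} {body}")
```

Run it over a full saved log instead of SAMPLE_LOG to get a short list of lines worth investigating before posting; a hit from the random-name rule is a prompt to check the file's publisher and creation time, not proof of infection, since the allowlist is deliberately small.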
