Help please! virus, random .t files



el-camino-ss
2007-01-03, 21:26
I picked something up off of LimeWire and now it's creating a lot of problems. I have an HP Pavilion Slimline s7421c PC. I tried doing a full Windows restore but it freezes every time I try to do it now. My D: is where all the recovery files are and it won't let me open it to look through it, but I did a scan on it and there are a ton of .t files in there that I cannot remove. They also pop up randomly all over my C: as well. I need help! This isn't even my computer lol...

Here's my HJT scan

Logfile of HijackThis v1.99.1
Scan saved at 12:17:49 PM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 12/28/06 10:09:11
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 12/28/06 10:09:11
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\DOCUME~1\kyle\Desktop\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167249827419
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167249391343
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Unknown owner - c:\Program Files\Norton Internet Security\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
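Triage logic over entries in the HijackThis log format posted above, as an added example that is not part of the thread: it flags hosts-file overrides, Run commands registered under both HKLM and HKCU, service ImagePaths with a stray quote, and executable names one edit away from a genuine Windows system binary. The sample lines are a constructed excerpt and the heuristics only mark items for a human to review.

```python
import re
from collections import defaultdict
# Constructed excerpt in HijackThis v1.99 log format, using entry types from the
# log posted above (a handful of lines, not the whole scan).
SAMPLE_LOG = r"""
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 12/28/06 10:09:11
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
"""
# Genuine Windows XP system binaries: a near-miss of one of these names deserves a look.
SYSTEM_STEMS = {"svchost", "services", "lsass", "winlogon", "csrss", "smss", "explorer", "spoolsv"}
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
EXE_RE = re.compile(r'([^\\/"]+)\.exe', re.IGNORECASE)  # first exe name in a command line

def edit_distance(a, b):  # plain Levenshtein, fine for short names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(cmd):
    """System binary whose name the command's exe nearly, but not exactly, matches."""
    m = EXE_RE.search(cmd)
    stem = m.group(1).lower() if m else ""
    return next((k + ".exe" for k in SYSTEM_STEMS if stem != k and edit_distance(stem, k) <= 1), None)

def triage(log_text):
    """(code, detail) findings for a human to review; these are heuristics, not verdicts."""
    findings, hives = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("O1 - Hosts:"):  # hosts overrides redirect name resolution
            findings.append(("hosts-override", line.split(":", 1)[1].split("#")[0].strip()))
        elif (m := RUN_RE.match(line)):
            hives[m["cmd"].lower()].add(m["hive"])
            if (near := lookalike(m["cmd"])):
                findings.append(("lookalike-name", f"{m['cmd']} resembles {near}"))
        elif (m := SVC_RE.match(line)):
            if (near := lookalike(m["path"])):
                findings.append(("lookalike-name", f"{m['svc']}: {m['path']} resembles {near}"))
            if '"' in m["path"] and not m["path"].startswith('"'):  # quote inside the ImagePath
                findings.append(("odd-imagepath", f"{m['svc']}: {m['path']}"))
    for cmd, hs in hives.items():  # same command registered under both machine and user Run keys
        if hs == {"HKLM", "HKCU"}:
            findings.append(("dual-hive-run", cmd))
    return findings
```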

el-camino-ss
2007-01-03, 21:27
Oh, also: I always have to be in Safe Mode because the computer randomly restarts, or restarts when I go into certain folders, or when I try to update Windows security.
Thanks for any help!!!

Mr_JAk3
2007-01-06, 15:51
Hi el-camino-ss and welcome to the Forums :)

You're badly infected. You have an infection which infects legitimate files.

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:

tashi
2007-01-11, 22:05
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened, please send me a private message (pm) and provide a link to this thread.

Quote: "I picked something up off of LimeWire"
File Sharing, otherwise known as Peer To Peer (P2P) (http://forums.spybot.info/showthread.php?t=282)