Ok So i ran SB&D and it siad i was infected with smithfraud- c.core-service.

I tryed to delete the file core.chache.dsk directly after SB&D said it was fixed, because the pc was still doing the same thing before the scan ( I open Ie7 and after a few seconds it opens random Ie7 windows displaying adds)

So i tryed to delete the file manually. Keeps saying that it is being used by another prog. I also tryed in Safe Mode but when I opened Ie7 in normal mode it did the samething and the file core.cache.dsk re-appeared. :mad:

Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:38 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tea timer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 3371 bytes

I thank you in advance for the help.:bigthumb:

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.


Provide:
a) The HJT log.
b) The Kaspersky log report.
Run this online scan

using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Monday, January 28, 2008 7:42:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/01/2008
Kaspersky Anti-Virus database records: 534790


Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects74763
Number of viruses found11
Number of infected objects23
Number of suspicious objects0
Duration of the scan process01:07:44

Infected Object NameVirus NameLast Action
C:\Documents and Settings\All Users\Application Data\Trend
Micro\AntiVirus\Log\tavui_S-1-5-21-328629753-2451073795-2445873556-500.log
Object is locked skipped

C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is
locked skipped

C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and
Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and
Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar Infected:
not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe
RarSFX: infected - 2 skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\silverstar.exe Infected: Trojan.Win32.Pakes.bvr skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\tepU2314.exe/data0006 Infected:
Trojan-Downloader.Win32.VB.ceh skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\tepU2314.exe NSIS: infected - 1 skipped

C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped


C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is
locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dxdss.sys.vir Infected:
Trojan.Win32.Pakes.bxx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\rwinqldq.exe.vir Infected:
not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vvgeowbv.exe.vir Infected:
not-virus:Hoax.Win32.Renos.kj skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\z4\lifre13drv.exe~.vir Infected:
not-a-virus:AdWare.Win32.Agent.co skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP272\A0050371.dll
Infected: not-a-virus:AdWare.Win32.BHO.rh skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP279\A0050500.dll
Infected: not-a-virus:AdWare.Win32.BHO.rh skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP284\A0051141.exe
Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP284\A0051172.exe
Infected: not-virus:Hoax.Win32.Renos.kj skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP284\A0051180.sys
Infected: Trojan.Win32.Pakes.bxx skipped

C:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP284\change.log
Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\frexup2.exe/stream/data0002 Infected:
not-a-virus:Downloader.Win32.Agent.q skipped

C:\WINDOWS\frexup2.exe/stream/data0003 Infected:
not-a-virus:AdWare.Win32.AdBand.a skipped

C:\WINDOWS\frexup2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a
skipped

C:\WINDOWS\frexup2.exe NSIS: infected - 3 skipped

C:\WINDOWS\plite731.exe Infected: not-a-virus:AdWare.Win32.Agent.lv
skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped

C:\WINDOWS\system32\drivers\nwrdrr.sys Object is locked skipped

C:\WINDOWS\system32\edcA17\edcA172314.exe Infected:
Trojan-Downloader.Win32.VB.ceh skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\wqnjbl.exe Infected: Trojan.Win32.Pakes.bxx skipped

D:\System Volume
Information\_restore{855F4D29-BAF0-47DC-8190-9261CBA03A78}\RP284\change.log
Object is locked skipped

Scan process completed.

Sorry I did not do the scan before I posted originally.

Thanks for returning the scan, read and follow the directions carefully, the tools will not work unless you do.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TeaTimer disabled until we finish)

http://www.bleepingcomputer.com/combofix/how-to-use-combofix <<< tutorial if needed

2) Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:51 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tea timer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 3608 bytes

ComboFix 08-01-28.2 - HP_Administrator 2008-01-29 9:46:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 09:48 . 2008-01-29 09:48 <DIR> d-------- C:\Temp\tn3
2008-01-28 14:24 . 2008-01-28 14:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-28 14:24 . 2008-01-28 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 11:28 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-28 11:28 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-28 11:28 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-28 11:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-28 11:28 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-28 11:24 . 2008-01-29 09:49 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-28 10:57 . 2008-01-28 11:34 1,750 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 21:20 . 2008-01-27 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-27 21:20 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-27 21:20 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-27 21:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-27 21:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-27 21:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-27 21:19 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-27 21:19 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-27 21:19 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-14 22:36 . 2008-01-14 22:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\InterVideo
2008-01-13 22:08 . 2008-01-13 22:08 <DIR> d-------- C:\Program Files\TryMedia
2008-01-13 02:48 . 2008-01-13 02:48 <DIR> d-------- C:\Temp\Ryuan1
2008-01-13 02:48 . 2008-01-13 02:48 86,016 --a------ C:\WINDOWS\system32\drivers\nwrdrr.sys
2008-01-09 23:01 . 2008-01-09 23:01 <DIR> d-------- C:\Program Files\Puzzle 1500
2008-01-09 23:01 . 2008-01-09 23:01 <DIR> d-------- C:\Program Files\Managed DirectX (0900)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 02:30 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-01-28 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 02:28 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-28 02:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 02:16 --------- d-----w C:\Program Files\Google
2008-01-14 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 13:51 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-12 15:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-25 20:14 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-12-03 01:45 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-03 01:44 --------- d-----w C:\Program Files\Selectsoft
2007-12-03 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-29 23:41 724,984 ----a-w C:\Documents and Settings\HP_Administrator\gotomypc_437.exe
2007-10-30 00:25 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-29 22:31 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-29 22:27 13,824 ----a-w C:\WINDOWS\plite731.exe
2007-05-30 22:35 722,176 ----a-w C:\Documents and Settings\HP_Administrator\gotomypc_428.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"tea timer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 19:09 4609288]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38 241664]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-30 02:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-03 11:49 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-06 10:05 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-04 03:43 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-08 03:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-08 03:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-08 01:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-12 05:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-02 08:12 4112384 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-02 08:12 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-17 01:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-15 05:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 08:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-02 03:58 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-08-12 08:29 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
"HPHmon05"=C:\WINDOWS\system32\hphmon05.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

R1 nwrdrr;nwrdrr;C:\WINDOWS\system32\drivers\nwrdrr.sys [2008-01-13 02:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 04:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-29 13:41:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 09:50:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 9:52:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 14:52:07
ComboFix2.txt 2008-01-28 15:37:18
.
2008-01-29 00:53:53 --- E O F ---

Thanks for returning your information. Wondering why you are asking for help:
http://www.techforyourpc.com/main.html

Kaspersky Online Scan: Monday, January 28, 2008 7:42:38 PM

C:\Documents and Settings\HP_Administrator\Cookies\ <<< delete cookies
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\ <<< delete Smitfraudfix
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
Internet Files\ <<< delete TIF files
C:\Documents and Settings\LocalService\Local Settings\temp\ <<< delete temp files

When all is done and the computer is functioning properly as far as malware goes, follow these instructions to clean System Restore, you do have a few infected files that could get back on the computer:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx


1) TeaTimer disabled

2) Open notepad and copy/paste the text in the codebox below into it:


Driver::
nwrdrr

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nwrdrr.sys

Save this as
CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

(wait until you finish to post the logs)

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) RIGHT Click on Start then click on Explore. Locate and delete these items if they are there.

(files in red)
C:\WINDOWS\frexup2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\edcA17\edcA172314.exe
C:\wqnjbl.exe

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now post the combofix log and a last HJT log for a final check. Scan with Kaspersky but I do not need to see the results unless you have a question.

Thanks

Thanks for returning your information. Wondering why you are asking for help:
http://www.techforyourpc.com/main.html


Well to answer your question. I have tryed everything I know to fix this one. I have already used some of the tools you have decided to recommend and then some. I figured geting help from a different person could not do anything but help. Maybe you know somthing I don't in terms of what order to do this. I have seen this particular malware before but it has never been so reluctant to delete as in this situation. I have been using SB&D for years and have recomended it to a number of co-workers and friends alike. This is the 1st time I have ever needed some assistance in removing a bug.
I do appreciate the help:bigthumb: and am not ashamed to get help when it is needed. One person can never know everything. This is why forums are the best thing since sliced bread!:D:

Well before I start rambeling here is the log you requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:10 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tea timer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 3543 bytes

ComboFix 08-01-28.2 - HP_Administrator 2008-01-29 11:24:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: K:\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nwrdrr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nwrdrr.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\nwrdrr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NWRDRR
-------\nwrdrr


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 11:26 . 2008-01-29 11:26 <DIR> d-------- C:\Temp\tn3
2008-01-28 14:24 . 2008-01-28 14:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-28 14:24 . 2008-01-28 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-01-28 11:28 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-28 11:28 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-28 11:28 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-28 11:28 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-28 11:28 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-28 10:57 . 2008-01-28 11:34 1,750 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 21:20 . 2008-01-27 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2008-01-27 21:20 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-27 21:20 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-27 21:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-27 21:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-27 21:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-27 21:19 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-27 21:19 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-27 21:19 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-14 22:36 . 2008-01-14 22:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\InterVideo
2008-01-14 22:36 . 2008-01-14 22:36 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\InterVideo
2008-01-13 22:08 . 2008-01-13 22:08 <DIR> d-------- C:\Program Files\TryMedia
2008-01-13 02:48 . 2008-01-13 02:48 <DIR> d-------- C:\Temp\Ryuan1
2008-01-09 23:01 . 2008-01-09 23:01 <DIR> d-------- C:\Program Files\Puzzle 1500
2008-01-09 23:01 . 2008-01-09 23:01 <DIR> d-------- C:\Program Files\Managed DirectX (0900)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 02:30 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-01-28 02:30 --------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\uTorrent
2008-01-28 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 02:28 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-01-28 02:28 --------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Move Networks
2008-01-28 02:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 02:16 --------- d-----w C:\Program Files\Google
2008-01-14 16:27 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-01-14 13:51 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-12 15:01 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-12-25 20:14 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-12-25 20:14 --------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-12-03 01:45 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-03 01:44 --------- d-----w C:\Program Files\Selectsoft
2007-12-03 00:41 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-11-29 23:41 724,984 ----a-w C:\Documents and Settings\HP_Administrator\gotomypc_437.exe
2007-10-30 00:25 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-29 22:31 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-29 22:27 13,824 ----a-w C:\WINDOWS\plite731.exe
2007-05-30 22:35 722,176 ----a-w C:\Documents and Settings\HP_Administrator\gotomypc_428.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"tea timer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 19:09 4609288]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38 241664]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-30 02:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-03 11:49 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-06 10:05 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-04 03:43 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-08 03:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-08 03:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-08 01:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-12 05:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-02 08:12 4112384 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-02 08:12 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-17 01:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-15 05:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 08:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-02 03:58 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-08-12 08:29 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
"HPHmon05"=C:\WINDOWS\system32\hphmon05.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 11:28:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 11:30:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 16:30:03
ComboFix2.txt 2008-01-29 14:52:17
ComboFix3.txt 2008-01-28 15:37:18
.
2008-01-29 00:53:53 --- E O F ---

Thanks for the feedback, I picked up this fix looking over someone else's shoulder. The driver is like a rootkit, keeps putting the item back. Thank God for the tools the software writers create for us. I'll give you an idea of where we going.
http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html
used to be kids being bad, now it's all about the $$$ and organized crime.

I am wondering why TeaTimer is showing running twice?
O4 - HKCU\..\Run: [tea timer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

You may want to check that, make sure 1.5 is installed and nothing else.

Remove combofix if you have not done so: Start > Run > ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Everything else looks ok, so unless I can do more, I'll leave you with this information:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Phil,
Thanks a million for the assistance and the info:bigthumb:. I am taking notes and saving them for reference as a good tech should. I too learn alot from looking over peoples shoulder. It is the best way to learn.:bigthumb:

Agian Thank You!