
pws.ldpinchie problem



helio gracie
2009-03-01, 08:00
I've seen this pws.ldpinchie in a bunch of forums but can't seem to fix it. It opens and runs Internet Explorer in the background and also creates random number- and letter-named processes. Here is my HijackThis log. Thanks for any help. If I have done anything wrong, please let me know and I will adjust immediately.

Logfile of HijackThis v1.99.1
Scan saved at 1:56:37 AM, on 3/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\McGrail\LOCALS~1\Temp\chuxzwuwxcmt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\McGrail\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rotoworld.com/content/Home_NFL.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: C:\WINDOWS\system32\gseb37dkjgfgf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wpud8uhgi7y4ua2w6xoahbdng6g0s6cxn] C:\DOCUME~1\McGrail\LOCALS~1\Temp\vpfbznz4xj1.exe
O4 - HKCU\..\Run: [cfypammd3yzjc3dxz4l3p7ehp8b6] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ml2i872r1xt1c.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pasrnn - pasrnn.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINDOWS\system32\vturp.dll (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

pskelley
2009-03-02, 13:17
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Please read and follow the directions: download the correct version of HJT to the location described in the instructions. Then post a new HJT log and describe any recent symptoms.

Thanks

helio gracie
2009-03-02, 19:15
Hello again. Sorry about having the wrong version of HijackThis downloaded. I have read the rules for posting, but I already had one version on my cpu and got confused somehow. Anyway, now that I have turned off TeaTimer and run the new HijackThis, I can see a whole lot of random executable files trying to run. I end the processes, but they come back after 30 minutes to an hour usually. I've tried to run Spybot in Safe Mode and it catches the problem and fixes it, but it's back upon restart. Here is my new log file, and thanks for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:35 PM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\McGrail\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rotoworld.com/content/Home_NFL.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: C:\WINDOWS\system32\gseb37dkjgfgf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wpud8uhgi7y4ua2w6xoahbdng6g0s6cxn] C:\DOCUME~1\McGrail\LOCALS~1\Temp\vpfbznz4xj1.exe
O4 - HKCU\..\Run: [cfypammd3yzjc3dxz4l3p7ehp8b6] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ml2i872r1xt1c.exe
O4 - HKCU\..\Run: [mf4iklkr7tzqacgz64el] C:\DOCUME~1\McGrail\LOCALS~1\Temp\l4uhizsca3y.exe
O4 - HKCU\..\Run: [udluzbs8pmkbuduv21i] C:\DOCUME~1\McGrail\LOCALS~1\Temp\jzr94js.exe
O4 - HKCU\..\Run: [ymamcfb69eb7j] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ljkqfacvo.exe
O4 - HKCU\..\Run: [ivnd092pi26fbkekqyu0mevovi6vw9x9mg4460w] C:\DOCUME~1\McGrail\LOCALS~1\Temp\aqo1k22q.exe
O4 - HKCU\..\Run: [ltndfwxeqx4fc42qpf3ljt29prh3athv7nvq9hvhj3ex398z] C:\DOCUME~1\McGrail\LOCALS~1\Temp\fybof2u.exe
O4 - HKCU\..\Run: [lr11xcunigb2ig] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ngzat73cqwet.exe
O4 - HKCU\..\Run: [ky8j2iz45do8aj4yfb527p3o0n6bqdrfftc4jra70w] C:\DOCUME~1\McGrail\LOCALS~1\Temp\i3v2c8n2m.exe
O4 - HKCU\..\Run: [ejt1n7gmtq65spwqt7d9aw6sy] C:\DOCUME~1\McGrail\LOCALS~1\Temp\uvscvl1.exe
O4 - HKCU\..\Run: [vxev68tydl3jqm7s6isldwj37wv6377j3] C:\DOCUME~1\McGrail\LOCALS~1\Temp\wfv4cmwrtuc8.exe
O4 - HKCU\..\Run: [rbfrtgxxuxe9fwzqjjwagfljca9gw4jse1ken0v6ma] C:\DOCUME~1\McGrail\LOCALS~1\Temp\aidjqi6ob3kj1.exe
O4 - HKCU\..\Run: [bbyqt2bin81w9wuua7c] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ov6fg0guzv6o9.exe
O4 - HKCU\..\Run: [afdfcbai4kjqhe3py4ztgdmrw4ap4tu] C:\DOCUME~1\McGrail\LOCALS~1\Temp\x4a99vnzch756.exe
O4 - HKCU\..\Run: [gn0igk51pc868ou3s814v3mx5f0y8rypdjs8f3uf5ck7en1sc0] C:\DOCUME~1\McGrail\LOCALS~1\Temp\vn7j2zf.exe
O4 - HKCU\..\Run: [zreec7a0er92uj26x8qiqzjo4tck7] C:\DOCUME~1\McGrail\LOCALS~1\Temp\t89az3f.exe
O4 - HKCU\..\Run: [poid8tvjql6cjsybmsz5qvwjmsnjown] C:\DOCUME~1\McGrail\LOCALS~1\Temp\y5wv0m1f23v.exe
O4 - HKCU\..\Run: [dt7filli3aximsa1e8199y9u] C:\DOCUME~1\McGrail\LOCALS~1\Temp\vlc8fqmgb.exe
O4 - HKCU\..\Run: [dv35tfh0ygpebkrf3gwihilqy4xxmlqhq694m] C:\DOCUME~1\McGrail\LOCALS~1\Temp\rj3kaw4.exe
O4 - HKCU\..\Run: [d1tt79dkij0quy99p9lgn6gpf7jwlm5rlnf] C:\DOCUME~1\McGrail\LOCALS~1\Temp\w8eggtmv1b3r.exe
O4 - HKCU\..\Run: [swczh2mq695sb1r8sggwm994] C:\DOCUME~1\McGrail\LOCALS~1\Temp\wzqk1dvv.exe
O4 - HKCU\..\Run: [kvwe3a5wrvju2tfilrfe9uh8c] C:\DOCUME~1\McGrail\LOCALS~1\Temp\uz9fr9fb.exe
O4 - HKCU\..\Run: [xplhb82wkxy94vpay] C:\DOCUME~1\McGrail\LOCALS~1\Temp\h0u4cx20olsh3.exe
O4 - HKCU\..\Run: [jprnkzvlwsp1mm8efcnykv721yj8bc6as968n7yawtq4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ivrffhjwr.exe
O4 - HKCU\..\Run: [cw663kn68sz35fs94tgdfgqprdbim4hc2sj17esm4eo4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\i71qtfsre2.exe
O4 - HKCU\..\Run: [fy5mjv34g2gqwvasphg] C:\DOCUME~1\McGrail\LOCALS~1\Temp\m7t1vylqrzb.exe
O4 - HKCU\..\Run: [i55uhc8g1kjd39xx8ucr3qpy4g0fuw37zyxczgvypwzz] C:\DOCUME~1\McGrail\LOCALS~1\Temp\gllsm57bc.exe
O4 - HKCU\..\Run: [vfu9ewwena2isprcsrswa47rwsuoy8] C:\DOCUME~1\McGrail\LOCALS~1\Temp\hbzjz8.exe
O4 - HKCU\..\Run: [vl7c27b3u5azuemm13g8l2t] C:\DOCUME~1\McGrail\LOCALS~1\Temp\d1tew0.exe
O4 - HKCU\..\Run: [duogbud17suyuxmhvdajdyvz1npr0rzgo6ka7l579kaz] C:\DOCUME~1\McGrail\LOCALS~1\Temp\t6e6p84joso.exe
O4 - HKCU\..\Run: [kynyv3syxiboa6wckgv3208oyp] C:\DOCUME~1\McGrail\LOCALS~1\Temp\jlt0t4kgv.exe
O4 - HKCU\..\Run: [ya0sbia83vc] C:\DOCUME~1\McGrail\LOCALS~1\Temp\pfe7ugzeam0jt.exe
O4 - HKCU\..\Run: [n24czcweekqasfh8yhmfrnsh7z4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ztifsp.exe
O4 - HKCU\..\Run: [eqe2axammewgg3ewtst0alc45jajh] C:\DOCUME~1\McGrail\LOCALS~1\Temp\lmnw6gkp.exe
O4 - HKCU\..\Run: [vg66zk7bu42mvk248uomz06fo2] C:\DOCUME~1\McGrail\LOCALS~1\Temp\sv81e8v1yy.exe
O4 - HKCU\..\Run: [li0ukza6l4joetjrz47] C:\DOCUME~1\McGrail\LOCALS~1\Temp\rgr37sin4yyz.exe
O4 - HKCU\..\Run: [cmofe3vz479j1qd1mr5v57nglzfud37ou2nafqv6] C:\DOCUME~1\McGrail\LOCALS~1\Temp\go34qyx.exe
O4 - HKCU\..\Run: [jisglo29phptfir0hrzl5zrm3n7z3istt30ok80y7zxg64] C:\DOCUME~1\McGrail\LOCALS~1\Temp\qgo9yq84m.exe
O4 - HKCU\..\Run: [uf5knkf141u146rmj] C:\DOCUME~1\McGrail\LOCALS~1\Temp\ocwrtj.exe
O4 - HKCU\..\Run: [pinq8nxfsr4jh0wvs2hxr2r4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\z0yupa.exe
O4 - HKCU\..\Run: [pt69xdbxneikvizo7f6ooi6nqux9fxu82d0tbt] C:\DOCUME~1\McGrail\LOCALS~1\Temp\txzr1rtnvchhm.exe
O4 - HKCU\..\Run: [oz2b0vooo02y54oy6b9xbc23kihmrbhqe756cqc] C:\DOCUME~1\McGrail\LOCALS~1\Temp\b1sqlm2wcioo2.exe
O4 - HKCU\..\Run: [bf0ofhg6rppgfknb4ywtjewsr0x5bwj031diexcbp8sds] C:\DOCUME~1\McGrail\LOCALS~1\Temp\mkb98d.exe
O4 - HKCU\..\Run: [yooio13vd1a] C:\DOCUME~1\McGrail\LOCALS~1\Temp\t7uu77ano.exe
O4 - HKCU\..\Run: [zqq3a5i562ctso7qb9s2k4plsacxfdfejdy7bxdcc8gp] C:\DOCUME~1\McGrail\LOCALS~1\Temp\j7iktl.exe
O4 - HKCU\..\Run: [kik2zjlu8t4no95x26hp0801npdludck39a5kwl0tpytgj] C:\DOCUME~1\McGrail\LOCALS~1\Temp\cdeje2yi22zc.exe
O4 - HKCU\..\Run: [jk5pdokdoijakgc8tlbomqb80m2qrzr] C:\DOCUME~1\McGrail\LOCALS~1\Temp\p7q8hclq.exe
O4 - HKCU\..\Run: [kmlvyxjldp85c6zxxd34qbz8h00803hi0luz4l] C:\DOCUME~1\McGrail\LOCALS~1\Temp\mx2p4e.exe
O4 - HKCU\..\Run: [jrl0vzurvfu162da4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\kjndm1nfzreyd.exe
O4 - HKCU\..\Run: [u9ilknpftjpl8b3] C:\DOCUME~1\McGrail\LOCALS~1\Temp\y01078u3v.exe
O4 - HKCU\..\Run: [ktuxa4xy3ulxjwat] C:\DOCUME~1\McGrail\LOCALS~1\Temp\zrpyfpeews.exe
O4 - HKCU\..\Run: [rdbll8vvlhbwxtfjfr4v29k80xmwii9php14sadn] C:\DOCUME~1\McGrail\LOCALS~1\Temp\rndieu55fm.exe
O4 - HKCU\..\Run: [n5ey58em8vocfeh029r6mwgknegjtjg2x6arzo1uul] C:\DOCUME~1\McGrail\LOCALS~1\Temp\gnhep6cbzh9v.exe
O4 - HKCU\..\Run: [wh6h4xog0poi9r1qb2g3iw2u3dttsa9b] C:\DOCUME~1\McGrail\LOCALS~1\Temp\jlohuloeltlwb.exe
O4 - HKCU\..\Run: [u4ivnll14l9oggvezs] C:\DOCUME~1\McGrail\LOCALS~1\Temp\z38gzm.exe
O4 - HKCU\..\Run: [hkod027z5rgu5uyi5si1n4b3oqekzsrtfpxjly] C:\DOCUME~1\McGrail\LOCALS~1\Temp\lr5nbme7v0k.exe
O4 - HKCU\..\Run: [ikxeoi1me4] C:\DOCUME~1\McGrail\LOCALS~1\Temp\dn8ywjksyiz.exe
O4 - HKCU\..\Run: [f3dwgo2zkme7q3566qx0wer5oj0] C:\DOCUME~1\McGrail\LOCALS~1\Temp\khwzpe9qeu.exe
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O20 - Winlogon Notify: pasrnn - pasrnn.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINDOWS\system32\vturp.dll (file missing)
O22 - SharedTaskScheduler: hjse7fw3jnefi7wejfndd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10630 bytes
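
Added example, not from this thread and not HijackThis or Spybot code: a small Python triage script that applies the indicators visible in the log above to lines copied from it. The indicators it checks for are Run values pointing into a Temp directory under random-looking names, a SYSTEM-context Run value whose executable is named after csrss.exe, a BHO and a SharedTaskScheduler entry sharing one CLSID and DLL, DisableRegedit=1, and Winlogon Notify entries whose DLL is missing. The heuristics, thresholds and function names (looks_random, image_path, triage) are this example's own assumptions, chosen to match what these logs show, not rules taken from any tool.

```python
import re

# Constructed sample: the lines are copied from the HijackThis logs posted in
# this thread, with one clean entry per section so the heuristics have
# something to leave alone.  Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\gseb37dkjgfgf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [wpud8uhgi7y4ua2w6xoahbdng6g0s6cxn] C:\DOCUME~1\McGrail\LOCALS~1\Temp\vpfbznz4xj1.exe
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vturp - C:\WINDOWS\system32\vturp.dll (file missing)
O22 - SharedTaskScheduler: hjse7fw3jnefi7wejfndd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
"""

# Windows binaries that malware likes to imitate (csrssc.exe vs csrss.exe).
SYSTEM_NAMES = ("csrss", "smss", "lsass", "svchost", "winlogon", "services",
                "explorer", "spoolsv")


def looks_random(name):
    """Heuristic for machine-generated names: 8+ lowercase alphanumerics that
    either mix in digits or have almost no vowels.  Catches the Run value and
    DLL names in the logs above; ccApp, SP2ConnPatcher and ctfmon.exe each
    fail at least one condition.  A triage hint, not proof of anything."""
    if len(name) < 8 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return any(c.isdigit() for c in name) or vowels * 5 < len(name)


def image_path(target):
    """Executable path from a Run value: drops surrounding quotes, arguments
    such as -n=200 and HijackThis' trailing (User '...') annotation."""
    m = re.match(r'"?(.+?\.(?:exe|dll|scr|com|bat|cmd))', target.strip(), re.I)
    return m.group(1) if m else target.strip()


def base_name(path):
    """Last path component, lowercased, without its extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return (section, reason, line) triples for entries that deserve a look.
    Every rule here is an assumption of this example, derived from what the
    logs in this thread show."""
    findings = []
    bho_clsids = set()
    for raw in log_text.splitlines():
        m = re.match(r"^(R\d|O\d{1,2}) - (.*)$", raw.strip())
        if not m:
            continue
        section, body = m.groups()

        if section == "O4":
            run = re.match(r"^(?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$", body)
            if not run:          # Startup-folder entries have a different shape
                continue
            exe = image_path(run.group("target"))
            base = base_name(exe)
            if re.search(r"\\temp\\", exe, re.I):
                findings.append((section, "autostart from a Temp directory", raw))
            if looks_random(run.group("name")):
                findings.append((section, "random-looking Run value name", raw))
            if base not in SYSTEM_NAMES and any(s in base for s in SYSTEM_NAMES):
                findings.append((section, f"lookalike of a system process: {base}", raw))

        elif section in ("O2", "O22"):
            hook = re.match(r"^(?:BHO|SharedTaskScheduler): .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$", body)
            if not hook:
                continue
            clsid = hook.group("clsid").upper()
            if looks_random(base_name(hook.group("path"))):
                findings.append((section, "random-looking DLL name", raw))
            if section == "O2":
                bho_clsids.add(clsid)
            elif clsid in bho_clsids:
                findings.append((section, "same CLSID as a BHO: loaded by Explorer as well as IE", raw))

        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append((section, "Registry Editor disabled by policy", raw))

        elif section == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            findings.append((section, "Winlogon Notify package whose DLL is gone (stale logon hook)", raw))

    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n      {line}")
```

Run it as a script to print the flagged lines, or import triage and feed it a whole HijackThis log. What it makes visible about this particular log is that the persistence sits in several places at once: HKCU Run, the SYSTEM and Default user hives, a BHO that Explorer also loads through the O22 entry, and Winlogon Notify. Killing the processes or fixing only the O4 lines leaves the other loading points in place, which is consistent with the entries reappearing.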

pskelley
2009-03-02, 20:04
Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it again from the link I provide. Read and follow the directions carefully; the tools will not work unless you do. The junk can be tough to remove, so do not expect fast or easy.

You have a very infected computer and you still have not followed directions. Please do this first... BEFORE YOU START.
1) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I ask for the HJT log later.

2) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

helio gracie
2009-03-03, 01:44
OK, I have followed all directions, deleted all help programs and reinstalled them. Here are my HijackThis and ComboFix log files. Thanks again for the help! If I am missing something, I will respond ASAP.

ComboFix log:

ComboFix 09-03-02.01 - McGrail 2009-03-02 19:13:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.61 [GMT -5:00]
Running from: c:\documents and settings\McGrail\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\_install.exe
c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\_install.exe
c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\_install.exe
c:\documents and settings\McGrail\Application Data\spoolsvc.dll
c:\documents and settings\McGrail\Local Settings\Application Data\ApplicationHistory\_install.exe
c:\documents and settings\McGrail\Local Settings\Temp\Temporary Directory 1 for wmpy_flv_player_pc.zip\_install.exe
c:\documents and settings\McGrail\Local Settings\Temp\Temporary Directory 2 for wmpy_flv_player_pc.zip\_install.exe
c:\documents and settings\Merc\Desktop\_install.exe
c:\documents and settings\Merc\Local Settings\Application Data\ApplicationHistory\_install.exe
c:\documents and settings\Merc\Local Settings\Temp\1RF6TBJQ\_install.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\fad.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gseb37dkjgfgf.dll
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\SYSTEM32\prutv.bak2
c:\windows\system32\prutv.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUNTIME
-------\Legacy_RUNTIME2
-------\Legacy_XLAVBA8
-------\Service_xlavba8


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-03-02 19:01 . 2009-03-02 19:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-01 01:44 . 2009-03-02 18:55 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 00:21 --------- d-----w c:\program files\SP2 Connection Patcher
2009-02-28 19:21 11,496 ----a-w c:\documents and settings\McGrail\Application Data\wklnhst.dat
2009-01-21 07:07 --------- d-----w c:\program files\Common Files\xing shared
2009-01-21 07:07 --------- d-----w c:\program files\Common Files\Real
2009-01-07 18:34 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2009-01-07 00:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-03-23 20:25 4,928 ----a-w c:\documents and settings\Merc\Application Data\wklnhst.dat
2005-12-12 00:29 68,672 ----a-w c:\documents and settings\Merc\Application Data\GDIPFONTCACHEV1.DAT
2005-02-28 15:46 68,672 ----a-w c:\documents and settings\McGrail\Application Data\GDIPFONTCACHEV1.DAT
2004-10-24 04:51 56 --sh--r c:\windows\SYSTEM32\055533102B.sys
2004-10-24 04:51 1,890 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 05:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2005-01-31 00:07 359040 3bb4b08619c111c7be8bda07aa0de6a2 c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-06-15 10:03 359808 14143695e27b2718dee96ea2e50428b3 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-02-16 14:35 359808 eb98d5e55321cefd803e8173dbb000db c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-06-17 13:53 359808 ba57942c0029b0878afba052a3e33689 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-07 03:39 360064 34a663e7f74ae8b2c992c2513343477e c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-07-09 02:38 360320 1ab9333ec47bc064050a2bf554ae5a95 c:\windows\SYSTEM32\DRIVERS\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2ConnPatcher"="c:\program files\SP2 Connection Patcher\sp2connpatcher.exe" [2005-05-10 409600]
"SP2 Connection Patcher"="c:\program files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 409600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-08 70776]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2004-02-25 70800]

c:\documents and settings\McGrail\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SP2 Connection Patcher"="c:\program files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
"WinAVX"=c:\windows\system32\WinAvXX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinAVX"=c:\windows\system32\WinAvXX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-tezrtsjhfr84iusjfo84f - c:\windows\TEMP\csrssc.exe
Notify-vturp - c:\windows\system32\vturp.dll
Notify-pasrnn - pasrnn.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rotoworld.com/content/Home_NFL.aspx
mStart Page = hxxp://www.google.com
mWindow Title =
uInternet Settings,ProxyOverride = 127.0.0.1
IE: { - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 19:21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-03-02 19:30:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 00:30:45

Pre-Run: 12,707,553,280 bytes free
Post-Run: 13,580,808,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

204 --- E O F --- 2009-02-25 09:55:47


New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:32 PM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rotoworld.com/content/Home_NFL.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4325 bytes


UNINSTALL LIST:

7-Zip 4.60 beta
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AVI MPEG WMV Joiner
Boilsoft Video Joiner 5.16
Broadcom Management Programs
CC_ccProxyMSI
CC_ccStart
ccCommon
Dell Media Experience
Dell Photo Printer 720
Dell Solution Center
DellSupport
DivX Content Uploader
DivX Player
DivX Pro Trial
DivX Web Player
ERUNT 1.1j
ffdshow [rev 2083] [2008-08-21]
FLV Player 2.0, build 24
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
LiveReg (Symantec Corporation)
MathPlayer
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSN Encarta Plus Support Files
MSN Toolbar
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton WMI Update
Opera 9.63
PokerStars
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB960714)
Security Update for Windows Internet Explorer 8 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SP2 Connection Patcher
SP2 Connection Patcher
Spybot - Search & Destroy
Symantec Script Blocking Installer
Verizon Broadband Toolbar (IE only)
Verizon Broadband Toolbar Firefox only
Verizon Online Help and Support
Verizon Servicepoint 1.5.22
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 Beta 2
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Messenger
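
The helpers in this thread read HijackThis logs by hand, looking for the same handful of signs every time: a process or autostart entry that runs from a Temp folder (the chuxzwuwxcmt.exe in the first log), a BHO whose DLL has a machine-generated name and no friendly name, an IE proxy setting that points at 127.0.0.1, and a service whose binary is missing. The script below is an added example that puts those checks into code; it is not part of the original thread and not a HijackThis feature. The sample log is a constructed subset modelled on the lines posted above, and the vowel-ratio "random name" rule and its thresholds are my own heuristic, meant to rank items for a human reviewer rather than to prove anything.

```python
"""Triage heuristics for a HijackThis-style log (added example, not from the thread)."""
import re
from typing import List, NamedTuple

# Constructed sample modelled on the log lines in this thread (not a full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\McGrail\LOCALS~1\Temp\chuxzwuwxcmt.exe
C:\Program Files\Opera\opera.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: C:\WINDOWS\system32\gseb37dkjgfgf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
"""


class Finding(NamedTuple):
    item: str       # HJT item kind (R1, O2, O4, O23) or "process"
    severity: str   # high / medium / low
    reason: str
    line: str


ITEM = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")   # "O4 - ...", "R1 - ..."
PROC = re.compile(r"^[A-Za-z]:\\")                           # a bare path under "Running processes:"
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
LOCALHOST = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)
VOWELS = set("aeiouy")


def exe_path(target: str) -> str:
    """Strip the [name] prefix and surrounding quotes from an O4 target like
    '[ccApp] "C:\\...\\ccApp.exe" -quiet', leaving only the executable path."""
    target = re.sub(r"^\[[^\]]*\]\s*", "", target.strip())
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def looks_random(stem: str, min_len: int = 10, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic (my assumption, not an HJT rule): long file-name stems with almost
    no vowels tend to be generated. PokerStarsUpdate keeps a normal vowel ratio;
    chuxzwuwxcmt or gseb37dkjgfgf do not. It ranks items for a human, nothing more."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < min_len or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def check_path(item: str, path: str, line: str, out: List[Finding]) -> None:
    path = path.strip().strip('"')
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if TEMP_DIR.search(path):
        out.append(Finding(item, "high", "runs from a Temp folder", line))
    if looks_random(stem):
        out.append(Finding(item, "medium", "file name looks machine-generated", line))


def triage(log_text: str) -> List[Finding]:
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC.match(line):
            check_path("process", line, line, out)
            continue
        m = ITEM.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "R1" and "Proxy" in body and LOCALHOST.search(body):
            out.append(Finding(kind, "high", "IE proxy setting points at the local host; "
                               "a local proxy is a common way to intercept browser traffic", line))
        elif kind == "O2" and body.startswith("BHO: "):
            # HJT prints: O2 - BHO: <registered name> - {CLSID} - <dll path>
            parts = body[5:].split(" - ")
            if len(parts) >= 3:
                name, dll = parts[0], parts[-1]
                if name in (dll, "(no name)"):
                    out.append(Finding(kind, "medium", "BHO registered without a friendly name", line))
                check_path(kind, dll, line, out)
        elif kind == "O4":
            check_path(kind, exe_path(body.split(": ", 1)[-1]), line, out)
        elif kind == "O23" and body.endswith("(file missing)"):
            out.append(Finding(kind, "low", "service binary is missing (often an uninstall "
                               "leftover, still worth confirming)", line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item:8} {f.reason}\n         {f.line}")
```

Run against the sample it reports six findings: the Temp-folder process twice (location and name), the ProxyOverride line, the BHO twice (no friendly name and generated name), and the orphaned LexBce service; the Symantec and Windows entries produce nothing. Treat the output as a reading order for a human, not a verdict: a clean HJT log can still hide a rootkit, which is why the helpers here also ran ComboFix and MBAM.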

pskelley
2009-03-03, 12:35
Please follow the directions carefully and in the posted order:

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

3) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks


This can be done as time permits, but it is important, and may be why you are infected.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version, 10.0.22.87:
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 6.0.1 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java 2 Runtime Environment, SE v1.4.2_03 <<< very old
Java 2 Runtime Environment, SE v1.4.2_05 <<< very old
Both very old and unsafe, see this:
Sun Microsystems~Java. Security vulnerability in older versions left on system
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
http://raproducts.org/ <<< this program will help if you have trouble uninstalling these old versions.

Viewpoint Manager (Remove Only)
Viewpoint Media Player
Covered in instruction #1

helio gracie
2009-03-03, 20:56
Hello again. Thanks a lot for everything; my computer is running a lot better now and no random processes or IE windows are loading on their own anymore. I really appreciate you taking all of this time not only to fix things but to show me why they needed fixing. Here are my HijackThis and Malwarebytes logs. I downloaded the new Flash Player, but the new Adobe Reader and Java Runtime Environments were downloading at an extremely low rate (about 0.5 KB/sec), so I will get those when I am through here. Thanks again!

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:11 PM, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rotoworld.com/content/Home_NFL.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 3866 bytes


MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

3/3/2009 2:31:47 PM
mbam-log-2009-03-03 (14-31-47).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 126679
Time elapsed: 52 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\McGrail\Application Data\spoolsvc.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0120612.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP927\A0112947.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP927\A0112961.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113020.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113044.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113055.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113083.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113119.exe (Proxy.Wopla) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113136.exe (Proxy.Wopla) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\AntvrsInstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.

If that is all, have a good one and keep doing what you're doing; we need you, lol.

helio gracie
2009-03-03, 21:02
OK, I just downloaded the runtime environment and Adobe Reader. It was quick; I must've just had a bad connection for a minute.

pskelley
2009-03-03, 21:04
Thanks for the feedback. MBAM did find one rogue installer:
C:\WINDOWS\Downloaded Program Files\AntvrsInstall.exe (Rogue.Installer)
-> Quarantined and deleted successfully.
The rest were already quarantined by ComboFix or were in infected System Restore files.

Let's see if we can wrap up like this...

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Norton AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
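
The reading of the MBAM log above (one live rogue installer, everything else either already neutralised by ComboFix or sitting in System Restore snapshots) is the step that decides whether a machine still needs cleaning or only a restore-point purge. The script below is an added example, not part of the thread and not an MBAM feature, that sorts a "Files Infected" list into those three buckets. It assumes what the logs here show: ComboFix parks quarantined files under C:\Qoobox\Quarantine with a .vir extension, and XP keeps restore-point copies under System Volume Information\_restore{GUID}\RPnnn. The sample is a subset of the lines posted above.

```python
"""Sort a Malwarebytes 'Files Infected' list into live files, ComboFix quarantine
copies and System Restore snapshot copies (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Subset of the MBAM lines posted in this thread, used as sample input.
SAMPLE_MBAM = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\McGrail\Application Data\spoolsvc.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0120612.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP927\A0112947.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0113119.exe (Proxy.Wopla) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\AntvrsInstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""


class Hit(NamedTuple):
    path: str
    detection: str
    action: str
    bucket: str                   # "live", "combofix_quarantine" or "restore_point"
    restore_point: Optional[str]  # e.g. "RP928" when the copy lives in a snapshot


# "<path> (<detection name>) -> <action taken>"
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# Assumption from the posted log: XP restore-point layout _restore{GUID}\RPnnn\A0xxxxxx.ext
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)
# Assumption from the posted log: ComboFix quarantine folder (files renamed to .vir)
QOOBOX = re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)


def classify(line: str) -> Optional[Hit]:
    """Parse one MBAM 'Files Infected' line; None for anything that is not one."""
    m = MBAM_LINE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    rp = RESTORE_POINT.search(path)
    if QOOBOX.match(path):
        bucket = "combofix_quarantine"   # already neutralised by ComboFix
    elif rp:
        bucket = "restore_point"         # inert now, but a System Restore would bring it back
    else:
        bucket = "live"                  # still on the live file system: the real remaining infection
    return Hit(path, m["detection"], m["action"], bucket, rp["rp"] if rp else None)


def summarize(log_text: str) -> Dict[str, object]:
    hits: List[Hit] = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return {
        "hits": hits,
        "buckets": Counter(h.bucket for h in hits),
        "live": [h.path for h in hits if h.bucket == "live"],
        # restore points that still hold infected copies: the reason to flush System Restore
        "restore_points": sorted({h.restore_point for h in hits if h.restore_point}),
        "families": Counter(h.detection for h in hits),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MBAM)
    print("buckets:", dict(s["buckets"]))
    print("live files:", s["live"])
    print("infected restore points:", s["restore_points"])
    print("families:", dict(s["families"]))
```

On the sample this yields one live file (AntvrsInstall.exe), one ComboFix quarantine copy and three snapshot copies spread over RP927, RP928 and RP978; the non-empty restore-point list is exactly the condition under which the "turn System Restore off, reboot, turn it back on" step above is worth doing, since it discards every existing restore point at once.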

helio gracie
2009-03-03, 22:15
Is it okay to turn TeaTimer back on now? That's my only other question, and the topic can be closed.

pskelley
2009-03-03, 22:20
Yes. Make sure you read those links I posted; that information will go a long way to help you prevent another infection.

helio gracie
2009-03-04, 00:52
Cool, man, thanks again.