Trojans causing iexplore.exe to run in background



Nurofreeze
2010-10-21, 15:53
I've tried running Spybot and many other trojan removal programs, but none have worked... for complete removal, anyway. The trojan causes multiple instances of iexplore.exe to run in the background. I can't see them, but I constantly hear the clicks. Every once in a while, I hear an "error message" tone, but don't see the error message. When I open up Internet Explorer, it says that it wasn't closed properly, but it was. When I click to go to the last viewed page, it takes me to a bunch of ad stuff. Other than that, I never see anything on my screen. I can just hear it clicking.

My Norton antivirus catches it from time to time and then says it removes it, but it's never permanent because it catches it again several hours later. I've run Malwarebytes several times and it usually finds about 20 things. I tell it to remove them and then it has me restart. Once I restart, I run it again to see if they are all gone, but there are two files that are always there as soon as I restart the system. They are: fhpatch.dll and fiplock.dll. If I don't do anything after a day or so... maybe even hours, all of the 20 or so files are back. I don't know what else to do. I think it is related somehow to svchost.exe but am not 100 percent sure. I have multiple processes of it running in my task manager.

In the past, Norton has said the trojans are named Malware.trace, Bloodhound.MalPE and Backdoor.graybird, but it changes, so I don't really know what it is.

Thanks in advance.

Here is a copy of my DDS.txt file. I've also attached a zipped version of the Attach.txt file.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Ron.Beck at 8:47:49.15 on 2010-10-21
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1974.1141 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition*On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\r_server.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\ron.beck\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\KUsrInit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [cftmon] c:\windows\system32\cftmon.exe
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = aim.exe
uPolicies-disallowrun: 2 = aim6.exe
uPolicies-disallowrun: 3 = gaim.exe
uPolicies-disallowrun: 4 = googletalk.exe
uPolicies-disallowrun: 5 = icqlite.exe
uPolicies-disallowrun: 6 = Install_AIM.exe
uPolicies-disallowrun: 7 = mirc.exe
uPolicies-disallowrun: 8 = msmsgs.exe
uPolicies-disallowrun: 9 = msnmsgr.exe
uPolicies-disallowrun: 10 = qq.exe
uPolicies-disallowrun: 11 = Skype.exe
uPolicies-disallowrun: 12 = trillian.exe
uPolicies-disallowrun: 13 = yahoomessenger.exe
uPolicies-disallowrun: 14 = YahooMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} - hxxp://phoenix/osoft/installation/Ev4Inst.CAB
DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} - hxxp://phoenix/osoft/installation/Ev4Diag.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206719847382
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: kwinhook - kwinhook.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ron~1.bec\applic~1\mozilla\firefox\profiles\rv5vhndw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\ron.beck\application data\mozilla\firefox\profiles\rv5vhndw.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2010-4-2 17328]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2010-4-2 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2010-4-2 54968]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2010-4-2 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2010-4-2 169632]
R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\kace\kbox\KBOXSMMPService.exe [2010-4-5 1718272]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-20 53248]
R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-4-2 724992]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2010-4-2 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2010-4-2 1799408]
R2 WMOptimizer;Windows Media Optimizer;c:\windows\system32\scvhost.exe service --> c:\windows\system32\scvhost.exe service [?]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-4-2 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101015.007\naveng.sys [2010-10-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101015.007\navex15.sys [2010-10-18 1371184]
S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-20 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [2002-9-20 77824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-21 38224]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2010-4-2 14336]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-10-21 03:42:00 5120 ----a-w- c:\windows\system32\dllcache\rasauto.dll
2010-10-21 03:39:41 76288 --sh--r- c:\windows\system32\cftmon.exe
2010-10-21 03:39:41 6 ----a-w- c:\windows\system32\iphy.dll
2010-10-21 03:39:41 5120 ----a-w- c:\windows\system32\C2H3
2010-10-21 03:39:02 76288 --sh--r- c:\windows\system32\scvhost.exe
2010-10-20 04:01:10 3 ----a-w- c:\windows\system32\fhpatch.dll
2010-10-20 04:01:10 0 ----a-w- c:\windows\system32\fiplock.dll
2010-10-13 17:59:25 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 17:59:25 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 17:59:10 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 01:39:45 442448 ----a-w- C:\setup2.exe
2010-10-04 14:20:47 -------- d-----w- c:\program files\Registry Convoy 2009
2010-09-25 04:41:52 81920 ------w- c:\windows\system32\ieencode.dll
2010-09-25 04:41:52 516768 ------w- c:\windows\system32\ativvaxx.dll
2010-09-25 04:41:52 229376 ------w- c:\windows\system32\ati2cqag.dll
2010-09-25 04:41:52 201728 ------w- c:\windows\system32\ati2dvag.dll
2010-09-25 04:41:52 1888992 ------w- c:\windows\system32\ati3duag.dll
2010-09-25 04:41:50 701440 ------w- c:\windows\system32\drivers\ati2mtag.sys
2010-09-25 04:41:17 19569 ----a-w- c:\windows\000001_.tmp
2010-09-21 19:45:10 -------- d-----w- c:\docume~1\ron~1.bec\applic~1\Office Genuine Advantage
2010-09-21 17:02:43 -------- d-----w- c:\docume~1\ron~1.bec\applic~1\Malwarebytes
2010-09-21 17:02:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 17:02:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 17:02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-21 17:02:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-10-21 03:39:41 5120 ----a-w- c:\windows\system32\rasauto.dll
2010-10-20 02:48:06 5120 ----a-w- c:\windows\system32\4F3X
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 02:06:11 573440 ----a-w- c:\windows\system32\MwUsbDs64.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 8:48:20.58 ===============
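
The DDS log above shows three things a responder checks before trusting any scanner's "removed" message: process names one letter swap away from real Windows binaries (scvhost.exe beside svchost.exe, cftmon.exe beside ctfmon.exe), a Winlogon Userinit value that is not the stock userinit.exe, and hidden+system or near-empty files dropped into system32 within the same second. The following Python script is an added example, not code from either poster or from the DDS tool; it parses a DDS report by its "====" section headers and flags those three patterns. The sample input is a handful of lines copied from the log above; the list of imitated system names, the 0.85 similarity threshold and the 16-byte "stub" cutoff are assumptions of mine, not values the thread gives.

```python
import re
from difflib import SequenceMatcher

# Assumed list of Windows binaries that malware imitates with a letter swap.
CRITICAL_NAMES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"  # stock Windows XP value

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
EXE_RE = re.compile(r"[\w.-]+\.exe", re.I)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")  # date time size attrs path

def split_sections(text):
    """Map each '==== Name ====' DDS header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections

def lookalike_of(name, threshold=0.85):
    """Legitimate binary that `name` imitates, or None (exact or unrelated name)."""
    n = name.lower()
    if n in CRITICAL_NAMES:
        return None
    for legit in sorted(CRITICAL_NAMES):
        if SequenceMatcher(None, n, legit).ratio() >= threshold:
            return legit
    return None

def find_lookalikes(lines):
    """Distinct (suspect, imitated) pairs for every .exe named in `lines`."""
    found, seen = [], set()
    for line in lines:
        for exe in EXE_RE.findall(line):
            legit = lookalike_of(exe)
            if legit and exe.lower() not in seen:
                seen.add(exe.lower())
                found.append((exe.lower(), legit))
    return found

def userinit_hijack(hjt_lines):
    """Entries in Winlogon's Userinit value other than the stock one; each runs at every logon."""
    for line in hjt_lines:
        m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
        if m:
            values = [v.strip().lower() for v in m.group(1).split(",") if v.strip()]
            return [v for v in values if v != CANONICAL_USERINIT]
    return []

def suspicious_files(file_lines, stub_max=16):
    """system32 files that are hidden+system, or .dll/.exe stubs too small to hold code."""
    hits = []
    for line in file_lines:
        m = FILE_RE.match(line)
        if not m or not m.group(3).isdigit():
            continue  # directory rows carry '--------' instead of a size
        size, attrs, path = int(m.group(3)), m.group(4), m.group(5).lower()
        if "\\system32\\" not in path or "\\dllcache\\" in path:
            continue  # dllcache rows are Windows' own copies from patching
        reasons = []
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system")
        if size < stub_max and path.endswith((".dll", ".exe")):
            reasons.append("stub (%d bytes)" % size)
        if reasons:
            hits.append((path, reasons))
    return hits

def triage(dds_text):
    s = split_sections(dds_text)
    hjt = s.get("Pseudo HJT Report", [])
    return {"lookalikes": find_lookalikes(s.get("Running Processes", []) + hjt),
            "userinit": userinit_hijack(hjt),
            "files": suspicious_files(s.get("Created Last 30", []))}

# Constructed sample: a subset of lines copied from the DDS log in the post above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\scvhost.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\KUsrInit.exe,
mRun: [cftmon] c:\windows\system32\cftmon.exe
=============== Created Last 30 ================
2010-10-21 03:39:41 76288 --sh--r- c:\windows\system32\cftmon.exe
2010-10-21 03:39:02 76288 --sh--r- c:\windows\system32\scvhost.exe
2010-10-20 04:01:10 3 ----a-w- c:\windows\system32\fhpatch.dll
2010-10-20 04:01:10 0 ----a-w- c:\windows\system32\fiplock.dll
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DDS))
```

A hit from this script is a lead, not a verdict: the similarity check is deliberately loose so that transposed-letter names are caught, and each flagged file still needs its signature or hash confirmed by hand. Entries it does not flag, such as the r_server.exe service the HijackThis log later lists with "Unknown owner", still deserve the same manual look.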

Nurofreeze
2010-10-21, 15:55
Because I've seen it asked for in my searches, I've also downloaded HijackThis and created the log file, in case it's needed.

Thanks again for your help. I'm at my wits end with this.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:54:20 AM, on 2010-10-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\r_server.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\ron.beck\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\cftmon.exe
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} (ClientInstallControl.EverestInstall) - http://phoenix/osoft/installation/Ev4Inst.CAB
O16 - DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} (ClientDiag.EverestDiagnostic) - http://phoenix/osoft/installation/Ev4Diag.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206719847382
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan.thrifty.net
O17 - HKLM\Software\..\Telephony: DomainName = lan.thrifty.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.thrifty.net
O20 - Winlogon Notify: kwinhook - kwinhook.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - c:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KBOX SMMP Management Service (KBOXSMMP) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\bin\omtsreco.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Media Optimizer (WMOptimizer) - Unknown owner - C:\WINDOWS\system32\scvhost.exe

--
End of file - 8454 bytes

peku006
2010-10-29, 09:10
Hi Nurofreeze

Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006

Nurofreeze
2010-10-29, 16:28
Thanks for your response PeKu.

Here is the log file...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4988

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-10-29 9:22:39 AM
mbam-log-2010-10-29 (09-22-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 231301
Time elapsed: 46 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 59

Memory Processes Infected:
C:\WINDOWS\system32\AdbUpdater.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe updater (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mslivemsn (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AdbUpdater.exe (Trojan.Downloader) -> Delete on reboot.
C:\setup2.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Symantec AntiVirus\296702.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003155.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003157.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003158.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003159.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003160.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003172.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003156.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003274.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003275.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003276.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003277.exe (Adware.Hotbar.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003286.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003964.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003966.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003967.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003971.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007092.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007093.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007094.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007095.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007102.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007512.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007513.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007514.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000434.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000435.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000436.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000437.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000942.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000943.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000944.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001484.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001432.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001433.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001434.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001435.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001476.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001606.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001737.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001739.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001747.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001941.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001933.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001934.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001935.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002627.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002630.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002631.dll (Trojan.Phyiost) -> Not selected for removal.
C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP9\A0002672.dll (Trojan.Phyiost) -> Not selected for removal.
C:\WINDOWS\system32\4F3X (Trojan.Phyiost) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AdbUpdtr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C2H3 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhpatch.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fiplock.dll (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\htmp.030 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iphy.dll (Malware.Trace) -> Quarantined and deleted successfully.

peku006
2010-10-29, 17:44
Hi Nurofreeze

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006

Nurofreeze
2010-10-29, 18:46
Here is the combofix log...

ComboFix 10-10-28.09 - Ron.Beck 2010-10-29 11:34:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1974.1104 [GMT -5:00]
Running from: c:\documents and settings\ron.beck\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ron.beck\g2mdlhlpx.exe
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll

Infected copy of c:\windows\system32\rasauto.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\rasauto.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
.

2010-10-13 17:59 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 17:59 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 17:59 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-04 14:20 . 2010-10-04 14:24 -------- d-----w- c:\program files\Registry Convoy 2009
2010-10-01 17:20 . 2010-10-01 17:20 -------- d-----w- c:\documents and settings\liam.kelly
2010-10-01 04:22 . 2010-10-01 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2010-04-03 01:45 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2010-04-03 01:45 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2010-04-03 01:45 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2010-04-03 01:45 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2010-04-03 01:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2010-04-03 01:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2010-04-03 01:45 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 02:06 . 2010-09-08 02:06 573440 ----a-w- c:\windows\system32\MwUsbDs64.dll
2010-09-01 11:51 . 2010-04-03 01:44 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2010-04-03 01:46 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2010-04-03 01:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2010-04-03 01:46 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2010-04-03 01:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-04-03 01:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2010-04-03 01:44 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2010-04-03 01:46 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2010-04-03 01:46 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-06 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2010-04-06 124656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-06 1310720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-06 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-06 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-06 142360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-05 1044480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2010-4-5 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2010-04-06 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kwinhook]
2010-04-06 19:40 6144 ----a-w- c:\windows\system32\KWinHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-1130\Scripts\Logoff\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-1130\Scripts\Logon\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-11566\Scripts\Logoff\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-11566\Scripts\Logon\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-4997\Scripts\Logoff\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-4997\Scripts\Logon\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7584\Scripts\Logoff\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7584\Scripts\Logon\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7851\Scripts\Logoff\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7851\Scripts\Logon\0\0]
"Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-04-03 01:27 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 2:14 PM 24064]
R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2010-04-02 8:45 PM 17328]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]
R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\KACE\KBOX\KBOXSMMPService.exe [2010-04-05 6:31 PM 1718272]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 9:29 AM 53248]
R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-04-02 8:46 PM 724992]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2010-04-02 8:29 PM 115952]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-06-12 2:40 PM 477696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-01 8:29 AM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-04-02 8:45 PM 41216]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 9:27 AM 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 9:41 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} - hxxp://phoenix/osoft/installation/Ev4Inst.CAB
DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} - hxxp://phoenix/osoft/installation/Ev4Diag.CAB
FF - ProfilePath - c:\documents and settings\ron.beck\Application Data\Mozilla\Firefox\Profiles\rv5vhndw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
MSConfigStartUp-cftmon - c:\windows\system32\cftmon.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-29 11:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,69,26,1e,1d,de,db,4d,bc,95,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,69,26,1e,1d,de,db,4d,bc,95,72,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1356)
c:\windows\system32\kwinhook.dll
c:\windows\system32\MSVCR71.dll

- - - - - - - > 'explorer.exe'(3324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\oracle\bin\omtsreco.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-10-29 11:43:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-29 16:43

Pre-Run: 220,678,844,416 bytes free
Post-Run: 220,820,422,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EDC0285F84B116DCCDC765493E8B3F40

peku006
2010-10-30, 09:48
Hi Nurofreeze

This machine is not used for business purposes or connected to a business network, is it?

Thanks peku006

Nurofreeze
2010-11-01, 14:26
Yes, it is, but I have admin rights to it.

peku006
2010-11-01, 16:31
Hi

I'm sorry, but I cannot help you; you should have read this (http://forums.spybot.info/showthread.php?t=288) properly.


The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteer analysts.

When an infected computer is a company machine and/or in the workplace.

The intention of this forum is not to replace a company's IT department, helpers cannot anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

Another consideration is that company information may show in the logs and more than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected. If neither are available, please consider calling in a local technician who can see the machine/network in person.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.

Thank you for your understanding.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Corporate, Government, Small Business or Institutional

Spybot S&D Corporate-Small Business Editions (http://www.safer-networking.ie/en/index.html)

Please contact our office support so they may provide direct assistance for your needs. :)

Thank you.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
If you are a computer business removing malware for paying customers, please don't post the logs here as our volunteers are not here to support such. Clients with infected PCs may be directed to this forum to receive advice in the first person.

peku006
2010-11-08, 14:50
Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum (http://forums.spybot.info/forumdisplay.php?f=22), include a fresh DDS log, and wait for a new helper.

Your donation helps improve Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)