HijackThis won't run and m.exe file (RESOLVED)

  1. #1
    mccradbr (Newbie)

    I, like others, cannot get HijackThis to run. I have tried renaming it, putting it in other folders... no luck. Internet Explorer will shut down when I try to go to antivirus sites (like HJT).

    I also find that the system is installing a file, m.exe, on my E drive (USB drive). Don't know why or where it is coming from.

    I've run all the familiar products: Sophos, Spybot, Ad-Aware. I've also run registry cleaners, rootkit revealers...

    Still stuck and asking for help.

    Thanks.


  2. #2
    Neal (Dedicated Member)
    You can also try to run hijackthis from safe mode, it won't show everything but will be a start.

    Safe Mode:


    Now reboot into Safe Mode (without networking support) by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.


    Do you have Windows XP or what?



    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Full Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & paste the entire report in your next reply along with a fresh HijackThis log.


    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Try renaming MBAM if you have to.

  3. #3
    mccradbr (Newbie)
    Thanks for the response.

    I have managed to get HijackThis running again, so I am posting that log here.

    I'll run Malwarebytes and post that result next.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:46:33 PM, on 8/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\AnyTrial.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\looker.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\cifvh5zs.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: ****a - {933ED98E-57E9-11DD-BF82-A36255D89593} - C:\WINDOWS\system32\****a.dll
    O2 - BHO: (no name) - {B03C703B-B8AE-9059-F9DA-B7DEBBB75BBB} - (no file)
    O2 - BHO: (no name) - {B53C766B-E9FB-9759-F7DA-B7DEBBB758E2} - (no file)
    O2 - BHO: (no name) - {ED3C7664-BAFF-9051-F1DA-B7DEBBB759E0} - (no file)
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010001}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe" mc-110-12-0000140
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010002}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010002}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010002}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010002}\Update.exe" mc-110-12-0000140 (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\sophos\AutoUpdate\ALMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187828456015
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
    O20 - Winlogon Notify: daebefeabc - C:\WINDOWS\system32\daebefeabc.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

    --
    End of file - 10099 bytes

  4. #4
    mccradbr (Newbie)
    I've attached the Malwarebytes log below.

    Malwarebytes' Anti-Malware 1.24
    Database version: 1030
    Windows 5.1.2600 Service Pack 2

    9:38:51 PM 8/6/2008
    mbam-log-8-6-2008 (21-38-51).txt

    Scan type: Full Scan (C:\|F:\|)
    Objects scanned: 76444
    Time elapsed: 46 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 22

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{933ed98e-57e9-11dd-bf82-a36255d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{933ed98e-57e9-11dd-bf82-a36255d89593} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\?ssembly (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\b3a8d89da21f74791f4767ec38e7af41.sys.bd.ren (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\AVG INTERNET SECURITY 8.0.93 build 1283 serial by PARAG.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\BHK Alcohol Simulator v1.1.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Rebound (Reflexive Entertainment).torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sothink Coolmenu 3.0 by DBC.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\****a.dll (Trojan.BHO) -> Delete on reboot.

  5. #5
    Neal (Dedicated Member)
    Thanks for that.


    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder" on the left side under Files and Folders
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    • RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not run the Uninstaller and the Remover yet.

    Please reboot into Safemode:
    Turn on the computer.
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.


    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.

    Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu.

    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.


    Post a new HijackThis log please.

  6. #6
    mccradbr (Newbie)
    I believe BFU stopped at 98% ('trying heuristics').

    Attached is the newest HJT log. (Note that 'looker.exe' is just a renamed HJT.exe.)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:31:18 PM, on 8/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Novell\GroupWise\grpwise.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\hjthis\looker.exe
    C:\Novell\GroupWise\Notify.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\cifvh5zs.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {B03C703B-B8AE-9059-F9DA-B7DEBBB75BBB} - (no file)
    O2 - BHO: (no name) - {B53C766B-E9FB-9759-F7DA-B7DEBBB758E2} - (no file)
    O2 - BHO: (no name) - {ED3C7664-BAFF-9051-F1DA-B7DEBBB759E0} - (no file)
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010001}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe" mc-110-12-0000140
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010002}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010002}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C806F694-06A1-1033-0819-050831010002}] "C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010002}\Update.exe" mc-110-12-0000140 (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\sophos\AutoUpdate\ALMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187828456015
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

    --
    End of file - 10011 bytes
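A helper reads a pair of logs like the two above by diffing them and by checking a few entry types first. The Python below is an added example, not part of this thread or of HijackThis itself: it parses lines in the v2.0.2 format shown here (sample input constructed from the two posted logs, cut down to a few entries), flags the entry types the helpers acted on (orphaned O2 BHOs, an O20 Winlogon Notify DLL, O23 services with a missing file, processes running from a user profile), and reports what disappeared and what appeared between the first scan and the second.

```python
"""Parse HijackThis v2.0.2 log text, triage entries worth a look, and diff two scans."""
import re
from dataclasses import dataclass

# Sample input constructed from the two logs posted in this thread (8/6/2008 and
# 8/8/2008), cut down to a handful of entries so the diff is easy to follow.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\AnyTrial.exe
C:\Documents and Settings\Owner\Desktop\looker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ****a - {933ED98E-57E9-11DD-BF82-A36255D89593} - C:\WINDOWS\system32\****a.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: daebefeabc - C:\WINDOWS\system32\daebefeabc.dll
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\hjthis\looker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
"""

# Every HJT finding is "<section> - <body>", e.g. "O2 - BHO: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Executables living under a user profile or a Temp folder deserve a second look.
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\|\\Temp\\", re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    kind: str  # section code such as "O2", "O4", "O20", "O23"
    body: str  # everything after "<kind> - "

def parse_log(text):
    """Return (running_processes, entries) from HJT log text; other lines are ignored."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return processes, entries

def triage(text):
    """Return (reason, item) pairs a helper would read first; prompts, not verdicts."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        # looker.exe here is a renamed HijackThis and still gets flagged: the poster's
        # note clears it, not the path alone.
        if USER_PROFILE_RE.search(proc):
            findings.append(("process running from a user profile or Temp folder", proc))
    for e in entries:
        line = f"{e.kind} - {e.body}"
        if e.kind == "O2" and e.body.endswith("(no file)"):
            findings.append(("orphaned BHO registration (CLSID with no DLL)", line))
        elif e.kind == "O20" and e.body.startswith("Winlogon Notify:"):
            findings.append(("Winlogon Notify DLL loads at every logon; verify it", line))
        elif e.kind == "O23" and e.body.endswith("(file missing)"):
            findings.append(("service registration points at a missing file", line))
    return findings

def diff_logs(before, after):
    """Return (removed, added) entries between two scans of the same machine."""
    _, old = parse_log(before)
    _, new = parse_log(after)
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    return removed, added

if __name__ == "__main__":
    for reason, item in triage(LOG_BEFORE):
        print(f"[check] {reason}: {item}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since first scan:", [f"{e.kind} - {e.body}" for e in removed])
    print("new since first scan:", [f"{e.kind} - {e.body}" for e in added])
```

On the two sample logs the diff shows the ****a BHO and the daebefeabc Winlogon Notify entry gone and only the benign KernelFaultCheck run key new, which is the same conclusion the thread reaches by eye.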

  7. #7
    Neal (Dedicated Member)
    Visit the page below to familiarize yourself with the tool:

    A guide and tutorial on using ComboFix




    If you have previously downloaded ComboFix, please delete that version now.

    Now download ComboFix and save to your desktop:

    Note:

    It is IMPORTANT that it is saved directly to your desktop

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any realtime malware scanners and script blockers now.


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
    Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


    ComboFix SHOULD NOT be used unless requested by a forum helper.


    New hijackthis log please.

  8. #8
    mccradbr (Newbie)
    Combofix log:


    ComboFix 08-08-10.06 - Owner 2008-08-11 17:07:07.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT -6:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\WNSXS~1
    C:\WINDOWS\IA
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\muotr.so
    C:\WINDOWS\system32\actskn43.ocx
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\wnsintsv.exe
    C:\WINDOWS\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CLIENT_IP-IPX
    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
    .

    2008-08-10 22:14 . 2004-03-25 01:06 1,802,240 --------- C:\WINDOWS\UNNMP.exe
    2008-08-10 22:14 . 2004-04-21 00:10 52,418 --------- C:\WINDOWS\UNNMP.cfg
    2008-08-10 22:11 . 2008-08-10 22:13 <DIR> d-------- C:\Program Files\Ahead
    2008-08-10 22:10 . 2004-04-18 21:37 1,814,528 --------- C:\WINDOWS\UNNeroVision.exe
    2008-08-10 22:10 . 2004-04-21 00:10 96,891 --------- C:\WINDOWS\UNNeroVision.cfg
    2008-08-10 19:33 . 2008-08-10 21:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Roxio
    2008-08-10 19:28 . 2008-08-10 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
    2008-08-10 19:24 . 2008-08-10 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
    2008-08-10 19:21 . 2008-08-10 22:07 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
    2008-08-10 17:14 . 2008-08-10 17:14 <DIR> d-------- C:\Program Files\dvd43
    2008-08-10 17:14 . 2008-08-10 17:14 18,816 --------- C:\WINDOWS\system32\drivers\dvd43llh.sys
    2008-08-08 18:16 . 2008-08-08 18:16 <DIR> d-------- C:\bintheredunthat
    2008-08-08 18:08 . 2008-08-08 18:09 <DIR> d-------- C:\bfu
    2008-08-06 23:37 . 2008-08-06 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2008-08-06 20:51 . 2008-08-06 20:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-06 20:51 . 2008-08-06 20:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-06 20:51 . 2008-08-06 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-06 20:51 . 2008-07-30 20:07 38,472 --------- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-06 20:51 . 2008-07-30 20:07 17,144 --------- C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-04 15:52 . 2008-08-08 18:31 <DIR> d-------- C:\hjthis
    2008-08-04 14:26 . 2008-08-04 14:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-04 06:23 . 2008-08-04 15:44 <DIR> d-------- C:\Program Files\Softwin
    2008-08-02 22:39 . 1995-12-15 04:10 346,112 --a------ C:\WINDOWS\system\QTIM32.DLL
    2008-07-29 21:44 . 2008-07-29 21:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-29 21:44 . 2008-08-06 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-28 20:31 . 2008-07-28 20:31 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
    2008-07-28 20:31 . 2008-07-28 20:25 17,920 --------- C:\WINDOWS\system32\sophosboottasks.exe
    2008-07-28 20:30 . 2008-07-28 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
    2008-07-28 20:27 . 2008-07-28 20:27 101,120 --------- C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
    2008-07-28 20:26 . 2008-07-28 20:26 33,408 --------- C:\WINDOWS\system32\drivers\savonaccessfilter.sys
    2008-07-28 20:11 . 2008-08-04 15:20 <DIR> d-------- C:\Program Files\sophos
    2008-07-28 19:20 . 2008-07-28 19:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-07-28 19:13 . 2008-07-28 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-28 17:22 . 2008-07-28 20:15 <DIR> d-------- C:\WINDOWS\system32\6463
    2008-07-20 16:17 . 2008-07-20 16:17 <DIR> d-------- C:\Documents and Settings\Guest

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-11 04:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
    2008-08-11 00:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-08-10 23:24 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-10 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-05 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
    2008-07-29 02:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-29 01:13 --------- d-----w C:\Program Files\Lavasoft
    2008-07-29 01:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-27 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    2008-02-22 02:39 15,872 --sha-w C:\WINDOWS\AnyTrial.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 19:21 278528]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19 4841472]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-03 21:34 98304]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-01 18:49 185896]
    "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-04-09 10:00 826880]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-02 19:27:52 157008]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
    AutoUpdate Monitor.lnk - C:\Program Files\sophos\AutoUpdate\ALMon.exe [2007-08-02 12:38:12 245760]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @="service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "NVIEW"=rundll32.exe nview.dll,nViewLoadHook

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
    "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
    "Persistence"=C:\WINDOWS\system32\igfxpers.exe
    "RunFlip"=C:\WINDOWS\RunFlip.exe
    "BigDogPath"=C:\WINDOWS\VM_STI.EXE Ezonics VGA camera

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Novell\\GroupWise\\grpwise.exe"=
    "C:\\Novell\\GroupWise\\notify.exe"=

    R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-09-02 20:03]
    R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-07-28 20:27]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-07-28 20:26]
    S0 b3a8d89da21f74791f4767ec38e7af41;b3a8d89da21f74791f4767ec38e7af41;C:\WINDOWS\system32\b3a8d89da21f74791f4767ec38e7af41.sys []
    S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe []
    S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe []
    S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
    S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\1.tmp []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a954d326-6230-11dd-9331-a06f140efcf4}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-01 C:\WINDOWS\Tasks\1-Click Maintenance.job
    - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Explorer_Run-{C806F694-06A1-1033-0819-050831010001} - C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe
    HKU-Default-Explorer_Run-{C806F694-06A1-1033-0819-050831010002} - C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010002}\Update.exe
    HKU-Default-Explorer_Run-{C806F694-06A2-1033-0819-050831010002} - C:\Program Files\Common Files\{C806F694-06A2-1033-0819-050831010002}\Update.exe


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
    C:\WINDOWS\Downloaded Program Files\GoPetsWeb.inf
    C:\WINDOWS\Downloaded Program Files\GoPetsWeb.ocx


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-11 17:12:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    "ImagePath"="\??\C:\WINDOWS\system32\1.tmp"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\sophos\Sophos Anti-Virus\SavService.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webshots\Webshots.scr
    .
    **************************************************************************
    .
    Completion time: 2008-08-11 17:18:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-11 23:18:36

    Pre-Run: 3,280,625,664 bytes free
    Post-Run: 3,178,795,008 bytes free

    187 --- E O F --- 2008-05-28 09:02:43



    New HiJackthis log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:22:24 PM, on 8/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Novell\GroupWise\grpwise.exe
    C:\Novell\GroupWise\Notify.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hjthis\looker.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\cifvh5zs.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\sophos\AutoUpdate\ALMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187828456015
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

    --
    End of file - 8674 bytes

  9. #9
    Neal is offline Dedicated Member
    Open notepad (Must be NotePad) and copy/paste the text in the quotebox below into it: NOT THE WORD QUOTE

    File::
    C:\WINDOWS\RunFlip.exe

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a954d326-6230-11dd-9331-a06f140efcf4}]

    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    How are things running now?
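An added example, not part of the thread and not code from ComboFix or any other tool named here: a small Python triage script that applies the checks a helper applies by eye to a ComboFix log like the one above, flagging a MountPoints2 key that carries a Shell\AutoRun\command (the E:\m.exe entry the CFScript removes) and services whose binary lives under a Temp folder, is a .tmp file, or is a 32-hex-character driver with no file timestamp. The embedded log fragment is constructed to match the shape of those lines; every flag is a prompt for review, not a verdict.

```python
import re

# Constructed sample, shaped like the "Reg Loading Points" section of the
# ComboFix log in the thread (not a copy of the poster's full log).
SAMPLE_LOG = r"""
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-07-28 20:27]
S0 b3a8d89da21f74791f4767ec38e7af41;b3a8d89da21f74791f4767ec38e7af41;C:\WINDOWS\system32\b3a8d89da21f74791f4767ec38e7af41.sys []
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\1.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a954d326-6230-11dd-9331-a06f140efcf4}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
"""

# Registry key header for a per-volume MountPoints2 entry (GUID captured).
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# The AutoRun verb ComboFix prints under that key.
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)
# Driver/service line: "<start> <name>;<display>;<image> [<timestamp>]".
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)


def autorun_target(command):
    """Return the last drive-letter path in an AutoRun command line.

    For the RunDLL32/ShellExec_RunDLL form seen in the log, that is the
    file the shell would launch when the volume is double-clicked.
    """
    paths = WIN_PATH.findall(command)
    return paths[-1] if paths else command


def triage(log_text):
    """Scan ComboFix-style lines and return (kind, name, detail) findings.

    Every finding is a prompt for a human to review, not a verdict.
    """
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.startswith("["):  # any other key ends the MountPoints2 block
            current_key = None
            continue
        m = AUTORUN_CMD.match(line)
        if m and current_key:
            findings.append(("mountpoint_autorun", current_key,
                             autorun_target(m.group(1))))
            continue
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        _start, name, _display, image, stamp = m.groups()
        if re.search(r"\\Temp\\", image, re.I):
            findings.append(("service_in_temp", name, image))
        elif stamp == "" and HEX_NAME.match(name):
            findings.append(("unnamed_hex_driver", name, image))
        elif image.lower().endswith(".tmp"):
            findings.append(("service_tmp_image", name, image))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {name:36} {detail}")
```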

  10. #10
    mccradbr is offline Newbie
    Neal

    Many thanks for the help so far. My system seems to be over the worst of the problem. The m.exe file has ceased its intrusive behaviour and the Sophos virus check is not picking up anything new.

    I will not be able to run these latest instructions until the weekend as I am away from the system in question until then. I'll post the new logs then.

    Can you advise what you are seeing as being the core problem?

    Again, many thanks for the professional and timely help.
