Old 12-26-2007, 11:19 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


ComboFix and Hijack This logs...please help :)

Hey all. I ran SmitFraudFix the other day, and it got rid of the pop-up telling me I had spyware, but my Task Manager and regedit are still disabled, and Windows still appears to be randomly copying files somewhere (the "copying" window pops up). Please also note that whatever I have seems to have deleted my SpySweeper definitions, and it prevented me from opening Norton. Also, it prevented me from running smitfraudfix.exe until I renamed it, and the same thing happened with ComboFix (renamed combofi.exe). After my machine rebooted during ComboFix, Norton seems to be (at least) semi-functional. Anyway, as someone else on here told me to do, I ran ComboFix, then a fresh HijackThis log...here they are. Thank you ahead of time :)

Combofix:
ComboFix 07-12-21.4 - Anthony 2007-12-28 2:02:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.exe
C:\Autorun.inf
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Anthony\Application Data\antivirus.exe
C:\Documents and Settings\Anthony\Application Data\printer.exe
C:\WINDOWS\system32\kernelw.sys
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\wowfx.dll
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\Driver


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 19:50 . 2007-12-27 19:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 19:47 . 2007-12-27 19:47 16,384 --a------ C:\WINDOWS\system32\users32.dat
2007-12-23 23:12 . 2007-12-28 02:10 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-12-23 19:36 . 2007-12-24 12:36 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-12-23 19:06 . 2007-12-28 02:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-23 19:06 . 2007-12-23 19:06 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\SUPERAntiSpyware.com
2007-12-23 19:06 . 2007-12-23 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-23 19:05 . 2007-12-23 19:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-23 19:03 . 2007-12-27 19:46 9,216 --a------ C:\WINDOWS\system32\suspend.exe
2007-12-23 07:24 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-23 07:24 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-23 07:24 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-23 07:24 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-23 07:24 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-23 07:24 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-23 07:24 . 2007-12-23 07:51 2,276 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-23 03:05 . 2007-12-23 03:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-23 02:59 . 2007-12-23 02:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-12-23 02:56 . 2007-12-23 02:56 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-23 02:37 . 2007-12-23 02:37 <DIR> d-------- C:\Program Files\EliteProtector
2007-12-23 02:37 . 2007-12-23 02:36 89,088 ---h----- C:\Documents and Settings\Anthony\Anthony.exe
2007-12-23 02:37 . 2007-12-23 02:36 89,088 ---h----- C:\Documents and Settings\All Users\All Users.exe
2007-12-23 02:37 . 2007-12-23 02:37 29,184 --a------ C:\WINDOWS\wsystmp_bja.exe
2007-12-23 02:37 . 2007-12-23 03:13 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-23 02:36 . 2007-12-23 02:36 89,088 --a------ C:\WINDOWS\wsystmp_axh.exe
2007-12-23 02:36 . 2007-12-23 02:36 89,088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-23 02:36 . 2007-12-23 02:36 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-23 02:36 . 2007-12-23 02:36 89,088 ---hs---- C:\BCD443AD.exe
2007-12-23 02:36 . 2007-12-28 02:11 28,929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-23 02:35 . 2007-12-28 02:11 6,144 --a------ C:\WINDOWS\system32\user32.dat
2007-12-23 02:30 . 2007-12-27 19:43 8,192 --a------ C:\WINDOWS\medichi2.exe
2007-12-23 02:30 . 2007-12-27 19:43 6,144 --a------ C:\WINDOWS\murka.dat
2007-12-23 02:30 . 2007-12-27 19:43 5,632 --a------ C:\WINDOWS\medichi.exe
2007-12-23 02:28 . 2007-12-23 02:28 35,840 --a------ C:\WINDOWS\wsystmp_kwq.exe
2007-12-23 02:11 . 2007-12-23 02:11 15,872 --a------ C:\WINDOWS\windisk.dll
2007-12-21 02:00 . 2007-12-21 02:00 28,929 --a------ C:\WINDOWS\trayicons.exe
2007-12-21 02:00 . 2007-12-21 02:00 28,929 --a------ C:\Documents and Settings\Anthony\wn852.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 07:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 07:10 --------- d-----w C:\Program Files\QuickTime
2007-12-28 00:47 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-24 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 20:45 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-24 20:45 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-24 20:45 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-24 20:45 --------- d-----w C:\Program Files\Symantec
2007-12-24 09:09 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Symantec
2005-04-10 02:24 99,384 ----a-w C:\Documents and Settings\Anthony\Application Data\GDIPFONTCACHEV1.DAT
2003-09-14 19:52 811 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-27 19:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2007-12-27 19:47]
"EasyMP3 Track Rename"="EasyRen.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 19:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 19:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"Medichi"="medichi.exe" [2007-12-27 19:43 C:\WINDOWS\medichi.exe]
"Medichi2"="medichi2.exe" [2007-12-27 19:43 C:\WINDOWS\medichi2.exe]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-28 02:11]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-23 02:36]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 20:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-27 19:47]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-12-27 19:47]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-12-27 19:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallControl 4.5]
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyMP3 Track Rename]
EasyRen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastTVSync]
2004-03-11 03:55 245760 --a------ C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-06-04 06:33 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-08-19 16:23 32873 --a------ C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"Messenger"=2 (0x2)
"ION Java Daemon 1.6"=3 (0x3)
"InCDsrv"=2 (0x2)
"Alerter"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0849a4-0f97-11da-b849-0020e03a4d46}]
\Shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - SYMREDRV
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 02:11:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\win.tmp 950 bytes
C:\WINDOWS\Winamp.ini 1125 bytes
C:\WINDOWS\winampa.ini 41 bytes
C:\WINDOWS\windisk.dll 15872 bytes executable
C:\WINDOWS\Windows Update.log 186484 bytes
C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1953759 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 138 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\winzip32.ini 27 bytes
C:\WINDOWS\wmsetup.log 33989 bytes
C:\WINDOWS\wmsetup10.log 498 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\WMSysPrx.prx 299552 bytes
C:\WINDOWS\wordpad.ini 29 bytes
C:\WINDOWS\WRUninstall.dll 253440 bytes executable
C:\WINDOWS\wsystmp_axh.exe 89088 bytes executable
C:\WINDOWS\wsystmp_bja.exe 29184 bytes executable
C:\WINDOWS\wsystmp_kwq.exe 35840 bytes executable
C:\WINDOWS\wt
C:\WINDOWS\xpsp1hfm.log 83069 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\_MSRSTRT.EXE 2560 bytes executable

scan completed successfully
hidden files: 28

**************************************************************************
.
Completion time: 2007-12-28 2:14:35 - machine was rebooted


-------------------
Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:01 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\EasyMP3\EasyRen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [EasyMP3 Track Rename] EasyRen.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094168057186
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5875 bytes
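The "Reg Loading Points" section of the ComboFix log above is where a helper finds the cause of the poster's symptoms: the policies\system and policies\explorer values set to 1 are what disable Task Manager, regedit and Control Panel, and the HKLM Run values and the mountpoints2 AutoRun command are the persistence to look at. The following Python parser is an added example, not ComboFix's or the thread's own code; its sample input is constructed from lines posted above, and the "second look" list is a triage heuristic, not a malware verdict.

```python
"""Pull the actionable facts out of the 'Reg Loading Points' section of a
ComboFix log: policy values that lock Task Manager / regedit / Control Panel,
AutoRun commands on mount points, and Run entries worth a second look.
Added example, not ComboFix's own code; sample input is constructed from
lines posted in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the REGEDIT4 block from the first log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyMP3 Track Rename"="EasyRen.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"Medichi"="medichi.exe" [2007-12-27 19:43 C:\WINDOWS\medichi.exe]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-28 02:11]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-23 02:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0849a4-0f97-11da-b849-0020e03a4d46}]
\Shell\AutoRun\command - H:\setupSNK.exe
"""

# Policy values that, when set to 1, produce exactly the symptoms the poster describes.
RESTRICTIVE_POLICIES = {
    "DisableTaskMgr": "Task Manager is blocked",
    "DisableRegistryTools": "regedit is blocked",
    "NoControlPanel": "Control Panel is hidden",
    "NoWindowsUpdate": "Windows Update is blocked",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
TARGET_RE = re.compile(r'^"(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]')

@dataclass
class Findings:
    restrictions: dict = field(default_factory=dict)  # policy name -> [hives]
    autoruns: list = field(default_factory=list)      # (mountpoint key, command)
    run_entries: list = field(default_factory=list)   # (value name, resolved target)

def resolve_target(quoted: str, stamp: str) -> str:
    """ComboFix prints a bare file name when the Run value has no directory and,
    if it located the file, appends the full path after the timestamp inside the
    brackets. Prefer that located path; otherwise keep what was written."""
    parts = stamp.split(" ", 2)
    return parts[2] if len(parts) == 3 else quoted

def parse_loading_points(text: str) -> Findings:
    """Walk the REGEDIT4-style section line by line, tracking the current key."""
    found = Findings()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        lowered = key.lower()
        if "\\mountpoints2\\" in lowered and line.startswith("\\Shell\\AutoRun\\command - "):
            found.autoruns.append((key, line.split(" - ", 1)[1]))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, data = v.group("name"), v.group("data")
        if "\\policies\\" in lowered and name in RESTRICTIVE_POLICIES:
            if data.lstrip().startswith("1"):
                found.restrictions.setdefault(name, []).append(key.split("\\", 1)[0])
        elif lowered.endswith("\\run"):
            t = TARGET_RE.match(data)
            if t:
                found.run_entries.append((name, resolve_target(t.group("path"), t.group("stamp"))))
    return found

def explain_symptoms(found: Findings) -> list:
    """Readable reasons for the locked tools, with the hive(s) that set each policy."""
    return [f"{RESTRICTIVE_POLICIES[n]} (set in {', '.join(h)})" for n, h in found.restrictions.items()]

def second_look(found: Findings) -> list:
    """Heuristic triage only: Run entries ComboFix could not locate, or that resolve
    outside Program Files (e.g. straight under C:\\WINDOWS). Legitimate software can
    live there too, so this is a list to check, not a verdict."""
    flagged = []
    for name, target in found.run_entries:
        if "\\" not in target:
            flagged.append((name, target, "not located"))
        elif not target.lower().startswith("c:\\program files\\"):
            flagged.append((name, target, "outside Program Files"))
    return flagged

if __name__ == "__main__":
    result = parse_loading_points(SAMPLE_LOG)
    print("\n".join(explain_symptoms(result)))
    for _, cmd in result.autoruns:
        print(f"AutoRun on mount point: {cmd}")
    for name, target, why in second_look(result):
        print(f"Run value {name!r} -> {target} ({why})")
```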
Old 12-26-2007, 11:27 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: ComboFix and Hijack This logs...please help :)

Hello totinnere and welcome to TSF,

Delete your existing renamed combofi.exe and download it again as it's been updated. Use any of these links below:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Rename ComboFix.exe to anything you like--just remember what it is.

--------------------------------------------------------------------

Double click on the renamed tool & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-26-2007, 11:54 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


Re: ComboFix and Hijack This logs...please help :)

Thanks for the quick response. Here are the new logs :)

ComboFix 07-12-27.1 - Anthony 2007-12-28 2:55:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.203 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\user32.dat
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 02:45 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DL1
2007-12-28 02:45 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2007-12-28 02:45 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2007-12-27 19:50 . 2007-12-27 19:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 19:47 . 2007-12-27 19:47 16,384 --a------ C:\WINDOWS\system32\users32.dat
2007-12-23 23:12 . 2007-12-28 02:44 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-12-23 19:36 . 2007-12-24 12:36 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-12-23 19:06 . 2007-12-28 02:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-23 19:06 . 2007-12-23 19:06 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\SUPERAntiSpyware.com
2007-12-23 19:06 . 2007-12-23 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-23 19:05 . 2007-12-23 19:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-23 19:03 . 2007-12-27 19:46 9,216 --a------ C:\WINDOWS\system32\suspend.exe
2007-12-23 07:24 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-23 07:24 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-23 07:24 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-23 07:24 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-23 07:24 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-23 07:24 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-23 07:24 . 2007-12-23 07:51 2,276 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-23 03:05 . 2007-12-23 03:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-23 02:59 . 2007-12-23 02:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-12-23 02:56 . 2007-12-23 02:56 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-23 02:37 . 2007-12-23 02:37 <DIR> d-------- C:\Program Files\EliteProtector
2007-12-23 02:37 . 2007-12-23 02:36 89,088 ---h----- C:\Documents and Settings\Anthony\Anthony.exe
2007-12-23 02:37 . 2007-12-23 02:36 89,088 ---h----- C:\Documents and Settings\All Users\All Users.exe
2007-12-23 02:37 . 2007-12-23 02:37 29,184 --a------ C:\WINDOWS\wsystmp_bja.exe
2007-12-23 02:28 . 2007-12-23 02:28 35,840 --a------ C:\WINDOWS\wsystmp_kwq.exe
2007-12-21 02:00 . 2007-12-21 02:00 28,929 --a------ C:\Documents and Settings\Anthony\wn852.exe
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 07:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 07:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 07:36 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-28 07:36 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-28 07:36 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-28 07:36 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-28 07:36 --------- d-----w C:\Program Files\Symantec
2007-12-28 07:10 --------- d-----w C:\Program Files\QuickTime
2007-12-28 00:47 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-24 09:09 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Symantec
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 00:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 00:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 00:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 00:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 00:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 00:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 00:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 00:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2005-04-10 02:24 99,384 ----a-w C:\Documents and Settings\Anthony\Application Data\GDIPFONTCACHEV1.DAT
2003-09-14 19:52 811 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-12-28_ 2.12.25.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-15 22:24:33 466,944 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-09-12 23:27:24 511,328 ----a-w C:\WINDOWS\system32\capicom.dll
- 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2007-12-27 19:47]
"EasyMP3 Track Rename"="EasyRen.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 19:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 19:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"sis32"="C:\WINDOWS\system32\winsos.exe" []
"winroot"="C:\WINDOWS\system32\winsn.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-27 19:47]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-12-27 19:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallControl 4.5]
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyMP3 Track Rename]
EasyRen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastTVSync]
2004-03-11 03:55 245760 --a------ C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-06-04 06:33 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-08-19 16:23 32873 --a------ C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"Messenger"=2 (0x2)
"ION Java Daemon 1.6"=3 (0x3)
"InCDsrv"=2 (0x2)
"Alerter"=3 (0x3)

R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 19:16]
R3 ham50;Intel HaM Data Fax Voice Modem;C:\WINDOWS\system32\DRIVERS\ham50.sys [2000-10-06 06:10]
R3 S3SAVAGE4M;S3SAVAGE4M;C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 07:50]
S3 LinksysFVNETusbl(AR)(R);Linksys FVNETusbl(AR)(R) Service for Instant Wireless USB Network Adapter ver.2.6;C:\WINDOWS\system32\DRIVERS\vnetusbl.sys [2004-03-09 18:48]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 01:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0849a4-0f97-11da-b849-0020e03a4d46}]
\Shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - AUTOMATIC_LIVEUPDATE_SCHEDULER
*Newly Created Service* - COMHOST
*Newly Created Service* - LIVEUPDATE
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 07:16:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Anthony.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 03:01:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\win.tmp 950 bytes
C:\WINDOWS\Winamp.ini 1125 bytes
C:\WINDOWS\winampa.ini 41 bytes
C:\WINDOWS\Windows Update.log 186484 bytes
C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1958869 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 138 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\winzip32.ini 27 bytes
C:\WINDOWS\wmsetup.log 33989 bytes
C:\WINDOWS\wmsetup10.log 498 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\WMSysPrx.prx 299552 bytes
C:\WINDOWS\wordpad.ini 29 bytes
C:\WINDOWS\WRUninstall.dll 253440 bytes executable
C:\WINDOWS\wsystmp_bja.exe 29184 bytes executable
C:\WINDOWS\wsystmp_kwq.exe 35840 bytes executable
C:\WINDOWS\wt
C:\WINDOWS\xpsp1hfm.log 83069 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\_MSRSTRT.EXE 2560 bytes executable

scan completed successfully
hidden files: 26

**************************************************************************
.
Completion time: 2007-12-28 3:03:09



------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:27 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\EasyMP3\EasyRen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [EasyMP3 Track Rename] EasyRen.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094168057186
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5361 bytes
Old 12-27-2007, 12:03 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


Re: ComboFix and Hijack This logs...please help :)

Hmmm....after running this, nothing abnormal (that I've noticed at least) seems to be happening. I can access the Task Manager, regedit, download my spysweeper definitions again, etc...I'm afraid to reboot, though. Is this gone for good?
Old 12-27-2007, 12:04 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: ComboFix and Hijack This logs...please help :)

You're welcome.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
Start notepad log.txt

Save this as check.bat. Choose "Save type as - All Files".
It should look like this:
Double click on check.bat & allow it to run.

Copy/paste the contents of that report here
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-27-2007, 12:06 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: ComboFix and Hijack This logs...please help :)

We cross posted...no, it's not gone--you are still infected.
Old 12-27-2007, 12:16 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


Re: ComboFix and Hijack This logs...please help :)

Thanks. Here's all it said:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0



Should I reboot and run it?
Old 12-27-2007, 12:27 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: ComboFix and Hijack This logs...please help :)

Do the following first...

This particular variant infects legit startup programs, and the following appear to have been infected--note the file date:

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 19:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 19:47]

Until those are addressed as well, the infection will remain and continue to call in more infected files. You will have to reinstall those.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\wsystmp_bja.exe
C:\WINDOWS\wsystmp_kwq.exe
C:\Documents and Settings\Anthony\wn852.exe

Folder::
C:\Program Files\QuickTime
C:\Program Files\Common Files\Real\Update_OB

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sis32"=-
"winroot"=-

Save this as CFScript.txt, in the same location as your renamed ComboFix.exe




Referring to the picture above, drag CFScript into the renamed ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


----------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
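As an added example (not from the thread, and not ComboFix's own code), a small Python triage script that applies the file-date heuristic from the post above to ComboFix "Run" entries: it parses the bracketed dates, flags unrelated startup programs whose files were rewritten within the same few minutes, and drafts a CFScript in the File::/Registry:: layout shown above for a human to review. The sample lines are constructed, modelled on the two entries Ried quoted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the "Run" entries quoted in the thread
# (the 2007-12-27 19:47 dates are the ones the helper pointed at).
SAMPLE_LOG = r'''
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 19:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 19:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 10:03]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-27 19:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-05 14:21]
'''

# "Name"="path" [YYYY-MM-DD HH:MM], the shape ComboFix prints for Run values.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]\s*$'
)


def parse_entries(text):
    """Return [(name, path, datetime)] for every ComboFix-style Run line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["name"], m["path"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")))
    return out


def timestamp_clusters(entries, tolerance=timedelta(minutes=5), min_size=2):
    """Group entries whose file dates fall within `tolerance` of each other.
    Several startup files rewritten in the same minute is the pattern the post
    describes: the infection overwrote legitimate programs' executables."""
    ordered = sorted(entries, key=lambda e: e[2])
    clusters, current = [], []
    for e in ordered:
        if current and e[2] - current[-1][2] > tolerance:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def flag_suspicious(entries, **kw):
    """Keep only clusters spanning more than one directory, so a single product
    updating its own files at one time is not mistaken for an infection."""
    flagged = []
    for cluster in timestamp_clusters(entries, **kw):
        dirs = {p.rsplit("\\", 1)[0].lower() for _, p, _ in cluster}
        if len(dirs) > 1:
            flagged.extend(cluster)
    return flagged


def draft_cfscript(flagged):
    """Render a CFScript draft in the File::/Registry:: layout used in the thread.
    A Run value followed by "=-" asks ComboFix to delete that value."""
    lines = ["File::"] + [p for _, p, _ in flagged]
    lines += ["", "Registry::",
              r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"]
    lines += [f'"{n}"=-' for n, _, _ in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_entries(SAMPLE_LOG))
    for name, path, ts in found:
        print(f"{ts:%Y-%m-%d %H:%M}  {name:15} {path}")
    print(draft_cfscript(found))
```

On the sample, the three entries sharing the 19:47/19:48 write time are flagged while iTunesHelper and ccApp, dated months earlier, are left alone.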
Old 12-27-2007, 01:19 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


Re: ComboFix and Hijack This logs...please help :)

Ok, I am posting this from my laptop. My roommate actually uses my desktop; he's the one who screwed it up in the first place.

Anyway...the virus scan just started a few minutes ago (12 minutes in and still at 0% and about 11,000 files), and it looks like it's going to take quite a while. Is it a problem if I fall asleep? I have to be up for work in a few hours. Can I post the results when I wake up, and continue with you tomorrow after work or whenever else is possible? If so, should I leave the computer running all day, or is it not going to cause more damage if I shut down and reboot later in the day? I'm sorry, I honestly wasn't expecting such prompt help.
Old 12-27-2007, 06:04 AM   #10 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: XP Pro


Re: ComboFix and Hijack This logs...please help :)

Quote:
Originally Posted by Ried View Post
Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
Here you go...plus since you said to do Hijackthis again, I have included that, too.

Update on system behavior: nothing out of the ordinary seems to be going on at the moment as far as my task manager, regedit, and random copying are concerned. Last night, before I did the last set of things you asked me to do, I was getting an error trying to open Norton, but now it is opening again. Also, I tried killing SpySweeper.exe in my task manager, but it said access denied. Okay, here are the logs. I am going to shut my computer down while I am at work; please let me know if I have to repeat any steps because of this.


ComboFix 07-12-27.1 - Anthony 2007-12-28 3:51:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anthony\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Anthony\wn852.exe
C:\WINDOWS\wsystmp_bja.exe
C:\WINDOWS\wsystmp_kwq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Anthony\wn852.exe
C:\Program Files\Common Files\Real\Update_OB
C:\Program Files\Common Files\Real\Update_OB\faus3270.dll
C:\Program Files\Common Files\Real\Update_OB\nprfxins.dll
C:\Program Files\Common Files\Real\Update_OB\pnmi3270.dll
C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Real\Update_OB\RealPlayer-log.txt
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnad3201.dll
C:\Program Files\Common Files\Real\Update_OB\rnms3270.dll
C:\Program Files\Common Files\Real\Update_OB\rnqu3270.dll
C:\Program Files\Common Files\Real\Update_OB\rnup3270.dll
C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe
C:\Program Files\Common Files\Real\Update_OB\setu3270.dll
C:\Program Files\Common Files\Real\Update_OB\UI\ath.vs
C:\Program Files\Common Files\Real\Update_OB\UI\default.png
C:\Program Files\Common Files\Real\Update_OB\UI\default.smi
C:\Program Files\Common Files\Real\Update_OB\UI\Images\real_logo_93x44.gif
C:\Program Files\Common Files\Real\Update_OB\UI\loc\msgdata.js
C:\Program Files\Common Files\Real\Update_OB\UI\loc\msgStyle.css
C:\Program Files\Common Files\Real\Update_OB\UI\mirak.vs
C:\Program Files\Common Files\Real\Update_OB\UI\msgoff.htm
C:\Program Files\Common Files\Real\Update_OB\UI\msgui.vs
C:\Program Files\Common Files\Real\Update_OB\UI\rnupgui.vs
C:\Program Files\Common Files\Real\Update_OB\Update-log.txt
C:\Program Files\Common Files\Real\Update_OB\upgr3270.dll
C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe
C:\Program Files\QuickTime
C:\Program Files\QuickTime\PictureViewer.exe
C:\Program Files\QuickTime\PictureViewer.Resources\da.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\da.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\de.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\de.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\en.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\en.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\es.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\es.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\fi.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\fi.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\fr.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\PictureViewer.Resources\fr.lproj\PictureViewerLocalized.qtr
C:\Program Files\QuickTime\PictureViewer.Resources\it.lproj\PictureViewerLocalized.dll
C:\Program Files\QuickTime\Pic