So many things wrong!
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
I hate my computer.....
My computer's symptoms:

In the last couple of days, my machine started sending out emails on its own. Some of them are caught by my Norton Internet Security software and blocked, but none of them showed up in my Sent folder in Outlook. This was the first sign that made me think something is wrong.

Also, around the same time, IE started crashing on its own, frequently, to the point where I can't use it. It always comes up with an error message, giving me the options to "close" or "debug".

In addition, when I google something and it comes back with the results, when I click on the link that I want to see, it now takes me to some completely different link, like the links were corrupted or something. This, so far, is only happening in IE. I have Firefox and Opera as well, and neither of them is acting this way.

I have Norton Internet Security installed on my machine. I also purchased Ad-Aware Pro a couple of days ago, hoping I could use it to fix this, but no luck. I also tried Spybot S&D and Spyblaster, again with no luck. In addition I tried SmitFraudFix, but the problems still remain. I read your post, which mentioned HijackThis, so I downloaded it and ran the scan and log option; the following is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:07 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\aspimgr.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\WINDOWS\system32\WDBtnMgr.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\regsvr32.exe
D:\WINDOWS\system32\regsvr32.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\My Book\WD Backup\uBBMonitor.exe
e:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - D:\Program Files\Zywicvdb\wsrqmurr.dll
O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - D:\Program Files\Rhguclsn\koaqzxlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jkdklqja] rundll32.exe "D:\Program Files\jkdklqja\vexivktq.dll",Init
O4 - HKLM\..\Run: [xmvqrmza] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\xmvqrmza.dll"
O4 - HKLM\..\Run: [lshudyfe] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\lshudyfe.dll"
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [bgduncbw] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\bgduncbw.dll"
O4 - HKLM\..\Run: [SC2] D:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [pebklcdy] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\pebklcdy.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5663] command /c del "D:\Documents and Settings\All Users\Application Data\pebklcdy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6892] cmd /c del "D:\Documents and Settings\All Users\Application Data\pebklcdy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5639] command /c del "D:\Documents and Settings\All Users\Application Data\bgduncbw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC430] cmd /c del "D:\Documents and Settings\All Users\Application Data\bgduncbw.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8995] command /c del "D:\Documents and Settings\All Users\Application Data\pebklcdy.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5596] cmd /c del "D:\Documents and Settings\All Users\Application Data\pebklcdy.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8342] command /c del "D:\Documents and Settings\All Users\Application Data\bgduncbw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4557] cmd /c del "D:\Documents and Settings\All Users\Application Data\bgduncbw.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: WD Backup Monitor.lnk = E:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - E:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171432850265
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{939541F9-BA0A-42D2-98E8-7E1393181864}: NameServer = 192.168.1.1
O20 - Winlogon Notify: winosz32 - D:\WINDOWS\SYSTEM32\winosz32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - D:\WINDOWS\system32\aspimgr.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11935 bytes

My Ad-Aware wouldn't even complete a scan. Can't find the logs.... It keeps bugging out halfway through with a warning that something is wrong, giving me the option to debug or close. Tried reinstalling it, still no luck. HELP!!
LS CalamityJane
Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I hate my computer.....
Thank you! But Ad-Aware, or Ad-Watch, still bugs out and crashes each time I try to scan the machine, though.......

Here is the ComboFix log:

ComboFix 07-11-08.1 - JASON 2007-11-14 22:01:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.490 [GMT -8:00]
Running from: D:\Documents and Settings\JASON\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data.\rizungti.dll
D:\Program Files\SecCenter
D:\Program Files\SecCenter\scprot4.exe
D:\WINDOWS\g32.txt
D:\WINDOWS\gs32.txt
D:\WINDOWS\s32.txt
D:\WINDOWS\system32\aspimgr.exe
D:\WINDOWS\system32\fibagbia
D:\WINDOWS\system32\fibagbia\bg1.gif
D:\WINDOWS\system32\fibagbia\bgtop.gif
D:\WINDOWS\system32\fibagbia\bottom1.gif
D:\WINDOWS\system32\fibagbia\essentials.gif
D:\WINDOWS\system32\fibagbia\fibagbia1.exe
D:\WINDOWS\system32\fibagbia\fibagbia2.exe
D:\WINDOWS\system32\fibagbia\fibagbia3.exe
D:\WINDOWS\system32\fibagbia\icon1.ico
D:\WINDOWS\system32\fibagbia\install1.gif
D:\WINDOWS\system32\fibagbia\left1.gif
D:\WINDOWS\system32\fibagbia\li.gif
D:\WINDOWS\system32\fibagbia\logo.gif
D:\WINDOWS\system32\fibagbia\main.htm
D:\WINDOWS\system32\fibagbia\mainframe.htm
D:\WINDOWS\system32\fibagbia\reinstall1.gif
D:\WINDOWS\system32\fibagbia\right1.gif
D:\WINDOWS\system32\fibagbia\s1.htm
D:\WINDOWS\system32\fibagbia\s2.htm
D:\WINDOWS\system32\fibagbia\s3.htm
D:\WINDOWS\system32\fibagbia\SMTop1.gif
D:\WINDOWS\system32\fibagbia\SMTop2.gif
D:\WINDOWS\system32\fibagbia\SMTop3.gif
D:\WINDOWS\system32\fibagbia\SMTop4.gif
D:\WINDOWS\system32\fibagbia\soft1_off.gif
D:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
D:\WINDOWS\system32\fibagbia\soft1_on.gif
D:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
D:\WINDOWS\system32\fibagbia\soft2_off.gif
D:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
D:\WINDOWS\system32\fibagbia\soft2_on.gif
D:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
D:\WINDOWS\system32\fibagbia\soft3_off.gif
D:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
D:\WINDOWS\system32\fibagbia\soft3_on.gif
D:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
D:\WINDOWS\system32\fibagbia\softbottom_off.gif
D:\WINDOWS\system32\fibagbia\softbottom_on.gif
D:\WINDOWS\system32\fibagbia\softleft_off.gif
D:\WINDOWS\system32\fibagbia\softleft_on.gif
D:\WINDOWS\system32\fibagbia\top1.gif
D:\WINDOWS\system32\fibagbia\top2.gif
D:\WINDOWS\system32\fibagbia\turnoff1.gif
D:\WINDOWS\system32\fibagbia\turnon1.gif
D:\WINDOWS\system32\winosz32.dll
D:\WINDOWS\system32\xpdx.sys
D:\WINDOWS\ws386.ini
I:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASPIMGR
-------\aspimgr
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-14 22:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-14 14:36 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 14:36 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-14 14:34 <DIR> d-------- D:\Program Files\Gvxfyueg
2007-11-14 12:20 5,130 --a------ D:\WINDOWS\system32\tmp.reg
2007-11-14 08:57 <DIR> d-------- D:\Program Files\Zywicvdb
2007-11-14 08:37 <DIR> d-------- D:\Program Files\Oqjqqejp
2007-11-13 22:32 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 22:09 94,480 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-12 22:05 <DIR> d-------- D:\Documents and Settings\JASON\Application Data\HouseCall 6.6
2007-11-12 12:11 <DIR> d-------- D:\Program Files\Psrrjdbk
2007-11-12 11:04 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-11-12 10:56 <DIR> d-------- D:\Documents and Settings\JASON\Application Data\Uniblue
2007-11-12 10:34 <DIR> d-------- D:\Program Files\ACW
2007-11-11 15:58 <DIR> d-------- D:\Program Files\Rhguclsn
2007-11-11 15:57 <DIR> d-------- D:\Program Files\jkdklqja
2007-11-11 13:19 <DIR> d-------- D:\Program Files\Windows Live Toolbar
2007-11-11 13:17 <DIR> d-------- D:\Program Files\Microsoft SQL Server Compact Edition
2007-11-11 13:17 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-11-11 13:12 <DIR> d-------- D:\Program Files\Windows Live
2007-11-11 13:12 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2007-11-11 13:11 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-06 07:08 <DIR> d-------- D:\Program Files\iPod
2007-11-05 20:29 288,768 --------- D:\WINDOWS\system32\rhttpaa.dll
2007-11-05 20:29 116,736 --------- D:\WINDOWS\system32\aaclient.dll
2007-11-05 20:29 36,352 --------- D:\WINDOWS\system32\tsgqec.dll
2007-11-05 20:23 <DIR> d-------- D:\Program Files\Nokia
2007-10-30 19:55 625,032 --a------ D:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ D:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ D:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ D:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ D:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ D:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ D:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ D:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ D:\WINDOWS\system32\drivers\symdns.sys
2007-10-28 15:09 <DIR> d-------- D:\Documents and Settings\NINA\Application Data\DivX
2007-10-18 11:31 51,224 --a------ D:\WINDOWS\system32\sirenacm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 21:40 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2007-11-13 05:20 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2007-11-11 23:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\Installations
2007-11-11 21:05 --------- d-----w D:\Documents and Settings\JASON\Application Data\uTorrent
2007-11-06 15:05 --------- d-----w D:\Program Files\QuickTime
2007-11-06 04:23 --------- d-----w D:\Program Files\Common Files\Nokia
2007-10-31 03:24 12,963 ----a-w D:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w D:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-15 22:02 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-15 22:02 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-15 22:02 10,740 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-15 22:02 --------- d-----w D:\Program Files\Symantec
2007-09-18 21:44 10,662 ----a-w D:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w D:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w D:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w D:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w D:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w D:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w D:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w D:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w D:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 01:29 --------- d-----w D:\Program Files\Apple Software Update
2007-09-17 22:13 --------- d-----w D:\Documents and Settings\JASON\Application Data\Nokia Multimedia Player
2007-09-15 15:31 --------- d-----w D:\Documents and Settings\NINA\Application Data\ArcSoft
1999-05-19 22:46 7,247 ----a-w D:\Program Files\ScrptDbg.inf
1997-11-11 20:47 15,410 ----a-w D:\Program Files\ReadMe.Htm
1997-10-22 12:10 236,544 ----a-w D:\Program Files\textmgr.dll
1997-10-22 12:08 25,600 ----a-w D:\Program Files\filesvc.dll
1997-10-22 12:07 53,248 ----a-w D:\Program Files\srcedit.dll
1997-10-22 12:05 83,968 ----a-w D:\Program Files\htmlclr.dll
1997-10-22 12:04 64,000 ----a-w D:\Program Files\comwin.dll
1997-10-22 12:03 135,680 ----a-w D:\Program Files\msscrdbg.exe
1997-10-22 12:01 54,784 ----a-w D:\Program Files\sdbgenu.dll
1997-10-22 12:00 119,296 ----a-w D:\Program Files\scrdbg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
2007-11-14 14:34 114688 --a------ D:\Program Files\Gvxfyueg\jvhzrtoc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{261C35B4-9283-6344-C5C0-005CF873D624}]
2007-11-11 15:58 114688 --a------ D:\Program Files\Rhguclsn\koaqzxlp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-09-03 15:15]
"nwiz"="nwiz.exe" [2004-09-03 15:15 D:\WINDOWS\system32\nwiz.exe]
"StatusClient 2.6"="D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 10:52]
"TomcatStartup 2.5"="D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2003-07-25 14:35]
"HPLJ Config"="D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="E:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2004-09-03 15:15]
"LVCOMSX"="D:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"WD Button Manager"="WDBtnMgr.exe" [2007-08-20 20:34 D:\WINDOWS\system32\WDBtnMgr.exe]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Ad-Watch"="E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-06-02 22:08:40]
APC UPS Status.lnk - E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-02-13 22:38:50]
WD Backup Monitor.lnk - E:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-08-20 20:34:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iIWiper]
E:\Program Files\iISystem Wiper\SystemWiper.exe m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]
"E:\Program Files\ASUS\PC Probe II\Probe2.exe" 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
E:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
E:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

R1 OxFWLF;OxFWLF;\??\D:\WINDOWS\system32\drivers\OxFWLF.sys
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);D:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 WD_FireWire_HID;WD FireWire Pseudo-HID driver;D:\WINDOWS\system32\DRIVERS\wdfwhid.sys
S3 OXUDIDRV;OXUDIDRV;\??\D:\WINDOWS\system32\Drivers\OXUDIDRV_X32.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a43a91-bacd-11db-9640-806d6172696f}]
\Shell\AutoRun\command - L:\ASUSACPI.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 07:06:06 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-14 15:22:18 D:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - JASON.job"
- E:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-11-12 18:56:19 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-11-12 18:56:19 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- E:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 22:10:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 22:11:46 - machine was rebooted
.
--- E O F ---



And here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:08 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\WINDOWS\system32\WDBtnMgr.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\My Book\WD Backup\uBBMonitor.exe
e:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\WINDOWS\system32\notepad.exe
D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - D:\Program Files\Gvxfyueg\jvhzrtoc.dll
O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - D:\Program Files\Rhguclsn\koaqzxlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: WD Backup Monitor.lnk = E:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - E:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171432850265
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{939541F9-BA0A-42D2-98E8-7E1393181864}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9931 bytes


I have attached both logs for your review. Again, many thanks!!
LS CalamityJane
I'm still writing this up from the logs you posted and will post back in a little bit with the final, but you should know that this computer was infected with a backdoor trojan and rootkit and was likely used as a "zombie" by a remote attacker, as described here:
Zombies and botnets: Help keep your computer under your control
http://www.microsoft.com/protect/computer/...es/zombies.mspx

That was why it was spewing out spam emails under the control of your remote attacker using your computer.

I see that you are running uTorrent, which is often a source of illegal program downloads, and those are often laden with new, undetected trojans that infect your computer in this manner. Always avoid cracks and illegal programs, and be very suspicious of any files downloaded via P2P.

The file I see in the logs that indicates the rootkit/backdoor trojan was deleted by combofix:
D:\WINDOWS\system32\xpdx.sys

See a description of that file here:
Troj/Rustok-B
http://www.sophos.com/security/analyses/trojrustokb.html

So, we might be able to remove the infected files I see in these logs, but your computer has been under someone else's control for about the last 4 days at least. You should be aware that anything could have been stolen off it or done to it without your knowledge, and that may be hidden from you, making this PC no longer trustworthy even if we clean off the infected files left on it.

Here is why (some articles you need to read):
Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

QUOTE
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.


QUOTE
The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)


And I often include these (in the case of RAT & rootkit infestation, which you had)

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

What is a rootkit? In the simplest of terms, it is technology to hide an attacker's tools. Rootkits can prevent detection and removal, and in some cases attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx
I hate my computer.....
Does it matter, or help that my computer is connected to the next via a wireless router? I heard that the hardware acts as a hardware firewall, it certainly does not prevent viruses that I let in the door, but at least it prevents hackers. Is that correct?
LS CalamityJane
No, your router doesn't prevent outbound connections, which is what your computer used to connect to the remote channel and await commands.

1. Close any open browsers.

2. Open notepad and copy/paste the text you see in the whitespace of the quotebox below into it (but not the word: quote)

QUOTE
Folder::
D:\Program Files\Gvxfyueg
D:\Program Files\Zywicvdb
D:\Program Files\Oqjqqejp
D:\Program Files\Psrrjdbk
D:\Program Files\ACW
D:\Program Files\Rhguclsn
D:\Program Files\jkdklqja
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{261C35B4-9283-6344-C5C0-005CF873D624}]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When done please post back with the Combofix.txt and a fresh HijackThis log for review
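The CFScript above removes the two "(no name)" BHOs that live in randomly named folders directly under Program Files. As an added example (not code from this thread, ComboFix or HijackThis), here is a small Python script that parses the O2 lines of a HijackThis log, flags no-name BHOs whose DLL sits in an eight-letter folder directly under Program Files (a heuristic taken from this particular log, not a general rule), treats a no-name BHO with "(no file)" as a stale leftover, and emits a CFScript in the same Folder::/Registry:: form. The function names and the heuristic are my own assumptions; the sample lines are copied from the log posted earlier in the thread.

```python
import ntpath
import re

# Sample O2 (Browser Helper Object) lines, copied from the HijackThis log
# posted in this thread. Two "(no name)" entries point at DLLs in random
# eight-letter folders under Program Files; those are the ones removed.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - D:\Program Files\Gvxfyueg\jvhzrtoc.dll
O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - D:\Program Files\Rhguclsn\koaqzxlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)

# Heuristic (assumption, derived from this log only): an eight-letter folder
# directly under Program Files holding an eight-letter lowercase DLL.
RANDOM_DIR_RE = re.compile(
    r"^[A-Z]:\\Program Files\\[A-Za-z]{8}\\[a-z]{8}\.dll$", re.IGNORECASE
)


def parse_o2_lines(log_text):
    """Return a list of dicts (name, clsid, path) for every O2 line."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Label one BHO: named, stale (no file), suspicious, or unnamed."""
    if entry["name"] != "(no name)":
        return "named"
    if entry["path"] == "(no file)":
        return "stale"          # harmless leftover; fixable with HijackThis
    if RANDOM_DIR_RE.match(entry["path"]):
        return "suspicious"     # matches the random-folder pattern
    return "unnamed"            # no name, but in a known vendor location


def build_cfscript(suspicious):
    """Emit ComboFix CFScript text: Folder:: then Registry:: removals."""
    folders = sorted({ntpath.dirname(e["path"]) for e in suspicious})
    lines = ["Folder::"] + folders + ["Registry::"]
    for e in suspicious:
        lines.append(
            "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]"
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_o2_lines(SAMPLE_HJT_LOG)
    for e in entries:
        print(f"{classify(e):10s} {e['clsid']} {e['path']}")
    flagged = [e for e in entries if classify(e) == "suspicious"]
    print(build_cfscript(flagged))
```

Run it against a saved HijackThis log (read the file into `parse_o2_lines`) and review every "suspicious" line by hand before dropping the generated script onto ComboFix; the folder-name heuristic only encodes what this one infection looked like, so it should be a prompt for review, not an automatic removal list.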
I hate my computer.....
Here you go! Thanks again! Should I be running ad-aware full scan now? what about spybot s&d and its resident?

new combofix.txt:

ComboFix 07-11-08.1 - JASON 2007-11-15 10:03:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.488 [GMT -8:00]
Running from: D:\Documents and Settings\JASON\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\JASON\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\ACW
D:\Program Files\ACW\ActiveContentWizard.dll
D:\Program Files\ACW\ACW.exe
D:\Program Files\ACW\ACWExt.xml
D:\Program Files\ACW\AcwPSSExtn.dll
D:\Program Files\ACW\ACWRuntimesCab
D:\Program Files\Gvxfyueg
D:\Program Files\Gvxfyueg\jvhzrtoc.dll
D:\Program Files\jkdklqja
D:\Program Files\jkdklqja\vexivktq.dll
D:\Program Files\Oqjqqejp
D:\Program Files\Oqjqqejp\anmvuxgy.dll
D:\Program Files\Psrrjdbk
D:\Program Files\Psrrjdbk\fxwhfdwt.dll
D:\Program Files\Rhguclsn
D:\Program Files\Rhguclsn\koaqzxlp.dll
D:\Program Files\Zywicvdb
D:\Program Files\Zywicvdb\wsrqmurr.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-14 22:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-14 14:36 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 14:36 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-14 12:20 5,130 --a------ D:\WINDOWS\system32\tmp.reg
2007-11-13 22:32 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 22:09 94,480 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-12 22:05 <DIR> d-------- D:\Documents and Settings\JASON\Application Data\HouseCall 6.6
2007-11-12 11:04 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-11-12 10:56 <DIR> d-------- D:\Documents and Settings\JASON\Application Data\Uniblue
2007-11-11 13:19 <DIR> d-------- D:\Program Files\Windows Live Toolbar
2007-11-11 13:17 <DIR> d-------- D:\Program Files\Microsoft SQL Server Compact Edition
2007-11-11 13:17 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-11-11 13:12 <DIR> d-------- D:\Program Files\Windows Live
2007-11-11 13:12 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2007-11-11 13:11 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-06 07:08 <DIR> d-------- D:\Program Files\iPod
2007-11-05 20:29 288,768 --------- D:\WINDOWS\system32\rhttpaa.dll
2007-11-05 20:29 116,736 --------- D:\WINDOWS\system32\aaclient.dll
2007-11-05 20:29 36,352 --------- D:\WINDOWS\system32\tsgqec.dll
2007-11-05 20:23 <DIR> d-------- D:\Program Files\Nokia
2007-10-30 19:55 625,032 --a------ D:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ D:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ D:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ D:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ D:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ D:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ D:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ D:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ D:\WINDOWS\system32\drivers\symdns.sys
2007-10-28 15:09 <DIR> d-------- D:\Documents and Settings\NINA\Application Data\DivX
2007-10-18 11:31 51,224 --a------ D:\WINDOWS\system32\sirenacm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 21:40 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2007-11-13 05:20 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2007-11-11 23:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\Installations
2007-11-11 21:05 --------- d-----w D:\Documents and Settings\JASON\Application Data\uTorrent
2007-11-06 15:05 --------- d-----w D:\Program Files\QuickTime
2007-11-06 04:23 --------- d-----w D:\Program Files\Common Files\Nokia
2007-10-31 03:24 12,963 ----a-w D:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w D:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-15 22:02 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-15 22:02 60,800 ----a-w D:\WINDOWS\system32\S32EVNT1.DLL
2007-10-15 22:02 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-15 22:02 10,740 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-15 22:02 --------- d-----w D:\Program Files\Symantec
2007-09-18 21:44 10,662 ----a-w D:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w D:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w D:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w D:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w D:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w D:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w D:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w D:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w D:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 01:29 --------- d-----w D:\Program Files\Apple Software Update
2007-09-17 22:13 --------- d-----w D:\Documents and Settings\JASON\Application Data\Nokia Multimedia Player
2007-09-15 15:31 --------- d-----w D:\Documents and Settings\NINA\Application Data\ArcSoft
2007-08-21 06:15 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-08-21 04:34 339,968 ----a-w D:\WINDOWS\system32\WDBtnMgr.exe
1999-05-19 22:46 7,247 ----a-w D:\Program Files\ScrptDbg.inf
1997-11-11 20:47 15,410 ----a-w D:\Program Files\ReadMe.Htm
1997-10-22 12:10 236,544 ----a-w D:\Program Files\textmgr.dll
1997-10-22 12:08 25,600 ----a-w D:\Program Files\filesvc.dll
1997-10-22 12:07 53,248 ----a-w D:\Program Files\srcedit.dll
1997-10-22 12:05 83,968 ----a-w D:\Program Files\htmlclr.dll
1997-10-22 12:04 64,000 ----a-w D:\Program Files\comwin.dll
1997-10-22 12:03 135,680 ----a-w D:\Program Files\msscrdbg.exe
1997-10-22 12:01 54,784 ----a-w D:\Program Files\sdbgenu.dll
1997-10-22 12:00 119,296 ----a-w D:\Program Files\scrdbg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-09-03 15:15]
"nwiz"="nwiz.exe" [2004-09-03 15:15 D:\WINDOWS\system32\nwiz.exe]
"StatusClient 2.6"="D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 10:52]
"TomcatStartup 2.5"="D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2003-07-25 14:35]
"HPLJ Config"="D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="E:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2004-09-03 15:15]
"LVCOMSX"="D:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"WD Button Manager"="WDBtnMgr.exe" [2007-08-20 20:34 D:\WINDOWS\system32\WDBtnMgr.exe]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Ad-Watch"="E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-06-02 22:08:40]
APC UPS Status.lnk - E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-02-13 22:38:50]
WD Backup Monitor.lnk - E:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-08-20 20:34:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus XtremeG]
D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iIWiper]
E:\Program Files\iISystem Wiper\SystemWiper.exe m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]
"E:\Program Files\ASUS\PC Probe II\Probe2.exe" 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
E:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
E:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a43a91-bacd-11db-9640-806d6172696f}]
\Shell\AutoRun\command - L:\ASUSACPI.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 07:06:06 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-14 15:22:18 D:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - JASON.job"
- E:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-11-12 18:56:19 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
"2007-11-12 18:56:19 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- E:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 10:23:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 10:24:35 - machine was rebooted
D:\ComboFix2.txt ... 2007-11-14 22:11
.
--- E O F ---

and here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:21 AM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\WINDOWS\system32\WDBtnMgr.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\My Book\WD Backup\uBBMonitor.exe
e:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: WD Backup Monitor.lnk = E:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - E:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171432850265
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{939541F9-BA0A-42D2-98E8-7E1393181864}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9748 bytes
LS CalamityJane
Looks good

One minor (harmless) leftover in the registry we can fix using HijackThis.

Open HijackThis and do a *system scan only*

When it finishes, place a checkmark against this entry and then press the *fix checked* button:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

.................................
QUOTE
Should I be running Ad-aware full scan now? What about Spybot S&D and its resident?

Yes, try it after the final cleanup steps below and see if you have any problems (be sure to update it first)

Yes, scan again with Spybot too as it may find some loose ends that Ad-aware might miss and vice versa.

I wouldn't recommend running both Ad-Watch and Spybot's TeaTimer (resident protection) at the same time as this could cause slow-downs on your PC with both programs trying to do the same job at once. Keep Spybot as a backup on-demand scanner (and keep it updated too).

Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (ComboFix). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is no need to keep them.
You can also delete the folders they made
C:\ComboFix
C:\Qoobox

and the combofix.zip on your desktop
..................
Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................

Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.


I hate my computer.....
Thank you SOOOOO much!

Now, what if Ad-aware and Ad-watch are both quitting on me half way? It gives me that "Ad-watch has encountered a problem and needs to close" and then gives me the option to "debug" or "send", or "do not send" to MS. What should I do? I can't complete an Ad-aware scan right now. It bugs out after scanning my cookies.

Also, do I need to reformat the whole machine? Now I am worried about identity theft and stuff......

Thanks again.
LS CalamityJane
There is a known issue when scanning cookies and using Opera - I'm not sure that's been resolved yet, although I've seen some workarounds posted in various threads in the forums.

As for reformatting, if that were my primary computer - I would, yes. I think you should also change all your passwords on all accounts and monitor anything that may have been breached. There is no way to know what was accessed on your computer, but it was definitely hacked as it was sending spam (and the evident files associated with a RAT/rootkit type variant).
I hate my computer.....
I can't find any "Application Data" folders that are supposed to be on my computer, like they just disappeared. Also, under "Documents and Settings", other than the Admin, and the other two user names that I created, now I have two more:

Administrator.N-5DFFAE66F1A74.000
and
Administrator.N-5DFFAE66F1A74

What are these? One of them was created only this afternoon......
LS CalamityJane
Application Data is a hidden folder by default. The ComboFix tool resets those settings, which is why you can't see them now. So to see that folder, you need to make sure your PC is configured to show hidden files.

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.
I hate my computer.....
So the two new "users" are harmless?
LS CalamityJane
I have no idea what the two admin accounts are, sorry. I was looking at the hidden folders and application data question.

Let's run this tool just to check for any hidden sdbot possibly:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
LS CalamityJane
QUOTE(I hate my computer..... @ Nov 16 2007, 01:35 AM)
Also, under "Documents and Settings", other than the Admin, and the other two user names that I created, now I have two more:

Administrator.N-5DFFAE66F1A74.000
and
Administrator.N-5DFFAE66F1A74

What are these? One of them was created only this afternoon......

Ok, on this...Did you either create new user accounts or change the name of user accounts on this system recently?

If so, the system may have created these additional directories in relation to that - but I'm only guessing because I'm not sure what all you are doing there.

You are looking at a directory but that is not the same as user accounts. Your user accounts can be viewed in the Control Panel *User Accounts*, whereas the directory you refer to that you are looking at contains multiple directories (folders) regarding those user accounts. The best explanation I can find on that is explained by the member (and a fellow MS MVP Windows-Security) "dave" responding to a similar question at a different security forum:
http://www.dslreports.com/forum/remark,11706932

and again, here:
http://www.dslreports.com/forum/remark,11706986

What do you see when you look in the control panel under "user accounts" and, were you changing or making new user accounts today or yesterday?
I hate my computer.....
Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:14 PM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\WINDOWS\system32\WDBtnMgr.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\Program Files\My Book\WD Backup\uBBMonitor.exe
e:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - D:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] D:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "E:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: WD Backup Monitor.lnk = E:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - E:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171432850265
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{939541F9-BA0A-42D2-98E8-7E1393181864}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - e:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9376 bytes


and here is the SDFix log:

SDFix: Version 1.114

Run by JASON on 16/11/2007 at 02:56 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 15:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

{snipped to eliminate email address being shown}

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 18 Jun 2007 0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


Thanks!

PS, I have made no changes whatsoever with users in the last week.
LS CalamityJane
Open HijackThis and do a *system scan only*
and checkmark these entries in the list. Then press the *fix checked* button

O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)

O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

Those are just dead entries in the registry.

Other than that, everything looks ok in those logs. So I can't really say what those admin directories are.
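The check the helper did by eye above (O2 BHO entries ending in "(no file)" and O9 buttons marked "(file missing)" are orphaned registry entries, not active code) can be scripted. The following is an added example, not code from the forum, Lavasoft or HijackThis; it parses HijackThis v2.0.2 log lines and lists the dead entries that would be checkmarked for "fix checked". The sample lines are constructed from the entries quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2.0.2 format, built from entries quoted above:
# one live BHO, the three "(no file)" BHOs the helper said to fix, one O9 button
# whose target is gone, and one live O9 button.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\\Program Files\\Adobe\\Acrobat 5.0\\Acrobat\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: (no name) - {261C35B4-9283-6344-C5C0-005CF873D624} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - E:\\Program Files\\Paltalk Messenger\\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\\Program Files\\Messenger\\msmsgs.exe
"""

# Every HijackThis finding starts with a section tag such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# COM class id as HijackThis prints it: {8-4-4-4-12 hex}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    clsid: Optional[str]
    reason: str
    line: str  # the exact log line, as it appears in the HijackThis checklist


def parse_entries(text: str):
    """Yield (section, body, raw_line) for each Rn/On entry; other lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def find_dead_entries(text: str) -> List[Finding]:
    """Return entries whose backing file is gone.

    HijackThis appends "(no file)" to an O2 BHO whose DLL no longer exists and
    "(file missing)" to an O9 IE button/menu item whose target is gone. Nothing
    loads from either; they are leftover registry entries that fixing cleans up.
    """
    findings = []
    for section, body, raw in parse_entries(text):
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(0) if clsid_m else None
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, clsid, "BHO registered but DLL missing", raw))
        elif section == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(section, clsid, "IE extra button target missing", raw))
    return findings


def fix_list(text: str) -> List[str]:
    """Log lines to checkmark in a HijackThis 'system scan only' before 'fix checked'."""
    return [f.line for f in find_dead_entries(text)]


if __name__ == "__main__":
    for f in find_dead_entries(SAMPLE_LOG):
        print(f"{f.section} {f.clsid}: {f.reason}")
```

Live entries (a BHO with a real DLL path, a button whose .exe exists) are deliberately not reported; the script only reproduces the "dead entry" judgement, not a malware verdict.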