Two days ago I contracted the Sinowal Trojan. My Norton 360 was unable to remove it. I also read some of the previous posts. I have updated Java and run SDFix, but the virus remains on my computer. I do not have Hijack This or any similar programs downloaded, but I will download them if need be. Any help that you can give is greatly appreciated. Thanks!

Please run the following scans and post their logs. Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2 1. Double Click mbam-setup.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. Please download and install the latest version of HijackThis v2.0.2: Download the "HijackThis" Installer from this link: Hijack This 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Here are the copies of the logs from Malware Bytes and Hijack This. Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 12/6/2008 4:05:55 PM mbam-log-2008-12-06 (16-05-55).txt Scan type: Quick Scan Objects scanned: 57978 Time elapsed: 5 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 12 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\g2ax_customer_downloadhelper_win32_x86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:14:01 PM, on 12/6/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\LTMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\HP\KBD\KBD.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\kdx\khost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\interMute\SpamSubtract\SpamSub.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe C:\Program Files\Common Files\Real\Update_OB\realevent.exe C:\Documents and Settings\Owner\Desktop\HiJackThis.exe C:\WINDOWS\system32\NOTEPAD.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\khost.exe O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-21-3976914450-1040455045-2035118420-1008\..\Run: [RecordNow!] (User 'LogMeInRemoteUser') O4 - HKUS\S-1-5-21-3976914450-1040455045-2035118420-1008\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'LogMeInRemoteUser') O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM') O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user') O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Search - ?p=ZJxdm035YYUS O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.att.net O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr0... O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download... O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client40... O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam... O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13.hotmail.msn.com... O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neu... O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O24 - Desktop Component 1: MuggleNet's Goblet of Fire Movie Countdown (November 18) - http://www.mugglenet.com/countdown/... -- End of file - 13160 bytes

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your Nortons antivirus, Spybot and any other antispyware that you may have. 2. Run Combofix and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet. Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running or move the mouse, it will cause your system to hang.) Please post the log it produces.

Here is the log from Combofix. ComboFix 08-12-06.03 - Owner 2008-12-06 16:50:17.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.188 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Application Data\Google\ggqjh22510678.exe c:\windows\system32\AutoRun.inf c:\windows\system32\iAlmcoin.dll D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 ))))))))))))))))))))))))))))))) . 2008-12-06 15:57 . 2008-12-06 15:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-06 15:57 . 2008-12-06 15:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2008-12-06 15:57 . 2008-12-06 15:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-06 15:57 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-06 15:57 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-06 11:29 . 2008-12-06 11:29 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2008-12-06 11:26 . 2008-12-06 11:27 <DIR> d-------- c:\windows\ERUNT 2008-12-06 11:13 . 2008-12-06 11:50 <DIR> d-------- C:\SDFix 2008-12-06 10:54 . 2008-12-06 10:54 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-06 10:54 . 2008-12-06 10:54 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-06 10:29 . 2008-12-06 10:38 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager 2008-12-05 22:33 . 2008-12-05 22:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy) 2008-12-05 22:33 . 2008-12-05 22:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy) 2008-12-05 22:33 . 2008-12-05 22:33 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy) 2008-12-05 22:33 . 2008-12-05 22:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy) 2008-12-05 22:15 . 2008-12-05 22:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-05 22:15 . 2008-12-06 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-05 20:25 . 2008-12-05 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft 2008-12-05 20:14 . 2008-12-05 20:14 <DIR> d-------- c:\program files\Belarc 2008-12-05 20:03 . 2008-12-05 23:13 <DIR> d-------- C:\OTS 2008-12-05 19:53 . 2008-12-06 00:19 <DIR> d-------- c:\windows\LMIF2.tmp 2008-12-05 19:38 . 2008-12-05 19:38 <DIR> d-------- c:\program files\LogMeIn Rescue 2008-12-05 19:29 . 2003-10-11 00:19 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser\WINDOWS 2008-12-05 19:29 . 2003-10-14 00:21 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser\Application Data\Symantec 2008-12-05 19:29 . 2003-10-10 23:57 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser\Application Data\Sonic 2008-12-05 19:29 . 2003-10-11 00:47 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser\Application Data\SampleView 2008-12-05 19:29 . 2003-10-14 00:24 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser\Application Data\interMute 2008-12-05 19:29 . 2008-12-06 01:16 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser 2008-12-05 19:14 . 2008-12-05 19:14 <DIR> d-------- c:\program files\LogMeIn Rescue Calling Card 2008-12-05 18:57 . 2008-12-05 18:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogMeIn 2008-12-05 18:56 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll 2008-12-05 18:56 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll 2008-12-05 18:56 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys 2008-12-05 18:56 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll 2008-12-05 18:56 . 2008-12-05 18:56 1,024 --a------ C:\.rnd 2008-12-05 18:55 . 2008-12-06 00:18 <DIR> d-------- c:\program files\LogMeIn 2008-12-05 18:37 . 2008-12-05 19:34 <DIR> d-------- c:\program files\Citrix 2008-12-05 17:15 . 2008-12-05 17:15 10,344 --a------ c:\windows\system32\drivers\symlcbrd.sys 2008-12-04 19:23 . 2008-12-06 13:17 54,156 --ah----- c:\windows\QTFont.qfn 2008-12-04 19:23 . 2008-12-06 13:17 1,409 --a------ c:\windows\QTFont.for 2008-12-01 16:16 . 2008-12-01 16:16 <DIR> d-------- c:\program files\Windows Sidebar 2008-12-01 16:14 . 2008-12-04 18:18 <DIR> d-------- c:\program files\Symantec 2008-12-01 16:14 . 2008-12-04 18:18 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2008-12-01 16:14 . 2008-12-04 18:18 60,800 --a------ c:\windows\system32\S32EVNT1.DLL 2008-12-01 16:14 . 2008-12-04 18:18 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2008-12-01 16:14 . 2008-12-04 18:18 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2008-11-17 18:59 . 2008-11-17 18:59 268 --ah----- C:\sqmdata13.sqm 2008-11-17 18:59 . 2008-11-17 18:59 244 --ah----- C:\sqmnoopt13.sqm 2008-11-16 20:28 . 2008-11-16 20:28 268 --ah----- C:\sqmdata12.sqm 2008-11-16 20:28 . 2008-11-16 20:28 244 --ah----- C:\sqmnoopt12.sqm 2008-11-15 22:01 . 2008-11-15 22:01 268 --ah----- C:\sqmdata11.sqm 2008-11-15 22:01 . 2008-11-15 22:01 244 --ah----- C:\sqmnoopt11.sqm 2008-11-14 22:18 . 2008-11-14 22:18 268 --ah----- C:\sqmdata10.sqm 2008-11-14 22:18 . 2008-11-14 22:18 244 --ah----- C:\sqmnoopt10.sqm 2008-11-13 21:30 . 2008-11-13 21:30 268 --ah----- C:\sqmdata09.sqm 2008-11-13 21:30 . 2008-11-13 21:30 244 --ah----- C:\sqmnoopt09.sqm 2008-11-12 22:12 . 2008-11-12 22:12 268 --ah----- C:\sqmdata08.sqm 2008-11-12 22:12 . 2008-11-12 22:12 244 --ah----- C:\sqmnoopt08.sqm 2008-11-12 16:52 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-12 16:52 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-11 22:00 . 2008-11-11 22:00 268 --ah----- C:\sqmdata07.sqm 2008-11-11 22:00 . 2008-11-11 22:00 244 --ah----- C:\sqmnoopt07.sqm 2008-11-10 21:49 . 2008-11-10 21:49 268 --ah----- C:\sqmdata06.sqm 2008-11-10 21:49 . 2008-11-10 21:49 244 --ah----- C:\sqmnoopt06.sqm 2008-11-09 21:54 . 2008-11-09 21:54 268 --ah----- C:\sqmdata05.sqm 2008-11-09 21:54 . 2008-11-09 21:54 244 --ah----- C:\sqmnoopt05.sqm 2008-11-09 10:13 . 2008-11-09 10:13 268 --ah----- C:\sqmdata04.sqm 2008-11-09 10:13 . 2008-11-09 10:13 244 --ah----- C:\sqmnoopt04.sqm 2008-11-08 22:29 . 2008-11-08 22:29 268 --ah----- C:\sqmdata03.sqm 2008-11-08 22:29 . 2008-11-08 22:29 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-06 21:46 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-12-06 15:54 --------- d-----w c:\program files\Java 2008-12-06 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2008-12-06 04:59 --------- d-----w c:\program files\Yahoo! 2008-12-02 21:18 --------- d-----w c:\program files\Norton 360 2008-12-01 21:20 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-17 01:35 23,736 ----a-w c:\windows\system32\lmimirr.dll 2008-10-17 01:35 10,040 ----a-w c:\windows\system32\lmimirr2.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-06 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-05 20:21 98,304 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABP4EN\plugin\bin\PluginCtrl.dll 2008-10-05 20:21 45,056 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABP4EN\plugin\bin\jsharpde\util.dll 2008-10-05 20:21 36,864 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABP4EN\plugin\bin\jsharpde\gnu.dll 2008-10-05 20:21 32,768 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABP4EN\plugin\bin\jsharpde\pchapi.dll 2008-10-05 20:21 3,072 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABP4EN\plugin\bin\jsharpde\pchealthde.exe 2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded] @="{4433A54A-1AC8-432F-90FC-85F045CF383C}" [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending] @="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}" [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected] @="{476D0EA3-80F9-48B5-B70B-05E677C9C148}" [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 24576] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704] "kdx"="c:\windows\kdx\khost.exe" [2005-04-01 2605056] "RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-06-03 1003520] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528] "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352] "NVIEW"="nview.dll" [2003-08-19 c:\windows\system32\nview.dll] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688] "CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 151597] "Recguard"="c:\windows\SMINST\RECGUARD.exe" [2002-09-13 212992] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472] "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416] "mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-28 53248] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 77824] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152] "KBD"="c:\hp\KBD\KBD.exe" [2005-02-02 61440] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-06 136600] "nwiz"="nwiz.exe" [2003-08-19 c:\windows\system32\nwiz.exe] "LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe] c:\documents and settings\Owner\Start Menu\Programs\Startup\ spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 557056] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2007-07-12 442368] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128] KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423] Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-30 57344] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\GameHouse\\FeedingFrenzy\\FeedingFrenzy.exe"= "c:\\WINDOWS\\kdx\\khost.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352] R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-05 47640] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-02-24 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-01 99376] S2 mrtRate;mrtRate; [] S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888] S4 LMIRfsClientNP;LMIRfsClientNP; [] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L] \Shell\AutoRun\command - L:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62623656-3948-11db-839d-000ea65829cd}] \Shell\AutoRun\command - I:\LaunchU3.exe -a *Newly Created Service* - COMHOST *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-12-06 c:\windows\Tasks\WebReg Deskjet D2400 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 21:27] . - - - - ORPHANS REMOVED - - - - WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file) HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe HKCU-Run-vidxhp - c:\documents and settings\Owner\Application Data\Google\ggqjh22510678.exe HKCU-Run-RecordNow! - (no file) HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe HKLM-Run-AlcxMonitor - ALCXMNTR.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mSearch Bar = hxxp://srch-us10.hpwis.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = <local> IE: &Search - ?p=ZJxdm035YYUS IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 LSP: SpSubLSP.dll c:\windows\Downloaded Program Files\CoxFastConnect20.ocx - O16 -: {B030900C-746A-47BF-8B1D-EA3FB3395563} hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-06 16:53:34 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run Yahoo! Pager = c:\program files\Yahoo!\Messenger\ypager.exe -quiet??s Aim6 = "c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp?? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(936) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll - - - - - - - > 'lsass.exe'(992) c:\windows\system32\SpSubLSP.dll . Completion time: 2008-12-06 16:54:44 ComboFix-quarantined-files.txt 2008-12-06 21:54:32 Pre-Run: 136,396,754,944 bytes free Post-Run: 136,378,384,384 bytes free 260 --- E O F --- 2008-12-02 02:07:35

Sorry I missed your post, thanks for the PM. Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\sqmdata13.sqm C:\sqmnoopt13.sqm C:\sqmdata12.sqm C:\sqmnoopt12.sqm C:\sqmdata11.sqm C:\sqmnoopt11.sqm C:\sqmdata10.sqm C:\sqmnoopt10.sqm C:\sqmdata09.sqm C:\sqmnoopt09.sqm C:\sqmdata08.sqm C:\sqmnoopt08.sqm C:\sqmdata07.sqm C:\sqmnoopt07.sqm C:\sqmdata06.sqm C:\sqmnoopt06.sqm C:\sqmdata05.sqm C:\sqmnoopt05.sqm C:\sqmdata04.sqm C:\sqmnoopt04.sqm C:\sqmdata03.sqm C:\sqmnoopt03.sqm XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: http://www.majorgeeks.com/ATF_Cleaner_d4949.html Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component 1. Click Accept, when prompted to download and install the program files and database of malware definitions. 2. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. 3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. 4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. 6. Click View scan report at the bottom. 7. Click the Save Report As... button. 8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. **Note** To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Here is the report from the Kaspersky Scan. Monday, December 8, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Monday, December 08, 2008 01:30:05 Records in database: 1443164 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer A:\ C:\ D:\ E:\ F:\ G:\ H:\ T:\ U:\ Scan statistics Files scanned 101033 Threat name 3 Infected objects 4 Suspicious objects 0 Duration of the scan 01:45:58 File name Threat name Threats count C:\Documents and Settings\Owner\My Documents\Internet Downloads\LOTRROTK3DSetup.exe Infected: not-a-virus:AdWare.Win32.Quick.a 1 C:\Documents and Settings\Owner\My Documents\Internet Downloads\LOTRROTK3DSetup.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1 C:\Documents and Settings\Owner\My Documents\Internet Downloads\LOTRROTK3DSetup.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2 The selected area was scanned.